From prasun.gera at gmail.com Sun May 1 03:26:00 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Sat, 30 Apr 2016 23:26:00 -0400
Subject: [Freeipa-users] Account/password expirations
References: <20160419155704.GC14903@hendrix> <20160421193726.GB4262@hendrix> <20160429073230.GC25181@hendrix>

Ah, this doesn't work on Ubuntu (14.04). The command itself works, but sshd on Ubuntu probably isn't compiled with support for this, although I see "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" in sshd_config. I don't think the freeipa/sssd PPAs package sshd. Any way to get this working on Ubuntu 14.04?

On Fri, Apr 29, 2016 at 12:30 PM, Anon Lister wrote:
> Yep sorry I missed that. You need to put your public keys in IPA.
> On Apr 29, 2016 3:32 AM, "Jakub Hrozek" wrote:
> > On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
> > > > You can still authenticate with SSH keys, but to access any NFS 4 shares
> > > > they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> > > > logging in.
> > >
> > > Then how does the key authentication work if the .ssh directory on nfs4 is
> > > not accessible? Doesn't the key authentication process rely on
> > > .ssh/authorized keys being readable by the authentication module?
> >
> > SSSD can fetch the authorized keys from IPA, see man sss_ssh_authorizedkeys(1)

From bentech4you at gmail.com Sun May 1 08:24:42 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sun, 1 May 2016 11:24:42 +0300
Subject: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
References: <570CF37E.7000700@redhat.com>

Hi All,

Again, the link for IPA 4.3.1 is offline:
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/

On Tue, Apr 12, 2016 at 4:19 PM, Ben .T.George wrote:
> Hi
>
> Wow. Thanks for your fast response.
>
> Regards
> Ben
> On 12 Apr 2016 16:09, "Martin Basti" wrote:
>> On 12.04.2016 14:59, Ben .T.George wrote:
>>
>> Hi List,
>>
>> From where can I get repo details for FreeIPA 4.3.1 version? The link
>> provided on the website is broken.
>> https://www.freeipa.org/page/Releases/4.3.1
>>
>> Please, someone give me the right package details.
>>
>> Regards,
>> Ben
>>
>> Hello,
>>
>> thank you for the report, I fixed the page.
>>
>> CentOS repos:
>> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
>>
>> Martin

From matrix.zj at qq.com Sun May 1 08:38:20 2016
From: matrix.zj at qq.com (Matrix)
Date: Sun, 1 May 2016 16:38:20 +0800
Subject: [Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'

Hi, list

I am trying to set up an integration environment between IPA and AD Windows 2012 R2.

The error below occurred while running "# echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password":

# echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password
ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc

IPA / Samba versions I am running with:

ipa-server-4.2.0-15.el7.x86_64
samba-4.2.3-12.el7_2.x86_64

# tailf /var/log/httpd/error_log
[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO: [jsonserver_session] admin at DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO: [jsonserver_session] admin at DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError

I have also tried the latest ipa-server version shipped by RHEL; the same error occurred.

It seems that https://bugzilla.redhat.com/show_bug.cgi?id=1249455 did not fix it.

Matrix

From bentech4you at gmail.com Sun May 1 12:30:18 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sun, 1 May 2016 15:30:18 +0300
Subject: [Freeipa-users] dnsforwardzone-add giving error

Hi List,

I don't know how to explain this issue. I was trying IPA 4.3.1.

While adding DNS, I am getting the error below:

[root at global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw --forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is handled by server(s): corp.kwttestdc.com.kw.

And in my resolv.conf I have given the following:

nameserver 127.0.0.1

Someone please explain what the issue is and how to fix it.

Regards,
Ben

From bentech4you at gmail.com Sun May 1 12:32:45 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sun, 1 May 2016 15:32:45 +0300
Subject: [Freeipa-users] dnsforwardzone-add giving error

Hi

After a reboot I tried the same command and got the error below:

[root at global ~]# ipa dnsforwardzone-add kwttestdc.com.kw --forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain kwttestdc.com.kw. failed: All nameservers failed to answer the query kwttestdc.com.kw. IN SOA: Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

This is the first time I am seeing this error.

On Sun, May 1, 2016 at 3:30 PM, Ben .T.George wrote:
> Hi List,
>
> I don't know how to explain this issue. I was trying IPA 4.3.1.
>
> While adding DNS, I am getting the error below:
>
> [root at global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw --forwarder=192.168.37.131 --forward-policy=only
> Server will check DNS forwarder(s).
> This may take some time, please wait ...
> ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is handled by server(s): corp.kwttestdc.com.kw.
>
> And in my resolv.conf I have given the following:
>
> nameserver 127.0.0.1
>
> Someone please explain what the issue is and how to fix it.
>
> Regards,
> Ben
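Both errors Ben pasted come out of the server-side forwarder check that `ipa dnsforwardzone-add` runs before creating the zone: the first time the zone was already answered (handled by corp.kwttestdc.com.kw), the second time the resolver the check went through, 127.0.0.1 from resolv.conf, timed out. The POSIX shell below is an added example, not part of Ben's post and not FreeIPA's own tooling: it reads the nameservers from a resolv.conf, flags the all-loopback case, and, when `dig` is installed, asks each resolver and the forwarder itself for the zone's SOA so you can see who currently claims the zone before adding it. The zone, forwarder and resolv.conf line are the ones from the thread; the sample file and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: pre-flight checks before
# `ipa dnsforwardzone-add ZONE --forwarder=IP --forward-policy=only`.

# Print the nameserver addresses listed in a resolv.conf-style file.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed (0) when the file lists at least one nameserver and every one of
# them is a loopback address, i.e. lookups go through the local named only.
only_loopback_resolvers() {
    total=0; loopback=0
    for ns in $(resolv_nameservers "$1"); do
        total=$((total + 1))
        case "$ns" in
            127.*|::1) loopback=$((loopback + 1)) ;;
        esac
    done
    [ "$total" -gt 0 ] && [ "$total" -eq "$loopback" ]
}

# Ask one server for the zone's SOA and print its primary (MNAME) field, the
# name IPA reports as "handled by server(s)". Needs dig (bind-utils).
soa_primary() {   # args: zone server
    dig +short +time=3 +tries=1 "@$2" "$1" SOA 2>/dev/null | awk 'NF { print $1; exit }'
}

# Run the checks; returns 0 when the forwarder answers, 1 when it does not,
# 2 when dig is missing and no live query could be made.
preflight() {   # args: zone forwarder [resolv_file]
    zone=$1; fwd=$2; resolv=${3:-/etc/resolv.conf}
    if only_loopback_resolvers "$resolv"; then
        echo "note: $resolv lists only loopback; the server-side check resolves through the local named, not $fwd directly" >&2
    fi
    command -v dig >/dev/null 2>&1 || { echo "dig not installed; skipping live queries" >&2; return 2; }
    for ns in $(resolv_nameservers "$resolv"); do
        p=$(soa_primary "$zone" "$ns")
        echo "via resolver $ns: ${p:-no SOA answer}"
    done
    p=$(soa_primary "$zone" "$fwd")
    if [ -n "$p" ]; then
        echo "forwarder $fwd answers SOA for $zone (primary: $p)"
        return 0
    fi
    echo "forwarder $fwd gave no SOA for $zone; fix reachability before adding the forward zone" >&2
    return 1
}

# Constructed sample resolv.conf matching the one Ben posted.
SAMPLE_RESOLV=$(mktemp)
printf 'nameserver 127.0.0.1\n' > "$SAMPLE_RESOLV"

# On a real server: preflight kwttestdc.com.kw 192.168.37.131
```

If `preflight` reports a primary via the resolver that is not the IPA server, the zone is already being served (or forwarded) somewhere on the resolution path, which is exactly the situation the first error describes; if the forwarder itself returns no SOA, the second error is expected and the network or firewall between the IPA server and 192.168.37.131 is where to look.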
From abokovoy at redhat.com Sun May 1 13:40:39 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 1 May 2016 16:40:39 +0300
Subject: [Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'
Message-ID: <20160501134039.hiwyy7gkhez7gq5i@redhat.com>

On Sun, 01 May 2016, Matrix wrote:
>Hi, list
>
>I am trying to set up an integration environment between IPA and AD Windows 2012 R2.
>
>The error below occurred while running "# echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password":
>
># echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password
>ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc
>
>IPA / Samba versions I am running with:
>
>ipa-server-4.2.0-15.el7.x86_64
>samba-4.2.3-12.el7_2.x86_64
>
># tailf /var/log/httpd/error_log
>[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO: [jsonserver_session] admin at DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO: [jsonserver_session] admin at DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>
>I have also tried the latest ipa-server version shipped by RHEL; the same error occurred.
>
>It seems that https://bugzilla.redhat.com/show_bug.cgi?id=1249455 did not fix it.

Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try 'ipa trust-add'. You'll get more detailed debugging output in error_log.

--
/ Alexander Bokovoy

From matrix.zj at qq.com Sun May 1 13:55:20 2016
From: matrix.zj at qq.com (Matrix)
Date: Sun, 1 May 2016 21:55:20 +0800
Subject: [Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'
In-Reply-To: <20160501134039.hiwyy7gkhez7gq5i@redhat.com>
References: <20160501134039.hiwyy7gkhez7gq5i@redhat.com>

Hi, Alexander

Log from /var/log/httpd/error_log:

lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
Processing section "[global]"
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
  scavenger: 100
  dns: 100
  ldb: 100
pm_process() returned Yes
Using binding ncacn_np:ipaserver.dev.example.net[,print,smb2]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f1c1c0ff6b0
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c458350
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c45ba70
s4_tevent: Running timer event 0x7f1c1c458350 "composite_trigger"
s4_tevent: Destroying timer event 0x7f1c1c45ba70 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=192.168.10.241 bcast=192.168.11.255 netmask=255.255.254.0
added interface eth0 ip=192.168.10.241 bcast=192.168.11.255 netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name ipaserver.dev.example.net<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c46d740
s4_tevent: Ending timer event 0x7f1c1c458350 "composite_trigger"
s4_tevent: Running timer event 0x7f1c1c46d740 "composite_trigger"
s4_tevent: Ending timer event 0x7f1c1c46d740 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7f1c1c242c70
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c04d750
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c04d750
s4_tevent: Destroying timer event 0x7f1c1c242c70 "connect_multi_timer"
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 2626560
  SO_RCVBUF = 1061296
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c2e3430
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c2e3430 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c04d600
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c04d600
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for admin at DEV.EXAMPLE.NET will expire in 84175 secs
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c42a450
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c42a450 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c2ad220
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c3e7650
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c3e7650 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c4441c0
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c4441c0 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c05db70
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c05db70
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c47fd40
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c47fd40 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1cb553c0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1cb553c0
s4_tevent: Destroying timer event 0x7f1c1c0ff6b0 "dcerpc_connect_timeout_handler"
[Sun May 01 13:53:05.420066 2016] [:error] [pid 6995] ipa: INFO: [jsonserver_session] admin at DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError

------------------ Original ------------------
From: "Alexander Bokovoy"
Date: Sun, May 1, 2016 09:40 PM
To: "Matrix"
Cc: "freeipa-users"
Subject: Re: [Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'

On Sun, 01 May 2016, Matrix wrote:
>Hi, list
>
>I am trying to set up an integration environment between IPA and AD Windows 2012 R2.
>
>The error below occurred while running "# echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password":
>
># echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password
>ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc
>
>IPA / Samba versions I am running with:
>
>ipa-server-4.2.0-15.el7.x86_64
>samba-4.2.3-12.el7_2.x86_64
>
># tailf /var/log/httpd/error_log
>[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO: [jsonserver_session] admin at DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO: [jsonserver_session] admin at DEV.EXAMPLE.NET: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>
>I have also tried the latest ipa-server version shipped by RHEL; the same error occurred.
>
>It seems that https://bugzilla.redhat.com/show_bug.cgi?id=1249455 did not fix it.

Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try 'ipa trust-add'. You'll get more detailed debugging output in error_log.

--
/ Alexander Bokovoy
From abokovoy at redhat.com Sun May 1 14:27:50 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 1 May 2016 17:27:50 +0300
Subject: [Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'
References: <20160501134039.hiwyy7gkhez7gq5i@redhat.com>
Message-ID: <20160501142750.hun22rztxjafyr2z@redhat.com>

On Sun, 01 May 2016, Matrix wrote:
>Hi, Alexander
>
>Log from /var/log/httpd/error_log:
>
>lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
>Processing section "[global]"
>INFO: Current debug levels:
>  all: 100
>  tdb: 100
>  printdrivers: 100
>  lanman: 100
>  smb: 100
>  rpc_parse: 100
>  rpc_srv: 100
>  rpc_cli: 100
>  passdb: 100
>  sam: 100
>  auth: 100
>  winbind: 100
>  vfs: 100
>  idmap: 100
>  quota: 100
>  acls: 100
>  locking: 100
>  msdfs: 100
>  dmapi: 100
>  registry: 100
>  scavenger: 100
>  dns: 100
>  ldb: 100
>pm_process() returned Yes
>Using binding ncacn_np:ipaserver.dev.example.net[,print,smb2]
>s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f1c1c0ff6b0
>s4_tevent: Added timed event "composite_trigger": 0x7f1c1c458350
>s4_tevent: Added timed event "composite_trigger": 0x7f1c1c45ba70
>s4_tevent: Running timer event 0x7f1c1c458350 "composite_trigger"
>s4_tevent: Destroying timer event 0x7f1c1c45ba70 "composite_trigger"
>Mapped to DCERPC endpoint \pipe\lsarpc
>added interface eth0 ip=192.168.10.241 bcast=192.168.11.255 netmask=255.255.254.0
>added interface eth0 ip=192.168.10.241 bcast=192.168.11.255 netmask=255.255.254.0
>resolve_lmhosts: Attempting lmhosts lookup for name ipaserver.dev.example.net<0x20>
>getlmhostsent: lmhost entry: 127.0.0.1 localhost
>s4_tevent: Added timed event "composite_trigger": 0x7f1c1c46d740
>s4_tevent: Ending timer event 0x7f1c1c458350 "composite_trigger"
>s4_tevent: Running timer event 0x7f1c1c46d740 "composite_trigger"
>s4_tevent: Ending timer event 0x7f1c1c46d740 "composite_trigger"
>s4_tevent: Added timed event "connect_multi_timer": 0x7f1c1c242c70
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c04d750
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c04d750
>s4_tevent: Destroying timer event 0x7f1c1c242c70 "connect_multi_timer"
>Socket options:
>  SO_KEEPALIVE = 0
>  SO_REUSEADDR = 0
>  SO_BROADCAST = 0
>  TCP_NODELAY = 1
>  TCP_KEEPCNT = 9
>  TCP_KEEPIDLE = 7200
>  TCP_KEEPINTVL = 75
>  IPTOS_LOWDELAY = 0
>  IPTOS_THROUGHPUT = 0
>  SO_REUSEPORT = 0
>  SO_SNDBUF = 2626560
>  SO_RCVBUF = 1061296
>  SO_SNDLOWAT = 1
>  SO_RCVLOWAT = 1
>  SO_SNDTIMEO = 0
>  SO_RCVTIMEO = 0
>  TCP_QUICKACK = 1
>  TCP_DEFER_ACCEPT = 0
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c2e3430
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Destroying timer event 0x7f1c1c2e3430 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c04d600
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c04d600
>Starting GENSEC mechanism spnego
>Starting GENSEC submechanism gssapi_krb5
>Ticket in credentials cache for admin at DEV.EXAMPLE.NET will expire in 84175 secs
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c42a450
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Destroying timer event 0x7f1c1c42a450 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c2ad220
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c2ad220
>gensec_gssapi: NO credentials were delegated
>GSSAPI Connection will be cryptographically sealed
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c3e7650
>signed SMB2 message
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Destroying timer event 0x7f1c1c3e7650 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c2ad220
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c2ad220
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c4441c0
>signed SMB2 message
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Destroying timer event 0x7f1c1c4441c0 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c05db70
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c05db70
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c47fd40
>signed SMB2 message
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
>s4_tevent: Destroying timer event 0x7f1c1c47fd40 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1cb553c0
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1cb553c0
>s4_tevent: Destroying timer event 0x7f1c1c0ff6b0 "dcerpc_connect_timeout_handler"

Ok, so it is the local smbd not answering well. This warrants going with the full logs procedure as described in http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

--
/ Alexander Bokovoy

From joshua at azariah.com Sun May 1 02:53:40 2016
From: joshua at azariah.com (Joshua J. Kugler)
Date: Sat, 30 Apr 2016 18:53:40 -0800
Subject: [Freeipa-users] Unexpiring user passwords
Message-ID: <2910253.sYcCN7UY4D@hosanna>

I have read this page http://www.freeipa.org/page/New_Passwords_Expired

Aside from the fact that the decision should have been left to the company and their policies, and violates the tenet that software should have sane defaults while leaving flexibility to the user, I'm wondering if you can help me.

We have a situation where the passwords in FreeIPA need to be synchronized with another system in the company (a database of users, which is the authoritative source for users and passwords). But, from what I read, the documentation is telling me we can't do that, because if we followed this workflow:

1. User goes to "master DB" and changes their password
2. master DB runs a script which sets the password on the FreeIPA system
3. User's login is now broken because the password is expired.

It is really unfortunate that this design decision was made, because
1. It prevents FreeIPA from being integrated with existing systems (telling people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us at all)
2. It doesn't really improve security as claimed, because if the user's new password is intercepted, the interceptor can use that password to log in and change the expired password, still giving access.

Is there a way around this? Is there a password synchronization protocol that can be used to link up systems that need to have common logins?

Thanks for any help you can offer!

j

--
Joshua J. Kugler -- Fairbanks, AK
Blogs: http://jjncj.com/blog/ (Family) -- http://joshuakugler.com (Geek)
Every knee shall bow, and every tongue confess, in heaven, on earth, and under the earth, that Jesus Christ is LORD

From rcritten at redhat.com Sun May 1 16:31:14 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 1 May 2016 12:31:14 -0400
Subject: [Freeipa-users] Unexpiring user passwords
In-Reply-To: <2910253.sYcCN7UY4D@hosanna>
References: <2910253.sYcCN7UY4D@hosanna>
Message-ID: <57262F52.6000702@redhat.com>

Joshua J. Kugler wrote:
> I have read this page http://www.freeipa.org/page/New_Passwords_Expired
>
> Aside from the fact that the decision should have been left to the company and
> their policies, and violates the tenet that software should have sane
> defaults while leaving flexibility to the user, I'm wondering if you can help
> me.
>
> We have a situation where the passwords in FreeIPA need to be synchronized
> with another system in the company (a database of users, which is the
> authoritative source for users and passwords). But, from what I read, the
> documentation is telling me we can't do that, because if we followed this
> workflow:
>
> 1. User goes to "master DB" and changes their password
> 2. master DB runs a script which sets the password on the FreeIPA system
> 3. User's login is now broken because the password is expired.
>
> It is really unfortunate that this design decision was made, because
> 1. It prevents FreeIPA from being integrated with existing systems (telling
> people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us
> at all)
> 2. It doesn't really improve security as claimed, because if the user's new
> password is intercepted, the interceptor can use that password to log in and
> change the expired password, still giving access.
>
> Is there a way around this? Is there a password synchronization protocol that
> can be used to link up systems that need to have common logins?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync

rob

From natxo.asenjo at gmail.com Sun May 1 17:04:44 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sun, 1 May 2016 19:04:44 +0200
Subject: [Freeipa-users] Unexpiring user passwords
In-Reply-To: <2910253.sYcCN7UY4D@hosanna>
References: <2910253.sYcCN7UY4D@hosanna>

On Sun, May 1, 2016 at 4:53 AM, Joshua J. Kugler wrote:
> We have a situation where the passwords in FreeIPA need to be synchronized
> with another system in the company (a database of users, which is the
> authoritative source for users and passwords). But, from what I read, the
> documentation is telling me we can't do that, because if we followed this
> workflow:
>
> 1. User goes to "master DB" and changes their password
> 2. master DB runs a script which sets the password on the FreeIPA system
> 3. User's login is now broken because the password is expired.

Leaving the design/philosophy aside, you could modify your users' krbpasswordexpiration LDAP attribute in the script that changes the FreeIPA password from your master DB password source. It's quite simple using your LDAP tools of choice.

--
Groeten,
natxo

From pvoborni at redhat.com Sun May 1 18:46:02 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Sun, 1 May 2016 20:46:02 +0200
Subject: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?
References: <410229fc-04a8-9774-6759-6881cb996765@redhat.com>

On 04/28/2016 05:30 PM, Matrix wrote:
> Hi, Petr
>
> Thanks for your quick reply.
>
> I want to integrate Linux servers with the existing AD and centrally manage HBAC/Sudo
> rules.
>
> So I have set up a standalone IPA server with domain 'example.net', trying to
> sync users from the existing AD to it with the following cmd:
>
> ipa-replica-manage connect --winsync
> --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='XXXX'
> --passsync='XXXX' --cacert='/etc/openldap/cacerts/ipaad.cer'
> --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net
>
> After it has been successfully established, users in AD did not sync to IPA.

Before we go into debugging, please make sure that you have done the steps described in section 7.4 of the Windows Integration Guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html

> For the 'trusts' integration method, since users did not sync to IPA at all, how to
> set sudo/HBAC rules for users? I have not tried it.
>
> Matrix
>
> ------------------ Original ------------------
> *From: * "Petr Vobornik"
> *Date: * Thu, Apr 28, 2016 11:21 PM
> *To: * "Matrix"; "freeipa-users"
> *Subject: * Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync
> user between different suffix AD and IPA domain?
>
> On 04/28/2016 04:44 PM, Matrix wrote:
> > Hi, all
> >
> > I am trying to do a centralized solution
> >
> > AD domain is 'examplemedia.net'
> >
> > IPA domain is 'example.net'
> >
> > After ipa-replica has been established, I found that nothing has been synced
> > from AD to IPA.
> >
> > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> >
> > I doubt that a different suffix is supported? If so, can anyone show some
> > hints for me to investigate more?
> >
> > Thanks for your kind help.
> >
> > Matrix
>
> Hello,
>
> what is your goal and current setup?
>
> By "ipa-replica has been established" do you mean that you installed a
> new, currently standalone IPA server? And connected it somehow with AD?
>
> Or did you run `ipa-replica-manage connect --winsync ...`
>
> It would be good to mention that IPA server[1] cannot be a replica of an
> AD server. But it can integrate with it. Either by using
> winsync (synchronization) or the recommended solution: Trusts [2].
>
> Documentation:
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
>
> HTH
> --
> Petr Vobornik

--
Petr Vobornik

From bentech4you at gmail.com Sun May 1 20:46:59 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sun, 1 May 2016 23:46:59 +0300
Subject: [Freeipa-users] Help regarding SUDo rule implementation

Hi

I have a working setup of FreeIPA 4.3 with AD integrated. I am able to apply HBAC rules, and from the client side it's working.

How can I apply sudo rules to that specific POSIX group?

I have created a sample rule and added 2 commands, put the option as !authenticate and attached this rule to the client, but still sudo -l is not working.

/etc/nsswitch.conf has: sudoers: files sss

and /etc/sssd/sssd.conf has: services = nss, sudo, pam, ssh

Thanks & Regards,
Ben

From siology.io at gmail.com Mon May 2 00:05:17 2016
From: siology.io at gmail.com (siology.io)
Date: Mon, 2 May 2016 12:05:17 +1200
Subject: [Freeipa-users] ipa-client password authentication failed
In-Reply-To: <08f1d5b6-a600-7dcb-30cf-e608f25e8d96@redhat.com>
References: <20160422151651.GH620@hendrix> <70BBF132-4288-4550-B875-D774ED73FB20@redhat.com> <08f1d5b6-a600-7dcb-30cf-e608f25e8d96@redhat.com>

That plugins.py file does exist, but it's totally empty.
And yes, all i get on the browser is an empty white screen window, On 30 April 2016 at 02:20, Petr Vobornik wrote: > On 04/29/2016 12:44 AM, siology.io wrote: > > On a clean centos 7 VM, after installation of ipa-server browsing to the > ipa web > > UI gets me in the httpd error_logs: > > > > [Thu Apr 28 18:41:11.826134 2016] [:error] [pid 10162] [remote > 10.0.4.10:244 > > ] mod_wsgi (pid=10162): Target WSGI script > > '/usr/share/ipa/wsgi/plugins.py' does not contain WSGI application > 'application'. > > > > Is this a known issue ? I didn't get much out of google. > > > > I don't see this issue on RHEL 7.2 nor FreeIPA 4.3.x on F23. Could you > paste here content of your /usr/share/ipa/wsgi/plugins.py file? > > Does it prevent to load Web UI? > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From prasun.gera at gmail.com Mon May 2 00:14:35 2016 From: prasun.gera at gmail.com (Prasun Gera) Date: Sun, 1 May 2016 20:14:35 -0400 Subject: [Freeipa-users] Account/password expirations In-Reply-To: References: <20160419155704.GC14903@hendrix> <20160421193726.GB4262@hendrix> <20160429073230.GC25181@hendrix> Message-ID: It turns out that this was a permissions issue. Everything works now. Thanks. On Sat, Apr 30, 2016 at 11:26 PM, Prasun Gera wrote: > Ah, this doesn't work on ubuntu (14.04). The command itself works, but > sshd on ubuntu isn't probably compiled with support for this although I see > "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" in sshd_config. I > don't think the freeipa/sssd ppas package sshd. Any way to get this working > on ubuntu 14.04 ? > > On Fri, Apr 29, 2016 at 12:30 PM, Anon Lister > wrote: > >> Yep sorry I missed that. You need to put your public keys in IPA. 
>> On Apr 29, 2016 3:32 AM, "Jakub Hrozek" wrote: >> >> On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote: >> > > >> > > You can still authenticate with SSH keys, but to access any NFS 4 >> shares >> > > they will need a Kerberos ticket, which can be obtained via a 'kinit' >> after >> > > logging in. >> > > >> > >> > Then how does the key authentication work if the .ssh directory on nfs4 >> is >> > not accessible ? Doesn't the key authentication process rely on >> > .ssh/authorized keys being readable by the authentication module ? >> >> SSSD can fetch the authorized keys from IPA, see man >> sss_ssh_authorizedkeys(1) >> >> > From joshua at azariah.com Mon May 2 02:43:24 2016 From: joshua at azariah.com (Joshua J. Kugler) Date: Sun, 01 May 2016 18:43:24 -0800 Subject: [Freeipa-users] Unexpiring user passwords In-Reply-To: <57262F52.6000702@redhat.com> References: <2910253.sYcCN7UY4D@hosanna> <57262F52.6000702@redhat.com> Message-ID: <2057309.WEi9MLHt0U@hosanna> On Sunday, May 01, 2016 12:31:14 Rob Crittenden wrote: > > Is there a way around this? Is there a password synchronization protocol > > that can be used to link up systems that need to have common logins? > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync Rob - Thank you! For some reason, I had seen that page, and scanned through it, but missed that part. Very grateful! j -- Joshua J.
Kugler - Fairbanks, Alaska Azariah Enterprises - Programming and Website Design joshua at azariah.com - Jabber: pedahzur at gmail.com PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A From bentech4you at gmail.com Mon May 2 03:13:42 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Mon, 2 May 2016 06:13:42 +0300 Subject: [Freeipa-users] Help regarding SUDo rule implementation In-Reply-To: References: Message-ID: HI All sudo rules got worked. actually i tried after 6 hours, what is the default time to get affect this rule affect normally, is there any way to manually pull changes from client? Regards, Ben On Sun, May 1, 2016 at 11:46 PM, Ben .T.George wrote: > HI > > i have a working setup of FreeIPA 4.3 with AD integrated, I am able to > apply HBAC rules and from client side it's working. > > how can i apply sudo rules to that specific POSIX group. > > i have created sample rule and added 2 commands put option as !authenticate > and attached this rule to client, but still sudo -l is not working > > /etc/nsswitch.conf file has : sudoers: files sss > > and /etc/sssd/sssd.conf has : services = nss, sudo, pam, ssh > > Thanks & Regards, > Ben > From pspacek at redhat.com Mon May 2 06:44:58 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 2 May 2016 08:44:58 +0200 Subject: [Freeipa-users] DNS reverse Zones on other server In-Reply-To: <08C1F0DB82CAD14DA46313AE457AFF721B990D41@fieinfmbx2vp.fiege.com> References: <08C1F0DB82CAD14DA46313AE457AFF721B990D41@fieinfmbx2vp.fiege.com> Message-ID: <2eccfc87-329b-249d-3418-df95e3929153@redhat.com> On 29.4.2016 17:46, Wanka, Silvio wrote: > Hi, > > if I search in the web for this problem I don't find a usable solution, maybe my search pattern is wrong. ;-) > > I have setup an IPA domain with integrated DNS but because the most systems here are Windows servers and clients the IPA clients must use the same IP ranges.
So the reverse zones are located on AD domain controllers. These reverse zones are of course configured as forward zones on the IPA DNS server. So reverse lookup works properly for all AD computers but I miss a possibility that if we join a computer to IPA which adds a DNS record or manually add a DNS record that the reverse record will be automatically added on AD site as it would be done if the reverse zone would be located on IPA site. > Is there the only possibility to manage the reverse record on AD site manually or update/refresh it per regular running script? > > I have a one-way trust to AD but won't change it to two-way, if necessary and possible I would use a special AD account for that. I can see two options: - configure DHCP server to somehow update the DNS server (to avoid authentication of client machines to the DNS server for updates) - use two-way trust - you already denied this option Sorry, we do not have a better answer for you right now. -- Petr^2 Spacek From pspacek at redhat.com Mon May 2 06:48:23 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 2 May 2016 08:48:23 +0200 Subject: [Freeipa-users] Free IPA Client in Docker In-Reply-To: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> Message-ID: <8276059e-6897-e61c-01a8-7209b206269c@redhat.com> On 28.4.2016 20:14, Hosakote Nagesh, Pawan wrote: > As a Follow up question I also wanted to know why it is absolutely necessary for Kerberos Client to have hostname? Won't Client initiate the connection and FreeIPA server can take it from there. > If so what is the need of FQDN for FreeIPA client at all? FQDN is needed as a host identifier in cases where you need to use a keytab. Kerberos Client could function without keytab but it could not host any services and it would be less secure as the client could not verify KDC's identity etc. FreeIPA right now does not support keytab-less clients. Does it answer your question?
-- Petr^2 Spacek From pspacek at redhat.com Mon May 2 06:55:01 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 2 May 2016 08:55:01 +0200 Subject: [Freeipa-users] dnsforwardzone-add giving error In-Reply-To: References: Message-ID: <3f34e304-a6c5-f555-3eb2-41672147270c@redhat.com> On 1.5.2016 14:32, Ben .T.George wrote: > HI > > After reboot i tried the same command and i got below error > > [root at global ~]# ipa dnsforwardzone-add kwttestdc.com.kw > --forwarder=192.168.37.131 --forward-policy=only > Server will check DNS forwarder(s). > This may take some time, please wait ... > ipa: ERROR: DNS check for domain kwttestdc.com.kw. failed: All nameservers > failed to answer the query kwttestdc.com.kw. IN SOA: Server 127.0.0.1 UDP > port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 > anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered > The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS > operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL. > > > this is the first time i am seeing this error. This indicates a problem with DNS resolution from the FreeIPA server. I would recommend you to run the following commands and to inspect named logs: $ dig kwttestdc.com.kw SOA $ journalctl -u named-pkcs11 Also, please see below. > On Sun, May 1, 2016 at 3:30 PM, Ben .T.George wrote: > >> HI LIst, >> >> i don't know how to explain this issue. I was trying IPA 4.3.1 >> >> while adding DNS, i am getting below error >> >> [root at global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw >> --forwarder=192.168.37.131 --forward-policy=only >> Server will check DNS forwarder(s). >> This may take some time, please wait ... >> ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is >> handled by server(s): corp.kwttestdc.com.kw. IPA detected that you are trying to use forward zone to override content of zone kwttestdc.com.kw which is already resolvable.
This is almost always a bad idea. Why are you adding a forward zone even though the zone can be resolved directly from the FreeIPA server? What is the use-case? Petr^2 Spacek >> >> >> and in my resolv.conf, i have given like below: >> >> nameserver 127.0.0.1 >> >> someone please explain what is the issue and how to fix this one. >> >> Regards, >> Ben From jhrozek at redhat.com Mon May 2 07:23:08 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 2 May 2016 09:23:08 +0200 Subject: [Freeipa-users] Help regarding SUDo rule implementation In-Reply-To: References: Message-ID: <20160502072308.GQ25181@hendrix> On Mon, May 02, 2016 at 06:13:42AM +0300, Ben .T.George wrote: > HI All > > sudo rules got worked. actually i tried after 6 hours, what is the default > time to get affect this rule affect normally, is there any way to manually > pull changes from client? see man sssd-sudo, there are explanations of the different timeouts sssd uses. From pvoborni at redhat.com Mon May 2 08:38:36 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 2 May 2016 10:38:36 +0200 Subject: [Freeipa-users] ipa-client password authentication failed In-Reply-To: References: <20160422151651.GH620@hendrix> <70BBF132-4288-4550-B875-D774ED73FB20@redhat.com> <08f1d5b6-a600-7dcb-30cf-e608f25e8d96@redhat.com> Message-ID: On 05/02/2016 02:05 AM, siology.io wrote: > That plugins.py file does exist, but it's totally empty. Following should be the content of the file. Adding it there should fix the issue. https://git.fedorahosted.org/cgit/freeipa.git/tree/install/wsgi/plugins.py The question is how it got into that state. What IPA version from what repository do you use? Have you done any manual changes there? > > And yes, all i get on the browser is an empty white screen window, That is most likely a result of the above.
> > On 30 April 2016 at 02:20, Petr Vobornik > wrote: > > On 04/29/2016 12:44 AM, siology.io wrote: > > On a clean centos 7 VM, after installation of ipa-server browsing to the ipa web > > UI gets me in the httpd error_logs: > > > > [Thu Apr 28 18:41:11.826134 2016] [:error] [pid 10162] [remote 10.0.4.10:244 > > ] mod_wsgi (pid=10162): Target WSGI script > > '/usr/share/ipa/wsgi/plugins.py' does not contain WSGI application 'application'. > > > > Is this a known issue ? I didn't get much out of google. > > > > I don't see this issue on RHEL 7.2 nor FreeIPA 4.3.x on F23. Could you > paste here content of your /usr/share/ipa/wsgi/plugins.py file? > > Does it prevent to load Web UI? > -- > Petr Vobornik > > -- Petr Vobornik From rob.verduijn at gmail.com Mon May 2 09:48:48 2016 From: rob.verduijn at gmail.com (Rob Verduijn) Date: Mon, 2 May 2016 11:48:48 +0200 Subject: [Freeipa-users] ipa client deletes dns record from ipa domain Message-ID: Hello, I'm a bit at loss here. For some reason when I set 'dyndns_update = True' the system deletes its DNS A record from the ipa domain. I have this with some systems not all, which makes it more confusing for me. I've deleted the sssd cache, triple checked all the configs and logs, but I can't seem to find any errors or inconsistencies with the flawed system or the ones that do work. Any ideas what could cause this ? I now have set it to false on the system that keeps deleting its record, but I keep wondering what is causing this. Regards Rob Verduijn From jhrozek at redhat.com Mon May 2 09:54:54 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 2 May 2016 11:54:54 +0200 Subject: [Freeipa-users] ipa client deletes dns record from ipa domain In-Reply-To: References: Message-ID: <20160502095454.GB14225@hendrix> On Mon, May 02, 2016 at 11:48:48AM +0200, Rob Verduijn wrote: > Hello, > > I'm a bit at loss here. > For some reason when I set 'dyndns_update = True' the system deletes > its DNS A record from the ipa domain.
> > I have this with some systems not all, which makes it more confusing for me. > > I've deleted the sssd cache, triple checked all the configs and logs, > but I can't seem to find any errors or inconsistencies with the flawed > system or the ones that do work. > > Any ideas what could cause this ? > > I now have set it to false on the system that keeps deleting its > record, but I keep wondering what is causing this. I guess sssd logs would tell something. I thought we removed the old and re-added the new records within the same transaction, but I could be wrong.. From mbasti at redhat.com Mon May 2 10:28:53 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 2 May 2016 12:28:53 +0200 Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire In-Reply-To: References: <5723436E.8030206@redhat.com> <57234734.6050601@redhat.com> Message-ID: <57272BE5.4040203@redhat.com> Hello, Can you try to upgrade server to the same version? You did not provide all information I requested. Martin On 29.04.2016 19:13, barrykfl at gmail.com wrote: > server 1: > ipa-server-3.0.0-26.el6_4.4.x86_64 > > server2 > > ipa-server-3.0.0-37.el6.x86_64 > > 2016-04-30 1:10 GMT+08:00 >: > > > ipa-server-3.0.0-37.el6.x86_64 << here > > 2016-04-29 19:36 GMT+08:00 Martin Basti >: > > Please keep, user-list in CC > > You did not send all information I requested. > > Please use `rpm -q ipa-server` to get exact version number > > > On 29.04.2016 13:32, barrykfl at gmail.com > wrote: >> >> Error.is from Gss api And i m think if it relate cert issue. >> >> Server1> server 2 fail >> Server 2 > server1 ok >> >> Freeipa 3.0 both >> >> slapd_ldap_sasl_interactive_bind - Error: could not perform >> interactive bind for id [] mech [GSSAPI]: LDAP error -2 >> (Local error) (SASL(-1): generic failure: GSSAPI Error: >> Unspecified GSS failure.
Minor code may provide more >> information (Credentials cache file '/tmp/krb5cc_492' not >> found)) errno 0 (Success) >> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could >> not perform interactive bind for id [] mech [GSSAPI]: error >> -2 (Local error) >> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - >> agmt="cn=meTocentral02.ABC.com >> " (central02:389): Replication >> bind with GSSAPI auth failed: LDAP error -2 (Local error) >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >> failure. Minor code may provide more information (Credentials >> cache file '/tmp/krb5cc_492' not found)) >> [26/Apr/2016:18:40:19 +0800] - slapd started. Listening on >> All Interfaces port 389 for LDAP requests >> [26/Apr/2016:18:40:19 +0800] - Listening on >> /var/run/slapd-ABC-COM.socket for LDAPI requests >> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - >> agmt="cn=meTocentral02.ABC.com >> " (central02:389): Replication >> bind with GSSAPI auth resumed >> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - >> agmt="cn=meTocentral02.ABC.com >> " (central02:389): Missing >> data encountered >> [26/Apr/2016:18:40:23 +0800] >> >> >> >> On 29.04.2016 13:02, barrykfl at gmail.com >> wrote: >>> Hi All: >>> >>> Any method can fall back the default ipa cert if I didn't >>> backup original? >>> >>> Now the slapd and ipa cert storage quite a mess so they cant >>> replicate even disabled nsslapd:security to off >>> >>> >>> thx >>> Barry >>> >>> >> Hello Barry, >> >> Can you provide more info? >> >> What is your IPA version, OS? >> What are the symptoms you are experiencing? >> What do you mean by default ipa cert ? >> Can you provide logs from replicas? >> Can you provide `getcert list` command output? >> Can you provide `ipactl status` from both servers? >> >> Replication uses GSSAPI, at least on new IPA versions, I'm >> not sure if certificates are involved in this. >> >> Martin > > >
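The replication errors quoted in this thread are easy to misread by eye: the GSSAPI bind fails, then resumes four seconds later, and the interesting question is which agreements are still down and what the last failure said. Here is an added example (not code from the thread, from FreeIPA or from 389-ds) that parses NSMMReplicationPlugin lines from the 389-ds errors log, tracks the latest bind state per replication agreement, and pulls out the missing Kerberos credentials cache named in the GSSAPI minor-code text. The line layout is assumed from the lines quoted above, and the sample log is constructed for the example (central02 recovers, central03 does not).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Shape of the 389-ds errors-log lines written by the replication plugin,
# modelled on the lines quoted in the thread (assumed format):
# [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meToX" (host:389): <message>
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<msg>.*)$'
)
# GSSAPI minor-code text naming the credentials cache the bind needed.
KRB5CC_RE = re.compile(r"Credentials cache file '(?P<path>[^']+)' not found")


@dataclass
class Event:
    ts: datetime
    agmt: str
    peer: str
    msg: str


@dataclass
class AgreementState:
    status: str = "unknown"                # "failed" or "ok" after a bind message
    last_error: Optional[str] = None       # full text of the most recent failure
    missing_krb5cc: Optional[str] = None   # ccache path the failed bind could not find
    missing_data: bool = False             # "Missing data encountered" was logged
    last_change: Optional[datetime] = None


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a replication-plugin line, None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return Event(ts, m.group("agmt"), m.group("peer"), m.group("msg"))


def summarize(lines: List[str]) -> Dict[str, AgreementState]:
    """Replay the log in order and keep the latest bind state per agreement."""
    states: Dict[str, AgreementState] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        st = states.setdefault(ev.agmt, AgreementState())
        if "bind with GSSAPI auth failed" in ev.msg:
            st.status, st.last_error, st.last_change = "failed", ev.msg, ev.ts
            cc = KRB5CC_RE.search(ev.msg)
            if cc:
                st.missing_krb5cc = cc.group("path")
        elif "bind with GSSAPI auth resumed" in ev.msg:
            st.status, st.last_change = "ok", ev.ts
        elif "Missing data encountered" in ev.msg:
            st.missing_data = True
    return states


def failing_agreements(states: Dict[str, AgreementState]) -> List[str]:
    """Agreements whose most recent bind attempt failed and has not resumed."""
    return [agmt for agmt, st in states.items() if st.status == "failed"]


# Constructed sample log (not from any real server): central02 recovers four
# seconds after a credentials-cache failure, central03 stays failed.
SAMPLE_LOG = [
    "[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)",
    "[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt=\"cn=meTocentral02.ABC.com\" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))",
    "[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests",
    "[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt=\"cn=meTocentral02.ABC.com\" (central02:389): Replication bind with GSSAPI auth resumed",
    "[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt=\"cn=meTocentral02.ABC.com\" (central02:389): Missing data encountered",
    "[26/Apr/2016:18:40:25 +0800] NSMMReplicationPlugin - agmt=\"cn=meTocentral03.ABC.com\" (central03:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))",
]


if __name__ == "__main__":
    for agmt, st in summarize(SAMPLE_LOG).items():
        extra = []
        if st.missing_krb5cc:
            extra.append(f"last failure: ccache {st.missing_krb5cc} missing")
        if st.missing_data:
            extra.append("missing data reported")
        print(f"{agmt}: {st.status}" + (f" ({'; '.join(extra)})" if extra else ""))
```

Feed it the errors log of each replica (for example with `summarize(open(path).readlines())`) and compare the result with `ipa-replica-manage list` and `getcert list`: an agreement that is still in the failed state with a missing credentials cache points at the Kerberos side (keytab, ccache ownership, clock) rather than at certificates, which matches Martin's remark that replication binds use GSSAPI.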
From mbasti at redhat.com Mon May 2 10:39:38 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 2 May 2016 12:39:38 +0200 Subject: [Freeipa-users] Ldap error in ModifyPassword - 50: Insufficient access In-Reply-To: <0984AB34E553F54B8705D776686863E70AC0AE7F@cd-exchange01.CD-PRD.candeal.ca> References: <0984AB34E553F54B8705D776686863E70AC0AE7F@cd-exchange01.CD-PRD.candeal.ca> Message-ID: <57272E6A.8040004@redhat.com> Hello, comments inline On 29.04.2016 19:37, Gady Notrica wrote: > > Hey guys, > > After my previous issue, my password do not sync anymore with IPA. No > password changed for the sync user. Any ideas? > I don't know what your previous issue was, so please put context here. > > Thank you, > > 04/29/16 13:32:56: Ldap error in ModifyPassword > > 50: Insufficient access > > 04/29/16 13:32:56: Modify password failed for remote entry: > uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local > > 04/29/16 13:32:56: Deferring password change for jlaporte > > 04/29/16 13:32:58: Ldap error in ModifyPassword > > 50: Insufficient access > > 04/29/16 13:32:58: Modify password failed for remote entry: > uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local > > 04/29/16 13:32:58: Deferring password change for jlaporte > > 04/29/16 13:33:02: Ldap error in ModifyPassword > > 50: Insufficient access > > 04/29/16 13:33:02: Modify password failed for remote entry: > uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local > > 04/29/16 13:33:02: Deferring password change for jlaporte > > 04/29/16 13:33:10: Ldap error in ModifyPassword > > 50: Insufficient access > > 04/29/16 13:33:10: Modify password failed for remote entry: > uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local > > 04/29/16 13:33:10: Deferring password change for jlaporte > > Gady > Well error message is clear to me, you have low privileges to do that operation. Can you check ACI or IPA privileges for the user that is trying to change passwords.
Martin > > > From dsullivan2 at bsd.uchicago.edu Mon May 2 10:48:13 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Mon, 2 May 2016 10:48:13 +0000 Subject: [Freeipa-users] Quick question regarding modifying attributes In-Reply-To: <20160429072218.GA25181@hendrix> References: <4D672522-7239-4023-8BA6-B2A15152A4D9@bsd.uchicago.edu> <20160428162933.GZ12779@hendrix> <879C1889-45C7-4922-B794-87A52B851197@bsd.uchicago.edu> <20160429072218.GA25181@hendrix> Message-ID: <12E444B0-0563-4B91-B198-FF0F4CDCA2A5@bsd.uchicago.edu> Hi, Jakub, Thank you for taking the time to reply to my email. It is nice to know that short names will be possible in 7.3. Unfortunately this will not address the problem we are trying to resolve; to make a long story short we are working with a proprietary system called Isilon OneFS (a scale out NAS platform made by EMC); we are aggregating records from disparate authentication sources into a single identity (the mapping engine is proprietary). The aggregation logic implemented matches based on username. So, we need the user (and group) names in their short representation served up via either LDAP or NIS, not just via SSSD. It sounds like with 7.3 it might be possible to do this if we implement a NIS server on a client running an SSSD client with id_provider=ipa. One of the things we are struggling with is enumerating every object (of either user or group class) of a foreign domain via querying IPA's LDAP server. It is possible to explicitly query entries from remote domain from my IPA instance via LDAP by querying for username at f.q.d.n, but it does not seem possible to query for all user objects in a foreign domain by doing something such as a wildcard search. If it is possible to enumerate all objects from a specific class from a foreign domain (i.e. force the generation of anchor records), we would be interested in the methodology behind this.
Thank you again for all of your help. Best, Dan Sullivan On Apr 29, 2016, at 2:22 AM, Jakub Hrozek > wrote: On Thu, Apr 28, 2016 at 06:31:20PM +0000, Sullivan, Daniel [AAA] wrote: Jakub, Thank you for your reply. I did not know that the compat tree was populated from sssd; Do you have any experience and or recommendation on using the full_name_format variable of sssd.conf to manipulate how cn's are populated in anchor records? Basically I'm interested in trying to get IPA to provision anchor records for a trusted domain without the @f.d.q.n appended to usernames. It seems like having a custom full_name_format (sssd.conf) possibly in conjunction with default_domain_suffix (sssd.conf) might achieve this (have already done some internal testing with partial results, running into some issues but interested in your and the group's opinion on the viability of this). It's not possible at the moment to change the output format of the sssd on the server or the format of the entries in the compat tree. Several pieces of the stack (including the extdom plugin that serves requests to the sssd clients) rely on the name being qualified at least on the server side to function properly. What should be possible starting with 7.3 is to have the shortnames in the output of SSSD clients with id_provider=ipa. But I'm not sure legacy clients would work either with shortnames because with the legacy clients, we typically treat the whole qualified string as a "name": ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [sssd] services = nss, pam config_file_version = 2 domains = default re_expression = (?P<name>.+) <------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the re_expression tells sssd that the whole input string, qualified or not is a "name", there is no separate IPA and AD domain in these setups.
This is because with the legacy clients, those clients must use the "ldap" id_provider pointed to the compat tree and the 'ldap' provider, unlike the 'ipa' or 'ad' providers has no notion of trusted domains internally. So if you want to use shortnames on the output, I think the best bet is to wait for sssd-1.14 (coming in RHEL-7.3) with the ipa provider. ******************************************************************************** This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal. Thank you University of Chicago Medicine and Biological Sciences ******************************************************************************** From mbasti at redhat.com Mon May 2 10:54:01 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 2 May 2016 12:54:01 +0200 Subject: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version In-Reply-To: References: <570CF37E.7000700@redhat.com> Message-ID: <572731C9.2020304@redhat.com> On 01.05.2016 10:24, Ben .T.George wrote: > Hi All, > > again link for IPA 4.3.1 is offline > > https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ > > Could it be a temporal copr issue? I see all packages there. Martin > > On Tue, Apr 12, 2016 at 4:19 PM, Ben .T.George > wrote: > > Hi > > Wow.Thanks for your fast response. > > Regards > Ben > > On 12 Apr 2016 16:09, "Martin Basti" > wrote: > > > > On 12.04.2016 14:59, Ben .T.George wrote: >> Hi List, >> >> From where can i get repo details for FreeIPA 4.3.1 version. >> the link provided in website is broken.
>> https://www.freeipa.org/page/Releases/4.3.1 >> >> please someone give me right package details. >> >> Regards, >> Ben >> >> > Hello, > > thank you for report, I fixed the page > > CentOS repos: > https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ > > Martin > > From bentech4you at gmail.com Mon May 2 10:55:14 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Mon, 2 May 2016 13:55:14 +0300 Subject: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version In-Reply-To: <572731C9.2020304@redhat.com> References: <570CF37E.7000700@redhat.com> <572731C9.2020304@redhat.com> Message-ID: HI thanks yes now it's working and yesterday it was not. regards, Ben On Mon, May 2, 2016 at 1:54 PM, Martin Basti wrote: > > > On 01.05.2016 10:24, Ben .T.George wrote: > > Hi All, > > again link for IPA 4.3.1 is offline > > https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ > > > Could it be a temporal copr issue? I see all packages there. > Martin > > > On Tue, Apr 12, 2016 at 4:19 PM, Ben .T.George > wrote: > >> Hi >> >> Wow.Thanks for your fast response. >> >> Regards >> Ben >> On 12 Apr 2016 16:09, "Martin Basti" wrote: >> >>> >>> >>> On 12.04.2016 14:59, Ben .T.George wrote: >>> >>> Hi List, >>> >>> From where can i get repo details for FreeIPA 4.3.1 version. the link >>> provided in website is broken. >>> https://www.freeipa.org/page/Releases/4.3.1 >>> >>> please someone give me right package details. >>> >>> Regards, >>> Ben >>> >>> >>> Hello, >>> >>> thank you for report, I fixed the page >>> >>> CentOS repos: >>> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ >>> >>> Martin >>> >> > >
From abokovoy at redhat.com Mon May 2 11:02:56 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 2 May 2016 14:02:56 +0300 Subject: [Freeipa-users] Quick question regarding modifying attributes In-Reply-To: <12E444B0-0563-4B91-B198-FF0F4CDCA2A5@bsd.uchicago.edu> References: <4D672522-7239-4023-8BA6-B2A15152A4D9@bsd.uchicago.edu> <20160428162933.GZ12779@hendrix> <879C1889-45C7-4922-B794-87A52B851197@bsd.uchicago.edu> <20160429072218.GA25181@hendrix> <12E444B0-0563-4B91-B198-FF0F4CDCA2A5@bsd.uchicago.edu> Message-ID: <20160502110256.2luwxciwywtgk3th@redhat.com> On Mon, 02 May 2016, Sullivan, Daniel [AAA] wrote: >Hi, Jakub, > >Thank you for taking the time to reply to my email. It is nice to know >that short names will be possible in 7.3. Unfortunately this will not >address the problem we are trying to resolve; to make a long story >short we are working with a proprietary system called Isilon OneFS (a >scale out NAS platform made by EMC); we are aggregating records from >disparate authentication sources into a single identity (the mapping >engine is proprietary). The aggregation logic implemented matches >based on username. So, we need the user (and group) names in their >short representation served up via either LDAP or NIS, not just via >SSSD. > >It sounds like with 7.3 it might be possible to do this if we implement >a NIS server on a client running an SSSD client with id_provider=ipa. > >One of the things we are struggling with is enumerating every object >(of either user or group class) of a foreign domain via querying IPA's >LDAP server. It is possible to explicitly query entries from remote >domain from my IPA instance via LDAP by querying for >username at f.q.d.n, but it does not seem >possible to query for all user objects in a foreign domain by doing >something such as a wildcard search. If it is possible to enumerate >all objects from a specific class from a foreign domain (i.e.
force the >generation of anchor records), we would be interested in the methodology >behind this. I don't think it would be possible. That's a short answer and if you want to discuss it, I'd hope someone from your team would be at SambaXP next week where we could discuss it in more detail. -- / Alexander Bokovoy From abokovoy at redhat.com Mon May 2 11:04:10 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 2 May 2016 14:04:10 +0300 Subject: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version In-Reply-To: References: <570CF37E.7000700@redhat.com> <572731C9.2020304@redhat.com> Message-ID: <20160502110410.bupgyvoqegs54s6u@redhat.com> On Mon, 02 May 2016, Ben .T.George wrote: >HI > >thanks > >yes now it's working and yesterday it was not. COPR service SLA is weaker than primary Fedora repositories. Basically, we have no promise COPR would be available all the time. -- / Alexander Bokovoy From rob.verduijn at gmail.com Mon May 2 11:06:13 2016 From: rob.verduijn at gmail.com (Rob Verduijn) Date: Mon, 2 May 2016 13:06:13 +0200 Subject: [Freeipa-users] ipa client deletes dns record from ipa domain In-Reply-To: <20160502095454.GB14225@hendrix> References: <20160502095454.GB14225@hendrix> Message-ID: debug logging from sssd is rather overwhelming, What am I looking for in the logs ? Rob 2016-05-02 11:54 GMT+02:00 Jakub Hrozek : > On Mon, May 02, 2016 at 11:48:48AM +0200, Rob Verduijn wrote: >> Hello, >> >> I'm a bit at loss here. >> For some reason when I set 'dyndns_update = True' the system deletes >> its DNS A record from the ipa domain. >> >> I have this with some systems not all, which makes it more confusing for me. >> >> I've deleted the sssd cache, triple checked all the configs and logs, >> but I can't seem to find any errors or inconsistencies with the flawed >> system or the ones that do work. >> >> Any ideas what could cause this ?
>> >> I now have set it to false on the system that keeps deleting its >> record, but I keep wondering what is causing this. > > I guess sssd logs would tell something. I thought we removed the old and > re-added the new records within the same transaction, but I could be > wrong.. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From przemek.orzechowski at makolab.pl Mon May 2 11:23:49 2016 From: przemek.orzechowski at makolab.pl (=?UTF-8?Q?Przemys=c5=82aw_Orzechowski?=) Date: Mon, 2 May 2016 13:23:49 +0200 Subject: [Freeipa-users] How do I create single sudo grpoup for both Centos and Ubuntu? Message-ID: <572738C5.1050903@makolab.pl> Hi I'm trying to create a single usergroup for sudo enabled users for both Centos and Ubuntu users The problem is on centos its group wheel (10), and on ubuntu its sudo (27) how do i have tried to do it using ID view but somehow I'm not getting it right btw Centos clients versions 6.x, 7.x Ubuntu clients versions 12.04,14.04,16.04 Ipa server is on Centos 7 IPA VERSION: 4.2.0, API_VERSION: 2.156 Regards Przemysław Orzechowski From mkosek at redhat.com Mon May 2 11:32:45 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 2 May 2016 13:32:45 +0200 Subject: [Freeipa-users] ipa trust-fetch-domains failing. In-Reply-To: References: Message-ID: <6ba5c88e-7234-a306-3d17-0ba016dc5ea8@redhat.com> Thanks for confirmation. Can you share with the list what was the root cause of your problem? Maybe it helps someone else.
Thanks, Martin On 04/30/2016 08:23 AM, Ben .T.George wrote: > HI All > > this issue has solved > > On Sat, Apr 30, 2016 at 9:16 AM, Ben .T.George > wrote: > > when i am running ipa trust-fetch-domains "kwttestdc.com.kw > " , i am getting below error in error_log > > [Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed to > call com.redhat.idm.trust.fetch_domains helper.DBus exception is > org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes > include: the remote application did not send a reply, the message bus > security policy blocked the reply, the reply timeout expired, or the network > connection was broken.. > [Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO: > [jsonserver_session] admin at IDM.LOCAL: trust_fetch_domains(u'kwttestdc.com.kw > ', rights=False, all=False, raw=False, > version=u'2.156'): ServerCommandError > > On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George > wrote: > > Hi > > Anyone please help me to fix this issue. > > i have created new group in AD( 4 hours back) and while i was mapping > this group as --external, i am getting below error. 
> > > [root at freeipa sysctl.d]# ipa group-add --external ad_admins_external > --desc "KWTTESTDC.com.KW AD > Administrators-External" > ---------------------------------- > Added group "ad_admins_external" > ---------------------------------- > Group name: ad_admins_external > Description: KWTTESTDC.com.KW AD > Administrators-External > [root at freeipa sysctl.d]# ipa group-add-member ad_admins_external > --external "KWTTESTDC\test admins" > [member user]: > [member group]: > Group name: ad_admins_external > Description: KWTTESTDC.com.KW AD > Administrators-External > Failed members: > member user: > member group: KWTTESTDC\test admins: Cannot find specified domain > or server name > ------------------------- > Number of members added 0 > ------------------------- > > > > On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George > wrote: > > Hi > > while issuing ipa trust-fetch-domains, i am getting below error. > > i have created new security group in AD and i want to add this to > external group. > > [root at freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw > " > ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains > from trusted forest failed. See details in the error_log > > help me to fix/explain more about this error > > Regards > > > > > > From rob.verduijn at gmail.com Mon May 2 11:41:33 2016 From: rob.verduijn at gmail.com (Rob Verduijn) Date: Mon, 2 May 2016 13:41:33 +0200 Subject: [Freeipa-users] ipa client deletes dns record from ipa domain In-Reply-To: References: <20160502095454.GB14225@hendrix> Message-ID: found it, I needed to set dyndns_iface to the proper device It was set to the original device which was bridged, so no ip address was assigned to it. After setting it to bridge0 the update went ok Rob Verduijn 2016-05-02 13:06 GMT+02:00 Rob Verduijn : > debug logging from sssd is rather overwhelming, > What am I looking for in the logs ?
>
> Rob
>
> 2016-05-02 11:54 GMT+02:00 Jakub Hrozek :
>> On Mon, May 02, 2016 at 11:48:48AM +0200, Rob Verduijn wrote:
>>> Hello,
>>>
>>> I'm a bit at a loss here.
>>> For some reason when I set 'dyndns_update = True' the system deletes its DNS A record from the ipa domain.
>>>
>>> I have this with some systems, not all, which makes it more confusing for me.
>>>
>>> I've deleted the sssd cache, triple checked all the configs and logs, but I can't seem to find any errors or inconsistencies with the flawed system or the ones that do work.
>>>
>>> Any ideas what could cause this ?
>>>
>>> I now have set it to false on the system that keeps deleting its record, but I keep wondering what is causing this.
>>
>> I guess sssd logs would tell something. I thought we removed the old and re-added the new records within the same transaction, but I could be wrong..
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

From harald.dunkel at aixigo.de Mon May 2 12:39:12 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Mon, 2 May 2016 14:39:12 +0200
Subject: [Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs
Message-ID: 

Hi folks,

System: freeipa client, Debian 8 (using systemd), cron 3.0pl1-128, sssd 1.13.4-2

Problem: Cron fails to start a few "@reboot" jobs at boot time. cron.log shows:

:
May  2 13:36:48 fpsde8i002 anacron[197]: Anacron 2.3 started on 2016-05-02
May  2 13:36:48 fpsde8i002 anacron[197]: Normal exit (0 jobs run)
May  2 13:36:48 fpsde8i002 cron[194]: (CRON) INFO (pidfile fd = 3)
May  2 13:36:48 fpsde8i002 cron[194]: (user1) ORPHAN (no passwd entry)
May  2 13:36:48 fpsde8i002 cron[194]: (user2) ORPHAN (no passwd entry)
May  2 13:36:48 fpsde8i002 cron[194]: (CRON) INFO (Running @reboot jobs)
:

AFAICT cron is started last at boot time.
cron.service is

[Unit]
Description=Regular background program processing daemon
Documentation=man:cron(8)

[Service]
EnvironmentFile=-/etc/default/cron
ExecStart=/usr/sbin/cron -f $EXTRA_OPTS
IgnoreSIGPIPE=false
KillMode=process
Type=idle

[Install]
WantedBy=multi-user.target

The "Type=idle" should make sure (https://wiki.archlinux.org/index.php/systemd).

If I add a crontab entry "@reboot ( ps -ef; ls -al /home ) >/var/tmp/ls.log" for root, then the generated file reveals that sssd has been started, but its sssd_something services are not running. ls shows just the numerical UIDs instead of the login IDs.

Sssd might have been started first, but apparently it's not ready yet. Shouldn't it block at boot time for some time to make sure that all internal services are available?

Every helpful comment is highly appreciated
Harri

From pspacek at redhat.com Mon May 2 12:52:56 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 2 May 2016 14:52:56 +0200
Subject: [Freeipa-users] DNS reverse Zones on other server
In-Reply-To: <08C1F0DB82CAD14DA46313AE457AFF721B9918AF@fieinfmbx2vp.fiege.com>
References: <08C1F0DB82CAD14DA46313AE457AFF721B990D41@fieinfmbx2vp.fiege.com> <2eccfc87-329b-249d-3418-df95e3929153@redhat.com> <08C1F0DB82CAD14DA46313AE457AFF721B991874@fieinfmbx2vp.fiege.com> <9292ac12-2c53-4a5b-668f-33751637ce1b@redhat.com> <08C1F0DB82CAD14DA46313AE457AFF721B9918AF@fieinfmbx2vp.fiege.com>
Message-ID: <6be98240-a78c-4f7b-4d1b-e9e3ae354f53@redhat.com>

Hi,

first of all, please always keep mailing list in Cc. I re-added it back.

See below:

On 2.5.2016 14:40, Wanka, Silvio wrote:
> Petr Spacek wrote:
>
> Again Thx for your answer!
>
>> It works differently. DNS updates from clients would be forwarded to AD server (as today) and two-way trust would enable AD to authenticate IPA clients.
>
> This is not what I need, my IPA "clients" are always servers with static IP addresses, i.e. "ipa-client-install" creates a fixed A record and the enabled "Allow PTR sync" does nothing because it can't.
>
>> Anyway, neither slave nor stub would help you with this problem as both types are by definition read-only.
>
> In bind exists an option "allow-update-forwarding" which would offer such possibility but then IPA must use it if the A record should be created but the zone is local. Maybe in the future. I know from Windows DNS servers which are not Domain Controllers that they forward the request of its clients to create or update a DNS record to the DCs if the domain is configured e.g. as stub zone on this non DC DNS servers.

AFAIK this works only when local server is authoritative for the zone. As far as I understood you, IPA is not authoritative for the reverse zones so it would do nothing.

I'm curious how this option works with GSS-TSIG updates, I never tried that. You might set-up slave zone manually in named.conf and then try to enable this option. Please report your findings to the mailing list, I'm very curious.

I hope this will help.

-- 
Petr^2 Spacek

From anthony.wan.cheng at gmail.com Mon May 2 13:07:20 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Mon, 02 May 2016 13:07:20 +0000
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To: <5724BC4A.3060400@redhat.com>
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com> <5724BC4A.3060400@redhat.com>
Message-ID: 

On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
> Anthony Cheng wrote:
> > OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> >
> > However, after using
> >
> > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
> >
> > and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i ) (/sbin/service ipa restart), I still see:
> >
> > [root at test ~]# ipa-getcert list | more
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>
> IPA proxies requests to the CA through Apache. This means that while tomcat started ok it didn't load the dogtag CA application, hence the Not Found.
>
> Check the CA debug and selftest logs to see why it failed to start properly.
>
> [ snip ]

Actually after a reboot that error went away and I just get this error instead "ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates)." from "getcert list"

Result of service ipa restart is interesting since it shows today's time when I already changed date/time/disabled NTP so somehow the system still knows today's time.
PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

> > Would really greatly appreciate any help on this.
> >
> > Also I noticed after I do ldapmodify of usercertificate binary data with
> >
> > add: usercertificate;binary
> > usercertificate;binary: !@#$@!#$#@$
>
> You really pasted in binary? Or was this base64-encoded data?
>
> I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using something like:
>
> dn: uid=ipara,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary:< file:///path/to/cert.der
>
> You can use something like openssl x509 to switch between PEM and DER formats.
>
> I have a vague memory that dogtag can deal with a multi-valued usercertificate attribute.
>
> rob

Yes the wiki stated binary, the result of:

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W

shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...

But the actual data is from a PEM though.

> > Then I re-run
> >
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
> >
> > I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicate and NOT from data that I added. That seems incorrect to me.
> >
> >
> > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
> >
> >     klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry).
> > > > Also I had asked awhile back about whether there is dependency on > > DIRSRV to renew the cert; didn't get any response but I suspect > > there is a dependency. > > > > Regarding the clock skew, I found out from /var/log/message that > > shows me this so it may be from named: > > > > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock > > skew too great) > > Jan 28 14:10:42 test named[2911]: loading configuration: failure > > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error) > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS > > failure. Minor code may provide more information (Creden > > tials cache file '/tmp/krb5cc_496' not found) > > > > I don't have a krb5cc_496 file (since klist is empty), so sounds to > > me I need to get a kerberoes ticket before going any further. Also > > is the file /etc/krb5.keytab access/modification time important? I > > had changed time back to before the cert expiration date and reboot > > and try renew but the error message about clock skew is still > > there. That seems strange. > > > > Lastly, as a absolute last resort, can I regenerate a new cert > > myself? > > > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html > > > > [root at test /]# klist > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) > > [root at test /]# service ipa start > > Starting Directory Service > > Starting dirsrv: > > PKI-IPA... [ OK ] > > sample-NET... [ OK ] > > Starting KDC Service > > Starting Kerberos 5 KDC: [ OK ] > > Starting KPASSWD Service > > Starting Kerberos 5 Admin Server: [ OK ] > > Starting DNS Service > > Starting named: [FAILED] > > Failed to start DNS Service > > Shutting down > > Stopping Kerberos 5 KDC: [ OK ] > > Stopping Kerberos 5 Admin Server: [ OK ] > > Stopping named: [ OK ] > > Stopping httpd: [ OK ] > > Stopping pki-ca: [ OK ] > > Shutting down dirsrv: > > PKI-IPA... [ OK ] > > sample-NET... 
[ OK ] > > Aborting ipactl > > [root at test /]# klist > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) > > [root at test /]# service ipa status > > Directory Service: STOPPED > > Failed to get list of services to probe status: > > Directory Server is stopped > > > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka > > wrote: > > > > On 27/04/16 21:54, Anthony Cheng wrote: > > > Hi list, > > > > > > I am trying to renew expired certificates following the > > manual renewal procedure > > > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) > > but even with > > > resetting the system/hardware clock to a time before expires, > > I am getting the > > > error "ca-error: Error setting up ccache for local "host" > > service using default > > > keytab: Clock skew too great." > > > > > > With NTP disable and clock reset why would it complain about > > clock skew and how > > > does it even know about the current time? > > > > > > [root at test certs]# getcert list > > > Number of certificates and requests being tracked: 8. > > > Request ID '20111214223243': > > > status: MONITORING > > > ca-error: Error setting up ccache for local "host" > > service using > > > default keytab: Clock skew too great. 
> > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > > Certificate > > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > ,O=sample.NET > > > expires: 2016-01-29 14:09:46 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20111214223300': > > > status: MONITORING > > > ca-error: Error setting up ccache for local "host" > > service using > > > default keytab: Clock skew too great. > > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > Certificate > > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > Certificate > > > DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > ,O=sample.NET > > > expires: 2016-01-29 14:09:45 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20111214223316': > > > status: MONITORING > > > ca-error: Error setting up ccache for local "host" > > service using > > > default keytab: Clock skew too great. 
> > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > ,O=sample.NET > > > expires: 2016-01-29 14:09:45 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130741': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true > ". > > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=CA Audit,O=sample.NET > > > expires: 2017-10-13 14:10:49 UTC > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "auditSigningCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130742': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true > ". 
> > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=OCSP Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-OCSPSigning > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "ocspSigningCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130743': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true > ". > > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=CA Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "subsystemCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130744': > > > status: MONITORING > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true > ". 
> > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate > > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=RA Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ra_cert > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130745': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true > ". > > > stuck: yes > > > key pair storage: > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > ,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes[root at test certs]# getcert list > > > Number of certificates and requests being tracked: 8. > > > Request ID '20111214223243': > > > status: MONITORING > > > ca-error: Error setting up ccache for local "host" > > service using > > > default keytab: Clock skew too great. 
> > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > > Certificate > > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > ,O=sample.NET > > > expires: 2016-01-29 14:09:46 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20111214223300': > > > status: MONITORING > > > ca-error: Error setting up ccache for local "host" > > service using > > > default keytab: Clock skew too great. > > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > Certificate > > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > Certificate > > > DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > ,O=sample.NET > > > expires: 2016-01-29 14:09:45 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20111214223316': > > > status: MONITORING > > > ca-error: Error setting up ccache for local "host" > > service using > > > default keytab: Clock skew too great. 
> > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > ,O=sample.NET > > > expires: 2016-01-29 14:09:45 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130741': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true > ". > > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=CA Audit,O=sample.NET > > > expires: 2017-10-13 14:10:49 UTC > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "auditSigningCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130742': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true > ". 
> > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=OCSP Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-OCSPSigning > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "ocspSigningCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130743': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true > ". > > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=CA Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "subsystemCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130744': > > > status: MONITORING > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true > ". 
> > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate > > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=RA Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ra_cert > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130745': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true > ". > > > stuck: yes > > > key pair storage: > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > ,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > -- > > > > > > Thanks, Anthony > > > > > > > > > > > > > Hello Anthony! > > > > After stopping NTP (or other time synchronizing service) and > setting > > time manually server really don't have a way to determine that > > its time > > differs from the real one. > > > > I think this might be issue with Kerberos ticket. You can show > > content > > of root's ticket cache using klist. 
> > If there is anything clean it with kdestroy and try to resubmit the request again.
> >
> > --
> > David Kupka
> >
> > --
> >
> > Thanks, Anthony
> >
> > --
> >
> > Thanks, Anthony
> >
> >
> > --
> > Thanks, Anthony

From rcritten at redhat.com Mon May 2 13:54:22 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 2 May 2016 09:54:22 -0400
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To: 
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com> <5724BC4A.3060400@redhat.com>
Message-ID: <57275C0E.10003@redhat.com>

Anthony Cheng wrote:
> On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
>
>     Anthony Cheng wrote:
>     > OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>     >
>     > However, after using
>     >
>     > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>     >
>     > and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i ) (/sbin/service ipa restart), I still see:
>     >
>     > [root at test ~]# ipa-getcert list | more
>     > Number of certificates and requests being tracked: 8.
>     > Request ID '20111214223243':
>     >         status: CA_UNREACHABLE
>     >         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>
>     IPA proxies requests to the CA through Apache. This means that while tomcat started ok it didn't load the dogtag CA application, hence the Not Found.
>
>     Check the CA debug and selftest logs to see why it failed to start properly.
> > [ snip ] > > Actually after a reboot that error went away and I just get this error > instead "ca-error: Server failed request, will retry: -504 (libcurl > failed to execute the HTTP POST transaction. Peer certificate cannot be > auth enticated with known CA certificates)." from "getcert list" > > Result of service ipa restart is interesting since it shows today's time > when I already changed date/time/disable NTP so somehow the system still > know today's time. > > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert: > CERT_VerifyCertificateNow: verify certificate failed for cert > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable > Runtime error -8181 - Peer's Certificate has expired.) Hard to say. I'd confirm that there is no time syncing service running, ntp or otherwise. > > > Would really greatly appreciate any help on this. > > > > Also I noticed after I do ldapmodify of usercertificate binary > data with > > > > add: usercertificate;binary > > usercertificate;binary: !@#$@!#$#@$ > > You really pasted in binary? Or was this base64-encoded data? > > I wonder if there is a problem in the wiki. If this is really a binary > value you should start with a DER-encoded cert and load it using > something like: > > dn: uid=ipara,ou=people,o=ipaca > changetype: modify > add: usercertificate;binary > usercertificate;binary:< file:///path/to/cert.der > > You can use something like openssl x509 to switch between PEM and DER > formats. > > I have a vague memory that dogtag can deal with a multi-valued > usercertificate attribute. > > rob > > > Yes the wiki stated binary, the result of: > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b > uid=ipara,ou=People,o=ipaca -W > > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ... > > But the actual data is from a PEM though. Ok. So I looked at my CA data and it doesn't use the binary subtype, so my entries look like: userCertificate:: MIID.... 
It might make a difference if dogtag is looking for the subtype or not. rob > > > > > Then I re-run > > > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W > -b uid=ipara,ou=People,o=ipaca > > > > I see 2 entries for usercertificate;binary (before modify there > was only > > 1) but they are duplicate and NOT from data that I added. That seems > > incorrect to me. > > > > > > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng > > > >> wrote: > > > > klist is actually empty; kinit admin fails. Sounds like then > > getcert resubmit has a dependency on kerberoes. I can get a > backup > > image that has a valid ticket but it is only good for 1 day (and > > dated pasted the cert expire). > > > > Also I had asked awhile back about whether there is dependency on > > DIRSRV to renew the cert; didn't get any response but I suspect > > there is a dependency. > > > > Regarding the clock skew, I found out from /var/log/message that > > shows me this so it may be from named: > > > > Jan 28 14:10:42 test named[2911]: Failed to init credentials > (Clock > > skew too great) > > Jan 28 14:10:42 test named[2911]: loading configuration: failure > > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error) > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS > > failure. Minor code may provide more information (Creden > > tials cache file '/tmp/krb5cc_496' not found) > > > > I don't have a krb5cc_496 file (since klist is empty), so > sounds to > > me I need to get a kerberoes ticket before going any > further. Also > > is the file /etc/krb5.keytab access/modification time > important? I > > had changed time back to before the cert expiration date and > reboot > > and try renew but the error message about clock skew is still > > there. That seems strange. > > > > Lastly, as a absolute last resort, can I regenerate a new cert > > myself? 
> > > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html > > > > [root at test /]# klist > > klist: No credentials cache found (ticket cache > FILE:/tmp/krb5cc_0) > > [root at test /]# service ipa start > > Starting Directory Service > > Starting dirsrv: > > PKI-IPA... > [ OK ] > > sample-NET... > [ OK ] > > Starting KDC Service > > Starting Kerberos 5 KDC: [ > OK ] > > Starting KPASSWD Service > > Starting Kerberos 5 Admin Server: [ > OK ] > > Starting DNS Service > > Starting named: > [FAILED] > > Failed to start DNS Service > > Shutting down > > Stopping Kerberos 5 KDC: [ > OK ] > > Stopping Kerberos 5 Admin Server: [ > OK ] > > Stopping named: [ > OK ] > > Stopping httpd: [ > OK ] > > Stopping pki-ca: [ > OK ] > > Shutting down dirsrv: > > PKI-IPA... > [ OK ] > > sample-NET... > [ OK ] > > Aborting ipactl > > [root at test /]# klist > > klist: No credentials cache found (ticket cache > FILE:/tmp/krb5cc_0) > > [root at test /]# service ipa status > > Directory Service: STOPPED > > Failed to get list of services to probe status: > > Directory Server is stopped > > > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka > > > >> wrote: > > > > On 27/04/16 21:54, Anthony Cheng wrote: > > > Hi list, > > > > > > I am trying to renew expired certificates following the > > manual renewal procedure > > > here > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) > > but even with > > > resetting the system/hardware clock to a time before > expiry, > > I am getting the > > > error "ca-error: Error setting up ccache for local "host" > > service using default > > > keytab: Clock skew too great." > > > > > > With NTP disabled and clock reset why would it complain > about > > clock skew and how > > > does it even know about the current time? > > > > > > [root at test certs]# getcert list > > > Number of certificates and requests being tracked: 8.
> > > Request ID '20111214223243': > > > status: MONITORING > > > ca-error: Error setting up ccache for local > "host" > > service using > > > default keytab: Clock skew too great. > > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > > Certificate > > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > > ,O=sample.NET > > > expires: 2016-01-29 14:09:46 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20111214223300': > > > status: MONITORING > > > ca-error: Error setting up ccache for local > "host" > > service using > > > default keytab: Clock skew too great. > > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > Certificate > > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > Certificate > > > DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > > ,O=sample.NET > > > expires: 2016-01-29 14:09:45 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20111214223316': > > > status: MONITORING > > > ca-error: Error setting up ccache for local > "host" > > service using > > > default keytab: Clock skew too great. 
> > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > > ,O=sample.NET > > > expires: 2016-01-29 14:09:45 UTC > > > eku: id-kp-serverAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130741': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". > > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=CA Audit,O=sample.NET > > > expires: 2017-10-13 14:10:49 UTC > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "auditSigningCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130742': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
> > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=OCSP Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-OCSPSigning > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "ocspSigningCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130743': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". > > > stuck: yes > > > key pair storage: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=CA Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > /usr/lib64/ipa/certmonger/stop_pkicad > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > "subsystemCert cert-pki-ca" > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130744': > > > status: MONITORING > > > ca-error: Internal error: no response to > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
> > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate > > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=RA Subsystem,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > > /usr/lib64/ipa/certmonger/renew_ra_cert > > > track: yes > > > auto-renew: yes > > > Request ID '20130519130745': > > > status: NEED_CSR_GEN_PIN > > > ca-error: Internal error: no response to > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". > > > stuck: yes > > > key pair storage: > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > > ' > > > certificate: > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > > cert-pki-ca',token='NSS Certificate DB' > > > CA: dogtag-ipa-renew-agent > > > issuer: CN=Certificate Authority,O=sample.NET > > > subject: CN=test.sample.net > > > ,O=sample.NET > > > expires: 2017-10-13 14:09:49 UTC > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > -- > > > > > > Thanks, Anthony > > > > > > > > > > > > > Hello Anthony! > > > > After stopping NTP (or other time synchronizing service) > and setting > > time manually the server really doesn't have a way to determine > that > > its time > > differs from the real one. > > > > I think this might be an issue with the Kerberos ticket. You can > show > > the content > > of root's ticket cache using klist.
If there is anything, clean it with kdestroy and try to resubmit the request again. > > > > -- > > David Kupka > > > > -- > > > > Thanks, Anthony > > > > -- > > > > Thanks, Anthony > > > > > > > > -- > > Thanks, Anthony > From rcritten at redhat.com Mon May 2 14:22:49 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 2 May 2016 10:22:49 -0400 Subject: [Freeipa-users] How do I create single sudo group for both Centos and Ubuntu? In-Reply-To: <572738C5.1050903@makolab.pl> References: <572738C5.1050903@makolab.pl> Message-ID: <572762B9.5070309@redhat.com> Przemysław Orzechowski wrote: > Hi > > I'm trying to create a single user group for sudo-enabled users for both > Centos and Ubuntu users. > The problem is on Centos it's group wheel (10), and on Ubuntu it's sudo > (27). I have tried to do it using ID view but somehow I'm not > getting it right. > > btw > Centos clients versions 6.x, 7.x > Ubuntu clients versions 12.04,14.04,16.04 > IPA server is on Centos 7, IPA VERSION: 4.2.0, API_VERSION: 2.156 > > Regards > Przemysław Orzechowski > But aren't these groups used only if you use files for sudo (and even that is just a default)? If you are using IPA to provide the sudo rules then the group you choose shouldn't matter. rob From jhrozek at redhat.com Mon May 2 15:12:25 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 2 May 2016 17:12:25 +0200 Subject: [Freeipa-users] How do I create single sudo group for both Centos and Ubuntu?
In-Reply-To: <572762B9.5070309@redhat.com> References: <572738C5.1050903@makolab.pl> <572762B9.5070309@redhat.com> Message-ID: <20160502151225.GA22751@hendrix> On Mon, May 02, 2016 at 10:22:49AM -0400, Rob Crittenden wrote: > Przemysław Orzechowski wrote: > > Hi > > > > I'm trying to create a single user group for sudo-enabled users for both > > Centos and Ubuntu users. > > The problem is on Centos it's group wheel (10), and on Ubuntu it's sudo > > (27). I have tried to do it using ID view but somehow I'm not > > getting it right. > > > > btw > > Centos clients versions 6.x, 7.x > > Ubuntu clients versions 12.04,14.04,16.04 > > IPA server is on Centos 7, IPA VERSION: 4.2.0, API_VERSION: 2.156 > > > > Regards > > Przemysław Orzechowski > > > > But aren't these groups used only if you use files for sudo (and even that > is just a default)? If you are using IPA to provide the sudo rules then the > group you choose shouldn't matter. > > rob Doesn't polkit also use membership in these groups to determine if the user is a 'local admin'? I haven't configured this kind of setup myself, though. But if it is the case, the user is probably looking for: https://sourceware.org/glibc/wiki/Proposals/GroupMerging From abokovoy at redhat.com Mon May 2 15:22:44 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 2 May 2016 18:22:44 +0300 Subject: [Freeipa-users] How do I create single sudo group for both Centos and Ubuntu?
In-Reply-To: <20160502151225.GA22751@hendrix> References: <572738C5.1050903@makolab.pl> <572762B9.5070309@redhat.com> <20160502151225.GA22751@hendrix> Message-ID: <20160502152244.hwyf6kd7hmuvlmbp@redhat.com> On Mon, 02 May 2016, Jakub Hrozek wrote: >On Mon, May 02, 2016 at 10:22:49AM -0400, Rob Crittenden wrote: >> Przemysław Orzechowski wrote: >> > Hi >> > >> > I'm trying to create a single user group for sudo-enabled users for both >> > Centos and Ubuntu users. >> > The problem is on Centos it's group wheel (10), and on Ubuntu it's sudo >> > (27). I have tried to do it using ID view but somehow I'm not >> > getting it right. >> > >> > btw >> > Centos clients versions 6.x, 7.x >> > Ubuntu clients versions 12.04,14.04,16.04 >> > IPA server is on Centos 7, IPA VERSION: 4.2.0, API_VERSION: 2.156 >> > >> > Regards >> > Przemysław Orzechowski >> > >> >> But aren't these groups used only if you use files for sudo (and even that >> is just a default)? If you are using IPA to provide the sudo rules then the >> group you choose shouldn't matter. >> >> rob > >Doesn't polkit also use membership in these groups to determine if the >user is a 'local admin'? I haven't configured this kind of setup >myself, though. But if it is the case, the user is probably looking for: > https://sourceware.org/glibc/wiki/Proposals/GroupMerging There are many ways to achieve the same: http://www.freeipa.org/page/Howto/FreeIPA_PolicyKit I'd prefer to use HBAC and set 'polkit-1' and 'sudo' services via HBAC rules to grant access on the machines.
-- / Alexander Bokovoy From lslebodn at redhat.com Mon May 2 15:59:07 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 2 May 2016 17:59:07 +0200 Subject: [Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs In-Reply-To: References: Message-ID: <20160502155906.GA32607@10.4.128.1> On (02/05/16 14:39), Harald Dunkel wrote: >Hi folks, > >System: freeipa client, Debian 8 (using systemd), cron 3.0pl1-128, >sssd 1.13.4-2 > >Problem: >Cron fails to start a few "@reboot" jobs at boot time. cron.log >shows: > >: >May 2 13:36:48 fpsde8i002 anacron[197]: Anacron 2.3 started on 2016-05-02 >May 2 13:36:48 fpsde8i002 anacron[197]: Normal exit (0 jobs run) >May 2 13:36:48 fpsde8i002 cron[194]: (CRON) INFO (pidfile fd = 3) >May 2 13:36:48 fpsde8i002 cron[194]: (user1) ORPHAN (no passwd entry) >May 2 13:36:48 fpsde8i002 cron[194]: (user2) ORPHAN (no passwd entry) >May 2 13:36:48 fpsde8i002 cron[194]: (CRON) INFO (Running @reboot jobs) >: > >AFAICT cron is started last at boot time. cron.service is > > [Unit] > Description=Regular background program processing daemon > Documentation=man:cron(8) > > [Service] > EnvironmentFile=-/etc/default/cron > ExecStart=/usr/sbin/cron -f $EXTRA_OPTS > IgnoreSIGPIPE=false > KillMode=process > Type=idle > > [Install] > WantedBy=multi-user.target > >The "Type=idle" should make sure (https://wiki.archlinux.org/index.php/systemd). > >If I add a crontab entry "@reboot ( ps -ef; ls -al /home ) >/var/tmp/ls.log" >for root, then the generated file reveals that sssd has been started, but >its sssd_something services are not running. ls shows just the numerical >UIDs instead of the login IDs. > >Sssd might have been started first, but apparently it's not ready yet. >Shouldn't it block at boot time for some time to make sure that all >internal services are available? > Could you provide the output of "systemctl cat sssd.service"?
In my case, it should be started before nss-user-lookup.target # /usr/lib/systemd/system/sssd.service [Unit] Description=System Security Services Daemon # SSSD must be running before we permit user sessions Before=systemd-user-sessions.service nss-user-lookup.target Wants=nss-user-lookup.target [Service] EnvironmentFile=-/etc/sysconfig/sssd ExecStart=/usr/sbin/sssd -D -f # These two should be used with traditional UNIX forking daemons # consult systemd.service(5) for more details Type=forking PIDFile=/var/run/sssd.pid [Install] WantedBy=multi-user.target BTW LS From pvoborni at redhat.com Mon May 2 17:40:36 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 2 May 2016 19:40:36 +0200 Subject: [Freeipa-users] Replication error In-Reply-To: <1461916471786.49814@levi9.com> References: <1461672172950.27500@levi9.com> <1461916471786.49814@levi9.com> Message-ID: <2f7a4673-23ee-1dee-3b37-77ba56e5aab8@redhat.com> On 04/29/2016 09:54 AM, Anton Rubets wrote: > Hi > Yep, now "request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)" is gone. > But still I have > attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain389/o%3Dipaca) failed. > Maybe you can help me find out where I need to go? dirsrv, ldap, client, sssd etc. > Best Regards > Anton Rubets There is probably still some dangling RUV left in the dirsrv o=ipaca suffix. I'll repeat the procedure for future linking. 1. Get the list of replicas with a CA: # ipa-csreplica-manage list 2.
For *each* replica (here ipa1.example.test) get the list of RUVs and its replica ID: # ldapsearch -ZZ -h ipa1.example.test -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId" The replica ID looks like: nsDS5ReplicaId: 6 A RUV looks like: nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e7 Note that it is wrapped and grepped; an unwrapped RUV is e.g.: nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e284000000060000 57278b7e000000060000 You can see that the RUV contains a replica ID (8 in the example). "nsds50ruv: {replicageneration} 56f3e283000000060000" can be ignored. 3. Find all RUVs which don't have an existing replica ID. Hint: If the replica wasn't reinstalled then the hostname will also differ, which is a nice indicator of a dangling RUV. 4. Run the cleanallruv task for each dangling RUV identified in step 3; here the RUV is 13. # ldapmodify -ZZ -D "cn=directory manager" -W -a dn: cn=clean 13, cn=cleanallruv, cn=tasks, cn=config objectclass: extensibleObject replica-base-dn: o=ipaca replica-id: 13 cn: clean 13 So if you have e.g. 3 replicas with CA with IDs 8, 12, 10 (note that versions prior to FreeIPA 4.3 have a higher number for the CA suffix) and nsds50ruv shows only these IDs then you don't need to clean anything. Full example: # ipa-csreplica-manage list Directory Manager password: ipa1.example.test: master ipa2.example.test: master ipa3.example.test: master # ldapsearch -ZZ -h ipa1.example.test ... nsDS5ReplicaId: 6 nsds50ruv: {replicageneration} 56f3e283000000060000 nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2 nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2 nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7 # ldapsearch -ZZ -h ipa2.example.test ...
nsDS5ReplicaId: 5 nsds50ruv: {replicageneration} 56f3e283000000060000 nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2 nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7 nsds50ruv: {replica 3 ldap://ipa4.example.test:389} 56f3e1 nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2 # ldapsearch -ZZ -h ipa3.example.test ... nsDS5ReplicaId: 8 nsds50ruv: {replicageneration} 56f3e283000000060000 nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7 nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2 nsds50ruv: {replica 9 ldap://ipa2.example.test:389} 56f3d2 nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2 Here the correct replica IDs are 8,5,5. Dangling are 3,9. So the cleanallruv task would be run for 3,9. > ________________________________________ > From: Petr Vobornik > Sent: Thursday, April 28, 2016 1:49 PM > To: Anton Rubets; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Replication error > > On 04/26/2016 02:02 PM, Anton Rubets wrote: >> Hi all, >> >> I have issues with replication between two FreeIPA servers. >> >> In the master's log: >> >> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, >> ldap://ldap2.domain:389/o%3Dipaca) failed. >> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, >> ldap://ldap2.domain:389/o%3Dipaca) failed. >> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, >> ldap://ldap2.domain389/o%3Dipaca) failed. >> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS >> request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory) >> >> >> On the replica server: >> >> >> [26/Apr/2016:08:38:12 +0000] attrlist_replace - attr_replace (nsslapd-referral, >> ldap://ldap1.domain:389/o%3Dipaca) failed. >> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, >> ldap://ldap1domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, >> ldap://ldap1.domain:389/o%3Dipaca) failed. >> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, >> ldap://ldap1.domain:389/o%3Dipaca) failed. > > This is a symptom of dangling RUVs (replica update vectors) of previously > removed replicas. > > It happens when a replica is removed using: > # ipa-replica-manage del $replica > # ipa-server-install --uninstall (on replica) > > without running: > # ipa-csreplica-manage del $replica > first. > > The resolution is to clear the RUVs manually using the cleanallruv DS task because > ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will > receive a new command which will handle both suffixes automatically - #5411. > > The instructions can be found on the list: > * https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html > * https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html > > and > * http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html > * or the general procedure for the future feature: > https://fedorahosted.org/freeipa/ticket/5411#comment:7 > > > Important: Be very careful not to remove RUVs of existing replicas. > > >> >> >> And I can't find the source of this problem. I have checked permissions etc. As >> I see, the replica is working, but this message disturbs my email every few minutes and >> I want to somehow fix this. Also I just migrated from 3.0 to 4.2. >> Info: >> Master: >> rpm -qa | grep ipa >> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64 >> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64 >> sssd-ipa-1.13.0-40.el7_2.2.x86_64 >> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64 >> libipa_hbac-1.13.0-40.el7_2.2.x86_64 >> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64 >> python-iniparse-0.4-9.el7.noarch >> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64 >> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64
>> >> Replica: >> rpm -qa | grep ipa >> sssd-ipa-1.13.0-40.el7_2.2.x86_64 >> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64 >> libipa_hbac-1.13.0-40.el7_2.2.x86_64 >> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64 >> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64 >> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64 >> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64 >> python-iniparse-0.4-9.el7.noarch >> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 >> >> >> Best Regards >> Anton Rubets > -- > Petr Vobornik > -- Petr Vobornik From michael.rainey.ctr at nrlssc.navy.mil Mon May 2 17:30:19 2016 From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor)) Date: Mon, 2 May 2016 12:30:19 -0500 Subject: [Freeipa-users] FreeIPA with smart card using LightDM In-Reply-To: <20160429082833.GA7796@p.redhat.com> References: <20160429082833.GA7796@p.redhat.com> Message-ID: Sumit, Thank you for taking the time to reply to my questions. I'm interested in trying out the suggested test build. I do have a question about using the build. Will the build contain the feature of locking the screen when the smart card is removed? Let me know when the test build is ready. Thanks, *Michael Rainey* On 04/29/2016 03:28 AM, Sumit Bose wrote: > On Thu, Apr 28, 2016 at 04:09:16PM -0500, Michael Rainey (Contractor) wrote: >> I am wondering if anyone out there is currently using freeIPA with smart >> cards along with LightDM. I have systems running SL7.2 with GDM and I have >> users that prefer to use XFCE or KDE over the default GNOME-Shell. The >> problem with GDM is I am not able to get the screen lock feature to work across >> multiple desktop environments. If anyone uses XFCE, xscreensaver will need >> to be installed so they can lock their screen. This choice also makes using >> the smart card useless when logging back into the system. Also, I haven't >> been able to call the lock screen from the command line. What examples I have >> found do not work due to a missing ScreenSaver object.
>> >> If anyone has any good solutions to this problem I would enjoy hearing them. > Since Smartcard authentication does not make sense for all PAM services > SSSD uses a list of services where it would offer Smartcard > authentication. Currently this list is static and based on a default RHEL > or Fedora setup. We already have > https://fedorahosted.org/sssd/ticket/2926 to make this list configurable > and Lukas already wrote an initial patch for it > https://lists.fedorahosted.org/archives/list/sssd-devel at lists.fedorahosted.org/message/FQWOBQV6FFCBKZS2EXKIJU74473E7R7Y/ > > If you are interested I can provide you with a test build where XFCE, > KDM and xscreensaver are included, just let me know for which platform > you will need it. > > bye, > Sumit > >> Thanks in advance. >> -- >> *Michael Rainey* >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From jalvarez at cyberfuel.com Mon May 2 18:05:09 2016 From: jalvarez at cyberfuel.com (Jose Alvarez R.) Date: Mon, 2 May 2016 12:05:09 -0600 Subject: [Freeipa-users] HTTP response code is 401, not 200 In-Reply-To: <076e01d1a259$276aba30$76402e90$@cyberfuel.com> References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com> <57237EFE.4010705@redhat.com> <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com> <5723965F.20102@redhat.com> <06f901d1a241$c2770910$47651b30$@cyberfuel.com> <5723A5B1.8080109@redhat.com> <076e01d1a259$276aba30$76402e90$@cyberfuel.com> Message-ID: <015801d1a49d$2a6ad440$7f407cc0$@cyberfuel.com> Hi, Rob I did what you indicated to me, but still gives the same problem. Can you help me ? Thanks, Regards Jose Alvarez -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jose Alvarez R. 
Sent: viernes 29 de abril de 2016 02:53 p.m. To: 'Rob Crittenden' Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 Hi, Rob Thanks for your response The link https://bugzilla.redhat.com/show_bug.cgi?id=719945 I not have access.. I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm in the server PPA(Client IPA), but still shows the same error. A moment ago I added another client server with same version xmlrpc and installed correctly. Thanks Regards. [root at bk1 ~]# ipa-client-install --debug /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': missing options might be asked for interactively later Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' [IPA Discovery] Starting IPA discovery with domain=None, servers=None, hostname=bk1.cyberfuel.com Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains Search DNS for SRV record of _ldap._tcp.cyberfuel.com. DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.} [Kerberos realm search] Search DNS for TXT record of _kerberos.cyberfuel.com. DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU EL.COM} Search DNS for SRV record of _kerberos._udp.cyberfuel.com. 
DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} [LDAP server check] Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 Search LDAP server for IPA base DN Check if naming context 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' is a valid IPA context Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub) Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com will use discovered domain: cyberfuel.com Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains Search DNS for SRV record of _ldap._tcp.cyberfuel.com. DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.} DNS validated, enabling discovery will use discovered server: freeipa.cyberfuel.com Discovery was successful! will use discovered realm: CYBERFUEL.COM will use discovered basedn: dc=cyberfuel,dc=com Hostname: bk1.cyberfuel.com Hostname source: Machine's FQDN Realm: CYBERFUEL.COM Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname) IPA Server: freeipa.cyberfuel.com IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com BaseDN: dc=cyberfuel,dc=com BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 Continue to configure the system with these values? 
[no]: yes args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory User authorized to enroll computers: admin will use principal provided as option: admin Synchronizing time with KDC... Search DNS for SRV record of _ntp._udp.cyberfuel.com. No DNS record found args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout= stderr= args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout= stderr= args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout= stderr= Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. Writing Kerberos configuration to /tmp/tmp5msIum: #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = CYBERFUEL.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 [realms] CYBERFUEL.COM = { kdc = freeipa.cyberfuel.com:88 master_kdc = freeipa.cyberfuel.com:88 admin_server = freeipa.cyberfuel.com:749 default_domain = cyberfuel.com pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .cyberfuel.com = CYBERFUEL.COM cyberfuel.com = CYBERFUEL.COM Password for admin at CYBERFUEL.COM: args=kinit admin at CYBERFUEL.COM stdout=Password for admin at CYBERFUEL.COM: stderr= trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com Successfully retrieved CA cert Subject: CN=Certificate Authority,O=CYBERFUEL.COM Issuer: CN=Certificate Authority,O=CYBERFUEL.COM Valid From: Wed Sep 30 17:46:50 2015 UTC Valid Until: Sun Sep 30 17:46:50 2035 UTC args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d stdout= stderr=XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n bk1.cyberfuel.com\r\n \r\n \r\n nsosversion\r\n 2.6.32-573.12.1.el6.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n * About to connect() to freeipa.cyberfuel.com 
port 443 (#0) * Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/ipa/ca.crt CApath: none * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM * start date: Sep 30 17:52:11 2015 GMT * expire date: Sep 30 17:52:11 2017 GMT * common name: freeipa.cyberfuel.com * issuer: CN=Certificate Authority,O=CYBERFUEL.COM > POST /ipa/xml HTTP/1.1 Host: freeipa.cyberfuel.com Accept: */* Content-Type: text/xml User-Agent: ipa-join/3.0.0 Referer: https://freeipa.cyberfuel.com/ipa/xml X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 Content-Length: 478 < HTTP/1.1 401 Authorization Required < Date: Fri, 29 Apr 2016 20:42:25 GMT < Server: Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" < Accept-Ranges: bytes < Content-Length: 1370 < Connection: close < Content-Type: text/html; charset=UTF-8 < * Closing connection #0 * Issue another request to this URL: 'https://freeipa.cyberfuel.com:443/ipa/xml' * About to connect() to freeipa.cyberfuel.com port 443 (#0) * Trying 192.168.20.90... 
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) * CAfile: /etc/ipa/ca.crt CApath: none * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM * start date: Sep 30 17:52:11 2015 GMT * expire date: Sep 30 17:52:11 2017 GMT * common name: freeipa.cyberfuel.com * issuer: CN=Certificate Authority,O=CYBERFUEL.COM * Server auth using GSS-Negotiate with user '' > POST /ipa/xml HTTP/1.1 Authorization: Negotiate YIIFFAYJKoZIhvcSAQICAQBuggUDMIIE/6ADAgEFoQMCAQ6iBwMFAAAAAACjggFiYYIBXjCCAVqg AwIBBaEPGw1DWUJFUkZVRUwuQ09NoigwJqADAgEDoR8wHRsESFRUUBsVZnJlZWlwYS5MIZbbMHqa QcuYz6zysTVwY+I/uvLznfkDrkClgtyvEIsnBopXcWBenFEbqcmRIBa7bkXiIxc1tYEzNh1rME/4 ZUh0PjUjX+QQO9NDpYrAIxFLoP6b6J87wFt2Wi+Rx2LPGlcPrIwKPNwyaOqw/QQ8r11FLI5RVzpH eUL3uokQgZF6+GBoFo61lHY/W36Cb3JgxdG8Ge3TWWYgjEQKWlY48N6YNSPF2a2iKpgSuy/1Qe5E HTfpyiJWnZJnlEIHllpIIDgjCCA36gAwIBEqKCA3UEggNx1WXEz0IRl4aJlkL5Eq0bxky36jm7zI q3oiCcgWzqH9ma866TuD4ew++XcXmKZxszk6zf+c8tYhdRezxK74jF9XkpnRxTiBxOao7oPabJau yM0k637IWWzTb1m+cC46PRaysFc7x3z5CGBWNyu0DpGyw240za4cepY1J+Q+mm7bq51zCDyMU1CY 7+of3Z4Z7s6P5/x/pn8DJBegXVIYq2Wb3sQbMUJCSbCG37Xb8j2nzhAaup1l4xTINQxSSLZRIS7M H2YCE+z66P0607z7xBh7bwed97hHC2o3T0hDNnJOP7SRBUXquXCW9RbLUdOmYfcLcH8ygUWemm3A MqL+mDYN3jpe25O/7Z/wFxYiUIw/6CtHGjJ1nrDy47Y1sbsjU1XT/sJ8JqxRFwCm9ALpQP+rYZ0k v8/9OAaclw4vobu4Zmb3rVFBOzKpgRaUSvg4vSuRi/SPCzcH2PwBBSHpZuXWazWvZpnpTXYBl3nw lelW8gE1PWWeAhxbCDP/u5D6vAJ7q1287bL+UdpnCki0Ye0c1+LCsqzhscPDtWOMHAqzs5pwyyfC Qpg13GX93fHWJPRkrJbGTkGAknZkQFPtjks1C3JCRqhiz62KVLo6g5uRljHr8NNzvTBr2iRl9aK6 cDAEMaW5X26ko0XtO7urcbw/w6smuJLyYjroJH5Pe41bPMaUCls3RTvhxrlMzXSXgywPr3zDFpIg CirdIfqowkF5Utq6Uub2d9wdhXXYuH3PCj3KBzsAAHFv2iI+Xg3a7+7LlWUFnTLVEzEhsKVO3lO7 jFb8kKwop5o7yTyXsQmW4g0rdCam07GuRObob6yQ= Host: freeipa.cyberfuel.com Accept: */* Content-Type: text/xml User-Agent: ipa-join/3.0.0 Referer: https://freeipa.cyberfuel.com/ipa/xml X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 Content-Length: 478 < HTTP/1.1 200 
Success < Date: Fri, 29 Apr 2016 20:42:25 GMT < Server: Apache/2.2.15 (CentOS) * Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain freeipa.cyberfuel.com, path /ipa, expire 1461963745 < Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25 GMT; Secure; HttpOnly < Connection: close < Transfer-Encoding: chunked < Content-Type: text/xml; charset=utf-8 < * Expire cleared * Closing connection #0 XML-RPC RESPONSE: \n \n \n \n \n fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel, dc=com\n \n \n dn\n fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel, dc=com\n \n \n ipacertificatesubjectbase\n \n O=CYBERFUEL.COM\n \n \n \n has_keytab\n 0\n \n \n objectclass\n \n ipaobject\n nshost\n ipahost\n pkiuser\n ipaservice\n krbprincipalaux\n krbprincipal\n ieee802device\n ipasshhost\n top\n ipaSshGroupOfPubKeys\n \n \n \n fqdn\n \n bk1.cyberfuel.com\n \n \n \n has_password\n 0\n \n \n ipauniqueid\n \n e1a08eb8-0e4a-11e6-8c5b-005056b027f1\n \n \n \n krbprincipalname\n \n host/bk1.cyberfuel.com at CYBERFUEL.COM\n \n \n \n managedby_host\n \n bk1.cyberfuel.com\n \n \n \n \n \n \n \n Keytab successfully retrieved and stored in: /etc/krb5.keytab Certificate subject base is: O=CYBERFUEL.COM Enrolled in IPA realm CYBERFUEL.COM args=kdestroy stdout= stderr= Attempting to get host TGT... args=/usr/bin/kinit -k -t /etc/krb5.keytab host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr= Attempt 1/5 succeeded. Backing up system configuration file '/etc/ipa/default.conf' -> Not backing up - '/etc/ipa/default.conf' doesn't exist Created /etc/ipa/default.conf importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'... 
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' importing plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' args=klist -V stdout=Kerberos 5 version 1.10.3 stderr= importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' Backing up system configuration file '/etc/sssd/sssd.conf' -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist New SSSD config will be created Backing up system configuration file '/etc/nsswitch.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt stdout= stderr= Backing up system configuration file '/etc/krb5.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Writing Kerberos 
configuration to /etc/krb5.conf: #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = CYBERFUEL.COM dns_lookup_realm = true dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 [realms] CYBERFUEL.COM = { pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .cyberfuel.com = CYBERFUEL.COM cyberfuel.com = CYBERFUEL.COM Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr=keyctl_search: Required key not available args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr=keyctl_search: Required key not available failed to find session_cookie in persistent storage for principal 'host/bk1.cyberfuel.com at CYBERFUEL.COM' trying https://freeipa.cyberfuel.com/ipa/xml Created connection context.xmlclient raw: env(None, server=True) env(None, server=True, all=True) Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml' NSSConnection init freeipa.cyberfuel.com Connecting: 192.168.20.90:0 auth_certificate_callback: check_sig=True is_server=False Data: Version: 3 (0x2) Serial Number: 10 (0xa) Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: CN=Certificate Authority,O=CYBERFUEL.COM Validity: Not Before: Wed Sep 30 17:52:11 2015 UTC Not After: Sat Sep 30 17:52:11 2017 UTC Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM Subject Public Key Info: Public Key Algorithm: Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: ad:e7:d2:7f:c3:e1:91:0a:03:6d:5c:ba:54:14:3e:00: 0e:f9:e7:61:85:3c:4f:1b:8f:a8:fb:e4:b4:92:a3:7c: 7d:bb:06:b4:b8:43:8a:20:86:17:71:a2:a3:6a:a1:51: e5:89:44:0f:a1:43:67:3b:46:76:b0:81:9e:10:43:56: 86:9f:27:46:e1:5e:b3:d6:8c:17:73:e3:17:7d:e7:eb: a4:78:9c:7a:e8:6f:00:f8:36:d9:71:88:e1:90:bf:98: fa:40:0f:88:f4:2e:d8:a2:b3:a5:0c:5a:81:8b:2e:cf: 
22:f9:cb:6d:bf:85:7c:c9:7f:17:de:5d:d4:1a:2b:09: 5b:1b:99:11:22:3f:1e:49:5f:26:1a:25:2f:a4:50:2a: 8b:f2:3c:12:db:45:3f:f4:06:64:a2:30:5f:f4:a1:c9: 2c:8c:60:b5:c6:aa:25:2e:1e:31:c2:ad:2c:63:b0:a4: bb:2c:fc:f8:b6:f9:13:eb:09:bc:b0:c1:4c:06:06:09: 2f:f9:08:ba:7d:a4:0a:57:d1:8e:86:87:cb:f9:3a:58: 60:f9:34:e1:5b:34:d1:2f:8e:54:87:2a:74:9c:e2:d6: 83:4f:78:6b:59:1e:95:ec:67:6e:86:25:ad:f0:d3:6c: 96:9c:db:c3:e5:3f:e5:bc:f4:ff:55:55:18:a8:3e:5d Exponent: 65537 (0x10001) Signed Extensions: (5 total) Name: Certificate Authority Key Identifier Critical: False Key ID: 31:4f:83:e1:70:d7:ea:96:e5:1b:b1:c2:2c:d8:8a:a8: d1:87:fa:ff Serial Number: None General Names: [0 total] Name: Authority Information Access Critical: False Authority Information Access: [1 total] Info [1]: Method: PKIX Online Certificate Status Protocol Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment Name: Extended Key Usage Critical: False Usages: TLS Web Server Authentication Certificate TLS Web Client Authentication Certificate Name: Certificate Subject Key ID Critical: False Data: 73:ed:ac:87:d3:0e:04:84:66:5c:1a:e1:10:8d:f8:e1: 89:b9:1e:70 Signature: Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: 40:da:c2:6b:20:08:7c:4a:05:1a:e2:cc:49:7f:25:6c: 48:3a:73:3c:b6:ab:35:6c:1a:d9:78:15:60:48:0b:0e: c1:3c:bf:76:90:35:bf:67:b5:9d:88:1c:98:ce:3b:8a: f6:86:c7:f9:1e:7b:3c:cd:98:00:99:23:a4:06:4f:ed: 0f:ee:44:65:9d:db:b6:9d:cc:cf:cb:83:f8:7c:23:93: 2a:0b:40:bb:5b:31:c5:9e:ed:74:eb:c0:c9:cc:30:1e: 78:19:69:64:60:24:58:f5:a7:6f:3b:bb:f6:7c:72:5c: 1c:50:33:0f:df:49:b7:0a:cb:ac:3f:7b:4f:e7:42:e9: 3b:19:e0:15:a3:fe:e3:43:aa:23:69:d0:28:7a:64:b7: 19:e3:8a:a9:bc:48:3a:de:f7:c0:67:8b:02:e9:af:74: 49:33:5e:2f:21:0b:4c:f3:3d:63:ea:1e:2e:4d:e9:ed: af:ef:61:35:ad:86:2b:93:ab:b6:7d:45:ed:b1:9b:12: 57:fc:55:ef:42:46:01:63:b1:b9:84:e9:f4:46:fb:39: 
fa:1e:55:2e:20:32:c1:45:ad:ac:54:c9:e6:4e:ca:f1: fb:da:9a:b5:bc:8b:6c:43:86:4e:df:06:97:46:3e:9b: a2:a1:ff:41:6e:80:df:a7:bd:5d:96:2c:ba:e0:d2:56 Fingerprint (MD5): 09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48 Fingerprint (SHA1): c9:a0:1f:6d:8e:f6:d9:9b:53:6e:6b:92:ea:7c:ae:79: ca:4d:09:98 approved_usage = SSL Server intended_usage = SSL Server cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM" handshake complete, peer = 192.168.20.90:443 Protocol: TLS1.2 Cipher: TLS_RSA_WITH_AES_256_CBC_SHA received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30 GMT; Secure; HttpOnly' storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30 GMT; Secure; HttpOnly' for prin args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr=keyctl_search: Required key not available args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr=keyctl_search: Required key not available args=keyctl padd user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM @s stdout=640092261 stderr= Hostname (bk1.cyberfuel.com) not found in DNS Writing nsupdate commands to /etc/ipa/.dns_update.txt: zone cyberfuel.com. update delete bk1.cyberfuel.com. IN A send update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13 send args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt stdout= stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns1.cyberfuel.com at CYBERFUEL.COM no nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1 Failed to update DNS records. args=/sbin/service messagebus start stdout=Starting system message bus: [ OK ] stderr= args=/sbin/service messagebus status stdout=messagebus (pid 41820) is running... 
stderr= args=/sbin/service certmonger restart stdout=Stopping certmonger: [FAILED] Starting certmonger: [ OK ] stderr= args=/sbin/service certmonger status stdout=certmonger (pid 41859) is running... stderr= args=/sbin/service certmonger restart stdout=Stopping certmonger: [ OK ] Starting certmonger: [ OK ] stderr= args=/sbin/service certmonger status stdout=certmonger (pid 41927) is running... stderr= args=/sbin/chkconfig certmonger on stdout= stderr= args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K host/bk1.cyberfuel.com at CYBERFUEL.CO stdout=New signing request "20160429204235" added. stderr= Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA071MP58tqZXKpba7ndVtIqtgZmGNxm/PJz/eqf7w9SNewATA xmV14vUYyyohaIWBBi87sXwqcNsWBUWAcg2ezfKfKYqc3YPqaNq2poRL3+vhpNnHDBdfh2NzqdId slZEMt2H+v/0g3G52ycOoRCfhwbGasV+ZCxLGyCPnYTAb7gvpms+/JNf1FWjQpTHt+dZ8CtCcfvL ctY5pjdxT4kQTtK8kyyGwlXH/Oh4qisMsS57/1a1HEED7xczbIHF/YHF7u08WBbFe0Y40QA5gfa7 /hhu+JoblQBH55iKzR8l8RfZXt1Vcam2pr2nj/w0oYxyB+JkO0CuR/mWu93aLRkxFxtwEoUUiWMm M3mXs1gsTFKClFnTbOzwg8QyFlCj+An4GrzrsbAA/rfLvb+VmwOS/BccDZfAAAAFShUVZUinN/bv 4/xv1ejRLk62VxtHxw1z+w/JLc0WbTtIj4cB4nE03et3id5ZT6yDz5XKduyhAeCYPGXepmWXqSxb 2N/Ia5OZbEfwNcEivzWdeRzxnk+W8OErBuOkRcCYmT1aIFGmIAAACANrKXEgH6qjJZdpFM3CFIBt mZY3RF1adYeI7i8daJxkwxPv55idHkphc4aDX4lUPzvcw+r5jtE+rm4huv03qlTKy+/0HlTyIRJv wfpc='], updatedns=False) host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA071MP58tqZXKpba7ndVtIqtgZmGNxm/PJz/eqf7w9SNewATA xmV14vUYyyohaIWBBi87sXwlVqxX+L95cg2ezfKfKYqc3YPqaNq2poRL3+vhpNnHDBdfh2NzqdId slZEMt2H+v/0g3G52ycOoRCfhwbGasV+ZCxLGyCPnYTAb7gvpms+/JNf1FWjQpTHt+dZ8CtCcfvL ctY5pjdxT4kQTtK8kyyGwlXH/Oh4qisMsS57/1aAN359BmDxbIHF/YHF7u08WBbFe0Y40QA5gfa7 
/hhu+JoblQBH55iKzR8l8RfZXt1Vcam2pr2nj/w0oYxyB+JkO0CuR/mWu93aLRkxFxtwEoUUiWMm M3mXs1gsTFKClFnTbOzwg8QyFlCj+An4GrzrsbAA/rfLvb+VmwOS/BcXJiFI6Ub3ShUVZUinN/bv 4/xv1ejRLk62VxtHxw1z+w/JLc0WbTtIj4cB4nE03et3id5ZT6yDz5XKduyhAeCYPGXepmWXqSxb 2N/Ia5OZbEfwNcEivzWdeRzxnk+W8OErBuOkRcCYmT1aIFGmIAAACANrKXEgH6qjJZdpFM3mdAXb 7imVRF1adYeI7i8daJxkwxPv55idHkphc4aDX4lUPzvcw+r5jtE+rm4huv03qlTKy+/0HlTyIRJv wfpc='), rights=False, updatedns=False, all=False, raw=False, no_members=False) Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml' NSSConnection init freeipa.cyberfuel.com Connecting: 192.168.20.90:0 handshake complete, peer = 192.168.20.90:443 Protocol: TLS1.2 Cipher: TLS_RSA_WITH_AES_256_CBC_SHA received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 GMT; Secure; HttpOnly' storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 GMT; Secure; HttpOnly' for prin args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout=640092261 stderr= args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout=640092261 stderr= args=keyctl pupdate 640092261 stdout= stderr= Writing nsupdate commands to /etc/ipa/.dns_update.txt: zone cyberfuel.com. update delete bk1.cyberfuel.com. IN SSHFP send update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1 B40F0F3FF14223B021F206C3E3276AC48F6EEAF0 update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1 30D2331BC69452EFE65445B5C990773EA41A2FE8 send args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt stdout= stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns1.cyberfuel.com at CYBERFUEL.COM no nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1 Could not update DNS SSHFP records. 
args=/sbin/service nscd status stdout= stderr=nscd: unrecognized service Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd stdout= stderr= SSSD enabled Configuring cyberfuel.com as NIS domain args=/bin/nisdomainname stdout=(none) stderr= Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com stdout= stderr= args=/bin/nisdomainname cyberfuel.com stdout= stderr= args=/sbin/service sssd restart stdout=Stopping sssd: [FAILED] Starting sssd: [ OK ] stderr=cat: /var/run/sssd.pid: No such file or directory args=/sbin/service sssd status stdout=sssd (pid 42071) is running... stderr= args=/sbin/chkconfig sssd on stdout= stderr= Backing up system configuration file '/etc/openldap/ldap.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Configured /etc/openldap/ldap.conf args=getent passwd admin stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash stderr= Backing up system configuration file '/etc/ntp/step-tickers' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' args=/usr/sbin/selinuxenabled stdout= stderr= args=/sbin/chkconfig ntpd stdout= stderr= Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' Backing up system configuration file '/etc/ntp.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' args=/usr/sbin/selinuxenabled stdout= stderr= Backing up system configuration file '/etc/sysconfig/ntpd' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' args=/usr/sbin/selinuxenabled stdout= stderr= args=/sbin/chkconfig ntpd on stdout= stderr= args=/sbin/service ntpd restart stdout=Shutting down ntpd: [ OK ] Starting ntpd: [ OK ] stderr= args=/sbin/service 
ntpd status
stdout=ntpd (pid 42133) is running...
stderr=
NTP enabled
Backing up system configuration file '/etc/ssh/ssh_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Configured /etc/ssh/ssh_config
Backing up system configuration file '/etc/ssh/sshd_config'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
stdout=
stderr=
Configured /etc/ssh/sshd_config
args=/sbin/service sshd status
stdout=openssh-daemon (pid 46497) is running...
stderr=
args=/sbin/service sshd restart
stdout=Stopping sshd: [ OK ]
Starting sshd: [ OK ]
stderr=
args=/sbin/service sshd status
stdout=openssh-daemon (pid 42190) is running...
stderr=
Client configuration complete.

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday 29 April 2016 12:19 p.m.
To: Jose Alvarez R. <jalvarez at cyberfuel.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi, Rob
>
> Thanks!!
>
>
> The version of xmlrpc-c on my IPA server:
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
>
>
> The version of xmlrpc-c on my IPA client:
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> libiqxmlrpc-0.12.4-0.parallels.i686
> xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64

You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
https://bugzilla.redhat.com/show_bug.cgi?id=719945

The libcurl version on the client looks ok.

This is only a client-side issue so no changes on the servers should be
necessary IIRC.

This appears to be EL 6.1 which at this point is quite old.

rob

>
> The versions are the same, but the libcurl is different
>
> It's the curl version on the IPA server
> [root at freeipa log]# rpm -qa | grep curl
> python-pycurl-7.19.0-8.el6.x86_64
> curl-7.19.7-46.el6.x86_64
> libcurl-7.19.7-46.el6.x86_64
> [root at freeipa log]#
>
>
> It's the curl version on the PPA server (IPA Client)
> [root at ppa named]# rpm -qa | grep curl
> curl-7.31.0-1.el6.x86_64
> python-pycurl-7.19.0-8.el6.x86_64
> libcurl-7.31.0-1.el6.x86_64
> libcurl-7.31.0-1.el6.i686
>
> Sorry, my English is not very good
>
>
> Regards.
>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday 29 April 2016 11:14 a.m.
> To: Jose Alvarez R. <jalvarez at cyberfuel.com>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Jose Alvarez R. wrote:
>> Hi Rob, Thanks for your response
>>
>> Yes, It's with admin.
>
> I assume this is a problem with your version of xmlrpc-c. We use
> standard xmlrpc-c calls to setup authentication and IIRC that
> links against libcurl which provides the Kerberos/GSSAPI support. On
> EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
>
> I'm confused about the versions. You mention PPA but include what look
> like RPM versions that seem to point to RHEL 6.
>
> rob
>
>>
>> I execute the command "ipa-client-install --debug"
>> ----------------------------------------------------------------------
>>
>>
>> [root at ppa named]# ipa-client-install --debug
>> /usr/sbin/ipa-client-install was invoked with options: {'domain':
>> None,
>> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
>> 'primary': False, 'mkhomedir
>> ': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True,
>> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain':
>> False, 'principal': None
>> , 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,
>> 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False,
>> 'conf_sudo': True, 'conf_ssh': Tr
>> ue, 'force_join': False, 'ca_cert_file': None, 'server': None,
>> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
>> False, 'uninstall': False}
>> missing options might be asked for interactively later Loading Index
>> file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=None, servers=None,
>> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in
>> "cyberfuel.com" (domain of the
>> hostname) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
>> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:
>> C
>> YBERFU
>> EL.COM}
>> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={
>> p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>> [LDAP server check]
>> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA
>> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>> Search LDAP server for IPA base DN Check if naming context
>> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com'
>> is a valid IPA context Search for (objectClass=krbRealmContainer) in
>> dc=cyberfuel,dc=com (sub)
>> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>> Discovery result: Success; server=freeipa.cyberfuel.com,
>> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com,
>> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com
>> will use discovered domain: cyberfuel.com Start searching for LDAP
>> SRV record in "cyberfuel.com" (Validating DNS
>> Discovery) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found:
>> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio
>> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.}
>> DNS validated, enabling discovery
>> will use discovered server: freeipa.cyberfuel.com Discovery was
>> successful!
>> will use discovered realm: CYBERFUEL.COM will use discovered basedn:
>> dc=cyberfuel,dc=com
>> Hostname: ppa.cyberfuel.com
>> Hostname source: Machine's FQDN
>> Realm: CYBERFUEL.COM
>> Realm source: Discovered from LDAP DNS records in
>> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source:
>> Discovered LDAP SRV records from cyberfuel.com (domain of the
>> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source:
>> Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> BaseDN: dc=cyberfuel,dc=com
>> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>>
>> Continue to configure the system with these values? [no]: no
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system. >> [root at ppa named]# >> [root at ppa named]# ipa-client-install --debug >> /usr/sbin/ipa-client-install was invoked with options: {'domain': >> None, >> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, >> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': >> True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, > 'nisdomain': >> None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': >> False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, >> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': >> True, 'force_join': False, 'ca_cert_file': None, 'server': None, >> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': >> False, 'uninstall': False} >> missing options might be asked for interactively later Loading Index >> file from '/var/lib/ipa-client/sysrestore/sysrestore.index' >> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' >> [IPA Discovery] >> Starting IPA discovery with domain=None, servers=None, >> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in >> "cyberfuel.com" (domain of the >> hostname) and its sub-domains >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com. >> DNS record found: >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio >> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} >> [Kerberos realm search] >> Search DNS for TXT record of _kerberos.cyberfuel.com. >> DNS record found: >> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data: >> C >> YBERFU >> EL.COM} >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com. 
>> DNS record found: >> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={ >> p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} >> [LDAP server check] >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA >> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 >> Search LDAP server for IPA base DN Check if naming context >> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' >> is a valid IPA context Search for (objectClass=krbRealmContainer) in >> dc=cyberfuel,dc=com (sub) >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com >> Discovery result: Success; server=freeipa.cyberfuel.com, >> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, >> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com >> will use discovered domain: cyberfuel.com Start searching for LDAP >> SRV record in "cyberfuel.com" (Validating DNS >> Discovery) and its sub-domains >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com. >> DNS record found: >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio >> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} >> DNS validated, enabling discovery >> will use discovered server: freeipa.cyberfuel.com Discovery was >> successful! >> will use discovered realm: CYBERFUEL.COM will use discovered basedn: >> dc=cyberfuel,dc=com >> Hostname: ppa.cyberfuel.com >> Hostname source: Machine's FQDN >> Realm: CYBERFUEL.COM >> Realm source: Discovered from LDAP DNS records in >> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: >> Discovered LDAP SRV records from cyberfuel.com (domain of the >> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source: >> Discovered from LDAP DNS records in freeipa.cyberfuel.com >> BaseDN: dc=cyberfuel,dc=com >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 >> >> Continue to configure the system with these values? 
[no]: yes >> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM >> stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file >> or directory >> >> User authorized to enroll computers: admin will use principal >> provided as option: admin Synchronizing time with KDC... >> Search DNS for SRV record of _ntp._udp.cyberfuel.com. >> No DNS record found >> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout= >> stderr= Writing Kerberos configuration to /tmp/tmpqWSatK: >> #File modified by ipa-client-install >> >> includedir /var/lib/sss/pubconf/krb5.include.d/ >> >> [libdefaults] >> default_realm = CYBERFUEL.COM >> dns_lookup_realm = false >> dns_lookup_kdc = false >> rdns = false >> ticket_lifetime = 24h >> forwardable = yes >> udp_preference_limit = 0 >> >> >> [realms] >> CYBERFUEL.COM = { >> kdc = freeipa.cyberfuel.com:88 >> master_kdc = freeipa.cyberfuel.com:88 >> admin_server = freeipa.cyberfuel.com:749 >> default_domain = cyberfuel.com >> pkinit_anchors = FILE:/etc/ipa/ca.crt >> >> } >> >> >> [domain_realm] >> .cyberfuel.com = CYBERFUEL.COM >> cyberfuel.com = CYBERFUEL.COM >> >> >> >> Password for admin at CYBERFUEL.COM: >> args=kinit admin at CYBERFUEL.COM >> stdout=Password for admin at CYBERFUEL.COM: >> >> stderr= >> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com >> Existing CA cert and Retrieved CA cert are identical >> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b >> dc=cyberfuel,dc=com -d stdout= stderr=XML-RPC CALL: >> >> \r\n \r\n >> join\r\n \r\n >> \r\n >> ppa.cyberfuel.com\r\n >> \r\n >> \r\n >> nsosversion\r\n >> 2.6.32-573.8.1.el6.x86_64\r\ >> n nshardwareplatform\r\n >> x86_64\r\n >> \r\n >> \r\n >> \r\n >> >> * About to connect() to freeipa.cyberfuel.com port 443 (#0) >> * Trying 192.168.20.90... 
>> * Adding handle: conn: 0x10bb2f0 >> * Adding handle: send: 0 >> * Adding handle: recv: 0 >> * Curl_addHandleToPipeline: length: 1 >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 >> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) >> * successfully set certificate verify locations: >> * CAfile: /etc/ipa/ca.crt >> CApath: none >> * SSL connection using AES256-SHA >> * Server certificate: >> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com >> * start date: 2015-09-30 17:52:11 GMT >> * expire date: 2017-09-30 17:52:11 GMT >> * common name: freeipa.cyberfuel.com (matched) >> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority >> * SSL certificate verify ok. >>> POST /ipa/xml HTTP/1.1 >> Host: freeipa.cyberfuel.com >> Accept: */* >> Content-Type: text/xml >> User-Agent: ipa-join/3.0.0 >> Referer: https://freeipa.cyberfuel.com/ipa/xml >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 >> Content-Length: 477 >> >> * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401 >> Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT >> * Server Apache/2.2.15 (CentOS) is not blacklisted < Server: >> Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: >> Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" >> < Accept-Ranges: bytes >> < Content-Length: 1370 >> < Connection: close >> < Content-Type: text/html; charset=UTF-8 < >> * Closing connection 0 >> HTTP response code is 401, not 200 >> >> Joining realm failed: XML-RPC CALL: >> >> \r\n \r\n >> join\r\n \r\n >> \r\n >> ppa.cyberfuel.com\r\n >> \r\n >> \r\n >> nsosversion\r\n >> 2.6.32-573.8.1.el6.x86_64\r\ >> n nshardwareplatform\r\n >> x86_64\r\n >> \r\n >> \r\n >> \r\n >> >> * About to connect() to freeipa.cyberfuel.com port 443 (#0) >> * Trying 192.168.20.90... 
>> * Adding handle: conn: 0x10bb2f0 >> * Adding handle: send: 0 >> * Adding handle: recv: 0 >> * Curl_addHandleToPipeline: length: 1 >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 >> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) >> * successfully set certificate verify locations: >> * CAfile: /etc/ipa/ca.crt >> CApath: none >> * SSL connection using AES256-SHA >> * Server certificate: >> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com >> * start date: 2015-09-30 17:52:11 GMT >> * expire date: 2017-09-30 17:52:11 GMT >> * common name: freeipa.cyberfuel.com (matched) >> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority >> * SSL certificate verify ok. >>> POST /ipa/xml HTTP/1.1 >> Host: freeipa.cyberfuel.com >> Accept: */* >> Content-Type: text/xml >> User-Agent: ipa-join/3.0.0 >> Referer: https://freeipa.cyberfuel.com/ipa/xml >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 >> Content-Length: 477 >> >> * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401 >> Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT >> * Server Apache/2.2.15 (CentOS) is not blacklisted < Server: >> Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: >> Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" >> < Accept-Ranges: bytes >> < Content-Length: 1370 >> < Connection: close >> < Content-Type: text/html; charset=UTF-8 < >> * Closing connection 0 >> HTTP response code is 401, not 200 >> >> Installation failed. Rolling back changes. >> IPA client is not configured on this system. 
>>
>> -------------------------------------------------
>>
>> This is the curl version on the IPA server:
>>
>> [root at freeipa log]# rpm -qa | grep curl
>> python-pycurl-7.19.0-8.el6.x86_64
>> curl-7.19.7-46.el6.x86_64
>> libcurl-7.19.7-46.el6.x86_64
>> [root at freeipa log]#
>>
>> This is the curl version on the PPA server (IPA client):
>>
>> [root at ppa named]# rpm -qa | grep curl
>> curl-7.31.0-1.el6.x86_64
>> python-pycurl-7.19.0-8.el6.x86_64
>> libcurl-7.31.0-1.el6.x86_64
>> libcurl-7.31.0-1.el6.i686
>>
>> The curl version is different, but the PPA curl version is from the
>> Odin Plesk repository.
>>
>> -----------------------------------------------------
>>
>> [root at ppa tmp]# cat kerberos_trace.log
>>
>> [12118] 1461855578.809966: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [12118] 1461855578.810171: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
>> [12118] 1461855578.810252: Getting credentials admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmptSoqDX
>> [12118] 1461855578.810369: Retrieving admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
>> [12118] 1461855578.810451: Retrieving admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: 0/Success
>> [12118] 1461855578.810476: Found cached TGT for service realm: admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
>> [12118] 1461855578.810509: Requesting tickets for ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
>> [12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
>> [12118] 1461855578.810679: etypes
>> 192.168.20.90:88
>> [18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
>> [18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
>> [18097] 1461937028.668984: Response was from master KDC
>> [18097] 1461937028.669109: TGS reply is for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9592
>> [18097] 1461937028.669136: TGS request result: 0/Success
>> [18097] 1461937028.669156: Received creds for desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [18097] 1461937028.669167: Removing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8
>> [18097] 1461937028.669176: Storing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8
>> [18097] 1461937028.669304: Creating authenticator for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
>> [18097] 1461937028.676414: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [18097] 1461937028.676470: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
>> [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey aes256-cts/26C4, seqnum 864174069
>>
>> -----------------------------------
>>
>> Regards
>>
>> Jose Alvarez
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Friday, April 29, 2016 09:34 a.m.
>> To: Jose Alvarez R. ; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>>
>> Jose Alvarez R. wrote:
>>> Hi Users
>>>
>>> Can you help me?
>>>
>>> I have a problem joining a client to my FreeIPA server. The
>>> IPA server version is 3.0 and the IPA client is 3.0.
>>>
>>> When I join my client to the IPA server it shows these errors:
>>>
>>> [root at ppa ~]# tail -f /var/log/ipaclient-install.log
>>>
>>> 2016-04-28T17:26:41Z DEBUG stderr=
>>>
>>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>>>
>>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
>>>
>>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>>>
>>> 2016-04-28T17:26:41Z DEBUG stdout=
>>>
>>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>>>
>>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
>>>
>>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>>>
>>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
>>
>> I'd look in the 389-ds access and error logs on the IPA server to see
>> if there are any more details. Look for the BIND from the client and
>> see what happens.
>>
>> More context from the log file might be helpful. I believe if you run
>> the client installer with --debug then additional flags are passed to
>> ipa-join to include the XML-RPC conversation and that might be useful too.
>>
>> What account are you using to enroll with, admin?
>>
>> rob
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
URL: From rcritten at redhat.com Mon May 2 19:14:31 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 2 May 2016 15:14:31 -0400 Subject: [Freeipa-users] HTTP response code is 401, not 200 In-Reply-To: <015801d1a49d$2a6ad440$7f407cc0$@cyberfuel.com> References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com> <57237EFE.4010705@redhat.com> <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com> <5723965F.20102@redhat.com> <06f901d1a241$c2770910$47651b30$@cyberfuel.com> <5723A5B1.8080109@redhat.com> <076e01d1a259$276aba30$76402e90$@cyberfuel.com> <015801d1a49d$2a6ad440$7f407cc0$@cyberfuel.com> Message-ID: <5727A717.9080001@redhat.com> Jose Alvarez R. wrote: > *Hi, Rob* > > ** > > *I did what you indicated to me, but still gives the same problem.* > > ** > > *Can you help me ?* The problem is client side, not server side, so you need to install the updated bits on the client. I don't know what the reference to PPA is. If that doesn't fix things then it's hard to say. There are only a couple of moving parts and you just ruled out the server since another client can enroll ok. The non-working log shows the server sending WWW-Authenticate: Negotiate and the client just gives up. In the working version the client correctly responds with an Authorization header and things proceed so I think the problem is in either libcurl or xmlrpc-c. rob > > ** > > *Thanks, Regards* > > ** > > *Jose Alvarez* > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jose Alvarez R. > Sent: viernes 29 de abril de 2016 02:53 p.m. > To: 'Rob Crittenden' > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 > > Hi, Rob > > Thanks for your response > > The link https://bugzilla.redhat.com/show_bug.cgi?id=719945I not have > > access.. > > I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm in the server > > PPA(Client IPA), but still shows the same error. 
> > A moment ago I added another client server with same version xmlrpc and > > installed correctly. > > Thanks Regards. > > [root at bk1 ~]# ipa-client-install --debug > > /usr/sbin/ipa-client-install was invoked with options: {'domain': None, > > 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, > > 'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None, > > 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': > > None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True, > > 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, > > 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': > > missing options might be asked for interactively later > > Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' > > Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' > > [IPA Discovery] > > Starting IPA discovery with domain=None, servers=None, > > hostname=bk1.cyberfuel.com > > Start searching for LDAP SRV record in "cyberfuel.com" (domain of the > > hostname) and its sub-domains > > Search DNS for SRV record of _ldap._tcp.cyberfuel.com. > > DNS record found: > > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, > > port:389,weight:50,server:freeipa.cyberfuel.com.} > > [Kerberos realm search] > > Search DNS for TXT record of _kerberos.cyberfuel.com. > > DNS record found: > > DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU > > EL.COM} > > Search DNS for SRV record of _kerberos._udp.cyberfuel.com. 
> > DNS record found: > > DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit > > y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} > > [LDAP server check] > > Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server > > Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 > > Search LDAP server for IPA base DN > > Check if naming context 'dc=cyberfuel,dc=com' is for IPA > > Naming context 'dc=cyberfuel,dc=com' is a valid IPA context > > Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub) > > Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com > > Discovery result: Success; server=freeipa.cyberfuel.com, > > domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com > > Validated servers: freeipa.cyberfuel.com > > will use discovered domain: cyberfuel.com > > Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS > > Discovery) and its sub-domains > > Search DNS for SRV record of _ldap._tcp.cyberfuel.com. > > DNS record found: > > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, > > port:389,weight:50,server:freeipa.cyberfuel.com.} > > DNS validated, enabling discovery > > will use discovered server: freeipa.cyberfuel.com > > Discovery was successful! > > will use discovered realm: CYBERFUEL.COM > > will use discovered basedn: dc=cyberfuel,dc=com > > Hostname: bk1.cyberfuel.com > > Hostname source: Machine's FQDN > > Realm: CYBERFUEL.COM > > Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com > > DNS Domain: cyberfuel.com > > DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of > > the hostname) > > IPA Server: freeipa.cyberfuel.com > > IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com > > BaseDN: dc=cyberfuel,dc=com > > BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 > > Continue to configure the system with these values? 
[no]: yes > > args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM > > stdout= > > stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory > > User authorized to enroll computers: admin > > will use principal provided as option: admin > > Synchronizing time with KDC... > > Search DNS for SRV record of _ntp._udp.cyberfuel.com. > > No DNS record found > > args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com > > stdout= > > stderr= > > args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com > > stdout= > > stderr= > > args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com > > stdout= > > stderr= > > Unable to sync time with IPA NTP server, assuming the time is in sync. > > Please check that 123 UDP port is opened. > > Writing Kerberos configuration to /tmp/tmp5msIum: > > #File modified by ipa-client-install > > includedir /var/lib/sss/pubconf/krb5.include.d/ > > [libdefaults] > > default_realm = CYBERFUEL.COM > > dns_lookup_realm = false > > dns_lookup_kdc = false > > rdns = false > > ticket_lifetime = 24h > > forwardable = yes > > udp_preference_limit = 0 > > [realms] > > CYBERFUEL.COM = { > > kdc = freeipa.cyberfuel.com:88 > > master_kdc = freeipa.cyberfuel.com:88 > > admin_server = freeipa.cyberfuel.com:749 > > default_domain = cyberfuel.com > > pkinit_anchors = FILE:/etc/ipa/ca.crt > > } > > [domain_realm] > > .cyberfuel.com = CYBERFUEL.COM > > cyberfuel.com = CYBERFUEL.COM > > Password for admin at CYBERFUEL.COM : > > args=kinit admin at CYBERFUEL.COM > > stdout=Password for admin at CYBERFUEL.COM : > > stderr= > > trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com > > Successfully retrieved CA cert > > Subject: CN=Certificate Authority,O=CYBERFUEL.COM > > Issuer: CN=Certificate Authority,O=CYBERFUEL.COM > > Valid From: Wed Sep 30 17:46:50 2015 UTC > > Valid Until: Sun Sep 30 17:46:50 2035 UTC > > args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d > > stdout= > > 
stderr=XML-RPC CALL: > > \r\n > > \r\n > > join\r\n > > \r\n > > \r\n > > bk1.cyberfuel.com\r\n > > \r\n > > \r\n > > nsosversion\r\n > > 2.6.32-573.12.1.el6.x86_64\r\n > > nshardwareplatform\r\n > > x86_64\r\n > > \r\n > > \r\n > > \r\n > > * About to connect() to freeipa.cyberfuel.com port 443 (#0) > > * Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com > > (192.168.20.90) port 443 (#0) > > * Initializing NSS with certpath: sql:/etc/pki/nssdb > > * CAfile: /etc/ipa/ca.crt > > CApath: none > > * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA > > * Server certificate: > > * subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM > > * start date: Sep 30 17:52:11 2015 GMT > > * expire date: Sep 30 17:52:11 2017 GMT > > * common name: freeipa.cyberfuel.com > > * issuer: CN=Certificate Authority,O=CYBERFUEL.COM > > > POST /ipa/xml HTTP/1.1 > > Host: freeipa.cyberfuel.com > > Accept: */* > > Content-Type: text/xml > > User-Agent: ipa-join/3.0.0 > > Referer: https://freeipa.cyberfuel.com/ipa/xml > > X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 > > Content-Length: 478 > > < HTTP/1.1 401 Authorization Required > > < Date: Fri, 29 Apr 2016 20:42:25 GMT > > < Server: Apache/2.2.15 (CentOS) > > < WWW-Authenticate: Negotiate > > < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT > > < ETag: "a0528-55a-53051ba8f7000" > > < Accept-Ranges: bytes > > < Content-Length: 1370 > > < Connection: close > > < Content-Type: text/html; charset=UTF-8 > > < > > * Closing connection #0 > > * Issue another request to this URL: > > 'https://freeipa.cyberfuel.com:443/ipa/xml' > > * About to connect() to freeipa.cyberfuel.com port 443 (#0) > > * Trying 192.168.20.90... 
* Connected to freeipa.cyberfuel.com > > (192.168.20.90) port 443 (#0) > > * CAfile: /etc/ipa/ca.crt > > CApath: none > > * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA > > * Server certificate: > > * subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM > > * start date: Sep 30 17:52:11 2015 GMT > > * expire date: Sep 30 17:52:11 2017 GMT > > * common name: freeipa.cyberfuel.com > > * issuer: CN=Certificate Authority,O=CYBERFUEL.COM > > * Server auth using GSS-Negotiate with user '' > > > POST /ipa/xml HTTP/1.1 > > Authorization: Negotiate > > [base64 SPNEGO token elided] > > Host: freeipa.cyberfuel.com > > Accept: */* > > Content-Type: text/xml > > User-Agent: ipa-join/3.0.0 > > 
Referer: https://freeipa.cyberfuel.com/ipa/xml > > X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 > > Content-Length: 478 > > < HTTP/1.1 200 Success > > < Date: Fri, 29 Apr 2016 20:42:25 GMT > > < Server: Apache/2.2.15 (CentOS) > > * Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain > > freeipa.cyberfuel.com, path /ipa, expire 1461963745 > > < Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9; > > Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25 > > GMT; Secure; HttpOnly > > < Connection: close > > < Transfer-Encoding: chunked > > < Content-Type: text/xml; charset=utf-8 > > < > > * Expire cleared > > * Closing connection #0 > > XML-RPC RESPONSE: > > \n > > \n > > \n > > \n > > \n > > fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel, > > dc=com\n > > \n > > \n > > dn\n > > fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel, > > dc=com\n > > \n > > \n > > ipacertificatesubjectbase\n > > \n > > O=CYBERFUEL.COM\n > > \n > > \n > > \n > > has_keytab\n > > 0\n > > \n > > \n > > objectclass\n > > \n > > ipaobject\n > > nshost\n > > ipahost\n > > pkiuser\n > > ipaservice\n > > krbprincipalaux\n > > krbprincipal\n > > ieee802device\n > > ipasshhost\n > > top\n > > ipaSshGroupOfPubKeys\n > > \n > > \n > > \n > > fqdn\n > > \n > > bk1.cyberfuel.com\n > > \n > > \n > > \n > > has_password\n > > 0\n > > \n > > \n > > ipauniqueid\n > > \n > > e1a08eb8-0e4a-11e6-8c5b-005056b027f1\n > > \n > > \n > > \n > > krbprincipalname\n > > \n > > host/bk1.cyberfuel.com at CYBERFUEL.COM\n > > > \n > > \n > > \n > > managedby_host\n > > \n > > bk1.cyberfuel.com\n > > \n > > \n > > \n > > \n > > \n > > \n > > \n > > Keytab successfully retrieved and stored in: /etc/krb5.keytab > > Certificate subject base is: O=CYBERFUEL.COM > > Enrolled in IPA realm CYBERFUEL.COM > > args=kdestroy > > stdout= > > stderr= > > Attempting to get host TGT... 
> > args=/usr/bin/kinit -k -t /etc/krb5.keytab > > host/bk1.cyberfuel.com at CYBERFUEL.COM > > > stdout= > > stderr= > > Attempt 1/5 succeeded. > > Backing up system configuration file '/etc/ipa/default.conf' > > -> Not backing up - '/etc/ipa/default.conf' doesn't exist > > Created /etc/ipa/default.conf > > importing all plugin modules in > > '/usr/lib/python2.6/site-packages/ipalib/plugins'... > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' > > importing plugin 
module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' > > args=klist -V > > stdout=Kerberos 5 version 1.10.3 > > stderr= > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' > > importing plugin module > > 
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' > > importing plugin module > > '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' > > Backing up system configuration file '/etc/sssd/sssd.conf' > > -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist > > New SSSD config will be created > > Backing up system configuration file '/etc/nsswitch.conf' > > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' > > Configured sudoers in /etc/nsswitch.conf > > Configured /etc/sssd/sssd.conf > > args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i > > /etc/ipa/ca.crt > > stdout= > > stderr= > > Backing up system configuration file '/etc/krb5.conf' > > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' > > Writing Kerberos configuration to /etc/krb5.conf: > > #File modified by ipa-client-install > > includedir /var/lib/sss/pubconf/krb5.include.d/ > > [libdefaults] > > default_realm = CYBERFUEL.COM > > dns_lookup_realm = true > > dns_lookup_kdc = true > > rdns = false > > ticket_lifetime = 24h > > forwardable = yes > > udp_preference_limit = 0 > > [realms] > > CYBERFUEL.COM = { > > pkinit_anchors = FILE:/etc/ipa/ca.crt > > } > > [domain_realm] > > .cyberfuel.com = CYBERFUEL.COM > > cyberfuel.com = CYBERFUEL.COM > > Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM > > args=keyctl search @s user > > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM > > stdout= > > stderr=keyctl_search: Required key not available > > args=keyctl search @s user > > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM > > stdout= > > stderr=keyctl_search: Required key not available > > failed to find session_cookie in persistent storage for principal > > 'host/bk1.cyberfuel.com at CYBERFUEL.COM' > > trying https://freeipa.cyberfuel.com/ipa/xml > > Created connection context.xmlclient > > raw: env(None, server=True) > > env(None, server=True, all=True) > > Forwarding 'env' to server 
u'https://freeipa.cyberfuel.com/ipa/xml' > > NSSConnection init freeipa.cyberfuel.com > > Connecting: 192.168.20.90:0 > > auth_certificate_callback: check_sig=True is_server=False > > Data: > > Version: 3 (0x2) > > Serial Number: 10 (0xa) > > Signature Algorithm: > > Algorithm: PKCS #1 SHA-256 With RSA Encryption > > Issuer: CN=Certificate Authority,O=CYBERFUEL.COM > > Validity: > > Not Before: Wed Sep 30 17:52:11 2015 UTC > > Not After: Sat Sep 30 17:52:11 2017 UTC > > Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM > > Subject Public Key Info: > > Public Key Algorithm: > > Algorithm: PKCS #1 RSA Encryption > > RSA Public Key: > > Modulus: > > [modulus hex elided] > > Exponent: > > 65537 (0x10001) > > Signed Extensions: (5 total) > > Name: Certificate Authority Key Identifier > > Critical: False > > Key ID: > > 31:4f:83:e1:70:d7:ea:96:e5:1b:b1:c2:2c:d8:8a:a8: > > d1:87:fa:ff > > Serial Number: None > > General Names: [0 total] > > Name: Authority Information Access > > Critical: False > > Authority Information Access: [1 total] > > Info [1]: > > Method: PKIX Online Certificate Status Protocol > > Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp > > 
Name: Certificate Key Usage > > Critical: True > > Usages: > > Digital Signature > > Non-Repudiation > > Key Encipherment > > Data Encipherment > > Name: Extended Key Usage > > Critical: False > > Usages: > > TLS Web Server Authentication Certificate > > TLS Web Client Authentication Certificate > > Name: Certificate Subject Key ID > > Critical: False > > Data: > > 73:ed:ac:87:d3:0e:04:84:66:5c:1a:e1:10:8d:f8:e1: > > 89:b9:1e:70 > > Signature: > > Signature Algorithm: > > Algorithm: PKCS #1 SHA-256 With RSA Encryption > > Signature: > > [signature hex elided] > > Fingerprint (MD5): > > 09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48 > > Fingerprint (SHA1): > > c9:a0:1f:6d:8e:f6:d9:9b:53:6e:6b:92:ea:7c:ae:79: > > ca:4d:09:98 > > approved_usage = SSL Server intended_usage = SSL Server > > cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM" > > handshake complete, peer = 192.168.20.90:443 > > Protocol: TLS1.2 > > Cipher: TLS_RSA_WITH_AES_256_CBC_SHA > > received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd; > > Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30 > > GMT; Secure; HttpOnly' > > storing cookie 
'ipa_session=356b209ee6e852ebb3124bbc6ca112cd; > > Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30 > > GMT; Secure; HttpOnly' for prin > > args=keyctl search @s user > > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM > > stdout= > > stderr=keyctl_search: Required key not available > > args=keyctl search @s user > > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM > > stdout= > > stderr=keyctl_search: Required key not available > > args=keyctl padd user > > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM @s > > stdout=640092261 > > stderr= > > Hostname (bk1.cyberfuel.com) not found in DNS > > Writing nsupdate commands to /etc/ipa/.dns_update.txt: > > zone cyberfuel.com. > > update delete bk1.cyberfuel.com. IN A > > send > > update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13 > > send > > args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt > > stdout= > > stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. > > Minor code may provide more information, Minor = Server > > DNS/ns1.cyberfuel.com at CYBERFUEL.COM > no > > nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' > > returned non-zero exit status 1 > > Failed to update DNS records. > > args=/sbin/service messagebus start > > stdout=Starting system message bus: [ OK ] > > stderr= > > args=/sbin/service messagebus status > > stdout=messagebus (pid 41820) is running... > > stderr= > > args=/sbin/service certmonger restart > > stdout=Stopping certmonger: [FAILED] > > Starting certmonger: [ OK ] > > stderr= > > args=/sbin/service certmonger status > > stdout=certmonger (pid 41859) is running... > > stderr= > > args=/sbin/service certmonger restart > > stdout=Stopping certmonger: [ OK ] > > Starting certmonger: [ OK ] > > stderr= > > args=/sbin/service certmonger status > > stdout=certmonger (pid 41927) is running... 
> > stderr= > > args=/sbin/chkconfig certmonger on > > stdout= > > stderr= > > args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - > > bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K > > host/bk1.cyberfuel.com at CYBERFUEL.CO > > > stdout=New signing request "20160429204235" added. > > stderr= > > Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub > > Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub > > raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa [base64 host key elided]'], updatedns=False) > > host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa [base64 host key elided]'), rights=False, updatedns=False, all=False, raw=False, > > no_members=False) > > Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml' > > NSSConnection init freeipa.cyberfuel.com > > Connecting: 192.168.20.90:0 > > handshake complete, peer = 192.168.20.90:443 > > Protocol: TLS1.2 > > Cipher: TLS_RSA_WITH_AES_256_CBC_SHA > > received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; > > Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 > > GMT; Secure; HttpOnly' > > storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; > > Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 > > GMT; Secure; HttpOnly' for prin > > args=keyctl search @s user > > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM > > stdout=640092261 > > stderr= > > args=keyctl search @s user > > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM > > stdout=640092261 > > stderr= > > args=keyctl pupdate 640092261 > > stdout= > > stderr= > > Writing nsupdate commands to /etc/ipa/.dns_update.txt: > > zone cyberfuel.com. > > update delete bk1.cyberfuel.com. IN SSHFP > > send > > update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1 > > B40F0F3FF14223B021F206C3E3276AC48F6EEAF0 > > update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1 > > 30D2331BC69452EFE65445B5C990773EA41A2FE8 > > send > > args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt > > stdout= > > stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. > > Minor code may provide more information, Minor = Server > > DNS/ns1.cyberfuel.com at CYBERFUEL.COM > no > > nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' > > returned non-zero exit status 1 > > Could not update DNS SSHFP records. 
> > args=/sbin/service nscd status
> > stdout=
> > stderr=nscd: unrecognized service
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
> > stdout=
> > stderr=
> > SSSD enabled
> > Configuring cyberfuel.com as NIS domain
> > args=/bin/nisdomainname
> > stdout=(none)
> > stderr=
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com
> > stdout=
> > stderr=
> > args=/bin/nisdomainname cyberfuel.com
> > stdout=
> > stderr=
> > args=/sbin/service sssd restart
> > stdout=Stopping sssd: [FAILED]
> > Starting sssd: [ OK ]
> > stderr=cat: /var/run/sssd.pid: No such file or directory
> > args=/sbin/service sssd status
> > stdout=sssd (pid 42071) is running...
> > stderr=
> > args=/sbin/chkconfig sssd on
> > stdout=
> > stderr=
> > Backing up system configuration file '/etc/openldap/ldap.conf'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > Configured /etc/openldap/ldap.conf
> > args=getent passwd admin
> > stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash
> > stderr=
> > Backing up system configuration file '/etc/ntp/step-tickers'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > args=/usr/sbin/selinuxenabled
> > stdout=
> > stderr=
> > args=/sbin/chkconfig ntpd
> > stdout=
> > stderr=
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > Backing up system configuration file '/etc/ntp.conf'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > args=/usr/sbin/selinuxenabled
> > stdout=
> > stderr=
> > Backing up system configuration file '/etc/sysconfig/ntpd'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > args=/usr/sbin/selinuxenabled
> > stdout=
> > stderr=
> > args=/sbin/chkconfig ntpd on
> > stdout=
> > stderr=
> > args=/sbin/service ntpd restart
> > stdout=Shutting down ntpd: [ OK ]
> > Starting ntpd: [ OK ]
> > stderr=
> > args=/sbin/service ntpd status
> > stdout=ntpd (pid 42133) is running...
> > stderr=
> > NTP enabled
> > Backing up system configuration file '/etc/ssh/ssh_config'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > Configured /etc/ssh/ssh_config
> > Backing up system configuration file '/etc/ssh/sshd_config'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
> > stdout=
> > stderr=
> > Configured /etc/ssh/sshd_config
> > args=/sbin/service sshd status
> > stdout=openssh-daemon (pid 46497) is running...
> > stderr=
> > args=/sbin/service sshd restart
> > stdout=Stopping sshd: [ OK ]
> > Starting sshd: [ OK ]
> > stderr=
> > args=/sbin/service sshd status
> > stdout=openssh-daemon (pid 42190) is running...
> > stderr=
> > Client configuration complete.
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcritten at redhat.com]
> > Sent: Friday, 29 April 2016 12:19 p.m.
> > To: Jose Alvarez R.; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
> >
> > Jose Alvarez R. wrote:
> > > Hi, Rob
> > >
> > > Thanks!!
> > >
> > > The xmlrpc-c version on my IPA server:
> > > xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> > > xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> > >
> > > The xmlrpc-c version on my IPA client:
> > > xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> > > xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> > > libiqxmlrpc-0.12.4-0.parallels.i686
> > > xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
> >
> > You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
> > https://bugzilla.redhat.com/show_bug.cgi?id=719945
> >
> > The libcurl version on the client looks ok.
> >
> > This is only a client-side issue so no changes on the servers should be
> > necessary IIRC. This appears to be EL 6.1 which at this point is quite old.
> >
> > rob
> >
> > > The versions are the same, but the libcurl is different
> > >
> > > This is the curl version on the IPA server:
> > > [root at freeipa log]# rpm -qa | grep curl
> > > python-pycurl-7.19.0-8.el6.x86_64
> > > curl-7.19.7-46.el6.x86_64
> > > libcurl-7.19.7-46.el6.x86_64
> > > [root at freeipa log]#
> > >
> > > This is the curl version on the PPA server (IPA client):
> > > [root at ppa named]# rpm -qa | grep curl
> > > curl-7.31.0-1.el6.x86_64
> > > python-pycurl-7.19.0-8.el6.x86_64
> > > libcurl-7.31.0-1.el6.x86_64
> > > libcurl-7.31.0-1.el6.i686
> > >
> > > Sorry, my English is not very good
> > >
> > > Regards.
> > >
> > > -----Original Message-----
> > > From: Rob Crittenden [mailto:rcritten at redhat.com]
> > > Sent: Friday, 29 April 2016 11:14 a.m.
> > > To: Jose Alvarez R.; freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
> > >
> > > Jose Alvarez R. wrote:
> > >> Hi Rob, Thanks for your response
> > >>
> > >> Yes, It's with admin.
> > >
> > > I assume this is a problem with your version of xmlrpc-c. We use
> > > standard xmlrpc-c calls to set up authentication and IIRC that
> > > links against libcurl which provides the Kerberos/GSSAPI support. On
> > > EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
> > >
> > > I'm confused about the versions. You mention PPA but include what look
> > > like RPM versions that seem to point to RHEL 6.
> > >
> > > rob
> > >
> > >>
> > >> I execute the command "ipa-client-install --debug"
> > >> ------------------------------------------------------------------------
> > >>
> > >>
> > >> [root at ppa named]# ipa-client-install --debug
> > >> /usr/sbin/ipa-client-install was invoked with options: {'domain': None,
> > >> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
> > >> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
> > >> 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None,
> > >> 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False,
> > >> 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
> > >> 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
> > >> 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False,
> > >> 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> > >> missing options might be asked for interactively later
> > >> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > >> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > >> [IPA Discovery]
> > >> Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
> > >> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
> > >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > >> [Kerberos realm search]
> > >> Search DNS for TXT record of _kerberos.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
> > >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> > >> [LDAP server check]
> > >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> > >> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> > >> Search LDAP server for IPA base DN
> > >> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> > >> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> > >> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> > >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> > >> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> > >> Validated servers: freeipa.cyberfuel.com
> > >> will use discovered domain: cyberfuel.com
> > >> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
> > >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > >> DNS validated, enabling discovery
> > >> will use discovered server: freeipa.cyberfuel.com
> > >> Discovery was successful!
> > >> will use discovered realm: CYBERFUEL.COM
> > >> will use discovered basedn: dc=cyberfuel,dc=com
> > >> Hostname: ppa.cyberfuel.com
> > >> Hostname source: Machine's FQDN
> > >> Realm: CYBERFUEL.COM
> > >> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > >> DNS Domain: cyberfuel.com
> > >> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
> > >> IPA Server: freeipa.cyberfuel.com
> > >> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > >> BaseDN: dc=cyberfuel,dc=com
> > >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
> > >>
> > >> Continue to configure the system with these values? [no]: no
> > >> Installation failed. Rolling back changes.
> > >> IPA client is not configured on this system.
> > >> [root at ppa named]#
> > >> [root at ppa named]# ipa-client-install --debug
> > >> /usr/sbin/ipa-client-install was invoked with options: {'domain': None,
> > >> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
> > >> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
> > >> 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None,
> > >> 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False,
> > >> 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
> > >> 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
> > >> 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False,
> > >> 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> > >> missing options might be asked for interactively later
> > >> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > >> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > >> [IPA Discovery]
> > >> Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
> > >> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
> > >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > >> [Kerberos realm search]
> > >> Search DNS for TXT record of _kerberos.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
> > >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> > >> [LDAP server check]
> > >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> > >> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> > >> Search LDAP server for IPA base DN
> > >> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> > >> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> > >> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> > >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> > >> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> > >> Validated servers: freeipa.cyberfuel.com
> > >> will use discovered domain: cyberfuel.com
> > >> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
> > >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > >> DNS validated, enabling discovery
> > >> will use discovered server: freeipa.cyberfuel.com
> > >> Discovery was successful!
> > >> will use discovered realm: CYBERFUEL.COM
> > >> will use discovered basedn: dc=cyberfuel,dc=com
> > >> Hostname: ppa.cyberfuel.com
> > >> Hostname source: Machine's FQDN
> > >> Realm: CYBERFUEL.COM
> > >> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > >> DNS Domain: cyberfuel.com
> > >> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
> > >> IPA Server: freeipa.cyberfuel.com
> > >> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > >> BaseDN: dc=cyberfuel,dc=com
> > >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
> > >>
> > >> Continue to configure the system with these values? [no]: yes
> > >> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
> > >> stdout=
> > >> stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
> > >>
> > >> User authorized to enroll computers: admin
> > >> will use principal provided as option: admin
> > >> Synchronizing time with KDC...
> > >> Search DNS for SRV record of _ntp._udp.cyberfuel.com.
> > >> No DNS record found
> > >> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> > >> stdout=
> > >> stderr=
> > >> Writing Kerberos configuration to /tmp/tmpqWSatK:
> > >> #File modified by ipa-client-install
> > >>
> > >> includedir /var/lib/sss/pubconf/krb5.include.d/
> > >>
> > >> [libdefaults]
> > >> default_realm = CYBERFUEL.COM
> > >> dns_lookup_realm = false
> > >> dns_lookup_kdc = false
> > >> rdns = false
> > >> ticket_lifetime = 24h
> > >> forwardable = yes
> > >> udp_preference_limit = 0
> > >>
> > >>
> > >> [realms]
> > >> CYBERFUEL.COM = {
> > >> kdc = freeipa.cyberfuel.com:88
> > >> master_kdc = freeipa.cyberfuel.com:88
> > >> admin_server = freeipa.cyberfuel.com:749
> > >> default_domain = cyberfuel.com
> > >> pkinit_anchors = FILE:/etc/ipa/ca.crt
> > >>
> > >> }
> > >>
> > >>
> > >> [domain_realm]
> > >> .cyberfuel.com = CYBERFUEL.COM
> > >> cyberfuel.com = CYBERFUEL.COM
> > >>
> > >>
> > >>
> > >> Password for admin at CYBERFUEL.COM:
> > >> args=kinit admin at CYBERFUEL.COM
> > >> stdout=Password for admin at CYBERFUEL.COM:
> > >>
> > >> stderr=
> > >> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
> > >> Existing CA cert and Retrieved CA cert are identical
> > >> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
> > >> stdout=
> > >> stderr=XML-RPC CALL:
> > >>
> > >> \r\n \r\n
> > >> join\r\n \r\n
> > >> \r\n
> > >> ppa.cyberfuel.com\r\n
> > >> \r\n
> > >> \r\n
> > >> nsosversion\r\n
> > >> 2.6.32-573.8.1.el6.x86_64\r\n
> > >> nshardwareplatform\r\n
> > >> x86_64\r\n
> > >> \r\n
> > >> \r\n
> > >> \r\n
> > >>
> > >> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> > >> * Trying 192.168.20.90...
> > >> * Adding handle: conn: 0x10bb2f0
> > >> * Adding handle: send: 0
> > >> * Adding handle: recv: 0
> > >> * Curl_addHandleToPipeline: length: 1
> > >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
> > >> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
> > >> * successfully set certificate verify locations:
> > >> * CAfile: /etc/ipa/ca.crt
> > >> CApath: none
> > >> * SSL connection using AES256-SHA
> > >> * Server certificate:
> > >> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
> > >> * start date: 2015-09-30 17:52:11 GMT
> > >> * expire date: 2017-09-30 17:52:11 GMT
> > >> * common name: freeipa.cyberfuel.com (matched)
> > >> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
> > >> * SSL certificate verify ok.
> > >> > POST /ipa/xml HTTP/1.1
> > >> Host: freeipa.cyberfuel.com
> > >> Accept: */*
> > >> Content-Type: text/xml
> > >> User-Agent: ipa-join/3.0.0
> > >> Referer: https://freeipa.cyberfuel.com/ipa/xml
> > >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> > >> Content-Length: 477
> > >>
> > >> * upload completely sent off: 477 out of 477 bytes
> > >> < HTTP/1.1 401 Authorization Required
> > >> < Date: Fri, 29 Apr 2016 16:16:32 GMT
> > >> * Server Apache/2.2.15 (CentOS) is not blacklisted
> > >> < Server: Apache/2.2.15 (CentOS)
> > >> < WWW-Authenticate: Negotiate
> > >> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> > >> < ETag: "a0528-55a-53051ba8f7000"
> > >> < Accept-Ranges: bytes
> > >> < Content-Length: 1370
> > >> < Connection: close
> > >> < Content-Type: text/html; charset=UTF-8
> > >> <
> > >> * Closing connection 0
> > >> HTTP response code is 401, not 200
> > >>
> > >> Joining realm failed: XML-RPC CALL:
> > >>
> > >> \r\n \r\n
> > >> join\r\n \r\n
> > >> \r\n
> > >> ppa.cyberfuel.com\r\n
> > >> \r\n
> > >> \r\n
> > >> nsosversion\r\n
> > >> 2.6.32-573.8.1.el6.x86_64\r\n
> > >> nshardwareplatform\r\n
> > >> x86_64\r\n
> > >> \r\n
> > >> \r\n
> > >> \r\n
> > >>
> > >> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> > >> * Trying 192.168.20.90...
> > >> * Adding handle: conn: 0x10bb2f0
> > >> * Adding handle: send: 0
> > >> * Adding handle: recv: 0
> > >> * Curl_addHandleToPipeline: length: 1
> > >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
> > >> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
> > >> * successfully set certificate verify locations:
> > >> * CAfile: /etc/ipa/ca.crt
> > >> CApath: none
> > >> * SSL connection using AES256-SHA
> > >> * Server certificate:
> > >> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
> > >> * start date: 2015-09-30 17:52:11 GMT
> > >> * expire date: 2017-09-30 17:52:11 GMT
> > >> * common name: freeipa.cyberfuel.com (matched)
> > >> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
> > >> * SSL certificate verify ok.
> > >> > POST /ipa/xml HTTP/1.1
> > >> Host: freeipa.cyberfuel.com
> > >> Accept: */*
> > >> Content-Type: text/xml
> > >> User-Agent: ipa-join/3.0.0
> > >> Referer: https://freeipa.cyberfuel.com/ipa/xml
> > >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> > >> Content-Length: 477
> > >>
> > >> * upload completely sent off: 477 out of 477 bytes
> > >> < HTTP/1.1 401 Authorization Required
> > >> < Date: Fri, 29 Apr 2016 16:16:32 GMT
> > >> * Server Apache/2.2.15 (CentOS) is not blacklisted
> > >> < Server: Apache/2.2.15 (CentOS)
> > >> < WWW-Authenticate: Negotiate
> > >> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> > >> < ETag: "a0528-55a-53051ba8f7000"
> > >> < Accept-Ranges: bytes
> > >> < Content-Length: 1370
> > >> < Connection: close
> > >> < Content-Type: text/html; charset=UTF-8
> > >> <
> > >> * Closing connection 0
> > >> HTTP response code is 401, not 200
> > >>
> > >> Installation failed. Rolling back changes.
> > >> IPA client is not configured on this system.
> > >>
> > >> -------------------------------------------------
> > >>
> > >> This is the curl version on the IPA server
> > >>
> > >> [root at freeipa log]# rpm -qa | grep curl
> > >> python-pycurl-7.19.0-8.el6.x86_64
> > >> curl-7.19.7-46.el6.x86_64
> > >> libcurl-7.19.7-46.el6.x86_64
> > >> [root at freeipa log]#
> > >>
> > >>
> > >> This is the curl version on the PPA server (IPA client)
> > >>
> > >> [root at ppa named]# rpm -qa | grep curl
> > >> curl-7.31.0-1.el6.x86_64
> > >> python-pycurl-7.19.0-8.el6.x86_64
> > >> libcurl-7.31.0-1.el6.x86_64
> > >> libcurl-7.31.0-1.el6.i686
> > >>
> > >>
> > >> The curl version is different, but the PPA's curl version comes from the Odin Plesk repository.
> > >>
> > >> -----------------------------------------------------
> > >>
> > >>
> > >> [root at ppa tmp]# cat kerberos_trace.log
> > >>
> > >> [12118] 1461855578.809966: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [12118] 1461855578.810171: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
> > >> [12118] 1461855578.810252: Getting credentials admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmptSoqDX
> > >> [12118] 1461855578.810369: Retrieving admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
> > >> [12118] 1461855578.810451: Retrieving admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: 0/Success
> > >> [12118] 1461855578.810476: Found cached TGT for service realm: admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> > >> [12118] 1461855578.810509: Requesting tickets for ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> > >> [12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
> > >> [12118] 1461855578.810679: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
> > >> [12118] 1461855578.811466: Initiating TCP connection to stream 192.168.0.90:88
> > >> [12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
> > >> [12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
> > >> [12118] 1461855578.816714: Response was from master KDC
> > >> [12118] 1461855578.816906: TGS reply is for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/BEB2
> > >> [12118] 1461855578.816977: TGS request result: 0/Success
> > >> [12118] 1461855578.817018: Received creds for desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [12118] 1461855578.817066: Removing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX
> > >> [12118] 1461855578.817107: Storing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmptSoqDX
> > >> [12118] 1461855578.817413: Creating authenticator for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
> > >> [12118] 1461855578.874786: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [12118] 1461855578.874938: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
> > >> [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey aes256-cts/4B32, seqnum 706045221
> > >> [17304] 1461858424.873888: ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [17304] 1461858424.874126: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
> > >> [17304] 1461858424.874220: Getting credentials admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpH0QF6P
> > >> [17304] 1461858424.874413: Retrieving admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
> > >> [17304] 1461858424.874531: Retrieving admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result: 0/Success
> > >> [17304] 1461858424.874603: Found cached TGT for service realm: admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> > >> [17304] 1461858424.874631: Requesting tickets for ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> > >> [17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
> > >> [17304] 1461858424.874788: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
> > >> [17304] 1461858424.875805: Initiating TCP connection to stream 192.168.20.90:88
> > >> [17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
> > >> [17304] 1461858424.882385: Received answer from stream 192.168.20.90:88
> > >> [17304] 1461858424.882531: Response was from master KDC
> > >> [17304] 1461858424.882775: TGS reply is for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/20DA
> > >> [17304] 1461858424.882850: TGS request result: 0/Success
> > >> [17304] 1461858424.882883: Received creds for desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [17304] 1461858424.882918: Removing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P
> > >> [17304] 1461858424.882951: Storing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P
> > >> [17304] 1461858424.883271: Creating authenticator for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
> > >> [17304] 1461858424.898190: ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [17304] 1461858424.898401: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
> > >> [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey aes256-cts/A0F5, seqnum 906104721
> > >> [23457] 1461863053.621386: ccselect module realm chose cache FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [23457] 1461863053.621602: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
> > >> [23457] 1461863053.621719: Getting credentials admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmp576FE3
> > >> [23457] 1461863053.621918: Retrieving admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
> > >> [23457] 1461863053.622097: Retrieving admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result: 0/Success
> > >> [23457] 1461863053.622144: Found cached TGT for service realm: admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> > >> [23457] 1461863053.622176: Requesting tickets for ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> > >> [23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
> > >> [23457] 1461863053.622331: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
> > >> [23457] 1461863053.623367: Initiating TCP connection to stream 192.168.20.90:88
> > >> [23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
> > >> [23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
> > >> [23457] 1461863053.628229: Response was from master KDC
> > >> [23457] 1461863053.628485: TGS reply is for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9E88
> > >> [23457] 1461863053.628560: TGS request result: 0/Success
> > >> [23457] 1461863053.628610: Received creds for desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [23457] 1461863053.628655: Removing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3
> > >> [23457] 1461863053.628689: Storing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmp576FE3
> > >> [23457] 1461863053.629119: Creating authenticator for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
> > >> [23457] 1461863053.640471: ccselect module realm chose cache FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [23457] 1461863053.640721: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
> > >> [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey aes256-cts/8866, seqnum 421358565
> > >> [23749] 1461863277.525338: ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [23749] 1461863277.525435: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
> > >> [23749] 1461863277.525469: Getting credentials admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmprfuOsj
> > >> [23749] 1461863277.525529: Retrieving admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
> > >> [23749] 1461863277.525572: Retrieving admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result: 0/Success
> > >> [23749] 1461863277.525584: Found cached TGT for service realm: admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> > >> [23749] 1461863277.525593: Requesting tickets for ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> > >> [23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
> > >> [23749] 1461863277.525662: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
> > >> [23749] 1461863277.526161: Initiating TCP connection to stream 192.168.20.90:88
> > >> [23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88
> > >> [23749] 1461863277.530652: Received answer from stream 192.168.20.90:88
> > >> [23749] 1461863277.530737: Response was from master KDC
> > >> [23749] 1461863277.530881: TGS reply is for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/79C3
> > >> [23749] 1461863277.530931: TGS request result: 0/Success
> > >> [23749] 1461863277.530948: Received creds for desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [23749] 1461863277.530962: Removing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj
> > >> [23749] 1461863277.530971: Storing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj
> > >> [23749] 1461863277.531133: Creating authenticator for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3
> > >> [23749] 1461863277.542808: ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
> > >> [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey aes256-cts/5194, seqnum 376027188
> > >> [25544] 1461864401.258277: ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
> > >> [25544] 1461864401.258678: Getting credentials admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpbzX7EN
> > >> [25544] 1461864401.258873: Retrieving admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
> > >> [25544] 1461864401.259040: Retrieving admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: 0/Success
> > >> [25544] 1461864401.259076: Found cached TGT for service realm: admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> > >> [25544] 1461864401.259102: Requesting tickets for ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> > >> [25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
> > >> [25544] 1461864401.259291: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
> > >> [25544] 1461864401.260361: Initiating TCP connection to stream 192.168.20.90:88
> > >> [25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88
> > >> [25544] 1461864401.264399: Received answer from stream 192.168.20.90:88
> > >> [25544] 1461864401.264593: Response was from master KDC
> > >> [25544] 1461864401.264893: TGS reply is for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9106
> > >> [25544] 1461864401.264966: TGS request result: 0/Success
> > >> [25544] 1461864401.264996: Received creds for desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [25544] 1461864401.265029: Removing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN
> > >> [25544] 1461864401.265058: Storing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN
> > >> [25544] 1461864401.265581: Creating authenticator for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
> > >> [25544] 1461864401.275884: ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
> > >> [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey aes256-cts/0E9F, seqnum 871496824
> > >> [18097] 1461937028.664354: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
> > >> [18097] 1461937028.664490: Getting credentials admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpF9x_o8
> > >> [18097] 1461937028.664549: Retrieving admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
> > >> [18097] 1461937028.664590: Retrieving admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: 0/Success
> > >> [18097] 1461937028.664601: Found cached TGT for service realm: admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM
> > >> [18097] 1461937028.664611: Requesting tickets for ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on
> > >> [18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
> > >> [18097] 1461937028.664727: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
> > >> [18097] 1461937028.665136: Initiating TCP connection to stream 192.168.20.90:88
> > >> [18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
> > >> [18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
> > >> [18097] 1461937028.668984: Response was from master KDC
> > >> [18097] 1461937028.669109: TGS reply is for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9592
> > >> [18097] 1461937028.669136: TGS request result: 0/Success
> > >> [18097] 1461937028.669156: Received creds for desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
> > >> [18097] 1461937028.669167: Removing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8
> > >> [18097] 1461937028.669176: Storing admin at CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8 > > >> [18097] 1461937028.669304: Creating authenticator for > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, > > >> seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592 > > >> [18097] 1461937028.676414: ccselect module realm chose cache > > >> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for > > >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [18097] 1461937028.676470: Retrieving admin at CYBERFUEL.COM -> > > >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > > >> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not > > >> found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, > > >> subkey aes256-cts/26C4, seqnum 864174069 > > >> > > >> ----------------------------------- > > >> > > >> > > >> Regards > > >> > > >> Jose Alvarez > > >> > > >> > > >> -----Original Message----- > > >> From: Rob Crittenden [mailto:rcritten at redhat.com] > > >> Sent: viernes 29 de abril de 2016 09:34 a.m. > > >> To: Jose Alvarez R. ; > > >> freeipa-users at redhat.com > > >> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 > > >> > > >> Jose Alvarez R. wrote: > > >>> Hi Users > > >>> > > >>> You can help me? > > >>> > > >>> I have the problem for join a client to my FREEIPA Server. 
The > > >>> version IPA Server is 3.0 and IP client is 3.0 > > >>> > > >>> When I join my client to IPA server show these errors: > > >>> > > >>> [root at ppa ~]# tail -f /var/log/ipaclient-install.log > > >>> > > >>> 2016-04-28T17:26:41Z DEBUG stderr= > > >>> > > >>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from > > >>> ldap://freeipa.cyberfuel.com > > >>> > > >>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert > > >>> are identical > > >>> > > >>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s > > >>> freeipa.cyberfuel.com -b dc=cyberfuel,dc=com > > >>> > > >>> 2016-04-28T17:26:41Z DEBUG stdout= > > >>> > > >>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200 > > >>> > > >>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code > > >>> is 401, not 200 > > >>> > > >>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes. > > >>> > > >>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system. > > >> > > >> I'd look in the 389-ds access and error logs on the IPA server to see > > >> if there are any more details. Look for the BIND from the client and > > >> see what happens. > > >> > > >> More context from the log file might be helpful. I believe if you run > > >> the client installer with --debug then additional flags are passed to > > >> ipa-join to include the XML-RPC conversation and that might be useful > > too. > > >> > > >> What account are you using to enroll with, admin? > > >> > > >> rob > > >> > > > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > From jalvarez at cyberfuel.com Mon May 2 20:27:43 2016 From: jalvarez at cyberfuel.com (Jose Alvarez R.) 
Date: Mon, 2 May 2016 14:27:43 -0600 Subject: [Freeipa-users] HTTP response code is 401, not 200 In-Reply-To: <5727A717.9080001@redhat.com> References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com> <57237EFE.4010705@redhat.com> <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com> <5723965F.20102@redhat.com> <06f901d1a241$c2770910$47651b30$@cyberfuel.com> <5723A5B1.8080109@redhat.com> <076e01d1a259$276aba30$76402e90$@cyberfuel.com> <015801d1a49d$2a6ad440$7f407cc0$@cyberfuel.com> <5727A717.9080001@redhat.com> Message-ID: <01ce01d1a4b1$1525a3d0$3f70eb70$@cyberfuel.com> Hi Rob Thanks for your response. The PPA is hosting Control Panel of the company Odin(https://www.plesk.com/?_ga=1.159107642.1001081217.1436214087) Several packages were installed by this software. Because they use their own repositories. Regards Jose Alvarez -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: lunes 2 de mayo de 2016 01:15 p.m. To: Jose Alvarez R. Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 Jose Alvarez R. wrote: > *Hi, Rob* > > ** > > *I did what you indicated to me, but still gives the same problem.* > > ** > > *Can you help me ?* The problem is client side, not server side, so you need to install the updated bits on the client. I don't know what the reference to PPA is. If that doesn't fix things then it's hard to say. There are only a couple of moving parts and you just ruled out the server since another client can enroll ok. The non-working log shows the server sending WWW-Authenticate: Negotiate and the client just gives up. In the working version the client correctly responds with an Authorization header and things proceed so I think the problem is in either libcurl or xmlrpc-c. rob > > ** > > *Thanks, Regards* > > ** > > *Jose Alvarez* > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jose Alvarez R. 
> Sent: viernes 29 de abril de 2016 02:53 p.m. > To: 'Rob Crittenden' > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 > > Hi, Rob > > Thanks for your response > > The link https://bugzilla.redhat.com/show_bug.cgi?id=719945I not have > > access.. > > I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm in the server > > PPA(Client IPA), but still shows the same error. > > A moment ago I added another client server with same version xmlrpc and > > installed correctly. > > Thanks Regards. > > [root at bk1 ~]# ipa-client-install --debug > > /usr/sbin/ipa-client-install was invoked with options: {'domain': None, > > 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, > > 'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None, > > 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': > > None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True, > > 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, > > 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': > > missing options might be asked for interactively later > > Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' > > Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' > > [IPA Discovery] > > Starting IPA discovery with domain=None, servers=None, > > hostname=bk1.cyberfuel.com > > Start searching for LDAP SRV record in "cyberfuel.com" (domain of the > > hostname) and its sub-domains > > Search DNS for SRV record of _ldap._tcp.cyberfuel.com. > > DNS record found: > > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, > > port:389,weight:50,server:freeipa.cyberfuel.com.} > > [Kerberos realm search] > > Search DNS for TXT record of _kerberos.cyberfuel.com. 
> > DNS record found:
> > DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
> > Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> > DNS record found:
> > DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> > [LDAP server check]
> > Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> > Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> > Search LDAP server for IPA base DN
> > Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> > Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> > Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> > Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> > Discovery result: Success; server=freeipa.cyberfuel.com,
> > domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> > Validated servers: freeipa.cyberfuel.com
> > will use discovered domain: cyberfuel.com
> > Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS
> > Discovery) and its sub-domains
> > Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > DNS record found:
> > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > DNS validated, enabling discovery
> > will use discovered server: freeipa.cyberfuel.com
> > Discovery was successful!
> > will use discovered realm: CYBERFUEL.COM
> > will use discovered basedn: dc=cyberfuel,dc=com
> > Hostname: bk1.cyberfuel.com
> > Hostname source: Machine's FQDN
> > Realm: CYBERFUEL.COM
> > Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > DNS Domain: cyberfuel.com
> > DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of
> > the hostname)
> > IPA Server: freeipa.cyberfuel.com
> > IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > BaseDN: dc=cyberfuel,dc=com
> > BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
> > Continue to configure the system with these values? [no]: yes
> > args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
> > stdout=
> > stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
> > User authorized to enroll computers: admin
> > will use principal provided as option: admin
> > Synchronizing time with KDC...
> > Search DNS for SRV record of _ntp._udp.cyberfuel.com.
> > No DNS record found
> > args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> > stdout=
> > stderr=
> > args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> > stdout=
> > stderr=
> > args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> > stdout=
> > stderr=
> > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > Please check that 123 UDP port is opened.
> > Writing Kerberos configuration to /tmp/tmp5msIum:
> > #File modified by ipa-client-install
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> > [libdefaults]
> > default_realm = CYBERFUEL.COM
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > rdns = false
> > ticket_lifetime = 24h
> > forwardable = yes
> > udp_preference_limit = 0
> > [realms]
> > CYBERFUEL.COM = {
> > kdc = freeipa.cyberfuel.com:88
> > master_kdc = freeipa.cyberfuel.com:88
> > admin_server = freeipa.cyberfuel.com:749
> > default_domain = cyberfuel.com
> > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > }
> > [domain_realm]
> > .cyberfuel.com = CYBERFUEL.COM
> > cyberfuel.com = CYBERFUEL.COM
> > Password for admin at CYBERFUEL.COM :
> > args=kinit admin at CYBERFUEL.COM
> > stdout=Password for admin at CYBERFUEL.COM :
> > stderr=
> > trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
> > Successfully retrieved CA cert
> > Subject: CN=Certificate Authority,O=CYBERFUEL.COM
> > Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
> > Valid From: Wed Sep 30 17:46:50 2015 UTC
> > Valid Until: Sun Sep 30 17:46:50 2035 UTC
> > args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
> > stdout=
> > stderr=XML-RPC CALL:
> > \r\n
> > \r\n
> > join\r\n
> > \r\n
> > \r\n
> > bk1.cyberfuel.com\r\n
> > \r\n
> > \r\n
> > nsosversion\r\n
> > 2.6.32-573.12.1.el6.x86_64\r\n
> > nshardwareplatform\r\n
> > x86_64\r\n
> > \r\n
> > \r\n
> > \r\n
> > * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> > * Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
> > (192.168.20.90) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > * CAfile: /etc/ipa/ca.crt
> > CApath: none
> > * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
> > * Server certificate:
> > * subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
> > * start date: Sep 30 17:52:11 2015 GMT
> > * expire date: Sep 30 17:52:11 2017 GMT
> > * common name: freeipa.cyberfuel.com
> > * issuer: CN=Certificate Authority,O=CYBERFUEL.COM
> > > POST /ipa/xml HTTP/1.1
> > Host: freeipa.cyberfuel.com
> > Accept: */*
> > Content-Type: text/xml
> > User-Agent: ipa-join/3.0.0
> > Referer: https://freeipa.cyberfuel.com/ipa/xml
> > X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> > Content-Length: 478
> > < HTTP/1.1 401 Authorization Required
> > < Date: Fri, 29 Apr 2016 20:42:25 GMT
> > < Server: Apache/2.2.15 (CentOS)
> > < WWW-Authenticate: Negotiate
> > < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> > < ETag: "a0528-55a-53051ba8f7000"
> > < Accept-Ranges: bytes
> > < Content-Length: 1370
> > < Connection: close
> > < Content-Type: text/html; charset=UTF-8
> > <
> > * Closing connection #0
> > * Issue another request to this URL:
> > 'https://freeipa.cyberfuel.com:443/ipa/xml'
> > * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> > * Trying 192.168.20.90... * Connected to freeipa.cyberfuel.com
> > (192.168.20.90) port 443 (#0)
> > * CAfile: /etc/ipa/ca.crt
> > CApath: none
> > * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
> > * Server certificate:
> > * subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
> > * start date: Sep 30 17:52:11 2015 GMT
> > * expire date: Sep 30 17:52:11 2017 GMT
> > * common name: freeipa.cyberfuel.com
> > * issuer: CN=Certificate Authority,O=CYBERFUEL.COM
> > * Server auth using GSS-Negotiate with user ''
> > > POST /ipa/xml HTTP/1.1
> > Authorization: Negotiate
> > YIIFFAYJKoZIhvcSAQICAQBuggUDMIIE/6ADAgEFoQMCAQ6iBwMFAAAAAACjggFiYYIBXjCCAVqg
> > AwIBBaEPGw1DWUJFUkZVRUwuQ09NoigwJqADAgEDoR8wHRsESFRUUBsVZnJlZWlwYS5MIZbbMHqa
> > QcuYz6zysTVwY+I/uvLznfkDrkClgtyvEIsnBopXcWBenFEbqcmRIBa7bkXiIxc1tYEzNh1rME/4
> > ZUh0PjUjX+QQO9NDpYrAIxFLoP6b6J87wFt2Wi+Rx2LPGlcPrIwKPNwyaOqw/QQ8r11FLI5RVzpH
> > eUL3uokQgZF6+GBoFo61lHY/W36Cb3JgxdG8Ge3TWWYgjEQKWlY48N6YNSPF2a2iKpgSuy/1Qe5E
> > HTfpyiJWnZJnlEIHllpIIDgjCCA36gAwIBEqKCA3UEggNx1WXEz0IRl4aJlkL5Eq0bxky36jm7zI
> > q3oiCcgWzqH9ma866TuD4ew++XcXmKZxszk6zf+c8tYhdRezxK74jF9XkpnRxTiBxOao7oPabJau
> > yM0k637IWWzTb1m+cC46PRaysFc7x3z5CGBWNyu0DpGyw240za4cepY1J+Q+mm7bq51zCDyMU1CY
> > 7+of3Z4Z7s6P5/x/pn8DJBegXVIYq2Wb3sQbMUJCSbCG37Xb8j2nzhAaup1l4xTINQxSSLZRIS7M
> > H2YCE+z66P0607z7xBh7bwed97hHC2o3T0hDNnJOP7SRBUXquXCW9RbLUdOmYfcLcH8ygUWemm3A
> > MqL+mDYN3jpe25O/7Z/wFxYiUIw/6CtHGjJ1nrDy47Y1sbsjU1XT/sJ8JqxRFwCm9ALpQP+rYZ0k
> > v8/9OAaclw4vobu4Zmb3rVFBOzKpgRaUSvg4vSuRi/SPCzcH2PwBBSHpZuXWazWvZpnpTXYBl3nw
> > lelW8gE1PWWeAhxbCDP/u5D6vAJ7q1287bL+UdpnCki0Ye0c1+LCsqzhscPDtWOMHAqzs5pwyyfC
> > Qpg13GX93fHWJPRkrJbGTkGAknZkQFPtjks1C3JCRqhiz62KVLo6g5uRljHr8NNzvTBr2iRl9aK6
> > cDAEMaW5X26ko0XtO7urcbw/w6smuJLyYjroJH5Pe41bPMaUCls3RTvhxrlMzXSXgywPr3zDFpIg
> > CirdIfqowkF5Utq6Uub2d9wdhXXYuH3PCj3KBzsAAHFv2iI+Xg3a7+7LlWUFnTLVEzEhsKVO3lO7
> > jFb8kKwop5o7yTyXsQmW4g0rdCam07GuRObob6yQ=
> > Host: freeipa.cyberfuel.com
> > Accept: */*
> > Content-Type: text/xml
> > User-Agent: ipa-join/3.0.0
> > Referer: https://freeipa.cyberfuel.com/ipa/xml
> > X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> > Content-Length: 478
> > < HTTP/1.1 200 Success
> > < Date: Fri, 29 Apr 2016 20:42:25 GMT
> > < Server: Apache/2.2.15 (CentOS)
> > * Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain
> > freeipa.cyberfuel.com, path /ipa, expire 1461963745
> > < Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9;
> > Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25
> > GMT; Secure; HttpOnly
> > < Connection: close
> > < Transfer-Encoding: chunked
> > < Content-Type: text/xml; charset=utf-8
> > <
> > * Expire cleared
> > * Closing connection #0
> > XML-RPC RESPONSE:
> > \n
> > \n
> > \n
> > \n
> > \n
> > fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
> > dc=com\n
> > \n
> > \n
> > dn\n
> > fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,
> > dc=com\n
> > \n
> > \n
> > ipacertificatesubjectbase\n
> > \n
> > O=CYBERFUEL.COM\n
> > \n
> > \n
> > \n
> > has_keytab\n
> > 0\n
> > \n
> > \n
> > objectclass\n
> > \n
> > ipaobject\n
> > nshost\n
> > ipahost\n
> > pkiuser\n
> > ipaservice\n
> > krbprincipalaux\n
> > krbprincipal\n
> > ieee802device\n
> > ipasshhost\n
> > top\n
> > ipaSshGroupOfPubKeys\n
> > \n
> > \n
> > \n
> > fqdn\n
> > \n
> > bk1.cyberfuel.com\n
> > \n
> > \n
> > \n
> > has_password\n
> > 0\n
> > \n
> > \n
> > ipauniqueid\n
> > \n
> > e1a08eb8-0e4a-11e6-8c5b-005056b027f1\n
> > \n
> > \n
> > \n
> > krbprincipalname\n
> > \n
> > host/bk1.cyberfuel.com at CYBERFUEL.COM\n
> > > \n
> > \n
> > \n
> > managedby_host\n
> > \n
> > bk1.cyberfuel.com\n
> > \n
> > \n
> > \n
> > \n
> > \n
> > \n
> > \n
> > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > Certificate subject base is: O=CYBERFUEL.COM
> > Enrolled in IPA realm CYBERFUEL.COM
> > args=kdestroy
> > stdout=
> > stderr=
> > Attempting to get host TGT...
> > args=/usr/bin/kinit -k -t /etc/krb5.keytab
> > host/bk1.cyberfuel.com at CYBERFUEL.COM
> > > stdout=
> > stderr=
> > Attempt 1/5 succeeded.
> > Backing up system configuration file '/etc/ipa/default.conf'
> > -> Not backing up - '/etc/ipa/default.conf' doesn't exist
> > Created /etc/ipa/default.conf
> > importing all plugin modules in
> > '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> > args=klist -V
> > stdout=Kerberos 5 version 1.10.3
> > stderr=
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> > importing plugin module
> > '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> > Backing up system configuration file '/etc/sssd/sssd.conf'
> > -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
> > New SSSD config will be created
> > Backing up system configuration file '/etc/nsswitch.conf'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > Configured sudoers in /etc/nsswitch.conf
> > Configured /etc/sssd/sssd.conf
> > args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
> > /etc/ipa/ca.crt
> > stdout=
> > stderr=
> > Backing up system configuration file '/etc/krb5.conf'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > Writing Kerberos configuration to /etc/krb5.conf:
> > #File modified by ipa-client-install
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> > [libdefaults]
> > default_realm = CYBERFUEL.COM
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > rdns = false
> > ticket_lifetime = 24h
> > forwardable = yes
> > udp_preference_limit = 0
> > [realms]
> > CYBERFUEL.COM = {
> > pkinit_anchors = FILE:/etc/ipa/ca.crt
> > }
> > [domain_realm]
> > .cyberfuel.com = CYBERFUEL.COM
> > cyberfuel.com = CYBERFUEL.COM
> > Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM
> > args=keyctl search @s user
> > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM
> > stdout=
> > stderr=keyctl_search: Required key not available
> > args=keyctl search @s user
> > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM
> > stdout=
> > stderr=keyctl_search: Required key not available
> > failed to find session_cookie in persistent storage for principal
> > 'host/bk1.cyberfuel.com at CYBERFUEL.COM'
> > trying https://freeipa.cyberfuel.com/ipa/xml
> > Created connection context.xmlclient
> > raw: env(None, server=True)
> > env(None, server=True, all=True)
> > Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml'
> > NSSConnection init freeipa.cyberfuel.com
> > Connecting: 192.168.20.90:0
> > auth_certificate_callback: check_sig=True is_server=False
> > Data:
> > Version: 3 (0x2)
> > Serial Number: 10 (0xa)
> > Signature Algorithm:
> > Algorithm: PKCS #1 SHA-256 With RSA Encryption
> > Issuer: CN=Certificate Authority,O=CYBERFUEL.COM
> > Validity:
> > Not Before: Wed Sep 30 17:52:11 2015 UTC
> > Not After: Sat Sep 30 17:52:11 2017 UTC
> > Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
> > Subject Public Key Info:
> > Public Key Algorithm:
> > Algorithm: PKCS #1 RSA Encryption
> > RSA Public Key:
> > Modulus:
> > ad:e7:d2:7f:c3:e1:91:0a:03:6d:5c:ba:54:14:3e:00:
> > 0e:f9:e7:61:85:3c:4f:1b:8f:a8:fb:e4:b4:92:a3:7c:
> > 7d:bb:06:b4:b8:43:8a:20:86:17:71:a2:a3:6a:a1:51:
> > e5:89:44:0f:a1:43:67:3b:46:76:b0:81:9e:10:43:56:
> > 86:9f:27:46:e1:5e:b3:d6:8c:17:73:e3:17:7d:e7:eb:
> > a4:78:9c:7a:e8:6f:00:f8:36:d9:71:88:e1:90:bf:98:
> > fa:40:0f:88:f4:2e:d8:a2:b3:a5:0c:5a:81:8b:2e:cf:
> > 22:f9:cb:6d:bf:85:7c:c9:7f:17:de:5d:d4:1a:2b:09:
> > 5b:1b:99:11:22:3f:1e:49:5f:26:1a:25:2f:a4:50:2a:
> > 8b:f2:3c:12:db:45:3f:f4:06:64:a2:30:5f:f4:a1:c9:
> > 2c:8c:60:b5:c6:aa:25:2e:1e:31:c2:ad:2c:63:b0:a4:
> > bb:2c:fc:f8:b6:f9:13:eb:09:bc:b0:c1:4c:06:06:09:
> > 2f:f9:08:ba:7d:a4:0a:57:d1:8e:86:87:cb:f9:3a:58:
> > 60:f9:34:e1:5b:34:d1:2f:8e:54:87:2a:74:9c:e2:d6:
> > 83:4f:78:6b:59:1e:95:ec:67:6e:86:25:ad:f0:d3:6c:
> > 96:9c:db:c3:e5:3f:e5:bc:f4:ff:55:55:18:a8:3e:5d
> > Exponent:
> > 65537 (0x10001)
> > Signed Extensions: (5 total)
> > Name: Certificate Authority Key Identifier
> > Critical: False
> > Key ID:
> > 31:4f:83:e1:70:d7:ea:96:e5:1b:b1:c2:2c:d8:8a:a8:
> > d1:87:fa:ff
> > Serial Number: None
> > General Names: [0 total]
> > Name: Authority Information Access
> > Critical: False
> > Authority Information Access: [1 total]
> > Info [1]:
> > Method: PKIX Online Certificate Status Protocol
> > Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp
> > Name: Certificate Key Usage
> > Critical: True
> > Usages:
> > Digital Signature
> > Non-Repudiation
> > Key Encipherment
> > Data Encipherment
> > Name: Extended Key Usage
> > Critical: False
> > Usages:
> > TLS Web Server Authentication Certificate
> > TLS Web Client Authentication Certificate
> > Name: Certificate Subject Key ID
> > Critical: False
> > Data:
> > 73:ed:ac:87:d3:0e:04:84:66:5c:1a:e1:10:8d:f8:e1:
> > 89:b9:1e:70
> > Signature:
> > Signature Algorithm:
> > Algorithm: PKCS #1 SHA-256 With RSA Encryption
> > Signature:
> > 40:da:c2:6b:20:08:7c:4a:05:1a:e2:cc:49:7f:25:6c:
> > 48:3a:73:3c:b6:ab:35:6c:1a:d9:78:15:60:48:0b:0e:
> > c1:3c:bf:76:90:35:bf:67:b5:9d:88:1c:98:ce:3b:8a:
> > f6:86:c7:f9:1e:7b:3c:cd:98:00:99:23:a4:06:4f:ed:
> > 0f:ee:44:65:9d:db:b6:9d:cc:cf:cb:83:f8:7c:23:93:
> > 2a:0b:40:bb:5b:31:c5:9e:ed:74:eb:c0:c9:cc:30:1e:
> > 78:19:69:64:60:24:58:f5:a7:6f:3b:bb:f6:7c:72:5c:
> > 1c:50:33:0f:df:49:b7:0a:cb:ac:3f:7b:4f:e7:42:e9:
> > 3b:19:e0:15:a3:fe:e3:43:aa:23:69:d0:28:7a:64:b7:
> > 19:e3:8a:a9:bc:48:3a:de:f7:c0:67:8b:02:e9:af:74:
> > 49:33:5e:2f:21:0b:4c:f3:3d:63:ea:1e:2e:4d:e9:ed:
> > af:ef:61:35:ad:86:2b:93:ab:b6:7d:45:ed:b1:9b:12:
> > 57:fc:55:ef:42:46:01:63:b1:b9:84:e9:f4:46:fb:39:
> > fa:1e:55:2e:20:32:c1:45:ad:ac:54:c9:e6:4e:ca:f1:
> > fb:da:9a:b5:bc:8b:6c:43:86:4e:df:06:97:46:3e:9b:
> > a2:a1:ff:41:6e:80:df:a7:bd:5d:96:2c:ba:e0:d2:56
> > Fingerprint (MD5):
> > 09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48
> > Fingerprint (SHA1):
> > c9:a0:1f:6d:8e:f6:d9:9b:53:6e:6b:92:ea:7c:ae:79:
> > ca:4d:09:98
> > approved_usage = SSL Server intended_usage = SSL Server
> > cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM"
> > handshake complete, peer = 192.168.20.90:443
> > Protocol: TLS1.2
> > Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> > received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
> > Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
> > GMT; Secure; HttpOnly'
> > storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd;
> > Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30
> > GMT; Secure; HttpOnly' for prin
> > args=keyctl search @s user
> > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM
> > stdout=
> > stderr=keyctl_search: Required key not available
> > args=keyctl search @s user
> > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM
> > stdout=
> > stderr=keyctl_search: Required key not available
> > args=keyctl padd user
> > ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM @s
> > stdout=640092261
> > stderr=
> > Hostname (bk1.cyberfuel.com) not found in DNS
> > Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> > zone cyberfuel.com.
> > update delete bk1.cyberfuel.com. IN A
> > send
> > update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13
> > send
> > args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> > stdout=
> > stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> > Minor code may provide more information, Minor = Server
> > DNS/ns1.cyberfuel.com at CYBERFUEL.COM
> no
> > nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt'
> > returned non-zero exit status 1
> > Failed to update DNS records.
> > args=/sbin/service messagebus start
> > stdout=Starting system message bus: [ OK ]
> > stderr=
> > args=/sbin/service messagebus status
> > stdout=messagebus (pid 41820) is running...
> > stderr=
> > args=/sbin/service certmonger restart
> > stdout=Stopping certmonger: [FAILED]
> > Starting certmonger: [ OK ]
> > stderr=
> > args=/sbin/service certmonger status
> > stdout=certmonger (pid 41859) is running...
> > stderr=
> > args=/sbin/service certmonger restart
> > stdout=Stopping certmonger: [ OK ]
> > Starting certmonger: [ OK ]
> > stderr=
> > args=/sbin/service certmonger status
> > stdout=certmonger (pid 41927) is running...
> > stderr=
> > args=/sbin/chkconfig certmonger on
> > stdout=
> > stderr=
> > args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K host/bk1.cyberfuel.com@CYBERFUEL.CO
> > stdout=New signing request "20160429204235" added.
> > stderr=
> > Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> > Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> > raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa ...'], updatedns=False)
> > host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa ...'), rights=False, updatedns=False, all=False, raw=False, no_members=False)
> > Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml'
> > NSSConnection init freeipa.cyberfuel.com
> > Connecting: 192.168.20.90:0
> > handshake complete, peer = 192.168.20.90:443
> > Protocol: TLS1.2
> > Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> > received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 GMT; Secure; HttpOnly'
> > storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 GMT; Secure; HttpOnly' for prin
> > args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com@CYBERFUEL.COM
> > stdout=640092261
> > stderr=
> > args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com@CYBERFUEL.COM
> > stdout=640092261
> > stderr=
> > args=keyctl pupdate 640092261
> > stdout=
> > stderr=
> > Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> > zone cyberfuel.com.
> > update delete bk1.cyberfuel.com. IN SSHFP
> > send
> > update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1 B40F0F3FF14223B021F206C3E3276AC48F6EEAF0
> > update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1 30D2331BC69452EFE65445B5C990773EA41A2FE8
> > send
> > args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> > stdout=
> > stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns1.cyberfuel.com@CYBERFUEL.COM no
> > nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> > Could not update DNS SSHFP records.
> > args=/sbin/service nscd status
> > stdout=
> > stderr=nscd: unrecognized service
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
> > stdout=
> > stderr=
> > SSSD enabled
> > Configuring cyberfuel.com as NIS domain
> > args=/bin/nisdomainname
> > stdout=(none)
> > stderr=
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com
> > stdout=
> > stderr=
> > args=/bin/nisdomainname cyberfuel.com
> > stdout=
> > stderr=
> > args=/sbin/service sssd restart
> > stdout=Stopping sssd: [FAILED]
> > Starting sssd: [ OK ]
> > stderr=cat: /var/run/sssd.pid: No such file or directory
> > args=/sbin/service sssd status
> > stdout=sssd (pid 42071) is running...
> > stderr=
> > args=/sbin/chkconfig sssd on
> > stdout=
> > stderr=
> > Backing up system configuration file '/etc/openldap/ldap.conf'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > Configured /etc/openldap/ldap.conf
> > args=getent passwd admin
> > stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash
> > stderr=
> > Backing up system configuration file '/etc/ntp/step-tickers'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > args=/usr/sbin/selinuxenabled
> > stdout=
> > stderr=
> > args=/sbin/chkconfig ntpd
> > stdout=
> > stderr=
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > Backing up system configuration file '/etc/ntp.conf'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > args=/usr/sbin/selinuxenabled
> > stdout=
> > stderr=
> > Backing up system configuration file '/etc/sysconfig/ntpd'
> > Saving Index File to
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > args=/usr/sbin/selinuxenabled
> > stdout=
> > stderr=
> > args=/sbin/chkconfig ntpd on
> > stdout=
> > stderr=
> > args=/sbin/service ntpd restart
> > stdout=Shutting down ntpd: [ OK ]
> > Starting ntpd: [ OK ]
> > stderr=
> > args=/sbin/service ntpd status
> > stdout=ntpd (pid 42133) is running...
> > stderr=
> > NTP enabled
> > Backing up system configuration file '/etc/ssh/ssh_config'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > Configured /etc/ssh/ssh_config
> > Backing up system configuration file '/etc/ssh/sshd_config'
> > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > args=sshd -t -f /dev/null -o AuthorizedKeysCommand=
> > stdout=
> > stderr=
> > Configured /etc/ssh/sshd_config
> > args=/sbin/service sshd status
> > stdout=openssh-daemon (pid 46497) is running...
> > stderr=
> > args=/sbin/service sshd restart
> > stdout=Stopping sshd: [ OK ]
> > Starting sshd: [ OK ]
> > stderr=
> > args=/sbin/service sshd status
> > stdout=openssh-daemon (pid 42190) is running...
> > stderr=
> > Client configuration complete.
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcritten at redhat.com]
> > Sent: Friday, 29 April 2016 12:19 p.m.
> > To: Jose Alvarez R.; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
> >
> > Jose Alvarez R. wrote:
> > > Hi, Rob
> > >
> > > Thanks!!
> > >
> > > The xmlrpc-c version on my IPA server:
> > > xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> > > xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> > >
> > > The xmlrpc-c version on my IPA client:
> > > xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> > > xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> > > libiqxmlrpc-0.12.4-0.parallels.i686
> > > xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64
> >
> > You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
> > https://bugzilla.redhat.com/show_bug.cgi?id=719945
> >
> > The libcurl version on the client looks ok.
> >
> > This is only a client-side issue so no changes on the servers should be necessary IIRC. This appears to be EL 6.1 which at this point is quite old.
> >
> > rob
> >
> > > The versions are the same, but the libcurl is different.
> > >
> > > This is the curl version on the IPA server:
> > > [root@freeipa log]# rpm -qa | grep curl
> > > python-pycurl-7.19.0-8.el6.x86_64
> > > curl-7.19.7-46.el6.x86_64
> > > libcurl-7.19.7-46.el6.x86_64
> > > [root@freeipa log]#
> > >
> > > This is the curl version on the PPA server (IPA client):
> > > [root@ppa named]# rpm -qa | grep curl
> > > curl-7.31.0-1.el6.x86_64
> > > python-pycurl-7.19.0-8.el6.x86_64
> > > libcurl-7.31.0-1.el6.x86_64
> > > libcurl-7.31.0-1.el6.i686
> > >
> > > Sorry, my English is not very good.
> > >
> > > Regards.
> > >
> > > -----Original Message-----
> > > From: Rob Crittenden [mailto:rcritten at redhat.com]
> > > Sent: Friday, 29 April 2016 11:14 a.m.
> > > To: Jose Alvarez R.; freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
> > >
> > > Jose Alvarez R. wrote:
> > >> Hi Rob, Thanks for your response
> > >>
> > >> Yes, It's with admin.
> > >
> > > I assume this is a problem with your version of xmlrpc-c. We use standard xmlrpc-c calls to setup authentication and IIRC that links against libcurl which provides the Kerberos/GSSAPI support.
> > > On EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
> > >
> > > I'm confused about the versions. You mention PPA but include what look like RPM versions that seem to point to RHEL 6.
> > >
> > > rob
> > >
> > >> I executed the command "ipa-client-install --debug"
> > >> ----------------------------------------------------------------------
> > >>
> > >> [root@ppa named]# ipa-client-install --debug
> > >> /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> > >> missing options might be asked for interactively later
> > >> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > >> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > >> [IPA Discovery]
> > >> Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
> > >> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
> > >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > >> [Kerberos realm search]
> > >> Search DNS for TXT record of _kerberos.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
> > >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> > >> [LDAP server check]
> > >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> > >> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> > >> Search LDAP server for IPA base DN
> > >> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> > >> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> > >> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> > >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> > >> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> > >> Validated servers: freeipa.cyberfuel.com
> > >> will use discovered domain: cyberfuel.com
> > >> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
> > >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > >> DNS validated, enabling discovery
> > >> will use discovered server: freeipa.cyberfuel.com
> > >> Discovery was successful!
> > >> will use discovered realm: CYBERFUEL.COM
> > >> will use discovered basedn: dc=cyberfuel,dc=com
> > >> Hostname: ppa.cyberfuel.com
> > >> Hostname source: Machine's FQDN
> > >> Realm: CYBERFUEL.COM
> > >> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > >> DNS Domain: cyberfuel.com
> > >> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
> > >> IPA Server: freeipa.cyberfuel.com
> > >> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > >> BaseDN: dc=cyberfuel,dc=com
> > >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
> > >>
> > >> Continue to configure the system with these values? [no]: no
> > >> Installation failed. Rolling back changes.
> > >> IPA client is not configured on this system.
> > >> [root@ppa named]#
> > >> [root@ppa named]# ipa-client-install --debug
> > >> /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> > >> missing options might be asked for interactively later
> > >> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > >> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> > >> [IPA Discovery]
> > >> Starting IPA discovery with domain=None, servers=None,
> > >> hostname=ppa.cyberfuel.com
> > >> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
> > >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > >> [Kerberos realm search]
> > >> Search DNS for TXT record of _kerberos.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
> > >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> > >> [LDAP server check]
> > >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> > >> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> > >> Search LDAP server for IPA base DN
> > >> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> > >> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> > >> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> > >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> > >> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> > >> Validated servers: freeipa.cyberfuel.com
> > >> will use discovered domain: cyberfuel.com
> > >> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
> > >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> > >> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> > >> DNS validated, enabling discovery
> > >> will use discovered server: freeipa.cyberfuel.com
> > >> Discovery was successful!
> > >> will use discovered realm: CYBERFUEL.COM
> > >> will use discovered basedn: dc=cyberfuel,dc=com
> > >> Hostname: ppa.cyberfuel.com
> > >> Hostname source: Machine's FQDN
> > >> Realm: CYBERFUEL.COM
> > >> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > >> DNS Domain: cyberfuel.com
> > >> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
> > >> IPA Server: freeipa.cyberfuel.com
> > >> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> > >> BaseDN: dc=cyberfuel,dc=com
> > >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
> > >>
> > >> Continue to configure the system with these values? [no]: yes
> > >> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
> > >> stdout=
> > >> stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
> > >>
> > >> User authorized to enroll computers: admin
> > >> will use principal provided as option: admin
> > >> Synchronizing time with KDC...
> > >> Search DNS for SRV record of _ntp._udp.cyberfuel.com.
> > >> No DNS record found
> > >> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
> > >> stdout=
> > >> stderr=
> > >> Writing Kerberos configuration to /tmp/tmpqWSatK:
> > >> #File modified by ipa-client-install
> > >>
> > >> includedir /var/lib/sss/pubconf/krb5.include.d/
> > >>
> > >> [libdefaults]
> > >> default_realm = CYBERFUEL.COM
> > >> dns_lookup_realm = false
> > >> dns_lookup_kdc = false
> > >> rdns = false
> > >> ticket_lifetime = 24h
> > >> forwardable = yes
> > >> udp_preference_limit = 0
> > >>
> > >> [realms]
> > >> CYBERFUEL.COM = {
> > >> kdc = freeipa.cyberfuel.com:88
> > >> master_kdc = freeipa.cyberfuel.com:88
> > >> admin_server = freeipa.cyberfuel.com:749
> > >> default_domain = cyberfuel.com
> > >> pkinit_anchors = FILE:/etc/ipa/ca.crt
> > >> }
> > >>
> > >> [domain_realm]
> > >> .cyberfuel.com = CYBERFUEL.COM
> > >> cyberfuel.com = CYBERFUEL.COM
> > >>
> > >> Password for admin@CYBERFUEL.COM:
> > >> args=kinit admin@CYBERFUEL.COM
> > >> stdout=Password for admin@CYBERFUEL.COM:
> > >>
> > >> stderr=
> > >> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
> > >> Existing CA cert and Retrieved CA cert are identical
> > >> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
> > >> stdout=
> > >> stderr=XML-RPC CALL:
> > >> (XML markup of the request was lost in the archive; the surviving values are methodName join, hostname ppa.cyberfuel.com, nsosversion 2.6.32-573.8.1.el6.x86_64, nshardwareplatform x86_64)
> > >>
> > >> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> > >> * Trying 192.168.20.90...
> > >> * Adding handle: conn: 0x10bb2f0
> > >> * Adding handle: send: 0
> > >> * Adding handle: recv: 0
> > >> * Curl_addHandleToPipeline: length: 1
> > >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
> > >> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
> > >> * successfully set certificate verify locations:
> > >> * CAfile: /etc/ipa/ca.crt
> > >> CApath: none
> > >> * SSL connection using AES256-SHA
> > >> * Server certificate:
> > >> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
> > >> * start date: 2015-09-30 17:52:11 GMT
> > >> * expire date: 2017-09-30 17:52:11 GMT
> > >> * common name: freeipa.cyberfuel.com (matched)
> > >> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
> > >> * SSL certificate verify ok.
> > >> > POST /ipa/xml HTTP/1.1
> > >> Host: freeipa.cyberfuel.com
> > >> Accept: */*
> > >> Content-Type: text/xml
> > >> User-Agent: ipa-join/3.0.0
> > >> Referer: https://freeipa.cyberfuel.com/ipa/xml
> > >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> > >> Content-Length: 477
> > >>
> > >> * upload completely sent off: 477 out of 477 bytes
> > >> < HTTP/1.1 401 Authorization Required
> > >> < Date: Fri, 29 Apr 2016 16:16:32 GMT
> > >> * Server Apache/2.2.15 (CentOS) is not blacklisted
> > >> < Server: Apache/2.2.15 (CentOS)
> > >> < WWW-Authenticate: Negotiate
> > >> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> > >> < ETag: "a0528-55a-53051ba8f7000"
> > >> < Accept-Ranges: bytes
> > >> < Content-Length: 1370
> > >> < Connection: close
> > >> < Content-Type: text/html; charset=UTF-8
> > >> <
> > >> * Closing connection 0
> > >> HTTP response code is 401, not 200
> > >>
> > >> Joining realm failed: XML-RPC CALL:
> > >> (the same XML-RPC call, curl trace and 401 response as above are repeated verbatim in the failure message)
> > >>
> > >> Installation failed. Rolling back changes.
> > >> IPA client is not configured on this system.
> > >>
> > >> -------------------------------------------------
> > >>
> > >> This is the curl version on the IPA server:
> > >>
> > >> [root@freeipa log]# rpm -qa | grep curl
> > >> python-pycurl-7.19.0-8.el6.x86_64
> > >> curl-7.19.7-46.el6.x86_64
> > >> libcurl-7.19.7-46.el6.x86_64
> > >> [root@freeipa log]#
> > >>
> > >> This is the curl version on the PPA server (IPA client):
> > >>
> > >> [root@ppa named]# rpm -qa | grep curl
> > >> curl-7.31.0-1.el6.x86_64
> > >> python-pycurl-7.19.0-8.el6.x86_64
> > >> libcurl-7.31.0-1.el6.x86_64
> > >> libcurl-7.31.0-1.el6.i686
> > >>
> > >> The curl version is different, but the curl version on the PPA server comes from the Odin Plesk repository.
> > >>
> > >> -----------------------------------------------------
> > >>
> > >> [root@ppa tmp]# cat kerberos_trace.log
> > >>
> > >> [12118] 1461855578.809966: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> > >> [12118] 1461855578.810171: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
> > >> [12118] 1461855578.810252: Getting credentials admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmptSoqDX
> > >> [12118] 1461855578.810369: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
> > >> [12118] 1461855578.810451: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: 0/Success
> > >> [12118] 1461855578.810476: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
> > >> [12118] 1461855578.810509: Requesting
> > >> tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
> > >> [12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
> > >> [12118] 1461855578.810679: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
> > >> [12118] 1461855578.811466: Initiating TCP connection to stream 192.168.0.90:88
> > >> [12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
> > >> [12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
> > >> [12118] 1461855578.816714: Response was from master KDC
> > >> [12118] 1461855578.816906: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/BEB2
> > >> [12118] 1461855578.816977: TGS request result: 0/Success
> > >> [12118] 1461855578.817018: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> > >> [12118] 1461855578.817066: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX
> > >> [12118] 1461855578.817107: Storing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM in FILE:/tmp/tmptSoqDX
> > >> [12118] 1461855578.817413: Creating authenticator for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
> > >> [12118] 1461855578.874786: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> > >> [12118] 1461855578.874938: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmptSoqDX with result:
> > >> -1765328243/Matching credential not found
> > >> [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey aes256-cts/4B32, seqnum 706045221
> > >> [17304] 1461858424.873888: ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> > >> [17304] 1461858424.874126: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
> > >> [17304] 1461858424.874220: Getting credentials admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmpH0QF6P
> > >> [17304] 1461858424.874413: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
> > >> [17304] 1461858424.874531: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result: 0/Success
> > >> [17304] 1461858424.874603: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
> > >> [17304] 1461858424.874631: Requesting tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
> > >> [17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
> > >> [17304] 1461858424.874788: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
> > >> [17304] 1461858424.875805: Initiating TCP connection to stream 192.168.20.90:88
> > >> [17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
> > >> [17304] 1461858424.882385: Received answer from
> > >> stream 192.168.20.90:88
> > >> [17304] 1461858424.882531: Response was from master KDC
> > >> [17304] 1461858424.882775: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/20DA
> > >> [17304] 1461858424.882850: TGS request result: 0/Success
> > >> [17304] 1461858424.882883: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> > >> [17304] 1461858424.882918: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P
> > >> [17304] 1461858424.882951: Storing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P
> > >> [17304] 1461858424.883271: Creating authenticator for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
> > >> [17304] 1461858424.898190: ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> > >> [17304] 1461858424.898401: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
> > >> [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey aes256-cts/A0F5, seqnum 906104721
> > >> [23457] 1461863053.621386: ccselect module realm chose cache FILE:/tmp/tmp576FE3 with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> > >> [23457] 1461863053.621602: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
> > >> [23457] 1461863053.621719: Getting credentials admin@
> > >> CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmp576FE3
> > >> [23457] 1461863053.621918: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
> > >> [23457] 1461863053.622097: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result: 0/Success
> > >> [23457] 1461863053.622144: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
> > >> [23457] 1461863053.622176: Requesting tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
> > >> [23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
> > >> [23457] 1461863053.622331: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> > >> [23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
> > >> [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
> > >> [23457] 1461863053.623367: Initiating TCP connection to stream 192.168.20.90:88
> > >> [23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
> > >> [23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
> > >> [23457] 1461863053.628229: Response was from master KDC
> > >> [23457] 1461863053.628485: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/9E88
> > >> [23457] 1461863053.628560: TGS request result: 0/Success
> > >> [23457] 1461863053.628610: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> > >> [23457] 1461863053.628655: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmp576FE3
> > >> [23457] 1461863053.628689: Storing admin@CYBERFUEL.COM ->
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmp576FE3 > > >> [23457] 1461863053.629119: Creating authenticator for > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, > > >> seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88 > > >> [23457] 1461863053.640471: ccselect module realm chose cache > > >> FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for > > >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [23457] 1461863053.640721: Retrieving admin at CYBERFUEL.COM -> > > >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > > >> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not > > >> found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, > > >> subkey aes256-cts/8866, seqnum 421358565 [23749] 1461863277.525338: > > >> ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client > > >> principal admin at CYBERFUEL.COM for server principal > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [23749] 1461863277.525435: Retrieving admin at CYBERFUEL.COM -> > > >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > > >> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not > > >> found [23749] 1461863277.525469: Getting credentials > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using > > >> ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from > > >> FILE:/tmp/tmprfuOsj with > > >> result: -1765328243/Matching credential not found [23749] > > >> 1461863277.525572: Retrieving admin at CYBERFUEL.COM -> > > >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result: > > >> 0/Success > > >> [23749] 1461863277.525584: Found cached TGT for service realm: > > >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > > >> [23749] 1461863277.525593: 
Requesting tickets for > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [23749] > > >> 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D > > >> [23749] 1461863277.525662: etypes requested in TGS request: > > >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749] > > >> 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM > > >> [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com > > >> [23749] 1461863277.526161: Initiating TCP connection to stream > > >> 192.168.20.90:88 > > >> [23749] 1461863277.526440: Sending TCP request to stream > > >> 192.168.20.90:88 [23749] 1461863277.530652: Received answer from > > >> stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from > > >> master KDC [23749] 1461863277.530881: TGS reply is for > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with > > >> session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request > > >> result: 0/Success [23749] 1461863277.530948: Received creds for > > >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [23749] 1461863277.530962: Removing admin at CYBERFUEL.COM -> > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj > > >> [23749] 1461863277.530971: Storing admin at CYBERFUEL.COM -> > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj > > >> [23749] 1461863277.531133: Creating authenticator for > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, > > >> seqnum 1019693263, subkey aes256-cts/B3E0, session key > > >> aes256-cts/79C3 [23749] 1461863277.542808: ccselect module realm > > >> chose cache FILE:/tmp/tmprfuOsj with client principal > > >> admin at CYBERFUEL.COM for server principal > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM -> > > >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > > >> FILE:/tmp/tmprfuOsj 
with result: -1765328243/Matching credential not > > >> found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, > > >> subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277: > > >> ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client > > >> principal admin at CYBERFUEL.COM for server principal > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM -> > > >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > > >> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not > > >> found [25544] 1461864401.258678: Getting credentials > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using > > >> ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from > > >> FILE:/tmp/tmpbzX7EN with > > >> result: -1765328243/Matching credential not found [25544] > > >> 1461864401.259040: Retrieving admin at CYBERFUEL.COM -> > > >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: > > >> 0/Success > > >> [25544] 1461864401.259076: Found cached TGT for service realm: > > >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > > >> [25544] 1461864401.259102: Requesting tickets for > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [25544] > > >> 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A > > >> [25544] 1461864401.259291: etypes requested in TGS request: > > >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544] > > >> 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM > > >> [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com > > >> [25544] 1461864401.260361: Initiating TCP connection to stream > > >> 192.168.20.90:88 > > >> [25544] 1461864401.260980: Sending TCP request to stream > > >> 192.168.20.90:88 [25544] 1461864401.264399: Received 
answer from > > >> stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from > > >> master KDC [25544] 1461864401.264893: TGS reply is for > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with > > >> session key aes256-cts/9106 [25544] 1461864401.264966: TGS request > > >> result: 0/Success [25544] 1461864401.264996: Received creds for > > >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [25544] 1461864401.265029: Removing admin at CYBERFUEL.COM -> > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN > > >> [25544] 1461864401.265058: Storing admin at CYBERFUEL.COM -> > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN > > >> [25544] 1461864401.265581: Creating authenticator for > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, > > >> seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106 > > >> [25544] 1461864401.275884: ccselect module realm chose cache > > >> FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for > > >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM -> > > >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > > >> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not > > >> found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, > > >> subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354: > > >> ccselect module realm chose cache > > >> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for > > >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM -> > > >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > > >> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not > > >> found [18097] 1461937028.664490: Getting credentials > > >> 
admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using > > >> ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from > > >> FILE:/tmp/tmpF9x_o8 with > > >> result: -1765328243/Matching credential not found [18097] > > >> 1461937028.664590: Retrieving admin at CYBERFUEL.COM -> > > >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: > > >> 0/Success > > >> [18097] 1461937028.664601: Found cached TGT for service realm: > > >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > > >> [18097] 1461937028.664611: Requesting tickets for > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [18097] > > >> 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372 > > >> [18097] 1461937028.664727: etypes requested in TGS request: > > >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097] > > >> 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM > > >> [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com > > >> [18097] 1461937028.665136: Initiating TCP connection to stream > > >> 192.168.20.90:88 > > >> [18097] 1461937028.665510: Sending TCP request to stream > > >> 192.168.20.90:88 [18097] 1461937028.668919: Received answer from > > >> stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from > > >> master KDC [18097] 1461937028.669109: TGS reply is for > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with > > >> session key aes256-cts/9592 [18097] 1461937028.669136: TGS request > > >> result: 0/Success [18097] 1461937028.669156: Received creds for > > >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [18097] 1461937028.669167: Removing admin at CYBERFUEL.COM -> > > >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 > > >> [18097] 1461937028.669176: Storing admin at CYBERFUEL.COM -> > > >> 
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8 > > >> [18097] 1461937028.669304: Creating authenticator for > > >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, > > >> seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592 > > >> [18097] 1461937028.676414: ccselect module realm chose cache > > >> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for > > >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > > >> [18097] 1461937028.676470: Retrieving admin at CYBERFUEL.COM -> > > >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > > >> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not > > >> found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, > > >> subkey aes256-cts/26C4, seqnum 864174069 > > >> > > >> ----------------------------------- > > >> > > >> > > >> Regards > > >> > > >> Jose Alvarez > > >> > > >> > > >> -----Original Message----- > > >> From: Rob Crittenden [mailto:rcritten at redhat.com] > > >> Sent: viernes 29 de abril de 2016 09:34 a.m. > > >> To: Jose Alvarez R. ; > > >> freeipa-users at redhat.com > > >> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 > > >> > > >> Jose Alvarez R. wrote: > > >>> Hi Users > > >>> > > >>> You can help me? > > >>> > > >>> I have the problem for join a client to my FREEIPA Server. 
> > >>> The IPA server version is 3.0 and the IPA client is 3.0.
> > >>> 
> > >>> When I join my client to the IPA server it shows these errors:
> > >>> 
> > >>> [root@ppa ~]# tail -f /var/log/ipaclient-install.log
> > >>> 
> > >>> 2016-04-28T17:26:41Z DEBUG stderr=
> > >>> 
> > >>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
> > >>> 
> > >>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
> > >>> 
> > >>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
> > >>> 
> > >>> 2016-04-28T17:26:41Z DEBUG stdout=
> > >>> 
> > >>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
> > >>> 
> > >>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
> > >>> 
> > >>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
> > >>> 
> > >>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
> > >> 
> > >> I'd look in the 389-ds access and error logs on the IPA server to see
> > >> if there are any more details. Look for the BIND from the client and
> > >> see what happens.
> > >> 
> > >> More context from the log file might be helpful. I believe if you run
> > >> the client installer with --debug then additional flags are passed to
> > >> ipa-join to include the XML-RPC conversation and that might be useful
> > >> too.
> > >> 
> > >> What account are you using to enroll with, admin?
> > >> 
> > >> rob
> > >> 
> > > 
> > 
> > -- 
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> 

From anthony.wan.cheng at gmail.com Mon May 2 21:35:57 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Mon, 02 May 2016 21:35:57 +0000
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To: <57275C0E.10003@redhat.com>
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com> <5724BC4A.3060400@redhat.com> <57275C0E.10003@redhat.com>
Message-ID: 

On Mon, May 2, 2016 at 9:54 AM Rob Crittenden wrote:
> Anthony Cheng wrote:
> > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
> > 
> > Anthony Cheng wrote:
> > > OK so I made progress on my cert renewal issue; I was able to get kinit
> > > working so I can follow the rest of the steps here
> > > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> > >
> > > However, after using
> > >
> > > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
> > >
> > > and restarting apache (/sbin/service httpd restart), resubmitting 3
> > > certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
> > > (/sbin/service ipa restart), I still see:
> > >
> > > [root@test ~]# ipa-getcert list | more
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20111214223243':
> > >         status: CA_UNREACHABLE
> > >         ca-error: Server failed request, will retry: 4301 (RPC failed
> > > at server. Certificate operation cannot be completed: Unable to
> > > communicate with CMS (Not Found)).
> > 
> > IPA proxies requests to the CA through Apache. This means that while
> > tomcat started ok it didn't load the dogtag CA application, hence the
> > Not Found.
> > 
> > Check the CA debug and selftest logs to see why it failed to start
> > properly.
> > 
> > [ snip ]
> > 
> > Actually after a reboot that error went away and I just get this error
> > instead "ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction. Peer certificate cannot be
> > authenticated with known CA certificates)." from "getcert list"
> > 
> > The result of service ipa restart is interesting since it shows today's time
> > when I already changed the date/time and disabled NTP, so somehow the system
> > still knows today's time.
> > 
> > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
> > CERT_VerifyCertificateNow: verify certificate failed for cert
> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> > Runtime error -8181 - Peer's Certificate has expired.)
> 
> Hard to say. I'd confirm that there is no time syncing service running,
> ntp or otherwise.
> 

I found out why the time kept changing; it was due to the fact that it has VM tools installed (I didn't configure this box), so it automatically syncs time during bootup.

I did still see this error message:

ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found))

I tried the step from http://www.freeipa.org/page/Troubleshooting with

certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart

so that I can get rid of one of the CA certs that is expired (I kept the 1st one), but I am still getting the same error.

What exactly is CMS and why is it not found?

I did notice that the selftest log is empty, with a different time:

-rw-r-----.
1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log [root at test ~]# clock Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds Here are some debug log after reboot: [root at test pki-ca]# tail -n 100 catalina.out INFO: JK: ajp13 listening on /0.0.0.0:9447 Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start INFO: Jk running ID=0 time=1/23 config=null Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 1722 ms Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause INFO: Pausing Coyote HTTP/1.1 on http-9180 Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause INFO: Pausing Coyote HTTP/1.1 on http-9443 Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause INFO: Pausing Coyote HTTP/1.1 on http-9445 Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause INFO: Pausing Coyote HTTP/1.1 on http-9444 Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause INFO: Pausing Coyote HTTP/1.1 on http-9446 Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop INFO: Stopping service Catalina Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very like ly to create a memory leak. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] bu t has failed to stop it. This is very likely to create a memory leak. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak. 
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed t o stop it. This is very likely to create a memory leak. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has faile d to stop it. This is very likely to create a memory leak. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has fa iled to stop it. This is very likely to create a memory leak. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but ha s failed to stop it. This is very likely to create a memory leak. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak. 
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed. Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed. Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9180 Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9443 Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9445 Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9444 Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9446 Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib Jan 27, 2016 2:57:37 PM 
org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on http-9180 Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on http-9443 Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on http-9445 Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on http-9444 Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. 
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on http-9446 Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 2198 ms Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start INFO: Starting service Catalina Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/6.0.24 Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory ROOT Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory ca 64-bit osutil library loaded 64-bit osutil library loaded Certificate object not found Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start INFO: Starting Coyote HTTP/1.1 on http-9180 Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start INFO: Starting Coyote HTTP/1.1 on http-9443 Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start INFO: Starting Coyote HTTP/1.1 on http-9445 Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start INFO: Starting Coyote HTTP/1.1 on http-9444 Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start INFO: Starting Coyote HTTP/1.1 on http-9446 Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init INFO: JK: ajp13 listening on /0.0.0.0:9447 Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start INFO: Jk running ID=0 time=0/40 config=null Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 2592 ms [root at test pki-ca]# tail -n 100 debug [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy 
userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default 
com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault [27/Jan/2016:15:30:43][main]: added plugin 
defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault [27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap 
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
> > > > [27/Jan/2016:15:30:43][main]: CertificateAuthority init
> > > > [27/Jan/2016:15:30:43][main]: Cert Repot inited
> > > > [27/Jan/2016:15:30:43][main]: CRL Repot inited
> > > > [27/Jan/2016:15:30:43][main]: Replica Repot inited
> > > > [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
> > > > [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
> > > > [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
> > > > [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
> > > > [27/Jan/2016:15:30:43][main]: Got private key from cert
> > > > [27/Jan/2016:15:30:43][main]: Got public key from cert
> > > > [27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
> > > > [27/Jan/2016:15:30:43][main]: CA signing unit inited
> > > > [27/Jan/2016:15:30:43][main]: cachainNum= 0
> > > > [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
> > > > [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
> > > > [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
> > > > [27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> > > > [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
> > > > Certificate object not found
> > > >         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
> > > >         at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
> > > >         at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
> > > >         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
> > > >         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
> > > >         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
> > > >         at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
> > > >         at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
> > > >         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
> > > >         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
> > > >         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
> > > >         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
> > > >         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
> > > >         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
> > > >         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
> > > >         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
> > > >         at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
> > > >         at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
> > > >         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
> > > >         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
> > > >         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
> > > >         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
> > > >         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
> > > >         at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
> > > >         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
> > > >         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
> > > >         at org.apache.catalina.core.StandardService.start(StandardService.java:516)
> > > >         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> > > >         at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> > > >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > >         at java.lang.reflect.Method.invoke(Method.java:616)
> > > >         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> > > >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> > > > [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
> > > >
> > > > Would really greatly appreciate any help on this.
> > > >
> > > > Also I noticed after I do ldapmodify of usercertificate binary data with
> > > >
> > > > add: usercertificate;binary
> > > > usercertificate;binary: !@#$@!#$#@$
> > >
> > > You really pasted in binary? Or was this base64-encoded data?
> > >
> > > I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using something like:
> > >
> > > dn: uid=ipara,ou=people,o=ipaca
> > > changetype: modify
> > > add: usercertificate;binary
> > > usercertificate;binary:< file:///path/to/cert.der
> > >
> > > You can use something like openssl x509 to switch between PEM and DER formats.
> > >
> > > I have a vague memory that dogtag can deal with a multi-valued usercertificate attribute.
> > >
> > > rob
> >
> > Yes the wiki stated binary, the result of:
> >
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W
> >
> > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
> >
> > But the actual data is from a PEM though.
>
> Ok. So I looked at my CA data and it doesn't use the binary subtype, so my entries look like:
>
> userCertificate:: MIID....
>
> It might make a difference if dogtag is looking for the subtype or not.
>
> rob
>
> > > > Then I re-run
> > > >
> > > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
> > > >
> > > > I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicate and NOT from data that I added. That seems incorrect to me.
> > > >
> > > > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
> > > >
> > > > > klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expire).
> > > > >
> > > > > Also I had asked a while back about whether there is dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.
> > > > >
> > > > > Regarding the clock skew, I found out from /var/log/message that shows me this so it may be from named:
> > > > >
> > > > > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
> > > > > Jan 28 14:10:42 test named[2911]: loading configuration: failure
> > > > > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> > > > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
> > > > >
> > > > > I don't have a krb5cc_496 file (since klist is empty), so sounds to me I need to get a Kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed time back to before the cert expiration date and reboot and try renew but the error message about clock skew is still there. That seems strange.
> > > > >
> > > > > Lastly, as an absolute last resort, can I regenerate a new cert myself?
> > > > >
> > > > > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
> > > > >
> > > > > [root at test /]# klist
> > > > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > > > > [root at test /]# service ipa start
> > > > > Starting Directory Service
> > > > > Starting dirsrv:
> > > > >     PKI-IPA...                                  [ OK ]
> > > > >     sample-NET...                               [ OK ]
> > > > > Starting KDC Service
> > > > > Starting Kerberos 5 KDC:                        [ OK ]
> > > > > Starting KPASSWD Service
> > > > > Starting Kerberos 5 Admin Server:               [ OK ]
> > > > > Starting DNS Service
> > > > > Starting named:                                 [FAILED]
> > > > > Failed to start DNS Service
> > > > > Shutting down
> > > > > Stopping Kerberos 5 KDC:                        [ OK ]
> > > > > Stopping Kerberos 5 Admin Server:               [ OK ]
> > > > > Stopping named:                                 [ OK ]
> > > > > Stopping httpd:                                 [ OK ]
> > > > > Stopping pki-ca:                                [ OK ]
> > > > > Shutting down dirsrv:
> > > > >     PKI-IPA...                                  [ OK ]
> > > > >     sample-NET...                               [ OK ]
> > > > > Aborting ipactl
> > > > > [root at test /]# klist
> > > > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > > > > [root at test /]# service ipa status
> > > > > Directory Service: STOPPED
> > > > > Failed to get list of services to probe status:
> > > > > Directory Server is stopped
> > > > >
> > > > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote:
> > > > >
> > > > > > On 27/04/16 21:54, Anthony Cheng wrote:
> > > > > > > Hi list,
> > > > > > >
> > > > > > > I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expires, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
> > > > > > >
> > > > > > > With NTP disabled and clock reset why would it complain about clock skew and how does it even know about the current time?
> > > > > > >
> > > > > > > [root at test certs]# getcert list
> > > > > > > Number of certificates and requests being tracked: 8.
> > > > > > > Request ID '20111214223243':
> > > > > > >   status: MONITORING
> > > > > > >   ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> > > > > > >   stuck: no
> > > > > > >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> > > > > > >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > >   CA: IPA
> > > > > > >   issuer: CN=Certificate Authority,O=sample.NET
> > > > > > >   subject: CN=test.sample.net,O=sample.NET
> > > > > > >   expires: 2016-01-29 14:09:46 UTC
> > > > > > >   eku: id-kp-serverAuth
> > > > > > >   pre-save command:
> > > > > > >   post-save command:
> > > > > > >   track: yes
> > > > > > >   auto-renew: yes
> > > > > > > Request ID '20111214223300':
> > > > > > >   status: MONITORING
> > > > > > >   ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> > > > > > >   stuck: no
> > > > > > >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > > > > > >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > >   CA: IPA
> > > > > > >   issuer: CN=Certificate Authority,O=sample.NET
> > > > > > >   subject: CN=test.sample.net,O=sample.NET
> > > > > > >   expires: 2016-01-29 14:09:45 UTC
> > > > > > >   eku: id-kp-serverAuth
> > > > > > >   pre-save command:
> > > > > > >   post-save command:
> > > > > > >   track: yes
> > > > > > >   auto-renew: yes
> > > > > > > Request ID '20111214223316':
> > > > > > >   status: MONITORING
> > > > > > >   ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> > > > > > >   stuck: no
> > > > > > >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > >   CA: IPA
> > > > > > >   issuer: CN=Certificate Authority,O=sample.NET
> > > > > > >   subject: CN=test.sample.net,O=sample.NET
> > > > > > >   expires: 2016-01-29 14:09:45 UTC
> > > > > > >   eku: id-kp-serverAuth
> > > > > > >   pre-save command:
> > > > > > >   post-save command:
> > > > > > >   track: yes
> > > > > > >   auto-renew: yes
> > > > > > > Request ID '20130519130741':
> > > > > > >   status: NEED_CSR_GEN_PIN
> > > > > > >   ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> > > > > > >   stuck: yes
> > > > > > >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > > > > >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > >   issuer: CN=Certificate Authority,O=sample.NET
> > > > > > >   subject: CN=CA Audit,O=sample.NET
> > > > > > >   expires: 2017-10-13 14:10:49 UTC
> > > > > > >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > > > > >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> > > > > > >   track: yes
> > > > > > >   auto-renew: yes
> > > > > > > Request ID '20130519130742':
> > > > > > >   status: NEED_CSR_GEN_PIN
> > > > > > >   ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> > > > > > >   stuck: yes
> > > > > > >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > > > > >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > >   issuer: CN=Certificate Authority,O=sample.NET
> > > > > > >   subject: CN=OCSP Subsystem,O=sample.NET
> > > > > > >   expires: 2017-10-13 14:09:49 UTC
> > > > > > >   eku: id-kp-OCSPSigning
> > > > > > >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > > > > >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> > > > > > >   track: yes
> > > > > > >   auto-renew: yes
> > > > > > > Request ID '20130519130743':
> > > > > > >   status: NEED_CSR_GEN_PIN
> > > > > > >   ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> > > > > > >   stuck: yes
> > > > > > >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > > > > >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > >   issuer: CN=Certificate Authority,O=sample.NET
> > > > > > >   subject: CN=CA Subsystem,O=sample.NET
> > > > > > >   expires: 2017-10-13 14:09:49 UTC
> > > > > > >   eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > > > > >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> > > > > > >   track: yes
> > > > > > >   auto-renew: yes
> > > > > > > Request ID '20130519130744':
> > > > > > >   status: MONITORING
> > > > > > >   ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> > > > > > >   stuck: no
> > > > > > >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > >   issuer: CN=Certificate Authority,O=sample.NET
> > > > > > >   subject: CN=RA Subsystem,O=sample.NET
> > > > > > >   expires: 2017-10-13 14:09:49 UTC
> > > > > > >   eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >   pre-save command:
> > > > > > >   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > > > > >   track: yes
> > > > > > >   auto-renew: yes
> > > > > > > Request ID '20130519130745':
> > > > > > >   status: NEED_CSR_GEN_PIN
> > > > > > >   ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> > > > > > >   stuck: yes
> > > > > > >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > > > > >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > >   issuer: CN=Certificate Authority,O=sample.NET
> > > > > > >   subject: CN=test.sample.net,O=sample.NET
> > > > > > >   expires: 2017-10-13 14:09:49 UTC
> > > > > > >   eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >   pre-save command:
> > > > > > >   post-save command:
> > > > > > >   track: yes
> > > > > > >   auto-renew: yes
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > Thanks, Anthony
> > > > > >
> > > > > > Hello Anthony!
> > > > > >
> > > > > > After stopping NTP (or other time synchronizing service) and setting time manually the server really doesn't have a way to determine that its time differs from the real one.
> > > > > >
> > > > > > I think this might be an issue with Kerberos ticket.
> > > > > > You can show content of root's ticket cache using klist. If there is anything clean it with kdestroy and try to resubmit the request again.
> > > > > >
> > > > > > --
> > > > > > David Kupka
> > > > >
> > > > > --
> > > > > Thanks, Anthony
> > > >
> > > > --
> > > > Thanks, Anthony
> >
> > --
> > Thanks, Anthony

--
Thanks, Anthony

From ggiesen+freeipa-users at giesen.me Tue May 3 00:40:06 2016
From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen)
Date: Mon, 2 May 2016 20:40:06 -0400
Subject: [Freeipa-users] Unable to configure DNSSEC signing
Message-ID: <064e01d1a4d4$57605c90$062115b0$@giesen.me>

I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've been unable for the life of me to get it to sign zones. I've followed the steps at http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but as yet have been unable to get signing to work.

# ipa dnszone-show example.com
  Zone name: example.com.
  Active zone: TRUE
  Authoritative nameserver: host.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1462235022
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
  Allow in-line DNSSEC signing: TRUE

################################################################################

ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
# requesting: ALL
#

# DNSSEC, host.example.com, masters, ipa, etc, example.com
dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: dnssecKeyMaster
ipaConfigString: startOrder 100
ipaConfigString: enabledService
cn: DNSSEC

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

################################################################################

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

################################################################################

$ ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
No zones in DB or zonelist.

Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no effect. The only log entries I see are:

# journalctl -u ipa-dnskeysyncd
May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process

Can anyone advise on next steps? I've been banging my head against a wall for a couple days now and would really appreciate some help.

From siology.io at gmail.com Tue May 3 03:20:28 2016
From: siology.io at gmail.com (siology.io)
Date: Tue, 3 May 2016 15:20:28 +1200
Subject: [Freeipa-users] migration user passwords from openldap to freeipa
In-Reply-To: <5295D1CE-A4B5-43D0-B48F-8CA0F8541D64@kreitschmann.de>
References: <5295D1CE-A4B5-43D0-B48F-8CA0F8541D64@kreitschmann.de>
Message-ID:

ok, after looking again at this, I've found that even with the admin users it's not working how I'd like. With the admin user what seems to be happening is that the users after import *must* go to the /ipa/migration/ url and then enter their password. Although it does now let them login unlike before (so I guess before I hadn't used the admin ldap user to import from and hence didn't have permissions as you suggested)

However, I'd really like to avoid that because we've got hundreds of users, mostly external to the company in different timezones, and coordinating getting people to go to the portal (and making it available to the internet!) sounds like a nightmare. These users don't need kerberos credentials (afaik) as I just want them to be able to bind against the freeipa ldap server. I'm happy for users that need kerberos to have to go to the migration page.

Is there any way to avoid a user needing to go to the migration page after importing the user?

On 27 April 2016 at 19:45, David Kreitschmann wrote:
> Are you sure that your bind dn has read access to userPassword?
> A default OpenLDAP installation usually has an admin user.
> Gosa ACLs are only applied when using the web interface, they are not used for direct access via LDAP.
>
> > On 27.04.2016 at 03:43, siology.io wrote:
> >
> > I'm having issues migrating from an openldap directory (which has gosa schema) to freeipa.
> >
> > To migrate I'm doing (and yes, I know);
> >
> > ipa migrate-ds ldap://old.server.com:389 --bind-dn "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup --user-objectclass=inetOrgPerson --group-overwrite-gid --user-ignore-objectclass=gosaAccount --user-ignore-objectclass=gosaMailAccount --user-ignore-attribute=gosaMailDeliveryMode --user-ignore-attribute=gosaMailServer --user-ignore-attribute=gosaSpamSortLevel --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey --user-ignore-attribute=sambaLMPassword --user-ignore-attribute=sambaBadPasswordTime --user-ignore-attribute=gosaaclentry --user-ignore-attribute=sambaBadPasswordCount --user-ignore-attribute=sambaNTPassword --user-ignore-attribute=sambaPwdLastSet
> >
> > Which seems to work to import all those users which have posix settings set, however I have two problems:
> >
> > - Am I right in thinking there's no way to auto-assign a gid/uid/home dir for the non-posix users at migration time? That's not a deal breaker per se, but I'd need to spin up a new copy of the old ldap and then add those attributes to every user, then migrate to ipa from that source, which is a real pain.
> >
> > - The migration seems to be successful for the users that do have posix attributes, and ends with:
> >
> > Passwords have been migrated in pre-hashed format.
> > IPA is unable to generate Kerberos keys unless provided
> > with clear text passwords.
All migrated users need to > > login at https://your.domain/ipa/migration/ before they > > can use their Kerberos accounts. > > > > ...but i'm unable to login to that page as any of my migrated users, or > bind as them with ldapsearch. It seems like the passwords were not migrated > ? > > > > Because 90% of my ~350 users are only going to be using freeipa insomuch > as using services which are making use of the ipa server's ldap i was > hoping that i wouldn't need to make kerberos tickets for those users, and > hence avoid needing every user to login to the migration page. At the > moment however i'm not able to get any migrated users at all to be able to > bind to ldap or login to that page. > > > > Any tips or gotchas i should know ? I've no idea how to begin debugging > this. > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From harald.dunkel at aixigo.de Tue May 3 05:35:15 2016 From: harald.dunkel at aixigo.de (Harald Dunkel) Date: Tue, 3 May 2016 07:35:15 +0200 Subject: [Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs In-Reply-To: <20160502155906.GA32607@10.4.128.1> References: <20160502155906.GA32607@10.4.128.1> Message-ID: <4a4f0805-fbc5-9c2e-b8c9-226b704b3c27@aixigo.de> Hi Lukas, On 05/02/16 17:59, Lukas Slebodnik wrote: > Could you provide output of "systemctl cat sssd.service"? 
> In my case, it should be started before nss-user-lookup.target
>
> # /usr/lib/systemd/system/sssd.service
> [Unit]
> Description=System Security Services Daemon
> # SSSD must be running before we permit user sessions
> Before=systemd-user-sessions.service nss-user-lookup.target
> Wants=nss-user-lookup.target
>
> [Service]
> EnvironmentFile=-/etc/sysconfig/sssd
> ExecStart=/usr/sbin/sssd -D -f
> # These two should be used with traditional UNIX forking daemons
> # consult systemd.service(5) for more details
> Type=forking
> PIDFile=/var/run/sssd.pid
>
> [Install]
> WantedBy=multi-user.target

I got

# /lib/systemd/system/sssd.service
[Unit]
Description=System Security Services Daemon
# SSSD must be running before we permit user sessions
Before=systemd-user-sessions.service nss-user-lookup.target
Wants=nss-user-lookup.target

[Service]
EnvironmentFile=-/etc/sysconfig/sssd
ExecStart=/usr/sbin/sssd -D -f
# These two should be used with traditional UNIX forking daemons
# consult systemd.service(5) for more details
Type=forking
PIDFile=/var/run/sssd.pid

[Install]
WantedBy=multi-user.target

Except for the first comment line, diff doesn't show a difference.

Maybe there is a misunderstanding: IMHO it's not sufficient to start sssd before systemd-user-sessions.service and nss-user-lookup.target. sssd and all its internal sssd_something services must have completed their initialization (including the user database) before these services can be started.

Here is the output of "ps -ef", created by the "@reboot" crontab entry:

UID PID PPID C STIME TTY TIME CMD
root 1 0 0 14:27 ? 00:00:00 /sbin/init
root 23 1 0 14:27 ? 00:00:00 /lib/systemd/systemd-journald
root 159 1 0 14:28 ? 00:00:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
daemon 193 1 0 14:28 ? 00:00:00 /usr/sbin/atd -f
root 194 1 0 14:28 ? 00:00:00 /usr/sbin/cron -f
root 195 1 0 14:28 ? 00:00:00 /usr/sbin/ModemManager
root 198 1 0 14:28 ? 00:00:00 /usr/sbin/inetd -i
root 199 1 0 14:28 ? 00:00:00 /usr/sbin/sshd -D
root 200 1 0 14:28 ? 00:00:00 lldpd: monitor
root 201 1 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
message+ 206 1 0 14:28 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
lp 218 1 0 14:28 ? 00:00:00 /usr/sbin/lpd -s
root 220 1 0 14:28 ? 00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -c /var/lib/ntp/ntp.conf.dhcp -u 112:121
root 226 1 0 14:28 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
root 227 1 0 14:28 ? 00:00:00 /usr/sbin/rsyslogd -n
_lldpd 229 200 0 14:28 ? 00:00:00 lldpd: no neighbor
root 262 1 0 14:28 ? 00:00:00 /usr/lib/policykit-1/polkitd --no-debug
root 263 194 0 14:28 ? 00:00:00 /usr/sbin/CRON -f
zabbix 271 1 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd
zabbix 274 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
zabbix 275 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
zabbix 276 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
zabbix 277 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
zabbix 278 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]
root 492 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
root 502 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
Debian-+ 504 1 0 14:28 ? 00:00:00 /usr/sbin/exim4 -bd -q30m
root 505 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
root 506 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
root 507 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
root 508 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
root 509 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
root 510 263 0 14:28 ? 00:00:00 /bin/sh -c ( ps -ef; ls -al /home ) >/var/tmp/ls.log
root 511 510 0 14:28 ? 00:00:00 /bin/sh -c ( ps -ef; ls -al /home ) >/var/tmp/ls.log
root 512 201 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
root 515 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
root 516 511 0 14:28 ? 00:00:00 ps -ef
root 517 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
root 518 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
root 519 512 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
root 520 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
root 521 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit

Please note that the sssd_* jobs are missing, and yet the cron service has been started to run this cron job.

Regards
Harri

From rakesh.rajasekharan at gmail.com Tue May 3 06:20:59 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Tue, 3 May 2016 11:50:59 +0530
Subject: [Freeipa-users] freeipa password policy ( history ) getting reset with password reset
Message-ID:

Hi,

I am running a freeipa server 4.2.x. I have the following global password policy set to force a history of 3:

ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 --maxfail=3 --failinterval=300

This works well when the user himself changes the password, and IPA does not allow reusing an older password. However, if the admin resets it with "ipa user-mod testuser --random" then it seems to reset the password history as well, and the user can now re-use his older password. Is this expected, or is there something I can do about it?

Also, is there a way to get the password expiry warning at the terminal when a user logs in, something similar to "pwdExpireWarning" in LDAP? I searched a bit and could only find setting up email alerts.

Thanks,
Rakesh
From matrix.zj at qq.com Tue May 3 06:48:46 2016
From: matrix.zj at qq.com (Matrix)
Date: Tue, 3 May 2016 14:48:46 +0800
Subject: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?
In-Reply-To:
References: <410229fc-04a8-9774-6759-6881cb996765@redhat.com>
Message-ID:

Hi, Petr

All steps listed in section 7.4 of the Windows integration guide have been done.

The user for sync is 'cn=ipa,cn=users,dc=examplemedia,dc=net' and I have verified it with ldapsearch; the detailed command is below:

# ldapsearch -H ldap://ipaad.examplemedia.net -D 'cn=ipa,cn=users,dc=examplemedia,dc=net' -w 'RedHat1!' -b "cn=users,dc=examplemedia,dc=net" -LLL -ZZ

And the sync agreement is created by:

# ipa-replica-manage connect --winsync --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='RedHat1!' --passsync='redhatredhat' --cacert='/etc/openldap/cacerts/ad.cer' --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net

After it has been created, I have also force-synced it.

# ipa-replica-manage force-sync --from=ipaad.examplemedia.net
Directory Manager password:
ipa: INFO: Setting agreement cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping tree,cn=config
root at ipaserver:/var/log/dirsrv/slapd-DEV-EXAMPLE-NET ? 06:47 AM Tue May 03 ? !41 # echo $?
0

No error was reported. Any debug info or log I can provide for further analysis?

Thanks
Matrix

------------------ Original ------------------
From: "Petr Vobornik";;
Date: Mon, May 2, 2016 02:46 AM
To: "Matrix"; "freeipa-users";
Subject: Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?

On 04/28/2016 05:30 PM, Matrix wrote:
> Hi, Petr
>
> Thanks for your quick reply.
>
> I want to integrate Linux servers with the existing AD and centrally manage HBAC/Sudo rules.
>
> So I have set up a standalone IPA server with domain 'example.net', trying to sync users from the existing AD to it with the following command:
>
> ipa-replica-manage connect --winsync --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='XXXX' --passsync='XXXX' --cacert='/etc/openldap/cacerts/ipaad.cer' --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net
>
>
> After it has been successfully established, users in AD did not sync to IPA.

Before we go into debugging, please make sure that you have done the steps described in section 7.4 of Windows integration guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html

>
> For the 'trusts' integration method, since users did not sync to IPA at all, how to set sudo/HBAC rules for users? I have not tried it.
>
>
> Matrix
>
>
> ------------------ Original ------------------
> *From: * "Petr Vobornik";;
> *Date: * Thu, Apr 28, 2016 11:21 PM
> *To: * "Matrix"; "freeipa-users";
> *Subject: * Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?
>
> On 04/28/2016 04:44 PM, Matrix wrote:
> > Hi, all
> >
> > I am trying to do a centralized solution
> >
> > AD domain is 'examplemedia.net'
> >
> > IPA domain is 'example.net'
> >
> > After ipa-replica has been established, I found that nothing has been synced from AD to IPA.
> >
> > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> >
> > I doubt that different suffixes are supported? If so, can anyone show some hints for me to investigate more?
> >
> > Thanks for your kind help.
> >
> > Matrix
>
> Hello,
>
> what is your goal and current setup?
>
> By "ipa-replica has been established" do you mean that you installed a new currently standalone IPA server? And connected it somehow with AD?
>
> Or did you run `ipa-replica-manage connect --winsync ...`
>
> It would be good to mention that IPA server[1] cannot be a replica of an AD server. But it can integrate with it. Either by using winsync (synchronization) or the recommended solution: Trusts [2].
>
> Documentation:
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
>
> HTH
> --
> Petr Vobornik

--
Petr Vobornik

From mbasti at redhat.com Tue May 3 08:05:43 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 3 May 2016 10:05:43 +0200
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <064e01d1a4d4$57605c90$062115b0$@giesen.me>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me>
Message-ID: <57285BD7.3000301@redhat.com>

On 03.05.2016 02:40, Gary T. Giesen wrote:
> I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've been unable for the life of me to get it to sign zones. I've followed the steps at http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but as yet have been unable to get signing to work.
>
> # ipa dnszone-show example.com
> Zone name: example.com.
> Active zone: TRUE
> Authoritative nameserver: host.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 1462235022
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> Allow query: any;
> Allow transfer: none;
> Allow in-line DNSSEC signing: TRUE
>
> ################################################################################
>
> ldapsearch -Y GSSAPI '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
> SASL/GSSAPI authentication started
> SASL username: admin at EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
> # requesting: ALL
> #
>
> # DNSSEC, host.example.com, masters, ipa, etc, example.com
> dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
> objectClass: ipaConfigObject
> objectClass: nsContainer
> objectClass: top
> ipaConfigString: dnssecKeyMaster
> ipaConfigString: startOrder 100
> ipaConfigString: enabledService
> cn: DNSSEC
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> ################################################################################
>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> ################################################################################
>
> $ ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> No zones in DB or zonelist.
>
>
> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no effect.
> The only log entries I see are:
>
> # journalctl -u ipa-dnskeysyncd
>
> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>
>
> Can anyone advise on next steps? I've been banging my head against a wall for a couple of days now and would really appreciate some help.
>

Hello,

can you please check journalctl -u named-pkcs11 ?

Martin

From lslebodn at redhat.com Tue May 3 08:21:46 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 3 May 2016 10:21:46 +0200
Subject: [Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs
In-Reply-To: <4a4f0805-fbc5-9c2e-b8c9-226b704b3c27@aixigo.de>
References: <20160502155906.GA32607@10.4.128.1> <4a4f0805-fbc5-9c2e-b8c9-226b704b3c27@aixigo.de>
Message-ID: <20160503082145.GB22308@10.4.128.1>

On (03/05/16 07:35), Harald Dunkel wrote:
>Hi Lukas,
>
>On 05/02/16 17:59, Lukas Slebodnik wrote:
>> Could you provide output of "systemctl cat sssd.service"?
>> In my case, it should be started before nss-user-lookup.target
>>
>> # /usr/lib/systemd/system/sssd.service
>> [Unit]
>> Description=System Security Services Daemon
>> # SSSD must be running before we permit user sessions
>> Before=systemd-user-sessions.service nss-user-lookup.target
>> Wants=nss-user-lookup.target
>>
>> [Service]
>> EnvironmentFile=-/etc/sysconfig/sssd
>> ExecStart=/usr/sbin/sssd -D -f
>> # These two should be used with traditional UNIX forking daemons
>> # consult systemd.service(5) for more details
>> Type=forking
>> PIDFile=/var/run/sssd.pid
>>
>> [Install]
>> WantedBy=multi-user.target
>
>I got
>
> # /lib/systemd/system/sssd.service
> [Unit]
> Description=System Security Services Daemon
> # SSSD must be running before we permit user sessions
> Before=systemd-user-sessions.service nss-user-lookup.target
> Wants=nss-user-lookup.target
>
> [Service]
> EnvironmentFile=-/etc/sysconfig/sssd
> ExecStart=/usr/sbin/sssd -D -f
> # These two should be used with traditional UNIX forking daemons
> # consult systemd.service(5) for more details
> Type=forking
> PIDFile=/var/run/sssd.pid
>
> [Install]
> WantedBy=multi-user.target
>
>Except for the first comment line, diff doesn't show a difference.
>
>Maybe there is a misunderstanding: IMHO it's not sufficient to start sssd before systemd-user-sessions.service and nss-user-lookup.target. sssd and all its internal sssd_something services must have completed their initialization (including the user database) before these services can be started.
>
>Here is the output of "ps -ef", created by the "@reboot" crontab entry:
>
>UID PID PPID C STIME TTY TIME CMD
>root 1 0 0 14:27 ? 00:00:00 /sbin/init
>root 23 1 0 14:27 ? 00:00:00 /lib/systemd/systemd-journald
>root 159 1 0 14:28 ? 00:00:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
>daemon 193 1 0 14:28 ? 00:00:00 /usr/sbin/atd -f
>root 194 1 0 14:28 ? 00:00:00 /usr/sbin/cron -f
>root 195 1 0 14:28 ? 00:00:00 /usr/sbin/ModemManager
>root 198 1 0 14:28 ? 00:00:00 /usr/sbin/inetd -i
>root 199 1 0 14:28 ? 00:00:00 /usr/sbin/sshd -D
>root 200 1 0 14:28 ? 00:00:00 lldpd: monitor
>root 201 1 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
>message+ 206 1 0 14:28 ? 00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
>lp 218 1 0 14:28 ? 00:00:00 /usr/sbin/lpd -s
>root 220 1 0 14:28 ? 00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -c /var/lib/ntp/ntp.conf.dhcp -u 112:121
>root 226 1 0 14:28 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
>root 227 1 0 14:28 ? 00:00:00 /usr/sbin/rsyslogd -n
>_lldpd 229 200 0 14:28 ? 00:00:00 lldpd: no neighbor
>root 262 1 0 14:28 ? 00:00:00 /usr/lib/policykit-1/polkitd --no-debug
>root 263 194 0 14:28 ? 00:00:00 /usr/sbin/CRON -f
>zabbix 271 1 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd
>zabbix 274 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
>zabbix 275 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
>zabbix 276 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
>zabbix 277 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
>zabbix 278 271 0 14:28 ? 00:00:00 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]
>root 492 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 502 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>Debian-+ 504 1 0 14:28 ? 00:00:00 /usr/sbin/exim4 -bd -q30m
>root 505 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 506 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 507 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 508 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/ipa-submit
>root 509 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 510 263 0 14:28 ? 00:00:00 /bin/sh -c ( ps -ef; ls -al /home ) >/var/tmp/ls.log
>root 511 510 0 14:28 ? 00:00:00 /bin/sh -c ( ps -ef; ls -al /home ) >/var/tmp/ls.log
>root 512 201 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
>root 515 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 516 511 0 14:28 ? 00:00:00 ps -ef
>root 517 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 518 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 519 512 0 14:28 ? 00:00:00 /usr/sbin/sssd -D -f
>root 520 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>root 521 226 0 14:28 ? 00:00:00 /usr/lib/x86_64-linux-gnu/certmonger/certmaster-submit
>
>Please note that the sssd_* jobs are missing, and yet the cron service has been started to run this cron job.
>

But that's not a problem of sssd. It's a bug in the cron service file. If cron relies on user lookup then it should not be started before nss-user-lookup.target. Fedora has a correct service file for crond.

sh$ systemctl cat crond.service
# /usr/lib/systemd/system/crond.service
[Unit]
Description=Command Scheduler
After=auditd.service nss-user-lookup.target systemd-user-sessions.service time-sync.target ypbind.service

[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process

[Install]
WantedBy=multi-user.target

Debian has quite a minimal version:

sh$ systemctl cat cron.service
# /lib/systemd/system/cron.service
[Unit]
Description=Regular background program processing daemon
Documentation=man:cron(8)

[Service]
EnvironmentFile=-/etc/default/cron
ExecStart=/usr/sbin/cron -f $EXTRA_OPTS
IgnoreSIGPIPE=false
KillMode=process

[Install]
WantedBy=multi-user.target

You can create your custom version in /etc/systemd/system/cron.service but do not forget to call "systemctl daemon-reload".

LS

From lslebodn at redhat.com Tue May 3 08:45:13 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 3 May 2016 10:45:13 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To:
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com>
Message-ID: <20160503084513.GC22308@10.4.128.1>

On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>Thanks for your quick response. I am trying this on Ubuntu.
>
>This is the bug I'm facing right now: https://lists.launchpad.net/freeipa/msg00236.html
>They say it's fixed in the Trusty release of Ubuntu. But it doesn't work for me. There is no other material also on how to fix this dbus error.
>
>root at jupyterhub:/# lsb_release -rd
>Description: Ubuntu 14.04.4 LTS
>Release: 14.04
>root at jupyterhub:/#

Do I understand it correctly that you want to build your own image based on Ubuntu? If the answer is yes then I would recommend using Ubuntu xenial (16.04).
But the benefit of container technologies is that you can use an image based on a different distribution, and therefore it would be best if you could use https://hub.docker.com/r/fedora/sssd/ (which was already mentioned).

LS

From ggiesen+freeipa-users at giesen.me Tue May 3 10:30:23 2016
From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen)
Date: Tue, 3 May 2016 06:30:23 -0400
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <57285BD7.3000301@redhat.com>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <57285BD7.3000301@redhat.com>
Message-ID: <06ba01d1a526$ce030620$6a091260$@giesen.me>

May 03 06:21:09 host.example.com systemd[1]: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11...
May 03 06:21:09 host.example.com named-pkcs11[27047]: received control channel command 'stop'
May 03 06:21:09 host.example.com named-pkcs11[27047]: shutting down: flushing changes
May 03 06:21:09 host.example.com named-pkcs11[27047]: stopping command channel on 127.0.0.1#953
May 03 06:21:09 host.example.com named-pkcs11[27047]: stopping command channel on ::1#953
May 03 06:21:09 host.example.com named-pkcs11[27047]: zone example.com/IN (signed): shutting down
May 03 06:21:09 host.example.com named-pkcs11[27047]: zone example.com/IN (unsigned): shutting down
May 03 06:21:09 host.example.com named-pkcs11[27047]: no longer listening on ::#53
May 03 06:21:09 host.example.com named-pkcs11[27047]: no longer listening on 127.0.0.1#53
May 03 06:21:09 host.example.com named-pkcs11[27047]: no longer listening on 1.2.3.4#53
May 03 06:21:09 host.example.com named-pkcs11[27047]: exiting
May 03 06:21:09 host.example.com systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...
May 03 06:21:09 host.example.com bash[27077]: zone localhost.localdomain/IN: loaded serial 0
May 03 06:21:09 host.example.com bash[27077]: zone localhost/IN: loaded serial 0
May 03 06:21:09 host.example.com bash[27077]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loa
May 03 06:21:09 host.example.com bash[27077]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
May 03 06:21:09 host.example.com bash[27077]: zone 0.in-addr.arpa/IN: loaded serial 0
May 03 06:21:09 host.example.com named-pkcs11[27082]: starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 -u named
May 03 06:21:09 host.example.com named-pkcs11[27082]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
May 03 06:21:09 host.example.com named-pkcs11[27082]: ----------------------------------------------------
May 03 06:21:09 host.example.com named-pkcs11[27082]: BIND 9 is maintained by Internet Systems Consortium,
May 03 06:21:09 host.example.com named-pkcs11[27082]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 03 06:21:09 host.example.com named-pkcs11[27082]: corporation. Support and training for BIND 9 are
May 03 06:21:09 host.example.com named-pkcs11[27082]: available at https://www.isc.org/support
May 03 06:21:09 host.example.com named-pkcs11[27082]: ----------------------------------------------------
May 03 06:21:09 host.example.com named-pkcs11[27082]: adjusted limit on open files from 4096 to 1048576
May 03 06:21:09 host.example.com named-pkcs11[27082]: found 4 CPUs, using 4 worker threads
May 03 06:21:09 host.example.com named-pkcs11[27082]: using 4 UDP listeners per interface
May 03 06:21:09 host.example.com named-pkcs11[27082]: using up to 4096 sockets
May 03 06:21:09 host.example.com named-pkcs11[27082]: loading configuration from '/etc/named.conf'
May 03 06:21:09 host.example.com named-pkcs11[27082]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
May 03 06:21:09 host.example.com named-pkcs11[27082]: using default UDP/IPv4 port range: [1024, 65535]
May 03 06:21:09 host.example.com named-pkcs11[27082]: using default UDP/IPv6 port range: [1024, 65535]
May 03 06:21:09 host.example.com named-pkcs11[27082]: listening on IPv6 interfaces, port 53
May 03 06:21:09 host.example.com named-pkcs11[27082]: listening on IPv4 interface lo, 127.0.0.1#53
May 03 06:21:09 host.example.com named-pkcs11[27082]: listening on IPv4 interface eth0, 1.2.3.4#53
May 03 06:21:09 host.example.com named-pkcs11[27082]: generating session key for dynamic DNS
May 03 06:21:09 host.example.com named-pkcs11[27082]: sizing zone task pool based on 6 zones
May 03 06:21:09 host.example.com named-pkcs11[27082]: /etc/named.conf:12: no forwarders seen; disabling forwarding
May 03 06:21:09 host.example.com named-pkcs11[27082]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-
May 03 06:21:09 host.example.com named-pkcs11[27082]: bind-dyndb-ldap version 8.0 compiled at 15:16:02 Nov 20 2015, compiler 4.8.5
May 03 06:21:09 host.example.com named-pkcs11[27082]: option 'serial_autoincrement' is not supported, ignoring
May 03 06:21:09 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:09 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:09 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 2
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 1
May 03 06:21:10 host.example.com named-pkcs11[27082]: GSSAPI client step 2
May 03 06:21:10 host.example.com named-pkcs11[27082]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones l
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 10.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 16.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 17.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 18.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 19.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 20.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 21.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 22.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 23.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 24.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 25.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 26.172.IN-ADDR.ARPA
May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 27.172.IN-ADDR.ARPA
May 03 06:21:10
host.example.com named-pkcs11[27082]: automatic empty zone: 121.100.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 122.100.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 123.100.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 124.100.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 125.100.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 126.100.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 127.100.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 127.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 254.169.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 2.0.192.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 100.51.198.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 113.0.203.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: D.F.IP6.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 8.E.F.IP6.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 9.E.F.IP6.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: A.E.F.IP6.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: B.E.F.IP6.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA May 03 06:21:10 host.example.com named-pkcs11[27082]: 
/etc/named.conf:12: no forwarders seen; disabling forwarding May 03 06:21:10 host.example.com named-pkcs11[27082]: command channel listening on 127.0.0.1#953 May 03 06:21:10 host.example.com named-pkcs11[27082]: command channel listening on ::1#953 May 03 06:21:11 host.example.com named-pkcs11[27082]: managed-keys-zone: loaded serial 93 May 03 06:21:11 host.example.com named-pkcs11[27082]: zone 0.in-addr.arpa/IN: loaded serial 0 May 03 06:21:11 host.example.com named-pkcs11[27082]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa May 03 06:21:11 host.example.com named-pkcs11[27082]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 May 03 06:21:11 host.example.com named-pkcs11[27082]: zone localhost.localdomain/IN: loaded serial 0 May 03 06:21:11 host.example.com named-pkcs11[27082]: zone localhost/IN: loaded serial 0 May 03 06:21:11 host.example.com named-pkcs11[27082]: all zones loaded May 03 06:21:11 host.example.com named-pkcs11[27082]: running May 03 06:21:11 host.example.com systemd[1]: Started Berkeley Internet Name Domain (DNS) with native PKCS#11. 
May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (unsigned): loaded serial 1462270871 May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): loaded serial 1462270871 May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): receive_secure_serial: unchanged May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): loaded serial 1462270871 May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): reconfiguring NSEC3PARAM to '0 0 0 00' May 03 06:21:11 host.example.com named-pkcs11[27082]: 1 master zones from LDAP instance 'ipa' loaded (1 zones defined, 0 inactive, May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): reconfiguring zone keys May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): next key event: 03-May-2016 07:21:11.049 Cheers, GTG -----Original Message----- From: Martin Basti [mailto:mbasti at redhat.com] Sent: May-03-16 4:06 AM To: Gary T. Giesen ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing Hello, can you please check journalctl -u named-pkcs11 ? Martin From ggiesen+freeipa-users at giesen.me Tue May 3 10:36:53 2016 From: ggiesen+freeipa-users at giesen.me (Gary T. 
Giesen) Date: Tue, 3 May 2016 06:36:53 -0400 Subject: [Freeipa-users] Unable to configure DNSSEC signing In-Reply-To: <06bb01d1a526$cf5d3ef0$6e17bcd0$@giesen.me> References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <57285BD7.3000301@redhat.com> <06bb01d1a526$cf5d3ef0$6e17bcd0$@giesen.me> Message-ID: <06bc01d1a527$b557e900$2007bb00$@giesen.me> I made a change to the zone to try to trigger an update and got the follow in the log: May 03 06:33:24 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): serial 1462271604 (unsigned 1462271604) May 03 06:33:24 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): could not get zone keys for secure dynamic update May 03 06:33:24 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): receive_secure_serial: not found I'm not sure if it's a cause for concern or not. Cheers, GTG -----Original Message----- From: Gary T. Giesen [mailto:ggiesen at giesen.me] Sent: May-03-16 6:30 AM To: 'Martin Basti' ; freeipa-users at redhat.com Subject: RE: [Freeipa-users] Unable to configure DNSSEC signing May 03 06:21:09 host.example.com systemd[1]: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11... ... May 03 06:21:11 host.example.com named-pkcs11[27082]: zone example.com/IN (signed): next key event: 03-May-2016 07:21:11.049 Cheers, GTG -----Original Message----- From: Martin Basti [mailto:mbasti at redhat.com] Sent: May-03-16 4:06 AM To: Gary T. Giesen ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing Hello, can you please check journalctl -u named-pkcs11 ? 
Martin

From pspacek at redhat.com Tue May 3 11:07:31 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 3 May 2016 13:07:31 +0200
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <064e01d1a4d4$57605c90$062115b0$@giesen.me>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me>
Message-ID: <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com>

On 3.5.2016 02:40, Gary T. Giesen wrote:
> I've followed the guide at https://www.freeipa.org/page/Howto/DNSSEC to
> configure DNSSEC support in my FreeIPA 4.2/CentOS 7.2 installation, but I've
> been unable for the life of me to get it to sign zones. I've followed the
> steps at
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work but
> as yet have been unable to get signing to work.
>
> # ipa dnszone-show example.com
> Zone name: example.com.
> Active zone: TRUE
> Authoritative nameserver: host.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 1462235022
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> Allow query: any;
> Allow transfer: none;
> Allow in-line DNSSEC signing: TRUE
>
> ############################################################################
> ####
>
> ldapsearch -Y GSSAPI
> '(&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))'
> SASL/GSSAPI authentication started
> SASL username: admin at EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter:
> (&(ipaConfigString=enabledService)(ipaConfigString=dnssecKeyMaster))
> # requesting: ALL
> #
>
> # DNSSEC, host.example.com, masters, ipa, etc, example.com
> dn: cn=DNSSEC,cn=host.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
> objectClass: ipaConfigObject
> objectClass: nsContainer
> objectClass: top
> ipaConfigString: dnssecKeyMaster
> ipaConfigString: startOrder 100
> ipaConfigString: enabledService
> cn: DNSSEC
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> ############################################################################
> ####
>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> ############################################################################
> ####
>
> $ ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> No zones in DB or zonelist.

Okay, this is a problem. It should list your zone example.com because it has
DNSSEC signing enabled.

Make sure you are working on host.example.com (the host listed by the
ldapsearch above).

I would check two things:
1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it does
not, re-run ipa-dns-install with --dnssec-master option to fix that.

2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make sure
that it contains line "debug=True" and restart ipa-dnskeysyncd when you are
done with it.

The log should be much longer after this change.

I hope it will help to identify the root cause.

What IPA version do you use?
$ rpm -q freeipa-server

Petr^2 Spacek

> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no
> effect. The only log entries I see are:
>
> # journalctl -u ipa-dnskeysyncd
>
> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO
> Signal 15 received: Shutting down!
> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
> session memcached servers not running
> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO
> LDAP bind...
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO
> Commencing sync process
>
>
>
> Can anyone advise on next steps? I've been banging my head against a wall
> for a couple days now and would really appreciate some help.
>

-- 
Petr^2 Spacek

From ggiesen+freeipa-users at giesen.me Tue May 3 11:28:44 2016
From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen)
Date: Tue, 3 May 2016 07:28:44 -0400
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com>
Message-ID: <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me>

1. Confirmed, it was already set to ISMASTER=1

2. Logs:

May 03 07:21:05 host.example.com ipa-dnskeysyncd[27099]: ipa : INFO Signal 15 received: Shutting down!
May 03 07:21:05 host.example.com systemd[1]: Started IPA key daemon.
May 03 07:21:05 host.example.com systemd[1]: Starting IPA key daemon...
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.aci
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.automember
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.automount
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.batch
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.cert
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.config
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.dns
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.group
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.host
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.internal
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.kerberos
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.migration
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.misc
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.permission
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.ping
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Starting external process
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: args='klist' '-V'
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Process finished, return code=0
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: stderr=
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.role
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.server
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.service
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.session
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: WARNING: session memcached servers not running
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.topology
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.trust
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.user
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.vault
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipaserver.plugins.join
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_61570320
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_61593232
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/log
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/log
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/ch
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_to
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: session_auth_duration: 0:20:00
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG Kerberos principal: ipa-dnskeysyncd/host.example.com
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG Initializing principal ipa-dnskeysyncd/host.example.com
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG using ccache /tmp/ipa-dnskeysyncd.ccache
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG Attempt 1/5: success
May 03 07:21:06 host.example.com python2[27240]: GSSAPI client step 1
May 03 07:21:06 host.example.com python2[27240]: GSSAPI client step 1
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.so
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : INFO LDAP bind...
May 03 07:21:07 host.example.com python2[27240]: GSSAPI client step 1
May 03 07:21:07 host.example.com python2[27240]: GSSAPI client step 2
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa : INFO Commencing sync process
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa

3. # rpm -q ipa-server
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: May-03-16 7:08 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

Okay, this is a problem. It should list your zone example.com because it has
DNSSEC signing enabled.

Make sure you are working on host.example.com (the host listed by the
ldapsearch above).

I would check two things:
1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it
does not, re-run ipa-dns-install with --dnssec-master option to fix that.

2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make
sure that it contains line "debug=True" and restart ipa-dnskeysyncd when you
are done with it.

The log should be much longer after this change.

I hope it will help to identify the root cause.

What IPA version do you use?
$ rpm -q freeipa-server

Petr^2 Spacek

> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had
> no effect. The only log entries I see are:
>
> # journalctl -u ipa-dnskeysyncd
>
> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO
> Signal 15 received: Shutting down!
> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
> session memcached servers not running
> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO
> LDAP bind...
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO
> Commencing sync process
>
>
>
> Can anyone advise on next steps? I've been banging my head against a
> wall for a couple days now and would really appreciate some help.
>

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From pspacek at redhat.com Tue May 3 11:33:17 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 3 May 2016 13:33:17 +0200
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me>
Message-ID: <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com>

On 3.5.2016 13:28, Gary T. Giesen wrote:
> 1. Confirmed, it was already set to ISMASTER=1
>
> 2. Logs:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa

The log seems to be truncated. Please attach it as a file to avoid truncation
and line wrapping problems.

Thanks

Petr^2 Spacek

>
>
> 3. # rpm -q ipa-server
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: May-03-16 7:08 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Okay, this is a problem. It should list your zone example.com because it has
> DNSSEC signing enabled.
>
> Make sure you are working on host.example.com (the host listed by the
> ldapsearch above).
>
> I would check two things:
> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it
> does not, re-run ipa-dns-install with --dnssec-master option to fix that.
>
> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make
> sure that it contains line "debug=True" and restart ipa-dnskeysyncd when you
> are done with it.
>
> The log should be much longer after this change.
>
> I hope it will help to identify the root cause.
>
> What IPA version do you use?
> $ rpm -q freeipa-server
>
> Petr^2 Spacek
>
>
>
>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had
>> no effect. The only log entries I see are:
>>
>> # journalctl -u ipa-dnskeysyncd
>>
>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa :
> INFO
>> Signal 15 received: Shutting down!
>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
>> session memcached servers not running
>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa :
> INFO
>> LDAP bind...
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa :
> INFO
>> Commencing sync process
>>
>>
>>
>> Can anyone advise on next steps? I've been banging my head against a
>> wall for a couple days now and would really appreciate some help.

From ggiesen+freeipa-users at giesen.me Tue May 3 11:37:35 2016
From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen)
Date: Tue, 3 May 2016 07:37:35 -0400
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com>
Message-ID: <06ce01d1a530$309269d0$91b73d70$@giesen.me>

See attached.

GTG

-----Original Message-----
From: Petr Spacek [mailto:pspacek at redhat.com]
Sent: May-03-16 7:33 AM
To: Gary T. Giesen ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 13:28, Gary T. Giesen wrote:
> 1. Confirmed, it was already set to ISMASTER=1
>
> 2. Logs:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa

The log seems to be truncated. Please attach it as a file to avoid truncation
and line wrapping problems.

Thanks

Petr^2 Spacek

>
>
> 3. # rpm -q ipa-server
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: May-03-16 7:08 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Okay, this is a problem. It should list your zone example.com because
> it has DNSSEC signing enabled.
>
> Make sure you are working on host.example.com (the host listed by the
> ldapsearch above).
>
> I would check two things:
> 1.
File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If > it does not, re-run ipa-dns-install with --dnssec-master option to fix that. > > 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and > make sure that it contains line "debug=True" and restart > ipa-dnskeysyncd when you are done with it. > > The log should be much longer after this change. > > I hope it will help to identify the root cause. > > What IPA version do you use? > $ rpm -q freeipa-server > > Petr^2 Spacek > > > >> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had >> no effect. The only log entries I see are: >> >> # journalctl -u ipa-dnskeysyncd >> >> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon... >> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : > INFO >> Signal 15 received: Shutting down! >> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon. >> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon... >> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: >> session memcached servers not running >> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : > INFO >> LDAP bind... >> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 >> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 >> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1 >> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2 >> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : > INFO >> Commencing sync process >> >> >> >> Can anyone advise on next steps? I've been banging my head against a >> wall for a couple days now and would really appreciate some help. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: ipa-dnskeysyncd.log Type: application/octet-stream Size: 14089 bytes Desc: not available URL: From pspacek at redhat.com Tue May 3 12:49:50 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 3 May 2016 14:49:50 +0200 Subject: [Freeipa-users] Unable to configure DNSSEC signing In-Reply-To: <06ce01d1a530$309269d0$91b73d70$@giesen.me> References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> Message-ID: Hmm, this is really weird. It should log message "Initial LDAP dump is done, sychronizing with ODS and BIND" which is apparently not there. Maybe LDAP server is doing something weird ... Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to ones in the attached file, please? It should start with log message like "connection from local to /var/run/slapd-*". This line will have identifier like "conn=84". We are looking for conn number (e.g. "conn=84") which is related to BIND DN "dn="krbprincipalname=ipa-dnskeysyncd/*". If you find the right conn number, look for other lines containing the same conn number and operation "SRCH base="cn=dns,*". This SRCH line will have specific identifier like "conn=84 op=3". Now you have identifier for particular operation. Look for RESULT line with the same ID. How does it look? Can you copy&paste complete all lines with identifier conn=??? you found? Thanks! Petr^2 Spacek On 3.5.2016 13:37, Gary T. Giesen wrote: > See attached. > > GTG > > -----Original Message----- > From: Petr Spacek [mailto:pspacek at redhat.com] > Sent: May-03-16 7:33 AM > To: Gary T. Giesen ; > freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing > > On 3.5.2016 13:28, Gary T. Giesen wrote: >> 1. Confirmed, it was already set to ISMASTER=1 >> >> 2. 
Logs: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1 >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa > > The log seems to be truncated. Please attach it as a file to avoid > truncation and line wrapping problems. > > Thanks > Petr^2 Spacek > >> >> >> 3. # rpm -q ipa-server >> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 >> >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek >> Sent: May-03-16 7:08 AM >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing >> >> Okay, this is a problem. It should list your zone example.com because >> it has DNSSEC signing enabled. >> >> Make sure you are working on host.example.com (the host listed by the >> ldapsearch above). 
>> >> I would check two things: >> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If >> it does not, re-run ipa-dns-install with --dnssec-master option to fix > that. >> >> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and >> make sure that it contains line "debug=True" and restart >> ipa-dnskeysyncd when you are done with it. >> >> The log should be much longer after this change. >> >> I hope it will help to identify the root cause. >> >> What IPA version do you use? >> $ rpm -q freeipa-server >> >> Petr^2 Spacek >> >> >> >>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had >>> no effect. The only log entries I see are: >>> >>> # journalctl -u ipa-dnskeysyncd >>> >>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon... >>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : >> INFO >>> Signal 15 received: Shutting down! >>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon. >>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon... >>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: >>> session memcached servers not running >>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : >> INFO >>> LDAP bind... >>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 >>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 >>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1 >>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2 >>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : >> INFO >>> Commencing sync process >>> >>> >>> >>> Can anyone advise on next steps? I've been banging my head against a >>> wall for a couple days now and would really appreciate some help. 
-- Petr^2 Spacek -------------- next part -------------- conn=84 fd=112 slot=112 connection from local to /var/run/slapd-DOM-033-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket conn=84 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI conn=84 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress conn=84 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI conn=84 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress conn=84 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI conn=84 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/vm-033.abc.idm.lab.eng.brq.redhat.com at dom-033.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=dom-033,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" conn=84 op=3 SRCH base="cn=dns,dc=dom-033,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL conn=84 op=3 RESULT err=441 tag=121 nentries=0 etime=0 From ggiesen+freeipa-users at giesen.me Tue May 3 13:29:08 2016 From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen) Date: Tue, 3 May 2016 09:29:08 -0400 Subject: [Freeipa-users] Unable to configure DNSSEC signing In-Reply-To: References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> Message-ID: <070801d1a53f$c64924a0$52db6de0$@giesen.me> All lines from the log file with conn=152. 
[03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=service s,cn=accounts,dc=example,dc=com" [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11Pu blicKey))" attrs=ALL [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0 -----Original Message----- From: Petr Spacek [mailto:pspacek at redhat.com] Sent: May-03-16 8:50 AM To: Gary T. Giesen ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing Hmm, this is really weird. It should log message "Initial LDAP dump is done, sychronizing with ODS and BIND" which is apparently not there. Maybe LDAP server is doing something weird ... Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to ones in the attached file, please? It should start with log message like "connection from local to /var/run/slapd-*". This line will have identifier like "conn=84". We are looking for conn number (e.g. "conn=84") which is related to BIND DN "dn="krbprincipalname=ipa-dnskeysyncd/*". If you find the right conn number, look for other lines containing the same conn number and operation "SRCH base="cn=dns,*". 
This SRCH line will have specific identifier like "conn=84 op=3". Now you have identifier for particular operation. Look for RESULT line with the same ID. How does it look? Can you copy&paste complete all lines with identifier conn=??? you found? Thanks! Petr^2 Spacek On 3.5.2016 13:37, Gary T. Giesen wrote: > See attached. > > GTG > > -----Original Message----- > From: Petr Spacek [mailto:pspacek at redhat.com] > Sent: May-03-16 7:33 AM > To: Gary T. Giesen ; > freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing > > On 3.5.2016 13:28, Gary T. Giesen wrote: >> 1. Confirmed, it was already set to ISMASTER=1 >> >> 2. Logs: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1 >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: >> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa > > The log seems to be truncated. 
Please attach it as a file to avoid > truncation and line wrapping problems. > > Thanks > Petr^2 Spacek > >> >> >> 3. # rpm -q ipa-server >> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 >> >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek >> Sent: May-03-16 7:08 AM >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing >> >> Okay, this is a problem. It should list your zone example.com because >> it has DNSSEC signing enabled. >> >> Make sure you are working on host.example.com (the host listed by the >> ldapsearch above). >> >> I would check two things: >> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If >> it does not, re-run ipa-dns-install with --dnssec-master option to >> fix > that. >> >> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and >> make sure that it contains line "debug=True" and restart >> ipa-dnskeysyncd when you are done with it. >> >> The log should be much longer after this change. >> >> I hope it will help to identify the root cause. >> >> What IPA version do you use? >> $ rpm -q freeipa-server >> >> Petr^2 Spacek >> >> >> >>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had >>> no effect. The only log entries I see are: >>> >>> # journalctl -u ipa-dnskeysyncd >>> >>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon... >>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : >> INFO >>> Signal 15 received: Shutting down! >>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon. >>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon... >>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: >>> session memcached servers not running >>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : >> INFO >>> LDAP bind... 
>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step >>> 1 May 02 20:35:53 host.example.com python2[15014]: GSSAPI client >>> step 1 May 02 20:35:54 host.example.com python2[15014]: GSSAPI >>> client step 1 May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2 >>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : >> INFO >>> Commencing sync process >>> >>> >>> >>> Can anyone advise on next steps? I've been banging my head against a >>> wall for a couple days now and would really appreciate some help. -- Petr^2 Spacek From pspacek at redhat.com Tue May 3 13:59:24 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 3 May 2016 15:59:24 +0200 Subject: [Freeipa-users] Unable to configure DNSSEC signing In-Reply-To: <070801d1a53f$c64924a0$52db6de0$@giesen.me> References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> <070801d1a53f$c64924a0$52db6de0$@giesen.me> Message-ID: <33dbd0d6-445c-1a59-48f4-338fbb1ca01a@redhat.com> On 3.5.2016 15:29, Gary T. Giesen wrote: > All lines from the log file with conn=152. 
> > [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to > /var/run/slapd-EXAMPLE-COM.socket > [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 > mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 > etime=0, SASL bind in progress > [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 > mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 > etime=0, SASL bind in progress > [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 > mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 > etime=0 > dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=service > s,cn=accounts,dc=example,dc=com" > [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH > base="cn=dns,dc=example,dc=com" scope=2 > filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11Pu > blicKey))" attrs=ALL > [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 > etime=0 This seems to be okay, I will think about it a bit more and return back to you when I find something. Petr^2 Spacek > > -----Original Message----- > From: Petr Spacek [mailto:pspacek at redhat.com] > Sent: May-03-16 8:50 AM > To: Gary T. Giesen ; > freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing > > Hmm, this is really weird. > > It should log message "Initial LDAP dump is done, sychronizing with ODS and > BIND" which is apparently not there. Maybe LDAP server is doing something > weird ... > > Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to > ones in the attached file, please? > > It should start with log message like > "connection from local to /var/run/slapd-*". > This line will have identifier like "conn=84". We are looking for conn > number (e.g. 
"conn=84") which is related to BIND DN > "dn="krbprincipalname=ipa-dnskeysyncd/*". > > If you find the right conn number, look for other lines containing the same > conn number and operation "SRCH base="cn=dns,*". This SRCH line will have > specific identifier like "conn=84 op=3". > > Now you have identifier for particular operation. Look for RESULT line with > the same ID. > > How does it look? > > Can you copy&paste complete all lines with identifier conn=??? you found? > > Thanks! > Petr^2 Spacek > > On 3.5.2016 13:37, Gary T. Giesen wrote: >> See attached. >> >> GTG >> >> -----Original Message----- >> From: Petr Spacek [mailto:pspacek at redhat.com] >> Sent: May-03-16 7:33 AM >> To: Gary T. Giesen ; >> freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing >> >> On 3.5.2016 13:28, Gary T. Giesen wrote: >>> 1. Confirmed, it was already set to ISMASTER=1 >>> >>> 2. Logs: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: > None >>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of > entry: >>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: > {'203dbe2d-8d9c-1 >>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of > entry: >>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of > entry: >>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of > entry: >>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of > entry: >>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of > entry: >>> May 03 07:21:07 
host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of > entry: >>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: >>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: > host.exa >> >> The log seems to be truncated. Please attach it as a file to avoid >> truncation and line wrapping problems. >> >> Thanks >> Petr^2 Spacek >> >>> >>> >>> 3. # rpm -q ipa-server >>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>> >>> -----Original Message----- >>> From: freeipa-users-bounces at redhat.com >>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek >>> Sent: May-03-16 7:08 AM >>> To: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing >>> >>> Okay, this is a problem. It should list your zone example.com because >>> it has DNSSEC signing enabled. >>> >>> Make sure you are working on host.example.com (the host listed by the >>> ldapsearch above). >>> >>> I would check two things: >>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If >>> it does not, re-run ipa-dns-install with --dnssec-master option to >>> fix >> that. >>> >>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and >>> make sure that it contains line "debug=True" and restart >>> ipa-dnskeysyncd when you are done with it. >>> >>> The log should be much longer after this change. >>> >>> I hope it will help to identify the root cause. >>> >>> What IPA version do you use? >>> $ rpm -q freeipa-server >>> >>> Petr^2 Spacek >>> >>> >>> >>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had >>>> no effect. The only log entries I see are: >>>> >>>> # journalctl -u ipa-dnskeysyncd >>>> >>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key > daemon... >>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : >>> INFO >>>> Signal 15 received: Shutting down! 
>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon. >>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key > daemon... >>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: >>>> session memcached servers not running >>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : >>> INFO >>>> LDAP bind... >>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step >>>> 1 May 02 20:35:53 host.example.com python2[15014]: GSSAPI client >>>> step 1 May 02 20:35:54 host.example.com python2[15014]: GSSAPI >>>> client step 1 May 02 20:35:54 host.example.com python2[15014]: GSSAPI > client step 2 >>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : >>> INFO >>>> Commencing sync process >>>> >>>> >>>> >>>> Can anyone advise on next steps? I've been banging my head against a >>>> wall for a couple days now and would really appreciate some help. > > > -- > Petr^2 Spacek > -- Petr^2 Spacek From zwolfinger at myemma.com Tue May 3 14:02:37 2016 From: zwolfinger at myemma.com (Zak Wolfinger) Date: Tue, 3 May 2016 09:02:37 -0500 Subject: [Freeipa-users] Password Encryption Method In-Reply-To: <5724C199.40108@redhat.com> References: <88C04EE0-A5BD-4322-8E95-9E196D48D919@myemma.com> <5724C199.40108@redhat.com> Message-ID: <7BF0719C-2AAA-476C-981A-AC1E0D426B1F@myemma.com> The old version of 389-ds-base is 1.2.11.15-48. The version we are migrating to is 1.3.4.0-29 > On Apr 30, 2016, at 9:30 AM, Rob Crittenden wrote: > > Zak Wolfinger wrote: >> Did the password encryption method change between V3.0 and newer >> versions? Where can I find out what method is being used? I'm running >> into hash issues when using GADS to sync to Google. > > I don't think so, I think SSHA is still the default. Knowing what versions of 389-ds-base you're asking about would probably be helpful. > > rob > >> >> Cheers, >> *Zak Wolfinger* >> >> Infrastructure Engineer | Emma 
>> zak.wolfinger at myemma.com >> 800.595.4401 or 615.292.5888 x197 >> 615.292.0777 (fax) >> * >> * >> Emma helps organizations everywhere communicate & market in style. >> Visit us online at www.myemma.com >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From ggiesen+freeipa-users at giesen.me Tue May 3 14:18:32 2016 From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen) Date: Tue, 3 May 2016 10:18:32 -0400 Subject: [Freeipa-users] Unable to configure DNSSEC signing In-Reply-To: <33dbd0d6-445c-1a59-48f4-338fbb1ca01a@redhat.com> References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> <070801d1a53f$c64924a0$52db6de0$@giesen.me> <33dbd0d6-445c-1a59-48f4-338fbb1ca01a@redhat.com> Message-ID: <071f01d1a546$acff20b0$06fd6210$@giesen.me> Thanks Petr. I'm on IRC as well if a more interactive troubleshooting session would be better. Cheers, GTG -----Original Message----- From: Petr Spacek [mailto:pspacek at redhat.com] Sent: May-03-16 9:59 AM To: Gary T. Giesen ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing On 3.5.2016 15:29, Gary T. Giesen wrote: > All lines from the log file with conn=152. 
> > [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> > [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> > [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> > [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> > [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com"
> > [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
> > [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0

This seems to be okay, I will think about it a bit more and get back to you when I find something.

Petr^2 Spacek

> -----Original Message-----
> From: Petr Spacek [mailto:pspacek at redhat.com]
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Hmm, this is really weird.
>
> It should log the message "Initial LDAP dump is done, sychronizing with ODS and BIND", which is apparently not there. Maybe the LDAP server is doing something weird ...
>
> Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to the ones in the attached file, please?
>
> It should start with a log message like "connection from local to /var/run/slapd-*". This line will have an identifier like "conn=84". We are looking for the conn number (e.g. "conn=84") which is related to the BIND DN "dn="krbprincipalname=ipa-dnskeysyncd/*".
>
> If you find the right conn number, look for other lines containing the same conn number and the operation "SRCH base="cn=dns,*". This SRCH line will have a specific identifier like "conn=84 op=3".
>
> Now you have the identifier for the particular operation. Look for the RESULT line with the same ID.
>
> How does it look?
>
> Can you copy&paste all lines with the identifier conn=??? you found?
>
> Thanks!
> Petr^2 Spacek
>
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -----Original Message-----
>> From: Petr Spacek [mailto:pspacek at redhat.com]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen ; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: May-03-16 7:08 AM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> Okay, this is a problem. It should list your zone example.com because it has DNSSEC signing enabled.
>>>
>>> Make sure you are working on host.example.com (the host listed by the ldapsearch above).
>>>
>>> I would check two things:
>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains the line "ISMASTER=1". If it does not, re-run ipa-dns-install with the --dnssec-master option to fix that.
>>>
>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make sure that it contains the line "debug=True", and restart ipa-dnskeysyncd when you are done with it.
>>>
>>> The log should be much longer after this change.
>>>
>>> I hope it will help to identify the root cause.
>>>
>>> What IPA version do you use?
>>> $ rpm -q freeipa-server
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>
>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no effect. The only log entries I see are:
>>>>
>>>> # journalctl -u ipa-dnskeysyncd
>>>>
>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
>>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>>>>
>>>>
>>>>
>>>> Can anyone advise on next steps? I've been banging my head against a wall for a couple of days now and would really appreciate some help.
>
>
> --
> Petr^2 Spacek
>

-- 
Petr^2 Spacek

From harri at afaics.de Tue May 3 18:10:02 2016
From: harri at afaics.de (Harald Dunkel)
Date: Tue, 3 May 2016 20:10:02 +0200
Subject: [Freeipa-users] cron reports "ORPHAN (no passwd entry)" for the @reboot jobs
In-Reply-To: <20160503082145.GB22308@10.4.128.1>
References: <20160502155906.GA32607@10.4.128.1> <4a4f0805-fbc5-9c2e-b8c9-226b704b3c27@aixigo.de> <20160503082145.GB22308@10.4.128.1>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Lukas,

On 05/03/16 10:21, Lukas Slebodnik wrote:
> But that's not a problem of sssd. It's a bug in the cron service file. If cron relies on user lookup then it should not be started before nss-user-lookup.target.
>
> Fedora has the correct service file for crond.
>
> sh$ systemctl cat crond.service
> # /usr/lib/systemd/system/crond.service
> [Unit]
> Description=Command Scheduler
> After=auditd.service nss-user-lookup.target systemd-user-sessions.service time-sync.target ypbind.service
>
> [Service]
> EnvironmentFile=/etc/sysconfig/crond
> ExecStart=/usr/sbin/crond -n $CRONDARGS
> ExecReload=/bin/kill -HUP $MAINPID
> KillMode=process
>
> [Install]
> WantedBy=multi-user.target
>
> Debian has a quite minimal version
> sh$ systemctl cat cron.service
> # /lib/systemd/system/cron.service
> [Unit]
> Description=Regular background program processing daemon
> Documentation=man:cron(8)
>
> [Service]
> EnvironmentFile=-/etc/default/cron
> ExecStart=/usr/sbin/cron -f $EXTRA_OPTS
> IgnoreSIGPIPE=false
> KillMode=process
>
> [Install]
> WantedBy=multi-user.target
>

Sorry, but that's not the case for the cron service installed on my systems. See the first post in this thread: this cron.service contains "Type=idle", i.e. cron is run after all the other services, including nss-user-lookup.target. See

https://bugs.debian.org/767016

IMHO sssd is the only instance that knows exactly *when* its user database is available. Before this state is reached it should not give up control to the nss-user-lookup.target. The output of "ps -ef" run by the cron job showed it does.
Regards
Harri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXKOl5AAoJEAqeKp5m04HLm/EH/3lCCnOQXW+i2vU0KENvjXJf
05KlPABO8ZOZzC10do7c/JwCpHXBFJjZwtfID9BRezdJ5KXWV2B5mT7Z/dpiPy+R
2/GKhoaHPpW+v8ZZdgFyS4hlRrq4B/6/XRs3FFJ8V8AAI257ZY6efQQAuYjWfBVG
Eya+BqxUcjCZfddYp7ZziKxzOs+kEnFiLwi3rKeeohUMWdLGBuETL8EwnTjqDbmV
Qq0jswmzVM7mDZuC0ZehUuHlu5WNeAkjnFzi2owkZ7H42SXoRxoz+RjXUkfxfIP+
X33Jw6BABIbn03FfHOApblirmbrh6+uxrtZQEEucRRdpO9RF92czEK6RQc2JTiU=
=4x+q
-----END PGP SIGNATURE-----

From phosakotenagesh at ebay.com Tue May 3 18:25:55 2016
From: phosakotenagesh at ebay.com (Hosakote Nagesh, Pawan)
Date: Tue, 3 May 2016 18:25:55 +0000
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <20160503084513.GC22308@10.4.128.1>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1>
Message-ID: 

Currently this is the error I'm stuck with. There isn't enough material online to proceed further. Failure starts with the bus error.

Logs during ipa-client-install:
====================================

Synchronizing time with KDC...
Password for service_ipa at EAZ.EBAYC3.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EAZ.EBAYC3.COM
    Issuer:      CN=Certificate Authority,O=EAZ.EBAYC3.COM
    Valid From:  Mon Dec 07 05:17:30 2015 UTC
    Valid Until: Fri Dec 07 05:17:30 2035 UTC

Enrolled in IPA realm EAZ.EBAYC3.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EAZ.EBAYC3.COM
dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
certmonger request for host certificate failed
2016-05-02 22:11:53,099 CRIT reaped unknown pid 241)
.
.
.
.
- Best,
Pawan

On 5/3/16, 1:45 AM, "Lukas Slebodnik" wrote:

>On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>>Thanks for your quick response. I am trying this on ubuntu.
>>
>>This is the bug I'm facing right now: https://lists.launchpad.net/freeipa/msg00236.html
>>They say it's fixed in the Trusty release of Ubuntu. But it doesn't work for me. There is also no other material
>>on how to fix this dbus error.
>>
>>root at jupyterhub:/# lsb_release -rd
>>Description: Ubuntu 14.04.4 LTS
>>Release: 14.04
>>root at jupyterhub:/#
>Do I understand it correctly that you want to build your own image based on ubuntu?
>
>If the answer is yes then I would recommend using ubuntu xenial (16.04).
>
>But the benefit of container technologies is that you can use an image based on a different distribution, and therefore it would be best if you could use https://hub.docker.com/r/fedora/sssd/ (which was already mentioned).
>
>LS

From alexandre at deverteuil.net Tue May 3 19:09:58 2016
From: alexandre at deverteuil.net (Alexandre de Verteuil)
Date: Tue, 3 May 2016 15:09:58 -0400
Subject: [Freeipa-users] Who uses FreeIPA?
Message-ID: <20160503190958.GA1640@deverteuil.net>

Hello all,

I've deployed FreeIPA in my home lab and I'm happy to have single sign-on for all my Archlinux virtual machines and Fedora laptops :)

It took me lots of research and conversations before hearing about FreeIPA for the first time while searching for a libre SSO solution. I think FreeIPA needs much more exposure. I am really impressed with it.

Tomorrow I am giving a short presentation at my workplace to talk about it and invite other sysadmins to try it. I would like to make a slide showing the current adoption of FreeIPA. I read that Red Hat uses it internally, but do they actually deploy it in their clients' infrastructures? Are there any big companies that use it? Even if I only have reports of schools and small businesses, that would be good enough to say it's production ready and has traction.
Whether you are reporting your own use or you know where I can find out more, it would be greatly appreciated! I have not found a "Who uses FreeIPA" page on the Internet.

Best regards,

-- 
Alexandre de Verteuil
public key ID : 0xDD237C00
http://alexandre.deverteuil.net/

From luiz.vianna at tivit.com.br Tue May 3 20:28:35 2016
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Tue, 3 May 2016 20:28:35 +0000
Subject: [Freeipa-users] RES: Who uses FreeIPA?
In-Reply-To: <20160503190958.GA1640@deverteuil.net>
References: <20160503190958.GA1640@deverteuil.net>
Message-ID: 

Hello Alexandre.

FreeIPA is the open source project, or as Red Hat calls it the upstream project, that fuels Red Hat IDM [1]. As to IDM, there are many large corporations that use it in production and mission critical environments. Due to non-disclosure agreements I cannot give you fine details about the customers I support that have Red Hat IDM deployed in their environments.

For instance, one of my customers, which is the largest Latin American credit and debit card operator (in terms of financial transaction volume), uses Red Hat IDM, which is based on the FreeIPA project [2], on pretty much 100% of its Linux and Unix production environments.

I suggest you reach out to your Red Hat commercial representative and ask for IDM success cases. I bet he would be glad to help you.

[1] https://access.redhat.com/products/identity-management
[2] https://www.redhat.com/archives/rh-community-de-berlin/2012-November/pdfOlwXB8dm7U.pdf

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On behalf of Alexandre de Verteuil
Sent: Tuesday, 3 May 2016 16:10
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Who uses FreeIPA?
Hello all,

I've deployed FreeIPA in my home lab and I'm happy to have single sign-on for all my Archlinux virtual machines and Fedora laptops :)

It took me lots of research and conversations before hearing about FreeIPA for the first time while searching for a libre SSO solution. I think FreeIPA needs much more exposure. I am really impressed with it.

Tomorrow I am giving a short presentation at my workplace to talk about it and invite other sysadmins to try it. I would like to make a slide showing the current adoption of FreeIPA. I read that Red Hat uses it internally, but do they actually deploy it in their clients' infrastructures? Are there any big companies that use it? Even if I only have reports of schools and small businesses, that would be good enough to say it's production ready and has traction.

Whether you are reporting your own use or you know where I can find out more, it would be greatly appreciated! I have not found a "Who uses FreeIPA" page on the Internet.

Best regards,

-- 
Alexandre de Verteuil
public key ID : 0xDD237C00
http://alexandre.deverteuil.net/

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From lslebodn at redhat.com Tue May 3 21:03:46 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 3 May 2016 23:03:46 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: 
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1>
Message-ID: <20160503210346.GA9681@10.4.128.1>

On (03/05/16 18:25), Hosakote Nagesh, Pawan wrote:
>Currently this is the error I'm stuck with. There isn't enough material online to proceed further. Failure starts with the bus error.
>
>Logs during ipa-client-install:
>====================================
>
>Synchronizing time with KDC...
>Password for service_ipa at EAZ.EBAYC3.COM:
>Successfully retrieved CA cert
>    Subject:     CN=Certificate Authority,O=EAZ.EBAYC3.COM
>    Issuer:      CN=Certificate Authority,O=EAZ.EBAYC3.COM
>    Valid From:  Mon Dec 07 05:17:30 2015 UTC
>    Valid Until: Fri Dec 07 05:17:30 2035 UTC
>
>
>Enrolled in IPA realm EAZ.EBAYC3.COM
>Created /etc/ipa/default.conf
>New SSSD config will be created
>Configured /etc/sssd/sssd.conf
>Configured /etc/krb5.conf for IPA realm EAZ.EBAYC3.COM
>dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero exit status 1
I think the error message is clear. There was a problem with starting the dbus service within a container.

>certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>certmonger request for host certificate failed
>2016-05-02 22:11:53,099 CRIT reaped unknown pid 241)
>.
>
>On 5/3/16, 1:45 AM, "Lukas Slebodnik" wrote:
>
>>On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>>>Thanks for your quick response. I am trying this on ubuntu.
>>>
>>>This is the bug I'm facing right now: https://lists.launchpad.net/freeipa/msg00236.html
>>>They say it's fixed in the Trusty release of Ubuntu. But it doesn't work for me. There is also no other material
>>>on how to fix this dbus error.
>>>
>>>root at jupyterhub:/# lsb_release -rd
>>>Description: Ubuntu 14.04.4 LTS
>>>Release: 14.04
>>>root at jupyterhub:/#
>>Do I understand it correctly that you want to build your own image based on ubuntu?
>>
>>If the answer is yes then I would recommend using ubuntu xenial (16.04).
>>
>>But the benefit of container technologies is that you can use an image based on a different distribution, and therefore it would be best if you could use https://hub.docker.com/r/fedora/sssd/ (which was already mentioned).
>>
May I know why you do not want to use the existing working container based on the image fedora/sssd? You would save some time troubleshooting things which were already solved.
If you want help then please provide more info. I assume you use docker and not lxd (based on the subject).

Please share details on how you built the image and how you run the container ...

LS

From anthony.wan.cheng at gmail.com Tue May 3 21:15:49 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Tue, 03 May 2016 21:15:49 +0000
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To: 
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com> <5724BC4A.3060400@redhat.com> <57275C0E.10003@redhat.com>
Message-ID: 

Small update: I found an article in the RH solution library (https://access.redhat.com/solutions/2020223) that has the same error code that I am getting, and I followed the steps with certutil to update the cert attributes, but it is still not working. The article is listed as "Solution in Progress".

[root at test ~]# getcert list | more
Number of certificates and requests being tracked: 7.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SAMPLE.NET
        subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

On Mon, May 2, 2016 at 5:35 PM Anthony Cheng wrote:

> On Mon, May 2, 2016 at 9:54 AM Rob Crittenden wrote:
>
>> Anthony Cheng wrote:
>>> On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
>>>
>>>> Anthony Cheng wrote:
>>>>> OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>>>>
>>>>> However, after using
>>>>>
>>>>> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>>>>>
>>>>> and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i ) and restarting IPA (/sbin/service ipa restart), I still see:
>>>>>
>>>>> [root at test ~]# ipa-getcert list | more
>>>>> Number of certificates and requests being tracked: 8.
>>>>> Request ID '20111214223243':
>>>>>         status: CA_UNREACHABLE
>>>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>>>
>>>> IPA proxies requests to the CA through Apache. This means that while tomcat started ok it didn't load the dogtag CA application, hence the Not Found.
>>>>
>>>> Check the CA debug and selftest logs to see why it failed to start properly.
>>>
>>> [ snip ]
>>>
>>> Actually after a reboot that error went away and I just get this error instead: "ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates)." from "getcert list"
>>>
>>> The result of service ipa restart is interesting since it shows today's time when I already changed the date/time and disabled NTP, so somehow the system still knows today's time.
>>>
>>> PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>
>> Hard to say. I'd confirm that there is no time syncing service running, ntp or otherwise.
>>
>
> I found out why the time kept changing; it was due to the fact that it has VM tools installed (I didn't configure this box), so it automatically syncs time during bootup.
>
> I did still see this error message:
>
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found))
>
> I tried the step from http://www.freeipa.org/page/Troubleshooting with
>
> certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
> openssl x509 -text -in /tmp/ra.crt
> certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
> service httpd restart
>
> so that I can get rid of one of the CA certs that is expired (kept the 1st one), but I am still getting the same error.
>
> What exactly is CMS and why is it not found?
>
>
> I did notice that the selftest log is empty with a different time:
>
> -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
>
> [root at test ~]# clock
> Wed 27 Jan 2016 03:33:00 PM UTC  -0.046800 seconds
>
> Here are some debug logs after reboot:
>
> [root at test pki-ca]# tail -n 100 catalina.out
> INFO: JK: ajp13 listening on /0.0.0.0:9447
> Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
> INFO: Jk running ID=0 time=1/23 config=null
> Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 1722 ms
> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
> INFO: Pausing Coyote HTTP/1.1 on http-9180
> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
> INFO: Pausing Coyote HTTP/1.1 on http-9443
> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
> INFO: Pausing Coyote HTTP/1.1 on http-9445
> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
> INFO: Pausing Coyote HTTP/1.1 on http-9444
> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
> INFO: Pausing Coyote HTTP/1.1 on http-9446
> Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
> INFO: Stopping service Catalina
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
> SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9180
> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9443
> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9445
> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9444
> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9446
> Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-9180
> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-9443
> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-9445
> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-9444
> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-9446
> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 2198 ms
> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory ROOT
> Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory ca
> 64-bit osutil library loaded
> 64-bit osutil library loaded
> Certificate object not found
> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9180
> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9443
> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9445
> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9444
> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-9446
> Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
> INFO: JK: ajp13 listening on /0.0.0.0:9447
> Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
> INFO: Jk running ID=0 time=0/40 config=null
> Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 2592 ms
>
> [root at test pki-ca]# tail -n 100 debug
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
> [27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
> [27/Jan/2016:15:30:43][main]:
CertificateAuthority init > > [27/Jan/2016:15:30:43][main]: Cert Repot inited > > [27/Jan/2016:15:30:43][main]: CRL Repot inited > > [27/Jan/2016:15:30:43][main]: Replica Repot inited > > [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname > caSigningCert cert-pki-ca > > [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name > > [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert > cert-pki-ca' with serial number: 1 > > [27/Jan/2016:15:30:43][main]: converted to x509CertImpl > > [27/Jan/2016:15:30:43][main]: Got private key from cert > > [27/Jan/2016:15:30:43][main]: Got public key from cert > > [27/Jan/2016:15:30:43][main]: got signing algorithm > RSASignatureWithSHA256Digest > > [27/Jan/2016:15:30:43][main]: CA signing unit inited > > [27/Jan/2016:15:30:43][main]: cachainNum= 0 > > [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS. > > [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname > ca.ocsp_signing.cert > > [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name > > [27/Jan/2016:15:30:43][main]: SigningUnit init: debug > org.mozilla.jss.crypto.ObjectNotFoundException > > [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException > > Certificate object not found > > at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) > > at > com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204) > > at > com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) > > at > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) > > at > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) > > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) > > at com.netscape.certsrv.apps.CMS.init(CMS.java:153) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) > > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) > > at > 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) > > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) > > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) > > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) > > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) > > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) > > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) > > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > > at > org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) > > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > > at > org.apache.catalina.core.StandardHost.start(StandardHost.java:722) > > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) > > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) > > at > org.apache.catalina.core.StandardService.start(StandardService.java:516) > > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:710) > > at org.apache.catalina.startup.Catalina.start(Catalina.java:593) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:616) > > at 
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > > [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown() > > > > > > >> > > Would really greatly appreciate any help on this. >> > > >> > > Also I noticed after I do ldapmodify of usercertificate binary >> > data with >> > > >> > > add: usercertificate;binary >> > > usercertificate;binary: !@#$@!#$#@$ >> > >> > You really pasted in binary? Or was this base64-encoded data? >> > >> > I wonder if there is a problem in the wiki. If this is really a >> binary >> > value you should start with a DER-encoded cert and load it using >> > something like: >> > >> > dn: uid=ipara,ou=people,o=ipaca >> > changetype: modify >> > add: usercertificate;binary >> > usercertificate;binary:< file:///path/to/cert.der >> > >> > You can use something like openssl x509 to switch between PEM and >> DER >> > formats. >> > >> > I have a vague memory that dogtag can deal with a multi-valued >> > usercertificate attribute. >> > >> > rob >> > >> > >> > Yes the wiki stated binary, the result of: >> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b >> > uid=ipara,ou=People,o=ipaca -W >> > >> > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ... >> > >> > But the actual data is from a PEM though. >> >> Ok. So I looked at my CA data and it doesn't use the binary subtype, so >> my entries look like: >> >> userCertificate:: MIID.... >> >> It might make a difference if dogtag is looking for the subtype or not. >> >> rob >> >> > >> > > >> > > Then I re-run >> > > >> > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W >> > -b uid=ipara,ou=People,o=ipaca >> > > >> > > I see 2 entries for usercertificate;binary (before modify there >> > was only >> > > 1) but they are duplicate and NOT from data that I added. That >> seems >> > > incorrect to me. 
>> > >
>> > > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
>> > >
>> > > klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiration).
>> > >
>> > > Also I had asked a while back about whether there is a dependency on DIRSRV to renew the cert; I didn't get any response but I suspect there is a dependency.
>> > >
>> > > Regarding the clock skew, I found this in /var/log/message, so it may be from named:
>> > >
>> > > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
>> > > Jan 28 14:10:42 test named[2911]: loading configuration: failure
>> > > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
>> > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>> > >
>> > > I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I need to get a Kerberos ticket before going any further. Also, is the access/modification time of the file /etc/krb5.keytab important? I had changed the time back to before the cert expiration date, rebooted and tried to renew, but the error message about clock skew is still there. That seems strange.
>> > >
>> > > Lastly, as an absolute last resort, can I regenerate a new cert myself?
>> > >
>> > > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>> > >
>> > > [root at test /]# klist
>> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> > > [root at test /]# service ipa start
>> > > Starting Directory Service
>> > > Starting dirsrv:
>> > >     PKI-IPA...                                    [  OK  ]
>> > >     sample-NET...                                 [  OK  ]
>> > > Starting KDC Service
>> > > Starting Kerberos 5 KDC:                          [  OK  ]
>> > > Starting KPASSWD Service
>> > > Starting Kerberos 5 Admin Server:                 [  OK  ]
>> > > Starting DNS Service
>> > > Starting named:                                   [FAILED]
>> > > Failed to start DNS Service
>> > > Shutting down
>> > > Stopping Kerberos 5 KDC:                          [  OK  ]
>> > > Stopping Kerberos 5 Admin Server:                 [  OK  ]
>> > > Stopping named:                                   [  OK  ]
>> > > Stopping httpd:                                   [  OK  ]
>> > > Stopping pki-ca:                                  [  OK  ]
>> > > Shutting down dirsrv:
>> > >     PKI-IPA...                                    [  OK  ]
>> > >     sample-NET...                                 [  OK  ]
>> > > Aborting ipactl
>> > > [root at test /]# klist
>> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>> > > [root at test /]# service ipa status
>> > > Directory Service: STOPPED
>> > > Failed to get list of services to probe status:
>> > > Directory Server is stopped
>> > >
>> > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote:
>> > >
>> > > On 27/04/16 21:54, Anthony Cheng wrote:
>> > > > Hi list,
>> > > >
>> > > > I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expiry, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
>> > > >
>> > > > With NTP disabled and the clock reset, why would it complain about clock skew, and how does it even know about the current time?
>> > > >
>> > > > [root at test certs]# getcert list
>> > > > Number of certificates and requests being tracked: 8.
>> > > > Request ID '20111214223243':
>> > > >         status: MONITORING
>> > > >         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >> > > > Certificate >> > > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >> > > > Certificate DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:46 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20111214223300': >> > > > status: MONITORING >> > > > ca-error: Error setting up ccache for local >> > "host" >> > > service using >> > > > default keytab: Clock skew too great. >> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> > > Certificate >> > > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> > > Certificate >> > > > DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:45 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20111214223316': >> > > > status: MONITORING >> > > > ca-error: Error setting up ccache for local >> > "host" >> > > service using >> > > > default keytab: Clock skew too great. 
>> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > > > Certificate DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:45 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130741': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >> ". >> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=CA Audit,O=sample.NET >> > > > expires: 2017-10-13 14:10:49 UTC >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "auditSigningCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130742': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >> ". 
>> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=OCSP Subsystem,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-OCSPSigning >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "ocspSigningCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130743': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >> ". 
>> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=CA Subsystem,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-serverAuth,id-kp-clientAuth >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "subsystemCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130744': >> > > > status: MONITORING >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >> ". 
>> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> > > Certificate >> > > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> > > Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=RA Subsystem,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-serverAuth,id-kp-clientAuth >> > > > pre-save command: >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ra_cert >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130745': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true >> ". >> > > > stuck: yes >> > > > key pair storage: >> > > > >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> > >> > > ,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-serverAuth,id-kp-clientAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes[root at test certs]# getcert >> list >> > > > Number of certificates and requests being tracked: 8. >> > > > Request ID '20111214223243': >> > > > status: MONITORING >> > > > ca-error: Error setting up ccache for local >> > "host" >> > > service using >> > > > default keytab: Clock skew too great. 
>> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >> > > > Certificate >> > > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >> > > > Certificate DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:46 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20111214223300': >> > > > status: MONITORING >> > > > ca-error: Error setting up ccache for local >> > "host" >> > > service using >> > > > default keytab: Clock skew too great. >> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> > > Certificate >> > > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> > > Certificate >> > > > DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:45 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20111214223316': >> > > > status: MONITORING >> > > > ca-error: Error setting up ccache for local >> > "host" >> > > service using >> > > > default keytab: Clock skew too great. 
>> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > > > Certificate DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:45 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130741': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >> ". >> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=CA Audit,O=sample.NET >> > > > expires: 2017-10-13 14:10:49 UTC >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "auditSigningCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130742': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >> ". 
>> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=OCSP Subsystem,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-OCSPSigning >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "ocspSigningCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130743': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >> ". 
>> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=CA Subsystem,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-serverAuth,id-kp-clientAuth >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "subsystemCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130744': >> > > > status: MONITORING >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >> ". 
>> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> > > Certificate >> > > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> > > Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=RA Subsystem,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-serverAuth,id-kp-clientAuth >> > > > pre-save command: >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ra_cert >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130745': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no response to >> > > > >> > > >> > " >> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true >> ". >> > > > stuck: yes >> > > > key pair storage: >> > > > >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> > >> > > ,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-serverAuth,id-kp-clientAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > -- >> > > > >> > > > Thanks, Anthony >> > > > >> > > > >> > > > >> > > >> > > Hello Anthony! 
>> > > >> > > After stopping NTP (or other time synchronizing service) >> > and setting >> > > time manually server really don't have a way to determine >> > that >> > > its time >> > > differs from the real one. >> > > >> > > I think this might be issue with Kerberos ticket. You can >> > show >> > > content >> > > of root's ticket cache using klist. If there is anything >> > clean >> > > it with >> > > kdestroy and try to resubmit the request again. >> > > >> > > -- >> > > David Kupka >> > > >> > > -- >> > > >> > > Thanks, Anthony >> > > >> > > -- >> > > >> > > Thanks, Anthony >> > > >> > > >> > > >> > >> > -- >> > >> > Thanks, Anthony >> > >> >> -- > > Thanks, Anthony > -- Thanks, Anthony -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Tue May 3 21:16:52 2016 From: simo at redhat.com (Simo Sorce) Date: Tue, 03 May 2016 17:16:52 -0400 Subject: [Freeipa-users] Who uses FreeIPA? In-Reply-To: <20160503190958.GA1640@deverteuil.net> References: <20160503190958.GA1640@deverteuil.net> Message-ID: <1462310212.3624.53.camel@redhat.com> Hello Alexandre, Red Hat does not strictly track Idm[1] usage across the customer base so we do not have complete stats, but we can say we have thousands of deployments, which range from 1 to more than 20 servers and from a few dozen to tens of thousands of clients attached to those servers, per deployment. Hope this helps, Simo. [1] Red Hat Identity Management is the product name use to distribute FreeIPA to RHEL customers. On Tue, 2016-05-03 at 15:09 -0400, Alexandre de Verteuil wrote: > Hello all, > > I've deployed FreeIPA in my home lab and I'm happy to have single > sign-on for all my Archlinux virtual machines and Fedora laptops :) > > It took me lots of research and conversations before hearing about > FreeIPA for the first time while searching for a libre SSO solution. I > think FreeIPA needs much more exposure. I am really impressed with it. 
> Tomorrow I am giving a short presentation at my workplace to talk about > it and invite other sysadmins to try it. > > I would like to make a slide showing the current adoption of FreeIPA. I > read that Red Hat uses it internally, but do they actually deploy it in > their client's infrastructures? Are there any big companies that use it? > Even if I only have reports of schools and small businesses would be > good enough to say it's production ready and it has traction. > > Whether you are reporting about your own use or you know where I can > find out more would be greatly appreciated! I have not found a "Who uses > FreeIPA" page on the Internet. > > Best regards, > -- > Alexandre de Verteuil > public key ID : 0xDD237C00 > http://alexandre.deverteuil.net/ > -- Simo Sorce * Red Hat, Inc * New York From lslebodn at redhat.com Tue May 3 21:31:02 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Tue, 3 May 2016 23:31:02 +0200 Subject: [Freeipa-users] Who uses FreeIPA? In-Reply-To: <20160503190958.GA1640@deverteuil.net> References: <20160503190958.GA1640@deverteuil.net> Message-ID: <20160503213102.GC9681@10.4.128.1> On (03/05/16 15:09), Alexandre de Verteuil wrote: >Hello all, > >I've deployed FreeIPA in my home lab and I'm happy to have single >sign-on for all my Archlinux virtual machines and Fedora laptops :) > >It took me lots of research and conversations before hearing about >FreeIPA for the first time while searching for a libre SSO solution. I >think FreeIPA needs much more exposure. I am really impressed with it. >Tomorrow I am giving a short presentation at my workplace to talk about >it and invite other sysadmins to try it. > >I would like to make a slide showing the current adoption of FreeIPA. I >read that Red Hat uses it internally, but do they actually deploy it in >their client's infrastructures? Are there any big companies that use it? 
>Even if I only have reports of schools and small businesses would be
>good enough to say it's production ready and it has traction.
>
>Whether you are reporting about your own use or you know where I can
>find out more would be greatly appreciated! I have not found a "Who uses
>FreeIPA" page on the Internet.
>
The GNOME Infrastructure is now powered by FreeIPA!
October 7, 2014

https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

LS

From phosakotenagesh at ebay.com Tue May 3 21:27:44 2016
From: phosakotenagesh at ebay.com (Hosakote Nagesh, Pawan)
Date: Tue, 3 May 2016 21:27:44 +0000
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <20160503210346.GA9681@10.4.128.1>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1>
Message-ID: <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com>

Our apps are running in a docker image based on Ubuntu 14.04 that cannot be changed to redhat. We want to install freeipa-client within this docker so that our app uses freeipa ldap as against default ldap.

The freeipa-client gets successfully installed in an Ubuntu 14.04 plain machine, that is why I am hoping making it run in an Ubuntu 14.04 docker should also be very much possible. As you can see the things get stuck in not starting the bus process properly (this problem is not seen in ubuntu on a plain machine). I cannot see many debug statements by enabling the --debug option in ipa-client-install. It's not clear why this process doesn't get started and what is missing in the container as against a plain machine which is making this install fail. I am on to this issue for 2 full days now.

I am pasting whatever debug statements I got during install, here:

Command
-----
ipa-client-install --domain= --server= hostname=jupyterhub.com --no-ntp --no-dns-sshfp

Log (After Error starts to happen)
-----
Attached

My main suspect is dbus service unable to start in this container where it launches on a plain machine.

- Best,
Pawan

On 5/3/16, 2:03 PM, "Lukas Slebodnik" wrote:

>On (03/05/16 18:25), Hosakote Nagesh, Pawan wrote:
>>Currently this is the error I'm stuck with. There isn't enough material online to proceed further. Failure starts with bus error..
>>
>>Logs during ipa-client-install..
>>====================================
>>
>>Synchronizing time with KDC...
>>Password for service_ipa at EAZ.EBAYC3.COM:
>>Successfully retrieved CA cert
>>    Subject:     CN=Certificate Authority,O=EAZ.EBAYC3.COM
>>    Issuer:      CN=Certificate Authority,O=EAZ.EBAYC3.COM
>>    Valid From:  Mon Dec 07 05:17:30 2015 UTC
>>    Valid Until: Fri Dec 07 05:17:30 2035 UTC
>>
>>
>>Enrolled in IPA realm EAZ.EBAYC3.COM
>>Created /etc/ipa/default.conf
>>New SSSD config will be created
>>Configured /etc/sssd/sssd.conf
>>Configured /etc/krb5.conf for IPA realm EAZ.EBAYC3.COM
>>dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero exit status 1
>I think the error message is clear.
>There was a problem with starting dbus service within a container.
>
>>certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>>certmonger request for host certificate failed
>>2016-05-02 22:11:53,099 CRIT reaped unknown pid 241)
>>.
>>
>>On 5/3/16, 1:45 AM, "Lukas Slebodnik" wrote:
>>
>>>On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>>>>Thanks for your quick response. I am trying this on ubuntu.
>>>>
>>>>This is the bug I'm facing right now: https://lists.launchpad.net/freeipa/msg00236.html
>>>>They say it's fixed in Trusty release of Ubuntu. But it doesn't work for me. There is no other material also
>>>>on how to fix this dbus error.
>>>>
>>>>root at jupyterhub:/# lsb_release -rd
>>>>Description:    Ubuntu 14.04.4 LTS
>>>>Release:        14.04
>>>>root at jupyterhub:/#
>>>Do I understand it correctly that you want to build your own image
>>>based on ubuntu?
>>>
>>>If answer is yes then I would recommend to use ubuntu xenial (16.04).
>>>
>>>But the benefit of container technologies is that you can use
>>>image based on different distribution and therefore it would be the
>>>best if you could use https://hub.docker.com/r/fedora/sssd/
>>>(which was already mentioned).
>>>
>May I know why you do not want to use existing working container
>based on image fedora/sssd.
>
>You would save some time with troubleshooting things which were already solved.
>
>If you want a help then please provide more info.
>I assume you use docker and not lxd (based on subject)
>Please share details how did you build an image and how do you
>run container ...
>
>LS

Attachment scrubbed: FreeIPA_CLient_Logs.rtf (text/rtf, 23933 bytes)

From barrykfl at gmail.com Wed May 4 04:00:29 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 4 May 2016 12:00:29 +0800
Subject: [Freeipa-users] Inplace upgrade
Message-ID:

Hi :

How to in place upgrade ipa-server-3.0.0-26.el6_4.4.x86_64 to ipa-server-3.0.0-37.el6.x86_64

This is a minor version upgrade, can I just type the update command?

Regards
Barry

From barrykfl at gmail.com Wed May 4 05:17:14 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 4 May 2016 13:17:14 +0800
Subject: [Freeipa-users] Inplace upgrade
In-Reply-To:
References:
Message-ID:

Can I specify a specific minor version?

On 4 May 2016 at 13:15, "Devin Acosta" wrote:

> Barry,
>
> Yes you should be able to just do a: "yum update ipa-server" and you
> should be good to go.
>
>
> --
> Devin Acosta, RHCE, LFCE
> Linux Certified Engineer
> e: devin at linuxguru.co
>
>
> On May 3, 2016 at 9:10:04 PM, barrykfl at gmail.com (barrykfl at gmail.com) wrote:
>
> Hi :
>
> How to in place upgrade ipa-server-3.0.0-26.el6_4.4.x86_64
>
> to ipa-server-3.0.0-37.el6.x86_64
>
> This is minor version upgrade , can it just type update command?
>
>
> Regards
>
> Barry
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From devin at pabstatencio.com Wed May 4 05:15:20 2016
From: devin at pabstatencio.com (Devin Acosta)
Date: Tue, 3 May 2016 22:15:20 -0700
Subject: [Freeipa-users] Inplace upgrade
In-Reply-To:
References:
Message-ID:

Barry,

Yes you should be able to just do a: "yum update ipa-server" and you should be good to go.

--
Devin Acosta, RHCE, LFCE
Linux Certified Engineer
e: devin at linuxguru.co

On May 3, 2016 at 9:10:04 PM, barrykfl at gmail.com (barrykfl at gmail.com) wrote:

Hi :

How to in place upgrade ipa-server-3.0.0-26.el6_4.4.x86_64 to ipa-server-3.0.0-37.el6.x86_64

This is minor version upgrade , can it just type update command?

Regards
Barry

From jhrozek at redhat.com Wed May 4 07:23:40 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 4 May 2016 09:23:40 +0200
Subject: [Freeipa-users] Who uses FreeIPA?
In-Reply-To: <20160503213102.GC9681@10.4.128.1>
References: <20160503190958.GA1640@deverteuil.net> <20160503213102.GC9681@10.4.128.1>
Message-ID: <20160504072340.GE3666@hendrix>

On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
> On (03/05/16 15:09), Alexandre de Verteuil wrote:
> >Hello all,
> >
> >I've deployed FreeIPA in my home lab and I'm happy to have single
> >sign-on for all my Archlinux virtual machines and Fedora laptops :)
> >
> >It took me lots of research and conversations before hearing about
> >FreeIPA for the first time while searching for a libre SSO solution. I
> >think FreeIPA needs much more exposure. I am really impressed with it.
> >Tomorrow I am giving a short presentation at my workplace to talk about
> >it and invite other sysadmins to try it.
> >
> >I would like to make a slide showing the current adoption of FreeIPA. I
> >read that Red Hat uses it internally, but do they actually deploy it in
> >their client's infrastructures? Are there any big companies that use it?
> >Even if I only have reports of schools and small businesses would be
> >good enough to say it's production ready and it has traction.
> >
> >Whether you are reporting about your own use or you know where I can
> >find out more would be greatly appreciated! I have not found a "Who uses
> >FreeIPA" page on the Internet.
> >
> The GNOME Infrastructure is now powered by FreeIPA!
> October 7, 2014
>
> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

Would it make sense to add 'success stories' like this to the freeipa.org home page? Of course, we can't use Red Hat IDM customers, but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu could be added there if they would agree..

From mbasti at redhat.com Wed May 4 07:37:13 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 4 May 2016 09:37:13 +0200
Subject: [Freeipa-users] Who uses FreeIPA?
In-Reply-To: <20160504072340.GE3666@hendrix>
References: <20160503190958.GA1640@deverteuil.net> <20160503213102.GC9681@10.4.128.1> <20160504072340.GE3666@hendrix>
Message-ID: <5729A6A9.8050300@redhat.com>

On 04.05.2016 09:23, Jakub Hrozek wrote:
> On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
>> On (03/05/16 15:09), Alexandre de Verteuil wrote:
>>> Hello all,
>>>
>>> I've deployed FreeIPA in my home lab and I'm happy to have single
>>> sign-on for all my Archlinux virtual machines and Fedora laptops :)
>>>
>>> It took me lots of research and conversations before hearing about
>>> FreeIPA for the first time while searching for a libre SSO solution. I
>>> think FreeIPA needs much more exposure. I am really impressed with it.
>>> Tomorrow I am giving a short presentation at my workplace to talk about
>>> it and invite other sysadmins to try it.
>>>
>>> I would like to make a slide showing the current adoption of FreeIPA. I
>>> read that Red Hat uses it internally, but do they actually deploy it in
>>> their client's infrastructures? Are there any big companies that use it?
>>> Even if I only have reports of schools and small businesses would be
>>> good enough to say it's production ready and it has traction.
>>>
>>> Whether you are reporting about your own use or you know where I can
>>> find out more would be greatly appreciated! I have not found a "Who uses
>>> FreeIPA" page on the Internet.
>>>
>> The GNOME Infrastructure is now powered by FreeIPA!
>> October 7, 2014
>>
>> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/
> Would it make sense to add 'success stories' like this to the
> freeipa.org home page? Of course, we can't use Red Hat IDM customers,
> but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu
> could be added there if they would agree..
> +1

From przemek.orzechowski at makolab.pl Wed May 4 07:51:04 2016
From: przemek.orzechowski at makolab.pl (Przemysław Orzechowski)
Date: Wed, 4 May 2016 09:51:04 +0200
Subject: [Freeipa-users] How do I create single sudo grpoup for both Centos and Ubuntu?
In-Reply-To: <572762B9.5070309@redhat.com>
References: <572738C5.1050903@makolab.pl> <572762B9.5070309@redhat.com>
Message-ID: <5729A9E8.2070705@makolab.pl>

Hi

The problem was unclear for me with ubuntu and although in theory everything should work, it did not (I checked a few things that came to mind like kerberos, sssd logs, pam and figured out some problem with pam/sssd integration), so I went with the simplest solution (reinstall freeipa-client on ubuntus).

I fixed the problem with sudo on ubuntu 14.4 and 16.4 with
ipa-client-install --uninstall
followed by
ipa-client-install --domain=myfqdndomain --principal=admin --mkhomedir
then checking /etc/sssd/sssd.conf if sudo is in the services line (it was prior to uninstall) and an appropriate mod to pam so mkhomedir actually works. For some reason after this ubuntus started working. I skipped ubuntu 12.4 for now.

Currently I'm trying to get su and su - to work, I mean restrict it to a few admin users from IPA and local root.
From other things I observed (not related to the sudo issue I hope) was that most of the ubuntu hosts did not register their A record on IPA whereas all Centos based hosts did (just added missing records for ubuntus manually so it's not an issue).

Next step after I get su right will be to search for a way to get virt-manager to work over ssh X forwarding for IPA users; it works for local accounts only right now.

Regards
Przemysław Orzechowski

On 02.05.2016 at 16:22, Rob Crittenden wrote:
> Przemysław Orzechowski wrote:
>> Hi
>>
>> Im trying to create a single usergroup for sudo enabled users for both
>> Centos and Ubuntu users
>> The problem is on centos its group wheel (10), and on ubuntu its sudo
>> (27) how do i have tried to do it using ID view but somehow im not
>> getting it right
>>
>> btw
>> Centos clients versions 6.x, 7.x
>> Ubuntu clients versions 12.04,14.04,16.04
>> Ipa server is on Centos 7 IPA VERSION: 4.2.0, API_VERSION: 2.156
>>
>> Regards
>> Przemysław Orzechowski
>>
>
> But aren't these groups used only if you use files for sudo (and even
> that is just a default)? If you are using IPA to provide the sudo
> rules then the group you choose shouldn't matter.
>
> rob
>

From lslebodn at redhat.com Wed May 4 08:23:50 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 4 May 2016 10:23:50 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com>
Message-ID: <20160504082350.GA21729@10.4.128.1>

On (03/05/16 21:27), Hosakote Nagesh, Pawan wrote:
>Our apps are running in a docker image based on Ubuntu 14.04 that cannot be changed to redhat. We want to install freeipa-client within this docker so that our app
>Uses freeipa ldap as against default ldap.
>
and that's the reason why you needn't care about the base image in the container world.
The sssd container can be based on fedora and the other application can be based on ubuntu. And they will share common directories with unix pipes which are used for communication with sssd.

In other words, you just need to install the packages libnss-sss and libpam-sss (if you need authentication as well) in the client/application container + bind mount the directories /var/lib/sss/pipes/ and /var/lib/sss/mc/.

LS

From barrykfl at gmail.com Wed May 4 09:43:53 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 4 May 2016 17:43:53 +0800
Subject: [Freeipa-users] Fail to Start up the server
Message-ID:

Hi:

Before, the server could start up if I disabled nasslsecuiry in dse.ldif. But now, after I updated the minor version from -3.0.0-26 to ipa-server-3.0.0-47.el6.centos.2.x86_64, it does not allow me to start. Any idea? I think it is not related to an ssl cert issue.

[04/May/2016:17:32:52 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[04/May/2016:17:32:52 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[04/May/2016:17:32:52 +0800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[04/May/2016:17:32:52 +0800] - libdb: file ipaca/id2entry.db4 has LSN 14/8738497, past end of log at 14/8626491
[04/May/2016:17:32:53 +0800] - libdb: Commonly caused by moving a database from one database environment
[04/May/2016:17:32:53 +0800] - libdb: to another without clearing the database LSNs, or by removing all of
[04/May/2016:17:32:53 +0800] - libdb: the log files from a database environment
[04/May/2016:17:32:53 +0800] - libdb: /var/lib/dirsrv/slapd-PKI-IPA/db/ipaca/id2entry.db4: unexpected file type or format
[04/May/2016:17:32:53 +0800] - dbp->open("ipaca/id2entry.db4") failed: Invalid argument (22)
[04/May/2016:17:32:53 +0800] - dblayer_instance_start fail: Invalid argument (22)
[04/May/2016:17:32:53 +0800] - start: Failed to start databases, err=22 Invalid argument
[04/May/2016:17:32:53 +0800] - Failed to start database plugin ldbm database
[04/May/2016:17:32:53 +0800] - WARNING: ldbm instance userRoot already exists
[04/May/2016:17:32:53 +0800] - ldbm_config_read_instance_entries: failed to add instance entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
[04/May/2016:17:32:53 +0800] - ldbm_config_load_dse_info: failed to read instance entries
[04/May/2016:17:32:53 +0800] - start: Loading database configuration failed
[04/May/2016:17:32:53 +0800] - Failed to start database plugin ldbm database
[04/May/2016:17:32:53 +0800] - Error: Failed to resolve plugin dependencies
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin 7-bit check is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Account Usability Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: accesscontrol plugin ACL Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin ACL preoperation is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin attribute uniqueness is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Auto Membership Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: object plugin Class of Service is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin deref is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin HTTP Client is not started
[04/May/2016:17:32:53 +0800] - Error: database plugin ldbm database is not started
[04/May/2016:17:32:53 +0800] - Error: object plugin Legacy Replication Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Linked Attributes is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Managed Entries is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Multimaster Replication Plugin is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Roles Plugin is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Views is not started

From lslebodn at redhat.com Wed May 4 11:24:55 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 4 May 2016 13:24:55 +0200
Subject: [Freeipa-users] Inplace upgrade
In-Reply-To:
References:
Message-ID: <20160504112455.GA22424@10.4.128.1>

On (04/05/16 13:17), barrykfl at gmail.com wrote:
>Can I specify a specific minor version?
Yes you can

yum update ipa-server-3.0.0-37.el6.x86_64

However, it can fail if this version is not available in repositories.

BTW the latest version in el6 is 3.0.0-47.el6

LS

From barrykfl at gmail.com Wed May 4 11:31:14 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 4 May 2016 19:31:14 +0800
Subject: [Freeipa-users] Inplace upgrade
In-Reply-To: <20160504112455.GA22424@10.4.128.1>
References: <20160504112455.GA22424@10.4.128.1>
Message-ID:

Do you mean it fails to start if I update the minor version only?

On 4 May 2016 at 19:25, "Lukas Slebodnik" wrote:

> On (04/05/16 13:17), barrykfl at gmail.com wrote:
> >Can I specify a specific minor version?
> Yes you can
>
> yum update ipa-server-3.0.0-37.el6.x86_64
>
> However, it can fail if this version is not available in repositories.
>
> BTW the latest version in el6 is 3.0.0-47.el6
>
> LS
>

From barrykfl at gmail.com Wed May 4 12:45:19 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 4 May 2016 20:45:19 +0800
Subject: [Freeipa-users] Lost master 1 with CA service
In-Reply-To:
References:
Message-ID:

Hi all:

I have master 1 with CA and server 2 replicating. Now master 1 has failed and all is lost. Can I skip it and just make server 3 a replicated slave, or must I recover master 1?

Regards

From peter at int19h.net Tue May 3 23:42:12 2016
From: peter at int19h.net (Peter Bisroev)
Date: Tue, 3 May 2016 19:42:12 -0400
Subject: [Freeipa-users] OTP token policies.
Message-ID:

Dear Developers,

Firstly, thank you for a fantastic product. I have a few questions relating to OTP that I could not find the answers to in the Red Hat IdM manual, http://www.freeipa.org/page/V4/OTP document, and on both user and devel mailing lists. Hopefully I have not missed anything obvious :)

With FreeIPA version 4.2, is it possible to enforce policies on what administrators and/or users can do with OTP tokens? For example:

1) Is there a way to enforce how many tokens can be active for a user at the same time?

2) Is it possible to force the number of digits to be eight and a specific algorithm to be used?

3) Is it possible to force the user to create a new OTP token after the first password change? If there is such support, it can be used to overcome the soft OTP token enrollment bootstrap issue.
For example, currently, if the administrator creates a new user and enables "Two factor authentication (password + OTP)" but does not assign an OTP token, the user is able to login, change the password and continue using the new password without enabling 2FA indefinitely. However, once the OTP token is created, either by the administrator or the user, the system forces the token's use from this point on. Maybe in the future, FreeIPA can force the user to enable OTP at first login into the FreeIPA console? But I guess then, the system must somehow stop the users from logging in to any other service besides the FreeIPA web console, until the OTP token is generated.

A few more questions:

Would it be possible to describe a use case when having multiple OTP tokens enabled at the same time is a requirement?

How does TOTP token synchronization work? Can it be disabled?

Thank you for your time and help!

Regards,
--peter

From rcritten at redhat.com Wed May 4 13:07:08 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 4 May 2016 09:07:08 -0400
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To:
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com> <5724BC4A.3060400@redhat.com> <57275C0E.10003@redhat.com>
Message-ID: <5729F3FC.1000306@redhat.com>

Anthony Cheng wrote:
> Small update, I found an article on the RH solution library
> (https://access.redhat.com/solutions/2020223) that has the same error
> code that I am getting and I followed the steps with certutil to update
> the cert attributes but it is still not working. The article is listed
> as "Solution in Progress".
>
> [root at test ~]# getcert list | more
>
> Number of certificates and requests being tracked: 7.
> Request ID '20111214223243':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).

Not Found means the CA didn't start. You need to examine the debug and selftest logs to determine why.

rob

>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=SAMPLE.NET
>         subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
>         expires: 2016-01-29 14:09:46 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng wrote:
>> On Mon, May 2, 2016 at 9:54 AM Rob Crittenden wrote:
>>> Anthony Cheng wrote:
>>>> On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
>>>>> Anthony Cheng wrote:
>>>>>> OK so I made progress on my cert renew issue; I was able to get kinit
>>>>>> working so I can follow the rest of the steps here
>>>>>> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>>>>>
>>>>>> However, after using
>>>>>>
>>>>>> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>>>>>>
>>>>>> and restarting apache (/sbin/service httpd restart), resubmitting 3
>>>>>> certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
>>>>>> (/sbin/service ipa restart), I still see:
>>>>>>
>>>>>> [root at test ~]# ipa-getcert list | more
>>>>>> Number of certificates and requests being tracked: 8.
>>>>>> Request ID '20111214223243':
>>>>>>         status: CA_UNREACHABLE
>>>>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.
>>>>>> Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>>>>
>>>>> IPA proxies requests to the CA through Apache. This means that while
>>>>> tomcat started ok it didn't load the dogtag CA application, hence the
>>>>> Not Found.
>>>>>
>>>>> Check the CA debug and selftest logs to see why it failed to start
>>>>> properly.
>>>>>
>>>>> [ snip ]
>>>>
>>>> Actually after a reboot that error went away and I just get this error
>>>> instead "ca-error: Server failed request, will retry: -504 (libcurl
>>>> failed to execute the HTTP POST transaction. Peer certificate cannot be
>>>> authenticated with known CA certificates)." from "getcert list"
>>>>
>>>> Result of service ipa restart is interesting since it shows today's time
>>>> when I already changed date/time/disabled NTP so somehow the system still
>>>> knows today's time.
>>>>
>>>> PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
>>>> Runtime error -8181 - Peer's Certificate has expired.)
>>>
>>> Hard to say. I'd confirm that there is no time syncing service running,
>>> ntp or otherwise.
>>
>> I found out why the time kept changing; it was due to the fact that
>> it has VM tools installed (I didn't configure this box) so it
>> automatically syncs time during bootup.
>>
>> I did still see this error message:
>>
>> ca-error: Server failed request, will retry: 4301 (RPC failed at server.
>> Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found))
>>
>> I tried the step http://www.freeipa.org/page/Troubleshooting with
>>
>> certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>> openssl x509 -text -in /tmp/ra.crt
>> certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>> service httpd restart
>>
>> So that I can get rid of one of the CA certs that is expired (kept
>> the 1st one) but still getting the same error
>>
>> What exactly is CMS and why is it not found?
>>
>> I did notice that the selftest log is empty with a different time:
>>
>> -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
>>
>> [root at test ~]# clock
>> Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds
>>
>> Here are some debug log after reboot:
>>
>> [root at test pki-ca]# tail -n 100 catalina.out
>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>> Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>> INFO: Jk running ID=0 time=1/23 config=null
>> Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>> INFO: Server startup in 1722 ms
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9180
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9443
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9445
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9444
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9446
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>> INFO: Stopping service Catalina
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named
>> [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
> > Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy > > INFO: Stopping Coyote HTTP/1.1 on http-9180 > > Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy > > INFO: Stopping Coyote HTTP/1.1 on http-9443 > > Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy > > INFO: Stopping Coyote HTTP/1.1 on http-9445 > > Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy > > INFO: Stopping Coyote HTTP/1.1 on http-9444 > > Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy > > INFO: Stopping Coyote HTTP/1.1 on http-9446 > > Jan 27, 2016 2:57:36 PM > org.apache.catalina.core.AprLifecycleListener init > > INFO: The APR based Apache Tomcat Native library which allows > optimal performance in production environments was not found on the > java.library.path: > /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib > > Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init > > INFO: Initializing Coyote HTTP/1.1 on http-9180 > > Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has > been installed. > > Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has > been installed. > > Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init > > INFO: Initializing Coyote HTTP/1.1 on http-9443 > > Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has > been installed. > > Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has > been installed. 
> > Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init > > INFO: Initializing Coyote HTTP/1.1 on http-9445 > > Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has > been installed. > > Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has > been installed. > > Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init > > INFO: Initializing Coyote HTTP/1.1 on http-9444 > > Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has > been installed. > > Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has > been installed. > > Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init > > INFO: Initializing Coyote HTTP/1.1 on http-9446 > > Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load > > INFO: Initialization processed in 2198 ms > > Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start > > INFO: Starting service Catalina > > Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start > > INFO: Starting Servlet Engine: Apache Tomcat/6.0.24 > > Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig > deployDirectory > > INFO: Deploying web application directory ROOT > > Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig > deployDirectory > > INFO: Deploying web application directory ca > > 64-bit osutil library loaded > > 64-bit osutil library loaded > > Certificate object not found > > Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start > > INFO: Starting Coyote HTTP/1.1 on http-9180 > > Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start > > INFO: Starting Coyote HTTP/1.1 on http-9443 > > Jan 27, 2016 2:57:40 PM 
org.apache.coyote.http11.Http11Protocol start > > INFO: Starting Coyote HTTP/1.1 on http-9445 > > Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start > > INFO: Starting Coyote HTTP/1.1 on http-9444 > > Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start > > INFO: Starting Coyote HTTP/1.1 on http-9446 > > Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init > > INFO: JK: ajp13 listening on /0.0.0.0:9447 > > Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start > > INFO: Jk running ID=0 time=0/40config=null > > Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start > > INFO: Server startup in 2592 ms > > [root at test pki-ca]# tail -n 100 debug > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > subjectAltNameExtDefaultImpl Subject Alternative Name Extension > Default Subject Alternative Name Extension Default > com.netscape.cms.profile.def.SubjectAltNameExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > userValidityDefaultImpl User Supplied Validity Default User Supplied > Validity Default com.netscape.cms.profile.def.UserValidityDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > userSubjectNameDefaultImpl User Supplied Subject Name Default User > Supplied Subject Name Default > com.netscape.cms.profile.def.UserSubjectNameDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > subjectDirAttributesExtDefaultImpl Subject Directory Attributes > Extension Default Subject Directory Attributes Extension Default > com.netscape.cms.profile.def.SubjectDirAttributesExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > certificateVersionDefaultImpl Certificate Version Default > Certificate Version Default > com.netscape.cms.profile.def.CertificateVersionDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default > Extended Key Usage Extension Default 
> com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > policyConstraintsExtDefaultImpl Policy Constraints Extension Default > Policy Constraints Extension Default > com.netscape.cms.profile.def.PolicyConstraintsExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > crlDistributionPointsExtDefaultImpl CRL Distribution Points > Extension Default CRL Distribution Points Extension Default > com.netscape.cms.profile.def.CRLDistributionPointsExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > certificatePoliciesExtDefaultImpl Certificate Policies Extension > Default Certificate Policies Extension Default > com.netscape.cms.profile.def.CertificatePoliciesExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > validityDefaultImpl Validity Default Validty Default > com.netscape.cms.profile.def.ValidityDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > privateKeyPeriodExtDefaultImpl Private Key Period Ext Default > Private Key Period Ext Default > com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > noDefaultImpl No Default No Default > com.netscape.cms.profile.def.NoDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > imageDefaultImpl Image Default Image Default > com.netscape.cms.profile.def.ImageDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > subjectInfoAccessExtDefaultImpl Subject Info Access Extension > Default Subject Info Access Extension Default > com.netscape.cms.profile.def.SubjectInfoAccessExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > autoAssignDefaultImpl Auto Request Assignment Default Auto Request > Assignment Default com.netscape.cms.profile.def.AutoAssignDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > policyMappingsExtDefaultImpl Policy Mappings Extension 
Default > Policy Mappings Extension Default > com.netscape.cms.profile.def.PolicyMappingsExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > caValidityDefaultImpl CA Certificate Validity Default CA Certificate > Validty Default com.netscape.cms.profile.def.CAValidityDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > userExtensionDefaultImpl User Supplied Extension Default User > Supplied Extension Default > com.netscape.cms.profile.def.UserExtensionDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default > Netscape Certificate Type Extension Default > com.netscape.cms.profile.def.NSCertTypeExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default > Token Supplied Subject Name Default > com.netscape.cms.profile.def.AuthTokenSubjectNameDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > subjectNameDefaultImpl Subject Name Default Subject Name Default > com.netscape.cms.profile.def.SubjectNameDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > userSigningAlgDefaultImpl User Supplied Signing Alg Default User > Supplied Signing Alg Default > com.netscape.cms.profile.def.UserSigningAlgDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default > Subject Key Identifier Default > com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default > Inhibit Any-Policy Extension Default > com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > nsTokenDeviceKeySubjectNameDefaultImpl > nsTokenDeviceKeySubjectNameDefault > nsTokenDeviceKeySubjectNameDefaultImpl > 
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape > Comment Extension Default > com.netscape.cms.profile.def.NSCCommentExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm > Default com.netscape.cms.profile.def.SigningAlgDefault > > [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy > nameConstraintsExtDefaultImpl Name Constraints Extension Default > Name Constraints Extension Default > com.netscape.cms.profile.def.NameConstraintsExtDefault > > [27/Jan/2016:15:30:43][main]: added plugin profileUpdater > subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for > Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater > > [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry > > [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry > > [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap > > [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap > > [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap > > [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap > > [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name > > [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name > > [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name > > [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name > > [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request > > [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request > > [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request > > [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request > > [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca > > [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca > > [27/Jan/2016:15:30:43][main]: 
CertificateAuthority init > > [27/Jan/2016:15:30:43][main]: Cert Repot inited > > [27/Jan/2016:15:30:43][main]: CRL Repot inited > > [27/Jan/2016:15:30:43][main]: Replica Repot inited > > [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname > caSigningCert cert-pki-ca > > [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token > by name > > [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert > cert-pki-ca' with serial number: 1 > > [27/Jan/2016:15:30:43][main]: converted to x509CertImpl > > [27/Jan/2016:15:30:43][main]: Got private key from cert > > [27/Jan/2016:15:30:43][main]: Got public key from cert > > [27/Jan/2016:15:30:43][main]: got signing algorithm > RSASignatureWithSHA256Digest > > [27/Jan/2016:15:30:43][main]: CA signing unit inited > > [27/Jan/2016:15:30:43][main]: cachainNum= 0 > > [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS. > > [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname > ca.ocsp_signing.cert > > [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token > by name > > [27/Jan/2016:15:30:43][main]: SigningUnit init: debug > org.mozilla.jss.crypto.ObjectNotFoundException > > [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException > > Certificate object not found > > at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) > > at > com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204) > > at > com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) > > at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) > > at > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) > > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) > > at com.netscape.certsrv.apps.CMS.init(CMS.java:153) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) > > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) > > at > 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) > > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) > > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) > > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) > > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) > > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) > > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > > at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) > > at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > > at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) > > at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) > > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) > > at > org.apache.catalina.core.StandardService.start(StandardService.java:516) > > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:710) > > at org.apache.catalina.startup.Catalina.start(Catalina.java:593) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:616) > > at 
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> > [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
> > > > > > > > > > Would really greatly appreciate any help on this.
> > > > > > Also I noticed after I do ldapmodify of usercertificate binary data with
> > > > > > add: usercertificate;binary
> > > usercertificate;binary: !@#$@!#$#@$
> > > > You really pasted in binary? Or was this base64-encoded data?
> > > > I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using something like:
> > > > dn: uid=ipara,ou=people,o=ipaca
> > changetype: modify
> > add: usercertificate;binary
> > usercertificate;binary:< file:///path/to/cert.der
> > > > You can use something like openssl x509 to switch between PEM and DER formats.
> > > > I have a vague memory that dogtag can deal with a multi-valued usercertificate attribute.
> > > > rob
> > > > > > Yes the wiki stated binary, the result of:
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W
> > > > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
> > > > But the actual data is from a PEM though.
> > Ok. So I looked at my CA data and it doesn't use the binary subtype, so my entries look like:
> > userCertificate:: MIID....
> > It might make a difference if dogtag is looking for the subtype or not.
> > rob
> > > > > > > > > > Then I re-run
> > > > > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
> > > > > > I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicate and NOT from data that I added. That seems incorrect to me.
> > > > > > > > > > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
> > > > > > klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry).
> > > > > > Also I had asked a while back about whether there is dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.
> > > > > > Regarding the clock skew, I found out from /var/log/message that shows me this so it may be from named:
> > > > > > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
> > > Jan 28 14:10:42 test named[2911]: loading configuration: failure
> > > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
> > > > > > I don't have a krb5cc_496 file (since klist is empty), so sounds to me I need to get a Kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed time back to before the cert expiration date and reboot and try renew but the error message about clock skew is still there. That seems strange.
> > > > > > Lastly, as an absolute last resort, can I regenerate a new cert myself?
> > > > > > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
> > > > > > [root at test /]# klist
> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > > [root at test /]# service ipa start
> > > Starting Directory Service
> > > Starting dirsrv:
> > > PKI-IPA... [ OK ]
> > > sample-NET... [ OK ]
> > > Starting KDC Service
> > > Starting Kerberos 5 KDC: [ OK ]
> > > Starting KPASSWD Service
> > > Starting Kerberos 5 Admin Server: [ OK ]
> > > Starting DNS Service
> > > Starting named: [FAILED]
> > > Failed to start DNS Service
> > > Shutting down
> > > Stopping Kerberos 5 KDC: [ OK ]
> > > Stopping Kerberos 5 Admin Server: [ OK ]
> > > Stopping named: [ OK ]
> > > Stopping httpd: [ OK ]
> > > Stopping pki-ca: [ OK ]
> > > Shutting down dirsrv:
> > > PKI-IPA... [ OK ]
> > > sample-NET... [ OK ]
> > > Aborting ipactl
> > > [root at test /]# klist
> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> > > [root at test /]# service ipa status
> > > Directory Service: STOPPED
> > > Failed to get list of services to probe status:
> > > Directory Server is stopped
> > > > > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote:
> > > > > > On 27/04/16 21:54, Anthony Cheng wrote:
> > > > Hi list,
> > > > > > > > I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before it expires, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
> > > > > > > > With NTP disabled and clock reset why would it complain about clock skew and how does it even know about the current time?
> > > > > > > > [root at test certs]# getcert list
> > > > Number of certificates and requests being tracked: 8.
> > > > Request ID '20111214223243':
> > > > status: MONITORING
> > > > ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> > > > stuck: no > > > > key pair storage: > > > > > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > > > Certificate > > > > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > > > > certificate: > > > > > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > > > Certificate DB' > > > > CA: IPA > > > > issuer: CN=Certificate > Authority,O=sample.NET > > > > subject: CN=test.sample.net > > > > > > ,O=sample.NET > > > > expires: 2016-01-29 14:09:46 UTC > > > > eku: id-kp-serverAuth > > > > pre-save command: > > > > post-save command: > > > > track: yes > > > > auto-renew: yes > > > > Request ID '20111214223300': > > > > status: MONITORING > > > > ca-error: Error setting up ccache > for local > > "host" > > > service using > > > > default keytab: Clock skew too great. > > > > stuck: no > > > > key pair storage: > > > > > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > > Certificate > > > > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > > > certificate: > > > > > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > > > Certificate > > > > DB' > > > > CA: IPA > > > > issuer: CN=Certificate > Authority,O=sample.NET > > > > subject: CN=test.sample.net > > > > > > ,O=sample.NET > > > > expires: 2016-01-29 14:09:45 UTC > > > > eku: id-kp-serverAuth > > > > pre-save command: > > > > post-save command: > > > > track: yes > > > > auto-renew: yes > > > > Request ID '20111214223316': > > > > status: MONITORING > > > > ca-error: Error setting up ccache > for local > > "host" > > > service using > > > > default keytab: Clock skew too great. 
> > > > stuck: no > > > > key pair storage: > > > > > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > > certificate: > > > > > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > > Certificate DB' > > > > CA: IPA > > > > issuer: CN=Certificate > Authority,O=sample.NET > > > > subject: CN=test.sample.net > > > > > > ,O=sample.NET > > > > expires: 2016-01-29 14:09:45 UTC > > > > eku: id-kp-serverAuth > > > > pre-save command: > > > > post-save command: > > > > track: yes > > > > auto-renew: yes > > > > Request ID '20130519130741': > > > > status: NEED_CSR_GEN_PIN > > > > ca-error: Internal error: no > response to > > > > > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". > > > > stuck: yes > > > > key pair storage: > > > > > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > > > cert-pki-ca',token='NSS Certificate > DB',pin='297100916664 > > > > ' > > > > certificate: > > > > > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > > > cert-pki-ca',token='NSS Certificate DB' > > > > CA: dogtag-ipa-renew-agent > > > > issuer: CN=Certificate > Authority,O=sample.NET > > > > subject: CN=CA Audit,O=sample.NET > > > > expires: 2017-10-13 14:10:49 UTC > > > > pre-save command: > > /usr/lib64/ipa/certmonger/stop_pkicad > > > > post-save command: > > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > > "auditSigningCert cert-pki-ca" > > > > track: yes > > > > auto-renew: yes > > > > Request ID '20130519130742': > > > > status: NEED_CSR_GEN_PIN > > > > ca-error: Internal error: no > response to > > > > > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
> > > > stuck: yes > > > > key pair storage: > > > > > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > > > cert-pki-ca',token='NSS Certificate > DB',pin='297100916664 > > > > ' > > > > certificate: > > > > > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > > > cert-pki-ca',token='NSS Certificate DB' > > > > CA: dogtag-ipa-renew-agent > > > > issuer: CN=Certificate > Authority,O=sample.NET > > > > subject: CN=OCSP > Subsystem,O=sample.NET > > > > expires: 2017-10-13 14:09:49 UTC > > > > eku: id-kp-OCSPSigning > > > > pre-save command: > > /usr/lib64/ipa/certmonger/stop_pkicad > > > > post-save command: > > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > > "ocspSigningCert cert-pki-ca" > > > > track: yes > > > > auto-renew: yes > > > > Request ID '20130519130743': > > > > status: NEED_CSR_GEN_PIN > > > > ca-error: Internal error: no > response to > > > > > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". 
> > > > stuck: yes > > > > key pair storage: > > > > > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > > > cert-pki-ca',token='NSS Certificate > DB',pin='297100916664 > > > > ' > > > > certificate: > > > > > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > > > cert-pki-ca',token='NSS Certificate DB' > > > > CA: dogtag-ipa-renew-agent > > > > issuer: CN=Certificate > Authority,O=sample.NET > > > > subject: CN=CA Subsystem,O=sample.NET > > > > expires: 2017-10-13 14:09:49 UTC > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > pre-save command: > > /usr/lib64/ipa/certmonger/stop_pkicad > > > > post-save command: > > > /usr/lib64/ipa/certmonger/renew_ca_cert > > > > "subsystemCert cert-pki-ca" > > > > track: yes > > > > auto-renew: yes > > > > Request ID '20130519130744': > > > > status: MONITORING > > > > ca-error: Internal error: no > response to > > > > > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
> > > > stuck: no > > > > key pair storage: > > > > > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > Certificate > > > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > > certificate: > > > > > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > Certificate DB' > > > > CA: dogtag-ipa-renew-agent > > > > issuer: CN=Certificate > Authority,O=sample.NET > > > > subject: CN=RA Subsystem,O=sample.NET > > > > expires: 2017-10-13 14:09:49 UTC > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > pre-save command: > > > > post-save command: > > > /usr/lib64/ipa/certmonger/renew_ra_cert > > > > track: yes > > > > auto-renew: yes > > > > Request ID '20130519130745': > > > > status: NEED_CSR_GEN_PIN > > > > ca-error: Internal error: no > response to > > > > > > > > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". > > > > stuck: yes > > > > key pair storage: > > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > > > cert-pki-ca',token='NSS Certificate > DB',pin='297100916664 > > > > ' > > > > certificate: > > > > > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > > > cert-pki-ca',token='NSS Certificate DB' > > > > CA: dogtag-ipa-renew-agent > > > > issuer: CN=Certificate > Authority,O=sample.NET > > > > subject: CN=test.sample.net > > > > > > ,O=sample.NET > > > > expires: 2017-10-13 14:09:49 UTC > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > pre-save command: > > > > post-save command: > > > > track: yes > > > > auto-renew: yes[root at test certs]# > getcert list > > > > Number of certificates and requests being > tracked: 8. > > > > Request ID '20111214223243': > > > > status: MONITORING > > > > ca-error: Error setting up ccache > for local > > "host" > > > service using > > > > default keytab: Clock skew too great. 
> > > >     stuck: no
> > > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> > > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> > > >     CA: IPA
> > > >     issuer: CN=Certificate Authority,O=sample.NET
> > > >     subject: CN=test.sample.net,O=sample.NET
> > > >     expires: 2016-01-29 14:09:46 UTC
> > > >     eku: id-kp-serverAuth
> > > >     pre-save command:
> > > >     post-save command:
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20111214223300':
> > > >     status: MONITORING
> > > >     ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> > > >     stuck: no
> > > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > > >     CA: IPA
> > > >     issuer: CN=Certificate Authority,O=sample.NET
> > > >     subject: CN=test.sample.net,O=sample.NET
> > > >     expires: 2016-01-29 14:09:45 UTC
> > > >     eku: id-kp-serverAuth
> > > >     pre-save command:
> > > >     post-save command:
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20111214223316':
> > > >     status: MONITORING
> > > >     ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> > > >     stuck: no
> > > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > >     CA: IPA
> > > >     issuer: CN=Certificate Authority,O=sample.NET
> > > >     subject: CN=test.sample.net,O=sample.NET
> > > >     expires: 2016-01-29 14:09:45 UTC
> > > >     eku: id-kp-serverAuth
> > > >     pre-save command:
> > > >     post-save command:
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20130519130741':
> > > >     status: NEED_CSR_GEN_PIN
> > > >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> > > >     stuck: yes
> > > >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> > > >     CA: dogtag-ipa-renew-agent
> > > >     issuer: CN=Certificate Authority,O=sample.NET
> > > >     subject: CN=CA Audit,O=sample.NET
> > > >     expires: 2017-10-13 14:10:49 UTC
> > > >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20130519130742':
> > > >     status: NEED_CSR_GEN_PIN
> > > >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> > > >     stuck: yes
> > > >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> > > >     CA: dogtag-ipa-renew-agent
> > > >     issuer: CN=Certificate Authority,O=sample.NET
> > > >     subject: CN=OCSP Subsystem,O=sample.NET
> > > >     expires: 2017-10-13 14:09:49 UTC
> > > >     eku: id-kp-OCSPSigning
> > > >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20130519130743':
> > > >     status: NEED_CSR_GEN_PIN
> > > >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> > > >     stuck: yes
> > > >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> > > >     CA: dogtag-ipa-renew-agent
> > > >     issuer: CN=Certificate Authority,O=sample.NET
> > > >     subject: CN=CA Subsystem,O=sample.NET
> > > >     expires: 2017-10-13 14:09:49 UTC
> > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20130519130744':
> > > >     status: MONITORING
> > > >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> > > >     stuck: no
> > > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > >     CA: dogtag-ipa-renew-agent
> > > >     issuer: CN=Certificate Authority,O=sample.NET
> > > >     subject: CN=RA Subsystem,O=sample.NET
> > > >     expires: 2017-10-13 14:09:49 UTC
> > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > >     pre-save command:
> > > >     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > >     track: yes
> > > >     auto-renew: yes
> > > > Request ID '20130519130745':
> > > >     status: NEED_CSR_GEN_PIN
> > > >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> > > >     stuck: yes
> > > >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> > > >     CA: dogtag-ipa-renew-agent
> > > >     issuer: CN=Certificate Authority,O=sample.NET
> > > >     subject: CN=test.sample.net,O=sample.NET
> > > >     expires: 2017-10-13 14:09:49 UTC
> > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > >     pre-save command:
> > > >     post-save command:
> > > >     track: yes
> > > >     auto-renew: yes
> > > > --
> > > > Thanks, Anthony
> > >
> > > Hello Anthony!
> > >
> > > After stopping NTP (or another time synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one.
> > >
> > > I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.
> > >
> > > --
> > > David Kupka
> > >
> > > --
> > > Thanks, Anthony
> > >
> > > --
> > > Thanks, Anthony
> >
> > --
> > Thanks, Anthony
>
> --
> Thanks, Anthony
>
> --
> Thanks, Anthony

From rcritten at redhat.com Wed May 4 13:10:01 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 4 May 2016 09:10:01 -0400 Subject: [Freeipa-users] Free IPA Client in Docker In-Reply-To: <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> Message-ID: <5729F4A9.2000508@redhat.com>

Hosakote Nagesh, Pawan wrote:
> Our apps are running in a docker image based on Ubuntu 14.04 that cannot be changed to redhat. We want to install freeipa-client within this docker so that our app
> uses freeipa ldap as against the default ldap.
>
> The freeipa-client gets successfully installed on an Ubuntu 14.04 plain machine, that is why I am hoping making it run in an Ubuntu 14.04 docker should also be very much possible.
>
> As you can see, things get stuck in not starting the bus process properly (this problem is not seen in ubuntu on a plain machine). I cannot see many debug statements by enabling the --debug option in ipa-client-install.
> It's not clear why this process doesn't get started and what is missing in the container as against a plain machine which is making this install fail.
>
> I have been on to this issue for 2 full days now. I am pasting whatever debug statements I got during install, here:
>
> Command
> -----
> ipa-client-install --domain= --server= hostname=jupyterhub.com --no-ntp --no-dns-sshfp
>
>
> Log (After Error starts to happen)
> -----
> Attached
>
> My main suspect is the dbus service being unable to start in this container, whereas it launches on a plain machine.

The root of the problem appears to be:

dbus: unrecognized service

rob

> -
> Best,
> Pawan
>
> On 5/3/16, 2:03 PM, "Lukas Slebodnik" wrote:
>
>> On (03/05/16 18:25), Hosakote Nagesh, Pawan wrote:
>>> Currently this is the error I'm stuck with. There isn't enough material online to proceed further. Failure starts with bus error..
>>>
>>> Logs during ipa-client-install..
>>> ====================================
>>>
>>> Synchronizing time with KDC...
>>> Password for service_ipa@EAZ.EBAYC3.COM:
>>> Successfully retrieved CA cert
>>> Subject: CN=Certificate Authority,O=EAZ.EBAYC3.COM
>>> Issuer: CN=Certificate Authority,O=EAZ.EBAYC3.COM
>>> Valid From: Mon Dec 07 05:17:30 2015 UTC
>>> Valid Until: Fri Dec 07 05:17:30 2035 UTC
>>>
>>> Enrolled in IPA realm EAZ.EBAYC3.COM
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm EAZ.EBAYC3.COM
>>> dbus failed to start: Command '/usr/sbin/service dbus start ' returned non-zero exit status 1
>> I think the error message is clear.
>> There was a problem with starting the dbus service within a container.
>>
>>> certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
>>> certmonger request for host certificate failed
>>> 2016-05-02 22:11:53,099 CRIT reaped unknown pid 241)
>>> .
>>>
>>> On 5/3/16, 1:45 AM, "Lukas Slebodnik" wrote:
>>>
>>>> On (29/04/16 17:16), Hosakote Nagesh, Pawan wrote:
>>>>> Thanks for your quick response. I am trying this on ubuntu.
>>>>>
>>>>> This is the bug I'm facing right now: https://lists.launchpad.net/freeipa/msg00236.html
>>>>> They say it's fixed in the Trusty release of Ubuntu. But it doesn't work for me. There is also no other material
>>>>> on how to fix this dbus error.
>>>>>
>>>>> root@jupyterhub:/# lsb_release -rd
>>>>> Description: Ubuntu 14.04.4 LTS
>>>>> Release: 14.04
>>>>> root@jupyterhub:/#
>>>> Do I understand it correctly that you want to build your own image
>>>> based on ubuntu?
>>>>
>>>> If the answer is yes then I would recommend using ubuntu xenial (16.04).
>>>>
>>>> But the benefit of container technologies is that you can use an
>>>> image based on a different distribution and therefore it would be
>>>> best if you could use https://hub.docker.com/r/fedora/sssd/
>>>> (which was already mentioned).
>>>>
>> May I know why you do not want to use the existing working container
>> based on the image fedora/sssd.
>>
>> You would save some time with troubleshooting things which were already solved.
>>
>> If you want help then please provide more info.
>> I assume you use docker and not lxd (based on the subject).
>> Please share details of how you built the image and how you
>> run the container ...
>>
>> LS
>>
>>

From jeffrey.armstrong at gasoc.com Wed May 4 13:41:58 2016 From: jeffrey.armstrong at gasoc.com (Armstrong, Jeffrey) Date: Wed, 4 May 2016 13:41:58 +0000 Subject: [Freeipa-users] sudorule Message-ID: <3DAC7A5927B8594195EA704FB41255B076B63171@Supernatural2.gafoc.com>

Hi

I'm trying to add a sudo command to a sudo rule. It's executing the command but it's not adding the sudo command.

ipa sudorule-add-allow-command --sudocmds "/bin/su " bkrc_rule
  Rule name: bkrc_rule
  Enabled: TRUE
-------------------------
Number of members added 0

Thanks

Jeff Armstrong

From rob.verduijn at gmail.com Wed May 4 14:10:59 2016 From: rob.verduijn at gmail.com (Rob Verduijn) Date: Wed, 4 May 2016 16:10:59 +0200 Subject: [Freeipa-users] get freeipa to update ad users and groups more often Message-ID:

Hello,

I'm using a trust to microsoft active directory to allow users access to linux servers.
But when a user is added it takes a very long time for ipa to register this.
And even more time for the ipa clients since they have to wait for the ipa servers.

I hate to tell the users to wait for a couple of hours, and I also do not like to clean up the sssd cache folder each time a new user appears.

Is there a way to tell ipa and all clients to refresh their cache?

Regards
Rob Verduijn

From mkosek at redhat.com Wed May 4 14:16:38 2016 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 4 May 2016 16:16:38 +0200 Subject: [Freeipa-users] freeipa password policy ( hsitory ) getting reset with password reset In-Reply-To: References: Message-ID: <42cec20e-bdba-ff57-384d-3ea2320923ed@redhat.com>

On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> Hi,
>
> I am running a freeipa server 4.2.x.
>
> I have the following global password policy set to force a history of 3
>
> ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 --maxfail=3 --failinterval=300
>
> This works well when the user himself changes the password, and IPA does not allow reusing an older password.
>
> However, if the admin resets it with "ipa user-mod testuser --random" then it seems to reset the password history as well and the user can now re-use his older password.
>
> Is this expected or is there something I can do about it?

Good question, CCing Simo on this one.

> Also, is there a way to get the password expiry warning at the terminal when a user logs in, something similar to the "pwdExpireWarning" in ldap.
>
> I searched a bit and could only find setting up email alerts.

CCing Jakub from the SSSD team.

Martin

From rob.verduijn at gmail.com Wed May 4 14:20:19 2016 From: rob.verduijn at gmail.com (Rob Verduijn) Date: Wed, 4 May 2016 16:20:19 +0200 Subject: [Freeipa-users] get freeipa to update ad users and groups more often In-Reply-To: References: Message-ID:

This goes especially for ad groups that are nested in ipa_groups, i.e. a microsoft group is defined as an external group, that external group is a member of an ipa group, and that ipa group takes forever.

Regards
Rob Verduijn

2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> Hello,
>
> I'm using a trust to microsoft active directory to allow users access
> to linux servers.
>
> But when a user is added it takes a very long time for ipa to register this.
> And even more time for the ipa clients since they have to wait for the
> ipa servers.
>
> Since I hate to tell the users to wait for a couple hours, and also I
> do not like to clean up the sssd cache folder each time a new user
> appears.
>
> Is there a way to tell ipa and all clients to refresh their cache ?
>
> Regards
> Rob Verduijn

From mkosek at redhat.com Wed May 4 14:23:00 2016 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 4 May 2016 16:23:00 +0200 Subject: [Freeipa-users] Who uses FreeIPA? In-Reply-To: <20160504072340.GE3666@hendrix> References: <20160503190958.GA1640@deverteuil.net> <20160503213102.GC9681@10.4.128.1> <20160504072340.GE3666@hendrix> Message-ID:

On 05/04/2016 09:23 AM, Jakub Hrozek wrote:
> On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
>> On (03/05/16 15:09), Alexandre de Verteuil wrote:
>>> Hello all,
>>>
>>> I've deployed FreeIPA in my home lab and I'm happy to have single
>>> sign-on for all my Archlinux virtual machines and Fedora laptops :)
>>>
>>> It took me lots of research and conversations before hearing about
>>> FreeIPA for the first time while searching for a libre SSO solution. I
>>> think FreeIPA needs much more exposure. I am really impressed with it.
>>> Tomorrow I am giving a short presentation at my workplace to talk about
>>> it and invite other sysadmins to try it.
>>>
>>> I would like to make a slide showing the current adoption of FreeIPA. I
>>> read that Red Hat uses it internally, but do they actually deploy it in
>>> their clients' infrastructures? Are there any big companies that use it?
>>> Even if I only have reports of schools and small businesses, it would be
>>> good enough to say it's production ready and it has traction.
>>>
>>> Whether you are reporting about your own use or you know where I can
>>> find out more would be greatly appreciated! I have not found a "Who uses
>>> FreeIPA" page on the Internet.
>>>
>> The GNOME Infrastructure is now powered by FreeIPA!
>> October 7, 2014
>>
>> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/
>
> Would it make sense to add 'success stories' like this to the
> freeipa.org home page? Of course, we can't use Red Hat IDM customers,
> but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu
> could be added there if they would agree..

I think it would make sense. We already know at least about GNOME as Lukas mentioned or about eBay's Hadoop clusters:

https://hadoopsummit.uservoice.com/forums/344958-governance-and-security/suggestions/11664876-freeipa-for-securing-hadoop-fish

I think we should start a new "References" page on the FreeIPA.org wiki and ask for success stories from this list. Any takers? :-)

From mkosek at redhat.com Wed May 4 14:24:39 2016 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 4 May 2016 16:24:39 +0200 Subject: [Freeipa-users] Inplace upgrade In-Reply-To: References: <20160504112455.GA22424@10.4.128.1> Message-ID: <32c30955-a3b6-0220-4af2-c5ab0ebd446b@redhat.com>

On 05/04/2016 01:31 PM, barrykfl at gmail.com wrote:
> U meant it fail start if update minor version only?
>
> On 4 May 2016 at 7:25 PM, "Lukas Slebodnik" wrote:
>
> > On (04/05/16 13:17), barrykfl at gmail.com wrote:
> > >Can specific minor version?
> > Yes you can
> >
> > yum update ipa-server-3.0.0-37.el6.x86_64
> >
> > However, it can fail if this version is not available in repositories.
> >
> > BTW the latest version in el6 is 3.0.0-47.el6
> >
> > LS

I believe all the info should be on this page:
http://www.freeipa.org/page/Upgrade

If not, we should improve it - suggestions welcome!

Thanks,
Martin

From mkosek at redhat.com Wed May 4 14:30:18 2016 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 4 May 2016 16:30:18 +0200 Subject: [Freeipa-users] sudorule In-Reply-To: <3DAC7A5927B8594195EA704FB41255B076B63171@Supernatural2.gafoc.com> References: <3DAC7A5927B8594195EA704FB41255B076B63171@Supernatural2.gafoc.com> Message-ID:

On 05/04/2016 03:41 PM, Armstrong, Jeffrey wrote:
> Hi
>
> I'm trying to add a sudo command to a sudo rule. It's executing the
> command but it's not adding the sudo command.
>
> ipa sudorule-add-allow-command --sudocmds "/bin/su " bkrc_rule
>
> Rule name: bkrc_rule
>
> Enabled: TRUE
>
> -------------------------
>
> Number of members added 0
>
> Thanks
>
> Jeff Armstrong

Does the SUDO command object exist?

# ipa sudorule-add-allow-command --sudocmds "/bin/su" test
  Rule name: test
  Enabled: TRUE
-------------------------
Number of members added 0
-------------------------

# ipa sudocmd-show /bin/su
ipa: ERROR: /bin/su: sudo command not found

More info here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/adding-sudo.html

I assume not. I actually think that this is a bug that FreeIPA does not display any warning in this ticket. Can you please file a ticket/bug?
https://fedorahosted.org/freeipa/newticket Thanks, Martin From jhrozek at redhat.com Wed May 4 14:32:36 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 4 May 2016 16:32:36 +0200 Subject: [Freeipa-users] freeipa password policy ( hsitory ) getting reset with password reset In-Reply-To: <42cec20e-bdba-ff57-384d-3ea2320923ed@redhat.com> References: <42cec20e-bdba-ff57-384d-3ea2320923ed@redhat.com> Message-ID: <20160504143236.GJ3666@hendrix> On Wed, May 04, 2016 at 04:16:38PM +0200, Martin Kosek wrote: > On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote: > > Hi, > > > > I am running a freeipa server 4.2.x. > > > > I have the following password global password policy set to force a history of 3 > > > > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 > > --maxfail=3 --failinterval=300 > > > > > > This works good when the user himself changes the password.. and IPA does not > > allow reusing older password. > > > > However, if the admin resets it "ipa user-mod testuser --random" then it seems > > to reset the password history as well and the user can now re-use his older password > > > > Is this expected or is there something I can do about it. > > Good question, CCing Simo on this one. > > > Also, is there a way to get the password expiry warning at the terminal when a > > user logs in , something similar to the "pwdExpireWarning" in ldap. > > > > I searched a bit and could only find setting up email alerts . Some more warnings are displayed when you bump the pam_verbosity option, see man sssd.conf. I'm not sure if the expiry warning is one of them. If not, feel free to file a bug. From jhrozek at redhat.com Wed May 4 14:33:02 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 4 May 2016 16:33:02 +0200 Subject: [Freeipa-users] Who uses FreeIPA? 
In-Reply-To: References: <20160503190958.GA1640@deverteuil.net> <20160503213102.GC9681@10.4.128.1> <20160504072340.GE3666@hendrix> Message-ID: <20160504143302.GK3666@hendrix> On Wed, May 04, 2016 at 04:23:00PM +0200, Martin Kosek wrote: > On 05/04/2016 09:23 AM, Jakub Hrozek wrote: > > On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote: > >> On (03/05/16 15:09), Alexandre de Verteuil wrote: > >>> Hello all, > >>> > >>> I've deployed FreeIPA in my home lab and I'm happy to have single > >>> sign-on for all my Archlinux virtual machines and Fedora laptops :) > >>> > >>> It took me lots of research and conversations before hearing about > >>> FreeIPA for the first time while searching for a libre SSO solution. I > >>> think FreeIPA needs much more exposure. I am really impressed with it. > >>> Tomorrow I am giving a short presentation at my workplace to talk about > >>> it and invite other sysadmins to try it. > >>> > >>> I would like to make a slide showing the current adoption of FreeIPA. I > >>> read that Red Hat uses it internally, but do they actually deploy it in > >>> their client's infrastructures? Are there any big companies that use it? > >>> Even if I only have reports of schools and small businesses would be > >>> good enough to say it's production ready and it has traction. > >>> > >>> Whether you are reporting about your own use or you know where I can > >>> find out more would be greatly appreciated! I have not found a "Who uses > >>> FreeIPA" page on the Internet. > >>> > >> The GNOME Infrastructure is now powered by FreeIPA! > >> October 7, 2014 > >> > >> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/ > > > > Would it make sense to add 'success stories' like this to the > > freeipa.org home page? Of course, we can't use Red Hat IDM customers, > > but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu > > could be added there if they would agree.. 
> > I think it would make sense. We already know at least about GNOME as Lukas > mentioned or about eBay's Hadoop clusters: > > https://hadoopsummit.uservoice.com/forums/344958-governance-and-security/suggestions/11664876-freeipa-for-securing-hadoop-fish > > I think we should start a new "References" page on the FreeIPA.org wiki and ask > for success stories from this list. Any takers? :-) I think we should ask those projects for permission first.. From anthony.wan.cheng at gmail.com Wed May 4 14:34:43 2016 From: anthony.wan.cheng at gmail.com (Anthony Cheng) Date: Wed, 4 May 2016 10:34:43 -0400 Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great. In-Reply-To: <5729F3FC.1000306@redhat.com> References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com> <5724BC4A.3060400@redhat.com> <57275C0E.10003@redhat.com> <5729F3FC.1000306@redhat.com> Message-ID: On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden wrote: > Anthony Cheng wrote: >> >> Small update, I found an article on the RH solution library >> (https://access.redhat.com/solutions/2020223) that has the same error >> code that I am getting and I followed the steps with certutil to update >> the cert attributes but it is still not working. The article is listed >> as "Solution in Progress". >> >> [root at test ~]# getcert list | more >> >> Number of certificates and requests being tracked: 7. >> >> Request ID '20111214223243': >> >> status: CA_UNREACHABLE >> >> ca-error: Server failed request, will retry: 4301 (RPC failed at >> server.Certificate operation cannot be comp >> >> leted: Unable to communicate with CMS (Not Found)). > > > Not Found means the CA didn't start. You need to examine the debug and > selftest logs to determine why. > > rob selftests.log is empty; there are entries for other time but not for the test to when I set the clock to renew certs. 
[root@test pki-ca]# clock
Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
[root@test pki-ca]# ll * | grep self
-rw-r-----. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
-rw-r-----. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
-rw-r-----. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
-rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159

From the debug log I see some error messages:

[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException Certificate object not found
    at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

Full log:

[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: ============================================
[28/Jan/2016:21:09:02][main]: =====  DEBUG SUBSYSTEM INITIALIZED  =======
[28/Jan/2016:21:09:02][main]: ============================================
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_FAIL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: INTER_BOUNDARY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_FAIL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_PROFILE_APPROVAL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PROOF_OF_POSSESSION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_RETRIEVAL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_VALIDATION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CMC_SIGNED_REQUEST_SIG_VERIFY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CIMC_CERT_VERIFICATION
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized log
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized os
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=jss
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=jss
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_40_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc2_40_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_128_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_3des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_3des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza_rc4_128_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_null_md5
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=jss
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized jss
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=dbs
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password not in memory
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: try to get it from password store
[28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password store initialized before.
[28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password store initialized.
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: Internal LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: password store available
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: password for Internal LDAP Database not found, trying internaldb
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: password ok: store in memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init ends
[28/Jan/2016:21:09:02][main]: init: before makeConnection errorIfDown is true
[28/Jan/2016:21:09:02][main]: makeConnection: errorIfDown true
[28/Jan/2016:21:09:02][main]: Established LDAP connection using basic authentication to host test.sample.net port 7389 as cn=Directory Manager
[28/Jan/2016:21:09:02][main]: initializing with mininum 3 and maximum 15 connections to host test.sample.net port 7389, secure connection, false, authentication type 1
[28/Jan/2016:21:09:02][main]: increasing minimum connections by 3
[28/Jan/2016:21:09:02][main]: new total available connections 3
[28/Jan/2016:21:09:02][main]: new number of connections 3
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=usrgrp
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=usrgrp
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: got password from memory
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password found for prompt.
[28/Jan/2016:21:09:03][main]: LdapAuthInfo: password ok: store in memory cache
[28/Jan/2016:21:09:03][main]: LdapAuthInfo: init ends
[28/Jan/2016:21:09:03][main]: init: before makeConnection errorIfDown is false
[28/Jan/2016:21:09:03][main]: makeConnection: errorIfDown false
[28/Jan/2016:21:09:03][main]: Established LDAP connection using basic authentication to host test.sample.net port 7389 as cn=Directory Manager
[28/Jan/2016:21:09:03][main]: initializing with mininum 3 and maximum 15 connections to host test.sample.net port 7389, secure connection, false, authentication type 1
[28/Jan/2016:21:09:03][main]: increasing minimum connections by 3
[28/Jan/2016:21:09:03][main]: new total available connections 3
[28/Jan/2016:21:09:03][main]: new number of connections 3
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=usrgrp
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized usrgrp
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=registry
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=registry
[28/Jan/2016:21:09:03][main]: RegistrySubsystem: start init
[28/Jan/2016:21:09:03][main]: added plugin profileOutput pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.profile.output.PKCS7Output
[28/Jan/2016:21:09:03][main]: added plugin profileOutput cmmfOutputImpl CMMF Response Output CMMF Response Output com.netscape.cms.profile.output.CMMFOutput
[28/Jan/2016:21:09:03][main]: added plugin profileOutput certOutputImpl Certificate Output Certificate Output com.netscape.cms.profile.output.CertOutput
[28/Jan/2016:21:09:03][main]: added plugin profileOutput nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netscape.cms.profile.output.nsNKeyOutput
[28/Jan/2016:21:09:03][main]: added plugin profileInput submitterInfoInputImpl Submitter Information Input Submitter Information Input com.netscape.cms.profile.input.SubmitterInfoInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput serialNumRenewInputImpl Certificate Renewal Request
Serial Nu mber Input Certificate Renewal Request Serial Number Input com.netscape.cms.profile.input.SerialNumRenewInput [28/Jan/2016:21:09:03][main]: added plugin profileInput dualKeyGenInputImpl Dual Key Generation Input Dual Key Genera tion Input com.netscape.cms.profile.input.DualKeyGenInput [28/Jan/2016:21:09:03][main]: added plugin profileInput nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqIn putImpl com.netscape.cms.profile.input.nsNKeyCertReqInput [28/Jan/2016:21:09:03][main]: added plugin profileInput fileSigningInputImpl File Signing Input File Signing Input co m.netscape.cms.profile.input.FileSigningInput [28/Jan/2016:21:09:03][main]: added plugin profileInput certReqInputImpl Certificate Request Input Certificate Reques t Input com.netscape.cms.profile.input.CertReqInput [28/Jan/2016:21:09:03][main]: added plugin profileInput cmcCertReqInputImpl CMC Certificate Request Input CMC Certifi cate Request Input com.netscape.cms.profile.input.CMCCertReqInput [28/Jan/2016:21:09:03][main]: added plugin profileInput nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqIn putImpl com.netscape.cms.profile.input.nsHKeyCertReqInput [28/Jan/2016:21:09:03][main]: added plugin profileInput subjectDNInputImpl Subject DN Input Subject DN Input com.nets cape.cms.profile.input.SubjectDNInput [28/Jan/2016:21:09:03][main]: added plugin profileInput keyGenInputImpl Key Generation Input Key Generation Input com .netscape.cms.profile.input.KeyGenInput [28/Jan/2016:21:09:03][main]: added plugin profileInput genericInputImpl Generic Input Generic Input com.netscape.cms .profile.input.GenericInput [28/Jan/2016:21:09:03][main]: added plugin profileInput imageInputImpl Image Input Image Input com.netscape.cms.profi le.input.ImageInput [28/Jan/2016:21:09:03][main]: added plugin profileInput subjectNameInputImpl Subject Name Input Subject Name Input co m.netscape.cms.profile.input.SubjectNameInput [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy 
basicConstraintsExtConstraintImpl Basic Constraints Exten sion Constraint Basic Constraints Extension Constraint com.netscape.cms.profile.constraint.BasicConstraintsExtConstra int [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy noConstraintImpl No Constraint No Constraint com.netscape .cms.profile.constraint.NoConstraint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy signingAlgConstraintImpl Signing Algorithm Constraint Sig ning Algorithm Constraint com.netscape.cms.profile.constraint.SigningAlgConstraint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy extendedKeyUsageExtConstraintImpl Extended Key Usage Exte nsion Constraint Extended Key Usage Extension Constraint com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConst raint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy extensionConstraintImpl Extension Constraint Extension Co nstraint com.netscape.cms.profile.constraint.ExtensionConstraint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy subjectNameConstraintImpl Subject Name Constraint Subject Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy uniqueSubjectNameConstraintImpl Unique Subject Name Const raint Unique Subject Name Constraint com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy keyUsageExtConstraintImpl Key Usage Extension Constraint Key Usage Extension Constraint com.netscape.cms.profile.constraint.KeyUsageExtConstraint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy renewGracePeriodConstraintImpl Renewal Grace Period Const raint Renewal Grace Period Constraint com.netscape.cms.profile.constraint.RenewGracePeriodConstraint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy keyConstraintImpl Key Constraint Key Constraint com.netsc ape.cms.profile.constraint.KeyConstraint [28/Jan/2016:21:09:03][main]: added plugin 
constraintPolicy nsCertTypeExtConstraintImpl Netscape Certificate Type Ext ension Constraint Netscape Certificate Type Extension Constraint com.netscape.cms.profile.constraint.NSCertTypeExtCon straint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy validityConstraintImpl Validity Constraint Validity Const raint com.netscape.cms.profile.constraint.ValidityConstraint [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy uniqueKeyConstraintImpl Unique Public Key Constraint Uniq ue Public Key Constraint com.netscape.cms.profile.constraint.UniqueKeyConstraint [28/Jan/2016:21:09:03][main]: added plugin profile caEnrollImpl Generic Certificate Enrollment Profile Certificate Au thority Generic Certificate Enrollment Profile com.netscape.cms.profile.common.CAEnrollProfile [28/Jan/2016:21:09:03][main]: added plugin profile caUserCertEnrollImpl User Certificate Enrollment Profile Certifica te Authority User Certificate Enrollment Profile com.netscape.cms.profile.common.UserCertCAEnrollProfile [28/Jan/2016:21:09:03][main]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certi ficate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile [28/Jan/2016:21:09:03][main]: added plugin profile caCACertEnrollImpl CA Certificate Enrollment Profile Certificate A uthority CA Certificate Enrollment Profile com.netscape.cms.profile.common.CACertCAEnrollProfile [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy userKeyDefaultImpl User Supplied Key Default User Supplied K ey Default com.netscape.cms.profile.def.UserKeyDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy freshestCRLExtDefaultImpl Freshest CRL Extension Default Fre shest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy authInfoAccessExtDefaultImpl Authority Info Access Extension Default Authority Info Access Extension Default 
com.netscape.cms.profile.def.AuthInfoAccessExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNa meDefault nsTokenUserKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy genericExtDefaultImpl Generic Extension Generic Extension co m.netscape.cms.profile.def.GenericExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy authorityKeyIdentifierExtDefaultImpl Authority Key Identifie r Extension Default Authority Key Identifier Extension Default com.netscape.cms.profile.def.AuthorityKeyIdentifierExt Default [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy issuerAltNameExtDefaultImpl Issuer Alternative Name Extensio n Default Issuer Alternative Name Extension Default com.netscape.cms.profile.def.IssuerAltNameExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy basicConstraintsExtDefaultImpl Basic Constraints Extension D efault Basic Constraints Extension Default com.netscape.cms.profile.def.BasicConstraintsExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy keyUsageExtDefaultImpl Key Usage Extension Default Key Usage Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OC SP No Check Extension Default com.netscape.cms.profile.def.OCSPNoCheckExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extens ion Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy 
userSubjectNameDefaultImpl User Supplied Subject Name Defaul t User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attribu tes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttribute sExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Ce rtificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefa ult [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Exten sion Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.net scape.cms.profile.def.ValidityDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul t Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile 
.def.NoDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cm s.profile.def.ImageDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extensio n Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto R equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Defau lt Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Cer tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default Use r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Def ault com.netscape.cms.profile.def.SubjectNameDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault 
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De fault Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algo rithm Default com.netscape.cms.profile.def.SigningAlgDefault [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Def ault Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault [28/Jan/2016:21:09:03][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updat er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry [28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap [28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name [28/Jan/2016:21:09:03][main]: 
CMSEngine: done init id=X500Name [28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request [28/Jan/2016:21:09:03][main]: CMSEngine: initialized request [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca [28/Jan/2016:21:09:03][main]: CertificateAuthority init [28/Jan/2016:21:09:03][main]: Cert Repot inited [28/Jan/2016:21:09:03][main]: CRL Repot inited [28/Jan/2016:21:09:03][main]: Replica Repot inited [28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name [28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1 [28/Jan/2016:21:09:03][main]: converted to x509CertImpl [28/Jan/2016:21:09:03][main]: Got private key from cert [28/Jan/2016:21:09:03][main]: Got public key from cert [28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest [28/Jan/2016:21:09:03][main]: CA signing unit inited [28/Jan/2016:21:09:03][main]: cachainNum= 0 [28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS. 
[28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException Certificate object not found at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204) at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) at com.netscape.certsrv.apps.CMS.init(CMS.java:153) at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at 
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) at org.apache.catalina.core.StandardService.start(StandardService.java:516) at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) at org.apache.catalina.startup.Catalina.start(Catalina.java:593) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) [28/Jan/2016:21:09:03][main]: CMSEngine.shutdown() [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. 
>
>>
>> stuck: yes
>>
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=SAMPLE.NET
>>
>> subject: CN=caer.SAMPLE.net ,O=SAMPLE.NET
>>
>> expires: 2016-01-29 14:09:46 UTC
>>
>> eku: id-kp-serverAuth
>>
>> pre-save command:
>>
>> post-save command:
>>
>> track: yes
>>
>> auto-renew: yes
>>
>>
>> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng wrote:
>>
>> On Mon, May 2, 2016 at 9:54 AM Rob Crittenden wrote:
>>
>> Anthony Cheng wrote:
>> > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
>> >
>> > Anthony Cheng wrote:
>> > > OK so I made process on my cert renew issue; I was able to get kinit
>> > > working so I can follow the rest of the steps here
>> > > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>> > >
>> > > However, after using
>> > >
>> > > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>> > >
>> > > and restarting apache (/sbin/service httpd restart), resubmitting 3
>> > > certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
>> > > (/sbin/service ipa restart), I still see:
>> > >
>> > > [root at test ~]# ipa-getcert list | more
>> > > Number of certificates and requests being tracked: 8.
>> > > Request ID '20111214223243':
>> > > status: CA_UNREACHABLE
>> > > ca-error: Server failed request, will retry: 4301 (RPC failed
>> > > at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>> >
>> > IPA proxies requests to the CA through Apache. This means that while
>> > tomcat started ok it didn't load the dogtag CA application, hence the
>> > Not Found.
>> >
>> > Check the CA debug and selftest logs to see why it failed to start
>> > properly.
>> >
>> > [ snip ]
>> >
>> > Actually after a reboot that error went away and I just get this error
>> > instead "ca-error: Server failed request, will retry: -504 (libcurl
>> > failed to execute the HTTP POST transaction. Peer certificate cannot be
>> > authenticated with known CA certificates)." from "getcert list"
>> >
>> > Result of service ipa restart is interesting since it shows today's time
>> > when I already changed date/time/disable NTP so somehow the system still
>> > know today's time.
>> >
>> > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
>> > CERT_VerifyCertificateNow: verify certificate failed for cert
>> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
>> > Runtime error -8181 - Peer's Certificate has expired.)
>>
>> Hard to say. I'd confirm that there is no time syncing service running,
>> ntp or otherwise.
>>
>>
>> I found out why the time kept changing; it was due to the fact that
>> it has VM tools installed (i didn't configure this box) so it
>> automatically sync time during bootup.
>>
>> I did still see this error message:
>>
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server. Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found))
>>
>> I tried the step http://www.freeipa.org/page/Troubleshooting with
>>
>> certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>> openssl x509 -text -in /tmp/ra.crt
>> certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>> service httpd restart
>>
>> So that I can get rid of one of the CA cert that is expired (kept
>> the 1st one) but still getting same error
>>
>> What exactly is CMS and why is it not found?
>>
>>
>> I did notice that the selftest log is empty with a different time:
>>
>> -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
>>
>> [root at test ~]# clock Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds
>>
>> Here are some debug log after reboot:
>>
>> [root at test pki-ca]# tail -n 100 catalina.out
>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>> Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>> INFO: Jk running ID=0 time=1/23config=null
>> Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>> INFO: Server startup in 1722 ms
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9180
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9443
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9445
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9444
>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>> INFO: Pausing Coyote HTTP/1.1 on http-9446
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>> INFO: Stopping service Catalina
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>> INFO: Stopping Coyote HTTP/1.1 on http-9180
>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>> INFO: Stopping Coyote HTTP/1.1 on http-9443
>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>> INFO: Stopping Coyote HTTP/1.1 on http-9445
>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>> INFO: Stopping Coyote HTTP/1.1 on http-9444
>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>> INFO: Stopping Coyote HTTP/1.1 on http-9446
>> Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
>> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>> INFO: Initializing Coyote HTTP/1.1 on http-9180
>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>> INFO: Initializing Coyote HTTP/1.1 on http-9443
>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>> INFO: Initializing Coyote HTTP/1.1 on http-9445
>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>> INFO: Initializing Coyote HTTP/1.1 on http-9444
>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>> INFO: Initializing Coyote HTTP/1.1 on http-9446
>> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
>> INFO: Initialization processed in 2198 ms
>> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
>> INFO: Starting service Catalina
>> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
>> INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
>> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
>> INFO: Deploying web application directory ROOT
>> Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
>> INFO: Deploying web application directory ca
>> 64-bit osutil library loaded
>> 64-bit osutil library loaded
>> Certificate object not found
>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>> INFO: Starting Coyote HTTP/1.1 on http-9180
>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>> INFO: Starting Coyote HTTP/1.1 on http-9443
>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>> INFO: Starting Coyote HTTP/1.1 on http-9445
>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>> INFO: Starting Coyote HTTP/1.1 on http-9444
>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>> INFO: Starting Coyote HTTP/1.1 on http-9446
>> Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>> Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
>> INFO: Jk running ID=0 time=0/40config=null
>> Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
>> INFO: Server startup in 2592 ms
>>
>> [root at test pki-ca]# tail -n 100 debug
>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default
>>
com.netscape.cms.profile.def.CertificateVersionDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default >> Extended Key Usage Extension Default >> com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> policyConstraintsExtDefaultImpl Policy Constraints Extension Default >> Policy Constraints Extension Default >> com.netscape.cms.profile.def.PolicyConstraintsExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> crlDistributionPointsExtDefaultImpl CRL Distribution Points >> Extension Default CRL Distribution Points Extension Default >> com.netscape.cms.profile.def.CRLDistributionPointsExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> certificatePoliciesExtDefaultImpl Certificate Policies Extension >> Default Certificate Policies Extension Default >> com.netscape.cms.profile.def.CertificatePoliciesExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> validityDefaultImpl Validity Default Validty Default >> com.netscape.cms.profile.def.ValidityDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> privateKeyPeriodExtDefaultImpl Private Key Period Ext Default >> Private Key Period Ext Default >> com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> noDefaultImpl No Default No Default >> com.netscape.cms.profile.def.NoDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> imageDefaultImpl Image Default Image Default >> com.netscape.cms.profile.def.ImageDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> subjectInfoAccessExtDefaultImpl Subject Info Access Extension >> Default Subject Info Access Extension Default >> com.netscape.cms.profile.def.SubjectInfoAccessExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin 
defaultPolicy >> autoAssignDefaultImpl Auto Request Assignment Default Auto Request >> Assignment Default com.netscape.cms.profile.def.AutoAssignDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> policyMappingsExtDefaultImpl Policy Mappings Extension Default >> Policy Mappings Extension Default >> com.netscape.cms.profile.def.PolicyMappingsExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> caValidityDefaultImpl CA Certificate Validity Default CA Certificate >> Validty Default com.netscape.cms.profile.def.CAValidityDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> userExtensionDefaultImpl User Supplied Extension Default User >> Supplied Extension Default >> com.netscape.cms.profile.def.UserExtensionDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default >> Netscape Certificate Type Extension Default >> com.netscape.cms.profile.def.NSCertTypeExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default >> Token Supplied Subject Name Default >> com.netscape.cms.profile.def.AuthTokenSubjectNameDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> subjectNameDefaultImpl Subject Name Default Subject Name Default >> com.netscape.cms.profile.def.SubjectNameDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> userSigningAlgDefaultImpl User Supplied Signing Alg Default User >> Supplied Signing Alg Default >> com.netscape.cms.profile.def.UserSigningAlgDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default >> Subject Key Identifier Default >> com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy 
Extension Default >> Inhibit Any-Policy Extension Default >> com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> nsTokenDeviceKeySubjectNameDefaultImpl >> nsTokenDeviceKeySubjectNameDefault >> nsTokenDeviceKeySubjectNameDefaultImpl >> com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape >> Comment Extension Default >> com.netscape.cms.profile.def.NSCCommentExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm >> Default com.netscape.cms.profile.def.SigningAlgDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy >> nameConstraintsExtDefaultImpl Name Constraints Extension Default >> Name Constraints Extension Default >> com.netscape.cms.profile.def.NameConstraintsExtDefault >> >> [27/Jan/2016:15:30:43][main]: added plugin profileUpdater >> subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for >> Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request >> >> 
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca >> >> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca >> >> [27/Jan/2016:15:30:43][main]: CertificateAuthority init >> >> [27/Jan/2016:15:30:43][main]: Cert Repot inited >> >> [27/Jan/2016:15:30:43][main]: CRL Repot inited >> >> [27/Jan/2016:15:30:43][main]: Replica Repot inited >> >> [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname >> caSigningCert cert-pki-ca >> >> [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token >> by name >> >> [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert >> cert-pki-ca' with serial number: 1 >> >> [27/Jan/2016:15:30:43][main]: converted to x509CertImpl >> >> [27/Jan/2016:15:30:43][main]: Got private key from cert >> >> [27/Jan/2016:15:30:43][main]: Got public key from cert >> >> [27/Jan/2016:15:30:43][main]: got signing algorithm >> RSASignatureWithSHA256Digest >> >> [27/Jan/2016:15:30:43][main]: CA signing unit inited >> >> [27/Jan/2016:15:30:43][main]: cachainNum= 0 >> >> [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS. 
>> >> [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname >> ca.ocsp_signing.cert >> >> [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token >> by name >> >> [27/Jan/2016:15:30:43][main]: SigningUnit init: debug >> org.mozilla.jss.crypto.ObjectNotFoundException >> >> [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException >> >> Certificate object not found >> >> at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) >> >> at >> >> com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204) >> >> at >> >> com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) >> >> at >> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) >> >> at >> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) >> >> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) >> >> at com.netscape.certsrv.apps.CMS.init(CMS.java:153) >> >> at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) >> >> at >> >> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) >> >> at >> >> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) >> >> at >> >> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) >> >> at >> >> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) >> >> at >> >> org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) >> >> at >> >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) >> >> at >> >> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) >> >> at >> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) >> >> at >> >> org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) >> >> at >> >> org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) >> >> at >> org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) >> >> at 
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) >> >> at >> >> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) >> >> at >> >> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) >> >> at >> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) >> >> at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) >> >> at >> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) >> >> at >> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) >> >> at >> >> org.apache.catalina.core.StandardService.start(StandardService.java:516) >> >> at >> org.apache.catalina.core.StandardServer.start(StandardServer.java:710) >> >> at org.apache.catalina.startup.Catalina.start(Catalina.java:593) >> >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> >> at >> >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >> >> at >> >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> >> at java.lang.reflect.Method.invoke(Method.java:616) >> >> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) >> >> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) >> >> [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown() >> >> >> >> >> > >> >> > > Would really greatly appreciate any help on this. >> > > >> > > Also I noticed after I do ldapmodify of >> usercertificate binary >> > data with >> > > >> > > add: usercertificate;binary >> > > usercertificate;binary: !@#$@!#$#@$ >> > >> > You really pasted in binary? Or was this base64-encoded >> data? >> > >> > I wonder if there is a problem in the wiki. 
If this is >> really a binary >> > value you should start with a DER-encoded cert and load >> it using >> > something like: >> > >> > dn: uid=ipara,ou=people,o=ipaca >> > changetype: modify >> > add: usercertificate;binary >> > usercertificate;binary:< file:///path/to/cert.der >> > >> > You can use something like openssl x509 to switch between >> PEM and DER >> > formats. >> > >> > I have a vague memory that dogtag can deal with a >> multi-valued >> > usercertificate attribute. >> > >> > rob >> > >> > >> > Yes the wiki stated binary, the result of: >> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b >> > uid=ipara,ou=People,o=ipaca -W >> > >> > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ... >> > >> > But the actual data is from a PEM though. >> >> Ok. So I looked at my CA data and it doesn't use the binary >> subtype, so >> my entries look like: >> >> userCertificate:: MIID.... >> >> It might make a difference if dogtag is looking for the subtype >> or not. >> >> rob >> >> > >> > > >> > > Then I re-run >> > > >> > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory >> manager' -W >> > -b uid=ipara,ou=People,o=ipaca >> > > >> > > I see 2 entries for usercertificate;binary (before >> modify there >> > was only >> > > 1) but they are duplicate and NOT from data that I >> added. That seems >> > > incorrect to me. >> > > >> > > >> > > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng >> > > > >> > > >> > > >> > > >>> wrote: >> > > >> > > klist is actually empty; kinit admin fails. >> Sounds like then >> > > getcert resubmit has a dependency on kerberoes. I >> can get a >> > backup >> > > image that has a valid ticket but it is only good >> for 1 day (and >> > > dated pasted the cert expire). >> > > >> > > Also I had asked awhile back about whether there >> is dependency on >> > > DIRSRV to renew the cert; didn't get any response >> but I suspect >> > > there is a dependency. 
>> > > >> > > Regarding the clock skew, I found out from >> /var/log/message that >> > > shows me this so it may be from named: >> > > >> > > Jan 28 14:10:42 test named[2911]: Failed to init >> credentials >> > (Clock >> > > skew too great) >> > > Jan 28 14:10:42 test named[2911]: loading >> configuration: failure >> > > Jan 28 14:10:42 test named[2911]: exiting (due to >> fatal error) >> > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: >> Unspecified GSS >> > > failure. Minor code may provide more information >> (Creden >> > > tials cache file '/tmp/krb5cc_496' not found) >> > > >> > > I don't have a krb5cc_496 file (since klist is >> empty), so >> > sounds to >> > > me I need to get a kerberoes ticket before going any >> > further. Also >> > > is the file /etc/krb5.keytab access/modification >> time >> > important? I >> > > had changed time back to before the cert >> expiration date and >> > reboot >> > > and try renew but the error message about clock >> skew is still >> > > there. That seems strange. >> > > >> > > Lastly, as a absolute last resort, can I >> regenerate a new cert >> > > myself? >> > > >> > >> >> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html >> > > >> > > [root at test /]# klist >> > > klist: No credentials cache found (ticket cache >> > FILE:/tmp/krb5cc_0) >> > > [root at test /]# service ipa start >> > > Starting Directory Service >> > > Starting dirsrv: >> > > PKI-IPA... >> > [ OK ] >> > > sample-NET... 
>> > [ OK ] >> > > Starting KDC Service >> > > Starting Kerberos 5 KDC: >> [ >> > OK ] >> > > Starting KPASSWD Service >> > > Starting Kerberos 5 Admin Server: >> [ >> > OK ] >> > > Starting DNS Service >> > > Starting named: >> > [FAILED] >> > > Failed to start DNS Service >> > > Shutting down >> > > Stopping Kerberos 5 KDC: >> [ >> > OK ] >> > > Stopping Kerberos 5 Admin Server: >> [ >> > OK ] >> > > Stopping named: >> [ >> > OK ] >> > > Stopping httpd: >> [ >> > OK ] >> > > Stopping pki-ca: >> [ >> > OK ] >> > > Shutting down dirsrv: >> > > PKI-IPA... >> > [ OK ] >> > > sample-NET... >> > [ OK ] >> > > Aborting ipactl >> > > [root at test /]# klist >> > > klist: No credentials cache found (ticket cache >> > FILE:/tmp/krb5cc_0) >> > > [root at test /]# service ipa status >> > > Directory Service: STOPPED >> > > Failed to get list of services to probe status: >> > > Directory Server is stopped >> > > >> > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka >> > >> > >> > > > > >>> wrote: >> > > >> > > On 27/04/16 21:54, Anthony Cheng wrote: >> > > > Hi list, >> > > > >> > > > I am trying to renew expired certificates >> following the >> > > manual renewal procedure >> > > > here >> > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) >> > > but even with >> > > > resetting the system/hardware clock to a >> time before >> > expires, >> > > I am getting the >> > > > error "ca-error: Error setting up ccache >> for local "host" >> > > service using default >> > > > keytab: Clock skew too great." >> > > > >> > > > With NTP disable and clock reset why would >> it complain >> > about >> > > clock skew and how >> > > > does it even know about the current time? >> > > > >> > > > [root at test certs]# getcert list >> > > > Number of certificates and requests being >> tracked: 8. 
>> > > > Request ID '20111214223243': >> > > > status: MONITORING >> > > > ca-error: Error setting up ccache >> for local >> > "host" >> > > service using >> > > > default keytab: Clock skew too great. >> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> >> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >> > > > Certificate >> > > >> DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> >> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >> > > > Certificate DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate >> Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:46 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20111214223300': >> > > > status: MONITORING >> > > > ca-error: Error setting up ccache >> for local >> > "host" >> > > service using >> > > > default keytab: Clock skew too great. 
>> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> > > Certificate >> > > > >> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> > > Certificate >> > > > DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate >> Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:45 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20111214223316': >> > > > status: MONITORING >> > > > ca-error: Error setting up ccache >> for local >> > "host" >> > > service using >> > > > default keytab: Clock skew too great. >> > > > stuck: no >> > > > key pair storage: >> > > > >> > > >> > >> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > > > Certificate >> DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > > > certificate: >> > > > >> > > >> > >> >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> > > > Certificate DB' >> > > > CA: IPA >> > > > issuer: CN=Certificate >> Authority,O=sample.NET >> > > > subject: CN=test.sample.net >> >> > >> > > ,O=sample.NET >> > > > expires: 2016-01-29 14:09:45 UTC >> > > > eku: id-kp-serverAuth >> > > > pre-save command: >> > > > post-save command: >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130741': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no >> response to >> > > > >> > > >> > >> >> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". 
>> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate >> Authority,O=sample.NET >> > > > subject: CN=CA Audit,O=sample.NET >> > > > expires: 2017-10-13 14:10:49 UTC >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "auditSigningCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130742': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no >> response to >> > > > >> > > >> > >> >> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
>> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate >> Authority,O=sample.NET >> > > > subject: CN=OCSP >> Subsystem,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: id-kp-OCSPSigning >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "ocspSigningCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130743': >> > > > status: NEED_CSR_GEN_PIN >> > > > ca-error: Internal error: no >> response to >> > > > >> > > >> > >> >> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". 
>> > > > stuck: yes >> > > > key pair storage: >> > > > >> > > >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > > > cert-pki-ca',token='NSS Certificate >> DB',pin='297100916664 >> > > > ' >> > > > certificate: >> > > > >> > > >> > >> >> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > > > cert-pki-ca',token='NSS Certificate DB' >> > > > CA: dogtag-ipa-renew-agent >> > > > issuer: CN=Certificate >> Authority,O=sample.NET >> > > > subject: CN=CA >> Subsystem,O=sample.NET >> > > > expires: 2017-10-13 14:09:49 UTC >> > > > eku: >> id-kp-serverAuth,id-kp-clientAuth >> > > > pre-save command: >> > /usr/lib64/ipa/certmonger/stop_pkicad >> > > > post-save command: >> > > /usr/lib64/ipa/certmonger/renew_ca_cert >> > > > "subsystemCert cert-pki-ca" >> > > > track: yes >> > > > auto-renew: yes >> > > > Request ID '20130519130744': >> > > > status: MONITORING >> > > > ca-error: Internal error: no >> response to >> > > > >> > > >> > >> >> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
>> > > >             stuck: no
>> > > >             key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > > >             certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> > > >             CA: dogtag-ipa-renew-agent
>> > > >             issuer: CN=Certificate Authority,O=sample.NET
>> > > >             subject: CN=RA Subsystem,O=sample.NET
>> > > >             expires: 2017-10-13 14:09:49 UTC
>> > > >             eku: id-kp-serverAuth,id-kp-clientAuth
>> > > >             pre-save command:
>> > > >             post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> > > >             track: yes
>> > > >             auto-renew: yes
>> > > > Request ID '20130519130745':
>> > > >             status: NEED_CSR_GEN_PIN
>> > > >             ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>> > > >             stuck: yes
>> > > >             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > > > '
>> > > >             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert

From ssorce at redhat.com Wed May 4 14:37:07 2016
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 04 May 2016 10:37:07 -0400
Subject: [Freeipa-users] freeipa password policy (history) getting reset with password reset
In-Reply-To: <42cec20e-bdba-ff57-384d-3ea2320923ed@redhat.com>
References: <42cec20e-bdba-ff57-384d-3ea2320923ed@redhat.com>
Message-ID: <1462372627.3624.63.camel@redhat.com>

On Wed, 2016-05-04 at 16:16 +0200, Martin Kosek wrote:
> On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am running a freeipa server 4.2.x.
> >
> > I have the following global password policy set to force a history of 3
> >
> > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 --maxfail=3 --failinterval=300
> >
> > This works well when the user himself changes the password, and IPA does not
> > allow reusing older passwords.
> >
> > However, if the admin resets it ("ipa user-mod testuser --random") then it seems
> > to reset the password history as well and the user can now re-use his older password.
> >
> > Is this expected or is there something I can do about it?
>
> Good question, CCing Simo on this one.

It is arguably a bug, history shouldn't be lost IMHO.

Simo.

> > Also, is there a way to get the password expiry warning at the terminal when a
> > user logs in, something similar to the "pwdExpireWarning" in ldap.
> >
> > I searched a bit and could only find setting up email alerts.
>
> CCing Jakub from SSSD team.
>
> Martin

From jhrozek at redhat.com Wed May 4 14:41:36 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 4 May 2016 16:41:36 +0200
Subject: [Freeipa-users] get freeipa to update ad users and groups more often
In-Reply-To:
References:
Message-ID: <20160504144136.GN3666@hendrix>

On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> This goes especially for ad groups that are nested in ipa_groups
>
> ie :
> Microsoft group is defined as an external group,
> and that external group is member of an ipa group
> and that ipa group takes forever.
>
> Regards
> Rob Verduijn

All the work in this area is done by sssd on the server. The sssd there
runs a periodical task to re-fetch new external group memberships every
10 seconds. So I would expect the group memberships to turn up after 10
seconds at worst.

Are you sure (from sssd logs) that maybe sssd is not going into offline
state and just consults its cache?
>
>
> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> > Hello,
> >
> > I'm using a trust to Microsoft Active Directory to allow users access
> > to linux servers.
> >
> > But when a user is added it takes a very long time for ipa to register this.
> > And even more time for the ipa clients since they have to wait for the
> > ipa servers.
> >
> > Since I hate to tell the users to wait for a couple hours, and also I
> > do not like to clean up the sssd cache folder each time a new user
> > appears.
> >
> > Is there a way to tell ipa and all clients to refresh their cache ?
> >
> > Regards
> > Rob Verduijn
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From rob.verduijn at gmail.com Wed May 4 15:00:50 2016
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Wed, 4 May 2016 17:00:50 +0200
Subject: [Freeipa-users] get freeipa to update ad users and groups more often
In-Reply-To: <20160504144136.GN3666@hendrix>
References: <20160504144136.GN3666@hendrix>
Message-ID:

To make sure, I did the following on the ipa host:

systemctl stop sssd.service
rm -f /var/lib/sss/db/*
systemctl start sssd.service

Now there is no cheating from cache.

getent passwd user@AD-DOMAIN.COM works and gives the userid.
id user@AD-DOMAIN.COM works fine and shows all groups the user is a member of, including ad_linux_administrators (ipa group) and 'linux administrators@AD-DOMAIN.COM'.
getent group ad_linux_administrators only shows the group ad, no members; these pop up after a very long time.
getent group 'linux administrators@AD-DOMAIN.COM' immediately shows all members.

weird....
Rob Verduijn

2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> This goes especially for ad groups that are nested in ipa_groups
>>
>> ie :
>> Microsoft group is defined as an external group,
>> and that external group is member of an ipa group
>> and that ipa group takes forever.
>>
>> Regards
>> Rob Verduijn
>
> All the work in this area is done by sssd on the server. The sssd there
> runs a periodical task to re-fetch new external group memberships every
> 10 seconds. So I would expect the group memberships to turn up after 10
> seconds at worst.
>
> Are you sure (from sssd logs) that maybe sssd is not going into offline
> state and just consults its cache?
>
>>
>>
>> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
>> > Hello,
>> >
>> > I'm using a trust to Microsoft Active Directory to allow users access
>> > to linux servers.
>> >
>> > But when a user is added it takes a very long time for ipa to register this.
>> > And even more time for the ipa clients since they have to wait for the
>> > ipa servers.
>> >
>> > Since I hate to tell the users to wait for a couple hours, and also I
>> > do not like to clean up the sssd cache folder each time a new user
>> > appears.
>> >
>> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >
>> > Regards
>> > Rob Verduijn
>>
>

From peljasz at yahoo.co.uk Wed May 4 16:05:08 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 04 May 2016 17:05:08 +0100
Subject: [Freeipa-users] service cert to a host/member/service
Message-ID: <1462377908.6964.244.camel@yahoo.co.uk>

hi users,

as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host (which is domain member)?
I understand certificates issued with:

$ ipa cert-request --add --principal

are stored in ldap backend, (yet I don't quite get the difference
between that tool and ipa-getcert).
How do I get such a certificate off the server and to a host-not-server?
In my case I'm hoping to use this certificate in apache+nss.
I realize I also will need CA certificate on that host, which I got hold
of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
right way?

many thanks.
L
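The procedure this question asks about (a certificate issued through the IPA CLI for a host that is not an IPA client, then moved there together with the CA certificate for an NSS-backed Apache), as an added shell example that is not part of the thread. The hostnames, realm, NSS database path, its password file and the `Serial number:` output pattern it parses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Three functions, each run on the host
# named in its comment. Every name and path below is an assumption.
set -eu

# Pull the serial number out of `ipa cert-request` output, which prints a line
# such as "  Serial number: 17" (layout assumed from the ipa CLI's usual format).
serial_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Serial number: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Step 1, on the host that is NOT an IPA client: create the NSS database
# (if missing) and a CSR whose private key stays inside that database.
make_csr() {            # make_csr DBDIR FQDN PWFILE OUTCSR
    dbdir=$1; fqdn=$2; pwfile=$3; out=$4
    [ -d "$dbdir" ] || { mkdir -p "$dbdir"; certutil -N -d "$dbdir" -f "$pwfile"; }
    certutil -R -d "$dbdir" -f "$pwfile" -s "CN=$fqdn,O=EXAMPLE.TEST" -g 2048 -a -o "$out"
}

# Step 2, on an enrolled host holding an admin Kerberos ticket: submit the CSR
# for the service principal, then fetch the issued certificate by serial number.
request_cert() {        # request_cert CSR FQDN REALM OUTPEM
    csr=$1; fqdn=$2; realm=$3; out=$4
    out_text=$(ipa cert-request --add --principal="HTTP/$fqdn@$realm" "$csr")
    serial=$(serial_from_output "$out_text")
    [ -n "$serial" ] || { echo "no serial number in cert-request output" >&2; return 1; }
    ipa cert-show "$serial" --out="$out"
}

# Step 3, back on the non-client host: import the IPA CA (copied from the
# enrolled host's /etc/ipa/ca.crt) as a trusted issuer and the server cert
# under the nickname mod_nss will reference; the key from step 1 is already
# in this database, so the cert pairs with it.
import_into_nss() {     # import_into_nss DBDIR PWFILE CAPEM CERTPEM
    dbdir=$1; pwfile=$2; ca=$3; cert=$4
    certutil -A -d "$dbdir" -f "$pwfile" -n "IPA CA" -t "CT,," -a -i "$ca"
    certutil -A -d "$dbdir" -f "$pwfile" -n "Server-Cert" -t "u,u,u" -a -i "$cert"
    # Verify the chain and key usage before pointing mod_nss at the nickname.
    certutil -V -d "$dbdir" -f "$pwfile" -n "Server-Cert" -u V
}

# Usage, on the respective hosts (assumed paths):
#   make_csr /etc/httpd/alias web.example.test /etc/httpd/alias/pwdfile.txt /tmp/web.csr
#   request_cert /tmp/web.csr web.example.test EXAMPLE.TEST /tmp/web.crt
#   import_into_nss /etc/httpd/alias /etc/httpd/alias/pwdfile.txt /tmp/ca.crt /tmp/web.crt
```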
From jhrozek at redhat.com Wed May 4 16:06:05 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 4 May 2016 18:06:05 +0200
Subject: [Freeipa-users] get freeipa to update ad users and groups more often
In-Reply-To:
References: <20160504144136.GN3666@hendrix>
Message-ID: <20160504160605.GP3666@hendrix>

On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> to make sure I did the following on the ipa host
>
> systemctl stop sssd.service
> rm -f /var/lib/sss/db/*
> systemctl start sssd.service
>
> now there is no cheating from cache
> getent passwd user@AD-DOMAIN.COM works and gives userid
> id user@AD-DOMAIN.COM works fine and shows all groups the user is a
> member of including ad_linux_administrators (ipa group) and 'linux
> administrators@AD-DOMAIN.COM'
> getent group ad_linux_administrators only shows the group ad, no
> members, these pop up after a very long time
> getent group 'linux administrators@AD-DOMAIN.COM' immediately shows all members

Please note that getent group only works with very recent versions of
ipa and sssd. What version are you running?

>
> weird....
>
> Rob Verduijn
>
> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> This goes especially for ad groups that are nested in ipa_groups
> >>
> >> ie :
> >> microsoft group is defined as an external group,
> >> and that external group is member of an ipa group
> >> and that ipa group takes forever.
> >>
> >> Regards
> >> Rob Verduijn
> >
> > All the work in this area is done by sssd on the server. The sssd there
> > runs a periodical task to re-fetch new external groups memberships every
> > 10 seconds. So I would expect the group memberships to turn up after 10
> > seconds at worst.
> >
> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> > state and just consults its cache?
> >
> >>
> >>
> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> >> > Hello,
> >> >
> >> > I'm using a trust to microsoft active directory to allow users access
> >> > to linux servers.
> >> >
> >> > But when a user is added it takes a very long time for ipa to register this.
> >> > And even more time for the ipa clients since they have to wait for the
> >> > ipa servers.
> >> >
> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> > do not like to clean up the sssd cache folder each time a new user
> >> > appears.
> >> >
> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >
> >> > Regards
> >> > Rob Verduijn
> >>
> >

From rcritten at redhat.com Wed May 4 17:26:27 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 4 May 2016 13:26:27 -0400
Subject: [Freeipa-users] service cert to a host/member/service
In-Reply-To: <1462377908.6964.244.camel@yahoo.co.uk>
References: <1462377908.6964.244.camel@yahoo.co.uk>
Message-ID: <572A30C3.7090603@redhat.com>

lejeczek wrote:
> hi users,
>
> as one follows official docs and issues a certificate for a
> service/host, one wonders what is the correct way to move such a
> certificate to a host (which is domain member)?
> I understand certificates issued with:
>
> $ ipa cert-request --add --principal
>
> are stored in ldap backend, (yet I don't quite get the difference
> between that tool and ipa-getcert).

The first uses the IPA command-line to get a cert directly. ipa-getcert
uses certmonger.
If you are getting a certificate for another host, particularly if that
host isn't an IPA client, then the first form is the way to go.

> How do I get such a certificate off the server and to a host-not-server?

$ ipa cert-show --out cert.pem

> In my case I'm hoping to use this certificate in apache+nss.
> I realize I also will need CA certificate on that host, which I got hold
> of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
> right way?

So in this case you'd want to generate the CSR on the host-not-server
using certutil. You'd take that CSR to the enrolled host and run ipa
cert-request ...

Get a copy of the cert and get that and /etc/ipa/ca.crt to the
host-not-server.

Use certutil to add both to your NSS database.

rob

From rob.verduijn at gmail.com Wed May 4 20:51:37 2016
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Wed, 4 May 2016 22:51:37 +0200
Subject: [Freeipa-users] get freeipa to update ad users and groups more often
In-Reply-To: <20160504160605.GP3666@hendrix>
References: <20160504144136.GN3666@hendrix> <20160504160605.GP3666@hendrix>
Message-ID:

Hi,

I avoided the slow filling group by using the AD-Group with spaces
(was a tad more challenging for scripting)

But here's the releases (some of them)

ipa 4.2 and sssd 1.13

ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-common-1.13.0-40.el7_2.2.x86_64
sssd-client-1.13.0-40.el7_2.2.x86_64
sssd-ad-1.13.0-40.el7_2.2.x86_64

Cheers
Rob Verduijn

2016-05-04 18:06 GMT+02:00 Jakub Hrozek :
> On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
>> to make sure I did the following on the ipa host
>>
>> systemctl stop sssd.service
>> rm -f /var/lib/sss/db/*
>> systemctl start sssd.service
>>
>> now there is no cheating from cache
>> getent passwd user@AD-DOMAIN.COM works and gives userid
>> id user@AD-DOMAIN.COM works fine and shows all groups the user is a
>> member of including ad_linux_administrators (ipa group) and 'linux
>> administrators@AD-DOMAIN.COM'
>> getent group
ad_linux_administrators only shows the group ad, no
>> members, these pop up after a very long time
>> getent group 'linux administrators@AD-DOMAIN.COM' immediately shows all members
>
> Please note that getent group only works with very recent versions of
> ipa and sssd. What version are you running?
>
>>
>> weird....
>>
>> Rob Verduijn
>>
>> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
>> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> >> This goes especially for ad groups that are nested in ipa_groups
>> >>
>> >> ie :
>> >> microsoft group is defined as an external group,
>> >> and that external group is member of an ipa group
>> >> and that ipa group takes forever.
>> >>
>> >> Regards
>> >> Rob Verduijn
>> >
>> > All the work in this area is done by sssd on the server. The sssd there
>> > runs a periodical task to re-fetch new external groups memberships every
>> > 10 seconds. So I would expect the group memberships to turn up after 10
>> > seconds at worst.
>> >
>> > Are you sure (from sssd logs) that maybe sssd is not going into offline
>> > state and just consults its cache?
>> >
>> >>
>> >>
>> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
>> >> > Hello,
>> >> >
>> >> > I'm using a trust to microsoft active directory to allow users access
>> >> > to linux servers.
>> >> >
>> >> > But when a user is added it takes a very long time for ipa to register this.
>> >> > And even more time for the ipa clients since they have to wait for the
>> >> > ipa servers.
>> >> >
>> >> > Since I hate to tell the users to wait for a couple hours, and also I
>> >> > do not like to clean up the sssd cache folder each time a new user
>> >> > appears.
>> >> >
>> >> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >> >
>> >> > Regards
>> >> > Rob Verduijn
>> >>
>> >

From jeff.hallyburton at bloomip.com Thu May 5 01:23:14 2016
From: jeff.hallyburton at bloomip.com (Jeff Hallyburton)
Date: Wed, 4 May 2016 21:23:14 -0400
Subject: [Freeipa-users] Get Creation Time / Last Login Time for Users
Message-ID:

Hello,

We're looking for a way to get last login time and creation time for users
configured in FreeIPA. This information doesn't seem to be in the WebUI and
ipa user-status only provides limited information (last failed/successful
logins in seconds since epoch).

Is there a supported way to get this information?

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com
Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal: https://my.bloomip.com

From hatlam at gmail.com Thu May 5 01:51:20 2016
From: hatlam at gmail.com (Ha T. Lam)
Date: Wed, 4 May 2016 18:51:20 -0700
Subject: [Freeipa-users] Dogtag migration to FreeIPA
Message-ID:

Hi,

We have an in-house CA system managed by a stand-alone Dogtag system, we
would like to integrate it with our FreeIPA system which is already in use
and is setup with the company LDAP. I'm new to FreeIPA and I have some
questions about this process:

1. Is it possible to add our current Dogtag on top of the FreeIPA system
directly? If so, how would I achieve that?

2. If it's not possible to do the above, what about setting up a clone of
the current FreeIPA system and migrate Dogtag during the installation of
the replica? Is this a better option?

3. Any other alternative?
Thank you,
Ha

From ftweedal at redhat.com Thu May 5 02:12:03 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 5 May 2016 12:12:03 +1000
Subject: [Freeipa-users] Lost master 1 with CA service
In-Reply-To:
References:
Message-ID: <20160505021203.GS1237@dhcp-40-8.bne.redhat.com>

On Wed, May 04, 2016 at 08:45:19PM +0800, barrykfl at gmail.com wrote:
> Hi all:
>
> I got master 1 have ca and server 2 replicating. Now master 1
> fail all lost.
>
> Can i skip it, just make server 3 replicated slave or must
> recover master 1.
>
I take it `Server 2' was installed without the CA?

If this is the case, and if you cannot recover the first master with
the CA instance, then as long as you still have the replica info file
with which the replica(s) were created, then you have the bits to
recover the CA - but it will be quite an involved process.

I have never performed this recovery so there is no documentation,
but off the top of my head the steps would be (at a high level; no
detail yet):

1. Make some manual changes to make FreeIPA think it is CA-less

2. Extract CA signing key from the replica info file

3. Run ipa-ca-install to install the CA on one of the IPA servers,
   with external CA. This will generate a new private key and CSR to
   send to external CA.

4. Replace the new private key generated for the CSR, with the
   private key from the replica info file.

5. Continue the ipa-ca-install with the CA signing certificate from
   the replica info file.

6. Manually adjust serial number ranges to ensure the new CA instance
   does not issue certs with serial numbers that collide with certs
   issued by the original CA instance. (This might have to be hacked
   into the ipa-ca-install process).

7? Depending on whether your CA is self-signed, might need to tell
   certmonger to track the CA signing certificate.

8!
   Install a CA replica on another IPA server, so you don't have to
   do it all again if you lose the CA host in future :)

If you want to embark on this adventure, and get stuck (I know my
instructions were not detailed...), let me know. I will try and find
spare minutes to learn the details and document the process.

Cheers,
Fraser

From ftweedal at redhat.com Thu May 5 02:24:43 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 5 May 2016 12:24:43 +1000
Subject: [Freeipa-users] Dogtag migration to FreeIPA
In-Reply-To:
References:
Message-ID: <20160505022443.GT1237@dhcp-40-8.bne.redhat.com>

On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> Hi,
>
> We have an in-house CA system managed by a stand-alone Dogtag system, we
> would like to integrate it with our FreeIPA system which is already in use
> and is setup with the company LDAP. I'm new to FreeIPA and I have some
> questions about this process:
>
> 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> directly? If so, how would I achieve that?
>
This is not supported, though it's technically feasible (we just
don't have any code to do it).

> 2. If it's not possible to do the above, what about setting up a clone of
> the current FreeIPA system and migrate Dogtag during the installation of
> the replica? Is this a better option?
>
Same as above... technically feasible but no way to do it right now.

> 3. Any other alternative?
>
One alternative is to export your CA signing cert and key, and
install a new Dogtag instance in your FreeIPA environment. The IPA
Dogtag instance would be "detached" from your existing Dogtag
instance but, cryptographically speaking, it would be the same CA.
You would have to tweak serial number ranges to ensure the new
instance doesn't reuse serial numbers that were already used (a
simple procedure).
How well this would work in your organisation would depend on what
sorts of things you use the existing Dogtag for, how clients expect
to renew certificates, etc.

I'm happy to answer questions you might have in considering this
approach.

Cheers,
Fraser

From David.LeVene at blackboard.com Thu May 5 04:28:44 2016
From: David.LeVene at blackboard.com (David LeVene)
Date: Thu, 5 May 2016 04:28:44 +0000
Subject: [Freeipa-users] Advise for the best way to achieve AD Caching?
Message-ID:

Hey All,

I'm looking for a bit of direction around the best way to configure/setup an on-site cache &/or replica from an AD Server which will be uni-directional (AD -> IPA/slapd)

The masters are multiple AD Servers located around the place, and we exist in a place which is outside of the core network and that network link is a single point of failure.

What I want to achieve is in the event we lose connectivity with the world users can still authenticate, but if someone is disabled/updated at the top level it replicates down. I've got a test AD Server & have been reviewing IPA, but have hit an issue in that I can't get software installed on the AD Masters for the 389 dir sync software.

Currently I've configured a synchronization based solution with one way replication from the AD Masters -> IPA. This works fine and I can see all the users being created in IPA - but as the passwords can't be synced without installing software I can't use this method.

Another nice thing would be to have a separate domain/tree available so we can split up the staff that are from the master servers and some client related user/passes that won't be in the Global Directory - but managed from the same place.

Are there any other setups that will achieve what I require? Have seen slapd with proxy cache but I'm not sure on this option either and configuring slapd with all the ldif files manually seems a little daunting at first sight.
Thanks in advance,
David

This email and any attachments may contain confidential and proprietary information of Blackboard that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error.

From jhrozek at redhat.com Thu May 5 05:58:15 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 5 May 2016 07:58:15 +0200
Subject: [Freeipa-users] get freeipa to update ad users and groups more often
In-Reply-To:
References: <20160504144136.GN3666@hendrix> <20160504160605.GP3666@hendrix>
Message-ID: <20160505055815.GC2785@hendrix>

On Wed, May 04, 2016 at 10:51:37PM +0200, Rob Verduijn wrote:
> Hi,
>
> I avoided the slow filling group by using the AD-Group with spaces
> (was a tad more challenging for scripting)
>
> But here's the releases (some of them)
>
> ipa 4.2 and sssd 1.13
>
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

The IPA packages haven't been released yet (those will be at least
ipa-4.2.0-15.el7_2.15) but even with older packages, I would have
expected id to return the groups, "just" not getent group.
> sssd-common-1.13.0-40.el7_2.2.x86_64
> sssd-client-1.13.0-40.el7_2.2.x86_64
> sssd-ad-1.13.0-40.el7_2.2.x86_64
>
> Cheers
> Rob Verduijn
>
> 2016-05-04 18:06 GMT+02:00 Jakub Hrozek :
> > On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> >> to make sure I did the following on the ipa host
> >>
> >> systemctl stop sssd.service
> >> rm -f /var/lib/sss/db/*
> >> systemctl start sssd.service
> >>
> >> now there is no cheating from cache
> >> getent passwd user@AD-DOMAIN.COM works and gives userid
> >> id user@AD-DOMAIN.COM works fine and shows all groups the user is a
> >> member of including ad_linux_administrators (ipa group) and 'linux
> >> administrators@AD-DOMAIN.COM'
> >> getent group ad_linux_administrators only shows the group ad, no
> >> members, these pop up after a very long time
> >> getent group 'linux administrators@AD-DOMAIN.COM' immediately shows all members
> >
> > Please note that getent group only works with very recent versions of
> > ipa and sssd. What version are you running?
> >
> >>
> >> weird....
> >>
> >> Rob Verduijn
> >>
> >> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> >> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> >> This goes especially for ad groups that are nested in ipa_groups
> >> >>
> >> >> ie :
> >> >> microsoft group is defined as an external group,
> >> >> and that external group is member of an ipa group
> >> >> and that ipa group takes forever.
> >> >>
> >> >> Regards
> >> >> Rob Verduijn
> >> >
> >> > All the work in this area is done by sssd on the server. The sssd there
> >> > runs a periodical task to re-fetch new external groups memberships every
> >> > 10 seconds. So I would expect the group memberships to turn up after 10
> >> > seconds at worst.
> >> >
> >> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> >> > state and just consults its cache?
> >> >
> >> >>
> >> >>
> >> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> >> >> > Hello,
> >> >> >
> >> >> > I'm using a trust to microsoft active directory to allow users access
> >> >> > to linux servers.
> >> >> >
> >> >> > But when a user is added it takes a very long time for ipa to register this.
> >> >> > And even more time for the ipa clients since they have to wait for the
> >> >> > ipa servers.
> >> >> >
> >> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> >> > do not like to clean up the sssd cache folder each time a new user
> >> >> > appears.
> >> >> >
> >> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >> >
> >> >> > Regards
> >> >> > Rob Verduijn
> >> >>
> >> >

From barrykfl at gmail.com Thu May 5 08:36:19 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Thu, 5 May 2016 16:36:19 +0800
Subject: [Freeipa-users] Restore form full backup but some warns/error ok , BUT WORK OK service
Message-ID:

Hi All:

I restore from backup but some lib / pki errors come.
As the package was ipa-server-3.0.0-26.el6_4.4.x86_64
But now it is ipa-server-3.0.0-47.el6.centos.2.x86_64, it seems no harm?

How to tune it?
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [  OK  ]
Starting CA Service
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 88, in <module>
    cli = PKIServerCLI()
  File "/usr/sbin/pki-server", line 34, in __init__
    super(PKIServerCLI, self).__init__('pki-server', 'PKI server command-line interface')
  File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
    self.modules = collections.OrderedDict()
AttributeError: 'module' object has no attribute 'OrderedDict'
Starting pki-ca:                                           [  OK  ]

From pspacek at redhat.com Thu May 5 08:41:35 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 5 May 2016 10:41:35 +0200
Subject: [Freeipa-users] Who uses FreeIPA?
In-Reply-To: <20160504143302.GK3666@hendrix>
References: <20160503190958.GA1640@deverteuil.net> <20160503213102.GC9681@10.4.128.1> <20160504072340.GE3666@hendrix> <20160504143302.GK3666@hendrix>
Message-ID: <5fb07491-dadc-f09f-54a0-10b5821deb41@redhat.com>

On 4.5.2016 16:33, Jakub Hrozek wrote:
> On Wed, May 04, 2016 at 04:23:00PM +0200, Martin Kosek wrote:
>> On 05/04/2016 09:23 AM, Jakub Hrozek wrote:
>>> On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
>>>> On (03/05/16 15:09), Alexandre de Verteuil wrote:
>>>>> Hello all,
>>>>>
>>>>> I've deployed FreeIPA in my home lab and I'm happy to have single
>>>>> sign-on for all my Archlinux virtual machines and Fedora laptops :)
>>>>>
>>>>> It took me lots of research and conversations before hearing about
>>>>> FreeIPA for the first time while searching for a libre SSO solution. I
>>>>> think FreeIPA needs much more exposure. I am really impressed with it.
>>>>> Tomorrow I am giving a short presentation at my workplace to talk about
>>>>> it and invite other sysadmins to try it.
>>>>>
>>>>> I would like to make a slide showing the current adoption of FreeIPA. I
>>>>> read that Red Hat uses it internally, but do they actually deploy it in
>>>>> their client's infrastructures? Are there any big companies that use it?
>>>>> Even if I only have reports of schools and small businesses would be
>>>>> good enough to say it's production ready and it has traction.
>>>>>
>>>>> Whether you are reporting about your own use or you know where I can
>>>>> find out more would be greatly appreciated! I have not found a "Who uses
>>>>> FreeIPA" page on the Internet.
>>>>>
>>>> The GNOME Infrastructure is now powered by FreeIPA!
>>>> October 7, 2014
>>>>
>>>> https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/
>>>
>>> Would it make sense to add 'success stories' like this to the
>>> freeipa.org home page? Of course, we can't use Red Hat IDM customers,
>>> but those that use freeipa on Fedora/CentOS and hopefully soon on Ubuntu
>>> could be added there if they would agree..
>>
>> I think it would make sense. We already know at least about GNOME as Lukas
>> mentioned or about eBay's Hadoop clusters:
>>
>> https://hadoopsummit.uservoice.com/forums/344958-governance-and-security/suggestions/11664876-freeipa-for-securing-hadoop-fish
>>
>> I think we should start a new "References" page on the FreeIPA.org wiki and ask
>> for success stories from this list. Any takers? :-)
>
> I think we should ask those projects for permission first..

Why is that? The information is public in both cases, right?

I really do not see a reason for an ask-before-linking approach.
(The next step is "pay-before-linking" as seen in various proposals from
European governments.)

--
Petr^2 Spacek

From pspacek at redhat.com Thu May 5 08:46:35 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 5 May 2016 10:46:35 +0200
Subject: [Freeipa-users] Advise for the best way to achieve AD Caching?
In-Reply-To:
References:
Message-ID: <9ca667d0-6347-0954-96ba-7408b265814c@redhat.com>

On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
>
> I'm looking for a bit of direction around the best way to configure/setup an on-site cache &/or replica from an AD Server which will be uni-directional (AD -> IPA/slapd)
>
> The masters are multiple AD Servers located around the place, and we exist in a place which is outside of the core network and that network link is a single point of failure.
>
> What I want to achieve is in the event we lose connectivity with the world users can still authenticate, but if someone is disabled/updated at the top level it replicates down. I've got a test AD Server & have been reviewing IPA, but have hit an issue in that I can't get software installed on the AD Masters for the 389 dir sync software.
>
> Currently I've configured a synchronization based solution with one way replication from the AD Masters -> IPA. This works fine and I can see all the users being created in IPA - but as the passwords can't be synced without installing software I can't use this method.

All methods which can work completely off-line will require access to keys on
the AD server. This means either some additional software on the AD side OR
having a proper AD server which is hosted locally. This could theoretically be
a Samba 4 AD server if you want to try that.

If your clients are sufficiently new you can try to use SSSD everywhere but it
comes with its own limitations, e.g. users who never logged in before will not
be able to log in when the network link is down.

I hope this helps.

Petr^2 Spacek

> Another nice thing would be to have a separate domain/tree available so we can split up the staff that are from the master servers and some client related user/passes that won't be in the Global Directory - but managed from the same place.
>
> Are there any other setups that will achieve what I require?
> Have seen slapd with proxy cache but I'm not sure on this option either and configuring slapd with all the ldif files manually seems a little daunting at first sight.
>
> Thanks in advance,
> David

From peljasz at yahoo.co.uk Thu May 5 09:44:39 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Thu, 05 May 2016 10:44:39 +0100
Subject: [Freeipa-users] service cert to a host/member/service
In-Reply-To: <572A30C3.7090603@redhat.com>
References: <1462377908.6964.244.camel@yahoo.co.uk> <572A30C3.7090603@redhat.com>
Message-ID: <1462441479.4638.7.camel@yahoo.co.uk>

On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> >
> > as one follows official docs and issues a certificate for a
> > service/host, one wonders what is the correct way to move such a
> > certificate to a host (which is domain member)?
> > I understand certificates issued with:
> >
> > $ ipa cert-request --add --principal
> >
> > are stored in ldap backend, (yet I don't quite get the difference
> > between that tool and ipa-getcert).
>
> The first uses the IPA command-line to get a cert directly. ipa-getcert
> uses certmonger.
>
> If you are getting a certificate for another host, particularly if that
> host isn't an IPA client, then the first form is the way to go.
>
> > How do I get such a certificate off the server and to a host-not-server?
>
> $ ipa cert-show --out cert.pem
>
> > In my case I'm hoping to use this certificate in apache+nss.
> > I realize I also will need CA certificate on that host, which I got hold
> > of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
> > right way?
>
> So in this case you'd want to generate the CSR on the host-not-server
> using certutil. You'd take that CSR to the enrolled host and run ipa
> cert-request ...
>
> Get a copy of the cert and get that and /etc/ipa/ca.crt to the

Is this the only place where IPA's CA cert resides?
I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN

$ certutil -d /etc/dirsrv/slapd-MY..

gets me:

MY-DOMAIN IPA CA                      CT,C,C
Server-Cert                           u,u,u

what is that IPA CA then?
I also see the same with:

$ certutil -d /etc/httpd/alias -L

Is this the same one certificate? (including /etc/ipa/ca.crt)
I get these with: ipa-getcert list
I'm guessing these are set up by installer and to be managed by
certmonger, for DS and web server for certificates auto management
purposes?

many thanks.

> host-not-server.
>
> Use certutil to add both to your NSS database.
>
> rob
>

From kliu at alumni.warwick.ac.uk Thu May 5 10:08:42 2016
From: kliu at alumni.warwick.ac.uk (Barry)
Date: Thu, 5 May 2016 18:08:42 +0800
Subject: [Freeipa-users] Error Server update not syn to Server02 but reverse ok
Message-ID:

Hi all:

Original config server <> server02, either server can add user and sync.
Now server < server02, GSSAPI shows as below... ANY idea? THX

[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[05/May/2016:17:29:03 +0800] - WARNING: userRoot: entry cache size 10485760B is less than db size 17113088B; We recommend to increase the entry cache size nsslapd-cachememsize.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[05/May/2016:17:29:03 +0800] attrcrypt - attrcrypt_cipher_init: symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[05/May/2016:17:29:03 +0800] attrcrypt - All prepared ciphers are not available. Please disable attribute encryption.
[05/May/2016:17:29:03 +0800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ABC,dc=com
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[05/May/2016:17:29:07 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/server.ABC.com@ABC.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[05/May/2016:17:29:07 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[05/May/2016:17:29:07 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[05/May/2016:17:29:07 +0800] NSMMReplicationPlugin - agmt="cn=meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[05/May/2016:17:29:07 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[05/May/2016:17:29:07 +0800] - slapd started.
Listening on All Interfaces port 389 for LDAP requests [05/May/2016:17:29:07 +0800] - Listening on All Interfaces port 636 for LDAPS requests [05/May/2016:17:29:07 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests [05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn= meToserver02.ABC.com" (server02:389): Replication bind with GSSAPI auth resumed [05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn= meToserver02.ABC.com" (server02:389): Missing data encountered [05/May/2016:17:29:11 +0800] NSMMReplicationPlugin - agmt="cn= meToserver02.ABC.com" (server02:389): Incremental update failed and requires administrator action -------------- next part -------------- An HTML attachment was scrubbed... URL: From prashant at apigee.com Thu May 5 10:28:51 2016 From: prashant at apigee.com (Prashant Bapat) Date: Thu, 5 May 2016 15:58:51 +0530 Subject: [Freeipa-users] OTP token policies. In-Reply-To: References: Message-ID: +1 For enforcing OTP in web UI. When the user logs in for the first time he should be taken to a page to create a OTP token. Users should be able to login only using passwd+OTP. Are there any ideas for ensuring that all users are using OTP tokens ? On 4 May 2016 at 05:12, Peter Bisroev wrote: > Dear Developers, > > Firstly, thank you for a fantastic product. I have a few questions > relating to OTP that I could not find the answers to in the Red Hat IdM > manual, http://www.freeipa.org/page/V4/OTP document, and on both user and > devel mailing lists. Hopefully I have not missed anything obvious :) > > With FreeIPA version 4.2, is it possible to enforce policies on what > administrators and/or users can do with OTP tokens? For example: > > 1) Is there a way to enforce how many tokens can be active for a user at > the same time? > > 2) Is it possible to force the number of digits to be eight and a specific > algorithm to be used? 
> 3) Is it possible to force the user to create a new OTP token after the first password change?
>
> If there is such support, it can be used to overcome the soft OTP token enrollment bootstrap issue. For example, currently, if the administrator creates a new user and enables "Two factor authentication (password + OTP)" but does not assign an OTP token, the user is able to log in, change the password and continue using the new password without enabling 2FA indefinitely.
>
> However, once the OTP token is created, either by the administrator or the user, the system forces the token's use from this point on. Maybe in the future, FreeIPA can force the user to enable OTP at first login into the FreeIPA console? But I guess then, the system must somehow stop the users from logging in to any other service besides the FreeIPA web console, until the OTP token is generated.
>
> A few more questions:
>
> Would it be possible to describe a use case when having multiple OTP tokens enabled at the same time is a requirement?
>
> How does TOTP token synchronization work? Can it be disabled?
>
> Thank you for your time and help!
>
> Regards,
> --peter
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

-------------- next part --------------
An HTML attachment was scrubbed...
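The bootstrap gap Peter describes (2FA enabled on the account, no token enrolled yet) can at least be detected even where it cannot be enforced. The script below is an added example for this thread, not FreeIPA's own code: it parses the text that `ipa user-find --all --raw` and `ipa otptoken-find --all --raw` print and reports users whose effective authentication type includes `otp` but who own no token that is both enabled and unexpired. The attribute names (`ipauserauthtype`, `ipatokenowner`, `ipatokendisabled`, `ipatokennotafter`) are FreeIPA's own; the realm, users and tokens in the embedded samples are constructed, and the global default is assumed to come from `ipauserauthtype` as shown by `ipa config-show --raw`.

```python
"""Audit FreeIPA users who must log in with password+OTP but own no usable
token (the enrollment bootstrap gap discussed in the thread).  Added example,
not FreeIPA code: it parses the text `ipa user-find --all --raw` and
`ipa otptoken-find --all --raw` print (indented `attr: value` lines, entries
separated by blank lines).  Realm, users and tokens below are constructed."""

from datetime import datetime, timezone

# Global default, as read from ipauserauthtype in `ipa config-show --raw`
# (assumption); a user whose own ipauserauthtype is unset inherits it.
GLOBAL_AUTH_TYPES = {"otp"}

# Constructed sample of `ipa user-find --all --raw` output.
USER_FIND_OUTPUT = """\
--------------
4 users matched
--------------
  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  uid: alice
  ipauserauthtype: otp

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  uid: bob
  ipauserauthtype: otp

  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
  uid: carol
  ipauserauthtype: password

  dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
  uid: dave
"""

# Constructed sample of `ipa otptoken-find --all --raw` output.
OTPTOKEN_FIND_OUTPUT = """\
--------------------
3 OTP tokens matched
--------------------
  dn: ipatokenuniqueid=tok-alice-1,cn=otp,dc=example,dc=test
  ipatokenuniqueid: tok-alice-1
  ipatokenowner: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  ipatokendisabled: FALSE

  dn: ipatokenuniqueid=tok-bob-1,cn=otp,dc=example,dc=test
  ipatokenuniqueid: tok-bob-1
  ipatokenowner: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  ipatokendisabled: TRUE

  dn: ipatokenuniqueid=tok-dave-1,cn=otp,dc=example,dc=test
  ipatokenuniqueid: tok-dave-1
  ipatokenowner: uid=dave,cn=users,cn=accounts,dc=example,dc=test
  ipatokennotafter: 20160101000000Z
"""


def parse_ipa_raw(text):
    """Turn `ipa ... --raw` output into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:                      # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if not line.startswith(" ") or ":" not in stripped:
            continue                          # rule lines, "N users matched"
        key, _, value = stripped.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def effective_auth_types(user, global_types):
    """A per-user ipauserauthtype wins; an unset value inherits the global one."""
    own = {v.lower() for v in user.get("ipauserauthtype", [])}
    return own or set(global_types)


def token_is_usable(token, now):
    """A token counts only if it is not disabled and not past ipatokennotafter."""
    if token.get("ipatokendisabled", ["FALSE"])[0].upper() == "TRUE":
        return False
    not_after = token.get("ipatokennotafter")
    if not_after:
        expiry = datetime.strptime(not_after[0], "%Y%m%d%H%M%SZ")
        if expiry.replace(tzinfo=timezone.utc) <= now:
            return False
    return True


def users_requiring_otp_without_token(user_text, token_text, global_types, now):
    """Return the sorted uids that require OTP but own no usable token."""
    usable_owners = set()
    for token in parse_ipa_raw(token_text):
        if token_is_usable(token, now):
            usable_owners.update(o.lower() for o in token.get("ipatokenowner", []))
    gaps = []
    for user in parse_ipa_raw(user_text):
        dn = user["dn"][0].lower()
        if "otp" in effective_auth_types(user, global_types) and dn not in usable_owners:
            gaps.append(user["uid"][0])
    return sorted(gaps)


def audit_sample(global_types=GLOBAL_AUTH_TYPES):
    """Run the audit over the constructed samples as of 2016-05-05."""
    now = datetime(2016, 5, 5, tzinfo=timezone.utc)
    return users_requiring_otp_without_token(
        USER_FIND_OUTPUT, OTPTOKEN_FIND_OUTPUT, global_types, now)


if __name__ == "__main__":
    for uid in audit_sample():
        print(f"{uid}: OTP required but no usable token enrolled")
```

On a server, run the two `ipa` commands with an admin ticket and pass their output in place of the samples. A user with no `ipauserauthtype` of their own inherits the global value, which is why `dave` (expired token) is reported when the global default is `otp` and not when it is `password`; `bob` is reported either way because his only token is disabled.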
URL:

From pvoborni at redhat.com Thu May 5 11:49:32 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 5 May 2016 13:49:32 +0200
Subject: [Freeipa-users] service cert to a host/member/service
In-Reply-To: <1462441479.4638.7.camel@yahoo.co.uk>
References: <1462377908.6964.244.camel@yahoo.co.uk> <572A30C3.7090603@redhat.com> <1462441479.4638.7.camel@yahoo.co.uk>
Message-ID:

On 05/05/2016 11:44 AM, lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a service/host, one wonders what is the correct way to move such a certificate to a host (which is domain member)? I understand certificates issued with: $ ipa cert-request --add --principal are stored in ldap backend, (yet I don't quite get the difference between that tool and ipa-certget).
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server?
>>
>> $ ipa cert-show --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I realize I also will need CA certificate on that host, which I got hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way?
>>
>> So in this case you'd want to generate the CSR on the host-not-server using certutil. You'd take that CSR to the enrolled host and run ipa cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA's CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
>
> MY-DOMAIN IPA CA    CT,C,C
> Server-Cert         u,u,u
>
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)
>
> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by certmonger, for DS and web server for certificates auto management purposes?

You can use the generic `getcert` tool to get all certs managed by certmonger and their location. It will also show you PKI internal certs.

# getcert list

`ipa-getcert list` is equivalent to `getcert list -c IPA`

>
> many thanks.
>
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
>>

--
Petr Vobornik

From rcritten at redhat.com Thu May 5 13:07:08 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 5 May 2016 09:07:08 -0400
Subject: [Freeipa-users] service cert to a host/member/service
In-Reply-To: <1462441479.4638.7.camel@yahoo.co.uk>
References: <1462377908.6964.244.camel@yahoo.co.uk> <572A30C3.7090603@redhat.com> <1462441479.4638.7.camel@yahoo.co.uk>
Message-ID: <572B457C.3020805@redhat.com>

lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a service/host, one wonders what is the correct way to move such a certificate to a host (which is domain member)? I understand certificates issued with: $ ipa cert-request --add --principal are stored in ldap backend, (yet I don't quite get the difference between that tool and ipa-certget).
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server?
>>
>> $ ipa cert-show --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I realize I also will need CA certificate on that host, which I got hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way?
>>
>> So in this case you'd want to generate the CSR on the host-not-server using certutil. You'd take that CSR to the enrolled host and run ipa cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA's CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
>
> MY-DOMAIN IPA CA    CT,C,C
> Server-Cert         u,u,u
>
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)

Yes, these are all (or should be) the same (there is a copy in LDAP too).

> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by certmonger, for DS and web server for certificates auto management purposes?

Yes, certmonger manages automatic renewal.

rob

> many thanks.
>
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
>>

From andrew.holway at gmail.com Thu May 5 13:54:56 2016
From: andrew.holway at gmail.com (Andrew Holway)
Date: Thu, 5 May 2016 15:54:56 +0200
Subject: [Freeipa-users] Automatic consistency checking
Message-ID:

Hello,

We've been using FreeIPA on CentOS for a while and found one day that the replication stuff was broken and that the LDAP database on our pair of IPA servers was inconsistent. We didn't know how long this had been broken for, but we were not able to repair it either.

We use AWS so we've now deployed RHEL AMIs and are now using IdM so we can get support when this is breaking, but I am a bit stuck on how to monitor that the replication is still working.

So are there some monitoring mechanisms in FreeIPA?

Cheers,

Andrew

-------------- next part --------------
An HTML attachment was scrubbed...
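For the monitoring Andrew asks about, here is an added example (not part of the thread and not FreeIPA's own code) that parses the `ipa-replica-manage list -v <host>` output format Martin Babinsky shows in his reply and reports agreements whose last update status is non-zero or missing, or whose last successful update is older than a threshold. The hosts, timestamps and the failing status text in the embedded sample are constructed, and the optional `Error (N)` wrapping the regex accepts is an assumption about newer 389-ds builds; the bare leading number is what the thread shows.

```python
"""Flag FreeIPA replication agreements whose last incremental update failed or
is stale, from the text `ipa-replica-manage list -v <host>` prints.  Added
example, not FreeIPA code; the status line format follows the reply in this
thread, and the hosts, times and failure text below are constructed."""

import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: one healthy agreement, one failed bind, one stale one.
SAMPLE_OUTPUT = """\
master1.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-05 14:29:01+00:00
master2.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: -1 Problem connecting to replica - LDAP error: Can't contact LDAP server
  last update ended: 2016-05-05 11:02:44+00:00
master3.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-04 23:59:59+00:00
"""

# Leading numeric code of a status line.  The bare number is the format shown
# in the thread; accepting an "Error (N) ..." wrapper is an assumption about
# newer 389-ds builds.
STATUS_RE = re.compile(r"^(?:Error \()?(-?\d+)\)?\s*(.*)$")


def parse_replica_list(text):
    """Return {agreement_host: {field: value}}.  Agreement headers are the
    unindented `host: replica` lines; their fields are indented below them."""
    agreements, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            host = line.split(":", 1)[0].strip()
            current = agreements.setdefault(host, {})
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return agreements


def check_agreements(text, now, max_age=timedelta(hours=1)):
    """Return (host, reason) for every agreement needing attention: a missing
    or non-zero status code, or a last successful update older than max_age."""
    problems = []
    for host, fields in parse_replica_list(text).items():
        status = fields.get("last update status", "")
        match = STATUS_RE.match(status)
        if match is None or int(match.group(1)) != 0:
            problems.append((host, f"last update status: {status or 'missing'}"))
            continue
        ended_raw = fields.get("last update ended", "")
        try:
            ended = datetime.fromisoformat(ended_raw)
        except ValueError:
            problems.append((host, f"unparseable 'last update ended': {ended_raw!r}"))
            continue
        if ended.tzinfo is None:              # treat naive timestamps as UTC
            ended = ended.replace(tzinfo=timezone.utc)
        age = now - ended
        if age > max_age:
            problems.append((host, f"last successful update {age} ago"))
    return problems


def audit_sample():
    """Run the check over SAMPLE_OUTPUT as of 2016-05-05 14:40 UTC."""
    now = datetime(2016, 5, 5, 14, 40, tzinfo=timezone.utc)
    return check_agreements(SAMPLE_OUTPUT, now)


if __name__ == "__main__":
    # On a server: ipa-replica-manage list -v $(hostname) > status.txt
    #              python3 check_replication.py status.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for host, reason in check_agreements(text, datetime.now(timezone.utc)):
        print(f"{host}: {reason}")
```

`ipa-replica-manage list -v` needs admin credentials (a Kerberos ticket or the Directory Manager password), so run it from a privileged cron job and feed the captured output to the script; a non-empty result is the alert. Note that a `0` status only says the last incremental update succeeded, which is why the age of `last update ended` is checked as well: an agreement that stopped being scheduled would otherwise look healthy forever.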
URL:

From mbabinsk at redhat.com Thu May 5 14:32:30 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 5 May 2016 16:32:30 +0200
Subject: [Freeipa-users] Automatic consistency checking
In-Reply-To:
References:
Message-ID: <4c0c6f30-9d59-bf46-bc42-150aa3a255a6@redhat.com>

On 05/05/2016 03:54 PM, Andrew Holway wrote:
> Hello,
>
> We've been using Freeipa on Centos for a while and found one day that the replication stuff was broken and that the LDAP database on our pair of IPA servers was inconsistent. We didn't know how long this had been broken for but we were not able to repair it either.
>
> We use AWS so we've now deployed RHEL AMI's and are now using IdM so we can get support when this is breaking but I am a bit stuck how to monitor that the replication is still working.
>
> So is there some monitoring mechanisms in FreeIPA?
>
> Cheers,
>
> Andrew
>
>

Hi Andrew,

to check the status of a replica you can use the following command:

"""
ipa-replica-manage list -v replica1.ipa.test
master1.ipa.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-05 14:29:01+00:00
"""

--
Martin^3 Babinsky

From Louis.Francoeur at esignlive.com Thu May 5 14:03:22 2016
From: Louis.Francoeur at esignlive.com (Francoeur, Louis)
Date: Thu, 5 May 2016 14:03:22 +0000
Subject: [Freeipa-users] Unable to create a new replica
Message-ID: <1462457004143.92197@esignlive.com>

I'm trying to create a new replica and I receive the following message:

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing.
Replication agreement cannot be converted.
Replication error message: Can't acquire busy replica

I have done this multiple times:

ipa-replica-manage del new-ipa.domain.local --force --cleanup

I have validated that my ports are open:

nmap -Pn -p53,80,88,443,389,464,636 existing-ipa

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:46 UTC
Nmap scan report for existing-ipa (xxx.xxx.xxx.xxx)
Host is up (0.29s latency).
rDNS record for xxx.xxx.xxx.xxx: existing-ipa.domain.local
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds

nmap -Pn -p53,80,88,443,389,464,636 xxx.xxx.xxx.xxx (this is after the failed install; closed means nothing is listening)

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-05 13:50 UTC
Nmap scan report for new-ipa.domain.local (xxx.xxx.xxx.xxx)
Host is up (0.21s latency).
PORT    STATE  SERVICE
53/tcp  closed domain
80/tcp  closed http
88/tcp  closed kerberos-sec
389/tcp open   ldap
443/tcp closed https
464/tcp closed kpasswd5
636/tcp open   ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

I am running on CentOS 7 with:

ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-ipa-1.13.0-40.el7_2.2.x86_64
libipa_hbac-1.13.0-40.el7_2.2.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64

The other strange thing I notice at the beginning of the install is:

ipa : ERROR Could not resolve hostname new-ipa.domain.local using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)

But I can find it from the command line with dig/nslookup.
With more debug info, I find it is trying to reach another IPA that it has no access to (geo is too far and ports are closed) instead of using resolv.conf.

What am I missing here?

BTW I have multiple replicas installed already.

Thanks
Louis

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Thu May 5 14:35:42 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 5 May 2016 10:35:42 -0400 (EDT)
Subject: [Freeipa-users] Automatic consistency checking
In-Reply-To:
Message-ID: <732497752.48841134.1462458942340.JavaMail.zimbra@redhat.com>

On 05.05.2016 15:54, Andrew Holway wrote:
> Hello,
>
> We've been using Freeipa on Centos for a while and found one day that the replication stuff was broken and that the LDAP database on our pair of IPA servers was inconsistent. We didn't know how long this had been broken for but we were not able to repair it either.
>
> We use AWS so we've now deployed RHEL AMI's and are now using IdM so we can get support when this is breaking but I am a bit stuck how to monitor that the replication is still working.
>
> So is there some monitoring mechanisms in FreeIPA?
>
> Cheers,
>
> Andrew

This is planned for the future; you can use https://github.com/peterpakos/ipa_check_consistency (community script without any guarantee) to check your servers.

Martin

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rakesh.rajasekharan at gmail.com Thu May 5 14:43:00 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Thu, 5 May 2016 20:13:00 +0530
Subject: [Freeipa-users] freeipa permission denied for user
Message-ID:

Hi There,

I am getting a permission denied error on a few of my hosts with IPA. These are all new hosts which were earlier running openldap and are now being migrated over to freeipa.
In the sssd_domain.log I see this error: "No ccache file for user [p-testuser] found"

I checked the /tmp directory and the permissions look fine:

drwxrwxrwt 4 root root 4096 May 5 14:36 /tmp

This is the sssd_domain.log after I tried to log in:

Thu May 5 14:35:37 UTC 2016
p-testuser at localhost's password:
Permission denied, please try again.
p-testuser at localhost's password:
Permission denied, please try again.
p-testuser at localhost's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Thu May 5 14:35:51 UTC 2016

sssd_domain.log

(Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [be_host_handler] (0x1000): Got request for [0][name=localhost]
(Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184
(Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=localhost))][cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 62 (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], ldap[0x2332a80] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [hosts_get_done] (0x0040): No host with name [localhost] found. (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sysdb_delete_ssh_host] (0x0400): Deleting host localhost (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Host lookup failed (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[(nil)], ldap[0x2332a80] (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=p-testuser] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184 (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=p-testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=xyz,dc=com]. 
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Thu May 5 14:35:40 2016) 
[sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Thu 
May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 63 (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2369390], ldap[0x2332a80] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=p-testuser,cn=users,cn=accounts,dc=xyz,dc=com]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPrincipalName] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] 
[sdap_parse_range] (0x2000): No sub-attributes for [krbLastPwdChange] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPasswordExpiration] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2369390], ldap[0x2332a80] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Save user (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object p-testuser (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Processing user p-testuser (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x2000): Adding originalDN [uid=p-testuser,cn=users,cn=accounts,dc=xyz,dc=com] to attributes of [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160505140042Z] to attributes of [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding user principal [p-testuser at xyz.COM] to attributes of [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [p-testuser]. 
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbLastPwdChange [20160505104918Z] to attributes of [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbPasswordExpiration [20160803104918Z] to attributes of [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adUserAccountControl is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [p-testuser]. (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [p-testuser]. 
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [p-testuser].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [p-testuser].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [p-testuser].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [p-testuser].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Storing info for user p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [objectSIDString] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adAccountExpires] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adUserAccountControl] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [sshPublicKey] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authType] from [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 64
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x23ecf60], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x23ecf60], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x23ecf60], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=ipausers,cn=groups,cn=xyz.com,cn=sysdb))]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): ipausers is a member of 0 sysdb groups
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a direct member of 0 LDAP groups
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x1000): The user p-testuser is a direct member of 1 LDAP groups
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=p-testuser,cn=users,cn=xyz.com,cn=sysdb))]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): p-testuser is a member of 1 sysdb groups
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=xyz,dc=com]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1879000001)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 65
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x237a290], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x237a290], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x237a290], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Processing group p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x2000): This is a posix group
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com] to attributes of [p-testuser].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160505104839Z] to attributes of [p-testuser].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Storing info for group p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Processing group p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): No members for group [p-testuser]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:ed58bb28-12ae-11e6-8a34-0ac54d537681))][cn=Default Trust View,cn=views,cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 66
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sbus_add_timeout] (0x2000): 0x237fcd0
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[(nil)], ldap[0x2332a80]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sbus_remove_timeout] (0x2000): 0x237fcd0
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: p-testuser
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 32253
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [p-testuser] found.
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved'
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa-master-int.xyz.com' is 'working'
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved'
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-master-int.xyz.com: [10.10.3.184] TTL 60
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32274]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [32274]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x1000): Waiting for child [32274].
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x0100): child [32274] finished successfully.
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, ) [Success]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [7][xyz.com]
(Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [7][xyz.com]
(Thu May 5 14:35:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: p-testuser
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 32253
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [p-testuser] found.
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved'
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa-master-int.xyz.com' is 'working'
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved'
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-master-int.xyz.com: [10.10.3.184] TTL 60
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32275]
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [32275]
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, ) [Success]
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [7][xyz.com]
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [7][xyz.com]
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x1000): Waiting for child [32275].
(Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x0100): child [32275] finished successfully.
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=xyz,dc=com]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=p-testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 67
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], ldap[0x2332a80]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=p-testuser,cn=users,cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPrincipalName]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbLastPwdChange]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPasswordExpiration]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], ldap[0x2332a80]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Save user
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object p-testuser
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Processing user p-testuser
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x2000): Adding originalDN [uid=p-testuser,cn=users,cn=accounts,dc=xyz,dc=com] to attributes of [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160505140042Z] to attributes of [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Adding user principal [p-testuser@xyz.COM] to attributes of [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbLastPwdChange [20160505104918Z] to attributes of [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbPasswordExpiration [20160803104918Z] to attributes of [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): adUserAccountControl is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [p-testuser].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): Storing info for user p-testuser
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [objectSIDString] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adAccountExpires] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adUserAccountControl] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [sshPublicKey] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authType] from [p-testuser]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object p-testuser
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 68
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x240b490], ldap[0x2332a80]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x240b490], ldap[0x2332a80]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x240b490], ldap[0x2332a80]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=ipausers,cn=groups,cn=xyz.com,cn=sysdb))]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): ipausers is a member of 0 sysdb groups
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a direct member of 0 LDAP groups
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x1000): The user p-testuser is a direct member of 1 LDAP groups
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=p-testuser,cn=users,cn=xyz.com,cn=sysdb))]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] (0x1000): p-testuser is a member of 1 sysdb groups
(Thu May 5 14:35:49 2016)
[sssd[be[xyz.com]]] [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for p-testuser (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=xyz,dc=com] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184 (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1879000001)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=xyz,dc=com]. (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): 
ldap_search_ext called, msgid = 69 (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2376f60], ldap[0x2332a80] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2376f60], ldap[0x2332a80] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com]. (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2376f60], ldap[0x2332a80] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object p-testuser (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Processing group p-testuser (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x2000): This is a posix group (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com] to attributes of [p-testuser]. (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20160505104839Z] to attributes of [p-testuser]. 
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): The group has 0 members (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_ghost_members] (0x0400): Group has 0 members (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_group] (0x0400): Storing info for group p-testuser (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] (0x0400): Processing object p-testuser (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Processing group p-testuser (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] (0x0400): No members for group [p-testuser] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184 (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:ed58bb28-12ae-11e6-8a34-0ac54d537681))][cn=Default Trust View,cn=views,cn=accounts,dc=xyz,dc=com]. (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 70 (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], ldap[0x2332a80] (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], ldap[0x2332a80]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sbus_add_timeout] (0x2000): 0x23788e0
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2357da0], connected[1], ops[(nil)], ldap[0x2332a80]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sbus_remove_timeout] (0x2000): 0x23788e0
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_req_set_domain] (0x0400): Changing request domain from [xyz.com] to [xyz.com]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): domain: xyz.com
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): user: p-testuser
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): service: sshd
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): tty: ssh
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): ruser:
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): rhost: 127.0.0.1
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): authtok type: 1
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): priv: 1
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): cli_pid: 32253
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): logon name: not set
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [p-testuser] found.
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved'
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa-master-int.xyz.com' is 'working'
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [get_server_status] (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved'
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-master-int.xyz.com: [10.10.3.184] TTL 60
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32281]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [32281]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x1000): Waiting for child [32281].
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [child_sig_handler] (0x0100): child [32281] finished successfully.
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, ) [Success]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sending result [7][xyz.com]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Sent result [7][xyz.com]
(Thu May 5 14:35:51 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

and here is the krb5_child.log

(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [unpack_buffer] (0x0100): cmd [241] uid [1879000001] gid [1879000001] validate [true] enterprise principal [false] offline [false] UPN [p-testuser at xyz.COM]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [unpack_buffer] (0x2000): No old ccache
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1879000001_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.10.0.127 at xyz.COM]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.10.0.127 at xyz.COM).
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [become_user] (0x0200): Trying to become user [1879000001][1879000001].
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [main] (0x2000): Running as [1879000001][1879000001].
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [k5c_setup] (0x2000): Running as [1879000001][1879000001].
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [main] (0x0400): Will perform online auth
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [xyz.COM]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [k5c_send_data] (0x0200): Received error code 1432158219
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [main] (0x0400): krb5_child completed successfully
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [main] (0x0400): krb5_child started.
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [unpack_buffer] (0x1000): total buffer size: [134]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [unpack_buffer] (0x0100): cmd [241] uid [1879000001] gid [1879000001] validate [true] enterprise principal [false] offline [false] UPN [p-testuser at xyz.COM]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [unpack_buffer] (0x2000): No old ccache
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1879000001_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.10.0.127 at xyz.COM]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.10.0.127 at xyz.COM).
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [become_user] (0x0200): Trying to become user [1879000001][1879000001].
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [main] (0x2000): Running as [1879000001][1879000001].
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [k5c_setup] (0x2000): Running as [1879000001][1879000001].
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [main] (0x0400): Will perform online auth
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [xyz.COM]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [k5c_send_data] (0x0200): Received error code 1432158219
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [main] (0x0400): krb5_child completed successfully
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [main] (0x0400): krb5_child started.
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [unpack_buffer] (0x1000): total buffer size: [134]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [unpack_buffer] (0x0100): cmd [241] uid [1879000001] gid [1879000001] validate [true] enterprise principal [false] offline [false] UPN [p-testuser at xyz.COM]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [unpack_buffer] (0x2000): No old ccache
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1879000001_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.10.0.127 at xyz.COM]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.10.0.127 at xyz.COM).
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [become_user] (0x0200): Trying to become user [1879000001][1879000001].
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [main] (0x2000): Running as [1879000001][1879000001].
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [k5c_setup] (0x2000): Running as [1879000001][1879000001].
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [main] (0x0400): Will perform online auth
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [xyz.COM]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [k5c_send_data] (0x0200): Received error code 1432158219
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [main] (0x0400): krb5_child completed successfully

getent passwd works fine and shows me all the users. Not sure what could have gone wrong...

Thanks,
Rakesh

From jhrozek at redhat.com Thu May 5 15:04:55 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 5 May 2016 17:04:55 +0200
Subject: [Freeipa-users] freeipa permission denied for user
In-Reply-To:
References:
Message-ID: <20160505150455.GI2785@hendrix>

On Thu, May 05, 2016 at 08:13:00PM +0530, Rakesh Rajasekharan wrote:
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [get_and_save_tgt]
> (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [map_krb5_error]
> (0x0020): 1069: [-1765328353][Decrypt integrity check failed]

This seems like a wrong password.. Are you able to kinit with the same
password using the user's principal?
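As an added example (not code from the thread, from SSSD or from FreeIPA), here is a small Python triage helper for the SSSD debug-log format shown above: it parses the lines, pulls out the krb5 error code that krb5_child reports from get_and_save_tgt and the PAM status the backend returns, and maps the code to its libkrb5 name. The sample lines are constructed after the ones posted, and the symbolic error names (from krb5_err.h) and the diagnosis text are my own assumptions, reflecting Jakub's "wrong password" reading and the stale-cache fix Rakesh later reports.

```python
"""Triage helper for SSSD krb5_child.log / sssd_<domain>.log entries.

Added example, not part of the mailing-list thread or of SSSD itself.
krb5 error numbers are libkrb5 com_err values: ERROR_TABLE_BASE_krb5 plus
the offset from krb5_err.h (assumed here, e.g. BAD_INTEGRITY is offset 31).
"""
import re
from collections import Counter

# One SSSD debug line, e.g. (both bracket styles seen in the thread)
# (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][...]
# (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, ) [Success]
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\)\s+\[+sssd\[(?P<proc>[^\[\]]+)\[(?P<arg>[^\]]*)\]\]\]+"
    r"\s+\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
# get_and_save_tgt / map_krb5_error message: "<src line>: [<krb5 code>][<text>]"
KRB5_ERR_RE = re.compile(r"^\d+:\s*\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]$")
# be_pam_handler_callback message: "Backend returned: (<dp error>, <pam status>, ...)"
PAM_RET_RE = re.compile(r"Backend returned: \((?P<dp>\d+), (?P<pam>\d+),")

KRB5_ERROR_TABLE_BASE = -1765328384      # ERROR_TABLE_BASE_krb5
KRB5_ERROR_NAMES = {                     # offsets from krb5_err.h (assumed)
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",  # "Decrypt integrity check failed"
    37: "KRB5KRB_AP_ERR_SKEW",
}
PAM_AUTH_ERR = 7                         # Linux-PAM status seen in the thread


def parse_line(line):
    """Split one SSSD debug line into its fields; None for non-log text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # krb5_child lines carry the child pid in the bracket; be[] lines carry the domain
    rec["pid"] = int(rec["arg"]) if rec["arg"].isdigit() else None
    return rec


def krb5_error_name(code):
    """Map a libkrb5 com_err code to its symbolic name, or a placeholder."""
    return KRB5_ERROR_NAMES.get(code - KRB5_ERROR_TABLE_BASE, "KRB5_UNKNOWN(%d)" % code)


def tgt_failures(lines):
    """One record per failed TGT request that krb5_child logged."""
    out = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "krb5_child" or rec["func"] != "get_and_save_tgt":
            continue
        m = KRB5_ERR_RE.match(rec["msg"])
        if m:
            code = int(m.group("code"))
            out.append({"pid": rec["pid"], "code": code,
                        "name": krb5_error_name(code), "text": m.group("text")})
    return out


def pam_results(lines):
    """PAM status codes the backend handed back to the PAM responder."""
    codes = []
    for raw in lines:
        rec = parse_line(raw)
        if rec and rec["func"] == "be_pam_handler_callback":
            m = PAM_RET_RE.search(rec["msg"])
            if m:
                codes.append(int(m.group("pam")))
    return codes


def triage(lines):
    """Summarise why SSSD password authentication failed, in the thread's terms."""
    fails = tgt_failures(lines)
    names = Counter(f["name"] for f in fails)
    pam = pam_results(lines)
    if not fails:
        hint = "no krb5_child TGT failure found; look at access control or the PAM stack"
    elif set(names) == {"KRB5KRB_AP_ERR_BAD_INTEGRITY"}:
        hint = ("KDC rejected the password-derived key: wrong password, or a stale SSSD "
                "cache from an earlier enrolment; confirm with 'kinit <principal>' and, "
                "if that works, clear /var/lib/sss/db and restart sssd")
    elif "KRB5KRB_AP_ERR_SKEW" in names:
        hint = "clock skew between client and KDC; fix time synchronisation"
    else:
        hint = "see krb5 error names: " + ", ".join(sorted(names))
    return {"attempts": len(fails), "pids": sorted({f["pid"] for f in fails}),
            "errors": dict(names), "pam_status": pam,
            "auth_error": PAM_AUTH_ERR in pam, "hint": hint}


# Constructed sample, modelled on the thread's logs: three password tries, one PAM reply.
SAMPLE_LOG = """\
and here is the krb5_child.log
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [xyz.COM]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
(Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 7, ) [Success]
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-11s %s" % (key + ":", value))
```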
From rakesh.rajasekharan at gmail.com Thu May 5 15:06:32 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Thu, 5 May 2016 20:36:32 +0530
Subject: [Freeipa-users] freeipa permission denied for user
In-Reply-To:
References:
Message-ID:

This was the caching issue. I followed the documentation at
http://www.freeipa.org/page/Troubleshooting

Apparently the hosts were earlier attempted to be configured with another master. So,

rm -f /var/lib/sss/db/*

and an sssd restart helped me get out of this issue.

Thanks,
Rakesh

On Thu, May 5, 2016 at 8:13 PM, Rakesh Rajasekharan <rakesh.rajasekharan at gmail.com> wrote:
> Hi There,
>
> I am getting a permission denied error on a few of my hosts with IPA.
>
> These are all new hosts which were earlier running openldap and are now being
> migrated over to freeipa.
>
> In the sssd_domain.log I see this error "No ccache file for user
> [p-testuser] found"
>
> I checked the /tmp directory and the permissions look fine
> drwxrwxrwt 4 root root 4096 May 5 14:36 /tmp
>
> This is the sssd_domain.log after I tried to login
>
> Thu May 5 14:35:37 UTC 2016
> p-testuser at localhost's password:
> Permission denied, please try again.
> p-testuser at localhost's password:
> Permission denied, please try again.
> p-testuser at localhost's password:
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> Thu May 5 14:35:51 UTC 2016
>
> sssd_domain.log
> Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [be_host_handler] (0x1000): Got request for [0][name=localhost]
> (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.10.3.184
> (Thu May 5 14:35:37 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=localhost))][cn=accounts,dc=xyz,dc=com].
> (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowLastChange is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowMin is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowMax is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowWarning is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowInactive is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowExpire is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowFlag is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding krbLastPwdChange [20160505104918Z] to attributes of > [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding krbPasswordExpiration [20160803104918Z] to attributes of > [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): pwdAttribute is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): authorizedService is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): adAccountExpires is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): adUserAccountControl is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): nsAccountLock is not available for [p-testuser]. 
> (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): authorizedHost is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): ndsLoginDisabled is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): ndsLoginExpirationTime is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): ndsLoginAllowedTimeMap is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): sshPublicKey is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): authType is not available for [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): > Storing info for user p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [userPassword] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [objectSIDString] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowLastChange] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowMin] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowMax] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowWarning] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowInactive] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowExpire] from 
[p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowFlag] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [pwdAttribute] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [authorizedService] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [adAccountExpires] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [adUserAccountControl] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [nsAccountLock] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [authorizedHost] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [ndsLoginDisabled] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [ndsLoginExpirationTime] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [sshPublicKey] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [authType] from [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] > (0x0400): The server supports deref method OpenLDAP > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] > (0x2000): Searching 10.10.3.184 > (Thu May 
5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 64 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x23ecf60], > ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! 
> (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x23ecf60], > ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] > (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [member] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaUniqueID] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [modifyTimestamp] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [entryUSN] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x23ecf60], > ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object ipausers > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] > (0x2000): searching sysdb with filter > [(&(objectClass=group)(member=name=ipausers,cn=groups,cn=xyz.com > ,cn=sysdb))] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] > (0x1000): ipausers is a member of 0 sysdb groups > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a > direct member of 0 LDAP groups > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_initgr_store_user_memberships] (0x1000): The user p-testuser is a > direct member of 1 LDAP 
groups > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] > (0x2000): searching sysdb with filter > [(&(objectClass=group)(member=name=p-testuser,cn=users,cn=xyz.com > ,cn=sysdb))] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] > (0x1000): p-testuser is a member of 1 sysdb groups > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for > p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_groups_next_base] (0x0400): Searching for groups with base > [cn=accounts,dc=xyz,dc=com] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] > (0x2000): Searching 10.10.3.184 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(gidNumber=1879000001)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=xyz,dc=com]. 
> (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 65 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x237a290], > ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x237a290], > ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] > (0x1000): OriginalDN: [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com]. 
> (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [gidNumber] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaUniqueID] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [modifyTimestamp] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [entryUSN] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x237a290], > ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_groups_process] > (0x0400): Search for groups, returned 1 results. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] > (0x0400): The server supports deref method OpenLDAP > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_nested_group_process_send] (0x2000): About to process group > [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] > (0x0400): 0 users found in the hash table > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] > (0x0400): 1 groups found in the hash table > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] > (0x1000): No [objectSIDString] attribute. 
[0][Success] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] > (0x0400): Processing group p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] > (0x2000): This is a posix group > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding original DN > [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com] to attributes of > [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding original mod-Timestamp [20160505104839Z] to attributes of > [p-testuser]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_process_ghost_members] (0x0400): The group has 0 members > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_process_ghost_members] (0x0400): Group has 0 members > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_group] > (0x0400): Storing info for group p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] > (0x0400): Processing group p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] > (0x0400): Failed to get group sid > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] > (0x0400): No members for group [p-testuser] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_print_server] > (0x2000): Searching 10.10.3.184 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:ed58bb28-12ae-11e6-8a34-0ac54d537681))][cn=Default > Trust View,cn=views,cn=accounts,dc=xyz,dc=com]. 
> (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 66 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], > ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], > ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), > no errmsg set > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sbus_add_timeout] > (0x2000): 0x237fcd0 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[(nil)], ldap[0x2332a80] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sbus_remove_timeout] > (0x2000): 0x237fcd0 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [acctinfo_callback] > (0x0100): Request processed. 
Returned 0,0,Success > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_req_set_domain] > (0x0400): Changing request domain from [xyz.com] to [xyz.com] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): > Got request with the following data > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > command: PAM_AUTHENTICATE > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > domain: xyz.com > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > user: p-testuser > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > service: sshd > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > tty: ssh > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > ruser: > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > rhost: 127.0.0.1 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > authtok type: 1 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > priv: 1 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > cli_pid: 32253 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > logon name: not set > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user > [p-testuser] found. 
> (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] > (0x0100): Trying to resolve service 'IPA' > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [get_server_status] > (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved' > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [get_port_status] > (0x1000): Port status of port 0 for server 'ipa-master-int.xyz.com' is > 'working' > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [get_server_status] > (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved' > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] > [be_resolve_server_process] (0x0200): Found address for server > ipa-master-int.xyz.com: [10.10.3.184] TTL 60 > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [child_handler_setup] > (0x2000): Setting up signal handler up for pid [32274] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [child_handler_setup] > (0x2000): Signal handler set up for pid [32274] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [write_pipe_handler] > (0x0400): All data has been sent! > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [child_sig_handler] > (0x1000): Waiting for child [32274]. > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [child_sig_handler] > (0x0100): child [32274] finished successfully. 
> (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Backend returned: (0, 7, ) [Success] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Sending result [7][xyz.com] > (Thu May 5 14:35:40 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Sent result [7][xyz.com] > (Thu May 5 14:35:41 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_req_set_domain] > (0x0400): Changing request domain from [xyz.com] to [xyz.com] > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): > Got request with the following data > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > command: PAM_AUTHENTICATE > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > domain: xyz.com > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > user: p-testuser > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > service: sshd > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > tty: ssh > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > ruser: > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > rhost: 127.0.0.1 > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > authtok type: 1 > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > priv: 1 > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > cli_pid: 32253 > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] 
[pam_print_data] (0x0100): > logon name: not set > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user > [p-testuser] found. > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] > (0x0100): Trying to resolve service 'IPA' > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [get_server_status] > (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved' > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [get_port_status] > (0x1000): Port status of port 0 for server 'ipa-master-int.xyz.com' is > 'working' > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [get_server_status] > (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved' > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] > [be_resolve_server_process] (0x0200): Found address for server > ipa-master-int.xyz.com: [10.10.3.184] TTL 60 > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [child_handler_setup] > (0x2000): Setting up signal handler up for pid [32275] > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [child_handler_setup] > (0x2000): Signal handler set up for pid [32275] > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [write_pipe_handler] > (0x0400): All data has been sent! 
> (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Backend returned: (0, 7, ) [Success] > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Sending result [7][xyz.com] > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Sent result [7][xyz.com] > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [child_sig_handler] > (0x1000): Waiting for child [32275]. > (Thu May 5 14:35:44 2016) [sssd[be[xyz.com]]] [child_sig_handler] > (0x0100): child [32275] finished successfully. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_get_account_info] > (0x0200): Got request for [0x3][1][name=p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_req_set_domain] > (0x0400): Changing request domain from [xyz.com] to [xyz.com] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_initgr_next_base] (0x0400): Searching for users with base > [cn=accounts,dc=xyz,dc=com] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_print_server] > (0x2000): Searching 10.10.3.184 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(uid=p-testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=xyz,dc=com]. 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] 
(0x1000): Requesting attrs: [shadowMin] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [krbPasswordExpiration] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [loginExpirationTime] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > 
[loginAllowedTimeMap] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 67 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] > (0x1000): OriginalDN: [uid=p-testuser,cn=users,cn=accounts,dc=xyz,dc=com]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [uid] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [uidNumber] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [gidNumber] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [gecos] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [homeDirectory] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [loginShell] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [krbPrincipalName] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [memberOf] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaUniqueID] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > 
(0x2000): No sub-attributes for [modifyTimestamp] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [entryUSN] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [krbLastPwdChange] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [krbPasswordExpiration] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): > Save user > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] > (0x1000): No [objectSIDString] attribute. [0][Success] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): > Processing user p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x2000): > Adding originalDN [uid=p-testuser,cn=users,cn=accounts,dc=xyz,dc=com] to > attributes of [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): > Adding original memberOf attributes to [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding original mod-Timestamp [20160505140042Z] to attributes of > [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): > Adding user principal [p-testuser at xyz.COM] to attributes of [p-testuser]. 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowLastChange is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowMin is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowMax is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowWarning is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowInactive is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowExpire is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): shadowFlag is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding krbLastPwdChange [20160505104918Z] to attributes of > [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding krbPasswordExpiration [20160803104918Z] to attributes of > [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): pwdAttribute is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): authorizedService is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): adAccountExpires is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): adUserAccountControl is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): nsAccountLock is not available for [p-testuser]. 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): authorizedHost is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): ndsLoginDisabled is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): ndsLoginExpirationTime is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): ndsLoginAllowedTimeMap is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): sshPublicKey is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): authType is not available for [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_user] (0x0400): > Storing info for user p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [userPassword] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [objectSIDString] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowLastChange] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowMin] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowMax] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowWarning] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowInactive] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowExpire] from 
[p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [shadowFlag] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [pwdAttribute] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [authorizedService] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [adAccountExpires] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [adUserAccountControl] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [nsAccountLock] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [authorizedHost] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [ndsLoginDisabled] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [ndsLoginExpirationTime] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [sshPublicKey] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_remove_attrs] > (0x2000): Removing attribute [authType] from [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] > (0x0400): The server supports deref method OpenLDAP > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_print_server] > (0x2000): Searching 10.10.3.184 > (Thu May 
5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 68 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x240b490], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x240b490], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] > (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=xyz,dc=com]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [member] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaUniqueID] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [modifyTimestamp] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [entryUSN] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x240b490], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object ipausers > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] > (0x2000): searching sysdb with filter > [(&(objectClass=group)(member=name=ipausers,cn=groups,cn=xyz.com > ,cn=sysdb))] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] > (0x1000): ipausers is a member of 0 sysdb groups > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a > direct member of 0 LDAP groups > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_initgr_store_user_memberships] (0x1000): The user p-testuser is a > direct member of 1 LDAP 
groups > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] > (0x2000): searching sysdb with filter > [(&(objectClass=group)(member=name=p-testuser,cn=users,cn=xyz.com > ,cn=sysdb))] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sysdb_get_direct_parents] > (0x1000): p-testuser is a member of 1 sysdb groups > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for > p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_groups_next_base] (0x0400): Searching for groups with base > [cn=accounts,dc=xyz,dc=com] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_print_server] > (0x2000): Searching 10.10.3.184 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(gidNumber=1879000001)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=xyz,dc=com]. 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 69 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2376f60], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2376f60], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_entry] > (0x1000): OriginalDN: [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com]. 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [objectClass] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [cn] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [gidNumber] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [ipaUniqueID] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [modifyTimestamp] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_parse_range] > (0x2000): No sub-attributes for [entryUSN] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2376f60], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_groups_process] > (0x0400): Search for groups, returned 1 results. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_has_deref_support] > (0x0400): The server supports deref method OpenLDAP > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_nested_group_process_send] (0x2000): About to process group > [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] > (0x0400): 0 users found in the hash table > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_nested_group_recv] > (0x0400): 1 groups found in the hash table > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_get_sid_str] > (0x1000): No [objectSIDString] attribute. 
[0][Success] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_group] > (0x0400): Processing group p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_group] > (0x2000): This is a posix group > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding original DN > [cn=p-testuser,cn=groups,cn=accounts,dc=xyz,dc=com] to attributes of > [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_attrs_add_ldap_attr] > (0x2000): Adding original mod-Timestamp [20160505104839Z] to attributes of > [p-testuser]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_process_ghost_members] (0x0400): The group has 0 members > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_process_ghost_members] (0x0400): Group has 0 members > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_group] > (0x0400): Storing info for group p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_get_primary_name] > (0x0400): Processing object p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] > (0x0400): Processing group p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] > (0x0400): Failed to get group sid > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_save_grpmem] > (0x0400): No members for group [p-testuser] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_print_server] > (0x2000): Searching 10.10.3.184 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:ed58bb28-12ae-11e6-8a34-0ac54d537681))][cn=Default > Trust View,cn=views,cn=accounts,dc=xyz,dc=com]. 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 70 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[0x2368670], > ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), > no errmsg set > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sbus_add_timeout] > (0x2000): 0x23788e0 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: sh[0x2357da0], connected[1], ops[(nil)], ldap[0x2332a80] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sbus_remove_timeout] > (0x2000): 0x23788e0 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [acctinfo_callback] > (0x0100): Request processed. 
Returned 0,0,Success > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_req_set_domain] > (0x0400): Changing request domain from [xyz.com] to [xyz.com] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler] (0x0100): > Got request with the following data > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > command: PAM_AUTHENTICATE > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > domain: xyz.com > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > user: p-testuser > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > service: sshd > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > tty: ssh > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > ruser: > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > rhost: 127.0.0.1 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > authtok type: 1 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > priv: 1 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > cli_pid: 32253 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [pam_print_data] (0x0100): > logon name: not set > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user > [p-testuser] found. 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [fo_resolve_service_send] > (0x0100): Trying to resolve service 'IPA' > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [get_server_status] > (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved' > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [get_port_status] > (0x1000): Port status of port 0 for server 'ipa-master-int.xyz.com' is > 'working' > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 > seconds > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [get_server_status] > (0x1000): Status of server 'ipa-master-int.xyz.com' is 'name resolved' > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] > [be_resolve_server_process] (0x0200): Found address for server > ipa-master-int.xyz.com: [10.10.3.184] TTL 60 > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [child_handler_setup] > (0x2000): Setting up signal handler up for pid [32281] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [child_handler_setup] > (0x2000): Signal handler set up for pid [32281] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [write_pipe_handler] > (0x0400): All data has been sent! > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [child_sig_handler] > (0x1000): Waiting for child [32281]. > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [child_sig_handler] > (0x0100): child [32281] finished successfully. 
> (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [read_pipe_handler] > (0x0400): EOF received, client finished > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Backend returned: (0, 7, ) [Success] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Sending result [7][xyz.com] > (Thu May 5 14:35:49 2016) [sssd[be[xyz.com]]] [be_pam_handler_callback] > (0x0100): Sent result [7][xyz.com] > (Thu May 5 14:35:51 2016) [sssd[be[xyz.com]]] [sbus_get_sender_id_send] > (0x2000): Not a sysbus message, quit > > > and here is the krb5_child.log > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [unpack_buffer] > (0x0100): cmd [241] uid [1879000001] gid [1879000001] validate [true] > enterprise principal [false] offline [false] UPN [p-testuser at xyz.COM] > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [unpack_buffer] > (0x2000): No old ccache > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [unpack_buffer] > (0x0100): ccname: [FILE:/tmp/krb5cc_1879000001_XXXXXX] old_ccname: [not > set] keytab: [/etc/krb5.keytab] > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [k5c_setup_fast] > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.10.0.127 at xyz.COM] > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [match_principal] > (0x1000): Principal matched to the sample (host/10.10.0.127 at xyz.COM). > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [check_fast_ccache] > (0x0200): FAST TGT is still valid. > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [become_user] > (0x0200): Trying to become user [1879000001][1879000001]. > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [main] (0x2000): > Running as [1879000001][1879000001]. > (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [k5c_setup] > (0x2000): Running as [1879000001][1879000001]. 
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [main] (0x0400): Will perform online auth
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [xyz.COM]
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [k5c_send_data] (0x0200): Received error code 1432158219
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Thu May 5 14:35:40 2016) [[sssd[krb5_child[32274]]]] [main] (0x0400): krb5_child completed successfully
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [main] (0x0400): krb5_child started.
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [unpack_buffer] (0x1000): total buffer size: [134]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [unpack_buffer] (0x0100): cmd [241] uid [1879000001] gid [1879000001] validate [true] enterprise principal [false] offline [false] UPN [p-testuser at xyz.COM]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [unpack_buffer] (0x2000): No old ccache
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1879000001_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.10.0.127 at xyz.COM]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.10.0.127 at xyz.COM).
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [become_user] (0x0200): Trying to become user [1879000001][1879000001].
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [main] (0x2000): Running as [1879000001][1879000001].
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [k5c_setup] (0x2000): Running as [1879000001][1879000001].
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [main] (0x0400): Will perform online auth
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [xyz.COM]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [k5c_send_data] (0x0200): Received error code 1432158219
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Thu May 5 14:35:44 2016) [[sssd[krb5_child[32275]]]] [main] (0x0400): krb5_child completed successfully
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [main] (0x0400): krb5_child started.
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [unpack_buffer] (0x1000): total buffer size: [134]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [unpack_buffer] (0x0100): cmd [241] uid [1879000001] gid [1879000001] validate [true] enterprise principal [false] offline [false] UPN [p-testuser at xyz.COM]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [unpack_buffer] (0x2000): No old ccache
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1879000001_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.10.0.127 at xyz.COM]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.10.0.127 at xyz.COM).
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [become_user] (0x0200): Trying to become user [1879000001][1879000001].
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [main] (0x2000): Running as [1879000001][1879000001].
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [k5c_setup] (0x2000): Running as [1879000001][1879000001].
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [main] (0x0400): Will perform online auth
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [xyz.COM]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [get_and_save_tgt] (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [map_krb5_error] (0x0020): 1069: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [k5c_send_data] (0x0200): Received error code 1432158219
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [pack_response_packet] (0x2000): response packet size: [4]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281]]]] [main] (0x0400): krb5_child completed successfully
>
> getent passwd works fine and shows me all the users not sure what could have gone wrong...
>
> Thanks,
> Rakesh

From ggiesen+freeipa-users at giesen.me Thu May 5 15:18:38 2016
From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen)
Date: Thu, 5 May 2016 11:18:38 -0400
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <071f01d1a546$acff20b0$06fd6210$@giesen.me>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> <070801d1a53f$c64924a0$52db6de0$@giesen.me> <33dbd0d6-445c-1a59-48f4-338fbb1ca01a@redhat.com> <071f01d1a546$acff20b0$06fd6210$@giesen.me>
Message-ID: <0a1b01d1a6e1$6822ab50$386801f0$@giesen.me>

I'm not entirely sure if this is what you were asking for, but here's a manual LDAP query and the associated logs, and then I restarted ipa-dnskeysyncd and the logs associated with that as well:

[root at host /]# date
Thu May 5 10:52:12 EDT 2016
[root at host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: user at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))
# requesting: ALL
#

# example.com., dns, example.com
dn: idnsname=example.com.,cn=dns,dc=example,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAserial: 1462338941
idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: example.com.
idnsSOAmName: host.example.com.
idnsSOArName: hostmaster.example.com.
idnsAllowDynUpdate: TRUE
nSRecord: host.example.com.
mXRecord: 5 mx.example.com.
tXTRecord: v=spf1 ip4:104.207.128.239 ip6:2001:19f0:300:24e1::10 -all idnsSecInlineSigning: TRUE # 2a6519b4-8d9c-11e5-8ced-56000017eb11, keys, sec, dns, example.com dn: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,d c=example,dc=com objectClass: ipk11PublicKey objectClass: ipk11Object objectClass: top objectClass: ipaPublicKeyObject objectClass: ipk11Key objectClass: ipk11StorageObject ipk11Wrap: FALSE ipk11Label: dnssec-replica:host.example.com. ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxk6apYsMbT7MH87pCzK GyVkpAmp+nOL8Alo/pwfaOALJO6EFfhvw+V+9Lnx1jKObnrAHo0O7j3c8qDqAmewjdS1beFbbeLG u GFGNFGTW7hOmqJKgWyH+OWtyHZyy7EYeMO5sXt+nMoQ3hdYMZEeBQtTLbMrhOAQR6EUksCbGpvkj c xBHz+9HbaDyoteWO53dAS1B04PS3FZXZyvkCDCdH+ZDaJ7sm1WMgHupKndUpl2vdvJWtEi2j41/4 q FOYXAyIgx+3yv7OG9X1D5qBb7v/IqtFuJFRqc0LIdBvWUlHn5LTLYh4rtb2h/6DUK/ZnGlJ+Sss5 Q nmuhUiky3cJ0KvQIDAQAB ipk11Verify: FALSE ipk11Id:: b4AQWy4+gJz2XABOkWEgnw== ipk11VerifyRecover: FALSE ipk11UniqueId: 2a6519b4-8d9c-11e5-8ced-56000017eb11 # 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11, keys, sec, dns, example.com dn: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,d c=example,dc=com objectClass: ipk11PublicKey objectClass: ipk11Object objectClass: top objectClass: ipaPublicKeyObject objectClass: ipk11Key objectClass: ipk11StorageObject ipk11Wrap: FALSE ipk11Label: dnssec-replica:host.example.com. 
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1oo1sC+p8/NCfI8r2Te 4onEHxk4yrrLWfwfuKl3lN/3QHmahPAjyHNYnm8srL45/lJzNqoZpI4yGyhWtCpNQhnnoD+W67aX N 2KGnshBTYE8IGG2zCHtQ0p5CJtNTNZFyIH4pyNiLfk/QLi1ptzk79f9u6Bwq4RdEKdzEk4R1G58C w cpUlKlG6pzGk+OpiX1a3Iw8ZCfgmYIEOmHSpexz0aRBA4q2ADdRn4dERL/aP+lWC+IQEj749wn+Q H sIFxikHQ6Kz2DOpdeJTNSJvNuVSTh3FigdH2xUbuwhPd3O5Q3D3s1+n7XajelYh5YqkOY8PNcFgL 9 O+iB9tqWJJiFChQIDAQAB ipk11Verify: FALSE ipk11Id:: L9nKKUY2ypycB3EldvJjVg== ipk11VerifyRecover: FALSE ipk11UniqueId: 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11 # 70eca210-0ee0-11e6-9e98-56000017eb11, keys, sec, dns, example.com dn: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,d c=example,dc=com objectClass: ipk11PublicKey objectClass: ipk11Object objectClass: top objectClass: ipaPublicKeyObject objectClass: ipk11Key objectClass: ipk11StorageObject ipk11Wrap: FALSE ipk11Label: dnssec-replica:host.example.com. ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoAnwbNG7EwTIlWwlWvu pPOEQnV7ahv7xMoF0v9qzoEZ+ccx9Wp515IWs6okmX6UhB/HELhO3EP5iCftL2iOq+aTa3Zx8Z/+ F JtpXPFkbCweUiOxr8vq4VLTppLmok0q+Dlm5CYaQUYs5en3d9HFtmaYt3m8JD5a58AkAzozoACrO m st5aNIkwo/YGdSa0e1tNcb7Xv7RhBSGbFlrpFfwj5uX3QyI57CSxR7S5FYjOD8lG8tmlCjKuuOhH O ST8uzatbirX0kiaVH3ENohDUmEV+zW6T9//TBG2xTRTw6v7TAM21klWMCNKoUYVyh84c34jdarVr Q PvEPCDzNF6C15NwIDAQAB ipk11Verify: FALSE ipk11Id:: teifTM9dTfpDRQgbL8rsFQ== ipk11VerifyRecover: FALSE ipk11UniqueId: 70eca210-0ee0-11e6-9e98-56000017eb11 # fba8d874-10a2-11e6-86aa-56000017eb11, keys, sec, dns, example.com dn: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,d c=example,dc=com objectClass: ipk11PublicKey objectClass: ipk11Object objectClass: top objectClass: ipaPublicKeyObject objectClass: ipk11Key objectClass: ipk11StorageObject ipk11Wrap: FALSE ipk11Label: dnssec-replica:host.example.com. 
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9r9+8POEp8nb+jiEi6 pvvuWWex2KuHeV1f1qo6LCe3oMSkZ39I73cdJZIfirt2E/D+CWSUMGwbWmNOnMUMIDI8YAnxLQ// K uvyaHMbxXfIrgMZmK1BFtPgSuH3ZoeXBI5x+VR1007Dhl5e7dEagHUlEw5OXPQ2jgeq6kCMUUteu 3 Nye/G2K51GzAJcAXlrBdVEek02LuhszHtxjYDxevq90my+0GXVb2nU9mPghIKnkwsQeHUoHXH83p H NLtIUug23Fac3oeklQX7PK8mAWbut5rh5ZZOUbHA+X+T8KV6sGRqMi8rlGIU9biuYHrmGZcaUuAY R NXCIrWIUrDV21cQIDAQAB ipk11Verify: FALSE ipk11Id:: WXrLuKBlC8r8UsjjGf2zww== ipk11VerifyRecover: FALSE ipk11UniqueId: fba8d874-10a2-11e6-86aa-56000017eb11 # a7bac2a6-10a5-11e6-9c20-56000017eb11, keys, sec, dns, example.com dn: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,d c=example,dc=com objectClass: ipk11PublicKey objectClass: ipk11Object objectClass: top objectClass: ipaPublicKeyObject objectClass: ipk11Key objectClass: ipk11StorageObject ipk11Wrap: FALSE ipk11Label: dnssec-replica:host.example.com. ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4m3sUosT4X9x8EjwrtQ B6mQDmClMNs3M8hCJ6UKvcCH/X+yFH2IAht5L85IOBCqmy8RQSL2fPY6BuCxx0krDPPvFBUfCW2i / X0s2RN+vdZQ6xtCe/Q8CHxTZmXsJLrOS8WsiggbHXh7QqkP8sY4Xl2N14OFDNTmSgtQWKnKjJloy g D03p+lo7BxFmOP9L1C+NGDhiiKjBwVexBNFlYSyUXEFacIDXAIjI/WMgxeCl/9Xu9wwAW5GYiYOR D KTl9h4JgUDRrge82OBMu0kQt0FyLCdVKl3Kw5GiMazWoTnK8KGpvuZl46whl9IbOYtPeQpHEhhSw X w36Ii4Y+e6eYeoQIDAQAB ipk11Verify: FALSE ipk11Id:: +Y0cQI+gUJelIpun/N1IYQ== ipk11VerifyRecover: FALSE ipk11UniqueId: a7bac2a6-10a5-11e6-9c20-56000017eb11 # 2f32c0f8-10c9-11e6-bf47-56000017eb11, keys, sec, dns, example.com dn: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,d c=example,dc=com objectClass: ipk11PublicKey objectClass: ipk11Object objectClass: top objectClass: ipaPublicKeyObject objectClass: ipk11Key objectClass: ipk11StorageObject ipk11Wrap: TRUE ipk11Label: dnssec-replica:host.example.com. 
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApWEc/C9jgjoCzQ2wTKT zJ9obG74mlYyokaP/rZyYA0nIIqrKF1DwArt7wemVzrMf9m8b70MyYlOZm77KJiw1gMD9qzcJieI m +two+BYb6zRAvp4o2HlTwG+x/UpOct8EnakilUh7zOhGFkEyk9m9+WnWBcXGX63lfiodL4sCrtBd s CIfF6bPH9yHYSYpa4/s/flW/mM7fRMSd0hO3ayYYxSg8INitFHVwnUj/MENxdFejeMPXlyROW/6m h kwBQjhLSYnmzvgiP2rNnA6AJIMX0cxjuxjswNaAS5vULG1Vju51Mb0f8V3RLv5P1L0dQYoY7S5Hb O aaO7c+27moTOZPQIDAQAB ipk11Verify: FALSE ipk11Id:: mn+arLpqrb1jDdDZXlroUg== ipk11VerifyRecover: FALSE ipk11UniqueId: 2f32c0f8-10c9-11e6-bf47-56000017eb11 # search result search: 4 result: 0 Success # numResponses: 8 # numEntries: 7 My manual LDAP search (/var/log/dirsrv/slapd-EXAMPLE-COM/access): [05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from 2001:db8:300:24e1::10 to 2001:db8:300:24e1::10 [05/May/2016:10:52:13 -0400] conn=613 TLS1.2 256-bit AES-GCM [05/May/2016:10:52:13 -0400] conn=613 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI [05/May/2016:10:52:13 -0400] conn=613 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [05/May/2016:10:52:13 -0400] conn=613 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [05/May/2016:10:52:13 -0400] conn=613 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com" [05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11Pu blicKey))" attrs=ALL [05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7 etime=0 [05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND [05/May/2016:10:52:13 -0400] conn=613 op=4 fd=109 closed - U1 I then restarted ipa-dnskeysyncd (journalctl -u ipa-dnskeysyncd): May 05 10:52:19 host.example.com systemd[1]: Stopping IPA key 
daemon... May 05 10:52:19 host.example.com ipa-dnskeysyncd[13719]: ipa : INFO Signal 15 received: Shutting down! May 05 10:52:19 host.example.com systemd[1]: Started IPA key daemon. May 05 10:52:19 host.example.com systemd[1]: Starting IPA key daemon... May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipalib.plugins... May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.aci May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automember May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automount May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.batch May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.caacl May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.cert May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.config May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.delegation May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.dns May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.group 
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.host May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idrange May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idviews May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.internal May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.kerberos May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.migration May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.misc May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey May 
05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.passwd May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.permission May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.ping May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pkinit May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.privilege May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Starting external process May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: args='klist' '-V' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Process finished, return code=0 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stderr= May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.role May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.server May 05 
10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.service May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.session May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: WARNING: session memcached servers not running May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.topology May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.trust May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.user May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.vault May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.virtual May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... 
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.join May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_43658512 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_43681424 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 
0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Kerberos principal: ipa-dnskeysyncd/host.example.com May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Initializing principal ipa-dnskeysyncd/host.example.com using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG using ccache /tmp/ipa-dnskeysyncd.ccache May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Attempt 1/5: success May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket/cn%3Ddns%2Cdc%3Dexample%2Cdc %3Dme??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%29% 28objectClass%3Dipk11PublicKey%29%29 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO LDAP bind... 
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1 May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1 May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 1 May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 2 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO Commencing sync process May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None (not received yet) May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 203dbe2d-8d9c-11e5-bb23-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-11e5-bb23-e7a3b46d8929': } May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc= example,dc=com 203dbe63-8d9c-11e5-bb23-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc= example,dc=com 9d5e3d66-ccd4-11e5-bb23-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc= example,dc=com 59985f1f-0ee0-11e6-aa2d-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc= example,dc=com dc691799-10a2-11e6-aa2d-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: 
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 83e74997-10a5-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 0f260699-10c9-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.example.com:389#krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#33443

Logs as a result of ipa-dnskeysyncd restart (/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0 etime=0

Cheers,
GTG

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
Sent: May-03-16 10:19 AM
To: 'Petr Spacek' ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

Thanks Petr. I'm on IRC as well if a more interactive troubleshooting session would be better.

Cheers,
GTG

-----Original Message-----
From: Petr Spacek [mailto:pspacek at redhat.com]
Sent: May-03-16 9:59 AM
To: Gary T. Giesen ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 15:29, Gary T. Giesen wrote:
> All lines from the log file with conn=152.
>
> [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com"
> [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
> [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0

This seems to be okay, I will think about it a bit more and return back to you when I find something.

Petr^2 Spacek

>
> -----Original Message-----
> From: Petr Spacek [mailto:pspacek at redhat.com]
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Hmm, this is really weird.
>
> It should log message "Initial LDAP dump is done, sychronizing with ODS and BIND" which is apparently not there. Maybe LDAP server is doing something weird ...
>
> Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to ones in the attached file, please?
>
> It should start with log message like "connection from local to /var/run/slapd-*".
> This line will have identifier like "conn=84". We are looking for conn number (e.g. "conn=84") which is related to BIND DN "dn="krbprincipalname=ipa-dnskeysyncd/*".
>
> If you find the right conn number, look for other lines containing the same conn number and operation "SRCH base="cn=dns,*". This SRCH line will have specific identifier like "conn=84 op=3".
>
> Now you have identifier for particular operation. Look for RESULT line with the same ID.
>
> How does it look?
>
> Can you copy&paste complete all lines with identifier conn=??? you found?
>
> Thanks!
> Petr^2 Spacek
>
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -----Original Message-----
>> From: Petr Spacek [mailto:pspacek at redhat.com]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen ; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: May-03-16 7:08 AM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> Okay, this is a problem. It should list your zone example.com because it has DNSSEC signing enabled.
>>>
>>> Make sure you are working on host.example.com (the host listed by the ldapsearch above).
>>>
>>> I would check two things:
>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it does not, re-run ipa-dns-install with --dnssec-master option to fix that.
>>>
>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make sure that it contains line "debug=True" and restart ipa-dnskeysyncd when you are done with it.
>>>
>>> The log should be much longer after this change.
>>>
>>> I hope it will help to identify the root cause.
>>>
>>> What IPA version do you use?
>>> $ rpm -q freeipa-server
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>
>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no effect. The only log entries I see are:
>>>>
>>>> # journalctl -u ipa-dnskeysyncd
>>>>
>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
>>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>>>>
>>>>
>>>>
>>>> Can anyone advise on next steps? I've been banging my head against a wall for a couple days now and would really appreciate some help.
> > > -- > Petr^2 Spacek > -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

From rmj at ast.cam.ac.uk Thu May 5 16:39:07 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Thu, 5 May 2016 17:39:07 +0100
Subject: [Freeipa-users] Help needed with keytabs
Message-ID: <572B772B.3000500@ast.cam.ac.uk>

Hi

I need to run some ipa commands in cron jobs. The post here:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
suggests I need to use a keytab file to authenticate kerberos. I've tried the prescription there, with variations, without success.

My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command).

1) Log into ipa client as user test.

2) Get the keytab
$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test at EXAMPLE.COM -k /home/test/test.keytab -P
New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /home/test/test.keytab

I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more.

3) Log into the ipa client as user test. Then
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)

4) kinit from the keytab:
$ kinit -F test at EXAMPLE.COM -k -t /home/test/test.keytab

5) Check the tickets
$ klist
Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
Default principal: test at EXAMPLE.COM

Valid starting     Expires            Service principal
05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM at EXAMPLE.COM

6) Run an ipa command:
$ ipa ping
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml

Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)?

For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64.

Thanks

Roderick Johnstone

From ggiesen+freeipa-users at giesen.me Thu May 5 17:11:01 2016
From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen)
Date: Thu, 5 May 2016 13:11:01 -0400
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <0a1b01d1a6e1$6822ab50$386801f0$@giesen.me>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> <070801d1a53f$c64924a0$52db6de0$@giesen.me> <33dbd0d6-445c-1a59-48f4-338fbb1ca01a@redhat.com> <071f01d1a546$acff20b0$06fd6210$@giesen.me> <0a1b01d1a6e1$6822ab50$386801f0$@giesen.me>
Message-ID: <0a4a01d1a6f1$1a97a510$4fc6ef30$@giesen.me>

As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and I have the same problem. These are the steps I took:

# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns
# ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir --ip-address=192.0.2.10 --idstart=100000 --idmax=199999 --no-ui-redirect --ssh-trust-dns --setup-dns --no-forwarders --no-reverse
# ipa-dns-install --no-forwarders --no-reverse --dnssec-master
# ipa dnszone-mod example.com --dnssec=true

GTG

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek' ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

I'm not entirely sure if this is what you were asking for, but here's a manual LDAP query and the associated logs, and then I restarted ipa-dnskeysyncd and the logs associated with that as well:

[root at host /]# date
Thu May 5 10:52:12 EDT 2016
[root at host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: user at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF # # LDAPv3 # base with scope subtree # filter: (|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey) ) # requesting: ALL # # example.com., dns, example.com dn: idnsname=example.com.,cn=dns,dc=example,dc=com idnsZoneActive: TRUE idnsSOAexpire: 1209600 idnsSOAminimum: 3600 objectClass: idnszone objectClass: top objectClass: idnsrecord idnsAllowTransfer: none; idnsSOAretry: 900 idnsSOAserial: 1462338941 idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * A AAA; grant EXAMPLE.COM krb5-self * SSHFP; idnsSOArefresh: 3600 idnsAllowQuery: any; idnsName: example.com. idnsSOAmName: host.example.com. idnsSOArName: hostmaster.example.com. idnsAllowDynUpdate: TRUE nSRecord: host.example.com. mXRecord: 5 mx.example.com. tXTRecord: v=spf1 ip4:104.207.128.239 ip6:2001:19f0:300:24e1::10 -all idnsSecInlineSigning: TRUE # 2a6519b4-8d9c-11e5-8ced-56000017eb11, keys, sec, dns, example.com dn: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,d c=example,dc=com objectClass: ipk11PublicKey objectClass: ipk11Object objectClass: top objectClass: ipaPublicKeyObject objectClass: ipk11Key objectClass: ipk11StorageObject ipk11Wrap: FALSE ipk11Label: dnssec-replica:host.example.com. 
ipaPublicKey:: [base64-encoded public key omitted; the archive copy is line-wrapped and partially duplicated]
ipk11Verify: FALSE
ipk11Id:: b4AQWy4+gJz2XABOkWEgnw==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2a6519b4-8d9c-11e5-8ced-56000017eb11

# 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64-encoded public key omitted]
ipk11Verify: FALSE
ipk11Id:: L9nKKUY2ypycB3EldvJjVg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11

# 70eca210-0ee0-11e6-9e98-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64-encoded public key omitted]
ipk11Verify: FALSE
ipk11Id:: teifTM9dTfpDRQgbL8rsFQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 70eca210-0ee0-11e6-9e98-56000017eb11

# fba8d874-10a2-11e6-86aa-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64-encoded public key omitted]
ipk11Verify: FALSE
ipk11Id:: WXrLuKBlC8r8UsjjGf2zww==
ipk11VerifyRecover: FALSE
ipk11UniqueId: fba8d874-10a2-11e6-86aa-56000017eb11

# a7bac2a6-10a5-11e6-9c20-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64-encoded public key omitted]
ipk11Verify: FALSE
ipk11Id:: +Y0cQI+gUJelIpun/N1IYQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: a7bac2a6-10a5-11e6-9c20-56000017eb11

# 2f32c0f8-10c9-11e6-bf47-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: TRUE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64-encoded public key omitted]
ipk11Verify: FALSE
ipk11Id:: mn+arLpqrb1jDdDZXlroUg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2f32c0f8-10c9-11e6-bf47-56000017eb11

# search result
search: 4
result: 0 Success

# numResponses: 8
# numEntries: 7

My manual LDAP search (/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from 2001:db8:300:24e1::10 to 2001:db8:300:24e1::10
[05/May/2016:10:52:13 -0400] conn=613 TLS1.2 256-bit AES-GCM
[05/May/2016:10:52:13 -0400] conn=613 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7 etime=0
[05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND
[05/May/2016:10:52:13 -0400] conn=613 op=4 fd=109 closed - U1

I then restarted ipa-dnskeysyncd (journalctl -u ipa-dnskeysyncd):

May 05 10:52:19 host.example.com systemd[1]: Stopping IPA key daemon...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13719]: ipa : INFO Signal 15 received: Shutting down!
May 05 10:52:19 host.example.com systemd[1]: Started IPA key daemon.
May 05 10:52:19 host.example.com systemd[1]: Starting IPA key daemon...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.aci May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automember May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automount May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.batch May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.caacl May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.cert May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.config May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.delegation May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.dns May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.group May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup May 05 10:52:19 
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.host May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idrange May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idviews May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.internal May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.kerberos May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.migration May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.misc May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.passwd May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.permission May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.ping May 05 10:52:19 
host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pkinit May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.privilege May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Starting external process May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: args='klist' '-V' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Process finished, return code=0 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stderr= May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.role May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.server May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.service May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.session May 05 10:52:19 
host.example.com ipa-dnskeysyncd[13834]: ipa: WARNING: session memcached servers not running May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.topology May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.trust May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.user May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.vault May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.virtual May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... 
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.join May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_43658512 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_43681424 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 
0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Kerberos principal: ipa-dnskeysyncd/host.example.com May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Initializing principal ipa-dnskeysyncd/host.example.com using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG using ccache /tmp/ipa-dnskeysyncd.ccache May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Attempt 1/5: success May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket/cn%3Ddns%2Cdc%3Dexample%2Cdc %3Dme??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%29% 28objectClass%3Dipk11PublicKey%29%29 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO LDAP bind... 
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1 May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1 May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 1 May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 2 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO Commencing sync process May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None (not received yet) May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 203dbe2d-8d9c-11e5-bb23-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-11e5-bb23-e7a3b46d8929': } May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc= example,dc=com 203dbe63-8d9c-11e5-bb23-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc= example,dc=com 9d5e3d66-ccd4-11e5-bb23-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc= example,dc=com 59985f1f-0ee0-11e6-aa2d-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc= example,dc=com dc691799-10a2-11e6-aa2d-e7a3b46d8929 May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: 
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 83e74997-10a5-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 0f260699-10c9-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.example.com:389#krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#33443

Logs as a result of ipa-dnskeysyncd restart (/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0 etime=0

Cheers,

GTG

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen Sent: May-03-16 10:19 AM To: 'Petr Spacek' ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing Thanks Petr. I'm on IRC as well if a more interactive troubleshooting session would be better. Cheers, GTG -----Original Message----- From: Petr Spacek [mailto:pspacek at redhat.com] Sent: May-03-16 9:59 AM To: Gary T. Giesen ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing On 3.5.2016 15:29, Gary T. Giesen wrote: > All lines from the log file with conn=152. > > [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from > local to /var/run/slapd-EXAMPLE-COM.socket > [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl > version=3 mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl > version=3 mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl > version=3 mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 > nentries=0 > etime=0 > dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=s > ervice > s,cn=accounts,dc=example,dc=com" > [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH > base="cn=dns,dc=example,dc=com" scope=2 > filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=i > pk11Pu > blicKey))" attrs=ALL > [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 > nentries=0 > etime=0 This seems to be okay, I will think about it a bit more and return back to you when I find something. 
Petr^2 Spacek

>
> -----Original Message-----
> From: Petr Spacek [mailto:pspacek at redhat.com]
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Hmm, this is really weird.
>
> It should log message "Initial LDAP dump is done, synchronizing with
> ODS and BIND" which is apparently not there. Maybe LDAP server is
> doing something weird ...
>
> Could you inspect /var/log/dirsrv/*/access_log and look for lines
> similar to ones in the attached file, please?
>
> It should start with log message like
> "connection from local to /var/run/slapd-*".
> This line will have identifier like "conn=84". We are looking for conn
> number (e.g. "conn=84") which is related to BIND DN
> "dn="krbprincipalname=ipa-dnskeysyncd/*".
>
> If you find the right conn number, look for other lines containing the
> same conn number and operation "SRCH base="cn=dns,*". This SRCH line
> will have specific identifier like "conn=84 op=3".
>
> Now you have identifier for particular operation. Look for RESULT line
> with the same ID.
>
> How does it look?
>
> Can you copy&paste complete all lines with identifier conn=??? you found?
>
> Thanks!
> Petr^2 Spacek
>
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -----Original Message-----
>> From: Petr Spacek [mailto:pspacek at redhat.com]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid
>> truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: May-03-16 7:08 AM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> Okay, this is a problem. It should list your zone example.com
>>> because it has DNSSEC signing enabled.
>>>
>>> Make sure you are working on host.example.com (the host listed by
>>> the ldapsearch above).
>>>
>>> I would check two things:
>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1".
>>> If it does not, re-run ipa-dns-install with --dnssec-master option
>>> to fix that.
>>>
>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and
>>> make sure that it contains line "debug=True" and restart
>>> ipa-dnskeysyncd when you are done with it.
>>>
>>> The log should be much longer after this change.
>>>
>>> I hope it will help to identify the root cause.
>>>
>>> What IPA version do you use?
>>> $ rpm -q freeipa-server
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>
>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has
>>>> had no effect. The only log entries I see are:
>>>>
>>>> # journalctl -u ipa-dnskeysyncd
>>>>
>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
>>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>>>>
>>>>
>>>>
>>>> Can anyone advise on next steps? I've been banging my head against
>>>> a wall for a couple days now and would really appreciate some help.
>
>
> --
> Petr^2 Spacek
>

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From mrorourke at earthlink.net Thu May 5 18:47:19 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Thu, 5 May 2016 14:47:19 -0400 (GMT-04:00)
Subject: [Freeipa-users] Help needed with keytabs
Message-ID: <31876291.1462474039879.JavaMail.wam@elwamui-little.atl.sa.earthlink.net>

Roderick,

Here's how we do it. Create a service account user, for example "svc_useradm". Then generate a keytab for the service account, and store it somewhere secure.

ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab

Now we can leverage the keytab for that user principal. Example:

[root at infrae2u01 ~]# kdestroy
[root at infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_useradm at LNX.DR.LOCAL
[root at infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_useradm at LNX.DR.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/LNX.DR.LOCAL at LNX.DR.LOCAL
[root at infrae2u01 ~]# ipa ping
------------------------------------------
IPA server version 3.0.0. API version 2.49
------------------------------------------

If you need to access the service account, then setup a sudo rule to switch user to that account. Example: "sudo su - svc_useradm"

-Mike

-----Original Message-----
>From: Roderick Johnstone
>Sent: May 5, 2016 12:39 PM
>To: freeipa-users at redhat.com
>Subject: [Freeipa-users] Help needed with keytabs
>
>Hi
>
>I need to run some ipa commands in cron jobs.
>
>The post here:
>https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
>suggests I need to use a keytab file to authenticate kerberos.
>
>I've tried the prescription there, with variations, without success.
>
>My current testing framework is to log into the ipa client (RHEL6.7,
>ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab,
>destroy the current tickets, re-establish a tgt for the user with kinit
>using the keytab and try to run an ipa command. The ipa command fails
>(just like in my cron jobs which use the same kinit command).
>
>1) Log into ipa client as user test.
>
>2) Get the keytab
>$ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test at EXAMPLE.COM -k /home/test/test.keytab -P
>New Principal Password:
>Verify Principal Password:
>Keytab successfully retrieved and stored in: /home/test/test.keytab
>
>I seem to have to reset the password to what it was in this step,
>otherwise it gets set to something random and the user test cannot log
>into the ipa client any more.
>
>3) Log into the ipa client as user test. Then
>$ kdestroy
>$ klist
>klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
>
>4) kinit from the keytab:
>$ kinit -F test at EXAMPLE.COM -k -t /home/test/test.keytab
>
>5) Check the tickets
>$ klist
>Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>Default principal: test at EXAMPLE.COM
>
>Valid starting     Expires            Service principal
>05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>
>6) Run an ipa command:
>$ ipa ping
>ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml
>
>Can someone advise what I'm doing wrong in this procedure please (some
>strings were changed to anonymize the setting)?
>
>For completeness of information, the ipa servers are RHEL 7.2,
>ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>
>Thanks
>
>Roderick Johnstone
>

From hatlam at gmail.com Thu May 5 19:46:48 2016
From: hatlam at gmail.com (Ha T. Lam)
Date: Thu, 5 May 2016 12:46:48 -0700
Subject: [Freeipa-users] Dogtag migration to FreeIPA
In-Reply-To: <20160505022443.GT1237@dhcp-40-8.bne.redhat.com>
References: <20160505022443.GT1237@dhcp-40-8.bne.redhat.com>

Hi Fraser,

Thank you very much for the immediate response. Our use-case for Dogtag is: our installation engineers request a signing CA cert through the Dogtag web interface, and our admin grants the request, anything following is not managed with Dogtag. So we only use Dogtag for managing the root cert and the signing CA certs (beside OCSP, audit certs, etc that come with the system).

I'm not sure how your solution would work in our case, if we import a signing cert into Dogtag and sign other certs that we give to our installation engineers using it, it would change our current cert chain.

Reading your reply, I realized I probably misunderstood how FreeIPA worked, I thought I only needed to import Dogtag's Root CA (which is our company Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this would not work, would it?

Thanks,
Ha

On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale wrote:
> On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > Hi,
> >
> > We have an in-house CA system managed by a stand-alone Dogtag system, we
> > would like to integrate it with our FreeIPA system which is already in use
> > and is setup with the company LDAP. I'm new to FreeIPA and I have some
> > questions about this process:
> >
> > 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> > directly? If so, how would I achieve that?
> >
> This is not supported, though it's technically feasible (we just
> don't have any code to do it).
>
> > 2. If it's not possible to do the above, what about setting up a clone of
> > the current FreeIPA system and migrate Dogtag during the installation of
> > the replica? Is this a better option?
> >
> Same as above... technically feasible but no way to do it right now.
>
> > 3. Any other alternative?
> >
> One alternative is to export your CA signing cert and key, and
> install a new Dogtag instance in your FreeIPA environment. The IPA
> Dogtag instance would be "detached" from your existing Dogtag
> instance but, cryptographically speaking, it would be the same CA.
>
> You would have to tweak serial number ranges to ensure the new
> instance doesn't reuse serial numbers that were already used (a
> simple procedure).
>
> How well this would work in your organisation would depend on what
> sorts of things you use the existing Dogtag for, how clients expect
> to renew certificates, etc. I'm happy to answer questions you might
> have in considering this approach.
>
> Cheers,
> Fraser
>

From ftweedal at redhat.com Thu May 5 20:37:04 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 6 May 2016 06:37:04 +1000
Subject: [Freeipa-users] Dogtag migration to FreeIPA
References: <20160505022443.GT1237@dhcp-40-8.bne.redhat.com>
Message-ID: <20160505203704.GX1237@dhcp-40-8.bne.redhat.com>

On Thu, May 05, 2016 at 12:46:48PM -0700, Ha T. Lam wrote:
> Hi Fraser,
>
> Thank you very much for the immediate response. Our use-case for Dogtag is:
> our installation engineers request a signing CA cert through the Dogtag web
> interface, and our admin grants the request, anything following is not
> managed with Dogtag. So we only use Dogtag for managing the root cert and
> the signing CA certs (beside OCSP, audit certs, etc that come with the
> system).
>
> I'm not sure how your solution would work in our case, if we import a
> signing cert into Dogtag and sign other certs that we give to our
> installation engineers using it, it would change our current cert chain.
>
> Reading your reply, I realized I probably misunderstood how FreeIPA worked,
> I thought I only needed to import Dogtag's Root CA (which is our company
> Root CA) into FreeIPA's Dogtag for it to work. Just for checking, this
> would not work, would it?
>
Correct; there isn't right now a way to "adopt" an existing CA into
an existing Dogtag instance.

In either case, because you are issuing admin-approved CA
certificates, I don't think FreeIPA fits your use case. In the
future we will support sub-CA creation (it is what I am working on)
so you might want to evaluate FreeIPA once that feature has landed.

Cheers,
Fraser

> Thanks,
> Ha
>
> On Wed, May 4, 2016 at 7:24 PM, Fraser Tweedale wrote:
>
> > On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote:
> > > Hi,
> > >
> > > We have an in-house CA system managed by a stand-alone Dogtag system, we
> > > would like to integrate it with our FreeIPA system which is already in use
> > > and is setup with the company LDAP. I'm new to FreeIPA and I have some
> > > questions about this process:
> > >
> > > 1. Is it possible to add our current Dogtag on top of the FreeIPA system
> > > directly? If so, how would I achieve that?
> > >
> > This is not supported, though it's technically feasible (we just
> > don't have any code to do it).
> >
> > > 2. If it's not possible to do the above, what about setting up a clone of
> > > the current FreeIPA system and migrate Dogtag during the installation of
> > > the replica? Is this a better option?
> > >
> > Same as above... technically feasible but no way to do it right now.
> >
> > > 3. Any other alternative?
> > >
> > One alternative is to export your CA signing cert and key, and
> > install a new Dogtag instance in your FreeIPA environment.
> > The IPA
> > Dogtag instance would be "detached" from your existing Dogtag
> > instance but, cryptographically speaking, it would be the same CA.
> >
> > You would have to tweak serial number ranges to ensure the new
> > instance doesn't reuse serial numbers that were already used (a
> > simple procedure).
> >
> > How well this would work in your organisation would depend on what
> > sorts of things you use the existing Dogtag for, how clients expect
> > to renew certificates, etc. I'm happy to answer questions you might
> > have in considering this approach.
> >
> > Cheers,
> > Fraser
> >

From anthony.wan.cheng at gmail.com Thu May 5 21:28:51 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Thu, 5 May 2016 17:28:51 -0400
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com> <5724BC4A.3060400@redhat.com> <57275C0E.10003@redhat.com> <5729F3FC.1000306@redhat.com>

More updates; it turns out that there were some duplicate and expired certificates as well as incorrect trust attributes (e.g. seeing 2 instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I deleted the duplicate cert and re-added the certificate w/ a valid date and fixed the cert trust attributes along the way.

So it went from this

[root at test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

Server-Cert                           u,u,u
ipaCert                               u,u,u
sample.NET IPA CA                     CT,C,C
ipaCert                               u,u,u
Signing-Cert                          u,u,u
Server-Cert                           u,u,u

to this

[root at test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI

ipaCert                               u,u,u
Server-Cert                           u,u,u
sample.NET IPA CA                     CT,C,C
Signing-Cert                          u,u,u

And I also re-tried the resubmit/restart processes, but unfortunately the error persists (ca-error: Server failed request, will retry: 4301 (RPC failed at server.
Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).)

Currently I am in the process of recreating this problem on RHEL 6 to try to get RH support on this.

Thanks,
Anthony

On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng wrote:
> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden wrote:
>> Anthony Cheng wrote:
>>>
>>> Small update, I found an article on the RH solution library
>>> (https://access.redhat.com/solutions/2020223) that has the same error
>>> code that I am getting and I followed the steps with certutil to update
>>> the cert attributes but it is still not working. The article is listed
>>> as "Solution in Progress".
>>>
>>> [root at test ~]# getcert list | more
>>>
>>> Number of certificates and requests being tracked: 7.
>>>
>>> Request ID '20111214223243':
>>>
>>> status: CA_UNREACHABLE
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server.Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>
>>
>> Not Found means the CA didn't start. You need to examine the debug and
>> selftest logs to determine why.
>>
>> rob
>
> selftests.log is empty; there are entries for other times but not for
> the test from when I set the clock to renew certs.
>
> [root at test pki-ca]# clock
> Fri 29 Jan 2016 08:19:54 AM UTC -0.960583 seconds
> [root at test pki-ca]#
> [root at test pki-ca]#
>
> [root at test pki-ca]# ll * | grep self
> -rw-r-----. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
> -rw-r-----. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
> -rw-r-----. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
> -rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
> -rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
>
> From debug log I see some error messages:
>
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
> at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>
> Full log:
>
> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:09:02][main]: ============================================
> [28/Jan/2016:21:09:02][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> [28/Jan/2016:21:09:02][main]: ============================================
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_FAIL
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > keyConstraintImpl Key Constraint Key Constraint com.netsc > ape.cms.profile.constraint.KeyConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > nsCertTypeExtConstraintImpl Netscape Certificate Type Ext > ension Constraint Netscape Certificate Type Extension Constraint > com.netscape.cms.profile.constraint.NSCertTypeExtCon > straint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > validityConstraintImpl Validity Constraint Validity Const > raint com.netscape.cms.profile.constraint.ValidityConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > uniqueKeyConstraintImpl Unique Public Key Constraint Uniq > ue Public Key Constraint com.netscape.cms.profile.constraint.UniqueKeyConstraint > [28/Jan/2016:21:09:03][main]: added plugin profile caEnrollImpl > Generic Certificate Enrollment Profile Certificate Au > thority Generic Certificate Enrollment Profile > com.netscape.cms.profile.common.CAEnrollProfile > [28/Jan/2016:21:09:03][main]: added plugin profile > caUserCertEnrollImpl User Certificate Enrollment Profile Certifica > te Authority User Certificate Enrollment Profile > com.netscape.cms.profile.common.UserCertCAEnrollProfile > [28/Jan/2016:21:09:03][main]: added plugin profile > caServerCertEnrollImpl Server Certificate Enrollment Profile Certi > ficate Authority Server Certificate Enrollment Profile > com.netscape.cms.profile.common.ServerCertCAEnrollProfile > [28/Jan/2016:21:09:03][main]: added plugin profile caCACertEnrollImpl > CA Certificate Enrollment Profile Certificate A > uthority CA Certificate Enrollment Profile > com.netscape.cms.profile.common.CACertCAEnrollProfile > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userKeyDefaultImpl User Supplied Key Default User Supplied K > ey Default com.netscape.cms.profile.def.UserKeyDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > freshestCRLExtDefaultImpl Freshest CRL 
Extension Default Fre > shest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > authInfoAccessExtDefaultImpl Authority Info Access Extension > Default Authority Info Access Extension Default > com.netscape.cms.profile.def.AuthInfoAccessExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNa > meDefault nsTokenUserKeySubjectNameDefaultImpl > com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > genericExtDefaultImpl Generic Extension Generic Extension co > m.netscape.cms.profile.def.GenericExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > authorityKeyIdentifierExtDefaultImpl Authority Key Identifie > r Extension Default Authority Key Identifier Extension Default > com.netscape.cms.profile.def.AuthorityKeyIdentifierExt > Default > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > issuerAltNameExtDefaultImpl Issuer Alternative Name Extensio > n Default Issuer Alternative Name Extension Default > com.netscape.cms.profile.def.IssuerAltNameExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > basicConstraintsExtDefaultImpl Basic Constraints Extension D > efault Basic Constraints Extension Default > com.netscape.cms.profile.def.BasicConstraintsExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > keyUsageExtDefaultImpl Key Usage Extension Default Key Usage > Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OC > SP No Check Extension Default com.netscape.cms.profile.def.OCSPNoCheckExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectAltNameExtDefaultImpl Subject Alternative Name Extens > ion Default Subject Alternative 
Name Extension Default > com.netscape.cms.profile.def.SubjectAltNameExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userValidityDefaultImpl User Supplied Validity Default User > Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userSubjectNameDefaultImpl User Supplied Subject Name Defaul > t User Supplied Subject Name Default > com.netscape.cms.profile.def.UserSubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectDirAttributesExtDefaultImpl Subject Directory Attribu > tes Extension Default Subject Directory Attributes Extension Default > com.netscape.cms.profile.def.SubjectDirAttribute > sExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > certificateVersionDefaultImpl Certificate Version Default Ce > rtificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > extendedKeyUsageExtDefaultImpl Extended Key Usage Extension > Default Extended Key Usage Extension Default > com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > policyConstraintsExtDefaultImpl Policy Constraints Extension > Default Policy Constraints Extension Default > com.netscape.cms.profile.def.PolicyConstraintsExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > crlDistributionPointsExtDefaultImpl CRL Distribution Points > Extension Default CRL Distribution Points Extension Default > com.netscape.cms.profile.def.CRLDistributionPointsExtDefa > ult > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > certificatePoliciesExtDefaultImpl Certificate Policies Exten > sion Default Certificate Policies Extension Default > com.netscape.cms.profile.def.CertificatePoliciesExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > validityDefaultImpl Validity Default 
Validty Default com.net > scape.cms.profile.def.ValidityDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul > t Private Key Period Ext Default > com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl > No Default No Default com.netscape.cms.profile > .def.NoDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > imageDefaultImpl Image Default Image Default com.netscape.cm > s.profile.def.ImageDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectInfoAccessExtDefaultImpl Subject Info Access Extensio > n Default Subject Info Access Extension Default > com.netscape.cms.profile.def.SubjectInfoAccessExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > autoAssignDefaultImpl Auto Request Assignment Default Auto R > equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > policyMappingsExtDefaultImpl Policy Mappings Extension Defau > lt Policy Mappings Extension Default > com.netscape.cms.profile.def.PolicyMappingsExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > caValidityDefaultImpl CA Certificate Validity Default CA Cer > tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userExtensionDefaultImpl User Supplied Extension Default Use > r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nsCertTypeExtDefaultImpl Netscape Certificate Type Extension > Default Netscape Certificate Type Extension Default > com.netscape.cms.profile.def.NSCertTypeExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > authTokenSubjectNameDefaultImpl Token Supplied Subject Name > Default Token Supplied Subject 
Name Default > com.netscape.cms.profile.def.AuthTokenSubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectNameDefaultImpl Subject Name Default Subject Name Def > ault com.netscape.cms.profile.def.SubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userSigningAlgDefaultImpl User Supplied Signing Alg Default > User Supplied Signing Alg Default > com.netscape.cms.profile.def.UserSigningAlgDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De > fault Subject Key Identifier Default > com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension > Default Inhibit Any-Policy Extension Default > com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje > ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl > com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nscCommentExtDefaultImpl Netscape Comment Extension Default > Netscape Comment Extension Default > com.netscape.cms.profile.def.NSCCommentExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > signingAlgDefaultImpl Signing Algorithm Default Signing Algo > rithm Default com.netscape.cms.profile.def.SigningAlgDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nameConstraintsExtDefaultImpl Name Constraints Extension Def > ault Name Constraints Extension Default > com.netscape.cms.profile.def.NameConstraintsExtDefault > [28/Jan/2016:21:09:03][main]: added plugin profileUpdater > subsystemGroupUpdaterImpl Updater for Subsystem Group Updat > er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater > 
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized request
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
> [28/Jan/2016:21:09:03][main]: CertificateAuthority init
> [28/Jan/2016:21:09:03][main]: Cert Repot inited
> [28/Jan/2016:21:09:03][main]: CRL Repot inited
> [28/Jan/2016:21:09:03][main]: Replica Repot inited
> [28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
> [28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
> [28/Jan/2016:21:09:03][main]: converted to x509CertImpl
> [28/Jan/2016:21:09:03][main]: Got private key from cert
> [28/Jan/2016:21:09:03][main]: Got public key from cert
> [28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest
> [28/Jan/2016:21:09:03][main]: CA signing unit inited
> [28/Jan/2016:21:09:03][main]: cachainNum= 0
> [28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS.
> [28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>         at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>         at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>         at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>         at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:616)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> [28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=SAMPLE.NET
>>> subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
>>> expires: 2016-01-29 14:09:46 UTC
>>> eku: id-kp-serverAuth
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng wrote:
>>>
>>> On Mon, May 2, 2016 at 9:54 AM Rob Crittenden wrote:
>>>
>>> Anthony Cheng wrote:
>>> > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
>>> >
>>> > Anthony Cheng wrote:
>>> > > OK so I made progress on my cert renew issue; I was able to get kinit
>>> > > working so I can follow the rest of the steps here
>>> > > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>> > >
>>> > > However, after using
>>> > >
>>> > > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>>> > >
>>> > > and restarting apache (/sbin/service httpd restart), resubmitting 3
>>> > > certs (ipa-getcert resubmit -i ) and restarting IPA
>>> > > (/sbin/service ipa restart), I still see:
>>> > >
>>> > > [root at test ~]# ipa-getcert list | more
>>> > > Number of certificates and requests being tracked: 8.
>>> > > Request ID '20111214223243':
>>> > > status: CA_UNREACHABLE
>>> > > ca-error: Server failed request, will retry: 4301 (RPC failed
>>> > > at server. Certificate operation cannot be completed: Unable to
>>> > > communicate with CMS (Not Found)).
>>> >
>>> > IPA proxies requests to the CA through Apache. This means that while
>>> > tomcat started ok it didn't load the dogtag CA application, hence the
>>> > Not Found.
>>> >
>>> > Check the CA debug and selftest logs to see why it failed to start
>>> > properly.
>>> >
>>> > [ snip ]
>>> >
>>> > Actually after a reboot that error went away and I just get this error
>>> > instead "ca-error: Server failed request, will retry: -504 (libcurl
>>> > failed to execute the HTTP POST transaction. Peer certificate cannot be
>>> > authenticated with known CA certificates)." from "getcert list"
>>> >
>>> > Result of service ipa restart is interesting since it shows today's time
>>> > when I already changed date/time/disabled NTP, so somehow the system still
>>> > knows today's time.
>>> >
>>> > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
>>> > CERT_VerifyCertificateNow: verify certificate failed for cert
>>> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
>>> > Runtime error -8181 - Peer's Certificate has expired.)
>>>
>>> Hard to say. I'd confirm that there is no time syncing service running,
>>> ntp or otherwise.
>>>
>>>
>>> I found out why the time kept changing; it was due to the fact that
>>> it has VM tools installed (I didn't configure this box) so it
>>> automatically syncs time during bootup.
>>>
>>> I did still see this error message:
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server. Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Not Found))
>>>
>>> I tried the step http://www.freeipa.org/page/Troubleshooting with
>>>
>>> certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>>> openssl x509 -text -in /tmp/ra.crt
>>> certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>>> service httpd restart
>>>
>>> so that I can get rid of one of the CA certs that is expired (kept
>>> the 1st one) but still getting the same error
>>>
>>> What exactly is CMS and why is it not found?
>>>
>>> I did notice that the selftest log is empty with a different time:
>>>
>>> -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
>>>
>>> [root at test ~]# clock
>>> Wed 27 Jan 2016 03:33:00 PM UTC  -0.046800 seconds
>>>
>>> Here are some debug logs after reboot:
>>>
>>> [root at test pki-ca]# tail -n 100 catalina.out
>>>
>>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>>> Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>>> INFO: Jk running ID=0 time=1/23config=null
>>> Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>>> INFO: Server startup in 1722 ms
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9180
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9443
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9445
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9444
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9446
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>>> INFO: Stopping service Catalina
>>> Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9180
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9443
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9445
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9444
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9446
>>> Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9180
>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9443
>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9445
>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9444
>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9446
>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
>>> INFO: Initialization processed in 2198 ms
>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
>>> INFO: Starting service Catalina
>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
>>> INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
>>> INFO: Deploying web application directory ROOT
>>> Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
>>> INFO: Deploying web application directory ca
>>> 64-bit osutil library loaded
>>> 64-bit osutil library loaded
>>> Certificate object not found
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9180
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9443
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9445
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9444
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9446
>>> Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
>>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>>> Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
>>> INFO: Jk running ID=0 time=0/40config=null
>>> Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
>>> INFO: Server startup in 2592 ms
>>>
>>> [root at test pki-ca]# tail -n 100 debug
>>>
>>>
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
>>> [27/Jan/2016:15:30:43][main]: CertificateAuthority init
>>> [27/Jan/2016:15:30:43][main]: Cert Repot inited
>>> [27/Jan/2016:15:30:43][main]: CRL Repot inited
>>> [27/Jan/2016:15:30:43][main]: Replica Repot inited
>>> [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
>>> [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
>>> [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
>>> [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
>>> [27/Jan/2016:15:30:43][main]: Got private key from cert
>>> [27/Jan/2016:15:30:43][main]: Got public key from cert
>>> [27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
>>> [27/Jan/2016:15:30:43][main]: CA signing unit inited
>>> [27/Jan/2016:15:30:43][main]: cachainNum= 0
>>> [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
>>> [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
>>> [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
>>> [27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
>>> [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
>>> Certificate object not found
>>>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>>         at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>>>         at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>>>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>>>         at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>>>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>>>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>>>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>>>         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>>>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>>         at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>>         at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>>>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>         at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>         at java.lang.reflect.Method.invoke(Method.java:616)
>>>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>> [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
>>>
>>> > > Would really greatly appreciate any help on this.
>>> > >
>>> > > Also I noticed after I do ldapmodify of usercertificate binary data with
>>> > >
>>> > > add: usercertificate;binary
>>> > > usercertificate;binary: !@#$@!#$#@$
>>> >
>>> > You really pasted in binary? Or was this base64-encoded data?
>>> >
>>> > I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using something like:
>>> >
>>> > dn: uid=ipara,ou=people,o=ipaca
>>> > changetype: modify
>>> > add: usercertificate;binary
>>> > usercertificate;binary:< file:///path/to/cert.der
>>> >
>>> > You can use something like openssl x509 to switch between PEM and DER formats.
>>> >
>>> > I have a vague memory that dogtag can deal with a multi-valued usercertificate attribute.
>>> >
>>> > rob
>>> >
>>> >
>>> > Yes the wiki stated binary, the result of:
>>> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W
>>> >
>>> > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>>> >
>>> > But the actual data is from a PEM though.
>>>
>>> Ok. So I looked at my CA data and it doesn't use the binary subtype, so my entries look like:
>>>
>>> userCertificate:: MIID....
>>>
>>> It might make a difference if dogtag is looking for the subtype or not.
>>>
>>> rob
>>>
>>> >
>>> > >
>>> > > Then I re-run
>>> > >
>>> > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
>>> > >
>>> > > I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicate and NOT from data that I added. That seems incorrect to me.
>>> > >
>>> > > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
>>> > >
>>> > > klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry).
>>> > >
>>> > > Also I had asked awhile back about whether there is dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.
>>> > >
>>> > > Regarding the clock skew, I found out from /var/log/message that shows me this so it may be from named:
>>> > >
>>> > > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
>>> > > Jan 28 14:10:42 test named[2911]: loading configuration: failure
>>> > > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
>>> > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>>> > >
>>> > > I don't have a krb5cc_496 file (since klist is empty), so sounds to me I need to get a Kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed time back to before the cert expiration date and reboot and try renew but the error message about clock skew is still there. That seems strange.
>>> > >
>>> > > Lastly, as an absolute last resort, can I regenerate a new cert myself?
>>> > > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>>> > >
>>> > > [root at test /]# klist
>>> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>> > > [root at test /]# service ipa start
>>> > > Starting Directory Service
>>> > > Starting dirsrv:
>>> > >     PKI-IPA...                                   [  OK  ]
>>> > >     sample-NET...                                [  OK  ]
>>> > > Starting KDC Service
>>> > > Starting Kerberos 5 KDC:                         [  OK  ]
>>> > > Starting KPASSWD Service
>>> > > Starting Kerberos 5 Admin Server:                [  OK  ]
>>> > > Starting DNS Service
>>> > > Starting named:                                  [FAILED]
>>> > > Failed to start DNS Service
>>> > > Shutting down
>>> > > Stopping Kerberos 5 KDC:                         [  OK  ]
>>> > > Stopping Kerberos 5 Admin Server:                [  OK  ]
>>> > > Stopping named:                                  [  OK  ]
>>> > > Stopping httpd:                                  [  OK  ]
>>> > > Stopping pki-ca:                                 [  OK  ]
>>> > > Shutting down dirsrv:
>>> > >     PKI-IPA...                                   [  OK  ]
>>> > >     sample-NET...                                [  OK  ]
>>> > > Aborting ipactl
>>> > > [root at test /]# klist
>>> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>> > > [root at test /]# service ipa status
>>> > > Directory Service: STOPPED
>>> > > Failed to get list of services to probe status:
>>> > > Directory Server is stopped
>>> > >
>>> > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote:
>>> > >
>>> > >     On 27/04/16 21:54, Anthony Cheng wrote:
>>> > > > Hi list,
>>> > > >
>>> > > > I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expires, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
>>> > > >
>>> > > > With NTP disabled and clock reset why would it complain about clock skew and how does it even know about the current time?
>>> > > >
>>> > > > [root at test certs]# getcert list
>>> > > > Number of certificates and requests being tracked: 8.
>>> > > > Request ID '20111214223243':
>>> > > >         status: MONITORING
>>> > > >         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>>> > > >         stuck: no
>>> > > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>>> > > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>> > > >         CA: IPA
>>> > > >         issuer: CN=Certificate Authority,O=sample.NET
>>> > > >         subject: CN=test.sample.net,O=sample.NET
>>> > > >         expires: 2016-01-29 14:09:46 UTC
>>> > > >         eku: id-kp-serverAuth
>>> > > >         pre-save command:
>>> > > >         post-save command:
>>> > > >         track: yes
>>> > > >         auto-renew: yes
>>> > > > Request ID '20111214223300':
>>> > > >         status: MONITORING
>>> > > >         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>>> > > >         stuck: no
>>> > > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>> > > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>> > > >         CA: IPA
>>> > > >         issuer: CN=Certificate Authority,O=sample.NET
>>> > > >         subject: CN=test.sample.net,O=sample.NET
>>> > > >         expires: 2016-01-29 14:09:45 UTC
>>> > > >         eku: id-kp-serverAuth
>>> > > >         pre-save command:
>>> > > >         post-save command:
>>> > > >         track: yes
>>> > > >         auto-renew: yes
>>> > > > Request ID '20111214223316':
>>> > > >         status: MONITORING
>>> > > >         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>>> > > >         stuck: no
>>> > > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > > >         CA: IPA
>>> > > >         issuer: CN=Certificate Authority,O=sample.NET
>>> > > >         subject: CN=test.sample.net,O=sample.NET
>>> > > >         expires: 2016-01-29 14:09:45 UTC
>>> > > >         eku: id-kp-serverAuth
>>> > > >         pre-save command:
>>> > > >         post-save command:
>>> > > >         track: yes
>>> > > >         auto-renew: yes
>>> > > > Request ID '20130519130741':
>>> > > >         status: NEED_CSR_GEN_PIN
>>> > > >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>> > > >         stuck: yes
>>> > > >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > > > '
>>> > > >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > > >         CA: dogtag-ipa-renew-agent
>>> > > >         issuer: CN=Certificate Authority,O=sample.NET
>>> > > >         subject: CN=CA Audit,O=sample.NET
>>> > > >         expires: 2017-10-13 14:10:49 UTC
>>> > > >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> > > >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> > > >         track: yes
>>> > > >         auto-renew: yes
>>> > > > Request ID '20130519130742':
>>> > > >         status: NEED_CSR_GEN_PIN
>>> > > >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>> > > >         stuck: yes
>>> > > >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > > > '
>>> > > >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > > >         CA: dogtag-ipa-renew-agent
>>> > > >         issuer: CN=Certificate Authority,O=sample.NET
>>> > > >         subject: CN=OCSP Subsystem,O=sample.NET
>>> > > >         expires: 2017-10-13 14:09:49 UTC
>>> > > >         eku: id-kp-OCSPSigning
>>> > > >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> > > >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> > > >         track: yes
>>> > > >         auto-renew: yes
>>> > > > Request ID '20130519130743':
>>> > > >         status: NEED_CSR_GEN_PIN
>>> > > >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>> > > >         stuck: yes
>>> > > >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > > > '
>>> > > >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> > > >         CA: dogtag-ipa-renew-agent
>>> > > >         issuer: CN=Certificate Authority,O=sample.NET
>>> > > >         subject: CN=CA Subsystem,O=sample.NET
>>> > > >         expires: 2017-10-13 14:09:49 UTC
>>> > > >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> > > >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> > > >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> > > >         track: yes
>>> > > >         auto-renew: yes
>>> > > > Request ID '20130519130744':
>>> > > >         status: MONITORING
>>> > > >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>> > > >         stuck: no
>>> > > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> > > >         CA: dogtag-ipa-renew-agent
>>> > > >         issuer: CN=Certificate Authority,O=sample.NET
>>> > > >         subject: CN=RA Subsystem,O=sample.NET
>>> > > >         expires: 2017-10-13 14:09:49 UTC
>>> > > >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> > > >         pre-save command:
>>> > > >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> > > >         track: yes
>>> > > >         auto-renew: yes
>>> > > > Request ID '20130519130745':
>>> > > >         status: NEED_CSR_GEN_PIN
>>> > > >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>> > > >         stuck: yes
>>> > > >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>>> > > > '
>>> > > >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert

From rmj at ast.cam.ac.uk Thu May 5 21:31:12 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Thu, 5 May 2016 22:31:12 +0100
Subject: [Freeipa-users] Help needed with keytabs
In-Reply-To: <31876291.1462474039879.JavaMail.wam@elwamui-little.atl.sa.earthlink.net>
References: <31876291.1462474039879.JavaMail.wam@elwamui-little.atl.sa.earthlink.net>
Message-ID: <572BBBA0.9030202@ast.cam.ac.uk>

Hi Mike

Thanks for sharing your setup. It looks pretty much like mine.

I just tried your kinit command syntax and then I can ipa ping successfully.
Then I tried my kinit syntax (after a kdestroy) and I can still ipa ping successfully!

So, it does work now, but I don't know why it didn't work for me earlier. It feels like some sort of caching problem but I think kdestroy clears the cache.

Thanks again for your help.

Roderick

On 05/05/2016 19:47, Michael ORourke wrote:
>
> Roderick,
>
> Here's how we do it.
> Create a service account user, for example "svc_useradm".
> Then generate a keytab for the service account, and store it somewhere secure.
> ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab
>
> Now we can leverage the keytab for that user principal.
> Example:
> [root at infrae2u01 ~]# kdestroy
>
> [root at infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab svc_useradm at LNX.DR.LOCAL
>
> [root at infrae2u01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: svc_useradm at LNX.DR.LOCAL
>
> Valid starting     Expires            Service principal
> 05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/LNX.DR.LOCAL at LNX.DR.LOCAL
>
> [root at infrae2u01 ~]# ipa ping
> ------------------------------------------
> IPA server version 3.0.0. API version 2.49
> ------------------------------------------
>
> If you need to access the service account, then set up a sudo rule to switch user to that account.
> Example: "sudo su - svc_useradm"
>
> -Mike
>
> -----Original Message-----
>> From: Roderick Johnstone
>> Sent: May 5, 2016 12:39 PM
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] Help needed with keytabs
>>
>> Hi
>>
>> I need to run some ipa commands in cron jobs.
>>
>> The post here:
>> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
>> suggests I need to use a keytab file to authenticate with Kerberos.
>>
>> I've tried the prescription there, with variations, without success.
>>
>> My current testing framework is to log into the ipa client (RHEL6.7, ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy the current tickets, re-establish a tgt for the user with kinit using the keytab and try to run an ipa command. The ipa command fails (just like in my cron jobs which use the same kinit command).
>>
>> 1) Log into ipa client as user test.
>>
>> 2) Get the keytab
>> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test at EXAMPLE.COM -k /home/test/test.keytab -P
>> New Principal Password:
>> Verify Principal Password:
>> Keytab successfully retrieved and stored in: /home/test/test.keytab
>>
>> I seem to have to reset the password to what it was in this step, otherwise it gets set to something random and the user test cannot log into the ipa client any more.
>>
>> 3) Log into the ipa client as user test. Then
>> $ kdestroy
>> $ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
>>
>> 4) kinit from the keytab:
>> $ kinit -F test at EXAMPLE.COM -k -t /home/test/test.keytab
>>
>> 5) Check the tickets
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
>> Default principal: test at EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>
>> 6) Run an ipa command:
>> $ ipa ping
>> ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, https://ipa2.example.com/ipa/xml
>>
>> Can someone advise what I'm doing wrong in this procedure please (some strings were changed to anonymize the setting)?
>>
>> For completeness of information, the ipa servers are RHEL 7.2, ipa-server-4.2.0-15.el7_2.6.1.x86_64.
>>
>> Thanks
>>
>> Roderick Johnstone
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

From rcritten at redhat.com Thu May 5 21:39:08 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 5 May 2016 17:39:08 -0400
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To:
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com> <5724BC4A.3060400@redhat.com> <57275C0E.10003@redhat.com> <5729F3FC.1000306@redhat.com>
Message-ID: <572BBD7C.4060705@redhat.com>

Anthony Cheng wrote:
> More updates; it turns out that there were some duplicate and expired certificates as well as incorrect trust attributes (e.g. seeing 2 instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I deleted the duplicate cert, re-added the certificate with a valid date and fixed the cert trust attributes along the way.

You're fixing the wrong place. Apache is up and serving which is how you are getting Not Found. It is dogtag that isn't starting for some reason.

Maybe Endi has some ideas.

rob

>
> So it went from this
>
> [root at test ~]# certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> ipaCert                                                      u,u,u
> sample.NET IPA CA                                            CT,C,C
> ipaCert                                                      u,u,u
> Signing-Cert                                                 u,u,u
> Server-Cert                                                  u,u,u
>
> to this
>
> [root at test ~]# certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> sample.NET IPA CA                                            CT,C,C
> Signing-Cert                                                 u,u,u
>
> And I also re-tried the resubmit/restart processes but unfortunately the error persists (ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed : Unable to communicate with CMS (Not Found)).)
>
> Currently I am in the process of recreating this problem on RHEL 6 to try to get RH support on this.
>
> Thanks, Anthony
>
>
> On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng wrote:
>> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden wrote:
>>> Anthony Cheng wrote:
>>>>
>>>> Small update, I found an article on the RH solution library (https://access.redhat.com/solutions/2020223) that has the same error code that I am getting and I followed the steps with certutil to update the cert attributes but it is still not working. The article is listed as "Solution in Progress".
>>>>
>>>> [root at test ~]# getcert list | more
>>>>
>>>> Number of certificates and requests being tracked: 7.
>>>>
>>>> Request ID '20111214223243':
>>>>
>>>>         status: CA_UNREACHABLE
>>>>
>>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>>
>>>
>>> Not Found means the CA didn't start. You need to examine the debug and selftest logs to determine why.
>>>
>>> rob
>>
>> selftests.log is empty; there are entries for other times but not for the time when I set the clock to renew certs.
>>
>> [root at test pki-ca]# clock
>> Fri 29 Jan 2016 08:19:54 AM UTC -0.960583 seconds
>> [root at test pki-ca]#
>> [root at test pki-ca]#
>>
>> [root at test pki-ca]# ll * | grep self
>> -rw-r-----. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
>> -rw-r-----. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
>> -rw-r-----. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
>> -rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
>> -rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
>>
>> From debug log I see some error messages:
>>
>> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
>> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
>> Certificate object not found
>>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>
>> Full log:
>>
>> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
>> [28/Jan/2016:21:09:02][main]: ============================================
>> [28/Jan/2016:21:09:02][main]: =====  DEBUG SUBSYSTEM INITIALIZED  =======
>> [28/Jan/2016:21:09:02][main]: ============================================
>> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
>> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
>> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
>> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
>> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_SUCCESS
>>
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_FAIL >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: INTER_BOUNDARY >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_FAIL >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_SUCCESS >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> CERT_PROFILE_APPROVAL >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> PROOF_OF_POSSESSION >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_RETRIEVAL >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_VALIDATION >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> CMC_SIGNED_REQUEST_SIG_VERIFY >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> SERVER_SIDE_KEYGEN_REQUEST >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> COMPUTE_SESSION_KEY_REQUEST >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> DIVERSIFY_KEY_REQUEST >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> ENCRYPT_DATA_REQUEST >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> 
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> OCSP_ADD_CA_REQUEST >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> OCSP_ADD_CA_REQUEST_PROCESSED >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> OCSP_REMOVE_CA_REQUEST >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> COMPUTE_RANDOM_DATA_REQUEST >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE >> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: >> CIMC_CERT_VERIFICATION >> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=log >> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized log >> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=os >> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=os >> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=os >> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized os >> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=jss >> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=jss >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_rc4_40_md5 >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_rc2_40_md5 >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_des_sha >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_rc4_128_md5 >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_3des_sha >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): 
setting ssl >> cipher rsa_fips_des_sha >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_fips_3des_sha >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher fortezza >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher fortezza_rc4_128_sha >> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_null_md5 >> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=jss >> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized jss >> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=dbs >> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=dbs >> [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init >> [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init() >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal >> LDAP Database >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password not in memory >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: try >> to get it from password store >> [28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password >> store initialized before. >> [28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password >> store initialized. 
>> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: >> about to get from passwored store: Internal LDAP Da >> tabase >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: >> password store available >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: >> password for Internal LDAP Database not found, tryi >> ng internaldb >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: password ok: store in memory cache >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init ends >> [28/Jan/2016:21:09:02][main]: init: before makeConnection errorIfDown is true >> [28/Jan/2016:21:09:02][main]: makeConnection: errorIfDown true >> [28/Jan/2016:21:09:02][main]: Established LDAP connection using basic >> authentication to host test.sample.net port 738 >> 9 as cn=Directory Manager >> [28/Jan/2016:21:09:02][main]: initializing with mininum 3 and maximum >> 15 connections to host test.sample.net port 738 >> 9, secure connection, false, authentication type 1 >> [28/Jan/2016:21:09:02][main]: increasing minimum connections by 3 >> [28/Jan/2016:21:09:02][main]: new total available connections 3 >> [28/Jan/2016:21:09:02][main]: new number of connections 3 >> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=dbs >> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized dbs >> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=usrgrp >> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=usrgrp >> [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init >> [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init() >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal >> LDAP Database >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: got password from memory >> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password 
found for prompt. >> [28/Jan/2016:21:09:03][main]: LdapAuthInfo: password ok: store in memory cache >> [28/Jan/2016:21:09:03][main]: LdapAuthInfo: init ends >> [28/Jan/2016:21:09:03][main]: init: before makeConnection errorIfDown is false >> [28/Jan/2016:21:09:03][main]: makeConnection: errorIfDown false >> [28/Jan/2016:21:09:03][main]: Established LDAP connection using basic >> authentication to host test.sample.net port 738 >> 9 as cn=Directory Manager >> [28/Jan/2016:21:09:03][main]: initializing with mininum 3 and maximum >> 15 connections to host test.sample.net port 738 >> 9, secure connection, false, authentication type 1 >> [28/Jan/2016:21:09:03][main]: increasing minimum connections by 3 >> [28/Jan/2016:21:09:03][main]: new total available connections 3 >> [28/Jan/2016:21:09:03][main]: new number of connections 3 >> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=usrgrp >> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized usrgrp >> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=registry >> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=registry >> [28/Jan/2016:21:09:03][main]: RegistrySubsystem: start init >> [28/Jan/2016:21:09:03][main]: added plugin profileOutput >> pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.p >> rofile.output.PKCS7Output >> [28/Jan/2016:21:09:03][main]: added plugin profileOutput >> cmmfOutputImpl CMMF Response Output CMMF Response Output com >> .netscape.cms.profile.output.CMMFOutput >> [28/Jan/2016:21:09:03][main]: added plugin profileOutput >> certOutputImpl Certificate Output Certificate Output com.net >> scape.cms.profile.output.CertOutput >> [28/Jan/2016:21:09:03][main]: added plugin profileOutput >> nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netsc >> ape.cms.profile.output.nsNKeyOutput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> submitterInfoInputImpl Submitter Information Input Submitter >> Information Input 
com.netscape.cms.profile.input.SubmitterInfoInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> serialNumRenewInputImpl Certificate Renewal Request Serial Nu >> mber Input Certificate Renewal Request Serial Number Input >> com.netscape.cms.profile.input.SerialNumRenewInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> dualKeyGenInputImpl Dual Key Generation Input Dual Key Genera >> tion Input com.netscape.cms.profile.input.DualKeyGenInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqIn >> putImpl com.netscape.cms.profile.input.nsNKeyCertReqInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> fileSigningInputImpl File Signing Input File Signing Input co >> m.netscape.cms.profile.input.FileSigningInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> certReqInputImpl Certificate Request Input Certificate Reques >> t Input com.netscape.cms.profile.input.CertReqInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> cmcCertReqInputImpl CMC Certificate Request Input CMC Certifi >> cate Request Input com.netscape.cms.profile.input.CMCCertReqInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqIn >> putImpl com.netscape.cms.profile.input.nsHKeyCertReqInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> subjectDNInputImpl Subject DN Input Subject DN Input com.nets >> cape.cms.profile.input.SubjectDNInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> keyGenInputImpl Key Generation Input Key Generation Input com >> .netscape.cms.profile.input.KeyGenInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> genericInputImpl Generic Input Generic Input com.netscape.cms >> .profile.input.GenericInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput imageInputImpl >> Image Input Image Input 
com.netscape.cms.profi >> le.input.ImageInput >> [28/Jan/2016:21:09:03][main]: added plugin profileInput >> subjectNameInputImpl Subject Name Input Subject Name Input co >> m.netscape.cms.profile.input.SubjectNameInput >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> basicConstraintsExtConstraintImpl Basic Constraints Exten >> sion Constraint Basic Constraints Extension Constraint >> com.netscape.cms.profile.constraint.BasicConstraintsExtConstra >> int >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> noConstraintImpl No Constraint No Constraint com.netscape >> .cms.profile.constraint.NoConstraint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> signingAlgConstraintImpl Signing Algorithm Constraint Sig >> ning Algorithm Constraint >> com.netscape.cms.profile.constraint.SigningAlgConstraint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> extendedKeyUsageExtConstraintImpl Extended Key Usage Exte >> nsion Constraint Extended Key Usage Extension Constraint >> com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConst >> raint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> extensionConstraintImpl Extension Constraint Extension Co >> nstraint com.netscape.cms.profile.constraint.ExtensionConstraint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> subjectNameConstraintImpl Subject Name Constraint Subject >> Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> uniqueSubjectNameConstraintImpl Unique Subject Name Const >> raint Unique Subject Name Constraint >> com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> keyUsageExtConstraintImpl Key Usage Extension Constraint >> Key Usage Extension Constraint >> com.netscape.cms.profile.constraint.KeyUsageExtConstraint >> [28/Jan/2016:21:09:03][main]: added plugin 
constraintPolicy >> renewGracePeriodConstraintImpl Renewal Grace Period Const >> raint Renewal Grace Period Constraint >> com.netscape.cms.profile.constraint.RenewGracePeriodConstraint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> keyConstraintImpl Key Constraint Key Constraint com.netsc >> ape.cms.profile.constraint.KeyConstraint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> nsCertTypeExtConstraintImpl Netscape Certificate Type Ext >> ension Constraint Netscape Certificate Type Extension Constraint >> com.netscape.cms.profile.constraint.NSCertTypeExtCon >> straint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> validityConstraintImpl Validity Constraint Validity Const >> raint com.netscape.cms.profile.constraint.ValidityConstraint >> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy >> uniqueKeyConstraintImpl Unique Public Key Constraint Uniq >> ue Public Key Constraint com.netscape.cms.profile.constraint.UniqueKeyConstraint >> [28/Jan/2016:21:09:03][main]: added plugin profile caEnrollImpl >> Generic Certificate Enrollment Profile Certificate Au >> thority Generic Certificate Enrollment Profile >> com.netscape.cms.profile.common.CAEnrollProfile >> [28/Jan/2016:21:09:03][main]: added plugin profile >> caUserCertEnrollImpl User Certificate Enrollment Profile Certifica >> te Authority User Certificate Enrollment Profile >> com.netscape.cms.profile.common.UserCertCAEnrollProfile >> [28/Jan/2016:21:09:03][main]: added plugin profile >> caServerCertEnrollImpl Server Certificate Enrollment Profile Certi >> ficate Authority Server Certificate Enrollment Profile >> com.netscape.cms.profile.common.ServerCertCAEnrollProfile >> [28/Jan/2016:21:09:03][main]: added plugin profile caCACertEnrollImpl >> CA Certificate Enrollment Profile Certificate A >> uthority CA Certificate Enrollment Profile >> com.netscape.cms.profile.common.CACertCAEnrollProfile >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy 
>> userKeyDefaultImpl User Supplied Key Default User Supplied K >> ey Default com.netscape.cms.profile.def.UserKeyDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> freshestCRLExtDefaultImpl Freshest CRL Extension Default Fre >> shest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> authInfoAccessExtDefaultImpl Authority Info Access Extension >> Default Authority Info Access Extension Default >> com.netscape.cms.profile.def.AuthInfoAccessExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNa >> meDefault nsTokenUserKeySubjectNameDefaultImpl >> com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> genericExtDefaultImpl Generic Extension Generic Extension co >> m.netscape.cms.profile.def.GenericExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> authorityKeyIdentifierExtDefaultImpl Authority Key Identifie >> r Extension Default Authority Key Identifier Extension Default >> com.netscape.cms.profile.def.AuthorityKeyIdentifierExt >> Default >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> issuerAltNameExtDefaultImpl Issuer Alternative Name Extensio >> n Default Issuer Alternative Name Extension Default >> com.netscape.cms.profile.def.IssuerAltNameExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> basicConstraintsExtDefaultImpl Basic Constraints Extension D >> efault Basic Constraints Extension Default >> com.netscape.cms.profile.def.BasicConstraintsExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> keyUsageExtDefaultImpl Key Usage Extension Default Key Usage >> Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> ocspNoCheckExtDefaultImpl OCSP No Check Extension 
Default OC >> SP No Check Extension Default com.netscape.cms.profile.def.OCSPNoCheckExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> subjectAltNameExtDefaultImpl Subject Alternative Name Extens >> ion Default Subject Alternative Name Extension Default >> com.netscape.cms.profile.def.SubjectAltNameExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> userValidityDefaultImpl User Supplied Validity Default User >> Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> userSubjectNameDefaultImpl User Supplied Subject Name Defaul >> t User Supplied Subject Name Default >> com.netscape.cms.profile.def.UserSubjectNameDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> subjectDirAttributesExtDefaultImpl Subject Directory Attribu >> tes Extension Default Subject Directory Attributes Extension Default >> com.netscape.cms.profile.def.SubjectDirAttribute >> sExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> certificateVersionDefaultImpl Certificate Version Default Ce >> rtificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> extendedKeyUsageExtDefaultImpl Extended Key Usage Extension >> Default Extended Key Usage Extension Default >> com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> policyConstraintsExtDefaultImpl Policy Constraints Extension >> Default Policy Constraints Extension Default >> com.netscape.cms.profile.def.PolicyConstraintsExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> crlDistributionPointsExtDefaultImpl CRL Distribution Points >> Extension Default CRL Distribution Points Extension Default >> com.netscape.cms.profile.def.CRLDistributionPointsExtDefa >> ult >> [28/Jan/2016:21:09:03][main]: added plugin 
defaultPolicy >> certificatePoliciesExtDefaultImpl Certificate Policies Exten >> sion Default Certificate Policies Extension Default >> com.netscape.cms.profile.def.CertificatePoliciesExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> validityDefaultImpl Validity Default Validty Default com.net >> scape.cms.profile.def.ValidityDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul >> t Private Key Period Ext Default >> com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl >> No Default No Default com.netscape.cms.profile >> .def.NoDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> imageDefaultImpl Image Default Image Default com.netscape.cm >> s.profile.def.ImageDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> subjectInfoAccessExtDefaultImpl Subject Info Access Extensio >> n Default Subject Info Access Extension Default >> com.netscape.cms.profile.def.SubjectInfoAccessExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> autoAssignDefaultImpl Auto Request Assignment Default Auto R >> equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> policyMappingsExtDefaultImpl Policy Mappings Extension Defau >> lt Policy Mappings Extension Default >> com.netscape.cms.profile.def.PolicyMappingsExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> caValidityDefaultImpl CA Certificate Validity Default CA Cer >> tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> userExtensionDefaultImpl User Supplied Extension Default Use >> r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault >> [28/Jan/2016:21:09:03][main]: added plugin 
defaultPolicy >> nsCertTypeExtDefaultImpl Netscape Certificate Type Extension >> Default Netscape Certificate Type Extension Default >> com.netscape.cms.profile.def.NSCertTypeExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> authTokenSubjectNameDefaultImpl Token Supplied Subject Name >> Default Token Supplied Subject Name Default >> com.netscape.cms.profile.def.AuthTokenSubjectNameDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> subjectNameDefaultImpl Subject Name Default Subject Name Def >> ault com.netscape.cms.profile.def.SubjectNameDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> userSigningAlgDefaultImpl User Supplied Signing Alg Default >> User Supplied Signing Alg Default >> com.netscape.cms.profile.def.UserSigningAlgDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De >> fault Subject Key Identifier Default >> com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension >> Default Inhibit Any-Policy Extension Default >> com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje >> ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl >> com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> nscCommentExtDefaultImpl Netscape Comment Extension Default >> Netscape Comment Extension Default >> com.netscape.cms.profile.def.NSCCommentExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> signingAlgDefaultImpl Signing Algorithm Default Signing Algo >> rithm Default com.netscape.cms.profile.def.SigningAlgDefault >> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy >> 
nameConstraintsExtDefaultImpl Name Constraints Extension Def >> ault Name Constraints Extension Default >> com.netscape.cms.profile.def.NameConstraintsExtDefault >> [28/Jan/2016:21:09:03][main]: added plugin profileUpdater >> subsystemGroupUpdaterImpl Updater for Subsystem Group Updat >> er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater >> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry >> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry >> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap >> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap >> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap >> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap >> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name >> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name >> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=X500Name >> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name >> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request >> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request >> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request >> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized request >> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca >> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca >> [28/Jan/2016:21:09:03][main]: CertificateAuthority init >> [28/Jan/2016:21:09:03][main]: Cert Repot inited >> [28/Jan/2016:21:09:03][main]: CRL Repot inited >> [28/Jan/2016:21:09:03][main]: Replica Repot inited >> [28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname >> caSigningCert cert-pki-ca >> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name >> [28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert >> cert-pki-ca' with serial number: 1 >> [28/Jan/2016:21:09:03][main]: converted to x509CertImpl >> 
[28/Jan/2016:21:09:03][main]: Got private key from cert >> [28/Jan/2016:21:09:03][main]: Got public key from cert >> [28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest >> [28/Jan/2016:21:09:03][main]: CA signing unit inited >> [28/Jan/2016:21:09:03][main]: cachainNum= 0 >> [28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS. >> [28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname >> ca.ocsp_signing.cert >> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name >> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug >> org.mozilla.jss.crypto.ObjectNotFoundException >> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException >> Certificate object not found >> at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) >> at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204) >> at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) >> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) >> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) >> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) >> at com.netscape.certsrv.apps.CMS.init(CMS.java:153) >> at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) >> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) >> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) >> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) >> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) >> at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) >> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) >> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) >> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) >> at 
org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) >> at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) >> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) >> at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) >> at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) >> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) >> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) >> at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) >> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) >> at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) >> at org.apache.catalina.core.StandardService.start(StandardService.java:516) >> at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) >> at org.apache.catalina.startup.Catalina.start(Catalina.java:593) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:616) >> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) >> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) >> [28/Jan/2016:21:09:03][main]: CMSEngine.shutdown() >> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): >> password store initialized before. >> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): >> password store initialized. >> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): >> password store initialized before. >> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): >> password store initialized. 
>>>> stuck: yes
>>>> key pair storage:
>>>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>>>> certificate:
>>>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=SAMPLE.NET
>>>> subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
>>>> expires: 2016-01-29 14:09:46 UTC
>>>> eku: id-kp-serverAuth
>>>> pre-save command:
>>>> post-save command:
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng wrote:
>>>>
>>>> On Mon, May 2, 2016 at 9:54 AM Rob Crittenden wrote:
>>>>
>>>> Anthony Cheng wrote:
>>>> > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden wrote:
>>>> >
>>>> > Anthony Cheng wrote:
>>>> > > OK so I made progress on my cert renew issue; I was able to get kinit
>>>> > > working so I can follow the rest of the steps here
>>>> > > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>>> > >
>>>> > > However, after using
>>>> > >
>>>> > > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>>>> > >
>>>> > > and restarting apache (/sbin/service httpd restart), resubmitting 3
>>>> > > certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
>>>> > > (/sbin/service ipa restart), I still see:
>>>> > >
>>>> > > [root@test ~]# ipa-getcert list | more
>>>> > > Number of certificates and requests being tracked: 8.
>>>> > > Request ID '20111214223243':
>>>> > > status: CA_UNREACHABLE
>>>> > > ca-error: Server failed request, will retry: 4301 (RPC failed
>>>> > > at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>>> >
>>>> > IPA proxies requests to the CA through Apache. This means that while
>>>> > tomcat started ok it didn't load the dogtag CA application, hence the
>>>> > Not Found.
>>>> >
>>>> > Check the CA debug and selftest logs to see why it failed to start
>>>> > properly.
>>>> >
>>>> > [ snip ]
>>>> >
>>>> > Actually after a reboot that error went away and I just get this error
>>>> > instead "ca-error: Server failed request, will retry: -504 (libcurl
>>>> > failed to execute the HTTP POST transaction. Peer certificate cannot be
>>>> > authenticated with known CA certificates)." from "getcert list"
>>>> >
>>>> > Result of service ipa restart is interesting since it shows today's time
>>>> > when I already changed date/time/disabled NTP, so somehow the system still
>>>> > knows today's time.
>>>> >
>>>> > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
>>>> > CERT_VerifyCertificateNow: verify certificate failed for cert
>>>> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
>>>> > Runtime error -8181 - Peer's Certificate has expired.)
>>>>
>>>> Hard to say. I'd confirm that there is no time syncing service running,
>>>> ntp or otherwise.
>>>>
>>>> I found out why the time kept changing; it was due to the fact that
>>>> it has VM tools installed (I didn't configure this box) so it
>>>> automatically syncs time during bootup.
>>>>
>>>> I did still see this error message:
>>>>
>>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>>> server. Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (Not Found))
>>>>
>>>> I tried the steps at http://www.freeipa.org/page/Troubleshooting with
>>>>
>>>> certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>>>> openssl x509 -text -in /tmp/ra.crt
>>>> certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>>>> service httpd restart
>>>>
>>>> so that I can get rid of one of the CA certs that is expired (kept
>>>> the 1st one) but I am still getting the same error.
>>>>
>>>> What exactly is CMS and why is it not found?
>>>>
>>>> I did notice that the selftest log is empty with a different time:
>>>>
>>>> -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
>>>>
>>>> [root@test ~]# clock Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds
>>>>
>>>> Here are some debug logs after reboot:
>>>>
>>>> [root@test pki-ca]# tail -n 100 catalina.out
>>>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>>>> Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>>>> INFO: Jk running ID=0 time=1/23config=null
>>>> Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>>>> INFO: Server startup in 1722 ms
>>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>> INFO: Pausing Coyote HTTP/1.1 on http-9180
>>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>> INFO: Pausing Coyote HTTP/1.1 on http-9443
>>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>> INFO: Pausing Coyote HTTP/1.1 on http-9445
>>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>> INFO: Pausing Coyote HTTP/1.1 on http-9444
>>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>> INFO: Pausing Coyote HTTP/1.1 on http-9446
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>>>> INFO: Stopping service Catalina
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>>>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>>>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>> INFO: Stopping Coyote HTTP/1.1 on http-9180
>>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>> INFO: Stopping Coyote HTTP/1.1 on http-9443
>>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>> INFO: Stopping Coyote HTTP/1.1 on http-9445
>>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>> INFO: Stopping Coyote HTTP/1.1 on http-9444
>>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>> INFO: Stopping Coyote HTTP/1.1 on http-9446
>>>> Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
>>>> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>> INFO: Initializing Coyote HTTP/1.1 on http-9180
>>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>> INFO: Initializing Coyote HTTP/1.1 on http-9443
>>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>> INFO: Initializing Coyote HTTP/1.1 on http-9445
>>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>> INFO: Initializing Coyote HTTP/1.1 on http-9444
>>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>> INFO: Initializing Coyote HTTP/1.1 on http-9446
>>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
>>>> INFO: Initialization processed in 2198 ms
>>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
>>>> INFO: Starting service Catalina
>>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
>>>> INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
>>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory ROOT
>>>> Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory ca
>>>> 64-bit osutil library loaded
>>>> 64-bit osutil library loaded
>>>> Certificate object not found
>>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>> INFO: Starting Coyote HTTP/1.1 on http-9180
>>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>> INFO: Starting Coyote HTTP/1.1 on http-9443
>>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>> INFO: Starting Coyote HTTP/1.1 on http-9445
>>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>> INFO: Starting Coyote HTTP/1.1 on http-9444
>>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>> INFO: Starting Coyote HTTP/1.1 on http-9446
>>>> Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
>>>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>>>> Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
>>>> INFO: Jk running ID=0 time=0/40config=null
>>>> Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
>>>> INFO: Server startup in 2592 ms
>>>>
>>>> [root@test pki-ca]# tail -n 100 debug
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
>>>> [27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
>>>> [27/Jan/2016:15:30:43][main]: CertificateAuthority init
>>>> [27/Jan/2016:15:30:43][main]: Cert Repot inited
>>>> [27/Jan/2016:15:30:43][main]: CRL Repot inited
>>>> [27/Jan/2016:15:30:43][main]: Replica Repot inited
>>>> [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
>>>> [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
>>>> [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
>>>> [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
>>>> [27/Jan/2016:15:30:43][main]: Got private key from cert
>>>> [27/Jan/2016:15:30:43][main]: Got public key from cert
>>>> [27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
>>>> [27/Jan/2016:15:30:43][main]: CA signing unit inited
>>>> [27/Jan/2016:15:30:43][main]: cachainNum= 0
>>>> [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
>>>> [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
>>>> [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
>>>> [27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
>>>> [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
>>>> Certificate object not found
>>>> at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>>> at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>>>> at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>>>> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>>>> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>>>> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>>>> at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>>>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>>>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>>>> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>>>> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>>>> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>>>> at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>>>> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>>> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>>> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>>> at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>>> at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>>> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>>> at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>>> at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>>> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>>>> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>>> at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>>> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>>> at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>> at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>>> at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>>> at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> at java.lang.reflect.Method.invoke(Method.java:616)
>>>> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>>> [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
>>>>
>>>> >
>>>> > > Would really greatly appreciate any help on this.
>>>> > >
>>>> > > Also I noticed after I do ldapmodify of usercertificate binary data with
>>>> > >
>>>> > > add: usercertificate;binary
>>>> > > usercertificate;binary: !@#$@!#$#@$
>>>> >
>>>> > You really pasted in binary? Or was this base64-encoded data?
>>>> >
>>>> > I wonder if there is a problem in the wiki. If this is really a binary
>>>> > value you should start with a DER-encoded cert and load it using
>>>> > something like:
>>>> >
>>>> > dn: uid=ipara,ou=people,o=ipaca
>>>> > changetype: modify
>>>> > add: usercertificate;binary
>>>> > usercertificate;binary:< file:///path/to/cert.der
>>>> >
>>>> > You can use something like openssl x509 to switch between PEM and DER
>>>> > formats.
>>>> >
>>>> > I have a vague memory that dogtag can deal with a multi-valued
>>>> > usercertificate attribute.
>>>> >
>>>> > rob
>>>> >
>>>> > Yes the wiki stated binary, the result of:
>>>> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
>>>> > uid=ipara,ou=People,o=ipaca -W
>>>> >
>>>> > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>>>> >
>>>> > But the actual data is from a PEM though.
>>>>
>>>> Ok. So I looked at my CA data and it doesn't use the binary subtype, so
>>>> my entries look like:
>>>>
>>>> userCertificate:: MIID....
>>>>
>>>> It might make a difference if dogtag is looking for the subtype or not.
>>>>
>>>> rob
>>>>
>>>> > >
>>>> > > Then I re-run
>>>> > >
>>>> > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
>>>> > >
>>>> > > I see 2 entries for usercertificate;binary (before modify there was only
>>>> > > 1) but they are duplicates and NOT from data that I added. That seems
>>>> > > incorrect to me.
>>>> > >
>>>> > > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
>>>> > >
>>>> > > klist is actually empty; kinit admin fails. Sounds like then
>>>> > > getcert resubmit has a dependency on kerberos. I can get a backup
>>>> > > image that has a valid ticket but it is only good for 1 day (and
>>>> > > dated past the cert expiry).
>>>> > >
>>>> > > Also I had asked a while back about whether there is a dependency on
>>>> > > DIRSRV to renew the cert; didn't get any response but I suspect
>>>> > > there is a dependency.
>>>> > >
>>>> > > Regarding the clock skew, I found out from /var/log/message that
>>>> > > shows me this so it may be from named:
>>>> > >
>>>> > > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
>>>> > > Jan 28 14:10:42 test named[2911]: loading configuration: failure
>>>> > > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
>>>> > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>>>> > >
>>>> > > I don't have a krb5cc_496 file (since klist is empty), so sounds to
>>>> > > me I need to get a kerberos ticket before going any further. Also
>>>> > > is the file /etc/krb5.keytab access/modification time important? I
>>>> > > had changed time back to before the cert expiration date and rebooted
>>>> > > and tried to renew but the error message about clock skew is still
>>>> > > there. That seems strange.
>>>> > >
>>>> > > Lastly, as an absolute last resort, can I regenerate a new cert
>>>> > > myself?
>>>> > >
>>>> > > https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>>>> > >
>>>> > > [root@test /]# klist
>>>> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>>> > > [root@test /]# service ipa start
>>>> > > Starting Directory Service
>>>> > > Starting dirsrv:
>>>> > > PKI-IPA... [ OK ]
>>>> > > sample-NET... [ OK ]
>>>> > > Starting KDC Service
>>>> > > Starting Kerberos 5 KDC: [ OK ]
>>>> > > Starting KPASSWD Service
>>>> > > Starting Kerberos 5 Admin Server: [ OK ]
>>>> > > Starting DNS Service
>>>> > > Starting named: [FAILED]
>>>> > > Failed to start DNS Service
>>>> > > Shutting down
>>>> > > Stopping Kerberos 5 KDC: [ OK ]
>>>> > > Stopping Kerberos 5 Admin Server: [ OK ]
>>>> > > Stopping named: [ OK ]
>>>> > > Stopping httpd: [ OK ]
>>>> > > Stopping pki-ca: [ OK ]
>>>> > > Shutting down dirsrv:
>>>> > > PKI-IPA... [ OK ]
>>>> > > sample-NET... [ OK ]
>>>> > > Aborting ipactl
>>>> > > [root@test /]# klist
>>>> > > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>>> > > [root@test /]# service ipa status
>>>> > > Directory Service: STOPPED
>>>> > > Failed to get list of services to probe status:
>>>> > > Directory Server is stopped
>>>> > >
>>>> > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote:
>>>> > >
>>>> > > On 27/04/16 21:54, Anthony Cheng wrote:
>>>> > > > Hi list,
>>>> > > >
>>>> > > > I am trying to renew expired certificates following the manual renewal procedure
>>>> > > > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with
>>>> > > > resetting the system/hardware clock to a time before expiry, I am getting the
>>>> > > > error "ca-error: Error setting up ccache for local "host" service using default
>>>> > > > keytab: Clock skew too great."
>>>> > > >
>>>> > > > With NTP disabled and the clock reset, why would it complain about clock skew, and how
>>>> > > > does it even know about the current time?
>>>> > > >
>>>> > > > [root@test certs]# getcert list
>>>> > > > Number of certificates and requests being tracked: 8.
>>>> > > > Request ID '20111214223243':
>>>> > > > status: MONITORING
>>>> > > > ca-error: Error setting up ccache for local "host" service using
>>>> > > > default keytab: Clock skew too great.
>>>> > > > stuck: no >>>> > > > key pair storage: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >>>> > > > Certificate >>>> > > >>>> DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' >>>> > > > certificate: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >>>> > > > Certificate DB' >>>> > > > CA: IPA >>>> > > > issuer: CN=Certificate >>>> Authority,O=sample.NET >>>> > > > subject: CN=test.sample.net >>>> >>>> > >>>> > > ,O=sample.NET >>>> > > > expires: 2016-01-29 14:09:46 UTC >>>> > > > eku: id-kp-serverAuth >>>> > > > pre-save command: >>>> > > > post-save command: >>>> > > > track: yes >>>> > > > auto-renew: yes >>>> > > > Request ID '20111214223300': >>>> > > > status: MONITORING >>>> > > > ca-error: Error setting up ccache >>>> for local >>>> > "host" >>>> > > service using >>>> > > > default keytab: Clock skew too great. >>>> > > > stuck: no >>>> > > > key pair storage: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>>> > > Certificate >>>> > > > >>>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >>>> > > > certificate: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>>> > > Certificate >>>> > > > DB' >>>> > > > CA: IPA >>>> > > > issuer: CN=Certificate >>>> Authority,O=sample.NET >>>> > > > subject: CN=test.sample.net >>>> >>>> > >>>> > > ,O=sample.NET >>>> > > > expires: 2016-01-29 14:09:45 UTC >>>> > > > eku: id-kp-serverAuth >>>> > > > pre-save command: >>>> > > > post-save command: >>>> > > > track: yes >>>> > > > auto-renew: yes >>>> > > > Request ID '20111214223316': >>>> > > > status: MONITORING >>>> > > > ca-error: Error setting up ccache >>>> for local >>>> > "host" >>>> > > service using >>>> > > > default keytab: Clock skew too great. 
>>>> > > > stuck: no >>>> > > > key pair storage: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>>> > > > Certificate >>>> DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>> > > > certificate: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>>> > > > Certificate DB' >>>> > > > CA: IPA >>>> > > > issuer: CN=Certificate >>>> Authority,O=sample.NET >>>> > > > subject: CN=test.sample.net >>>> >>>> > >>>> > > ,O=sample.NET >>>> > > > expires: 2016-01-29 14:09:45 UTC >>>> > > > eku: id-kp-serverAuth >>>> > > > pre-save command: >>>> > > > post-save command: >>>> > > > track: yes >>>> > > > auto-renew: yes >>>> > > > Request ID '20130519130741': >>>> > > > status: NEED_CSR_GEN_PIN >>>> > > > ca-error: Internal error: no >>>> response to >>>> > > > >>>> > > >>>> > >>>> >>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". 
>>>> > > > stuck: yes >>>> > > > key pair storage: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>>> > > > cert-pki-ca',token='NSS Certificate >>>> DB',pin='297100916664 >>>> > > > ' >>>> > > > certificate: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>>> > > > cert-pki-ca',token='NSS Certificate DB' >>>> > > > CA: dogtag-ipa-renew-agent >>>> > > > issuer: CN=Certificate >>>> Authority,O=sample.NET >>>> > > > subject: CN=CA Audit,O=sample.NET >>>> > > > expires: 2017-10-13 14:10:49 UTC >>>> > > > pre-save command: >>>> > /usr/lib64/ipa/certmonger/stop_pkicad >>>> > > > post-save command: >>>> > > /usr/lib64/ipa/certmonger/renew_ca_cert >>>> > > > "auditSigningCert cert-pki-ca" >>>> > > > track: yes >>>> > > > auto-renew: yes >>>> > > > Request ID '20130519130742': >>>> > > > status: NEED_CSR_GEN_PIN >>>> > > > ca-error: Internal error: no >>>> response to >>>> > > > >>>> > > >>>> > >>>> >>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
>>>> > > > stuck: yes >>>> > > > key pair storage: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>>> > > > cert-pki-ca',token='NSS Certificate >>>> DB',pin='297100916664 >>>> > > > ' >>>> > > > certificate: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>>> > > > cert-pki-ca',token='NSS Certificate DB' >>>> > > > CA: dogtag-ipa-renew-agent >>>> > > > issuer: CN=Certificate >>>> Authority,O=sample.NET >>>> > > > subject: CN=OCSP >>>> Subsystem,O=sample.NET >>>> > > > expires: 2017-10-13 14:09:49 UTC >>>> > > > eku: id-kp-OCSPSigning >>>> > > > pre-save command: >>>> > /usr/lib64/ipa/certmonger/stop_pkicad >>>> > > > post-save command: >>>> > > /usr/lib64/ipa/certmonger/renew_ca_cert >>>> > > > "ocspSigningCert cert-pki-ca" >>>> > > > track: yes >>>> > > > auto-renew: yes >>>> > > > Request ID '20130519130743': >>>> > > > status: NEED_CSR_GEN_PIN >>>> > > > ca-error: Internal error: no >>>> response to >>>> > > > >>>> > > >>>> > >>>> >>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". 
>>>> > > > stuck: yes >>>> > > > key pair storage: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>>> > > > cert-pki-ca',token='NSS Certificate >>>> DB',pin='297100916664 >>>> > > > ' >>>> > > > certificate: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>>> > > > cert-pki-ca',token='NSS Certificate DB' >>>> > > > CA: dogtag-ipa-renew-agent >>>> > > > issuer: CN=Certificate >>>> Authority,O=sample.NET >>>> > > > subject: CN=CA >>>> Subsystem,O=sample.NET >>>> > > > expires: 2017-10-13 14:09:49 UTC >>>> > > > eku: >>>> id-kp-serverAuth,id-kp-clientAuth >>>> > > > pre-save command: >>>> > /usr/lib64/ipa/certmonger/stop_pkicad >>>> > > > post-save command: >>>> > > /usr/lib64/ipa/certmonger/renew_ca_cert >>>> > > > "subsystemCert cert-pki-ca" >>>> > > > track: yes >>>> > > > auto-renew: yes >>>> > > > Request ID '20130519130744': >>>> > > > status: MONITORING >>>> > > > ca-error: Internal error: no >>>> response to >>>> > > > >>>> > > >>>> > >>>> >>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
>>>> > > > stuck: no >>>> > > > key pair storage: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>> > > Certificate >>>> > > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>> > > > certificate: >>>> > > > >>>> > > >>>> > >>>> >>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>> > > Certificate DB' >>>> > > > CA: dogtag-ipa-renew-agent >>>> > > > issuer: CN=Certificate >>>> Authority,O=sample.NET >>>> > > > subject: CN=RA >>>> Subsystem,O=sample.NET >>>> > > > expires: 2017-10-13 14:09:49 UTC >>>> > > > eku: >>>> id-kp-serverAuth,id-kp-clientAuth >>>> > > > pre-save command: >>>> > > > post-save command: >>>> > > /usr/lib64/ipa/certmonger/renew_ra_cert >>>> > > > track: yes >>>> > > > auto-renew: yes >>>> > > > Request ID '20130519130745': >>>> > > > status: NEED_CSR_GEN_PIN >>>> > > > ca-error: Internal error: no >>>> response to >>>> > > > >>>> > > >>>> > >>>> >>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". >>>> > > > stuck: yes >>>> > > > key pair storage: >>>> > > > >>>> > >>>> >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>>> > > > cert-pki-ca',token='NSS Certificate >>>> DB',pin='297100916664 >>>> > > > ' >>>> > > > certificate: >>>> > > > >>>> > >>>> >>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert

From joshua at azariah.com Thu May 5 21:41:54 2016 From: joshua at azariah.com (Joshua J. Kugler) Date: Thu, 05 May 2016 13:41:54 -0800 Subject: [Freeipa-users] Looking for documentation for Python API Message-ID: <1557170.p9MGeghmZ2@hosanna> [This didn't show up in the archives or list after 12 hours, so resending. Sorry if it's a dupe.] I've been googling and looking through the documentation, but I have yet to find official docs for the Python API for FreeIPA.
The first result for 'python' when doing a search on www.freeipa.org is http://www.freeipa.org/page/Python_Coding_Style
On that page, there is a link to "freeIPA Python API documentation" which goes to https://www.freeipa.org/page/Documentation#Developer_Documentation
That page, however, doesn't have one mention of Python, and only one mention of "API" and that is "How to migrate your code to the new LDAP API" which doesn't seem to be related. I did manage to find https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple (very convoluted) examples, but seems far from complete. There is a freeipa-python RPM, but *WHERE* is the documentation for the Python API? Or should I just shell out to the 'ipa' command from all my Python scripts? :) I found https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so I'm sure I could work up something with Python and requests, but I'd prefer to use the official API if I could. :) Any assistance would be great! j -- Joshua J. Kugler - Fairbanks, Alaska Azariah Enterprises - Programming and Website Design joshua at azariah.com - Jabber: pedahzur at gmail.com PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

From rmj at ast.cam.ac.uk Thu May 5 22:06:37 2016 From: rmj at ast.cam.ac.uk (Roderick Johnstone) Date: Thu, 5 May 2016 23:06:37 +0100 Subject: [Freeipa-users] Help needed with keytabs In-Reply-To: <572BBBA0.9030202@ast.cam.ac.uk> References: <31876291.1462474039879.JavaMail.wam@elwamui-little.atl.sa.earthlink.net> <572BBBA0.9030202@ast.cam.ac.uk> Message-ID: <572BC3ED.20605@ast.cam.ac.uk> Hi again After further testing, it seems like my problems were caused by the use of the -F option on the kinit line. Roderick On 05/05/2016 22:31, Roderick Johnstone wrote: > Hi Mike > > Thanks for sharing your setup. It looks pretty much like mine. > > I just tried your kinit command syntax and then I can ipa ping > successfully.
Then I tried my kinit syntax (after a kdestroy) and I can > still ipa ping successfully! > > So, it does work now, but I don't know why it didn't work for me > earlier. It feels like some sort of caching problem but I think kdestroy > clears the cache. > > Thanks again for your help. > > Roderick > > On 05/05/2016 19:47, Michael ORourke wrote: >> >> Roderick, >> >> Here's how we do it. >> Create a service account user, for example "svc_useradm". >> Then generate a keytab for the service account, and store it somewhere >> secure. >> ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k >> /root/svc_useradm.keytab >> >> Now we can leverage the keytab for that user principal. >> Example: >> [root at infrae2u01 ~]# kdestroy >> >> [root at infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab >> svc_useradm at LNX.DR.LOCAL >> >> [root at infrae2u01 ~]# klist >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: svc_useradm at LNX.DR.LOCAL >> >> Valid starting Expires Service principal >> 05/05/16 14:24:12 05/06/16 14:24:12 krbtgt/LNX.DR.LOCAL at LNX.DR.LOCAL >> >> [root at infrae2u01 ~]# ipa ping >> ------------------------------------------ >> IPA server version 3.0.0. API version 2.49 >> ------------------------------------------ >> >> If you need to access the service account, then set up a sudo rule to >> switch user to that account. >> Example: "sudo su - svc_useradm" >> >> -Mike >> >> -----Original Message----- >>> From: Roderick Johnstone >>> Sent: May 5, 2016 12:39 PM >>> To: freeipa-users at redhat.com >>> Subject: [Freeipa-users] Help needed with keytabs >>> >>> Hi >>> >>> I need to run some ipa commands in cron jobs. >>> >>> The post here: >>> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html >>> suggests I need to use a keytab file to authenticate kerberos. >>> >>> I've tried the prescription there, with variations, without success.
>>> >>> My current testing framework is to log into the ipa client (RHEL6.7, >>> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, >>> destroy the current tickets, re-establish a tgt for the user with kinit >>> using the keytab and try to run an ipa command. The ipa command fails >>> (just like in my cron jobs which use the same kinit command). >>> >>> 1) Log into ipa client as user test. >>> >>> 2) Get the keytab >>> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test at EXAMPLE.COM -k >>> /home/test/test.keytab -P >>> New Principal Password: >>> Verify Principal Password: >>> Keytab successfully retrieved and stored in: /home/test/test.keytab >>> >>> I seem to have to reset the password to what it was in this step, >>> otherwise it gets set to something random and the user test cannot log >>> into the ipa client any more. >>> >>> 3) Log into the ipa client as user test. Then >>> $ kdestroy >>> $ klist >>> klist: No credentials cache found (ticket cache >>> FILE:/tmp/krb5cc_3395_PWO4wH) >>> >>> 4) kinit from the keytab: >>> $ kinit -F test at EXAMPLE.COM -k -t /home/test/test.keytab >>> >>> 5) Check the tickets >>> $ klist >>> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH >>> Default principal: test at EXAMPLE.COM >>> >>> Valid starting Expires Service principal >>> 05/05/16 17:24:44 05/06/16 17:24:44 krbtgt/EXAMPLE.COM at EXAMPLE.COM >>> >>> 6) Run an ipa command: >>> $ ipa ping >>> ipa: ERROR: cannot connect to Gettext('any of the configured servers', >>> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, >>> https://ipa2.example.com/ipa/xml >>> >>> Can someone advise what I'm doing wrong in this procedure please (some >>> strings were changed to anonymize the setting)? >>> >>> For completeness of information, the ipa servers are RHEL 7.2, >>> ipa-server-4.2.0-15.el7_2.6.1.x86_64. 
>>> >>> Thanks >>> >>> Roderick Johnstone >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >

From David.LeVene at blackboard.com Fri May 6 00:03:45 2016 From: David.LeVene at blackboard.com (David LeVene) Date: Fri, 6 May 2016 00:03:45 +0000 Subject: [Freeipa-users] Advise for the best way to achieve AD Caching? In-Reply-To: <9ca667d0-6347-0954-96ba-7408b265814c@redhat.com> References: <9ca667d0-6347-0954-96ba-7408b265814c@redhat.com> Message-ID: Hi Petr, Thanks for the response. I didn't know about Samba 4, so that's worth some further investigation on my part - Thanks. So from what you've said below it can't run as a standalone, but SSSD does allow caching (if a user has authenticated previously)... does IPA have the ability to cache credentials for ~1 hour, so if there is a short loss of network connectivity users still get the OK from the cache? I'm still having a look at SyncRepl from slapd for replication, but not sure how this will work in the event that the Provider is uncontactable - as long as it caches credentials/details for ~ 1 hour that's acceptable. Regards David -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek Sent: Thursday, May 05, 2016 18:17 To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching? On 5.5.2016 06:28, David LeVene wrote: > Hey All, > > I'm looking for a bit of direction around the best way to > configure/setup an on-site cache &/or replica from an AD Server which > will be uni-directional (AD -> IPA/slapd) > > The masters are multiple AD servers located around the place, and we exist in a place which is outside of the core network and that network link is a single point of failure.
> > What I want to achieve is that, in the event we lose connectivity with the world, users can still authenticate, but if someone is disabled/updated at the top level it replicates down. I've got a test AD Server & have been reviewing IPA, but have hit an issue in that I can't get software installed on the AD Masters for the 389 dir sync software. > > Currently I've configured a synchronization based solution with one way replication from the AD Masters -> IPA. This works fine and I can see all the users being created in IPA - but as the passwords can't be synced without installing software I can't use this method. All methods which can work completely off-line will require access to keys on the AD server. This means either some additional software on the AD side OR having a proper AD server which is hosted locally. This could theoretically be a Samba 4 AD server if you want to try that. If your clients are sufficiently new you can try to use SSSD everywhere but it comes with its own limitations, e.g. users who never logged in before will not be able to log in when the network link is down. I hope this helps. Petr^2 Spacek > Another nice thing would be to have a separate domain/tree available so we can split up the staff that are from the master servers and some client related user/passes that won't be in the Global Directory - but managed from the same place. > > Are there any other setups that will achieve what I require? Have seen slapd with proxy cache but I'm not sure on this option either and configuring slapd with all the ldif files manually seems a little daunting at first sight. > > Thanks in advance, > David This email and any attachments may contain confidential and proprietary information of Blackboard that is for the sole use of the intended recipient.
If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error.

From mbasti at redhat.com Fri May 6 07:04:59 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 6 May 2016 09:04:59 +0200 Subject: [Freeipa-users] Looking for documentation for Python API In-Reply-To: <1557170.p9MGeghmZ2@hosanna> References: <1557170.p9MGeghmZ2@hosanna> Message-ID: On 05.05.2016 23:41, Joshua J. Kugler wrote: > [This didn't show up in the archives or list after 12 hours, so resending. > Sorry if it's a dupe.] > > I've been googling and looking through the documentation, but I have yet to > find official docs for the Python API for FreeIPA. > > The first result for 'python' when doing a search on www.freeipa.org is > http://www.freeipa.org/page/Python_Coding_Style On that page, there is a link > to "freeIPA Python API documentation" which goes to > > https://www.freeipa.org/page/Documentation#Developer_Documentation > > That page, however, doesn't have one mention of Python, and only one mention > of "API" and that is "How to migrate your code to the new LDAP API" which > doesn't seem to be related. I did manage to find > https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple > (very convoluted) examples, but seems far from complete. > > There is a freeipa-python RPM, but *WHERE* is the documentation for the Python > API? Or should I just shell out to the 'ipa' command from all my Python > scripts? :) > > I found https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so > I'm sure I could work up something with Python and requests, but I'd prefer to > use the official API if I could. :) > > Any assistance would be great!
> > j > Hello, since IPA 4.2 the web UI contains an API browser (IPA Server/API Browser). So, for example, for caacl-add: api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description") You can try commands in "ipa console"; it contains an initialized API, just call api.Command.() API.txt provides the same information as the API browser, but the browser looks better :) Feel free to ask anything; if you identified gaps in the docs which are hard to understand for a non-IPA developer, feel free to report it, or feel free to create a HowTo on the freeipa.org page. Martin

From pspacek at redhat.com Fri May 6 07:57:02 2016 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 6 May 2016 09:57:02 +0200 Subject: [Freeipa-users] Advise for the best way to achieve AD Caching? In-Reply-To: References: <9ca667d0-6347-0954-96ba-7408b265814c@redhat.com> Message-ID: On 6.5.2016 02:03, David LeVene wrote: > Hi Petr, > > Thanks for the response. > > I didn't know about Samba 4, so that's worth some further investigation on my part - Thanks. > > So from what you've said below it can't run as a standalone, but SSSD does allow caching (if a user has authenticated previously)... does IPA have the ability to cache credentials for ~1 hour, so if there is a short loss of network connectivity users still get the OK from the cache? SSSD's cache will help you only for local authentication on clients (using password). It will not help for LDAP BIND or Kerberos authentication. > I'm still having a look at SyncRepl from slapd for replication, but not sure how this will work in the event that the Provider is uncontactable - as long as it caches credentials/details for ~ 1 hour that's acceptable. AFAIK SyncRepl is not supported on the AD side. Sorry, but if you are so reliant on AD technology then you probably need to either pay for a new AD server or use Samba 4.
Petr^2 Spacek > > Regards > David > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek > Sent: Thursday, May 05, 2016 18:17 > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching? > > On 5.5.2016 06:28, David LeVene wrote: >> Hey All, >> >> I'm looking for a bit of direction around the best way to >> configure/setup an on-site cache &/or replica from an AD Server which >> will be uni-directional (AD -> IPA/slapd) >> >> The masters are multiple AD servers located around the place, and we exist in a place which is outside of the core network and that network link is a single point of failure. >> >> What I want to achieve is that, in the event we lose connectivity with the world, users can still authenticate, but if someone is disabled/updated at the top level it replicates down. I've got a test AD Server & have been reviewing IPA, but have hit an issue in that I can't get software installed on the AD Masters for the 389 dir sync software. >> >> Currently I've configured a synchronization based solution with one way replication from the AD Masters -> IPA. This works fine and I can see all the users being created in IPA - but as the passwords can't be synced without installing software I can't use this method. > > All methods which can work completely off-line will require access to keys on the AD server. This means either some additional software on the AD side OR having a proper AD server which is hosted locally. This could theoretically be a Samba 4 AD server if you want to try that. > > If your clients are sufficiently new you can try to use SSSD everywhere but it comes with its own limitations, e.g. users who never logged in before will not be able to log in when the network link is down. > > I hope this helps.
> > Petr^2 Spacek > > >> Another nice thing would be to have a separate domain/tree available so we can split up the staff that are from the master servers and some client related user/passes that won't be in the Global Directory - but managed from the same place. >> >> Are there any other setups that will achieve what I require? Have seen slapd with proxy cache but I'm not sure on this option either and configuring slapd with all the ldif files manually seems a little daunting at first sight. >> >> Thanks in advance, >> David > > -- Petr^2 Spacek

From pspacek at redhat.com Fri May 6 08:00:42 2016 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 6 May 2016 10:00:42 +0200 Subject: [Freeipa-users] Help needed with keytabs In-Reply-To: <572B772B.3000500@ast.cam.ac.uk> References: <572B772B.3000500@ast.cam.ac.uk> Message-ID: <970d6210-280a-054f-2606-eddc240d0d3c@redhat.com> On 5.5.2016 18:39, Roderick Johnstone wrote: > Hi > > I need to run some ipa commands in cron jobs. > > The post here: > https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html > suggests I need to use a keytab file to authenticate kerberos. > > I've tried the prescription there, with variations, without success.
> > My current testing framework is to log into the ipa client (RHEL6.7, > ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy > the current tickets, re-establish a tgt for the user with kinit using the > keytab and try to run an ipa command. The ipa command fails (just like in my > cron jobs which use the same kinit command). > > 1) Log into ipa client as user test. > > 2) Get the keytab > $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p test at EXAMPLE.COM -k > /home/test/test.keytab -P > New Principal Password: > Verify Principal Password: > Keytab successfully retrieved and stored in: /home/test/test.keytab > > I seem to have to reset the password to what it was in this step, otherwise it > gets set to something random and the user test cannot log into the ipa client > any more. > > 3) Log into the ipa client as user test. Then > $ kdestroy > $ klist > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH) > > 4) kinit from the keytab: > $ kinit -F test at EXAMPLE.COM -k -t /home/test/test.keytab > > 5) Check the tickets > $ klist > Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH > Default principal: test at EXAMPLE.COM > > Valid starting Expires Service principal > 05/05/16 17:24:44 05/06/16 17:24:44 krbtgt/EXAMPLE.COM at EXAMPLE.COM > > 6) Run an ipa command: > $ ipa ping > ipa: ERROR: cannot connect to Gettext('any of the configured servers', > domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml, > https://ipa2.example.com/ipa/xml > > Can someone advise what I'm doing wrong in this procedure please (some strings > were changed to anonymize the setting)? The Kerberos part seems okay, but for some reason the connection to the IPA servers does not work. I would try the following commands:
$ ipa --debug ping
$ curl 'https://ipa1.example.com/ipa/xml'
and see what these print out. Petr^2 Spacek > > For completeness of information, the ipa servers are RHEL 7.2, > ipa-server-4.2.0-15.el7_2.6.1.x86_64.
> > Thanks > > Roderick Johnstone

From wouter.hummelink at kpn.com Fri May 6 11:33:10 2016 From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com) Date: Fri, 6 May 2016 11:33:10 +0000 Subject: [Freeipa-users] Duplicate serials in issued ipa certs Message-ID: <2CA71D6C07ADB544847562573DC6BF062AE834E7@CPEMS-KPN309.KPNCNL.LOCAL> Hello, I discovered today that our IPA CA has been issuing certs with duplicate serials, causing issues in several ways when dealing with hosts that have such a cert in place. (Complaints about duplicate serials) Removing the offending cert from the host results in the same type of error. These all seem to have been issued from the server that in the past was reinstalled with the same hostname.

ipa host-show app
ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

IPA cert-find indeed shows 2 issued certs with the same serial (several actually) (anonymized)

Serial number (hex): 0xFFF0007
Serial number: 268369927
Status: VALID
Subject: CN=app.example.org,O=EXAMPLE.ORG

Serial number (hex): 0xFFF0007
Serial number: 268369927
Status: VALID
Subject: CN=ipa.example.org,O=EXAMPLE.ORG

The ipa client won't let me revoke or otherwise kill these certs with the same error. What to do? Kind regards, Wouter Hummelink Cloud Engineer KPN IT Solutions Platform Organisation Cloud Services Mail: wouter.hummelink at kpn.com Phone: +31 (0)6 1288 2447 Save Paper - Do you really need to print this e-mail?
********************************************************************************************************************************************************* KPN IT SOLUTIONS is the trade name of KPN Corporate Market BV, Commercial Register 52959597 Amsterdam The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of it, or the taking of any action in reliance upon this information by persons and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material. Thank you. *********************************************************************************************************************************************************

From David.LeVene at blackboard.com Fri May 6 12:51:08 2016 From: David.LeVene at blackboard.com (David LeVene) Date: Fri, 6 May 2016 12:51:08 +0000 Subject: [Freeipa-users] Advise for the best way to achieve AD Caching? In-Reply-To: References: <9ca667d0-6347-0954-96ba-7408b265814c@redhat.com> Message-ID: Thanks for the information Petr. As you have recommended, another AD server or Samba 4 is the best solution. Cheers David -----Original Message----- From: Petr Spacek [mailto:pspacek at redhat.com] Sent: Friday, May 06, 2016 17:27 To: David LeVene ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching? On 6.5.2016 02:03, David LeVene wrote: > Hi Petr, > > Thanks for the response.
> > I didn't know about Samba 4, so that's worth some further investigation on my part - Thanks. > > So from what you've said below it can't run as a standalone, but SSSD does allow caching (if a user has authenticated previously)... does IPA have the ability to cache credentials for ~1 hour, so if there is a short loss of network connectivity users still get the OK from the cache? SSSD's cache will help you only for local authentication on clients (using password). It will not help for LDAP BIND or Kerberos authentication. > I'm still having a look at SyncRepl from slapd for replication, but not sure how this will work in the event that the Provider is uncontactable - as long as it caches credentials/details for ~ 1 hour that's acceptable. AFAIK SyncRepl is not supported on the AD side. Sorry, but if you are so reliant on AD technology then you probably need to either pay for a new AD server or use Samba 4. Petr^2 Spacek > > Regards > David > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek > Sent: Thursday, May 05, 2016 18:17 > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Advise for the best way to achieve AD Caching? > > On 5.5.2016 06:28, David LeVene wrote: >> Hey All, >> >> I'm looking for a bit of direction around the best way to >> configure/setup an on-site cache &/or replica from an AD Server which >> will be uni-directional (AD -> IPA/slapd) >> >> The masters are multiple AD servers located around the place, and we exist in a place which is outside of the core network and that network link is a single point of failure. >> >> What I want to achieve is that, in the event we lose connectivity with the world, users can still authenticate, but if someone is disabled/updated at the top level it replicates down.
>> I've got a test AD Server & have been reviewing IPA, but have hit an issue in that I can't get software installed on the AD Masters for the 389 dir sync software.
>>
>> Currently I've configured a synchronization based solution with one way replication from the AD Masters -> IPA. This works fine and I can see all the users being created in IPA - but as the passwords can't be synced without installing software I can't use this method.
>
> All methods which can work completely off-line will require access to keys on the AD server. This means either some additional software on the AD side OR having a proper AD server which is hosted locally. This could theoretically be a Samba 4 AD server if you want to try that.
>
> If your clients are sufficiently new you can try to use SSSD everywhere but it comes with its own limitations, e.g. users who never logged in before will not be able to login when the network link is down.
>
> I hope this helps.
>
> Petr^2 Spacek
>
>
>> Another nice thing would be to have a separate domain/tree available so we can split up the staff that are from the master servers and some client related user/passes that won't be in the Global Directory - but managed from the same place.
>>
>> Are there any other setups that will achieve what I require? Have seen slapd with proxy cache but I'm not sure on these options either and configuring slapd with all the ldif files manually seems a little daunting at first sight.
>>
>> Thanks in advance,
>> David
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> This email and any attachments may contain confidential and proprietary information of Blackboard that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited.
> Please immediately notify the sender and delete this transmission if you received this email in error.
>

--
Petr^2 Spacek

From mbasti at redhat.com Fri May 6 13:50:27 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 6 May 2016 15:50:27 +0200
Subject: [Freeipa-users] Unable to configure DNSSEC signing [solved]
In-Reply-To: <0a4a01d1a6f1$1a97a510$4fc6ef30$@giesen.me>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> <070801d1a53f$c64924a0$52db6de0$@giesen.me> <33dbd0d6-445c-1a59-48f4-338fbb1ca01a@redhat.com> <071f01d1a546$acff20b0$06fd6210$@giesen.me> <0a1b01d1a6e1$6822ab50$386801f0$@giesen.me> <0a4a01d1a6f1$1a97a510$4fc6ef30$@giesen.me>
Message-ID:

After investigation on IRC, it looks like the old mkosek/freeipa repo is guilty; this repo should not be used for CentOS 4.2+

On 05.05.2016 19:11, Gary T. Giesen wrote:
> As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
> I have the same problem.
>
> These are the steps I took:
>
> # yum update -y
> # yum install -y nano net-tools wget
> # yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
> # cd /etc/yum.repos.d/
> # wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
> # yum install -y haveged
> # systemctl start haveged
> # systemctl enable haveged
> # yum install -y ipa-server ipa-server-dns
> # ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir --ip-address=192.0.2.10 --idstart=100000 --idmax=199999 --no-ui-redirect --ssh-trust-dns --setup-dns --no-forwarders --no-reverse
> # ipa-dns-install --no-forwarders --no-reverse --dnssec-master
> # ipa dnszone-mod example.com --dnssec=true
>
>
> GTG
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
> Sent: May-05-16 11:19 AM
> To: 'Petr Spacek' ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> I'm not entirely sure if this is what you were asking for, but here's a
> manual LDAP query and the associated logs, and then I restarted
> ipa-dnskeysyncd and the logs associated with that as well:
>
>
> [root at host /]# date
> Thu May 5 10:52:12 EDT 2016
> [root at host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
> SASL/GSSAPI authentication started
> SASL username: user at EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))
> # requesting: ALL
> #
>
> # example.com., dns, example.com
> dn: idnsname=example.com.,cn=dns,dc=example,dc=com
> idnsZoneActive: TRUE
> idnsSOAexpire: 1209600
> idnsSOAminimum: 3600
> objectClass: idnszone
> objectClass: top
> objectClass: idnsrecord
> idnsAllowTransfer: none;
> idnsSOAretry: 900
> idnsSOAserial: 1462338941
> idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
> idnsSOArefresh: 3600
> idnsAllowQuery: any;
> idnsName: example.com.
> idnsSOAmName: host.example.com.
> idnsSOArName: hostmaster.example.com.
> idnsAllowDynUpdate: TRUE
> nSRecord: host.example.com.
> mXRecord: 5 mx.example.com.
> tXTRecord: v=spf1 ip4:104.207.128.239 ip6:2001:19f0:300:24e1::10 -all
> idnsSecInlineSigning: TRUE
>
> # 2a6519b4-8d9c-11e5-8ced-56000017eb11, keys, sec, dns, example.com
> dn: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey:: [base64-encoded public key omitted]
> ipk11Verify: FALSE
> ipk11Id:: b4AQWy4+gJz2XABOkWEgnw==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: 2a6519b4-8d9c-11e5-8ced-56000017eb11
>
> # 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11, keys, sec, dns, example.com
> dn: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey:: [base64-encoded public key omitted]
> ipk11Verify: FALSE
> ipk11Id:: L9nKKUY2ypycB3EldvJjVg==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11
>
> # 70eca210-0ee0-11e6-9e98-56000017eb11, keys, sec, dns, example.com
> dn: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey:: [base64-encoded public key omitted]
> ipk11Verify: FALSE
> ipk11Id:: teifTM9dTfpDRQgbL8rsFQ==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: 70eca210-0ee0-11e6-9e98-56000017eb11
>
> # fba8d874-10a2-11e6-86aa-56000017eb11, keys, sec, dns, example.com
> dn: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey:: [base64-encoded public key omitted]
> ipk11Verify: FALSE
> ipk11Id:: WXrLuKBlC8r8UsjjGf2zww==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: fba8d874-10a2-11e6-86aa-56000017eb11
>
> # a7bac2a6-10a5-11e6-9c20-56000017eb11, keys, sec, dns, example.com
> dn: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: FALSE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey:: [base64-encoded public key omitted]
> ipk11Verify: FALSE
> ipk11Id:: +Y0cQI+gUJelIpun/N1IYQ==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: a7bac2a6-10a5-11e6-9c20-56000017eb11
>
> # 2f32c0f8-10c9-11e6-bf47-56000017eb11, keys, sec, dns, example.com
> dn: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
> objectClass: ipk11PublicKey
> objectClass: ipk11Object
> objectClass: top
> objectClass: ipaPublicKeyObject
> objectClass: ipk11Key
> objectClass: ipk11StorageObject
> ipk11Wrap: TRUE
> ipk11Label: dnssec-replica:host.example.com.
> ipaPublicKey:: [base64-encoded public key omitted]
> ipk11Verify: FALSE
> ipk11Id:: mn+arLpqrb1jDdDZXlroUg==
> ipk11VerifyRecover: FALSE
> ipk11UniqueId: 2f32c0f8-10c9-11e6-bf47-56000017eb11
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 8
> # numEntries: 7
>
>
>
> My manual LDAP search (/var/log/dirsrv/slapd-EXAMPLE-COM/access):
>
> [05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from 2001:db8:300:24e1::10 to 2001:db8:300:24e1::10
> [05/May/2016:10:52:13 -0400] conn=613 TLS1.2 256-bit AES-GCM
> [05/May/2016:10:52:13 -0400] conn=613 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [05/May/2016:10:52:13 -0400] conn=613 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [05/May/2016:10:52:13 -0400] conn=613 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [05/May/2016:10:52:13 -0400] conn=613 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
> [05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
> [05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7 etime=0
> [05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND
> [05/May/2016:10:52:13 -0400] conn=613 op=4 fd=109 closed - U1
>
>
> I then restarted ipa-dnskeysyncd (journalctl -u ipa-dnskeysyncd):
>
> May 05 10:52:19 host.example.com systemd[1]: Stopping IPA key daemon...
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13719]: ipa : INFO Signal 15 received: Shutting down!
> May 05 10:52:19 host.example.com systemd[1]: Started IPA key daemon.
> May 05 10:52:19 host.example.com systemd[1]: Starting IPA key daemon...
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.aci
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automember
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automount
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.batch
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.cert
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.config
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.dns
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.group
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.host
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.internal
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.kerberos
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.migration
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.misc
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.permission
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.ping
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Starting external process
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: args='klist' '-V'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Process finished, return code=0
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stderr=
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.role
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.server
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.service
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.session
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: WARNING: session memcached servers not running
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.topology
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.trust
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.user
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.vault
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.join
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_43658512
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_43681424
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
> May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Kerberos principal: ipa-dnskeysyncd/host.example.com
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Initializing principal ipa-dnskeysyncd/host.example.com using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG using ccache /tmp/ipa-dnskeysyncd.ccache
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Attempt 1/5: success
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket/cn%3Ddns%2Cdc%3Dexample%2Cdc%3Dme??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%29%28objectClass%3Dipk11PublicKey%29%29
> May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO LDAP bind...
> May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1
> May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1
> May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 1
> May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 2
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO Commencing sync process
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None (not received yet)
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 203dbe2d-8d9c-11e5-bb23-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-11e5-bb23-e7a3b46d8929': }
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 203dbe63-8d9c-11e5-bb23-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 9d5e3d66-ccd4-11e5-bb23-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 59985f1f-0ee0-11e6-aa2d-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com dc691799-10a2-11e6-aa2d-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 83e74997-10a5-11e6-aa2d-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 0f260699-10c9-11e6-aa2d-e7a3b46d8929
> May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.example.com:389#krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#33443
>
>
> Logs as a result of ipa-dnskeysyncd restart (/var/log/dirsrv/slapd-EXAMPLE-COM/access):
>
> [05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> [05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com"
> [05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
> [05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0 etime=0
>
>
> Cheers,
>
> GTG
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
> Sent: May-03-16 10:19 AM
> To: 'Petr Spacek' ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Thanks Petr. I'm on IRC as well if a more interactive troubleshooting
> session would be better.
>
> Cheers,
>
> GTG
>
> -----Original Message-----
> From: Petr Spacek [mailto:pspacek at redhat.com]
> Sent: May-03-16 9:59 AM
> To: Gary T. Giesen ;
> freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> On 3.5.2016 15:29, Gary T. Giesen wrote:
>> All lines from the log file with conn=152.
>>
>> [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
>> [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com"
>> [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
>> [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0
> This seems to be okay, I will think about it a bit more and return back to
> you when I find something.
>
> Petr^2 Spacek
>
>> -----Original Message-----
>> From: Petr Spacek [mailto:pspacek at redhat.com]
>> Sent: May-03-16 8:50 AM
>> To: Gary T. Giesen ;
>> freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> Hmm, this is really weird.
>>
>> It should log message "Initial LDAP dump is done, sychronizing with
>> ODS and BIND" which is apparently not there. Maybe LDAP server is
>> doing something weird ...
>>
>> Could you inspect /var/log/dirsrv/*/access_log and look for lines
>> similar to ones in the attached file, please?
>>
>> It should start with log message like
>> "connection from local to /var/run/slapd-*".
>> This line will have identifier like "conn=84". We are looking for conn
>> number (e.g. "conn=84") which is related to BIND DN
>> "dn="krbprincipalname=ipa-dnskeysyncd/*".
>>
>> If you find the right conn number, look for other lines containing the
>> same conn number and operation "SRCH base="cn=dns,*". This SRCH line
>> will have specific identifier like "conn=84 op=3".
>>
>> Now you have identifier for particular operation. Look for RESULT line
>> with the same ID.
>>
>> How does it look?
>>
>> Can you copy&paste complete all lines with identifier conn=??? you found?
>>
>> Thanks!
>> Petr^2 Spacek
>>
>> On 3.5.2016 13:37, Gary T. Giesen wrote:
>>> See attached.
>>>
>>> GTG
>>>
>>> -----Original Message-----
>>> From: Petr Spacek [mailto:pspacek at redhat.com]
>>> Sent: May-03-16 7:33 AM
>>> To: Gary T. Giesen ;
>>> freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>>> 1. Confirmed, it was already set to ISMASTER=1
>>>>
>>>> 2. Logs:
>>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
>>> The log seems to be truncated. Please attach it as a file to avoid
>>> truncation and line wrapping problems.
>>>
>>> Thanks
>>> Petr^2 Spacek
>>>
>>>>
>>>> 3. # rpm -q ipa-server
>>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com
>>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>>> Sent: May-03-16 7:08 AM
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>>
>>>> Okay, this is a problem.
It should list your zone example.com >>>> because it has DNSSEC signing enabled. >>>> >>>> Make sure you are working on host.example.com (the host listed by >>>> the ldapsearch above). >>>> >>>> I would check two things: >>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". >>>> If it does not, re-run ipa-dns-install with --dnssec-master option >>>> to fix >>> that. >>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and >>>> make sure that it contains line "debug=True" and restart >>>> ipa-dnskeysyncd when you are done with it. >>>> >>>> The log should be much longer after this change. >>>> >>>> I hope it will help to identify the root cause. >>>> >>>> What IPA version do you use? >>>> $ rpm -q freeipa-server >>>> >>>> Petr^2 Spacek >>>> >>>> >>>> >>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has >>>>> had no effect. The only log entries I see are: >>>>> >>>>> # journalctl -u ipa-dnskeysyncd >>>>> >>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key >> daemon... >>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : >>>> INFO >>>>> Signal 15 received: Shutting down! >>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon. >>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key >> daemon... >>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: >>>>> session memcached servers not running >>>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : >>>> INFO >>>>> LDAP bind... 
>>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>>>>>
>>>>> Can anyone advise on next steps? I've been banging my head against
>>>>> a wall for a couple days now and would really appreciate some help.
>>
>> --
>> Petr^2 Spacek
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From ggiesen+freeipa-users at giesen.me Fri May 6 13:51:24 2016
From: ggiesen+freeipa-users at giesen.me (Gary T. Giesen)
Date: Fri, 6 May 2016 09:51:24 -0400
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <0ab201d1a6fb$174b7bc0$45e27340$@giesen.me>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> <070801d1a53f$c64924a0$52db6de0$@giesen.me> <33dbd0d6-445c-1a59-48f4-338fbb1ca01a@redhat.com> <071f01d1a546$acff20b0$06fd6210$@giesen.me> <0a1b01d1a6e1$6822ab50$386801f0$@giesen.me> <0ab201d1a6fb$174b7bc0$45e27340$@giesen.me>
Message-ID: <0b2701d1a79e$62d03a60$2870af20$@giesen.me>

So thanks to Martin Basti and Petr Spacek, I've found the problem. I was adding the old mkosek/freeipa repository, which when 4.1 was the latest version was correct, but now 4.2 is in base.
I wasn't actually installing 4.1 from the mkosek COPR, but it was pulling in the following dependencies from there:

jboss-annotations-1.1-api.noarch        1.0.1-0.6.20120212git76e1a2.el7.centos  @mkosek-freeipa
open-sans-fonts.noarch                  1.10-1.el7.centos                       @mkosek-freeipa
pki-base.noarch                         10.2.5-6.el7.centos                     @mkosek-freeipa
pki-ca.noarch                           10.2.5-6.el7.centos                     @mkosek-freeipa
pki-kra.noarch                          10.2.5-6.el7.centos                     @mkosek-freeipa
pki-server.noarch                       10.2.5-6.el7.centos                     @mkosek-freeipa
pki-tools.x86_64                        10.2.5-6.el7.centos                     @mkosek-freeipa
python-ldap.x86_64                      2.4.16-1.el7.centos                     @mkosek-freeipa
python-qrcode-core.noarch               5.0.1-2.el7.centos                      @mkosek-freeipa
relaxngDatatype.noarch                  1.0-11.el7                              @base
resteasy-base-atom-provider.noarch      3.0.6-1.el7.centos                      @mkosek-freeipa
resteasy-base-client.noarch             3.0.6-1.el7.centos                      @mkosek-freeipa
resteasy-base-jackson-provider.noarch   3.0.6-1.el7.centos                      @mkosek-freeipa
resteasy-base-jaxb-provider.noarch      3.0.6-1.el7.centos                      @mkosek-freeipa
resteasy-base-jaxrs.noarch              3.0.6-1.el7.centos                      @mkosek-freeipa
resteasy-base-jaxrs-api.noarch          3.0.6-1.el7.centos                      @mkosek-freeipa
slapi-nis.x86_64                        0.54.2-1.el7.centos                     @mkosek-freeipa

Thanks very much to both of you for helping sort this out as I was completely lost.

Cheers,

GTG

-----Original Message-----
From: Gary T. Giesen [mailto:ggiesen at giesen.me]
Sent: May-05-16 1:11 PM
To: 'Petr Spacek' ; freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Unable to configure DNSSEC signing

As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and I have the same problem.
These are the steps I took:

# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns
# ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir --ip-address=192.0.2.10 --idstart=100000 --idmax=199999 --no-ui-redirect --ssh-trust-dns --setup-dns --no-forwarders --no-reverse
# ipa-dns-install --no-forwarders --no-reverse --dnssec-master
# ipa dnszone-mod example.com --dnssec=true

GTG

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek' ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

I'm not entirely sure if this is what you were asking for, but here's a manual LDAP query and the associated logs, and then I restarted ipa-dnskeysyncd and the logs associated with that as well:

[root at host /]# date
Thu May 5 10:52:12 EDT 2016
[root at host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: user at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))
# requesting: ALL
#

# example.com., dns, example.com
dn: idnsname=example.com.,cn=dns,dc=example,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAserial: 1462338941
idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: example.com.
idnsSOAmName: host.example.com.
idnsSOArName: hostmaster.example.com.
idnsAllowDynUpdate: TRUE
nSRecord: host.example.com.
mXRecord: 5 mx.example.com.
tXTRecord: v=spf1 ip4:104.207.128.239 ip6:2001:19f0:300:24e1::10 -all
idnsSecInlineSigning: TRUE

# 2a6519b4-8d9c-11e5-8ced-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipk11Verify: FALSE
ipk11Id:: b4AQWy4+gJz2XABOkWEgnw==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2a6519b4-8d9c-11e5-8ced-56000017eb11

# 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipk11Verify: FALSE
ipk11Id:: L9nKKUY2ypycB3EldvJjVg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11

# 70eca210-0ee0-11e6-9e98-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipk11Verify: FALSE
ipk11Id:: teifTM9dTfpDRQgbL8rsFQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 70eca210-0ee0-11e6-9e98-56000017eb11

# fba8d874-10a2-11e6-86aa-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipk11Verify: FALSE
ipk11Id:: WXrLuKBlC8r8UsjjGf2zww==
ipk11VerifyRecover: FALSE
ipk11UniqueId: fba8d874-10a2-11e6-86aa-56000017eb11

# a7bac2a6-10a5-11e6-9c20-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipk11Verify: FALSE
ipk11Id:: +Y0cQI+gUJelIpun/N1IYQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: a7bac2a6-10a5-11e6-9c20-56000017eb11

# 2f32c0f8-10c9-11e6-bf47-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: TRUE
ipk11Label: dnssec-replica:host.example.com.
ipk11Verify: FALSE
ipk11Id:: mn+arLpqrb1jDdDZXlroUg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2f32c0f8-10c9-11e6-bf47-56000017eb11

# search result
search: 4
result: 0 Success

# numResponses: 8
# numEntries: 7

My manual LDAP search (/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from 2001:db8:300:24e1::10 to 2001:db8:300:24e1::10
[05/May/2016:10:52:13 -0400] conn=613 TLS1.2 256-bit AES-GCM
[05/May/2016:10:52:13 -0400] conn=613 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7 etime=0
[05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND
[05/May/2016:10:52:13 -0400] conn=613 op=4 fd=109 closed - U1

I then restarted ipa-dnskeysyncd (journalctl -u ipa-dnskeysyncd):

May 05 10:52:19 host.example.com
systemd[1]: Stopping IPA key daemon... May 05 10:52:19 host.example.com ipa-dnskeysyncd[13719]: ipa : INFO Signal 15 received: Shutting down! May 05 10:52:19 host.example.com systemd[1]: Started IPA key daemon. May 05 10:52:19 host.example.com systemd[1]: Starting IPA key daemon... May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipalib.plugins... May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.aci May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automember May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automount May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.batch May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.caacl May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.cert May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.config May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.delegation May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.dns May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin 
module ipalib.plugins.group May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.host May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idrange May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idviews May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.internal May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.kerberos May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.migration May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.misc May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module 
ipalib.plugins.otptoken_yubikey May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.passwd May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.permission May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.ping May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pkinit May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.privilege May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Starting external process May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: args='klist' '-V' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Process finished, return code=0 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stderr= May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.role May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module 
ipalib.plugins.server May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.service May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.session May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: WARNING: session memcached servers not running May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.topology May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.trust May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.user May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.vault May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.virtual May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... 
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.join May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_43658512 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_43681424 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 
0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Kerberos principal: ipa-dnskeysyncd/host.example.com May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Initializing principal ipa-dnskeysyncd/host.example.com using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG using ccache /tmp/ipa-dnskeysyncd.ccache May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Attempt 1/5: success May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket/cn%3Ddns%2Cdc%3Dexample%2C dc %3Dme??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%2 9% 28objectClass%3Dipk11PublicKey%29%29 May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO LDAP bind... 
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 2
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO Commencing sync process
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None (not received yet)
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 203dbe2d-8d9c-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-11e5-bb23-e7a3b46d8929': }
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 203dbe63-8d9c-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 9d5e3d66-ccd4-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 59985f1f-0ee0-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com dc691799-10a2-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 83e74997-10a5-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 0f260699-10c9-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.example.com:389#krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#33443

Logs as a result of ipa-dnskeysyncd restart (/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0 etime=0

Cheers,

GTG

-----Original
Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gary T. Giesen Sent: May-03-16 10:19 AM To: 'Petr Spacek' ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing Thanks Petr. I'm on IRC as well if a more interactive troubleshooting session would be better. Cheers, GTG -----Original Message----- From: Petr Spacek [mailto:pspacek at redhat.com] Sent: May-03-16 9:59 AM To: Gary T. Giesen ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing On 3.5.2016 15:29, Gary T. Giesen wrote: > All lines from the log file with conn=152. > > [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from > local to /var/run/slapd-EXAMPLE-COM.socket > [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl > version=3 mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl > version=3 mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl > version=3 mech=GSSAPI > [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 > nentries=0 > etime=0 > dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=s > ervice > s,cn=accounts,dc=example,dc=com" > [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH > base="cn=dns,dc=example,dc=com" scope=2 > filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=i > pk11Pu > blicKey))" attrs=ALL > [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 > nentries=0 > etime=0 This seems to be okay, I will think about it a bit more and return back to you when I find something. 
Petr^2 Spacek

>
> -----Original Message-----
> From: Petr Spacek [mailto:pspacek at redhat.com]
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Hmm, this is really weird.
>
> It should log message "Initial LDAP dump is done, sychronizing with ODS and BIND" which is apparently not there. Maybe LDAP server is doing something weird ...
>
> Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to ones in the attached file, please?
>
> It should start with log message like "connection from local to /var/run/slapd-*".
> This line will have identifier like "conn=84". We are looking for conn number (e.g. "conn=84") which is related to BIND DN "dn="krbprincipalname=ipa-dnskeysyncd/*".
>
> If you find the right conn number, look for other lines containing the same conn number and operation "SRCH base="cn=dns,*". This SRCH line will have specific identifier like "conn=84 op=3".
>
> Now you have identifier for particular operation. Look for RESULT line with the same ID.
>
> How does it look?
>
> Can you copy&paste complete all lines with identifier conn=??? you found?
>
> Thanks!
> Petr^2 Spacek
>
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -----Original Message-----
>> From: Petr Spacek [mailto:pspacek at redhat.com]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen ; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: May-03-16 7:08 AM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> Okay, this is a problem. It should list your zone example.com because it has DNSSEC signing enabled.
>>>
>>> Make sure you are working on host.example.com (the host listed by the ldapsearch above).
>>>
>>> I would check two things:
>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it does not, re-run ipa-dns-install with --dnssec-master option to fix that.
>>>
>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make sure that it contains line "debug=True" and restart ipa-dnskeysyncd when you are done with it.
>>>
>>> The log should be much longer after this change.
>>>
>>> I hope it will help to identify the root cause.
>>>
>>> What IPA version do you use?
>>> $ rpm -q freeipa-server
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>
>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no effect. The only log entries I see are:
>>>>
>>>> # journalctl -u ipa-dnskeysyncd
>>>>
>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
>>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>>>>
>>>>
>>>>
>>>> Can anyone advise on next steps? I've been banging my head against a wall for a couple days now and would really appreciate some help.
>
>
> --
> Petr^2 Spacek
>

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From pspacek at redhat.com Fri May 6 13:59:09 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 6 May 2016 15:59:09 +0200
Subject: [Freeipa-users] Unable to configure DNSSEC signing
In-Reply-To: <0b2701d1a79e$62d03a60$2870af20$@giesen.me>
References: <064e01d1a4d4$57605c90$062115b0$@giesen.me> <44f3723b-25ef-4a08-ed1f-69f4197a6b29@redhat.com> <06cc01d1a52e$f3d1d9f0$db758dd0$@giesen.me> <2679aa67-1425-a92c-acd7-7122e19ddfe1@redhat.com> <06ce01d1a530$309269d0$91b73d70$@giesen.me> <070801d1a53f$c64924a0$52db6de0$@giesen.me> <33dbd0d6-445c-1a59-48f4-338fbb1ca01a@redhat.com> <071f01d1a546$acff20b0$06fd6210$@giesen.me> <0a1b01d1a6e1$6822ab50$386801f0$@giesen.me> <0ab201d1a6fb$174b7bc0$45e27340$@giesen.me> <0b2701d1a79e$62d03a60$2870af20$@giesen.me>
Message-ID: <8b3b06ef-e301-e2e4-9e19-25d38fc59d0d@redhat.com>

On 6.5.2016 15:51, Gary T. Giesen wrote:
> So thanks to Martin Basti and Petr Spacek, I've found the problem. I was adding the old mkosek/freeipa repository, which when 4.1 was the latest version was correct, but now 4.2 is in base.
> I wasn't actually installing 4.1 from the mkosek COPR, but it was pulling in the following dependencies from there:
>
> jboss-annotations-1.1-api.noarch   1.0.1-0.6.20120212git76e1a2.el7.centos   @mkosek-freeipa
> open-sans-fonts.noarch             1.10-1.el7.centos                        @mkosek-freeipa
> pki-base.noarch                    10.2.5-6.el7.centos                      @mkosek-freeipa
> pki-ca.noarch                      10.2.5-6.el7.centos                      @mkosek-freeipa
> pki-kra.noarch                     10.2.5-6.el7.centos                      @mkosek-freeipa
> pki-server.noarch                  10.2.5-6.el7.centos                      @mkosek-freeipa
> pki-tools.x86_64                   10.2.5-6.el7.centos                      @mkosek-freeipa
> python-ldap.x86_64                 2.4.16-1.el7.centos

python-ldap would be my suspect. Can you confirm that downgrading/upgrading the python-ldap package is sufficient to reproduce/fix the issue?

Thank you!

--
Petr^2 Spacek

From sparky at charlietango.com Fri May 6 17:12:08 2016
From: sparky at charlietango.com (Jeffery Harrell)
Date: Fri, 6 May 2016 10:12:08 -0700
Subject: [Freeipa-users] Exposing LDAP attributes with hyphens in their names?
Message-ID:

Hi. I'm very new to IPA; I only picked it up a couple weeks ago. So this may be a remedial question.

I'd like to expose, both via the CLI and the GUI, certain LDAP attributes which have hyphens in their names, e.g., "apple-user-homeurl." The Param class rejects these attributes because of the hyphens; the name of the Param doesn't conform to the regular expression so an exception gets thrown. This code does not work:

    user.user.takes_params = user.user.takes_params + (
        Str(
            'apple-user-homeurl',
            cli_name='appleuserhomeurl',
            label=_('Apple User Home URL'),
            doc=_('Apple user home URL.'),
        ),
    )

Is there a sensible way of getting around that, or will I have to subclass Param and write a whole bunch of new code to get this to work?

Thanks very much.

Jeffery
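Returning to the DNSSEC thread above: Petr Spacek's procedure for tying the ipa-dnskeysyncd bind to its cn=dns search in the 389-ds access log (find the conn whose SASL bind resolved to krbprincipalname=ipa-dnskeysyncd/..., find that conn's "SRCH base=cn=dns," line, then the RESULT with the same conn/op pair) is mechanical enough to script. The following is an added example of my own, not code from the thread or from FreeIPA. The sample log is constructed from the conn=614 lines Gary posted plus an unrelated admin connection (conn=615) that I made up to show it being filtered out; it writes the principal with a real "@" where the list archive prints " at ".

```python
"""Correlate 389-ds access-log lines: which search did ipa-dnskeysyncd run
under cn=dns, and what did the matching RESULT line say?"""
import re
from collections import defaultdict

# Constructed sample: the conn=614 lines quoted in this thread, followed by a
# made-up admin connection (conn=615) that also searches cn=dns and must be ignored.
SAMPLE_ACCESS_LOG = """\
[05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0 etime=0
[05/May/2016:10:52:21 -0400] conn=615 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[05/May/2016:10:52:21 -0400] conn=615 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:21 -0400] conn=615 op=1 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(objectClass=idnsZone)" attrs="idnsName"
[05/May/2016:10:52:21 -0400] conn=615 op=1 RESULT err=0 tag=101 nentries=3 etime=0
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$"
)
# key=value pairs: a double-quoted value, or a bare token that stops at a comma
# (so 'etime=0, SASL bind in progress' yields etime=0).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')


def parse_line(line):
    """Split one access-log line into ts/conn/op/type/fields, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rest = m.group("rest")
    return {
        "ts": m.group("ts"),
        "conn": m.group("conn"),
        "op": m.group("op"),            # None on 'connection from ...' lines
        "type": rest.split(" ", 1)[0],  # BIND, RESULT, SRCH, UNBUND, ...
        "fields": {k: v.strip('"') for k, v in FIELD_RE.findall(rest)},
    }


def find_keysyncd_searches(lines, principal="ipa-dnskeysyncd/", base_prefix="cn=dns,"):
    """For each connection whose SASL bind completed as the given service principal,
    return every SRCH under base_prefix with the err/nentries of the RESULT line
    that carries the same conn and op identifiers."""
    by_conn = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_conn[rec["conn"]].append(rec)

    findings = []
    for conn, recs in by_conn.items():
        bound_as = None
        for r in recs:
            dn = r["fields"].get("dn", "")
            if r["type"] == "RESULT" and dn.startswith("krbprincipalname=" + principal):
                bound_as = dn  # the last SASL step's RESULT logs the mapped bind DN
        if bound_as is None:
            continue
        results_by_op = {r["op"]: r for r in recs if r["type"] == "RESULT"}
        for r in recs:
            if r["type"] != "SRCH" or not r["fields"].get("base", "").startswith(base_prefix):
                continue
            res = results_by_op.get(r["op"])
            findings.append({
                "conn": conn,
                "op": r["op"],
                "bound_as": bound_as,
                "base": r["fields"]["base"],
                "filter": r["fields"].get("filter"),
                "err": int(res["fields"]["err"]) if res else None,
                "nentries": int(res["fields"]["nentries"]) if res else None,
            })
    return findings


def describe(findings):
    """One report line per finding; an empty result set on the cn=dns search is
    the symptom being chased in this thread (the signed zone should come back)."""
    out = []
    for f in findings:
        status = "NO RESULT LINE" if f["err"] is None else "err=%d nentries=%d" % (f["err"], f["nentries"])
        flag = "  <-- empty result set" if f["nentries"] == 0 else ""
        out.append("conn=%s op=%s base=%s %s%s" % (f["conn"], f["op"], f["base"], status, flag))
    return out


if __name__ == "__main__":
    import sys
    # Usage: python3 correlate.py /var/log/dirsrv/slapd-EXAMPLE-COM/access
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG.splitlines()
    for report_line in describe(find_keysyncd_searches(lines)):
        print(report_line)
```

Run without arguments it reports only conn=614 op=3 (err=269, nentries=0); conn=615 searches the same subtree but is bound as a user, not as the ipa-dnskeysyncd principal, so it is dropped. The script does not interpret err=269, which the thread itself leaves unexplained.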
From schogan at us.ibm.com Fri May 6 19:18:18 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Fri, 6 May 2016 12:18:18 -0700
Subject: [Freeipa-users] SSHFP upload
Message-ID: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com>

Hi All,

Wondering if someone knows how the SSHFPs of a box are getting uploaded to IPA during ipa-client-install --enable-dns-updates? Is it going over port 389,636,22?

Have an issue that on one network my enrolls work fine and everything gets updated. A new network was put in place but still part of the same domain and I get SSHFP failed to upload. I was assuming this has something to do with DNS but Network team says bi directional port 53 is good and I can nslookup. Both new and old networks point to the same IPA DNS server for enrolling. The IPs of the new network still fall in my reverse zone.

So My DNS is setup with:
test.local
10.in-addr.arpa

and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x

Results of current Network

Enrolled in IPA realm TEST.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
DNS server record set to: dingle.test.local -> IP of dingle
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Results of New network

Enrolled in IPA realm TEST.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete

Sean Hogan

From rcritten at redhat.com Fri May 6 19:24:15 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 6 May 2016 15:24:15 -0400
Subject: [Freeipa-users] SSHFP upload
In-Reply-To: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com>
References: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com>
Message-ID: <572CEF5F.4030707@redhat.com>

Sean Hogan wrote:
> Hi All,
>
> Wondering if someone knows how the SSHFPs of a box are getting uploaded to IPA during ipa-client-install --enable-dns-updates? Is it going over port 389,636,22?
>
> Have an issue that on one network my enrolls work fine and everything gets updated. A new network was put in place but still part of the same domain and I get SSHFP failed to upload. I was assuming this has something to do with DNS but Network team says bi directional port 53 is good and I can nslookup. Both new and old networks point to the same IPA DNS server for enrolling. The IPs of the new network still fall in my reverse zone.
>
> So My DNS is setup with:
> test.local
> 10.in-addr.arpa
>
> and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x

It updates over DNS using nsupdate.
> Results of current Network

Look in /var/log/ipaclient-install.log for details.

rob

>
> Enrolled in IPA realm TEST.LOCAL
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm TEST.LOCAL
> trying https://bob.test.local/ipa/xml
>
> Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
> DNS server record set to: dingle.test.local -> IP of dingle
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
> SSSD enabled
> Configuring test.local as NIS domain
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Client configuration complete.
>
>
> Results of New network
> Enrolled in IPA realm TEST.LOCAL
> Attempting to get host TGT...
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm TEST.LOCAL
> trying https://bob.test.local/ipa/xml
>
> Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
> Failed to update DNS records.
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configuring test.local as NIS domain
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Client configuration complete
>
>
> Sean Hogan
>

From mbasti at redhat.com Fri May 6 19:25:50 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 6 May 2016 21:25:50 +0200
Subject: [Freeipa-users] SSHFP upload
In-Reply-To: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com>
References: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com>
Message-ID:

Hello,

records are updated by nslookup

do you have allowed dynamic updates in the zone settings?

Martin

On 06.05.2016 21:18, Sean Hogan wrote:
>
> Hi All,
>
> Wondering if someone knows how the SSHFPs of a box are getting uploaded to IPA during ipa-client-install --enable-dns-updates? Is it going over port 389,636,22?
>
> Have an issue that on one network my enrolls work fine and everything gets updated. A new network was put in place but still part of the same domain and I get SSHFP failed to upload. I was assuming this has something to do with DNS but Network team says bi directional port 53 is good and I can nslookup. Both new and old networks point to the same IPA DNS server for enrolling. The IPs of the new network still fall in my reverse zone.
>
> So My DNS is setup with:
> test.local
> 10.in-addr.arpa
>
> and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x
>
>
> Results of current Network
>
> Enrolled in IPA realm TEST.LOCAL
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm TEST.LOCAL
> trying https://bob.test.local/ipa/xml
>
> Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
> DNS server record set to: dingle.test.local -> IP of dingle
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
> SSSD enabled
> Configuring test.local as NIS domain
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Client configuration complete.
>
>
> Results of New network
> Enrolled in IPA realm TEST.LOCAL
> Attempting to get host TGT...
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm TEST.LOCAL
> trying https://bob.test.local/ipa/xml
>
> Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
> Failed to update DNS records.
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configuring test.local as NIS domain
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Client configuration complete
>
>
> Sean Hogan
>
From devin at pabstatencio.com Fri May 6 19:29:26 2016
From: devin at pabstatencio.com (Devin Acosta)
Date: Fri, 06 May 2016 12:29:26 -0700
Subject: [Freeipa-users] nsds5ReplConflict / Replication issue!
Message-ID: <572CF096.30802@pabstatencio.com>

> I am running the latest FreeIPA on CentOS 7.2.
>
> I noticed I had a "nsds5ReplConflict" with an item, i tried to follow the webpage to rename and delete but that failed. I then tried to have ipa1-i2x reload from ipa01-aws instance, now it seems to have gone maybe worse?
> can you please advise how to get back to a healthy system. I initially added a system account as recommended so i could have say like Jira/Confluence do User searches against IDM.
>
> [dacosta at ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w 'password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: nsds5ReplConflict=*
> # requesting: * nsds5ReplConflict
> #
>
> # 7ad08581-059911e6-b55c83a4-93228cdf + ldapsearch, sysaccounts, etc, rsinc.local
> dn: nsuniqueid=7ad08581-059911e6-b55c83a4-93228cdf+uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsinc,dc=local
> userPassword:: e1NTSEF9M3krdTh5TkdYV==
> uid: ldapsearch
> objectClass: account
> objectClass: simplesecurityobject
> objectClass: top
> nsds5ReplConflict: namingConflict uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsinc,dc=local
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> [dacosta at ipa1-i2x ~]$ ./ipa_check_consistency -H "ipa1-i2x.local ipa01-aws.rsinc.local" -d RSINC.LOCAL
> Directory Manager password:
> FreeIPA servers:     ipa1-i2x   ipa01-aws   STATE
> ===================================================
> Active Users         ERROR      33          FAIL
> Stage Users          ERROR      0           FAIL
> Preserved Users      ERROR      0           FAIL
> User Groups          ERROR      7           FAIL
> Hosts                ERROR      82          FAIL
> Host Groups          ERROR      1           FAIL
> HBAC Rules           ERROR      2           FAIL
> SUDO Rules           ERROR      4           FAIL
> DNS Zones            ERROR      14          FAIL
> LDAP Conflicts       ERROR      YES         FAIL
> Anonymous BIND       ERROR      on          FAIL
> Replication Status   ipa02-aws 0
>                      ipa1-i2x 0
> ===================================================
>
>
> [dacosta at ipa1-i2x ~]$ ipa-replica-manage list
> ipa: WARNING: session memcached servers not running
> ipa02-aws.rsinc.local: master
> ipa01-aws.rsinc.local: master
> ipa1-i2x.rsinc.local: master
>
>
> Devin Acosta
> Linux Certified Engineer
> e: devin at linuxguru.co
>

From mbasti at redhat.com Fri May 6 19:43:38 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 6 May 2016 21:43:38 +0200
Subject: [Freeipa-users] nsds5ReplConflict / Replication issue!
In-Reply-To: <572CF096.30802@pabstatencio.com>
References: <572CF096.30802@pabstatencio.com>
Message-ID:

On 06.05.2016 21:29, Devin Acosta wrote:
>> I am running the latest FreeIPA on CentOS 7.2.
>>
>> I noticed I had a "nsds5ReplConflict" with an item, i tried to follow the webpage to rename and delete but that failed. I then tried to have ipa1-i2x reload from ipa01-aws instance, now it seems to have gone maybe worse?
>> can you please advise how to get back to a healthy system. I initially added a system account as recommended so i could have say like Jira/Confluence do User searches against IDM.
>>
>> [dacosta at ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w 'password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: nsds5ReplConflict=*
>> # requesting: * nsds5ReplConflict
>> #
>>
>> # 7ad08581-059911e6-b55c83a4-93228cdf + ldapsearch, sysaccounts, etc, rsinc.local
>> dn: nsuniqueid=7ad08581-059911e6-b55c83a4-93228cdf+uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsinc,dc=local
>> userPassword:: e1NTSEF9M3krdTh5TkdYV==
>> uid: ldapsearch
>> objectClass: account
>> objectClass: simplesecurityobject
>> objectClass: top
>> nsds5ReplConflict: namingConflict uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsinc,dc=local
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> [dacosta at ipa1-i2x ~]$ ./ipa_check_consistency -H "ipa1-i2x.local ipa01-aws.rsinc.local" -d RSINC.LOCAL
>> Directory Manager password:
>> FreeIPA servers:     ipa1-i2x   ipa01-aws   STATE
>> ===================================================
>> Active Users         ERROR      33          FAIL
>> Stage Users          ERROR      0           FAIL
>> Preserved Users      ERROR      0           FAIL
>> User Groups          ERROR      7           FAIL
>> Hosts                ERROR      82          FAIL
>> Host Groups          ERROR      1           FAIL
>> HBAC Rules           ERROR      2           FAIL
>> SUDO Rules           ERROR      4           FAIL
>> DNS Zones            ERROR      14          FAIL
>> LDAP Conflicts       ERROR      YES         FAIL
>> Anonymous BIND       ERROR      on          FAIL
>> Replication Status   ipa02-aws 0
>>                      ipa1-i2x 0
>> ===================================================
>>
>>
>> [dacosta at ipa1-i2x ~]$ ipa-replica-manage list
>> ipa: WARNING: session memcached servers not running
>> ipa02-aws.rsinc.local: master
>> ipa01-aws.rsinc.local: master
>> ipa1-i2x.rsinc.local: master
>>
>>
>> Devin Acosta
>> Linux Certified Engineer
>> e: devin at linuxguru.co
>>
>
>
hello, it is not clear to me what is wrong, do you have there conflicts?
The output of command is not tool supported by freeIPA, I have no idea what is wrong.
to check replication status for each IPA server run
ipa-replica-manage -v list

can you kinit on all replicas?
can you do ldapsearch as directory manager on each server?

Martin

From mbasti at redhat.com Fri May 6 20:14:42 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 6 May 2016 22:14:42 +0200
Subject: [Freeipa-users] nsds5ReplConflict / Replication issue!
In-Reply-To: <572CF5B9.70104@pabstatencio.com>
References: <572CF096.30802@pabstatencio.com> <572CF5B9.70104@pabstatencio.com>
Message-ID: <335303a6-9cde-cb29-078b-138d508ed6df@redhat.com>

Please keep freeipa-users in loop

Well indeed something bad is happening with replication, did you try to reinitialize replica? Maybe guys from DS will know what is happening.

Martin

On 06.05.2016 21:51, Devin Acosta wrote:
> Martin,
>
> Well it initially started when I noticed errors in the logs about having a conflict on a record. So i was trying to get that record cleaned up. I then thought oh maybe I should just have it reload everything from another server, and i wonder if now that's why the box is just giving strange results.
>
> i had ipa1-i2x.rsinc.local reload from ipa01-aws.rsinc.local, you can see the output of the commands below about replication status.
> I can still log into ipa1-i2x.rsinc.local,
>
> [dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa02-aws.rsinc.local
> ipa: WARNING: session memcached servers not running
> ipa01-aws.rsinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 1970-01-01 00:00:00+00:00
> [dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa01-aws.rsinc.local
> ipa: WARNING: session memcached servers not running
> ipa02-aws.rsinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-05-06 19:47:26+00:00
> ipa1-i2x.rsinc.local: replica
>   last init status: 0 Total update succeeded
>   last init ended: 2016-05-06 18:46:29+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-05-06 19:46:59+00:00
> [dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa1-i2x.rsinc.local
> ipa: WARNING: session memcached servers not running
> ipa01-aws.rsinc.local: replica
>   last init status: None
>   last init ended: 1970-01-01 00:00:00+00:00
>   last update status: 1 Can't acquire busy replica
>   last update ended: 1970-01-01 00:00:00+00:00
>
> I do have these errors on (idm1-i2x) in the errors:
>
> [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 4 ldap://ipa01-aws.rsinc.local:389} 56e2f9e7000000040000 572ce681000200040000] which is present in RUV [database RUV]
> [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=rsinc,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
> [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 91 ldap://ipa1-i2x.rsinc.local:389} 56f02d3b0000005b0000 56f02d600007005b0000] which is present in RUV [database RUV]
> [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica o=ipaca there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
> [06/May/2016:18:48:46 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1-i2x.rsinc.local at RSINC.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [06/May/2016:18:48:46 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [06/May/2016:18:48:46 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
> [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
> [06/May/2016:18:48:46 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [06/May/2016:18:48:46 +0000] - Listening on All Interfaces port 636 for LDAPS requests
> [06/May/2016:18:48:46 +0000] - Listening on /var/run/slapd-RSINC-LOCAL.socket for LDAPI requests
> [06/May/2016:18:48:50 +0000] NSMMReplicationPlugin - agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind with GSSAPI auth resumed
> [06/May/2016:18:49:18 +0000] - Retry count exceeded in delete
> [06/May/2016:18:49:18 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 436145 (rc: 51)
>
> Thanks for your help.
>
>
> Martin Basti wrote:
>>
>>
>>
>> On 06.05.2016 21:29, Devin Acosta wrote:
>>>
>>>>
>>>> I am running the latest FreeIPA on CentOS 7.2.
>>>>
>>>> I noticed I had a "nsds5ReplConflict" with an item, i tried to follow the webpage to rename and delete but that failed. I then tried to have ipa1-i2x reload from ipa01-aws instance, now it seems to have gone maybe worse?
>>>> can you please advise how to get back to a healthy system. I initially added a system account as recommended so i could have say like Jira/Confluence do User searches against IDM.
>>>>
>>>> [dacosta at ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w 'password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* nsds5ReplConflict
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: nsds5ReplConflict=*
>>>> # requesting: * nsds5ReplConflict
>>>> #
>>>>
>>>> # 7ad08581-059911e6-b55c83a4-93228cdf + ldapsearch, sysaccounts, etc, rsinc.local
>>>> dn: nsuniqueid=7ad08581-059911e6-b55c83a4-93228cdf+uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsinc,dc=local
>>>> userPassword:: e1NTSEF9M3krdTh5TkdYV==
>>>> uid: ldapsearch
>>>> objectClass: account
>>>> objectClass: simplesecurityobject
>>>> objectClass: top
>>>> nsds5ReplConflict: namingConflict uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsinc,dc=local
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> [dacosta at ipa1-i2x ~]$ ./ipa_check_consistency -H "ipa1-i2x.local ipa01-aws.rsinc.local" -d RSINC.LOCAL
>>>> Directory Manager password:
>>>> FreeIPA servers:     ipa1-i2x   ipa01-aws   STATE
>>>> ===================================================
>>>> Active Users         ERROR      33          FAIL
>>>> Stage Users          ERROR      0           FAIL
>>>> Preserved Users      ERROR      0           FAIL
>>>> User Groups          ERROR      7           FAIL
>>>> Hosts                ERROR      82          FAIL
>>>> Host Groups          ERROR      1           FAIL
>>>> HBAC Rules           ERROR      2           FAIL
>>>> SUDO Rules           ERROR      4           FAIL
>>>> DNS Zones            ERROR      14          FAIL
>>>> LDAP Conflicts       ERROR      YES         FAIL
>>>> Anonymous BIND       ERROR      on          FAIL
>>>> Replication Status   ipa02-aws 0
>>>>                      ipa1-i2x 0
>>>> ===================================================
>>>>
>>>>
>>>> [dacosta at ipa1-i2x ~]$ ipa-replica-manage list
>>>> ipa: WARNING: session memcached servers not running
>>>> ipa02-aws.rsinc.local: master
>>>> ipa01-aws.rsinc.local: master
>>>> ipa1-i2x.rsinc.local: master
>>>>
>>>>
>>>> Devin Acosta
>>>> Linux Certified Engineer
>>>> e: devin at linuxguru.co
>>>>
>>>
>>>
>>
>> hello, it is not clear to me what is wrong, do you have there conflicts?
>> The output of command is not tool supported by freeIPA, I have no idea what is wrong.
>>
>> to check replication status for each IPA server run
>> ipa-replica-manage -v list
>>
>> can you kinit on all replicas?
>> can you do ldapsearch as directory manager on each server?
>>
>> Martin

From schogan at us.ibm.com Fri May 6 20:18:27 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Fri, 6 May 2016 13:18:27 -0700
Subject: [Freeipa-users] SSHFP upload
In-Reply-To:
References: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com>
Message-ID: <201605062018.u46KIZYr009420@d01av03.pok.ibm.com>

Yes sir.. Dynamic update value is set to true on both test.local and the reverse zone.

From what Robert mentioned I am looking at the install logs now. So this is where DNS update is bombing:

2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2016-04-26T16:31:08Z DEBUG stdout=
2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed: operation canceled
could not talk to any default name server
2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:08Z ERROR Failed to update DNS records.

And this is where SSHFP updates are bombing:

2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed: operation canceled
could not talk to any default name server
2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status 2016-04-26T16:31:09Z DEBUG stdout= 2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service So it looks like it can not talk to port 53 but nslookup is working fine from the box and outputting the server response as the correct dns ip which is in the logs Server: correct IP of DNS server Address: correct IP of DNS server#53 Name: dingle.test.local Address: correct ip of dingle reoslv.conf has 1st listing as the same ip as in the logs and nslookup result. Sean Hogan From: Martin Basti To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users Date: 05/06/2016 12:25 PM Subject: Re: [Freeipa-users] SSHFP upload Hello, records are updated by nslookup do you have allowed dynamic updates in the zone settings? Martin On 06.05.2016 21:18, Sean Hogan wrote: Hi All, Wondering if someone knows how the SSHFPs of a box are getting uploaded to IPA during ipa-client-install --enable-dns-updates? Is it going over port 389,636,22? Have an issue that on one network my enrolls work fine and everything gets updated. A new network was put in place but still part of the same domain and I get SSHFP failed to upload. I was assuming this has something to do with DNS but Network team says bi directional port 53 is good and I can nslookup. Both new and old networks point to the same IPA DNS server for enrolling. The IPs of the new network still fall in my reverse zone. 
So my DNS is set up with:
test.local
10.in-addr.arpa

and the IP scheme for the new net is 10.5.x.x, old net is 10.35.x.x

Results of current network:

Enrolled in IPA realm TEST.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
DNS server record set to: dingle.test.local -> IP of dingle
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Results of new network:

Enrolled in IPA realm TEST.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete

Sean Hogan
From devin at pabstatencio.com Fri May 6 20:20:40 2016
From: devin at pabstatencio.com (Devin Acosta)
Date: Fri, 06 May 2016 13:20:40 -0700
Subject: [Freeipa-users] nsds5ReplConflict / Replication issue!
In-Reply-To: <335303a6-9cde-cb29-078b-138d508ed6df@redhat.com>
References: <572CF096.30802@pabstatencio.com> <572CF5B9.70104@pabstatencio.com> <335303a6-9cde-cb29-078b-138d508ed6df@redhat.com>
Message-ID: <572CFC98.4000509@pabstatencio.com>

I did try to resync idm1-i2x from ipa01-aws, probably was a bad idea.. Is there any way to basically have it resync and get a fresh copy from the other nodes that are ok?

----

Well, it initially started when I noticed errors in the logs about having a conflict on a record. So I was trying to get that record cleaned up. I then thought oh, maybe I should just have it reload everything from another server, and I wonder if now that's why the box is just giving strange results.

I had ipa1-i2x.rsinc.local reload from ipa01-aws.rsinc.local, you can see the output of the commands below about replication status.
I can still log into ipa1-i2x.rsinc.local.

[dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa02-aws.rsinc.local
ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update started
  last update ended: 1970-01-01 00:00:00+00:00

[dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa01-aws.rsinc.local
ipa: WARNING: session memcached servers not running
ipa02-aws.rsinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-06 19:47:26+00:00
ipa1-i2x.rsinc.local: replica
  last init status: 0 Total update succeeded
  last init ended: 2016-05-06 18:46:29+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-05-06 19:46:59+00:00

[dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa1-i2x.rsinc.local
ipa: WARNING: session memcached servers not running
ipa01-aws.rsinc.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 1 Can't acquire busy replica
  last update ended: 1970-01-01 00:00:00+00:00

I do have these errors on (idm1-i2x) in the errors:

[06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 4 ldap://ipa01-aws.rsinc.local:389} 56e2f9e7000000040000 572ce681000200040000] which is present in RUV [database RUV]
[06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=rsinc,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task.
If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog. [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 91 ldap://ipa1-i2x.rsinc.local:389} 56f02d3b0000005b0000 56f02d600007005b0000] which is present in RUV [database RUV] [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica o=ipaca there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog. [06/May/2016:18:48:46 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1-i2x.rsinc.local at RSINC.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [06/May/2016:18:48:46 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [06/May/2016:18:48:46 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [06/May/2016:18:48:46 +0000] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [06/May/2016:18:48:46 +0000] - Listening on All Interfaces port 636 for LDAPS requests [06/May/2016:18:48:46 +0000] - Listening on /var/run/slapd-RSINC-LOCAL.socket for LDAPI requests [06/May/2016:18:48:50 +0000] NSMMReplicationPlugin - agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind with GSSAPI auth resumed [06/May/2016:18:49:18 +0000] - Retry count exceeded in delete [06/May/2016:18:49:18 +0000] DSRetroclPlugin - delete_changerecord: could not delete change record 436145 (rc: 51) Thanks for your help. Martin Basti wrote: Martin Basti wrote: > Martin, > > Well it initially started when I noticed errors in the logs about > having a conflict on a record. So i was trying to get that record > cleaned up. I then though oh maybe I should just have it reload > everything from another server, and i wonder if now that's why the box > is just giving strange results. > > i had ipa1-i2x.rsinc.local reload from ipa01-aws.rsinc.local, you can > see the output of the commands below about replication status. 
I can > still log into ipa1-i2x.rsinc.local, > > [dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa02-aws.rsinc.local > ipa: WARNING: session memcached servers not running > ipa01-aws.rsinc.local: replica > last init status: None > last init ended: 1970-01-01 00:00:00+00:00 > last update status: 0 Replica acquired successfully: Incremental > update started > last update ended: 1970-01-01 00:00:00+00:00 > [dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa01-aws.rsinc.local > ipa: WARNING: session memcached servers not running > ipa02-aws.rsinc.local: replica > last init status: None > last init ended: 1970-01-01 00:00:00+00:00 > last update status: 0 Replica acquired successfully: Incremental > update succeeded > last update ended: 2016-05-06 19:47:26+00:00 > ipa1-i2x.rsinc.local: replica > last init status: 0 Total update succeeded > last init ended: 2016-05-06 18:46:29+00:00 > last update status: 0 Replica acquired successfully: Incremental > update succeeded > last update ended: 2016-05-06 19:46:59+00:00 > [dacosta at ipa1-i2x ~]$ ipa-replica-manage -v list ipa1-i2x.rsinc.local > ipa: WARNING: session memcached servers not running > ipa01-aws.rsinc.local: replica > last init status: None > last init ended: 1970-01-01 00:00:00+00:00 > last update status: 1 Can't acquire busy replica > last update ended: 1970-01-01 00:00:00+00:00 > > I do have these errors on (idm1-i2x) in the errors: > > [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: > RUV [changelog max RUV] does not contain element [{replica 4 > ldap://ipa01-aws.rsinc.local:389} 56e2f9e7000000040000 > 572ce681000200040000] which is present in RUV [database RUV] > [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - > replica_check_for_data_reload: Warning: for replica dc=rsinc,dc=local > there were some differences between the changelog max RUV and the > database RUV. If there are obsolete elements in the database RUV, you > should remove them using the CLEANALLRUV task. 
If they are not > obsolete, you should check their status to see why there are no > changes from those servers in the changelog. > [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - ruv_compare_ruv: > RUV [changelog max RUV] does not contain element [{replica 91 > ldap://ipa1-i2x.rsinc.local:389} 56f02d3b0000005b0000 > 56f02d600007005b0000] which is present in RUV [database RUV] > [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - > replica_check_for_data_reload: Warning: for replica o=ipaca there were > some differences between the changelog max RUV and the database RUV. > If there are obsolete elements in the database RUV, you should remove > them using the CLEANALLRUV task. If they are not obsolete, you should > check their status to see why there are no changes from those servers > in the changelog. > [06/May/2016:18:48:46 +0000] set_krb5_creds - Could not get initial > credentials for principal [ldap/ipa1-i2x.rsinc.local at RSINC.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see > e-text)) > [06/May/2016:18:48:46 +0000] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No Kerberos > credentials available)) errno 0 (Success) > [06/May/2016:18:48:46 +0000] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism [GSSAPI]: > error -2 (Local error) > [06/May/2016:18:48:46 +0000] NSMMReplicationPlugin - > agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind > with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): > generic failure: GSSAPI Error: Unspecified GSS failure. Minor code > may provide more information (No Kerberos credentials available)) > [06/May/2016:18:48:46 +0000] - slapd started. 
Listening on All > Interfaces port 389 for LDAP requests > [06/May/2016:18:48:46 +0000] - Listening on All Interfaces port 636 > for LDAPS requests > [06/May/2016:18:48:46 +0000] - Listening on > /var/run/slapd-RSINC-LOCAL.socket for LDAPI requests > [06/May/2016:18:48:50 +0000] NSMMReplicationPlugin - > agmt="cn=meToipa01-aws.rsinc.local" (ipa01-aws:389): Replication bind > with GSSAPI auth resumed > [06/May/2016:18:49:18 +0000] - Retry count exceeded in delete > [06/May/2016:18:49:18 +0000] DSRetroclPlugin - delete_changerecord: > could not delete change record 436145 (rc: 51) > > Thanks for your help. > > > Martin Basti wrote: -- Sent from Postbox -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri May 6 20:25:20 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 6 May 2016 22:25:20 +0200 Subject: [Freeipa-users] SSHFP upload In-Reply-To: <201605062018.u46KIcIK032661@d01av04.pok.ibm.com> References: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com> <201605062018.u46KIcIK032661@d01av04.pok.ibm.com> Message-ID: On 06.05.2016 22:18, Sean Hogan wrote: > > Yes sir.. > > Dynamic update value is set to true on both test.local and the reverse > zone. > > Form what Robert mentioned I am looking at the install logs now. > > > So this is where DNS update is bombing: > 2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate -g > /etc/ipa/.dns_update.txt > 2016-04-26T16:31:08Z DEBUG stdout= > 2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS > server IP"#53 failed: > operation canceled > could not talk to any default name server > That is weird, maybe do you have allowed TCP/53? 
It may try to use TCP instead of UDP.

And please check on "Correct DNS server" if there is any logged entry about dynamic update from client (journalctl -u named[-pkcs11])

Martin

>
> 2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-04-26T16:31:08Z ERROR Failed to update DNS records.
>
> And this is where SSHFP updates are bombing:
> 2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 2016-04-26T16:31:09Z DEBUG stdout=
> 2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed:
> operation canceled
> could not talk to any default name server
>
> 2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records.
> 2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
> 2016-04-26T16:31:09Z DEBUG stdout=
> 2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service
>
> So it looks like it can not talk to port 53, but nslookup is working fine from the box and outputting the server response as the correct DNS IP which is in the logs
> Server: correct IP of DNS server
> Address: correct IP of DNS server#53
>
> Name: dingle.test.local
> Address: correct IP of dingle
>
> resolv.conf has the 1st listing as the same IP as in the logs and the nslookup result.
>
> Sean Hogan
>
> > From: Martin Basti > To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users > Date: 05/06/2016 12:25 PM > Subject: Re: [Freeipa-users] SSHFP upload > > ------------------------------------------------------------------------ > > > > Hello, records are updated by nslookup > > do you have allowed dynamic updates in the zone settings? > > Martin > > > On 06.05.2016 21:18, Sean Hogan wrote: > > Hi All, > > Wondering if someone knows how the SSHFPs of a box are getting > uploaded to IPA during ipa-client-install > --enable-dns-updates? Is it going over port 389,636,22? > > Have an issue that on one network my enrolls work fine and > everything gets updated. A new network was put in place but > still part of the same domain and I get SSHFP failed to > upload. I was assuming this has something to do with DNS but > Network team says bi directional port 53 is good and I can > nslookup. Both new and old networks point to the same IPA DNS > server for enrolling. The IPs of the new network still fall in > my reverse zone. > > So My DNS is setup with: > test.local > 10.in-addr.arpa > > and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x > > > > Results of current Network > > Enrolled in IPA realm TEST.LOCAL > Created /etc/ipa/default.conf > New SSSD config will be created > Configured sudoers in /etc/nsswitch.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm TEST.LOCAL > trying *_https://bob.test.local/ipa/xml_* > > Forwarding 'env' to server u'_https://bob.test.local/ipa/xml_' > DNS server record set to: dingle.test.local -> IP of dingle > Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub > Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub > Forwarding 'host_mod' to server > u'_https://bob.test.local/ipa/xml_' > SSSD enabled > Configuring test.local as NIS domain > Configured /etc/openldap/ldap.conf > NTP enabled > Configured /etc/ssh/ssh_config > Configured /etc/ssh/sshd_config > Client configuration complete. 
>
> Results of New network
> Enrolled in IPA realm TEST.LOCAL
> Attempting to get host TGT...
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm TEST.LOCAL
> trying https://bob.test.local/ipa/xml
>
> Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
> Failed to update DNS records.
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configuring test.local as NIS domain
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Client configuration complete
>
> Sean Hogan
>

From mareynol at redhat.com Fri May 6 21:02:09 2016
From: mareynol at redhat.com (Mark Reynolds)
Date: Fri, 6 May 2016 17:02:09 -0400
Subject: [Freeipa-users] nsds5ReplConflict / Replication issue!
In-Reply-To: <572CF096.30802@pabstatencio.com>
References: <572CF096.30802@pabstatencio.com>
Message-ID: <572D0651.50307@redhat.com>

On 05/06/2016 03:29 PM, Devin Acosta wrote:
>> I am running the latest FreeIPA on CentOS 7.2.
>>
>> I noticed I had a "nsds5ReplConflict" with an item, I tried to follow
>> the webpage to rename and delete but that failed.

Is this the page you looked at:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

If it is the same process, what exactly failed?
Thanks, Mark >> I then tried to have ipa1-i2x reload from ipa01-aws instance, now now >> it seems to have gone maybe worse? >> can you please advise how to get back to a healthy system. I >> initially added a system account as recommended so i could have say >> like Jira/Confluence do User searches against IDM. >> >> [dacosta at ipa1-i2x ~]$ ldapsearch -x -D "cn=directory manager" -w >> ?password' -b "dc=rsinc,dc=local" "nsds5ReplConflict=*" \* >> nsds5ReplConflict >> # extended LDIF >> # >> # LDAPv3 >> # base with scope subtree >> # filter: nsds5ReplConflict=* >> # requesting: * nsds5ReplConflict >> # >> >> # 7ad08581-059911e6-b55c83a4-93228cdf + ldapsearch, sysaccounts, etc, >> rsinc.loc >> al >> dn: >> nsuniqueid=7ad08581-059911e6-b55c83a4-93228cdf+uid=ldapsearch,cn=sysaccoun >> ts,cn=etc,dc=rsinc,dc=local >> userPassword:: e1NTSEF9M3krdTh5TkdYV= >> = >> uid: ldapsearch >> objectClass: account >> objectClass: simplesecurityobject >> objectClass: top >> nsds5ReplConflict: namingConflict >> uid=ldapsearch,cn=sysaccounts,cn=etc,dc=rsin >> c,dc=local >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 2 >> # numEntries: 1 >> >> [dacosta at ipa1-i2x ~]$ ./ipa_check_consistency -H "ipa1-i2x.local >> ipa01-aws.rsinc.local" -d RSINC.LOCAL >> Directory Manager password: >> FreeIPA servers: ipa1-i2x ipa01-aws STATE >> =================================================== >> Active Users ERROR 33 FAIL >> Stage Users ERROR 0 FAIL >> Preserved Users ERROR 0 FAIL >> User Groups ERROR 7 FAIL >> Hosts ERROR 82 FAIL >> Host Groups ERROR 1 FAIL >> HBAC Rules ERROR 2 FAIL >> SUDO Rules ERROR 4 FAIL >> DNS Zones ERROR 14 FAIL >> LDAP Conflicts ERROR YES FAIL >> Anonymous BIND ERROR on FAIL >> Replication Status ipa02-aws 0 >> ipa1-i2x 0 >> =================================================== >> >> >> [dacosta at ipa1-i2x ~]$ ipa-replica-manage list >> ipa: WARNING: session memcached servers not running >> ipa02-aws.rsinc.local: master >> 
ipa01-aws.rsinc.local: master
>> ipa1-i2x.rsinc.local: master
>>
>>
>> Devin Acosta
>> Linux Certified Engineer
>> e: devin at linuxguru.co
>>
>
>

From schogan at us.ibm.com Fri May 6 21:36:03 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Fri, 6 May 2016 14:36:03 -0700
Subject: [Freeipa-users] SSHFP upload
In-Reply-To:
References: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com> <201605062018.u46KIcIK032661@d01av04.pok.ibm.com>
Message-ID: <201605062136.u46LaAdm006051@d03av03.boulder.ibm.com>

Hi Martin,

TCP 53 was not open as per the firewall request and IPA docs. That is corrected now, but it is still failing to update SSHFP; but now, instead of "can not comm with DNS server", I am getting the below. This is on a box that was enrolled... I ran ipa-client-install --uninstall ... removed ca.crt and krb5.keytab and then ran ipa-client-install --enable-dns-update --force

2016-05-06T21:27:16Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=; Communication with Correct DNS IP#53 failed: operation canceled
; response to SOA query was unsuccessful
2016-05-06T21:27:16Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-05-06T21:27:16Z WARNING Could not update DNS SSHFP records.
2016-05-06T21:27:16Z DEBUG args=/sbin/service nscd status
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=nscd: unrecognized service

Sean Hogan

From: Martin Basti
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users
Date: 05/06/2016 01:25 PM
Subject: Re: [Freeipa-users] SSHFP upload

On 06.05.2016 22:18, Sean Hogan wrote:

Yes sir..

Dynamic update value is set to true on both test.local and the reverse zone.

From what Robert mentioned I am looking at the install logs now.
So this is where DNS update is bombing: 2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2016-04-26T16:31:08Z DEBUG stdout= 2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed: operation canceled could not talk to any default name server That is weird, maybe do you have allowed TCP/53? It may try to use TCP instead of UDP And please check on "Correct DNS server" if there is any logged entry about dynamic update from client (journalctl -u named[-pkcs11]) Martin 2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/i pa/.dns_update.txt' returned non-zero exit status 1 2016-04-26T16:31:08Z ERROR Failed to update DNS records. And this is where SSHFP updates are bombing: 2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2016-04-26T16:31:09Z DEBUG stdout= 2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed: operation canceled could not talk to any default name server 2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/i pa/.dns_update.txt' returned non-zero exit status 1 2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records. 2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status 2016-04-26T16:31:09Z DEBUG stdout= 2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service So it looks like it can not talk to port 53 but nslookup is working fine from the box and outputting the server response as the correct dns ip which is in the logs Server: correct IP of DNS server Address: correct IP of DNS server#53 Name: dingle.test.local Address: correct ip of dingle reoslv.conf has 1st listing as the same ip as in the logs and nslookup result. 
Sean Hogan Inactive hide details for Martin Basti ---05/06/2016 12:25:59 PM---Hello, records are updated by nslookup do you have allowed dMartin Basti ---05/06/2016 12:25:59 PM---Hello, records are updated by nslookup do you have allowed dynamic updates in the zone settings? From: Martin Basti To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users Date: 05/06/2016 12:25 PM Subject: Re: [Freeipa-users] SSHFP upload Hello, records are updated by nslookup do you have allowed dynamic updates in the zone settings? Martin On 06.05.2016 21:18, Sean Hogan wrote: Hi All, Wondering if someone knows how the SSHFPs of a box are getting uploaded to IPA during ipa-client-install --enable-dns-updates? Is it going over port 389,636,22? Have an issue that on one network my enrolls work fine and everything gets updated. A new network was put in place but still part of the same domain and I get SSHFP failed to upload. I was assuming this has something to do with DNS but Network team says bi directional port 53 is good and I can nslookup. Both new and old networks point to the same IPA DNS server for enrolling. The IPs of the new network still fall in my reverse zone. 
So My DNS is setup with: test.local 10.in-addr.arpa and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x Results of current Network Enrolled in IPA realm TEST.LOCAL Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm TEST.LOCAL trying https://bob.test.local/ipa/xml Forwarding 'env' to server u' https://bob.test.local/ipa/xml' DNS server record set to: dingle.test.local -> IP of dingle Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Forwarding 'host_mod' to server u' https://bob.test.local/ipa/xml' SSSD enabled Configuring test.local as NIS domain Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete. Results of New network Enrolled in IPA realm TEST.LOCAL Attempting to get host TGT... Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm TEST.LOCAL trying https://bob.test.local/ipa/xml Forwarding 'env' to server u' https://bob.test.local/ipa/xml' Failed to update DNS records. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Forwarding 'host_mod' to server u' https://bob.test.local/ipa/xml' Could not update DNS SSHFP records. SSSD enabled Configuring test.local as NIS domain Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete Sean Hogan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From schogan at us.ibm.com Fri May 6 21:47:27 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Fri, 6 May 2016 14:47:27 -0700
Subject: [Freeipa-users] SSHFP upload
In-Reply-To:
References: <201605061918.u46JIOhO018136@d03av04.boulder.ibm.com> <201605062018.u46KIcIK032661@d01av04.pok.ibm.com>
Message-ID: <201605062147.u46LlZYN026228@d03av05.boulder.ibm.com>

Sorry guys... this is on us. They also missed a few other rules in the request, so please disregard.

But for clarity in resolution: make sure firewalls have the right rules set. In this instance TCP 53 bi-directional, as they only did uni-directional, which spawned the SOA issue.

All good now. Thanks for the help.

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Martin Basti
Cc: freeipa-users
Date: 05/06/2016 02:36 PM
Subject: Re: [Freeipa-users] SSHFP upload

Hi Martin,

TCP 53 was not open as per the firewall request and IPA docs. That is corrected now, but it is still failing to update SSHFP; but now, instead of "can not comm with DNS server", I am getting the below. This is on a box that was enrolled... I ran ipa-client-install --uninstall ... removed ca.crt and krb5.keytab and then ran ipa-client-install --enable-dns-update --force

2016-05-06T21:27:16Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2016-05-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=; Communication with Correct DNS IP#53 failed: operation canceled
; response to SOA query was unsuccessful
2016-05-06T21:27:16Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
2016-05-06T21:27:16Z WARNING Could not update DNS SSHFP records.
2016-05-06T21:27:16Z DEBUG args=/sbin/service nscd status 2016-05-06T21:27:16Z DEBUG stdout= 2016-05-06T21:27:16Z DEBUG stderr=nscd: unrecognized service Sean Hogan From: Martin Basti To: Sean Hogan/Durham/IBM at IBMUS Cc: freeipa-users Date: 05/06/2016 01:25 PM Subject: Re: [Freeipa-users] SSHFP upload On 06.05.2016 22:18, Sean Hogan wrote: Yes sir.. Dynamic update value is set to true on both test.local and the reverse zone. Form what Robert mentioned I am looking at the install logs now. So this is where DNS update is bombing: 2016-04-26T16:31:08Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2016-04-26T16:31:08Z DEBUG stdout= 2016-04-26T16:31:08Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed: operation canceled could not talk to any default name server That is weird, maybe do you have allowed TCP/53? It may try to use TCP instead of UDP And please check on "Correct DNS server" if there is any logged entry about dynamic update from client (journalctl -u named[-pkcs11]) Martin 2016-04-26T16:31:08Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/i pa/.dns_update.txt' returned non-zero exit status 1 2016-04-26T16:31:08Z ERROR Failed to update DNS records. And this is where SSHFP updates are bombing: 2016-04-26T16:31:09Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt 2016-04-26T16:31:09Z DEBUG stdout= 2016-04-26T16:31:09Z DEBUG stderr=; Communication with "Correct DNS server IP"#53 failed: operation canceled could not talk to any default name server 2016-04-26T16:31:09Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/i pa/.dns_update.txt' returned non-zero exit status 1 2016-04-26T16:31:09Z WARNING Could not update DNS SSHFP records. 
2016-04-26T16:31:09Z DEBUG args=/sbin/service nscd status
2016-04-26T16:31:09Z DEBUG stdout=
2016-04-26T16:31:09Z DEBUG stderr=nscd: unrecognized service

So it looks like it can not talk to port 53, but nslookup is working fine from the box and outputting the server response as the correct DNS IP which is in the logs:

Server: correct IP of DNS server
Address: correct IP of DNS server#53
Name: dingle.test.local
Address: correct ip of dingle

resolv.conf has the 1st listing as the same IP as in the logs and nslookup result.

Sean Hogan

From: Martin Basti
To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users
Date: 05/06/2016 12:25 PM
Subject: Re: [Freeipa-users] SSHFP upload

Hello,

records are updated by nslookup; do you have dynamic updates allowed in the zone settings?

Martin

On 06.05.2016 21:18, Sean Hogan wrote:

Hi All,

Wondering if someone knows how the SSHFPs of a box are getting uploaded to IPA during ipa-client-install --enable-dns-updates? Is it going over port 389, 636, 22?

Have an issue that on one network my enrolls work fine and everything gets updated. A new network was put in place, but still part of the same domain, and I get SSHFP failed to upload. I was assuming this has something to do with DNS, but the Network team says bidirectional port 53 is good and I can nslookup. Both new and old networks point to the same IPA DNS server for enrolling. The IPs of the new network still fall in my reverse zone.
So my DNS is set up with:

test.local
10.in-addr.arpa

and the IP scheme for new net is 10.5.x.x, old net is 10.35.x.x

Results of current network:

Enrolled in IPA realm TEST.LOCAL
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
DNS server record set to: dingle.test.local -> IP of dingle
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Results of new network:

Enrolled in IPA realm TEST.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TEST.LOCAL
trying https://bob.test.local/ipa/xml
Forwarding 'env' to server u'https://bob.test.local/ipa/xml'
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://bob.test.local/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring test.local as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete

Sean Hogan
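The SSHFP step of ipa-client-install visible in the installer output and logs above does two things: it uploads the host's public keys to the host entry (the 'host_mod' call) and then publishes the matching SSHFP records in DNS through nsupdate -g, a GSS-TSIG signed dynamic update. That update is what failed while TCP/53 was only open in one direction. Once the firewall is fixed, the check worth keeping is that the records DNS actually serves match the host's current keys, since a host re-enrolled under the same name can leave stale records behind. The Python below is an added example written for this page, not FreeIPA or SSSD code. The key line and the DNS answer in it are constructed stand-ins; on a real host replace them with the contents of /etc/ssh/ssh_host_*_key.pub and the output of `dig +tcp +short SSHFP <host> @<ipa-dns-server>` (ssh-keygen -r does the same fingerprint computation for real keys). One caveat: an SSH client with VerifyHostKeyDNS set to yes only treats a matching SSHFP as authoritative when the DNS answer was DNSSEC-validated; otherwise it still prompts.

```python
"""Recompute SSHFP resource records from SSH host public keys and compare
them with what the IPA DNS server publishes.

Added example for this thread, not FreeIPA code. SAMPLE_PUBKEY and
SAMPLE_DNS_ANSWER are constructed stand-ins for the real inputs.
"""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by the key
# type field of an OpenSSH public key line.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(pubkey_line, fptypes=(1, 2)):
    """Return (algorithm, fptype, hex_fingerprint) tuples for one key line.

    The fingerprint is the digest of the raw key blob (the base64 field
    decoded), not of the textual line.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % pubkey_line)
    keytype, blob_b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError("no SSHFP algorithm number for key type %r" % keytype)
    blob = base64.b64decode(blob_b64)
    return [(SSHFP_ALGORITHM[keytype], fptype,
             SSHFP_DIGEST[fptype](blob).hexdigest())
            for fptype in fptypes]


def parse_dns_sshfp(rdata_lines):
    """Parse `dig +short SSHFP` answers ("1 2 ABCD...") into tuples.

    The hex may be printed upper-case or in quoted, space-separated chunks;
    it is joined and lower-cased so it compares cleanly with hexdigest().
    """
    records = set()
    for line in rdata_lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        alg, fptype, rest = line.split(None, 2)
        fingerprint = rest.replace('"', "").replace(" ", "").lower()
        records.add((int(alg), int(fptype), fingerprint))
    return records


def verify_sshfp(pubkey_lines, dns_answer_lines, fptypes=(1, 2)):
    """Return (missing, stale).

    missing: records the host's keys imply but DNS does not carry.
    stale:   records DNS carries that match none of the host's keys, e.g.
             left over from an earlier enrolment under the same hostname.
    """
    expected = set()
    for line in pubkey_lines:
        expected.update(sshfp_records(line, fptypes))
    published = parse_dns_sshfp(dns_answer_lines)
    return sorted(expected - published), sorted(published - expected)


# Constructed key blob: OpenSSH wire encoding of the type string followed by
# a 32-byte "public key" of 0x42 bytes. Not a real key; it only needs to
# decode so the digest path runs.
_CONSTRUCTED_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"\x42" * 32
).decode("ascii")
SAMPLE_PUBKEY = "ssh-ed25519 %s root@dingle.test.local" % _CONSTRUCTED_BLOB

# Constructed DNS answer: the SHA-256 record is present and correct, the
# SHA-1 record is missing, and a stale RSA/SHA-1 record remains.
SAMPLE_DNS_ANSWER = [
    "4 2 %s" % sshfp_records(SAMPLE_PUBKEY, (2,))[0][2].upper(),
    "1 1 " + "ab" * 20,
]

if __name__ == "__main__":
    missing, stale = verify_sshfp([SAMPLE_PUBKEY], SAMPLE_DNS_ANSWER)
    for alg, fptype, fp in missing:
        print("MISSING in DNS: SSHFP %d %d %s" % (alg, fptype, fp))
    for alg, fptype, fp in stale:
        print("STALE in DNS:   SSHFP %d %d %s" % (alg, fptype, fp))
    if not missing and not stale:
        print("DNS SSHFP records match the host keys")
```

Run it on the enrolled host after the update succeeds; an empty result on both lists means nsupdate published exactly the records the host's current keys imply. A non-empty stale list is the symptom to expect after a reinstall with the same hostname, and is cleaned up with a `ipa dnsrecord-del` of the old SSHFP values.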
From joshua at azariah.com Thu May 5 07:11:22 2016
From: joshua at azariah.com (Joshua J. Kugler)
Date: Wed, 04 May 2016 23:11:22 -0800
Subject: [Freeipa-users] Looking for documentation for Python API
Message-ID: <2013776.HUlY22jTk1@hosanna>

I've been googling and looking through the documentation, but I have yet to find official docs for the Python API for FreeIPA.

The first result for 'python' when doing a search on www.freeipa.org is http://www.freeipa.org/page/Python_Coding_Style

On that page, there is a link to "freeIPA Python API documentation" which goes to https://www.freeipa.org/page/Documentation#Developer_Documentation

That page, however, doesn't have one mention of Python, and only one mention of "API" and that is "How to migrate your code to the new LDAP API" which doesn't seem to be related.

I did manage to find https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple (very convoluted) examples, but seems far from complete.

There is a freeipa-python RPM, but *WHERE* is the documentation for the Python API. Or should I just shell out to the 'ipa' command from all my python scripts? :)

I found https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so I'm sure I could work up something with python and requests, but I'd prefer to use the official API if I could. :)

Any assistance would be great!

j

--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
joshua at azariah.com - Jabber: pedahzur at gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

From joshua at azariah.com Sat May 7 07:07:36 2016
From: joshua at azariah.com (Joshua J.
Kugler) Date: Fri, 06 May 2016 23:07:36 -0800 Subject: [Freeipa-users] Looking for documentation for Python API In-Reply-To: References: <1557170.p9MGeghmZ2@hosanna> Message-ID: <2410380.zRJEA5Vezc@hosanna> On Friday, May 06, 2016 09:04:59 Martin Basti wrote: > since IPA4.2 web UI contains API browser (IPA Server/API Browser) > > So for example for caacl-add: > api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional > description") > > you can try commands in "ipa console" it contains initialized API, just > call api.Command.() > > API.txt provides the same information as API browser, but browser looks > better :) > > Feel free to ask anything, if you identified gaps in docs which are hard > to understand for non-IPA developer feel free report it, or feel free to > create howTo in freeipa.org page. Thanks for the pointers. I'm looking at automating some user and group additions, group editing, etc. Am I right in assuming that anything that uses the api.Command. will require a kinit before it is run, even if it is via the Python API? If I want to use a user/pass from the script itself (and not have a shell script which does kinit, then fires off my Python script) would I be better off hitting the web API with sessions and JSON-RPC as detailed here: https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ Put another way, since I want to hit the API from a system that might not have sssd installed, nor has joined the realm, I assume it would be *impossible* to use api.Command. as it relies on a Kerberos ticket? To put it yet another way: is there a way to hand a user/pass to the Python API and authenticate that way. Those are the questions I did not see addressed in the docs that I found. There were lots of examples of invoking commands, but I never saw anything about authenticating to the server before running the commands. Thanks again for the pointers, and if there is documentation I missed, feel free to point me in that direction. 
j -- Joshua J. Kugler - Fairbanks, Alaska Azariah Enterprises - Programming and Website Design joshua at azariah.com - Jabber: pedahzur at gmail.com PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A From harri at afaics.de Sun May 8 11:32:29 2016 From: harri at afaics.de (Harald Dunkel) Date: Sun, 8 May 2016 13:32:29 +0200 Subject: [Freeipa-users] running ipa without local ntp on LXC (debian) Message-ID: <38bf6f71-bd37-22da-b3aa-a1159f201264@afaics.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi folks, the freeipa packages for client and server on Debian depend upon ntp. Is this hard requirement really necessary? Usually ntp is useless in containers (e.g. LXC), since the hardware access is not permitted and since there is exactly one system time managed by dom0. I understand that having the exact time is essential for Kerberos, but the install-server and install-client scripts are very verbose about not having ntp installed. That should be sufficient. I would suggest to drop the hard requirement for ntp in freeipa's debian/control. 
Regards Harri -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJXLyPBAAoJEAqeKp5m04HLsWQIAIzSXjX8l3DtN7ARih6nm7eO NNIy/siHm0V3jepusjMXFdRT1M4IFBG0iGfZbfjdmhBl58OqAxpCVR3W8noh6RNN pbeAHat5SuJdGyFJuCQFjCXs/+k4sL/Qn0irO+5gudH5YeuGa4oP5W6DefBT0I+x DuOTMmpB3USpdnF19wscKusb80u9VSbmaePymH7Wze/NE2T9hWkofBjqfJgC338V iF0PvDWP9KCoWIDBhXgZQv+8BuOXGA2K7m2JoLiHfZyPTPIhFncG1LCqhm/u86r4 RQEEBVOjNntWDbY9zqQLs8BM8QKpEj6jmKa3AiNcxWPdgAwHMkpQPe5P+Gq4Ks8= =EGCL -----END PGP SIGNATURE----- From freeipa at 0xc0dedbad.com Sun May 8 11:47:18 2016 From: freeipa at 0xc0dedbad.com (Peter Fern) Date: Sun, 8 May 2016 21:47:18 +1000 Subject: [Freeipa-users] running ipa without local ntp on LXC (debian) In-Reply-To: <38bf6f71-bd37-22da-b3aa-a1159f201264@afaics.de> References: <38bf6f71-bd37-22da-b3aa-a1159f201264@afaics.de> Message-ID: <572F2746.5010304@0xc0dedbad.com> On 05/08/16 21:32, Harald Dunkel wrote: > Hi folks, > > the freeipa packages for client and server on Debian depend > upon ntp. Is this hard requirement really necessary? Usually > ntp is useless in containers (e.g. LXC), since the hardware > access is not permitted and since there is exactly one system > time managed by dom0. > > I understand that having the exact time is essential for > Kerberos, but the install-server and install-client scripts > are very verbose about not having ntp installed. That should > be sufficient. > > I would suggest to drop the hard requirement for ntp in > freeipa's debian/control. You don't actually have to run NTP, and you can perform the (client-|server-)install using the `--no-ntp` flag. From alexandre at deverteuil.net Sun May 8 22:48:01 2016 From: alexandre at deverteuil.net (Alexandre de Verteuil) Date: Sun, 8 May 2016 18:48:01 -0400 Subject: [Freeipa-users] Who uses FreeIPA? 
In-Reply-To: <20160503190958.GA1640@deverteuil.net> References: <20160503190958.GA1640@deverteuil.net> Message-ID: <20160508224801.GA2540@deverteuil.net> * Alexandre de Verteuil [2016-05-03 15:09] : > > Tomorrow I am giving a short presentation at my workplace to talk about > it and invite other sysadmins to try it. > > I would like to make a slide showing the current adoption of FreeIPA. I > read that Red Hat uses it internally, but do they actually deploy it in > their client's infrastructures? Are there any big companies that use it? > Even if I only have reports of schools and small businesses would be > good enough to say it's production ready and it has traction. Hello all, Thank you very much for your input. I do encourage you to write a page of success stories, or at least mention that it is being used in small to large scale production sites. Who uses FreeIPA is one of the first questions I am asked when I talk about it. I did my presentation as promised and I received good feedback and people mentioned they were interested in trying it and learning more. I have also repeated the presentation last friday at a smaller scale and this time I have filmed it. 
https://www.youtube.com/watch?v=JrgIpwptxWk

Best regards,

--
Alexandre de Verteuil
public key ID : 0xDD237C00
http://alexandre.deverteuil.net/

From ftweedal at redhat.com Sun May 8 23:10:22 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 9 May 2016 09:10:22 +1000
Subject: [Freeipa-users] Duplicate serials in issued ipa certs
In-Reply-To: <2CA71D6C07ADB544847562573DC6BF062AE834E7@CPEMS-KPN309.KPNCNL.LOCAL>
References: <2CA71D6C07ADB544847562573DC6BF062AE834E7@CPEMS-KPN309.KPNCNL.LOCAL>
Message-ID: <20160508231022.GB1237@dhcp-40-8.bne.redhat.com>

On Fri, May 06, 2016 at 11:33:10AM +0000, wouter.hummelink at kpn.com wrote:
> Hello,
>
> I discovered today that our IPA CA has been issuing certs with duplicate serials, causing issues in several ways when dealing with hosts that have such a cert in place. (Complaints about duplicate serials)
> Removing the offending cert from the host results in the same type of error
> These all seem to have been issued from the server that in the past was reinstalled with the same hostname.
>
Can you please describe the history of the server in more detail? (i.e. what do you mean by "was reinstalled" - including whether it was a replica, etc). Also, which FreeIPA version(s) are you using?

Thanks,
Fraser

> ipa host-show app
> ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
>
> IPA cert-find indeed shows 2 issued certs with the same serial (several actually)
>
> (anonymized)
> Serial number (hex): 0xFFF0007
> Serial number: 268369927
> Status: VALID
> Subject: CN=app.example.org,O=EXAMPLE.ORG
>
> Serial number (hex): 0xFFF0007
> Serial number: 268369927
> Status: VALID
> Subject: CN=ipa.example.org,O=EXAMPLE.ORG
>
> The ipa client won't let me revoke or otherwise kill these certs with the same error.
> What to do?
>
> Kind regards,
>
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummelink at kpn.com
> Phone: +31 (0)6 1288 2447
> Save Paper - Do you really need to print this e-mail?
> ************************************************************
> KPN IT SOLUTIONS is the trade name of KPN Corporate Market BV, Trade Register 52959597 Amsterdam
> The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged material.
> Any review, re-transmission, dissemination or other use of it, or the taking of any action in reliance upon this information by persons and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material. Thank you.
> ************************************************************
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From kliu at alumni.warwick.ac.uk Mon May 9 04:14:13 2016
From: kliu at alumni.warwick.ac.uk (Barry)
Date: Mon, 9 May 2016 12:14:13 +0800
Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
In-Reply-To: <57272BE5.4040203@redhat.com>
References: <5723436E.8030206@redhat.com> <57234734.6050601@redhat.com> <57272BE5.4040203@redhat.com>
Message-ID:

Hello Barry,

Can you provide more info?

What is your IPA version, OS?
CENTOS 6.5
server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64

What are the symptoms you are experiencing?

server1's updates do not transfer to server 2, but server 2 can transfer to server 1 even with the cert expired

What do you mean by default ipa cert ?

if the cert is the issue, then fall back to the original, not expired, self-signed cert.

Can you provide logs from replicas?

From server 2:
[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown error)) errno 0 (Success)
[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

Can you provide `getcert list` command output?

Server 1 - Number of certificates and requests being tracked: 0. < NO record

Server 2 - Number of certificates and requests being tracked: 3.
Request ID '20140106083849': status: NEED_CSR_GEN_TOKEN stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=ABC.COM subject: CN=central02.ABC.com,O=ABC.COM expires: 2015-12-19 06:40:44 UTC eku: id-kp-ABCAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM track: yes auto-renew: yes Request ID '20140106083931': status: NEED_CSR_GEN_TOKEN stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=ABC.COM subject: CN=central02.ABC.com,O=ABC.COM expires: 2015-12-19 06:40:46 UTC eku: id-kp-ABCAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_httpd track: yes auto-renew: yes Request ID '20140106083944': status: NEED_CSR_GEN_TOKEN stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-retrieve-agent-submit issuer: CN=Certificate Authority,O=ABC.COM subject: CN=IPA RA,O=ABC.COM expires: 2015-11-12 08:41:45 UTC eku: id-kp-ABCAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_httpd track: yes auto-renew: yes Can you provide `ipactl status` from both server? 
Server1 -
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

Server 2 -
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

Now I don't want any cert, just GSSAPI to work...

Replication uses GSSAPI, at least on new IPA versions, I'm not sure if certificates are involved in this.

Martin

2016-05-02 18:28 GMT+08:00 Martin Basti :
> Hello,
>
> Can you try to upgrade server to the same version?
>
> You did not provide all information I requested.
>
> Martin
>
> On 29.04.2016 19:13, barrykfl at gmail.com wrote:
>
> server 1:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> server2
> ipa-server-3.0.0-37.el6.x86_64
>
> 2016-04-30 1:10 GMT+08:00 :
>>
>> ipa-server-3.0.0-37.el6.x86_64 << here
>>
>> 2016-04-29 19:36 GMT+08:00 Martin Basti :
>>
>>> Please keep user-list in CC
>>>
>>> You did not send all information I requested.
>>>
>>> Please use `rpm -ql ipa-server` to get exact version number
>>>
>>> On 29.04.2016 13:32, barrykfl at gmail.com wrote:
>>>
>>> Error is from GSS API and I'm thinking it relates to a cert issue.
>>>
>>> Server1 > server 2 fail
>>> Server 2 > server1 ok
>>>
>>> Freeipa 3.0 both
>>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>> Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
>>> [26/Apr/2016:18:40:19 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
>>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
>>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
>>> [26/Apr/2016:18:40:23 +0800]
>>>
>>> On 29.04.2016 13:02, barrykfl at gmail.com wrote:
>>>
>>> Hi All:
>>>
>>> Any method can fall back the default ipa cert if I didn't backup original?
>>>
>>> Now the slapd and ipa cert storage quite a mess so they cant replicate even disabled nsslapd:security to off
>>>
>>> thx
>>> Barry
>>>
>>> Hello Barry,
>>>
>>> Can you provide more info?
>>>
>>> What is your IPA version, OS?
>>> What are the symptoms you are experiencing?
>>> What do you mean by default ipa cert ?
>>> Can you provide logs from replicas?
>>> Can you provide `getcert list` command output?
>>> Can you provide `ipactl status` from both server?
>>>
>>> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if certificates are involved in this.
>>>
>>> Martin

From wouter.hummelink at kpn.com Mon May 9 05:48:45 2016
From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com)
Date: Mon, 9 May 2016 05:48:45 +0000
Subject: [Freeipa-users] Duplicate serials in issued ipa certs
In-Reply-To: <20160508231022.GB1237@dhcp-40-8.bne.redhat.com>
References: <2CA71D6C07ADB544847562573DC6BF062AE834E7@CPEMS-KPN309.KPNCNL.LOCAL> <20160508231022.GB1237@dhcp-40-8.bne.redhat.com>
Message-ID: <2CA71D6C07ADB544847562573DC6BF062AE87DA1@CPEMS-KPN309.KPNCNL.LOCAL>

All 4 of our ipa servers are RHEL7.2 with IPA 4.2. Last August the original CA master was damaged, so I moved the CRL role to another server, decommissioned the machine and deleted all the replication agreements, and rebuilt the machine. That machine now appears to have issued the certs that have duplicated serials.

My immediate problem now is however that I can't deprovision the machine that one of these certs was issued for, nor can I revoke the certs. What would be the proper way to remove these certs from ldap?

-----Original message-----
From: Fraser Tweedale [mailto:ftweedal at redhat.com]
Sent: Monday 9 May 2016 01:10
To: Hummelink, Wouter
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Duplicate serials in issued ipa certs

On Fri, May 06, 2016 at 11:33:10AM +0000, wouter.hummelink at kpn.com wrote:
> Hello,
>
> I discovered today that our IPA CA has been issuing certs with duplicate serials, causing issues in several ways when dealing with hosts that have such a cert in place.
(Complaints about duplicate serials) Removing the offending cert from the host results in de same type of error These all seem to have been issued from the server that in the past was reinstalled with the same hostname. > Can you please describe the history of the server in more detail? (i.e. what do you mean by "was reinstalled" - including whether it was a replica, etc). Also, which FreeIPA version(s) are you using? Thanks, Fraser > ipa host-show app > ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. > > IPA cert-find indeed shows 2 issued certs with the same serial > (several actually) > > (anonymized) > Serial number (hex): 0xFFF0007 > Serial number: 268369927 > Status: VALID > Subject: CN=app.example.org,O=EXAMPLE.ORG > > Serial number (hex): 0xFFF0007 > Serial number: 268369927 > Status: VALID > Subject: CN=ipa.example.org,O=EXAMPLE.ORG > > The ipa client won't let me revoke or otherwise kill these certs with the same error. > What to do? > > Met vriendelijke groet, > > Wouter Hummelink > Cloud Engineer > [Description: Beschrijving: Beschrijving: > cid:image003.gif at 01CC7CE9.FCFEC140] > KPN IT Solutions > Platform Organisation Cloud Services > Mail: wouter.hummelink at kpn.com > Telefoon: +31 (0)6 1288 2447 > [cid:image002.png at 01D0DA65.706AE4B0] > P Save Paper - Do you really need to print this e-mail? > ********************************************************************** > ********************************************************************** > ************* KPN IT SOLUTIONS is de 'handelsnaam' voor KPN Corporate > Market BV, Handelsregister 52959597 Amsterdam The information > transmitted is intended only for use by the addressee and may contain confidential and/or privileged material. 
> Any review, re-transmission, dissemination or other use of it, or the > taking of any action in reliance upon this information by persons > and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material. Thank you. > ********************************************************************** > ********************************************************************** > ************* > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From wouter.hummelink at kpn.com Mon May 9 05:48:45 2016 From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com) Date: Mon, 9 May 2016 05:48:45 +0000 Subject: [Freeipa-users] Duplicate serials in issued ipa certs In-Reply-To: <20160508231022.GB1237@dhcp-40-8.bne.redhat.com> References: <2CA71D6C07ADB544847562573DC6BF062AE834E7@CPEMS-KPN309.KPNCNL.LOCAL> <20160508231022.GB1237@dhcp-40-8.bne.redhat.com> Message-ID: <2CA71D6C07ADB544847562573DC6BF062AE87DA1@CPEMS-KPN309.KPNCNL.LOCAL> All 4 of our ipa servers are RHEL7.2 with IPA 4.2. Last august the original CA master was damaged so I moved the CRL role to another server, decommissioned the machine and deleted all the replication agreements and rebuilt the machine. That machine now appears to have issued the certs that have duplicated serials. My immediate problem now is however that I can't deprovision the machine that one of these certs was issued for, nor can I revoke the certs. What would be the proper way to remove these certs from ldap? 
-----Original message-----
From: Fraser Tweedale [mailto:ftweedal at redhat.com]
Sent: Monday 9 May 2016 01:10
To: Hummelink, Wouter
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Duplicate serials in issued ipa certs

On Fri, May 06, 2016 at 11:33:10AM +0000, wouter.hummelink at kpn.com wrote:
> Hello,
>
> I discovered today that our IPA CA has been issuing certs with duplicate serials, causing issues in several ways when dealing with hosts that have such a cert in place. (Complaints about duplicate serials)
> Removing the offending cert from the host results in the same type of error
> These all seem to have been issued from the server that in the past was reinstalled with the same hostname.
>
Can you please describe the history of the server in more detail? (i.e. what do you mean by "was reinstalled" - including whether it was a replica, etc). Also, which FreeIPA version(s) are you using?

Thanks,
Fraser

> ipa host-show app
> ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
>
> IPA cert-find indeed shows 2 issued certs with the same serial (several actually)
>
> (anonymized)
> Serial number (hex): 0xFFF0007
> Serial number: 268369927
> Status: VALID
> Subject: CN=app.example.org,O=EXAMPLE.ORG
>
> Serial number (hex): 0xFFF0007
> Serial number: 268369927
> Status: VALID
> Subject: CN=ipa.example.org,O=EXAMPLE.ORG
>
> The ipa client won't let me revoke or otherwise kill these certs with the same error.
> What to do?
>
> Kind regards,
>
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummelink at kpn.com
> Telephone: +31 (0)6 1288 2447
> Save Paper - Do you really need to print this e-mail?
From mbasti at redhat.com Mon May 9 07:25:45 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 9 May 2016 09:25:45 +0200
Subject: [Freeipa-users] Who uses FreeIPA?
In-Reply-To: <20160508224801.GA2540@deverteuil.net>
References: <20160503190958.GA1640@deverteuil.net> <20160508224801.GA2540@deverteuil.net>
Message-ID:

On 09.05.2016 00:48, Alexandre de Verteuil wrote:
> * Alexandre de Verteuil [2016-05-03 15:09] :
>> Tomorrow I am giving a short presentation at my workplace to talk about it and invite other sysadmins to try it.
>>
>> I would like to make a slide showing the current adoption of FreeIPA. I read that Red Hat uses it internally, but do they actually deploy it in their client's infrastructures? Are there any big companies that use it? Even if I only have reports of schools and small businesses would be good enough to say it's production ready and it has traction.
> Hello all,
>
> Thank you very much for your input. I do encourage you to write a page of success stories, or at least mention that it is being used in small to large scale production sites. Who uses FreeIPA is one of the first questions I am asked when I talk about it.
>
> I did my presentation as promised and I received good feedback and people mentioned they were interested in trying it and learning more. I have also repeated the presentation last Friday at a smaller scale and this time I have filmed it.
>
> https://www.youtube.com/watch?v=JrgIpwptxWk
>
> Best regards,

Nice video!

Please note that docs on fedorahosted are really outdated, please use rather the official Red Hat IdM guides:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/index.html

Martin

From abokovoy at redhat.com Mon May 9 07:55:40 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 9 May 2016 10:55:40 +0300
Subject: [Freeipa-users] Who uses FreeIPA?
In-Reply-To:
References: <20160503190958.GA1640@deverteuil.net> <20160508224801.GA2540@deverteuil.net>
Message-ID: <20160509075540.ig25eeqrqbpkb5bb@redhat.com>

On Mon, 09 May 2016, Martin Basti wrote:
>
>
>On 09.05.2016 00:48, Alexandre de Verteuil wrote:
>>* Alexandre de Verteuil [2016-05-03 15:09] :
>>>Tomorrow I am giving a short presentation at my workplace to talk about it and invite other sysadmins to try it.
>>>
>>>I would like to make a slide showing the current adoption of FreeIPA. I read that Red Hat uses it internally, but do they actually deploy it in their client's infrastructures? Are there any big companies that use it?
>>>Even if I only have reports of schools and small businesses would be good enough to say it's production ready and it has traction.
>>Hello all,
>>
>>Thank you very much for your input. I do encourage you to write a page of success stories, or at least mention that it is being used in small to large scale production sites. Who uses FreeIPA is one of the first questions I am asked when I talk about it.
>>
>>I did my presentation as promised and I received good feedback and people mentioned they were interested in trying it and learning more. I have also repeated the presentation last Friday at a smaller scale and this time I have filmed it.
>>
>>https://www.youtube.com/watch?v=JrgIpwptxWk
>>
>>Best regards,
>
>Nice video!
>
>Please note that docs on fedorahosted are really outdated, please use rather the official Red Hat IdM guides
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/index.html

Also a nit-pick: LDAP is '90ies, not '80ies. The first LDAP version is dated 1993, while LDAPv3 as used nowadays came out in 1997. Even the X.500 series of standards, which conceptually define the store LDAP is supposed to access, were first approved in 1988.

--
/ Alexander Bokovoy

From lslebodn at redhat.com Mon May 9 11:17:47 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 9 May 2016 13:17:47 +0200
Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
In-Reply-To:
References: <5723436E.8030206@redhat.com> <57234734.6050601@redhat.com> <57272BE5.4040203@redhat.com>
Message-ID: <20160509111746.GB20260@10.4.128.1>

On (09/05/16 12:14), Barry wrote:
> Hello Barry,
> >Can you provide more info?
> >What is your IPA version, OS?
> >CENTOS 6.5
>
Please upgrade to the latest CentOS 6.7; there are known bugs in CentOS 6.5 which are already fixed in CentOS 6.7.

LS

From andrew+rhlists at dingman.org Sun May 8 19:49:40 2016
From: andrew+rhlists at dingman.org (Andrew C. Dingman)
Date: Sun, 08 May 2016 15:49:40 -0400
Subject: [Freeipa-users] ipa-server-upgrade fails and CA cannot start
Message-ID: <1462736980.3898.290.camel@dingman.org>

For those of you who recognize me from non-public lists and chats, this is a whole different setup from the one we've been discussing there.

This is on a RHEL 7 system, and unfortunately for me the CA master in my personal IPA realm. When I attempted to update using yum on April 15th, the ipa-server-update script failed with what seems to be a dbus error, and I have been unable to start the CA (and therefore ipa in general) since. As a result, my personal systems are running on one IPA server, which makes me more than a little nervous.

The relevant bit of the upgrade log seems to be:

2016-05-08T19:03:08Z DEBUG stderr=
2016-05-08T19:03:08Z INFO [Upgrading CA schema]
2016-05-08T19:03:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-ACDINGMAN-COM.socket from SchemaCache
2016-05-08T19:03:08Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-ACDINGMAN-COM.socket conn=
2016-05-08T19:03:08Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
2016-05-08T19:03:08Z DEBUG Not updating schema
2016-05-08T19:03:08Z INFO CA schema update complete (no changes)
2016-05-08T19:03:08Z INFO [Verifying that CA audit signing cert has 2 year validity]
2016-05-08T19:03:08Z DEBUG caSignedLogCert.cfg profile validity range is 720
2016-05-08T19:03:08Z INFO [Update certmonger certificate renewal configuration to version 4]
2016-05-08T19:03:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2016-05-08T19:03:08Z ERROR Failed to get request: bus, object_path and dbus_interface must not be
None.
2016-05-08T19:03:08Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-05-08T19:03:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    raise admintool.ScriptError(str(e))
2016-05-08T19:03:08Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: bus, object_path and dbus_interface must not be None.
2016-05-08T19:03:08Z ERROR bus, object_path and dbus_interface must not be None.

There's a whole lot more, nearly 4MiB of log even when I reduce it to my most recent attempt to run the upgrade script.

"getcert list" successfully shows 8 certificate requests being tracked. Four are in "MONITORING" status, four in "NEED_CA". The NEED_CA requests all indicate expiration back in February, and look like crucial certificates: CN=CA Subsystem, CN=IPA RA, CN=CA Audit and CN=OCSP Subsystem. On the working replica, all eight are in "MONITORING" status and have expiration dates in 2017 or later. I have not attempted the package update on that system.

Should I consider promoting this one to CA master, force-deleting the old one, and reinstalling it as a new system? Please let me know what other information would be helpful for diagnostics. The current state of all packages on the broken master is up to earlier today from the official Red Hat content distribution network.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaupgrade.log
Type: text/x-log
Size: 3902031 bytes
Desc: not available
URL:

From ellertalexandre at gmail.com Mon May 9 12:06:02 2016
From: ellertalexandre at gmail.com (Alexandre Ellert)
Date: Mon, 9 May 2016 14:06:02 +0200
Subject: [Freeipa-users] export/import users password between two differents IPA environment
Message-ID:

Hello,

I have a broken IPA environment with very few users and groups and I've set up a fresh new installation. I already recreated users and groups and now need to keep old users' passwords. Is there a way to copy/paste users' passwords between these two different IPA ?

Thank you for your help

Alexandre

From sparky at charlietango.com Mon May 9 15:28:42 2016
From: sparky at charlietango.com (Jeffery Harrell)
Date: Mon, 9 May 2016 08:28:42 -0700
Subject: [Freeipa-users] Correct way to install plugins?
Message-ID:

Good morning. (It's morning where I am.)

I've written several plugins for my deployment, including a DHCP plugin, and I'm trying to figure out the best way to deploy them onto production servers.

Let's start with the schema. I could copy a schema file (e.g., 89dhcp.ldif and others) into /etc/dirsrv/slapd-REALM/schema and do a schema reload, or I could use ldapmodify to write the schema directly into the running system so it gets written into /etc/dirsrv/slapd-REALM/schema/99user.ldif.

Is there any reason to prefer one over the other? Doing it the first way seems more tidy to me, but it has to be done on each server separately, which makes me wonder if it might cause things to get weird with respect to replication during that short span of time when one server has the schema and the other doesn't. The Red Hat Directory Server documentation stops short of saying that local schemata should always be installed with ldapmodify into 99user.ldif, but it seems to kind of head-fake in that direction, so I'm not sure what the right method is.

Then there are the update files.
For the DHCP plugin, for instance, I have a short update file that initializes a few objects (see below). Is it better to just RUN this update against a live server with ipa-ldap-updater, or is it better to INSTALL this file in /usr/share/ipa/updates so it stays on the server permanently? Will the second approach be better in case of upgrades or whatever?

Thanks very much for taking the time. I hope my questions made sense.

Jeffery

DHCP update file for reference, if necessary:

dn: cn=dhcp,$SUFFIX
add: objectClass: top
add: objectClass: dhcpService
add: dhcpStatements: authoritative
add: dhcpStatements: default-lease-time 43200
add: dhcpStatements: max-lease-time 86400
add: dhcpStatements: one-lease-per-client on

dn: cn=dhcpHosts,cn=Schema Compatibility,cn=plugins,cn=config
add: objectClass: top
add: objectClass: extensibleObject
add: schema-compat-container-group: cn=hosts,cn=dhcp,$SUFFIX
add: schema-compat-search-base: cn=computers,cn=accounts,$SUFFIX
add: schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
add: schema-compat-entry-rdn: cn=%{fqdn}
add: schema-compat-entry-attribute: objectClass=dhcpHost
add: schema-compat-entry-attribute: dhcpHWAddress=ethernet %{macAddress}
add: schema-compat-entry-attribute: dhcpStatements=fixed-address %{fqdn}
add: schema-compat-entry-attribute: dhcpOption=host-name "%{fqdn}"

dn: cn=DHCP Administrators,cn=privileges,cn=pbac,$SUFFIX
add: objectClass: top
add: objectClass: groupofnames
add: objectClass: nestedgroup
only: description: DHCP Administrators

plugin: update_managed_permissions

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From devin at pabstatencio.com Mon May 9 15:25:18 2016
From: devin at pabstatencio.com (Devin Acosta)
Date: Mon, 09 May 2016 08:25:18 -0700
Subject: [Freeipa-users] ipa-replica-install fails at [6/8]: enable GSSAPI for replication
Message-ID: <5730ABDE.9090802@pabstatencio.com>

Attempting to create replica fails during ipa-replica-install.
I have attached below what I am seeing during attempting to add a replica into my environment. Currently there are (3) Masters. When I try to add the (4th) it dies. The 4th node will only be able to talk to ipa01-aws, ipa02-aws, it will not be able to talk to ipa1-i2x, will that create a problem? I generated the replica from the ipa01-aws instance. ipa02-aws.rsinc.local: master ipa01-aws.rsinc.local: master ipa1-i2x.rsinc.local: master [root at idm1-dev centos]# ipa-replica-install --setup-dns --forwarder=8.8.8.8 --mkhomedir replica-info-idm1-dev.rsinc.local.gpg WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Directory Manager (existing master) password: Existing BIND configuration detected, overwrite? [no]: yes Checking DNS forwarders, please wait ... Using reverse zone(s) 0.31.10.in-addr.arpa. Run connection check to master Check connection from replica to remote master 'ipa01-aws.rsinc.local': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin at RSINC.LOCAL password: Check SSH connection to remote master Execute check on remote master Check connection from master to remote replica 'idm1-dev.rsinc.local': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK Connection from master to replica is OK. 
Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: configuring uniqueness plugin [10/38]: configuring uuid plugin [11/38]: configuring modrdn plugin [12/38]: configuring DNS plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring ssl for ds instance [18/38]: configuring certmap.conf [19/38]: configure autobind for root [20/38]: configure new location for managed entries [21/38]: configure dirsrv ccache [22/38]: enable SASL mapping fallback [23/38]: restarting directory server [24/38]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 4 seconds elapsed Update succeeded [25/38]: updating schema [26/38]: setting Auto Member configuration [27/38]: enabling S4U2Proxy delegation [28/38]: importing CA certificates from LDAP [29/38]: initializing group membership [30/38]: adding master entry [31/38]: initializing domain level [32/38]: configuring Posix uid/gid generation [33/38]: adding replication acis [34/38]: enabling compatibility plugin [35/38]: activating sidgen plugin [36/38]: activating extdom plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc). 
Estimated time: 30 seconds [1/8]: adding sasl mappings to the directory [2/8]: configuring KDC [3/8]: creating a keytab for the directory [4/8]: creating a keytab for the machine [5/8]: adding the password extension to the directory [6/8]: enable GSSAPI for replication [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted. Replication error message: Can't acquire busy replica 2016-05-09T02:45:27Z DEBUG Backing up system configuration file '/etc/krb5.keytab' 2016-05-09T02:45:27Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2016-05-09T02:45:27Z DEBUG Starting external process 2016-05-09T02:45:27Z DEBUG args='kadmin.local' '-q' 'ktadd -k /etc/krb5.keytab host/idm1-dev.rsinc.local at RSINC.LOCAL' '-x' 'ipa-setup-override-restrictions' 2016-05-09T02:45:28Z DEBUG Process finished, return code=0 2016-05-09T02:45:28Z DEBUG stdout=Authenticating as principal root/admin at RSINC.LOCAL with password. Entry for principal host/idm1-dev.rsinc.local at RSINC.LOCAL with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/idm1-dev.rsinc.local at RSINC.LOCAL with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/idm1-dev.rsinc.local at RSINC.LOCAL with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/idm1-dev.rsinc.local at RSINC.LOCAL with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab. 
Entry for principal host/idm1-dev.rsinc.local at RSINC.LOCAL with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab. Entry for principal host/idm1-dev.rsinc.local at RSINC.LOCAL with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab. 2016-05-09T02:45:28Z DEBUG stderr= 2016-05-09T02:45:28Z DEBUG duration: 0 seconds 2016-05-09T02:45:28Z DEBUG [5/8]: adding the password extension to the directory 2016-05-09T02:45:28Z DEBUG Starting external process 2016-05-09T02:45:28Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpQOJQiQ' '-H' 'ldapi://%2fvar%2frun%2fslapd-RSINC-LOCAL.socket' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpsq8EV2' 2016-05-09T02:45:28Z DEBUG Process finished, return code=0 2016-05-09T02:45:28Z DEBUG stdout=add objectclass: top nsSlapdPlugin extensibleObject add cn: ipa_pwd_extop add nsslapd-pluginpath: libipa_pwd_extop add nsslapd-plugininitfunc: ipapwd_init add nsslapd-plugintype: extendedop add nsslapd-pluginbetxn: on add nsslapd-pluginenabled: on add nsslapd-pluginid: ipa_pwd_extop add nsslapd-pluginversion: 1.0 add nsslapd-pluginvendor: RedHat add nsslapd-plugindescription: Support saving passwords in multiple formats for different consumers (krb5, samba, freeradius, etc.) 
add nsslapd-plugin-depends-on-type: database add nsslapd-realmTree: dc=rsinc,dc=local adding new entry "cn=ipa_pwd_extop,cn=plugins,cn=config" modify complete 2016-05-09T02:45:28Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-RSINC-LOCAL.socket/??base ) 2016-05-09T02:45:28Z DEBUG duration: 0 seconds 2016-05-09T02:45:28Z DEBUG [6/8]: enable GSSAPI for replication 2016-05-09T02:45:28Z DEBUG flushing ldaps://idm1-dev.rsinc.local:636 from SchemaCache 2016-05-09T02:45:28Z DEBUG retrieving schema for SchemaCache url=ldaps://idm1-dev.rsinc.local:636 conn= 2016-05-09T02:45:28Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-05-09T02:45:29Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-05-09T02:45:30Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-05-09T02:45:30Z DEBUG flushing ldaps://ipa01-aws.rsinc.local:636 from SchemaCache 2016-05-09T02:45:30Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01-aws.rsinc.local:636 conn= 2016-05-09T02:45:31Z INFO Setting agreement cn=meToidm1-dev.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-05-09T02:45:32Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToidm1-dev.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-05-09T02:45:33Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0 2016-05-09T02:45:33Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-05-09T02:45:33Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local at 
RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-05-09T02:45:33Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-05-09T02:45:34Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-05-09T02:45:35Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-05-09T02:45:35Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-05-09T02:45:35Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-05-09T02:45:35Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-05-09T02:45:36Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-05-09T02:45:37Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-05-09T02:45:37Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-05-09T02:45:37Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-05-09T02:45:37Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-05-09T02:45:38Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-05-09T02:45:39Z INFO 
Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-05-09T02:45:39Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) 2016-05-09T02:45:39Z DEBUG Unable to find entry for (krbprincipalname=ldap/idm1-dev.rsinc.local at RSINC.LOCAL) on ipa01-aws.rsinc.local:636 2016-05-09T02:45:39Z INFO Setting agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-05-09T02:45:40Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToipa01-aws.rsinc.local,cn=replica,cn=dc\=rsinc\,dc\=local,cn=mapping tree,cn=config 2016-05-09T02:45:41Z INFO Replication Update in progress: FALSE: status: 1 Can't acquire busy replica: start: 0: end: 0 2016-05-09T02:45:41Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/idm1-dev.rsinc.local at RSINC.LOCAL) and (krbprincipalname=ldap/ipa01-aws.rsinc.local at RSINC.LOCAL) Thanks. Devin From rcritten at redhat.com Mon May 9 18:33:38 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 9 May 2016 14:33:38 -0400 Subject: [Freeipa-users] export/import users password between two differents IPA environment In-Reply-To: References: Message-ID: <5730D802.30801@redhat.com> Alexandre Ellert wrote: > Hello, > > I have a broken IPA environnment with very few users and groups and > I've setup a fresh new installation. > I already recreate users and groups and now need to keep old users > passwords. Is there a way to copy/paste users password between these > two differents IPA ? If you had done a migration from the old to new IPA then the passwords would have come along. The problem you're going to have is that pre-hashed passwords are only allowed when adding an entry. 
To be able to do that you'll need to add some user to passSyncManagersDNs and bind as that user when loading the passwords (you can pull them from the old server by binding as Directory Manager). You almost certainly will want to remove the user in passSyncManagersDNs once finished. rob From rcritten at redhat.com Mon May 9 18:45:23 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 9 May 2016 14:45:23 -0400 Subject: [Freeipa-users] Correct way to install plugins? In-Reply-To: References: Message-ID: <5730DAC3.2060502@redhat.com> Jeffery Harrell wrote: > Good morning. (It?s morning where I am.) > > I?ve written several plugins for my deployment, including a DHCP plugin, > and I?m trying to figure out the best way to deploy them onto production > servers. > > Let?s start with the schema. I could copy a schema file (e.g., > 89dhcp.ldif and others) into /etc/dirsrv/slapd-REALM/schema and do a > schema reload, or I could use ldapmodify to write the schema directly > into the running system so it gets written into > /etc/dirsrv/slapd-REALM/schema/99user.ldif. > > Is there any reason to prefer one over the other? Doing it the first way > seems more tidy to me, but it has to be done on each server separately, > which makes me wonder if it might cause things to get weird with respect > to replication during that short span of time when one server has the > schema and the other doesn?t. The Red Hat Directory Server documentation > stops short of saying that local schemata should always be installed > with ldapmodify into 99user.ldif, but it seems to kind of head-fake in > that direction, so I?m not sure what the right method is. The answer is neither: you want to use ipa-ldap-updater --schema-file= You definitely want to do it online so the schema gets replicated (and into 99user.ldif) so entries on non-updated masters don't blow up. > Then there are the update files. 
For the DHCP plugin, for instance, I > have a short update file that initializes a few objects (see below). Is > it better to just RUN this update against a live server with > ipa-ldap-updater, or is it better to INSTALL this file > in /usr/share/ipa/updates so it stays on the server permanently? Will > the second approach be better in case of upgrades or whatever? I'd install it into /usr/share/ipa/updates. The updater is more or less idempotent so it shouldn't hurt anything to run it multiple times. Once you have things working you might consider submitting your work upstream. There is a long-standing ticket for DHCP integration, https://fedorahosted.org/freeipa/ticket/939 rob > Thanks very much for taking the time. I hope my questions made sense. > > Jeffery > > DHCP update file for reference, if necessary: > > dn: cn=dhcp,$SUFFIX > add: objectClass: top > add: objectClass: dhcpService > add: dhcpStatements: authoritative > add: dhcpStatements: default-lease-time 43200 > add: dhcpStatements: max-lease-time 86400 > add: dhcpStatements: one-lease-per-client on > > dn: cn=dhcpHosts,cn=Schema Compatibility,cn=plugins,cn=config > add: objectClass: top > add: objectClass: extensibleObject > add: schema-compat-container-group: cn=hosts,cn=dhcp,$SUFFIX > add: schema-compat-search-base: cn=computers,cn=accounts,$SUFFIX > add: schema-compat-search-filter: > (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) > add: schema-compat-entry-rdn: cn=%{fqdn} > add: schema-compat-entry-attribute: objectClass=dhcpHost > add: schema-compat-entry-attribute: dhcpHWAddress=ethernet %{macAddress} > add: schema-compat-entry-attribute: dhcpStatements=fixed-address %{fqdn} > add: schema-compat-entry-attribute: dhcpOption=host-name "%{fqdn}" > > dn: cn=DHCP Administrators,cn=privileges,cn=pbac,$SUFFIX > add: objectClass: top > add: objectClass: groupofnames > add: objectClass: nestedgroup > only: description: DHCP Administrators > > plugin: update_managed_permissions > > > From sparky at 
charlietango.com Mon May 9 18:54:47 2016
From: sparky at charlietango.com (Jeffery Harrell)
Date: Mon, 9 May 2016 11:54:47 -0700
Subject: [Freeipa-users] Correct way to install plugins?
In-Reply-To: <5730DAC3.2060502@redhat.com>
References: <5730DAC3.2060502@redhat.com>
Message-ID:

Thanks very much, Rob. Would it be best to install the schema file in .../updates so it lives there permanently, or is it enough to just run it through ipa-ldap-updater the one time? I'm sorry if that's a dumb question; I've only been working with IPA for a couple weeks so I'm still working on building my intuition for it.

I'd be happy to share my DHCP plugin, but it's pretty sketchy. ISC DHCPd's LDAP support is kind of idiosyncratic, so my plugin is pretty purpose-built for our environment and needs. It might be a starting point for somebody else, though. I'll put the polish on the code and share a Github link later today or maybe tomorrow.

Thanks again for the advice.

On May 9, 2016 at 11:45:25 AM, Rob Crittenden (rcritten at redhat.com) wrote:

Jeffery Harrell wrote:
> Good morning. (It's morning where I am.)
>
> I've written several plugins for my deployment, including a DHCP plugin, and I'm trying to figure out the best way to deploy them onto production servers.
>
> Let's start with the schema. I could copy a schema file (e.g., 89dhcp.ldif and others) into /etc/dirsrv/slapd-REALM/schema and do a schema reload, or I could use ldapmodify to write the schema directly into the running system so it gets written into /etc/dirsrv/slapd-REALM/schema/99user.ldif.
>
> Is there any reason to prefer one over the other? Doing it the first way seems more tidy to me, but it has to be done on each server separately, which makes me wonder if it might cause things to get weird with respect to replication during that short span of time when one server has the schema and the other doesn't. The Red Hat Directory Server documentation stops short of saying that local schemata should always be installed with ldapmodify into 99user.ldif, but it seems to kind of head-fake in that direction, so I'm not sure what the right method is.

The answer is neither: you want to use ipa-ldap-updater --schema-file=

You definitely want to do it online so the schema gets replicated (and into 99user.ldif) so entries on non-updated masters don't blow up.

> Then there are the update files. For the DHCP plugin, for instance, I have a short update file that initializes a few objects (see below). Is it better to just RUN this update against a live server with ipa-ldap-updater, or is it better to INSTALL this file in /usr/share/ipa/updates so it stays on the server permanently? Will the second approach be better in case of upgrades or whatever?

I'd install it into /usr/share/ipa/updates. The updater is more or less idempotent so it shouldn't hurt anything to run it multiple times.

Once you have things working you might consider submitting your work upstream. There is a long-standing ticket for DHCP integration, https://fedorahosted.org/freeipa/ticket/939

rob

> Thanks very much for taking the time. I hope my questions made sense.
>
> Jeffery
>
> DHCP update file for reference, if necessary:
>
> dn: cn=dhcp,$SUFFIX
> add: objectClass: top
> add: objectClass: dhcpService
> add: dhcpStatements: authoritative
> add: dhcpStatements: default-lease-time 43200
> add: dhcpStatements: max-lease-time 86400
> add: dhcpStatements: one-lease-per-client on
>
> dn: cn=dhcpHosts,cn=Schema Compatibility,cn=plugins,cn=config
> add: objectClass: top
> add: objectClass: extensibleObject
> add: schema-compat-container-group: cn=hosts,cn=dhcp,$SUFFIX
> add: schema-compat-search-base: cn=computers,cn=accounts,$SUFFIX
> add: schema-compat-search-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
> add: schema-compat-entry-rdn: cn=%{fqdn}
> add: schema-compat-entry-attribute: objectClass=dhcpHost
> add: schema-compat-entry-attribute: dhcpHWAddress=ethernet %{macAddress}
> add: schema-compat-entry-attribute: dhcpStatements=fixed-address %{fqdn}
> add: schema-compat-entry-attribute: dhcpOption=host-name "%{fqdn}"
>
> dn: cn=DHCP Administrators,cn=privileges,cn=pbac,$SUFFIX
> add: objectClass: top
> add: objectClass: groupofnames
> add: objectClass: nestedgroup
> only: description: DHCP Administrators
>
> plugin: update_managed_permissions

From Andy.Thompson at e-tcc.com Mon May 9 18:52:25 2016
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Mon, 9 May 2016 18:52:25 +0000
Subject: [Freeipa-users] freeipa as organizational CA
Message-ID: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local>

Is freeipa in RHEL7.2 able to be used as an organizational CA these days? I have a requirement to set one up and like the IPA interface and tools, but can't sort out the current state in 4.2 to decipher whether this is possible, or even reasonable to try. I need to setup an org sub CA with an offline root CA

The dogtag pki-ca in 7.2 appears to be missing some pieces, none of the management themes seem to be available and the console utilities are hit and miss, so I'm looking at this possibility. Seems like overkill but thought I'd toss the idea around.

Thanks!

-andy

From abokovoy at redhat.com Mon May 9 19:23:07 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 9 May 2016 22:23:07 +0300
Subject: [Freeipa-users] freeipa as organizational CA
In-Reply-To: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local>
References: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local>
Message-ID: <20160509192307.5fuvef2ewzsyoyx6@redhat.com>

On Mon, 09 May 2016, Andy Thompson wrote:
>Is freeipa in RHEL7.2 able to be used as an organizational CA these days? I have a requirement to set one up and like the IPA interface and tools, but can't sort out the current state in 4.2 to decipher whether this is possible, or even reasonable to try. I need to setup an org sub CA with an offline root CA
Sub-CA support is coming in FreeIPA 4.4, hopefully. Current code in RHEL 7.2 does not support sub-CA functionality.

>The dogtag pki-ca in 7.2 appears to be missing some pieces, none of the management themes seem to be available and the console utilities are hit and miss, so I'm looking at this possibility. Seems like overkill but thought I'd toss the idea around.
I think RHCS is a separate product with support on top of RHEL 7. Check with your Red Hat representatives.

-- 
/ Alexander Bokovoy

From rcritten at redhat.com Mon May 9 19:28:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 9 May 2016 15:28:35 -0400
Subject: [Freeipa-users] Correct way to install plugins?
In-Reply-To:
References: <5730DAC3.2060502@redhat.com>
Message-ID: <5730E4E3.2090803@redhat.com>

Jeffery Harrell wrote:
> Thanks very much, Rob. Would it be best to install the schema file in .../updates so it lives there permanently, or is it enough to just run it through ipa-ldap-updater the one time? I'm sorry if that's a dumb question; I've only been working with IPA for a couple weeks so I'm still working on building my intuition for it.

What I would recommend is packaging the whole thing as an rpm. Then you can be sure that the same bits are installed on every master and as changes are needed you can roll them out in a controlled way. And rpm -V will tell you if there are any local customizations.

This would involve putting the update files into .../updates. I don't believe there is any downside in putting files there.

rob

>
> I'd be happy to share my DHCP plugin, but it's pretty sketchy. ISC DHCPd's LDAP support is kind of idiosyncratic, so my plugin is pretty purpose-built for our environment and needs. It might be a starting point for somebody else, though. I'll put the polish on the code and share a Github link later today or maybe tomorrow.
>
> Thanks again for the advice.
>
> On May 9, 2016 at 11:45:25 AM, Rob Crittenden (rcritten at redhat.com) wrote:
>
>> Jeffery Harrell wrote:
>> > Good morning. (It's morning where I am.)
>> >
>> > I've written several plugins for my deployment, including a DHCP plugin, and I'm trying to figure out the best way to deploy them onto production servers.
>> >
>> > Let's start with the schema. I could copy a schema file (e.g., 89dhcp.ldif and others) into /etc/dirsrv/slapd-REALM/schema and do a schema reload, or I could use ldapmodify to write the schema directly into the running system so it gets written into /etc/dirsrv/slapd-REALM/schema/99user.ldif.
>> >
>> > Is there any reason to prefer one over the other? Doing it the first way seems more tidy to me, but it has to be done on each server separately, which makes me wonder if it might cause things to get weird with respect to replication during that short span of time when one server has the schema and the other doesn't. The Red Hat Directory Server documentation stops short of saying that local schemata should always be installed with ldapmodify into 99user.ldif, but it seems to kind of head-fake in that direction, so I'm not sure what the right method is.
>>
>> The answer is neither: you want to use ipa-ldap-updater --schema-file=
>>
>> You definitely want to do it online so the schema gets replicated (and into 99user.ldif) so entries on non-updated masters don't blow up.
>>
>> > Then there are the update files. For the DHCP plugin, for instance, I have a short update file that initializes a few objects (see below). Is it better to just RUN this update against a live server with ipa-ldap-updater, or is it better to INSTALL this file in /usr/share/ipa/updates so it stays on the server permanently? Will the second approach be better in case of upgrades or whatever?
>>
>> I'd install it into /usr/share/ipa/updates. The updater is more or less idempotent so it shouldn't hurt anything to run it multiple times.
>>
>> Once you have things working you might consider submitting your work upstream. There is a long-standing ticket for DHCP integration, https://fedorahosted.org/freeipa/ticket/939
>>
>> rob
>>
>> > Thanks very much for taking the time. I hope my questions made sense.
>> > >> > Jeffery >> > >> > DHCP update file for reference, if necessary: >> > >> > dn: cn=dhcp,$SUFFIX >> > add: objectClass: top >> > add: objectClass: dhcpService >> > add: dhcpStatements: authoritative >> > add: dhcpStatements: default-lease-time 43200 >> > add: dhcpStatements: max-lease-time 86400 >> > add: dhcpStatements: one-lease-per-client on >> > >> > dn: cn=dhcpHosts,cn=Schema Compatibility,cn=plugins,cn=config >> > add: objectClass: top >> > add: objectClass: extensibleObject >> > add: schema-compat-container-group: cn=hosts,cn=dhcp,$SUFFIX >> > add: schema-compat-search-base: cn=computers,cn=accounts,$SUFFIX >> > add: schema-compat-search-filter: >> > (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) >> > add: schema-compat-entry-rdn: cn=%{fqdn} >> > add: schema-compat-entry-attribute: objectClass=dhcpHost >> > add: schema-compat-entry-attribute: dhcpHWAddress=ethernet %{macAddress} >> > add: schema-compat-entry-attribute: dhcpStatements=fixed-address %{fqdn} >> > add: schema-compat-entry-attribute: dhcpOption=host-name "%{fqdn}" >> > >> > dn: cn=DHCP Administrators,cn=privileges,cn=pbac,$SUFFIX >> > add: objectClass: top >> > add: objectClass: groupofnames >> > add: objectClass: nestedgroup >> > only: description: DHCP Administrators >> > >> > plugin: update_managed_permissions >> > >> > >> > >> From Andy.Thompson at e-tcc.com Mon May 9 20:31:32 2016 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Mon, 9 May 2016 20:31:32 +0000 Subject: [Freeipa-users] freeipa as organizational CA In-Reply-To: <20160509192307.5fuvef2ewzsyoyx6@redhat.com> References: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local> <20160509192307.5fuvef2ewzsyoyx6@redhat.com> Message-ID: > -----Original Message----- > From: Alexander Bokovoy [mailto:abokovoy at redhat.com] > Sent: Monday, May 9, 2016 3:23 PM > To: Andy Thompson > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] freeipa as organizational CA > > On Mon, 09 May 2016, Andy Thompson wrote: > >Is 
freeipa in RHEL7.2 able to be used as an organizational CA these > >days? I have a requirement to set one up and like the IPA interface > >and tools, but can't sort out the current state in 4.2 to decipher > >whether this is possible, or even reasonable to try. I need to setup > >an org sub CA with an offline root CA > Sub-CA support is coming in FreeIPA 4.4, hopefully. Current code in RHEL > 7.2 does not support sub-CA functionality. > If I can get an exclusion for the sub-CA bits, can that be added at a later time and just run with a root CA for now? Can it perform all of the needs of an org CA outside of an IPA environment? > >The dogtag pki-ca in 7.2 appears to be missing some pieces, none of the > >management themes seem to be available and the console utilities are > >hit and miss, so I'm looking at this possibility. Seems like overkill > >but thought I'd toss the idea around. > I think RHCS is a separate product with support on top of RHEL 7. Check with > your Red Hat representatives. > -- It is a separate product but our contract doesn't cover it so I am pursuing other options -andy From abokovoy at redhat.com Mon May 9 20:43:37 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 9 May 2016 23:43:37 +0300 Subject: [Freeipa-users] freeipa as organizational CA In-Reply-To: References: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local> <20160509192307.5fuvef2ewzsyoyx6@redhat.com> Message-ID: <20160509204337.dsl2xib5fazx3wmi@redhat.com> On Mon, 09 May 2016, Andy Thompson wrote: >> -----Original Message----- >> From: Alexander Bokovoy [mailto:abokovoy at redhat.com] >> Sent: Monday, May 9, 2016 3:23 PM >> To: Andy Thompson >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] freeipa as organizational CA >> >> On Mon, 09 May 2016, Andy Thompson wrote: >> >Is freeipa in RHEL7.2 able to be used as an organizational CA these >> >days? 
I have a requirement to set one up and like the IPA interface and tools, but can't sort out the current state in 4.2 to decipher whether this is possible, or even reasonable to try. I need to setup an org sub CA with an offline root CA
>> Sub-CA support is coming in FreeIPA 4.4, hopefully. Current code in RHEL 7.2 does not support sub-CA functionality.
>>
>
>If I can get an exclusion for the sub-CA bits, can that be added at a later time and just run with a root CA for now? Can it perform all of the needs of an org CA outside of an IPA environment?
Not through the IPA interfaces but standard Dogtag is there, with its (albeit a bit cumbersome) web UI. So I guess you could do what IPA doesn't allow via that one, though there will be no support for these functions. When FreeIPA gets sub-CA support added, an upgrade path should be there to allow creating sub-CAs.

-- 
/ Alexander Bokovoy

From ftweedal at redhat.com Mon May 9 22:50:33 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 10 May 2016 08:50:33 +1000
Subject: [Freeipa-users] freeipa as organizational CA
In-Reply-To: <20160509192307.5fuvef2ewzsyoyx6@redhat.com>
References: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local> <20160509192307.5fuvef2ewzsyoyx6@redhat.com>
Message-ID: <20160509225033.GM1237@dhcp-40-8.bne.redhat.com>

On Mon, May 09, 2016 at 10:23:07PM +0300, Alexander Bokovoy wrote:
> On Mon, 09 May 2016, Andy Thompson wrote:
> >Is freeipa in RHEL7.2 able to be used as an organizational CA these days? I have a requirement to set one up and like the IPA interface and tools, but can't sort out the current state in 4.2 to decipher whether this is possible, or even reasonable to try. I need to setup an org sub CA with an offline root CA
> Sub-CA support is coming in FreeIPA 4.4, hopefully. Current code in RHEL 7.2 does not support sub-CA functionality.
>
Andy, you can install FreeIPA as a sub-CA of your offline root.
Support for creating sub-CAs *within* FreeIPA, under the "main" FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet available but I am working on that. But if you only need one CA as a sub-CA of an offline root, you can use FreeIPA today.

> >The dogtag pki-ca in 7.2 appears to be missing some pieces, none of the management themes seem to be available and the console utilities are hit and miss, so I'm looking at this possibility. Seems like overkill but thought I'd toss the idea around.
> I think RHCS is a separate product with support on top of RHEL 7. Check with your Red Hat representatives.
> -- 
> / Alexander Bokovoy
>
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From barrykfl at gmail.com Tue May 10 00:19:07 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Tue, 10 May 2016 08:19:07 +0800
Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
In-Reply-To: <20160509111746.GB20260@10.4.128.1>
References: <5723436E.8030206@redhat.com> <57234734.6050601@redhat.com> <57272BE5.4040203@redhat.com> <20160509111746.GB20260@10.4.128.1>
Message-ID:

Do you mean the error is related to the OS?

On 2016-05-09 7:17 PM, "Lukas Slebodnik" wrote:
> On (09/05/16 12:14), Barry wrote:
> > Hello Barry,
> >
> >Can you provide more info?
> >
> >What is your IPA version, OS?
> >
> >CENTOS 6.5
> >
> Please upgrade to latest CentOS 6.7
> there are known bugs in CentOS 6.5
> which are already fixed in CentOS 6.7.
>
> LS

From lslebodn at redhat.com Tue May 10 07:09:07 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 10 May 2016 09:09:07 +0200
Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
In-Reply-To:
References: <5723436E.8030206@redhat.com> <57234734.6050601@redhat.com> <57272BE5.4040203@redhat.com> <20160509111746.GB20260@10.4.128.1>
Message-ID: <20160510070906.GD23449@10.4.128.1>

On (10/05/16 08:19), barrykfl at gmail.com wrote:
>Do you mean the error is related to the OS?
I mean that there are known bugs in FreeIPA components: 389-ds, sssd ....
CentOS 6.5 is quite an old version.

I would really recommend upgrading to the latest CentOS. If there are still problems on the latest CentOS then we can try to continue with troubleshooting.

It is not worth spending time analyzing already fixed bugs.

LS

From barrykfl at gmail.com Tue May 10 08:07:25 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Tue, 10 May 2016 16:07:25 +0800
Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
In-Reply-To: <20160510070906.GD23449@10.4.128.1>
References: <5723436E.8030206@redhat.com> <57234734.6050601@redhat.com> <57272BE5.4040203@redhat.com> <20160509111746.GB20260@10.4.128.1> <20160510070906.GD23449@10.4.128.1>
Message-ID:

Just wondering whether the freeipa package will have bugs if the OS is too old.

On 2016-05-10 3:09 PM, "Lukas Slebodnik" wrote:
> On (10/05/16 08:19), barrykfl at gmail.com wrote:
> >Do you mean the error is related to the OS?
> I mean that there are known bugs in FreeIPA components: 389-ds, sssd ....
> CentOS 6.5 is quite an old version.
>
> I would really recommend upgrading to the latest CentOS. If there are still problems on the latest CentOS then we can try to continue with troubleshooting.
>
> It is not worth spending time analyzing already fixed bugs.
>
> LS

From pvoborni at redhat.com Tue May 10 08:16:38 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 10 May 2016 10:16:38 +0200
Subject: [Freeipa-users] ipa-server-upgrade fails and CA cannot start
In-Reply-To: <1462736980.3898.290.camel@dingman.org>
References: <1462736980.3898.290.camel@dingman.org>
Message-ID: <6b61d4d9-1151-35e9-6efa-88934742950b@redhat.com>

On 05/08/2016 09:49 PM, Andrew C. Dingman wrote:
> For those of you who recognize me from non-public lists and chats, this is a whole different setup from the one we've been discussing there.
>
> This is on a RHEL 7 system, and unfortunately for me the CA master in my personal IPA realm. When I attempted to update using yum on April 15th, the ipa-server-update script failed with what seems to be a dbus error, and I have been unable to start the CA (and therefore ipa in general) since. As a result, my personal systems are running on one IPA server, which makes me more than a little nervous.
>
> The relevant bit of the upgrade log seems to be:
>
> 2016-05-08T19:03:08Z DEBUG stderr=
> 2016-05-08T19:03:08Z INFO [Upgrading CA schema]
> 2016-05-08T19:03:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-ACDINGMAN-COM.socket from SchemaCache
> 2016-05-08T19:03:08Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-ACDINGMAN-COM.socket conn=
> 2016-05-08T19:03:08Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
> 2016-05-08T19:03:08Z DEBUG Not updating schema
> 2016-05-08T19:03:08Z INFO CA schema update complete (no changes)
> 2016-05-08T19:03:08Z INFO [Verifying that CA audit signing cert has 2 year validity]
> 2016-05-08T19:03:08Z DEBUG caSignedLogCert.cfg profile validity range is 720
> 2016-05-08T19:03:08Z INFO [Update certmonger certificate renewal configuration to version 4]
> 2016-05-08T19:03:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2016-05-08T19:03:08Z ERROR Failed to get
request: bus, object_path and > dbus_interface must not be None. > 2016-05-08T19:03:08Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > 2016-05-08T19:03:08Z DEBUG File "/usr/lib/python2.7/site- > packages/ipapython/admintool.py", line 171, in execute > return_value = self.run() > File "/usr/lib/python2.7/site- > packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run > raise admintool.ScriptError(str(e)) > > 2016-05-08T19:03:08Z DEBUG The ipa-server-upgrade command failed, > exception: ScriptError: bus, object_path and dbus_interface must not be > None. > 2016-05-08T19:03:08Z ERROR bus, object_path and dbus_interface must not > be None. > > There's a whole lot more, nearly 4MiB of log even when I reduce it to > my most recent attempt to run the upgrade script. > > "getcert list" successfully shows 8 certificate requests being tracked. > Four are in "MONITORING" status, four in "NEED_CA". The NEED_CA > requests all indicate expiration back in February, and look like > crucial certificates: CN=CA Subsystem, CN=IPA RA, CN=CA Audit > and CN=OCSP Subsystem. > > On the working replica, all eight are in "MONITORING" status and have > expiration dates in 2017 or later. I have not attempted the package > update on that system. Should I consider promoting this one to CA > master, force-deleting the old one, and reinstalling it as a new > system? > > Please let me know what other information would be helpful for > diagnostics. The current state of all packages on the broken master is > up to earlier today from the official Red Hat content distribution > network. > Hello Andrew, Could you paste output of `ipactl start` ? Also when upgrader fails it tends to leave directory server not accessible by changing 389 and 636 port. 
It could be verified by:

$ ldapsearch -ZZ -h `hostname` -D "cn=Directory Manager" -W -s base -b "cn=config" | grep "nsslapd-security\|nsslapd-port"
Enter LDAP Password:
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-port: 389
nsslapd-security: on

If there are values other than '389' and 'on' (usually '0' and 'off') then it might be the reason why IPA doesn't start. Changing them back to 'on' and 389 might help. But it won't say why the upgrader failed. Maybe it was a one-time glitch or it was related to the expired certs. The error message you got is in code which creates a connection to certmonger.

But if there are expired certificates, the usual recovery is to move back time a day or two before the first certificate expires and let certmonger renew the certs. Optionally the renewal can be forced by the `getcert resubmit -i $certid` command.

-- 
Petr Vobornik

From piolet.y at gmail.com Tue May 10 09:51:26 2016
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Tue, 10 May 2016 11:51:26 +0200
Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates
In-Reply-To: <20160331074157.GA18277@dhcp-40-8.bne.redhat.com>
References: <1459106087.18839.25.camel@stefany.eu> <20160331074157.GA18277@dhcp-40-8.bne.redhat.com>
Message-ID:

Hi Fraser, Martin,

I've got exactly the same problem with no DNS AltName and OU=pki-ipa,O=IPA in the subject.
### certprofile $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert ----------------------------------------------------------- Profile configuration stored in file 'caIPAserviceCert.cfg' ----------------------------------------------------------- Profile ID: caIPAserviceCert Profile description: Standard profile for network services Store issued certificates: TRUE ### My /etc/pki/pki-tomcat/ca/CS.cfg : http://pastebin.com/wnVWH8bq ### caIPAserviceCert I'd like to send you my caIPAserviceCert.cfg, two of them are present on my system: - /usr/share/ipa/profiles/caIPAserviceCert.cfg : http://pastebin.com/byddqgSF - /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg : http://pastebin.com/FFUTytDq And a diff between them : $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg 1,2d0 < profileId=caIPAserviceCert < classId=caEnrollImpl 15c13 < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 --- > policyset.serverCertSet.list=1,2,3,4,5,6,7,8 22c20 < policyset.serverCertSet.1.default.params.name=CN=$$ request.req_subject_name.cn$$, $SUBJECT_DN_O --- > policyset.serverCertSet.1.default.params.name=CN=$ request.req_subject_name.cn$, OU=pki-ipa, O=IPA 48c46 < policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http:// $IPA_CA_RECORD.$DOMAIN/ca/ocsp --- > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= 95,97c93,95 < policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER < policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName < policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http:// $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin --- > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0= > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0= > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0= https://ipa.example.com/ipa/crl/MasterCRL.bin 100,109d97 < 
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
< policyset.serverCertSet.10.constraint.name=No Constraint
< policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
< policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
< policyset.serverCertSet.10.default.params.critical=false
< policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
< policyset.serverCertSet.11.constraint.name=No Constraint
< policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
< policyset.serverCertSet.11.default.name=User Supplied Extension Default
< policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17

Thanks in advance for your support,

Regards
-- 
Youenn Piolet
piolet.y at gmail.com

2016-03-31 9:41 GMT+02:00 Fraser Tweedale :
> On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:
> > Hello,
> >
> > I seem to be having some issues with IPA CA feature not generating certificates with DNS SubjectAltNames.
> >
> > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under CentOS 7.2 / IPA 4.2 something's different.
> >
> > Here are the original steps which worked fine for my first use case ::
> >
> > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
> > $ ipa host-add mail.example.com
> > $ ipa service-add smtp/mail.example.com
> > $ ipa service-add smtp/mail1.example.com
> > $ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
> > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
> > -f /etc/pki/tls/certs/postfix.pem \
> > -N CN=mail1.example.com,O=EXAMPLE.COM \
> > -D mail1.example.com -D mail.example.com \
> > -K smtp/mail1.example.com
> > (and repeat for every next member of the cluster...)
> >
> > After this, I would get certificate with something like ::
> > $ sudo ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20150419153933': > > status: MONITORING > > stuck: no > > key pair storage: > > type=FILE,location='/etc/pki/tls/private/postfix.key' > > certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=mail1.example.com,O=EXAMPLE.COM > > expires: 2017-04-19 15:39:35 UTC > > dns: mail1.example.com,mail.example.com > > principal name: smtp/mail1.example.com at EXAMPLE.COM > > key usage: > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > > > with Subject line in form of: 'CN=,O=EXAMPLE.COM' and 'dns' > > info line present. > > > > Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm > > getting this :: > > > > $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create- > > reverse > > $ ipa host-add w3.example.com > > $ ipa service-add HTTP/w3.example.com > > $ ipa service-add HTTP/http1.example.com > > $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com > > $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \ > > -f /etc/pki/tls/certs/httpd.pem \ > > -N CN=http1.example.com,O=EXAMPLE.COM \ > > -D http1.example.com -D w3.example.com \ > > -K HTTP/http1.example.com > > $ sudo ipa-getcert list > > Number of certificates and requests being tracked: 3. 
> > Request ID '20160327095125': > > status: MONITORING > > stuck: no > > key pair storage: > > type=FILE,location='/etc/pki/tls/private/http.key' > > certificate: type=FILE,location='/etc/pki/tls/certs/http.pem' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=http1.example.com,OU=pki-ipa,O=IPA > > expires: 2018-03-28 09:51:27 UTC > > key usage: > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > > > Where's the 'CN=,OU=pki-ipa,O=IPA' coming from instead of > > 'CN=,O=EXAMPLE.COM' and why are DNS SubjectAltNames missing? > > > > To be clear, if I don't do :: > > $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com > > > > then certificate is just not issued with 'REJECTED', but once this is > > done properly in described steps, DNS SANs are not happening. > > > > I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only > > against my current IPA 4.2 on CentOS 7.2. 
> > > > For the actual certificates :: > > $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text > > Certificate: > > Data: > > Version: 3 (0x2) > > Serial Number: 15 (0xf) > > Signature Algorithm: sha256WithRSAEncryption > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > Validity > > Not Before: Apr 19 15:39:35 2015 GMT > > Not After : Apr 19 15:39:35 2017 GMT > > Subject: O=EXAMPLE.COM, CN=mail1.example.com > > Subject Public Key Info: > > Public Key Algorithm: rsaEncryption > > Public-Key: (2048 bit) > > Modulus: > > [cut] > > Exponent: 65537 (0x10001) > > X509v3 extensions: > > X509v3 Authority Key Identifier: > > keyid:[cut] > > > > Authority Information Access: > > OCSP - URI:http://ipa-ca.example.com/ca/ocsp > > > > X509v3 Key Usage: critical > > Digital Signature, Non Repudiation, Key Encipherment, > > Data Encipherment > > X509v3 Extended Key Usage: > > TLS Web Server Authentication, TLS Web Client > > Authentication > > X509v3 CRL Distribution Points: > > > > Full Name: > > URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin > > CRL Issuer: > > DirName: O = ipaca, CN = Certificate Authority > > > > X509v3 Subject Key Identifier: > > [cut] > > X509v3 Subject Alternative Name: > > DNS:mail1.example.com, DNS:mail.example.com, > > othername:, othername: > > Signature Algorithm: sha256WithRSAEncryption > > [cut] > > > > vs. 
> > > > $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout > > Certificate: > > Data: > > Version: 3 (0x2) > > Serial Number: 71 (0x47) > > Signature Algorithm: sha256WithRSAEncryption > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > Validity > > Not Before: Mar 27 09:51:27 2016 GMT > > Not After : Mar 28 09:51:27 2018 GMT > > Subject: O=IPA, OU=pki-ipa, CN=http1.example.com > > Subject Public Key Info: > > Public Key Algorithm: rsaEncryption > > Public-Key: (2048 bit) > > Modulus: > > [cut] > > Exponent: 65537 (0x10001) > > X509v3 extensions: > > X509v3 Authority Key Identifier: > > keyid:[cut] > > > > Authority Information Access: > > OCSP - URI:http://idmc1.example.com:80/ca/ocsp > > > > X509v3 Key Usage: critical > > Digital Signature, Non Repudiation, Key Encipherment, > > Data Encipherment > > X509v3 Extended Key Usage: > > TLS Web Server Authentication, TLS Web Client > > Authentication > > Signature Algorithm: sha256WithRSAEncryption > > [cut] > > > > so even reference to CRL is missing here, but OCSP is present. > > > > > > Sorry if this is duplicate, but from what I was able to find, DNS > > SubjectAltNames are reported working since CentOS 7.1, and I think I'm > > consistent with http://www.freeipa.org/page/PKI, unless I miss something > > obvious here. > > > > For new features like certificate profiles and ACLs, I haven't changed > > any defaults as far as I know as there was no need for that. > > > > > > Thank you for any support in advance! And Happy Easter! > > > > Martin > > Hi Martin, > > Thanks for the detailed info. Could you please provide the > Dogtag configuration for the default profile, `caIPAserviceCert'? > > ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert > > (Then provide the contents of caIPAserviceCert.cfg) > > Could you also provide the contents of file > `/etc/pki/pki-tomcat/ca/CS.cfg'? 
> > Regards, > Fraser > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From barrykfl at gmail.com Tue May 10 10:36:47 2016 From: barrykfl at gmail.com (barrykfl at gmail.com) Date: Tue, 10 May 2016 18:36:47 +0800 Subject: [Freeipa-users] Upgrade to new IPA Message-ID: Hi all: I m using freeipa 3.0 ...is there a fast way to export username / password and migrate to new 4.0 server not inplace upgrade .? Regards Barry -------------- next part -------------- An HTML attachment was scrubbed... URL: From barrykfl at gmail.com Tue May 10 10:41:52 2016 From: barrykfl at gmail.com (barrykfl at gmail.com) Date: Tue, 10 May 2016 18:41:52 +0800 Subject: [Freeipa-users] Restore form backup , start servrer will error but sucess Message-ID: Hi: Restore form backup follow the procedure below: http://www.freeipa.org/page/V3/Backup_and_Restore Now server web page launch but canot access Sorry you are not allowed to access this service. Starting dirsrv: PKI-IPA... [ OK ] WISERS-COM... [ OK ] Starting KDC Service Starting Kerberos 5 KDC: [ OK ] Starting KPASSWD Service Starting Kerberos 5 Admin Server: [ OK ] Starting MEMCACHE Service Starting ipa_memcached: [ OK ] Starting HTTP Service Starting httpd: [ OK ] Starting CA Service Starting CA Service Traceback (most recent call last): File "/usr/sbin/pki-server", line 88, in cli = PKIServerCLI() File "/usr/sbin/pki-server", line 34, in __init__ super(PKIServerCLI, self).__init__('pki-server', 'PKI server command-line interface') File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__ self.modules = collections.OrderedDict() AttributeError: 'module' object has no attribute 'OrderedDict' Starting pki-ca: [ OK ] Any idea above? -------------- next part -------------- An HTML attachment was scrubbed... 
From pvoborni at redhat.com Tue May 10 10:43:00 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 10 May 2016 12:43:00 +0200
Subject: [Freeipa-users] Upgrade to new IPA
In-Reply-To:
References:
Message-ID: <711c567d-4796-1fc3-fc5d-ee1c1caeb021@redhat.com>

On 05/10/2016 12:36 PM, barrykfl at gmail.com wrote:
> Hi all:
>
> I'm using freeipa 3.0 ...is there a fast way to export username / password and
> migrate to
> new 4.0 server not in-place upgrade .?
>

The recommended method is to do an in-place upgrade to the latest RHEL/CentOS 6. Then migrate to RHEL 7 by creating a new replica, see the full process here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

--
Petr Vobornik

From ftweedal at redhat.com Tue May 10 10:55:33 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 10 May 2016 20:55:33 +1000
Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates
In-Reply-To:
References: <1459106087.18839.25.camel@stefany.eu> <20160331074157.GA18277@dhcp-40-8.bne.redhat.com>
Message-ID: <20160510105533.GQ1237@dhcp-40-8.bne.redhat.com>

On Tue, May 10, 2016 at 11:51:26AM +0200, Youenn PIOLET wrote:
> Hi Fraser, Martin,
>
> I've got exactly the same problem with no DNS AltName and OU=pki-ipa,O=IPA
> in the subject.
>
Hi Youenn,

I'm currently investigating this issue; the state of the system is clear but I'm still trying to work out how it gets there. Could you confirm whether you are on RHEL / CentOS 7.2, and if so, whether it was installed at 7.2 or an upgrade from 7.1 or an earlier version?

Further commentary below.
> ### certprofile
> $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
> -----------------------------------------------------------
> Profile configuration stored in file 'caIPAserviceCert.cfg'
> -----------------------------------------------------------
> Profile ID: caIPAserviceCert
> Profile description: Standard profile for network services
> Store issued certificates: TRUE
>
You do not include the caIPAserviceCert.cfg in the diffs below, however, I suspect you will find it to be identical to /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg. Could you please confirm this?

> ### My /etc/pki/pki-tomcat/ca/CS.cfg :
> http://pastebin.com/wnVWH8bq
>
Thanks for sharing; everything looks fine here.

> ### caIPAserviceCert
> I'd like to send you my caIPAserviceCert.cfg, two of them are present on my
> system:
>
> - /usr/share/ipa/profiles/caIPAserviceCert.cfg :
> http://pastebin.com/byddqgSF
>
(The rest of my reply is just an FYI on where FreeIPA/Dogtag stores profile configuration.)

Profile configurations in /usr/share/ipa/profiles/ are templates owned by IPA, with placeholders that get filled out when IPA imports the profile.

> - /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg :
> http://pastebin.com/FFUTytDq
>
Profiles stored here are the default profiles added to a Dogtag instance, however, the files at these locations are not used by running instances.

But wait, there's more! You should also find /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg. This one is used by Dogtag if the file-based ProfileSubsystem is used. FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem which stores profile configuration in LDAP. The file output by the ``ipa certprofile-show`` command will have come from LDAP; this is the version that's actually in use in your IPA installation.
Cheers, Fraser > And a diff between them : > > $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg > 1,2d0 > < profileId=caIPAserviceCert > < classId=caEnrollImpl > 15c13 > < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 > --- > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8 > 22c20 > < policyset.serverCertSet.1.default.params.name=CN=$$ > request.req_subject_name.cn$$, $SUBJECT_DN_O > --- > > policyset.serverCertSet.1.default.params.name=CN=$ > request.req_subject_name.cn$, OU=pki-ipa, O=IPA > 48c46 > < > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http:// > $IPA_CA_RECORD.$DOMAIN/ca/ocsp > --- > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= > 95,97c93,95 > < > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER > < > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName > < policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http:// > $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin > --- > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0= > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0= > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0= > https://ipa.example.com/ipa/crl/MasterCRL.bin > 100,109d97 > < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl > < policyset.serverCertSet.10.constraint.name=No Constraint > < > policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl > < policyset.serverCertSet.10.default.name=Subject Key Identifier Extension > Default > < policyset.serverCertSet.10.default.params.critical=false > < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl > < policyset.serverCertSet.11.constraint.name=No Constraint > < policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl > < policyset.serverCertSet.11.default.name=User Supplied Extension Default > < 
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 > > Thanks by advance for your support, > Regards > > -- > Youenn Piolet > piolet.y at gmail.com > > > 2016-03-31 9:41 GMT+02:00 Fraser Tweedale : > > > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin ?tefany wrote: > > > Hello, > > > > > > I seem to be having some issues with IPA CA feature not generating > > > certificates with DNS SubjectAltNames. > > > > > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under > > > CentOS 7.2 / IPA 4.2 something's different. > > > > > > Here are the original steps which worked fine for my first use case :: > > > > > > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25 > > > $ ipa host-add mail.example.com > > > $ ipa service-add smtp/mail.example.com > > > $ ipa service-add smtp/mail1.example.com > > > $ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com > > > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \ > > > -f /etc/pki/tls/certs/postfix.pem \ > > > -N CN=mail1.example.com,O=EXAMPLE.COM \ > > > -D mail1.example.com -D mail.example.com \ > > > -K smtp/mail1.example.com > > > (and repeat for every next member of the cluster...) > > > > > > After this, I would get certificate with something like :: > > > $ sudo ipa-getcert list > > > Number of certificates and requests being tracked: 3. 
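Review bot: the right-hand (`>`) side of this diff, the stock Dogtag profile, accounts for every symptom reported earlier in the thread, so the question to settle is which of the two sides is the profile held in LDAP. On the `>` side `policyset.serverCertSet.list=1,2,3,4,5,6,7,8` drops entries 9, 10 and 11, that is the CRL distribution point, the subject key identifier and the user-supplied extension with `userExtOID=2.5.29.17` (SubjectAltName), and entry 1 hard-codes `OU=pki-ipa, O=IPA` in place of `$SUBJECT_DN_O`; that matches the http.pem dump quoted above exactly (subject `O=IPA, OU=pki-ipa`, no CRL Distribution Points, no Subject Key Identifier, no Subject Alternative Name). Two smaller points: the `>` side still defines entry 9 with `https://ipa.example.com/ipa/crl/MasterCRL.bin` but does not list it, so that value is inert; and the `<` side is a template whose `$DOMAIN`, `$IPA_CA_RECORD`, `$SUBJECT_DN_O` and `$CRL_ISSUER` placeholders have to be filled before it can serve as the active profile.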
> > > Request ID '20150419153933': > > > status: MONITORING > > > stuck: no > > > key pair storage: > > > type=FILE,location='/etc/pki/tls/private/postfix.key' > > > certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > > subject: CN=mail1.example.com,O=EXAMPLE.COM > > > expires: 2017-04-19 15:39:35 UTC > > > dns: mail1.example.com,mail.example.com > > > principal name: smtp/mail1.example.com at EXAMPLE.COM > > > key usage: > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > > > > with Subject line in form of: 'CN=,O=EXAMPLE.COM' and 'dns' > > > info line present. > > > > > > Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm > > > getting this :: > > > > > > $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create- > > > reverse > > > $ ipa host-add w3.example.com > > > $ ipa service-add HTTP/w3.example.com > > > $ ipa service-add HTTP/http1.example.com > > > $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com > > > $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \ > > > -f /etc/pki/tls/certs/httpd.pem \ > > > -N CN=http1.example.com,O=EXAMPLE.COM \ > > > -D http1.example.com -D w3.example.com \ > > > -K HTTP/http1.example.com > > > $ sudo ipa-getcert list > > > Number of certificates and requests being tracked: 3. 
> > > Request ID '20160327095125': > > > status: MONITORING > > > stuck: no > > > key pair storage: > > > type=FILE,location='/etc/pki/tls/private/http.key' > > > certificate: type=FILE,location='/etc/pki/tls/certs/http.pem' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > > subject: CN=http1.example.com,OU=pki-ipa,O=IPA > > > expires: 2018-03-28 09:51:27 UTC > > > key usage: > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > > > track: yes > > > auto-renew: yes > > > > > > Where's the 'CN=,OU=pki-ipa,O=IPA' coming from instead of > > > 'CN=,O=EXAMPLE.COM' and why are DNS SubjectAltNames missing? > > > > > > To be clear, if I don't do :: > > > $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com > > > > > > then certificate is just not issued with 'REJECTED', but once this is > > > done properly in described steps, DNS SANs are not happening. > > > > > > I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only > > > against my current IPA 4.2 on CentOS 7.2. 
> > > > > > For the actual certificates :: > > > $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text > > > Certificate: > > > Data: > > > Version: 3 (0x2) > > > Serial Number: 15 (0xf) > > > Signature Algorithm: sha256WithRSAEncryption > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > > Validity > > > Not Before: Apr 19 15:39:35 2015 GMT > > > Not After : Apr 19 15:39:35 2017 GMT > > > Subject: O=EXAMPLE.COM, CN=mail1.example.com > > > Subject Public Key Info: > > > Public Key Algorithm: rsaEncryption > > > Public-Key: (2048 bit) > > > Modulus: > > > [cut] > > > Exponent: 65537 (0x10001) > > > X509v3 extensions: > > > X509v3 Authority Key Identifier: > > > keyid:[cut] > > > > > > Authority Information Access: > > > OCSP - URI:http://ipa-ca.example.com/ca/ocsp > > > > > > X509v3 Key Usage: critical > > > Digital Signature, Non Repudiation, Key Encipherment, > > > Data Encipherment > > > X509v3 Extended Key Usage: > > > TLS Web Server Authentication, TLS Web Client > > > Authentication > > > X509v3 CRL Distribution Points: > > > > > > Full Name: > > > URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin > > > CRL Issuer: > > > DirName: O = ipaca, CN = Certificate Authority > > > > > > X509v3 Subject Key Identifier: > > > [cut] > > > X509v3 Subject Alternative Name: > > > DNS:mail1.example.com, DNS:mail.example.com, > > > othername:, othername: > > > Signature Algorithm: sha256WithRSAEncryption > > > [cut] > > > > > > vs. 
> > > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout > > > Certificate: > > > Data: > > > Version: 3 (0x2) > > > Serial Number: 71 (0x47) > > > Signature Algorithm: sha256WithRSAEncryption > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > > Validity > > > Not Before: Mar 27 09:51:27 2016 GMT > > > Not After : Mar 28 09:51:27 2018 GMT > > > Subject: O=IPA, OU=pki-ipa, CN=http1.example.com > > > Subject Public Key Info: > > > Public Key Algorithm: rsaEncryption > > > Public-Key: (2048 bit) > > > Modulus: > > > [cut] > > > Exponent: 65537 (0x10001) > > > X509v3 extensions: > > > X509v3 Authority Key Identifier: > > > keyid:[cut] > > > > > > Authority Information Access: > > > OCSP - URI:http://idmc1.example.com:80/ca/ocsp > > > > > > X509v3 Key Usage: critical > > > Digital Signature, Non Repudiation, Key Encipherment, > > > Data Encipherment > > > X509v3 Extended Key Usage: > > > TLS Web Server Authentication, TLS Web Client > > > Authentication > > > Signature Algorithm: sha256WithRSAEncryption > > > [cut] > > > > > > so even reference to CRL is missing here, but OCSP is present. > > > > > > > > > Sorry if this is duplicate, but from what I was able to find, DNS > > > SubjectAltNames are reported working since CentOS 7.1, and I think I'm > > > consistent with http://www.freeipa.org/page/PKI, unless I miss something > > > obvious here. > > > > > > For new features like certificate profiles and ACLs, I haven't changed > > > any defaults as far as I know as there was no need for that. > > > > > > > > > Thank you for any support in advance! And Happy Easter! > > > > > > Martin > > > > Hi Martin, > > > > Thanks for the detailed info. Could you please provide the > > Dogtag configuration for the default profile, `caIPAserviceCert'? 
> > > > ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert > > > > (Then provide the contents of caIPAserviceCert.cfg) > > > > Could you also provide the contents of file > > `/etc/pki/pki-tomcat/ca/CS.cfg'? > > > > Regards, > > Fraser > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project From mbasti at redhat.com Tue May 10 10:58:38 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 10 May 2016 12:58:38 +0200 Subject: [Freeipa-users] Restore form backup , start servrer will error but sucess In-Reply-To: References: Message-ID: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> On 10.05.2016 12:41, barrykfl at gmail.com wrote: > Hi: > > Restore form backup follow the procedure below: > http://www.freeipa.org/page/V3/Backup_and_Restore > > Now server web page launch but canot access > Sorry you are not allowed to access this service. > > Starting dirsrv: > PKI-IPA... [ OK ] > WISERS-COM... [ OK ] > Starting KDC Service > Starting Kerberos 5 KDC: [ OK ] > Starting KPASSWD Service > Starting Kerberos 5 Admin Server: [ OK ] > Starting MEMCACHE Service > Starting ipa_memcached: [ OK ] > Starting HTTP Service > Starting httpd: [ OK ] > Starting CA Service > > > Starting CA Service > Traceback (most recent call last): > File "/usr/sbin/pki-server", line 88, in > cli = PKIServerCLI() > File "/usr/sbin/pki-server", line 34, in __init__ > super(PKIServerCLI, self).__init__('pki-server', 'PKI server > command-line interface') > File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__ > self.modules = collections.OrderedDict() > AttributeError: 'module' object has no attribute 'OrderedDict' > Starting pki-ca: [ OK ] > > > Any idea above? > > You are using the old python, python 2.7 is required, which version of OS and IPA do you use? 
Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From kliu at alumni.warwick.ac.uk Tue May 10 11:34:19 2016 From: kliu at alumni.warwick.ac.uk (Barry) Date: Tue, 10 May 2016 19:34:19 +0800 Subject: [Freeipa-users] Restore form backup , start servrer will error but sucess In-Reply-To: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> References: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> Message-ID: Ipa 3.0 e47 Centos 6.5 . Just update python? 2016?5?10? ??6:58 ? "Martin Basti" ??? > > > On 10.05.2016 12:41, barrykfl at gmail.com wrote: > > Hi: > > Restore form backup follow the procedure below: > http://www.freeipa.org/page/V3/Backup_and_Restore > > Now server web page launch but canot access > Sorry you are not allowed to access this service. > > Starting dirsrv: > PKI-IPA... [ OK ] > WISERS-COM... [ OK ] > Starting KDC Service > Starting Kerberos 5 KDC: [ OK ] > Starting KPASSWD Service > Starting Kerberos 5 Admin Server: [ OK ] > Starting MEMCACHE Service > Starting ipa_memcached: [ OK ] > Starting HTTP Service > Starting httpd: [ OK ] > Starting CA Service > > > Starting CA Service > Traceback (most recent call last): > File "/usr/sbin/pki-server", line 88, in > cli = PKIServerCLI() > File "/usr/sbin/pki-server", line 34, in __init__ > super(PKIServerCLI, self).__init__('pki-server', 'PKI server > command-line interface') > File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__ > self.modules = collections.OrderedDict() > AttributeError: 'module' object has no attribute 'OrderedDict' > Starting pki-ca: [ OK ] > > > Any idea above? > > > > You are using the old python, python 2.7 is required, which version of OS > and IPA do you use? > Martin > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mbasti at redhat.com Tue May 10 11:49:45 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 10 May 2016 13:49:45 +0200 Subject: [Freeipa-users] Restore form backup , start servrer will error but sucess In-Reply-To: References: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> Message-ID: <6b466458-f831-9930-f4be-b1a048cf030d@redhat.com> No there is not python 2.7 on centos 6.x, maybe there is something wrong in the code, let me check first On 10.05.2016 13:34, Barry wrote: > > Ipa 3.0 e47 > > Centos 6.5 . Just update python? > > 2016?5?10? ??6:58 ? "Martin Basti" > ??? > > > > On 10.05.2016 12:41, barrykfl at gmail.com > wrote: >> Hi: >> >> Restore form backup follow the procedure below: >> http://www.freeipa.org/page/V3/Backup_and_Restore >> >> Now server web page launch but canot access >> Sorry you are not allowed to access this service. >> >> Starting dirsrv: >> PKI-IPA... [ OK ] >> WISERS-COM... [ OK ] >> Starting KDC Service >> Starting Kerberos 5 KDC: [ OK ] >> Starting KPASSWD Service >> Starting Kerberos 5 Admin Server: [ OK ] >> Starting MEMCACHE Service >> Starting ipa_memcached: [ OK ] >> Starting HTTP Service >> Starting httpd: [ OK ] >> Starting CA Service >> >> >> Starting CA Service >> Traceback (most recent call last): >> File "/usr/sbin/pki-server", line 88, in >> cli = PKIServerCLI() >> File "/usr/sbin/pki-server", line 34, in __init__ >> super(PKIServerCLI, self).__init__('pki-server', 'PKI server >> command-line interface') >> File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in >> __init__ >> self.modules = collections.OrderedDict() >> AttributeError: 'module' object has no attribute 'OrderedDict' >> Starting pki-ca: [ OK ] >> >> >> Any idea above? >> >> > > You are using the old python, python 2.7 is required, which > version of OS and IPA do you use? > Martin > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From pvoborni at redhat.com Tue May 10 12:00:24 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 10 May 2016 14:00:24 +0200 Subject: [Freeipa-users] Restore form backup , start servrer will error but sucess In-Reply-To: <6b466458-f831-9930-f4be-b1a048cf030d@redhat.com> References: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> <6b466458-f831-9930-f4be-b1a048cf030d@redhat.com> Message-ID: On 05/10/2016 01:49 PM, Martin Basti wrote: > No there is not python 2.7 on centos 6.x, maybe there is something wrong in the > code, let me check first How did you run the backup and restore? AFAIK it was introduced in FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL 7. It is not on RHEL 6. > > > On 10.05.2016 13:34, Barry wrote: >> >> Ipa 3.0 e47 >> >> Centos 6.5 . Just update python? >> >> 2016?5?10? ??6:58 ? "Martin Basti" >> <mbasti at redhat.com> ??? >> >> >> >> On 10.05.2016 12:41, barrykfl at gmail.com wrote: >>> Hi: >>> >>> Restore form backup follow the procedure below: >>> http://www.freeipa.org/page/V3/Backup_and_Restore >>> >>> Now server web page launch but canot access >>> Sorry you are not allowed to access this service. >>> >>> Starting dirsrv: >>> PKI-IPA... [ OK ] >>> WISERS-COM... 
[ OK ] >>> Starting KDC Service >>> Starting Kerberos 5 KDC: [ OK ] >>> Starting KPASSWD Service >>> Starting Kerberos 5 Admin Server: [ OK ] >>> Starting MEMCACHE Service >>> Starting ipa_memcached: [ OK ] >>> Starting HTTP Service >>> Starting httpd: [ OK ] >>> Starting CA Service >>> >>> >>> Starting CA Service >>> Traceback (most recent call last): >>> File "/usr/sbin/pki-server", line 88, in >>> cli = PKIServerCLI() >>> File "/usr/sbin/pki-server", line 34, in __init__ >>> super(PKIServerCLI, self).__init__('pki-server', 'PKI server >>> command-line interface') >>> File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__ >>> self.modules = collections.OrderedDict() >>> AttributeError: 'module' object has no attribute 'OrderedDict' >>> Starting pki-ca: [ OK ] >>> >>> >>> Any idea above? >>> >>> >> >> You are using the old python, python 2.7 is required, which version of OS >> and IPA do you use? >> Martin >> > > > -- Petr Vobornik From kliu at alumni.warwick.ac.uk Tue May 10 12:12:31 2016 From: kliu at alumni.warwick.ac.uk (Barry) Date: Tue, 10 May 2016 20:12:31 +0800 Subject: [Freeipa-users] Restore form backup , start servrer will error but sucess In-Reply-To: References: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> <6b466458-f831-9930-f4be-b1a048cf030d@redhat.com> Message-ID: The bottom manual files based backup restore . I remember there s one for 3.0 And test work before. 2016?5?10? ??8:00 ? "Petr Vobornik" ??? > On 05/10/2016 01:49 PM, Martin Basti wrote: > > No there is not python 2.7 on centos 6.x, maybe there is something wrong > in the > > code, let me check first > > How did you run the backup and restore? AFAIK it was introduced in > FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL 7. It is > not on RHEL 6. > > > > > > > On 10.05.2016 13:34, Barry wrote: > >> > >> Ipa 3.0 e47 > >> > >> Centos 6.5 . Just update python? > >> > >> 2016?5?10? ??6:58 ? "Martin Basti" > >> <mbasti at redhat.com> ??? 
> >> > >> > >> > >> On 10.05.2016 12:41, barrykfl at gmail.com > wrote: > >>> Hi: > >>> > >>> Restore form backup follow the procedure below: > >>> http://www.freeipa.org/page/V3/Backup_and_Restore > >>> > >>> Now server web page launch but canot access > >>> Sorry you are not allowed to access this service. > >>> > >>> Starting dirsrv: > >>> PKI-IPA... [ OK ] > >>> WISERS-COM... [ OK ] > >>> Starting KDC Service > >>> Starting Kerberos 5 KDC: [ OK ] > >>> Starting KPASSWD Service > >>> Starting Kerberos 5 Admin Server: [ OK ] > >>> Starting MEMCACHE Service > >>> Starting ipa_memcached: [ OK ] > >>> Starting HTTP Service > >>> Starting httpd: [ OK ] > >>> Starting CA Service > >>> > >>> > >>> Starting CA Service > >>> Traceback (most recent call last): > >>> File "/usr/sbin/pki-server", line 88, in > >>> cli = PKIServerCLI() > >>> File "/usr/sbin/pki-server", line 34, in __init__ > >>> super(PKIServerCLI, self).__init__('pki-server', 'PKI server > >>> command-line interface') > >>> File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in > __init__ > >>> self.modules = collections.OrderedDict() > >>> AttributeError: 'module' object has no attribute 'OrderedDict' > >>> Starting pki-ca: [ OK ] > >>> > >>> > >>> Any idea above? > >>> > >>> > >> > >> You are using the old python, python 2.7 is required, which version > of OS > >> and IPA do you use? > >> Martin > >> > > > > > > > > > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mbasti at redhat.com Tue May 10 12:16:13 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 10 May 2016 14:16:13 +0200 Subject: [Freeipa-users] Restore form backup , start servrer will error but sucess In-Reply-To: References: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> <6b466458-f831-9930-f4be-b1a048cf030d@redhat.com> Message-ID: <6a3fb97c-db78-9e56-5f01-12050db9feea@redhat.com> There is no ipa-restore or ipa-backup commands even on RHEL6.7, centos6.7, so I have no idea how you got that commands there. If you just copy files manually it is not working as you can see. Martin On 10.05.2016 14:12, Barry wrote: > > The bottom manual files based backup restore . I remember there s one > for 3.0 > > And test work before. > > 2016?5?10? ??8:00 ? "Petr Vobornik" > ??? > > On 05/10/2016 01:49 PM, Martin Basti wrote: > > No there is not python 2.7 on centos 6.x, maybe there is > something wrong in the > > code, let me check first > > How did you run the backup and restore? AFAIK it was introduced in > FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL 7. > It is > not on RHEL 6. > > > > > > > On 10.05.2016 13:34, Barry wrote: > >> > >> Ipa 3.0 e47 > >> > >> Centos 6.5 . Just update python? > >> > >> 2016?5?10? ??6:58 ? "Martin Basti" > >> < >mbasti at redhat.com > > ??? > >> > >> > >> > >> On 10.05.2016 12:41, barrykfl at gmail.com > > wrote: > >>> Hi: > >>> > >>> Restore form backup follow the procedure below: > >>> http://www.freeipa.org/page/V3/Backup_and_Restore > >>> > >>> Now server web page launch but canot access > >>> Sorry you are not allowed to access this service. > >>> > >>> Starting dirsrv: > >>> PKI-IPA... [ OK ] > >>> WISERS-COM... 
[ OK ] > >>> Starting KDC Service > >>> Starting Kerberos 5 KDC: [ OK ] > >>> Starting KPASSWD Service > >>> Starting Kerberos 5 Admin Server: [ OK ] > >>> Starting MEMCACHE Service > >>> Starting ipa_memcached: [ OK ] > >>> Starting HTTP Service > >>> Starting httpd: [ OK ] > >>> Starting CA Service > >>> > >>> > >>> Starting CA Service > >>> Traceback (most recent call last): > >>> File "/usr/sbin/pki-server", line 88, in > >>> cli = PKIServerCLI() > >>> File "/usr/sbin/pki-server", line 34, in __init__ > >>> super(PKIServerCLI, self).__init__('pki-server', 'PKI > server > >>> command-line interface') > >>> File "/usr/lib/python2.6/site-packages/pki/cli.py", line > 39, in __init__ > >>> self.modules = collections.OrderedDict() > >>> AttributeError: 'module' object has no attribute 'OrderedDict' > >>> Starting pki-ca: [ OK ] > >>> > >>> > >>> Any idea above? > >>> > >>> > >> > >> You are using the old python, python 2.7 is required, which > version of OS > >> and IPA do you use? > >> Martin > >> > > > > > > > > > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From barrykfl at gmail.com Tue May 10 12:21:12 2016 From: barrykfl at gmail.com (barrykfl at gmail.com) Date: Tue, 10 May 2016 20:21:12 +0800 Subject: [Freeipa-users] Restore form backup , start servrer will error but sucess In-Reply-To: <6a3fb97c-db78-9e56-5f01-12050db9feea@redhat.com> References: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> <6b466458-f831-9930-f4be-b1a048cf030d@redhat.com> <6a3fb97c-db78-9e56-5f01-12050db9feea@redhat.com> Message-ID: So now how can i restore the normal status. Can i export those acc out and restore to new server if same schema.? Manual backup restore i test before should work. 2016?5?10? ??8:16 ? "Martin Basti" ??? > There is no ipa-restore or ipa-backup commands even on RHEL6.7, centos6.7, > so I have no idea how you got that commands there. If you just copy files > manually it is not working as you can see. 
> > Martin > > On 10.05.2016 14:12, Barry wrote: > > The bottom manual files based backup restore . I remember there s one for > 3.0 > > And test work before. > 2016?5?10? ??8:00 ? "Petr Vobornik" ??? > >> On 05/10/2016 01:49 PM, Martin Basti wrote: >> > No there is not python 2.7 on centos 6.x, maybe there is something >> wrong in the >> > code, let me check first >> >> How did you run the backup and restore? AFAIK it was introduced in >> FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL 7. It is >> not on RHEL 6. >> >> > >> > >> > On 10.05.2016 13:34, Barry wrote: >> >> >> >> Ipa 3.0 e47 >> >> >> >> Centos 6.5 . Just update python? >> >> >> >> 2016?5?10? ??6:58 ? "Martin Basti" >> >> <mbasti at redhat.com> ??? >> >> >> >> >> >> >> >> On 10.05.2016 12:41, barrykfl at gmail.com >> wrote: >> >>> Hi: >> >>> >> >>> Restore form backup follow the procedure below: >> >>> http://www.freeipa.org/page/V3/Backup_and_Restore >> >>> >> >>> Now server web page launch but canot access >> >>> Sorry you are not allowed to access this service. >> >>> >> >>> Starting dirsrv: >> >>> PKI-IPA... [ OK ] >> >>> WISERS-COM... 
[ OK ] >> >>> Starting KDC Service >> >>> Starting Kerberos 5 KDC: [ OK >> ] >> >>> Starting KPASSWD Service >> >>> Starting Kerberos 5 Admin Server: [ OK >> ] >> >>> Starting MEMCACHE Service >> >>> Starting ipa_memcached: [ OK ] >> >>> Starting HTTP Service >> >>> Starting httpd: [ OK ] >> >>> Starting CA Service >> >>> >> >>> >> >>> Starting CA Service >> >>> Traceback (most recent call last): >> >>> File "/usr/sbin/pki-server", line 88, in >> >>> cli = PKIServerCLI() >> >>> File "/usr/sbin/pki-server", line 34, in __init__ >> >>> super(PKIServerCLI, self).__init__('pki-server', 'PKI server >> >>> command-line interface') >> >>> File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in >> __init__ >> >>> self.modules = collections.OrderedDict() >> >>> AttributeError: 'module' object has no attribute 'OrderedDict' >> >>> Starting pki-ca: [ OK ] >> >>> >> >>> >> >>> Any idea above? >> >>> >> >>> >> >> >> >> You are using the old python, python 2.7 is required, which >> version of OS >> >> and IPA do you use? >> >> Martin >> >> >> > >> > >> > >> >> >> -- >> Petr Vobornik >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jan.karasek at elostech.cz Tue May 10 12:17:07 2016 From: jan.karasek at elostech.cz (Jan =?utf-8?Q?Kar=C3=A1sek?=) Date: Tue, 10 May 2016 14:17:07 +0200 (CEST) Subject: [Freeipa-users] Fwd: AD trust and UPN issue In-Reply-To: <852565823.2893610.1462882452332.JavaMail.zimbra@elostech.cz> References: <852565823.2893610.1462882452332.JavaMail.zimbra@elostech.cz> Message-ID: <1613853266.2893763.1462882627981.JavaMail.zimbra@elostech.cz> Hi all, I have lab environment with IPA server and trust to Active directory. IPA server is in a.example.com. AD DC is in example.com. We have also child AD subdomain ext.examle.com. Everything is fine until the users in AD domain ext.example.com gets the UPN suffix of the root AD domain - example.com - which is pretty common scenario. 
Example: user at ext.example.com is set in AD with UPN user at example.com. In this situation I am not able to log in to my linux box with user at example.com. I have seen some open tickets on this issue, 3559 and others, and they are marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in current packages. Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. I have default settings - no changes in krb5.conf and sssd.conf after ipa trust-add. Also I have found the workaround to set in krb5.conf (see topic: Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in the RH archive) - add another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - but no effect. Could you please confirm that it's possible to use IPA with a different UPN suffix for users in AD than the domain name in which they exist? Is there any additional configuration needed to fix this scenario? Regards, Jan From piolet.y at gmail.com Tue May 10 12:33:43 2016 From: piolet.y at gmail.com (Youenn PIOLET) Date: Tue, 10 May 2016 14:33:43 +0200 Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates In-Reply-To: <20160510105533.GQ1237@dhcp-40-8.bne.redhat.com> References: <1459106087.18839.25.camel@stefany.eu> <20160331074157.GA18277@dhcp-40-8.bne.redhat.com> <20160510105533.GQ1237@dhcp-40-8.bne.redhat.com> Message-ID: Hi Fraser, thanks a lot for your quick reply! > Could you confirm whether you are on RHEL / CentOS 7.2, and if so, > whether it was installed at 7.2 or an upgrade from 7.1 or an earlier > version? > This is a replica that was previously installed in CentOS 7.1. I don't exactly remember but I think I used the COPR repository to install FreeIPA 4.2 and then upgraded CentOS to 7.2. Also, I remember my pki got broken after upgrading this replica to 7.2. 
I had to renew the replica's certificate and force-sync to successfully launch pki-tomcatd. Now this replica is my pki master. > > ### certprofile > > $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert > > ----------------------------------------------------------- > > Profile configuration stored in file 'caIPAserviceCert.cfg' > > ----------------------------------------------------------- > > Profile ID: caIPAserviceCert > > Profile description: Standard profile for network services > > Store issued certificates: TRUE > > > You do not include the caIPAserviceCert.cfg in the diffs below, > however, I suspect you will find it to be identical to > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg. Could you > please confirm this? > Ah true... I did not realise I was actually writing a new file! And you're right, the diff is the same (except 2 profileId/classId lines that don't exist in the template + enableBy that differs). > FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem > which stores profile configuration in LDAP. The file output by the > ``ipa certprofile-show`` command will have come from LDAP; this is > the version that's actually in use in your IPA installation. > Thanks a lot for your answers. So now, what would you suggest I do? Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import it to LDAP? 
Cheers, > > And a diff between them : > > > > $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg > > 1,2d0 > > < profileId=caIPAserviceCert > > < classId=caEnrollImpl > > 15c13 > > < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 > > --- > > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8 > > 22c20 > > < policyset.serverCertSet.1.default.params.name=CN=$$ > > request.req_subject_name.cn$$, $SUBJECT_DN_O > > --- > > > policyset.serverCertSet.1.default.params.name=CN=$ > > request.req_subject_name.cn$, OU=pki-ipa, O=IPA > > 48c46 > > < > > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http:// > > $IPA_CA_RECORD.$DOMAIN/ca/ocsp > > --- > > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= > > 95,97c93,95 > > < > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER > > < > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName > > < > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http:// > > $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin > > --- > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0= > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0= > > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0= > > https://ipa.example.com/ipa/crl/MasterCRL.bin > > 100,109d97 > > < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl > > < policyset.serverCertSet.10.constraint.name=No Constraint > > < > > > policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl > > < policyset.serverCertSet.10.default.name=Subject Key Identifier > Extension > > Default > > < policyset.serverCertSet.10.default.params.critical=false > > < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl > > < policyset.serverCertSet.11.constraint.name=No Constraint > > < 
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl > > < policyset.serverCertSet.11.default.name=User Supplied Extension > Default > > < policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 > > > > Thanks in advance for your support, > > Regards > > > > -- > > Youenn Piolet > > piolet.y at gmail.com > > > > > > 2016-03-31 9:41 GMT+02:00 Fraser Tweedale : > > > > > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote: > > > > Hello, > > > > > > > > I seem to be having some issues with the IPA CA feature not generating > > > > certificates with DNS SubjectAltNames. > > > > > > > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now > under > > > > CentOS 7.2 / IPA 4.2 something's different. > > > > > > > > Here are the original steps which worked fine for my first use case :: > > > > > > > > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25 > > > > $ ipa host-add mail.example.com > > > > $ ipa service-add smtp/mail.example.com > > > > $ ipa service-add smtp/mail1.example.com > > > > $ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com > > > > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \ > > > > -f /etc/pki/tls/certs/postfix.pem \ > > > > -N CN=mail1.example.com,O=EXAMPLE.COM \ > > > > -D mail1.example.com -D mail.example.com \ > > > > -K smtp/mail1.example.com > > > > (and repeat for every next member of the cluster...) > > > > > > > > After this, I would get a certificate with something like :: > > > > $ sudo ipa-getcert list > > > > Number of certificates and requests being tracked: 3. 
> > > > Request ID '20150419153933': > > > > status: MONITORING > > > > stuck: no > > > > key pair storage: > > > > type=FILE,location='/etc/pki/tls/private/postfix.key' > > > > certificate: > type=FILE,location='/etc/pki/tls/certs/postfix.pem' > > > > CA: IPA > > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > > > subject: CN=mail1.example.com,O=EXAMPLE.COM > > > > expires: 2017-04-19 15:39:35 UTC > > > > dns: mail1.example.com,mail.example.com > > > > principal name: smtp/mail1.example.com at EXAMPLE.COM > > > > key usage: > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > pre-save command: > > > > post-save command: > > > > track: yes > > > > auto-renew: yes > > > > > > > > with Subject line in form of: 'CN=,O=EXAMPLE.COM' and > 'dns' > > > > info line present. > > > > > > > > Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm > > > > getting this :: > > > > > > > > $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create- > > > > reverse > > > > $ ipa host-add w3.example.com > > > > $ ipa service-add HTTP/w3.example.com > > > > $ ipa service-add HTTP/http1.example.com > > > > $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com > > > > $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \ > > > > -f /etc/pki/tls/certs/httpd.pem \ > > > > -N CN=http1.example.com,O=EXAMPLE.COM \ > > > > -D http1.example.com -D w3.example.com \ > > > > -K HTTP/http1.example.com > > > > $ sudo ipa-getcert list > > > > Number of certificates and requests being tracked: 3. 
> > > > Request ID '20160327095125': > > > > status: MONITORING > > > > stuck: no > > > > key pair storage: > > > > type=FILE,location='/etc/pki/tls/private/http.key' > > > > certificate: type=FILE,location='/etc/pki/tls/certs/http.pem' > > > > CA: IPA > > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > > > subject: CN=http1.example.com,OU=pki-ipa,O=IPA > > > > expires: 2018-03-28 09:51:27 UTC > > > > key usage: > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > pre-save command: > > > > post-save command: > > > > track: yes > > > > auto-renew: yes > > > > > > > > Where's the 'CN=,OU=pki-ipa,O=IPA' coming from instead of > > > > 'CN=,O=EXAMPLE.COM' and why are DNS SubjectAltNames > missing? > > > > > > > > To be clear, if I don't do :: > > > > $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com > > > > > > > > then certificate is just not issued with 'REJECTED', but once this is > > > > done properly in described steps, DNS SANs are not happening. > > > > > > > > I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only > > > > against my current IPA 4.2 on CentOS 7.2. 
> > > > > > > > For the actual certificates :: > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text > > > > Certificate: > > > > Data: > > > > Version: 3 (0x2) > > > > Serial Number: 15 (0xf) > > > > Signature Algorithm: sha256WithRSAEncryption > > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > > > Validity > > > > Not Before: Apr 19 15:39:35 2015 GMT > > > > Not After : Apr 19 15:39:35 2017 GMT > > > > Subject: O=EXAMPLE.COM, CN=mail1.example.com > > > > Subject Public Key Info: > > > > Public Key Algorithm: rsaEncryption > > > > Public-Key: (2048 bit) > > > > Modulus: > > > > [cut] > > > > Exponent: 65537 (0x10001) > > > > X509v3 extensions: > > > > X509v3 Authority Key Identifier: > > > > keyid:[cut] > > > > > > > > Authority Information Access: > > > > OCSP - URI:http://ipa-ca.example.com/ca/ocsp > > > > > > > > X509v3 Key Usage: critical > > > > Digital Signature, Non Repudiation, Key Encipherment, > > > > Data Encipherment > > > > X509v3 Extended Key Usage: > > > > TLS Web Server Authentication, TLS Web Client > > > > Authentication > > > > X509v3 CRL Distribution Points: > > > > > > > > Full Name: > > > > URI: > http://ipa-ca.example.com/ipa/crl/MasterCRL.bin > > > > CRL Issuer: > > > > DirName: O = ipaca, CN = Certificate Authority > > > > > > > > X509v3 Subject Key Identifier: > > > > [cut] > > > > X509v3 Subject Alternative Name: > > > > DNS:mail1.example.com, DNS:mail.example.com, > > > > othername:, othername: > > > > Signature Algorithm: sha256WithRSAEncryption > > > > [cut] > > > > > > > > vs. 
> > > > > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout > > > > Certificate: > > > > Data: > > > > Version: 3 (0x2) > > > > Serial Number: 71 (0x47) > > > > Signature Algorithm: sha256WithRSAEncryption > > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > > > Validity > > > > Not Before: Mar 27 09:51:27 2016 GMT > > > > Not After : Mar 28 09:51:27 2018 GMT > > > > Subject: O=IPA, OU=pki-ipa, CN=http1.example.com > > > > Subject Public Key Info: > > > > Public Key Algorithm: rsaEncryption > > > > Public-Key: (2048 bit) > > > > Modulus: > > > > [cut] > > > > Exponent: 65537 (0x10001) > > > > X509v3 extensions: > > > > X509v3 Authority Key Identifier: > > > > keyid:[cut] > > > > > > > > Authority Information Access: > > > > OCSP - URI:http://idmc1.example.com:80/ca/ocsp > > > > > > > > X509v3 Key Usage: critical > > > > Digital Signature, Non Repudiation, Key Encipherment, > > > > Data Encipherment > > > > X509v3 Extended Key Usage: > > > > TLS Web Server Authentication, TLS Web Client > > > > Authentication > > > > Signature Algorithm: sha256WithRSAEncryption > > > > [cut] > > > > > > > > so even reference to CRL is missing here, but OCSP is present. > > > > > > > > > > > > Sorry if this is duplicate, but from what I was able to find, DNS > > > > SubjectAltNames are reported working since CentOS 7.1, and I think > I'm > > > > consistent with http://www.freeipa.org/page/PKI, unless I miss > something > > > > obvious here. > > > > > > > > For new features like certificate profiles and ACLs, I haven't > changed > > > > any defaults as far as I know as there was no need for that. > > > > > > > > > > > > Thank you for any support in advance! And Happy Easter! > > > > > > > > Martin > > > > > > Hi Martin, > > > > > > Thanks for the detailed info. Could you please provide the > > > Dogtag configuration for the default profile, `caIPAserviceCert'? 
> > > ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert > > > > > > (Then provide the contents of caIPAserviceCert.cfg) > > > > > > Could you also provide the contents of file > > > `/etc/pki/pki-tomcat/ca/CS.cfg'? > > > > > > Regards, > > > Fraser > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > From jhrozek at redhat.com Tue May 10 12:38:01 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Tue, 10 May 2016 14:38:01 +0200 Subject: [Freeipa-users] Fwd: AD trust and UPN issue In-Reply-To: <1613853266.2893763.1462882627981.JavaMail.zimbra@elostech.cz> References: <852565823.2893610.1462882452332.JavaMail.zimbra@elostech.cz> <1613853266.2893763.1462882627981.JavaMail.zimbra@elostech.cz> Message-ID: <20160510123801.GE4011@hendrix> On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Karásek wrote: > Hi all, > I have a lab environment with an IPA server and a trust to Active Directory. > The IPA server is in a.example.com. > The AD DC is in example.com. > We also have a child AD subdomain ext.example.com. > Everything is fine until the users in the AD domain ext.example.com get the UPN suffix of the root AD domain - example.com - which is a pretty common scenario. > Example: > user at ext.example.com is set in AD with UPN user at example.com > > In this situation I am not able to log in to my linux box with user at example.com > I have seen some open tickets on this issue, 3559 and others, and they are marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in current packages. > Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. > I have default settings - no changes in krb5.conf and sssd.conf after ipa trust-add. 
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in the RH archive) - add another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - but no effect. > Could you please confirm that it's possible to use IPA with a different UPN suffix for users in AD than the domain name in which they exist? Is there any additional configuration needed to fix this scenario? In general no, not until 7.3. But it might work with a workaround. Can you try setting:

ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal

in sssd.conf's domain section on the server? (Yes, server, not client.) This should work without the workaround starting with 7.3. From ftweedal at redhat.com Tue May 10 13:01:16 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 10 May 2016 23:01:16 +1000 Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates In-Reply-To: References: <1459106087.18839.25.camel@stefany.eu> <20160331074157.GA18277@dhcp-40-8.bne.redhat.com> <20160510105533.GQ1237@dhcp-40-8.bne.redhat.com> Message-ID: <20160510130116.GR1237@dhcp-40-8.bne.redhat.com> On Tue, May 10, 2016 at 02:33:43PM +0200, Youenn PIOLET wrote: > Hi Fraser, thanks a lot for your quick reply! > > Could you confirm whether you are on RHEL / CentOS 7.2, and if so, > > whether it was installed at 7.2 or an upgrade from 7.1 or an earlier > > version? > > > > This is a replica that was previously installed in CentOS 7.1. > I don't exactly remember but I think I used the COPR repository to install > FreeIPA 4.2 and then upgraded CentOS to 7.2. > > Also, I remember my pki got broken after upgrading this replica to 7.2. I > had to renew the replica's certificate and force-sync to successfully > launch pki-tomcatd. Now this replica is my pki master. > Thanks for the background. 
Every piece of evidence can help find the bug :) > > > > ### certprofile > > > $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert > > > ----------------------------------------------------------- > > > Profile configuration stored in file 'caIPAserviceCert.cfg' > > > ----------------------------------------------------------- > > > Profile ID: caIPAserviceCert > > > Profile description: Standard profile for network services > > > Store issued certificates: TRUE > > > > > You do not include the caIPAserviceCert.cfg in the diffs below, > > however, I suspect you will find it to be identical to > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg. Could you > > please confirm this? > > > > Ah true... I did not realise I was actually writing a new file! > And you're right, the diff is the same (except 2 profileId/classId lines that > don't exist in the template + enableBy that differs). > > FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem > > which stores profile configuration in LDAP. The file output by the > > ``ipa certprofile-show`` command will have come from LDAP; this is > > the version that's actually in use in your IPA installation. > > > > Thanks a lot for your answers. > > So now, what would you suggest I do? > Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import > it to LDAP? > I'd recommend copying the IPA template from /usr/share/ipa/profiles/caIPAserviceCert.cfg, then filling out the params manually and updating the profile. 
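The substitution-and-import procedure Fraser describes here (the four template variables listed in this reply, then `ipa certprofile-mod caIPAserviceCert --file new.cfg`) is easy to get subtly wrong, and the stock Dogtag profile that Youenn had ended up with is exactly the failure mode: policy 11 (the user-supplied SAN extension, OID 2.5.29.17) and policy 9 (CRL distribution point) are simply absent from `policyset.serverCertSet.list`, so the CA silently drops the DNS names from the CSR. The script below is an added example written for this page; it is not FreeIPA or Dogtag code. It renders the template for a domain and then checks the result for the three symptoms seen in the thread: leftover `$VARIABLES`, no enabled SAN policy, and a missing or non-http CRL URL. The `TEMPLATE` and `STOCK_DOGTAG` strings are constructed excerpts that reproduce only the lines visible in the diff above, not the full files, and mapping `$SUBJECT_DN_O` to `O=EXAMPLE.COM` (the subject the working certificates in this thread carried) and `$IPA_CA_RECORD` to `ipa-ca` are assumptions of this example.

```python
"""Render IPA's caIPAserviceCert template and sanity-check the result.

Added example for this thread (not FreeIPA or Dogtag code). The two config
strings are constructed excerpts carrying only the lines this thread shows.
"""
import re

# Constructed excerpt of /usr/share/ipa/profiles/caIPAserviceCert.cfg.
TEMPLATE = """\
profileId=caIPAserviceCert
classId=caEnrollImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
"""

# Constructed excerpt mimicking the stock Dogtag profile from the diff:
# policies 9-11 are not enabled, the CRL URL is https.
STOCK_DOGTAG = """\
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin
"""

SAN_OID = "2.5.29.17"  # id-ce-subjectAltName


def render_profile(template, domain, ca_record="ipa-ca"):
    """Fill the four template variables as the reply describes.

    $$ collapses to a single $ (Dogtag's own request-variable syntax);
    $IPA_CA_RECORD.$DOMAIN builds the OCSP and CRL URLs; $SUBJECT_DN_O is
    assumed to be the realm-style O= of the working certs; $CRL_ISSUER is
    the Dogtag CA subject given in the reply.
    """
    values = {
        "$IPA_CA_RECORD": ca_record,
        "$DOMAIN": domain,
        "$SUBJECT_DN_O": "O=" + domain.upper(),   # assumption, see lead-in
        "$CRL_ISSUER": "CN=Certificate Authority,O=ipaca",
    }
    out = []
    for line in template.splitlines():
        for var, val in values.items():
            line = line.replace(var, val)
        out.append(line.replace("$$", "$"))   # collapse after substitution
    return "\n".join(out) + "\n"


def parse_profile(text):
    """Return the profile as {key: value}; blank and comment lines skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        cfg[key.strip()] = val.strip()
    return cfg


def diagnose_profile(text):
    """Return a list of problems; an empty list means the profile looks sane."""
    cfg = parse_profile(text)
    problems = []
    # 1. Unfilled template variables would be emitted literally by Dogtag.
    leftovers = sorted(set(re.findall(r"\$[A-Z_]+\b", text)))
    if leftovers:
        problems.append("unfilled template variables: " + ", ".join(leftovers))
    # 2. A policy carrying userExtOID=2.5.29.17 must be in the enabled list,
    #    otherwise the SAN from the CSR is dropped (the thread's symptom).
    enabled = cfg.get("policyset.serverCertSet.list", "").split(",")
    san_ids = [k.split(".")[2] for k, v in cfg.items()
               if k.endswith(".default.params.userExtOID") and v == SAN_OID]
    if not any(i in enabled for i in san_ids):
        problems.append("no enabled policy carries the SAN extension " + SAN_OID)
    # 3. Policy 9 must be enabled and point at an http (not https) CRL URL.
    crl = cfg.get("policyset.serverCertSet.9.default.params.crlDistPointsPointName_0", "")
    if "9" not in enabled or not crl.startswith("http://"):
        problems.append("CRL distribution point missing or not an http URL")
    return problems


if __name__ == "__main__":
    new_cfg = render_profile(TEMPLATE, "example.com")
    print(new_cfg)
    print("rendered profile:", diagnose_profile(new_cfg) or "no problems")
    print("stock Dogtag profile:", diagnose_profile(STOCK_DOGTAG))
```

Write the rendered text to `new.cfg`, import it with the `ipa certprofile-mod` command from this reply, and re-run `diagnose_profile` on the output of `ipa certprofile-show --out` afterwards: that file comes from LDAP, which is the copy Dogtag actually uses, so it is the one worth checking.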
There are four config params that require substitutions; fill them out like below:

- policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, o=YOUR-DOMAIN
  (note the SINGLE '$'s; they are double '$$' in the template)
- policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.YOUR-DOMAIN/ca/ocsp
- policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
- policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.YOUR-DOMAIN/ipa/crl/MasterCRL.bin

Leave other values unchanged. Import the updated profile by running:

  ipa certprofile-mod caIPAserviceCert --file new.cfg

Then certificates should be issued as expected. Cheers, Fraser > Cheers, > > > > And a diff between them : > > > > > > $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg > > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg > > > 1,2d0 > > > < profileId=caIPAserviceCert > > > < classId=caEnrollImpl > > > 15c13 > > > < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 > > > --- > > > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8 > > > 22c20 > > > < policyset.serverCertSet.1.default.params.name=CN=$$ > > > request.req_subject_name.cn$$, $SUBJECT_DN_O > > > --- > > > > policyset.serverCertSet.1.default.params.name=CN=$ > > > request.req_subject_name.cn$, OU=pki-ipa, O=IPA > > > 48c46 > > > < > > > > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http:// > > > $IPA_CA_RECORD.$DOMAIN/ca/ocsp > > > --- > > > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= > > > 95,97c93,95 > > > < > > > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER > > > < > > > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName > > > < > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http:// > > > $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin > > > --- > > > > 
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0= > > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0= > > > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0= > > > https://ipa.example.com/ipa/crl/MasterCRL.bin > > > 100,109d97 > > > < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl > > > < policyset.serverCertSet.10.constraint.name=No Constraint > > > < > > > > > policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl > > > < policyset.serverCertSet.10.default.name=Subject Key Identifier > > Extension > > > Default > > > < policyset.serverCertSet.10.default.params.critical=false > > > < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl > > > < policyset.serverCertSet.11.constraint.name=No Constraint > > > < policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl > > > < policyset.serverCertSet.11.default.name=User Supplied Extension > > Default > > > < policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 > > > > > > Thanks in advance for your support, > > > Regards > > > > > > -- > > > Youenn Piolet > > > piolet.y at gmail.com > > > > > > > > > 2016-03-31 9:41 GMT+02:00 Fraser Tweedale : > > > > > > > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote: > > > > > Hello, > > > > > > > > > > I seem to be having some issues with the IPA CA feature not generating > > > > > certificates with DNS SubjectAltNames. > > > > > > > > > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now > > under > > > > > CentOS 7.2 / IPA 4.2 something's different. 
> > > > > > > > > > Here are the original steps which worked fine for my first use case > > :: > > > > > > > > > > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25 > > > > > $ ipa host-add mail.example.com > > > > > $ ipa service-add smtp/mail.example.com > > > > > $ ipa service-add smtp/mail1.example.com > > > > > $ ipa service-add-host smtp/mail.example.com --hosts= > > mail1.example.com > > > > > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \ > > > > > -f /etc/pki/tls/certs/postfix.pem \ > > > > > -N CN=mail1.example.com,O=EXAMPLE.COM \ > > > > > -D mail1.example.com -D mail.example.com \ > > > > > -K smtp/mail1.example.com > > > > > (and repeat for every next member of the cluster...) > > > > > > > > > > After this, I would get certificate with something like :: > > > > > $ sudo ipa-getcert list > > > > > Number of certificates and requests being tracked: 3. > > > > > Request ID '20150419153933': > > > > > status: MONITORING > > > > > stuck: no > > > > > key pair storage: > > > > > type=FILE,location='/etc/pki/tls/private/postfix.key' > > > > > certificate: > > type=FILE,location='/etc/pki/tls/certs/postfix.pem' > > > > > CA: IPA > > > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > > > > subject: CN=mail1.example.com,O=EXAMPLE.COM > > > > > expires: 2017-04-19 15:39:35 UTC > > > > > dns: mail1.example.com,mail.example.com > > > > > principal name: smtp/mail1.example.com at EXAMPLE.COM > > > > > key usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > > pre-save command: > > > > > post-save command: > > > > > track: yes > > > > > auto-renew: yes > > > > > > > > > > with Subject line in form of: 'CN=,O=EXAMPLE.COM' and > > 'dns' > > > > > info line present. 
> > > > > > > > > > Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm > > > > > getting this :: > > > > > > > > > > $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create- > > > > > reverse > > > > > $ ipa host-add w3.example.com > > > > > $ ipa service-add HTTP/w3.example.com > > > > > $ ipa service-add HTTP/http1.example.com > > > > > $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com > > > > > $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \ > > > > > -f /etc/pki/tls/certs/httpd.pem \ > > > > > -N CN=http1.example.com,O=EXAMPLE.COM \ > > > > > -D http1.example.com -D w3.example.com \ > > > > > -K HTTP/http1.example.com > > > > > $ sudo ipa-getcert list > > > > > Number of certificates and requests being tracked: 3. > > > > > Request ID '20160327095125': > > > > > status: MONITORING > > > > > stuck: no > > > > > key pair storage: > > > > > type=FILE,location='/etc/pki/tls/private/http.key' > > > > > certificate: type=FILE,location='/etc/pki/tls/certs/http.pem' > > > > > CA: IPA > > > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > > > > subject: CN=http1.example.com,OU=pki-ipa,O=IPA > > > > > expires: 2018-03-28 09:51:27 UTC > > > > > key usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > > pre-save command: > > > > > post-save command: > > > > > track: yes > > > > > auto-renew: yes > > > > > > > > > > Where's the 'CN=,OU=pki-ipa,O=IPA' coming from instead of > > > > > 'CN=,O=EXAMPLE.COM' and why are DNS SubjectAltNames > > missing? > > > > > > > > > > To be clear, if I don't do :: > > > > > $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com > > > > > > > > > > then certificate is just not issued with 'REJECTED', but once this is > > > > > done properly in described steps, DNS SANs are not happening. 
> > > > > > > > > > I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only > > > > > against my current IPA 4.2 on CentOS 7.2. > > > > > > > > > > For the actual certificates :: > > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text > > > > > Certificate: > > > > > Data: > > > > > Version: 3 (0x2) > > > > > Serial Number: 15 (0xf) > > > > > Signature Algorithm: sha256WithRSAEncryption > > > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > > > > Validity > > > > > Not Before: Apr 19 15:39:35 2015 GMT > > > > > Not After : Apr 19 15:39:35 2017 GMT > > > > > Subject: O=EXAMPLE.COM, CN=mail1.example.com > > > > > Subject Public Key Info: > > > > > Public Key Algorithm: rsaEncryption > > > > > Public-Key: (2048 bit) > > > > > Modulus: > > > > > [cut] > > > > > Exponent: 65537 (0x10001) > > > > > X509v3 extensions: > > > > > X509v3 Authority Key Identifier: > > > > > keyid:[cut] > > > > > > > > > > Authority Information Access: > > > > > OCSP - URI:http://ipa-ca.example.com/ca/ocsp > > > > > > > > > > X509v3 Key Usage: critical > > > > > Digital Signature, Non Repudiation, Key Encipherment, > > > > > Data Encipherment > > > > > X509v3 Extended Key Usage: > > > > > TLS Web Server Authentication, TLS Web Client > > > > > Authentication > > > > > X509v3 CRL Distribution Points: > > > > > > > > > > Full Name: > > > > > URI: > > http://ipa-ca.example.com/ipa/crl/MasterCRL.bin > > > > > CRL Issuer: > > > > > DirName: O = ipaca, CN = Certificate Authority > > > > > > > > > > X509v3 Subject Key Identifier: > > > > > [cut] > > > > > X509v3 Subject Alternative Name: > > > > > DNS:mail1.example.com, DNS:mail.example.com, > > > > > othername:, othername: > > > > > Signature Algorithm: sha256WithRSAEncryption > > > > > [cut] > > > > > > > > > > vs. 
> > > > > > > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout > > > > > Certificate: > > > > > Data: > > > > > Version: 3 (0x2) > > > > > Serial Number: 71 (0x47) > > > > > Signature Algorithm: sha256WithRSAEncryption > > > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > > > > Validity > > > > > Not Before: Mar 27 09:51:27 2016 GMT > > > > > Not After : Mar 28 09:51:27 2018 GMT > > > > > Subject: O=IPA, OU=pki-ipa, CN=http1.example.com > > > > > Subject Public Key Info: > > > > > Public Key Algorithm: rsaEncryption > > > > > Public-Key: (2048 bit) > > > > > Modulus: > > > > > [cut] > > > > > Exponent: 65537 (0x10001) > > > > > X509v3 extensions: > > > > > X509v3 Authority Key Identifier: > > > > > keyid:[cut] > > > > > > > > > > Authority Information Access: > > > > > OCSP - URI:http://idmc1.example.com:80/ca/ocsp > > > > > > > > > > X509v3 Key Usage: critical > > > > > Digital Signature, Non Repudiation, Key Encipherment, > > > > > Data Encipherment > > > > > X509v3 Extended Key Usage: > > > > > TLS Web Server Authentication, TLS Web Client > > > > > Authentication > > > > > Signature Algorithm: sha256WithRSAEncryption > > > > > [cut] > > > > > > > > > > so even reference to CRL is missing here, but OCSP is present. > > > > > > > > > > > > > > > Sorry if this is duplicate, but from what I was able to find, DNS > > > > > SubjectAltNames are reported working since CentOS 7.1, and I think > > I'm > > > > > consistent with http://www.freeipa.org/page/PKI, unless I miss > > something > > > > > obvious here. > > > > > > > > > > For new features like certificate profiles and ACLs, I haven't > > changed > > > > > any defaults as far as I know as there was no need for that. > > > > > > > > > > > > > > > Thank you for any support in advance! And Happy Easter! > > > > > > > > > > Martin > > > > > > > > Hi Martin, > > > > > > > > Thanks for the detailed info. 
Could you please provide the > > > > Dogtag configuration for the default profile, `caIPAserviceCert'? > > > > > > > > ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert > > > > > > > > (Then provide the contents of caIPAserviceCert.cfg) > > > > > > > > Could you also provide the contents of file > > > > `/etc/pki/pki-tomcat/ca/CS.cfg'? > > > > > > > > Regards, > > > > Fraser > > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Go to http://freeipa.org for more info on the project > > From rcritten at redhat.com Tue May 10 13:08:19 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 10 May 2016 09:08:19 -0400 Subject: [Freeipa-users] Restore from backup, start server will error but success In-Reply-To: References: <781b9fed-32eb-8675-1ae3-8802117ef79d@redhat.com> <6b466458-f831-9930-f4be-b1a048cf030d@redhat.com> <6a3fb97c-db78-9e56-5f01-12050db9feea@redhat.com> Message-ID: <5731DD43.8010508@redhat.com> barrykfl at gmail.com wrote: > So now how can I restore the normal status? > > Can I export those accounts out and restore to a new server if same schema? > > Manual backup restore I tested before should work. This is a feature design page. The files there are notes, not a full list of things to backup, and definitely not meant as manual instructions. What I'd recommend is to pause, restate what the problems are with as much detail as you can, what you've tried (again, details matter) and basically start this process over again, so include the cert renewal problems, replication issues and now the startup problem. There are now something like three separate threads, all asking for similar information and none of which are really making any forward progress. The python error is coming from dogtag so I've cc'd one of their developers to see what they think. That will need to be fixed eventually as well. 
I've found these threads very difficult to follow but it seems like it started when cert renewal failed and moved on to replication issues which upgrading is probably not going to address and IMHO it is best to not add another variable to the mix. In order to migrate to RHEL 7/IPA 4.x you need a stable system to migrate from, and in that case the latest bits are necessary, as Petr pointed out. rob > > On 10 May 2016 at 8:16 PM, "Martin Basti" > wrote: > > There are no ipa-restore or ipa-backup commands even on RHEL6.7, > centos6.7, so I have no idea how you got those commands there. If you > just copy files manually it is not working as you can see. > > Martin > > > On 10.05.2016 14:12, Barry wrote: >> >> The bottom manual files-based backup restore. I remember there's >> one for 3.0 >> >> And tested; it worked before. >> >> On 10 May 2016 at 8:00 PM, "Petr Vobornik" >> <pvoborni at redhat.com >> > wrote: >> >> On 05/10/2016 01:49 PM, Martin Basti wrote: >> > No, there is not python 2.7 on centos 6.x, maybe there is >> something wrong in the >> > code, let me check first >> >> How did you run the backup and restore? AFAIK it was introduced in >> FreeIPA 3.2, then it was introduced in the ipa 3.3 release on RHEL >> 7. It is >> not on RHEL 6. >> >> > >> > >> > On 10.05.2016 13:34, Barry wrote: >> >> >> >> Ipa 3.0 e47 >> >> >> >> Centos 6.5. Just update python? >> >> >> >> On 10 May 2016 at 6:58 PM, "Martin Basti" >> >> <mbasti at redhat.com >> > wrote: >> >> >> >> >> >> >> >> On 10.05.2016 12:41, barrykfl at gmail.com >> > > wrote: >> >>> Hi: >> >>> >> >>> Restore from backup following the procedure below: >> >>> http://www.freeipa.org/page/V3/Backup_and_Restore >> >>> >> >>> Now the server web page launches but cannot access: >> >>> Sorry you are not allowed to access this service. >> >>> >> >>> Starting dirsrv: >> >>> PKI-IPA... [ OK ] >> >>> WISERS-COM... 
[ OK ] >> >>> Starting KDC Service >> >>> Starting Kerberos 5 KDC: [ OK ] >> >>> Starting KPASSWD Service >> >>> Starting Kerberos 5 Admin Server: [ OK ] >> >>> Starting MEMCACHE Service >> >>> Starting ipa_memcached: [ OK ] >> >>> Starting HTTP Service >> >>> Starting httpd: [ OK ] >> >>> Starting CA Service >> >>> >> >>> >> >>> Starting CA Service >> >>> Traceback (most recent call last): >> >>> File "/usr/sbin/pki-server", line 88, in >> >>> cli = PKIServerCLI() >> >>> File "/usr/sbin/pki-server", line 34, in __init__ >> >>> super(PKIServerCLI, self).__init__('pki-server', >> 'PKI server >> >>> command-line interface') >> >>> File "/usr/lib/python2.6/site-packages/pki/cli.py", >> line 39, in __init__ >> >>> self.modules = collections.OrderedDict() >> >>> AttributeError: 'module' object has no attribute >> 'OrderedDict' >> >>> Starting pki-ca: [ OK ] >> >>> >> >>> >> >>> Any idea above? >> >>> >> >>> >> >> >> >> You are using the old python, python 2.7 is required, >> which version of OS >> >> and IPA do you use? >> >> Martin >> >> >> > >> > >> > >> >> >> -- >> Petr Vobornik >> > > > From piolet.y at gmail.com Tue May 10 14:23:08 2016 From: piolet.y at gmail.com (Youenn PIOLET) Date: Tue, 10 May 2016 16:23:08 +0200 Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates In-Reply-To: <20160510130116.GR1237@dhcp-40-8.bne.redhat.com> References: <1459106087.18839.25.camel@stefany.eu> <20160331074157.GA18277@dhcp-40-8.bne.redhat.com> <20160510105533.GQ1237@dhcp-40-8.bne.redhat.com> <20160510130116.GR1237@dhcp-40-8.bne.redhat.com> Message-ID: Thank you so much Fraser, My PKI is now working perfectly! Cheers -- Youenn Piolet piolet.y at gmail.com 2016-05-10 15:01 GMT+02:00 Fraser Tweedale : > On Tue, May 10, 2016 at 02:33:43PM +0200, Youenn PIOLET wrote: > > Hi Fraser, thanks a lot for your quick reply! 
> > > > Could you confirm whether you are on RHEL / CentOS 7.2, and if so, > > > whether it was installed at 7.2 or an upgrade from 7.1 or an earlier > > > version? > > > > > > > This is a replica that was previously installed in CentOS 7.1. > > I don't exactly remember but I think I used COPR repository to install > > FreeIPA 4.2 and then upgraded CentOS to 7.2. > > > > Also, I remember my pki got broken after upgrading this replica in 7.2. I > > had to renew the replica's certificate and force-sync to successfully > > launch pki-tomcatd. Now this replica is my pki master. > > > Thanks for the background. Every piece of evidence can help find > the bug :) > > > > > > > ### certprofile > > > > $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert > > > > ----------------------------------------------------------- > > > > Profile configuration stored in file 'caIPAserviceCert.cfg' > > > > ----------------------------------------------------------- > > > > Profile ID: caIPAserviceCert > > > > Profile description: Standard profile for network services > > > > Store issued certificates: TRUE > > > > > > > You do not include the caIPAserviceCert.cfg in the diffs below, > > > however, I suspect you will find it to be identical to > > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg. Could you > > > please confirm this? > > > > > > > Ah true... I did not realised I was actually writing a new file! > > And you're right, diff is the same (except 2 profileId/classId lignes > that > > don't exist in template + enableBy that differs) > > > > FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem > > > which stores profile configuration in LDAP. The file output by the > > > ``ipa certprofile-show`` command will have come from LDAP; this is > > > the version that's actually in use in your IPA installation. > > > > > > > Thanks a lot for your answers. > > > > So now, what would you suggest me to do? 
> > Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import
> > to LDAP ?
>
> I'd recommend copying the IPA template from
> /usr/share/ipa/profiles/caIPAserviceCert.cfg, then filling out the
> params manually and updating the profile. There are four config
> params that require substitutions; fill them out like below:
>
> - policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, o=YOUR-DOMAIN
>
> (note the SINGLE '$'s; they are double '$$' in the template)
>
> - policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.YOUR-DOMAIN/ca/ocsp
>
> - policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
>
> - policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.YOUR-DOMAIN/ipa/crl/MasterCRL.bin
>
> Leave other values unchanged. Import the updated profile by
> running:
>
> ipa certprofile-mod caIPAserviceCert --file new.cfg
>
> Then certificates should be issued as expected.
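The four substitutions Fraser lists can be made mechanically from the IPA template instead of by hand. What follows is an added example, not FreeIPA's or Fraser's code: it fills the template's `$SUBJECT_DN_O`, `$IPA_CA_RECORD`, `$DOMAIN` and `$CRL_ISSUER` placeholders with Python's `string.Template` (whose `$$` escape is exactly the template's doubled `$$`) and then checks the rendered file for the leftovers that would make Dogtag issue wrong certificates. The template excerpt embedded in it is constructed from the diff in this thread, and `O=<realm>` as the subject organization is an assumption.

```python
"""Render FreeIPA's caIPAserviceCert.cfg profile template for
`ipa certprofile-mod caIPAserviceCert --file new.cfg`.

Added example, not FreeIPA's own code.  The template uses two kinds of `$`:
`$$` where Dogtag itself needs a literal `$` (its request macros, e.g.
$request.req_subject_name.cn$), and `$NAME` for the values IPA fills in at
install time.  string.Template follows exactly those conventions, so
rendering is one substitute() plus a check that nothing was left behind.
Assumption: the real template uses only those two `$` forms.
"""
import re
import sys
from string import Template

# Constructed excerpt of /usr/share/ipa/profiles/caIPAserviceCert.cfg,
# reduced to the lines that carry placeholders (values as in the diff above).
TEMPLATE_EXCERPT = """\
profileId=caIPAserviceCert
classId=caEnrollImpl
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
"""

# The four parameters Fraser lists as needing substitution.
REQUIRED = (
    "policyset.serverCertSet.1.default.params.name",
    "policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0",
    "policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0",
    "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0",
)

# An install-time placeholder is upper case ($DOMAIN); Dogtag's own macros are
# lower case ($request....), so this matches only what should have been filled.
LEFTOVER = re.compile(r"\$[A-Z][A-Z0-9_]*")


def profile_values(domain, realm, ipa_ca_record="ipa-ca"):
    """Values for the template's placeholders.  Assumption: the subject uses
    O=<REALM>, as in the working certificate quoted earlier in this thread."""
    return {
        "SUBJECT_DN_O": f"O={realm}",
        "IPA_CA_RECORD": ipa_ca_record,
        "DOMAIN": domain,
        "CRL_ISSUER": "CN=Certificate Authority,o=ipaca",
    }


def render_profile(template_text, values):
    """Fill the placeholders and collapse `$$` to `$`.  substitute() raises
    KeyError for a placeholder we have no value for, which is what we want."""
    return Template(template_text).substitute(values)


def parse_profile(text):
    """key=value lines -> dict (split at the first '='; values may contain '=')."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_profile(text):
    """Problems that would make Dogtag reject the profile or issue wrong
    certificates; an empty list means the file is ready to import."""
    cfg = parse_profile(text)
    problems = []
    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"{key} is missing or empty")
    if "$$" in text:
        problems.append("doubled '$$' present: template was not rendered")
    for name in sorted(set(LEFTOVER.findall(text))):
        problems.append(f"unfilled placeholder {name}")
    subject = cfg.get(REQUIRED[0], "")
    if subject.count("$request.req_subject_name.cn$") != 1:
        problems.append("subject name must contain exactly one $request.req_subject_name.cn$ macro")
    return problems


if __name__ == "__main__":
    # usage: render_profile.py /usr/share/ipa/profiles/caIPAserviceCert.cfg example.com EXAMPLE.COM > new.cfg
    path, domain, realm = sys.argv[1:4]
    with open(path) as fh:
        rendered = render_profile(fh.read(), profile_values(domain, realm))
    for problem in check_profile(rendered):
        print("WARNING:", problem, file=sys.stderr)
    sys.stdout.write(rendered)
```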
> > Cheers, > Fraser > > > > Cheers, > > > > > > > > And a diff between them : > > > > > > > > $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg > > > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg > > > > 1,2d0 > > > > < profileId=caIPAserviceCert > > > > < classId=caEnrollImpl > > > > 15c13 > > > > < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 > > > > --- > > > > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8 > > > > 22c20 > > > > < policyset.serverCertSet.1.default.params.name=CN=$$ > > > > request.req_subject_name.cn$$, $SUBJECT_DN_O > > > > --- > > > > > policyset.serverCertSet.1.default.params.name=CN=$ > > > > request.req_subject_name.cn$, OU=pki-ipa, O=IPA > > > > 48c46 > > > > < > > > > > > > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http:// > > > > $IPA_CA_RECORD.$DOMAIN/ca/ocsp > > > > --- > > > > > > policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= > > > > 95,97c93,95 > > > > < > > > > > > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER > > > > < > > > > > > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName > > > > < > > > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http:// > > > > $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin > > > > --- > > > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0= > > > > > policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0= > > > > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0= > > > > https://ipa.example.com/ipa/crl/MasterCRL.bin > > > > 100,109d97 > > > > < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl > > > > < policyset.serverCertSet.10.constraint.name=No Constraint > > > > < > > > > > > > > policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl > > > > < policyset.serverCertSet.10.default.name=Subject Key Identifier > > > Extension > > > > Default > > > > < 
policyset.serverCertSet.10.default.params.critical=false > > > > < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl > > > > < policyset.serverCertSet.11.constraint.name=No Constraint > > > > < > policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl > > > > < policyset.serverCertSet.11.default.name=User Supplied Extension > > > Default > > > > < policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 > > > > > > > > Thanks by advance for your support, > > > > Regards > > > > > > > > -- > > > > Youenn Piolet > > > > piolet.y at gmail.com > > > > > > > > > > > > 2016-03-31 9:41 GMT+02:00 Fraser Tweedale : > > > > > > > > > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin ?tefany wrote: > > > > > > Hello, > > > > > > > > > > > > I seem to be having some issues with IPA CA feature not > generating > > > > > > certificates with DNS SubjectAltNames. > > > > > > > > > > > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but > now > > > under > > > > > > CentOS 7.2 / IPA 4.2 something's different. > > > > > > > > > > > > Here are the original steps which worked fine for my first use > case > > > :: > > > > > > > > > > > > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25 > > > > > > $ ipa host-add mail.example.com > > > > > > $ ipa service-add smtp/mail.example.com > > > > > > $ ipa service-add smtp/mail1.example.com > > > > > > $ ipa service-add-host smtp/mail.example.com --hosts= > > > mail1.example.com > > > > > > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \ > > > > > > -f /etc/pki/tls/certs/postfix.pem \ > > > > > > -N CN=mail1.example.com,O=EXAMPLE.COM \ > > > > > > -D mail1.example.com -D mail.example.com \ > > > > > > -K smtp/mail1.example.com > > > > > > (and repeat for every next member of the cluster...) > > > > > > > > > > > > After this, I would get certificate with something like :: > > > > > > $ sudo ipa-getcert list > > > > > > Number of certificates and requests being tracked: 3. 
> > > > > > Request ID '20150419153933': > > > > > > status: MONITORING > > > > > > stuck: no > > > > > > key pair storage: > > > > > > type=FILE,location='/etc/pki/tls/private/postfix.key' > > > > > > certificate: > > > type=FILE,location='/etc/pki/tls/certs/postfix.pem' > > > > > > CA: IPA > > > > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > > > > > subject: CN=mail1.example.com,O=EXAMPLE.COM > > > > > > expires: 2017-04-19 15:39:35 UTC > > > > > > dns: mail1.example.com,mail.example.com > > > > > > principal name: smtp/mail1.example.com at EXAMPLE.COM > > > > > > key usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > > > pre-save command: > > > > > > post-save command: > > > > > > track: yes > > > > > > auto-renew: yes > > > > > > > > > > > > with Subject line in form of: 'CN=,O=EXAMPLE.COM' and > > > 'dns' > > > > > > info line present. > > > > > > > > > > > > Suddenly, in the current setup, after upgrade from 4.0 to 4.2, > I'm > > > > > > getting this :: > > > > > > > > > > > > $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 > --a-create- > > > > > > reverse > > > > > > $ ipa host-add w3.example.com > > > > > > $ ipa service-add HTTP/w3.example.com > > > > > > $ ipa service-add HTTP/http1.example.com > > > > > > $ ipa service-add-host HTTP/w3.example.com --hosts= > http1.example.com > > > > > > $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \ > > > > > > -f /etc/pki/tls/certs/httpd.pem \ > > > > > > -N CN=http1.example.com,O=EXAMPLE.COM \ > > > > > > -D http1.example.com -D w3.example.com \ > > > > > > -K HTTP/http1.example.com > > > > > > $ sudo ipa-getcert list > > > > > > Number of certificates and requests being tracked: 3. 
> > > > > > Request ID '20160327095125': > > > > > > status: MONITORING > > > > > > stuck: no > > > > > > key pair storage: > > > > > > type=FILE,location='/etc/pki/tls/private/http.key' > > > > > > certificate: > type=FILE,location='/etc/pki/tls/certs/http.pem' > > > > > > CA: IPA > > > > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > > > > > subject: CN=http1.example.com,OU=pki-ipa,O=IPA > > > > > > expires: 2018-03-28 09:51:27 UTC > > > > > > key usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > > > > pre-save command: > > > > > > post-save command: > > > > > > track: yes > > > > > > auto-renew: yes > > > > > > > > > > > > Where's the 'CN=,OU=pki-ipa,O=IPA' coming from instead > of > > > > > > 'CN=,O=EXAMPLE.COM' and why are DNS SubjectAltNames > > > missing? > > > > > > > > > > > > To be clear, if I don't do :: > > > > > > $ ipa service-add-host HTTP/w3.example.com --hosts= > http1.example.com > > > > > > > > > > > > then certificate is just not issued with 'REJECTED', but once > this is > > > > > > done properly in described steps, DNS SANs are not happening. > > > > > > > > > > > > I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but > only > > > > > > against my current IPA 4.2 on CentOS 7.2. 
> > > > > > > > > > > > For the actual certificates :: > > > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout > -text > > > > > > Certificate: > > > > > > Data: > > > > > > Version: 3 (0x2) > > > > > > Serial Number: 15 (0xf) > > > > > > Signature Algorithm: sha256WithRSAEncryption > > > > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > > > > > Validity > > > > > > Not Before: Apr 19 15:39:35 2015 GMT > > > > > > Not After : Apr 19 15:39:35 2017 GMT > > > > > > Subject: O=EXAMPLE.COM, CN=mail1.example.com > > > > > > Subject Public Key Info: > > > > > > Public Key Algorithm: rsaEncryption > > > > > > Public-Key: (2048 bit) > > > > > > Modulus: > > > > > > [cut] > > > > > > Exponent: 65537 (0x10001) > > > > > > X509v3 extensions: > > > > > > X509v3 Authority Key Identifier: > > > > > > keyid:[cut] > > > > > > > > > > > > Authority Information Access: > > > > > > OCSP - URI:http://ipa-ca.example.com/ca/ocsp > > > > > > > > > > > > X509v3 Key Usage: critical > > > > > > Digital Signature, Non Repudiation, Key > Encipherment, > > > > > > Data Encipherment > > > > > > X509v3 Extended Key Usage: > > > > > > TLS Web Server Authentication, TLS Web Client > > > > > > Authentication > > > > > > X509v3 CRL Distribution Points: > > > > > > > > > > > > Full Name: > > > > > > URI: > > > http://ipa-ca.example.com/ipa/crl/MasterCRL.bin > > > > > > CRL Issuer: > > > > > > DirName: O = ipaca, CN = Certificate Authority > > > > > > > > > > > > X509v3 Subject Key Identifier: > > > > > > [cut] > > > > > > X509v3 Subject Alternative Name: > > > > > > DNS:mail1.example.com, DNS:mail.example.com, > > > > > > othername:, othername: > > > > > > Signature Algorithm: sha256WithRSAEncryption > > > > > > [cut] > > > > > > > > > > > > vs. 
> > > > > > > > > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout > > > > > > Certificate: > > > > > > Data: > > > > > > Version: 3 (0x2) > > > > > > Serial Number: 71 (0x47) > > > > > > Signature Algorithm: sha256WithRSAEncryption > > > > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority > > > > > > Validity > > > > > > Not Before: Mar 27 09:51:27 2016 GMT > > > > > > Not After : Mar 28 09:51:27 2018 GMT > > > > > > Subject: O=IPA, OU=pki-ipa, CN=http1.example.com > > > > > > Subject Public Key Info: > > > > > > Public Key Algorithm: rsaEncryption > > > > > > Public-Key: (2048 bit) > > > > > > Modulus: > > > > > > [cut] > > > > > > Exponent: 65537 (0x10001) > > > > > > X509v3 extensions: > > > > > > X509v3 Authority Key Identifier: > > > > > > keyid:[cut] > > > > > > > > > > > > Authority Information Access: > > > > > > OCSP - URI:http://idmc1.example.com:80/ca/ocsp > > > > > > > > > > > > X509v3 Key Usage: critical > > > > > > Digital Signature, Non Repudiation, Key > Encipherment, > > > > > > Data Encipherment > > > > > > X509v3 Extended Key Usage: > > > > > > TLS Web Server Authentication, TLS Web Client > > > > > > Authentication > > > > > > Signature Algorithm: sha256WithRSAEncryption > > > > > > [cut] > > > > > > > > > > > > so even reference to CRL is missing here, but OCSP is present. > > > > > > > > > > > > > > > > > > Sorry if this is duplicate, but from what I was able to find, DNS > > > > > > SubjectAltNames are reported working since CentOS 7.1, and I > think > > > I'm > > > > > > consistent with http://www.freeipa.org/page/PKI, unless I miss > > > something > > > > > > obvious here. > > > > > > > > > > > > For new features like certificate profiles and ACLs, I haven't > > > changed > > > > > > any defaults as far as I know as there was no need for that. > > > > > > > > > > > > > > > > > > Thank you for any support in advance! And Happy Easter! 
> > > > > > > > > > > > Martin > > > > > > > > > > Hi Martin, > > > > > > > > > > Thanks for the detailed info. Could you please provide the > > > > > Dogtag configuration for the default profile, `caIPAserviceCert'? > > > > > > > > > > ipa certprofile-show --out caIPAserviceCert.cfg > caIPAserviceCert > > > > > > > > > > (Then provide the contents of caIPAserviceCert.cfg) > > > > > > > > > > Could you also provide the contents of file > > > > > `/etc/pki/pki-tomcat/ca/CS.cfg'? > > > > > > > > > > Regards, > > > > > Fraser > > > > > > > > > > -- > > > > > Manage your subscription for the Freeipa-users mailing list: > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > Go to http://freeipa.org for more info on the project > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jan.karasek at elostech.cz Tue May 10 14:44:14 2016 From: jan.karasek at elostech.cz (Jan =?utf-8?Q?Kar=C3=A1sek?=) Date: Tue, 10 May 2016 16:44:14 +0200 (CEST) Subject: [Freeipa-users] AD trust and UPN issue In-Reply-To: References: Message-ID: <1912109710.2898761.1462891454156.JavaMail.zimbra@elostech.cz> Hi, thank you for the answer. I have already tried that workaround and still no luck. At the moment this is showstopper for us on two different projects at two different customers. Any chance to get it patch before 7.3 arrives ? Thanks, Jan ---------------------------------------------------------------------- Date: Tue, 10 May 2016 14:38:01 +0200 From: Jakub Hrozek To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Fwd: AD trust and UPN issue Message-ID: <20160510123801.GE4011 at hendrix> Content-Type: text/plain; charset=iso-8859-1 On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Kar?sek wrote: > Hi all, > I have lab environment with IPA server and trust to Active directory. > IPA server is in a.example.com. > AD DC is in example.com. > We have also child AD subdomain ext.examle.com. 
> Everything is fine until the users in AD domain ext.example.com get the UPN suffix of the root AD domain - example.com - which is a pretty common scenario.
> Example:
> user at ext.example.com is set in AD with UPN user at example.com
>
> In this situation I am not able to log in to my linux box with user at example.com
> I have seen some open tickets on this issue, 3559 and others, and they are marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in current packages.
> Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64.
> I have default settings - no changes in krb5.conf and sssd.conf after ipa trust-add.
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive) - add another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - but no effect.
> Could you please confirm that it's possible to use IPA with a different UPN suffix for users in AD than the domain name in which they exist? Is there any additional configuration needed to fix this scenario?

In general no, not until 7.3. But it might work with a workaround. Can you try setting:

ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal

in sssd.conf's domain section on the server? (Yes, server, not client..)

This should work without the workaround starting with 7.3..

Jan Karásek
ELOS Technologies s.r.o.
U Kanálky 5
120 00 Praha 2
tel.
+420 607 008 891
e-mail: jan.karasek at elostech.cz
www.elostech.cz

----- Original Message -----
From: "freeipa-users-request"
To: freeipa-users at redhat.com
Sent: Tuesday, May 10, 2016 4:23:56 PM
Subject: Freeipa-users Digest, Vol 94, Issue 63

From opensauce17 at gmail.com Tue May 10 14:45:35 2016
From: opensauce17 at gmail.com (opensauce .)
Date: Tue, 10 May 2016 16:45:35 +0200
Subject: [Freeipa-users] Determining the Renewal Master/First Master and backup restore strategies - Problems and Issues
Message-ID:

Hi All,

I would like to get right into my current issues.

Operating system : CentOS Linux release 7.2.1511 (Core)
Kernel Version : 3.10.0-327.10.1.el7.x86_64
IPA server Version : ipa-server-4.2.0-15.el7_2.6.x86_64
VM platform : ProxMox Virtual Environment Version 3.4-9/4b51d87a

I have prepared what I would call the "first" master by preparing and installing the machine via the following method:

Source
http://www.freeipa.org/page/Quick_Start_Guide#Getting_started_with_IPA
https://www.certdepot.net/rhel7-configure-freeipa-server/

Standard FreeIPA version distributed with the OS

yum install freeipa-server
yum install ipa-server-dns
ipa-server-install --setup-dns --forwarder=x.x.x.x -a PASSWORD --hostname=ipatester1.xxxxx.com --realm IPATESTER.XXXX.XXX -p PASSWORD -n xxxx.xxx -U
firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
firewall-cmd --reload

The first master is installed and now I would create a replica instance for multi-master replication.

First, create the replica file from the first master:

ipa-replica-prepare ipahostname --ip-address x.x.x.x

Copy the replica master info file to the new replica master.
Then run the replica install script : ipa-replica-install --setup-dns --setup-ca --forwarder=x.x.x.x /var/lib/ipa/replica-info-ipahostname.gpg firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns} firewall-cmd --reload I now have 2 multi-masters with replication agreements. ipatester1 - first master ipatester2 - replica master >From master to replica : ipa-replica-conncheck --replica ipatester2 Check connection from master to remote replica 'ipatester2.macrolan.co.za': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): WARNING Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): WARNING HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK The following UDP ports could not be verified as open: 88, 464 This can happen if they are already bound to an application and ipa-replica-conncheck cannot attach own UDP responder. Connection from master to replica is OK. 
From replica to master:

ipa-replica-conncheck --master ipatester1
Check connection from replica to remote master 'ipatester1.macrolan.co.za':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

QUESTION 1 : Determining the Renewal Master/First Master

Source : http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

According to the above source, identifying the Renewal Master/First Master can be done with the following ldap search command :

ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=example,dc=com' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn

However, when I run this ldapsearch I get presented with both masters in the results :

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(cn=CA)(ipaConfigString=caRenewalMaster))
# requesting: dn
#

# CA, ipatester1.xxxxx.xxx, masters, ipa, etc, ipatester.xxxxx.xxx
dn: cn=CA,cn=ipatester1.xxxxx.xxx,cn=masters,cn=ipa,cn=etc,dc=ipatester,dc=xxxx,dc=xxx

# CA, ipatester2.xxxxx.xxx, masters, ipa, etc, ipatester.xxxxx.xxx
dn: cn=CA,cn=ipatester2.xxxxx.xxx,cn=masters,cn=ipa,cn=etc,dc=ipatester,dc=xxxx,dc=xxx

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

The above source also states : "There should only one master at a time, otherwise the renewed certificates will step all over each other"

Two masters appear in the ldapsearch when the replica, installed from the first master, includes a CA installation. Is this correct? Does this mean that the two are indeed both renewal masters?
If so, how is it possible to ensure that when a CA is installed as a replica, it does not take on the role of renewal master?

The CRL generation master seems more straightforward and involves the editing of /etc/pki/pki-tomcat.ca/CS.config and the /etc/httpd/conf.d/ipa-pki-proxy.conf. What is the best method within the IPA environment to test the CRL generation?

QUESTION 2 : Restoring data to the first master from an ipa FULL backup using the ipa-backup, ipa-restore and the ipa-replica-manage / ipa-csreplica-manage re-initialize commands

As a test I created 5 standard users on the first master. The replication was successful to the replication master as all users appeared in the replication master's user list. I made a backup of the first master using the /usr/sbin/ipa-backup -v command. I then deleted all 5 users from the first master and the replication actioned the deletion to the replication master. This mimics a loss of data that would need to be restored.

My restore procedure involves an uninstall of the ipa-server on the first master and then a restore of the latest backup using the ipa-restore command. Is this the correct method? i.e. first uninstall the ipa-server and then restore, because this would mean replication agreements would possibly need to be removed - but since the data will be restored, my assumption is that no replication agreements need to be removed. Is this correct? Should I use the first master to restore to or should I rather use a replica master to restore to?

Following this procedure, I am able to restore the first master back to an instance before the deletion. All 5 users are back. However, now replication does not exist between the first master and the replica master. I attempt a re-initialize from the replica master to the first master using the ipa-replica-manage command : ipa-replica-manage re-initialize ipatester1 and ipa-csreplica-manage re-initialize ipatester1.
I have experienced inconsistent results using this method of restore. When running the ip-replica-manage --reinitialize command from the replica master I was experiencing credential issues connecting to ldap and hence why I would like confirmation whether this would be the best method of restore when restoring IPA data and not restoring from a snap shot. As of recently I am getting consistent results. I suspect the issues I have been experiencing relate to not having all the correct ports open on both the first master and the replica master. I have chosen to have all the necessary ports open using UDP and TCP. I thank anyone in advance who responds to this message. Regards, Mike Hyland www.macrolan.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From sparky at charlietango.com Tue May 10 19:39:28 2016 From: sparky at charlietango.com (Jeffery Harrell) Date: Tue, 10 May 2016 12:39:28 -0700 Subject: [Freeipa-users] DHCP plugin (don't get your hopes up) Message-ID: As promised yesterday, here?s the link to my bespoke DHCP plugin. It?s really nothing, just a little thing I whipped up for my own use. https://github.com/jefferyharrell/IPA-dhcp -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrew+rhlists at dingman.org Tue May 10 23:14:26 2016 From: andrew+rhlists at dingman.org (Andrew C. Dingman) Date: Tue, 10 May 2016 19:14:26 -0400 Subject: [Freeipa-users] ipa-server-upgrade fails and CA cannot start In-Reply-To: <6b61d4d9-1151-35e9-6efa-88934742950b@redhat.com> References: <1462736980.3898.290.camel@dingman.org> <6b61d4d9-1151-35e9-6efa-88934742950b@redhat.com> Message-ID: <1462922066.3795.9.camel@dingman.org> On Tue, 2016-05-10 at 10:16 +0200, Petr Vobornik wrote: > On 05/08/2016 09:49 PM, Andrew C. Dingman wrote: > >? > > "getcert list" successfully shows 8 certificate requests being > > tracked. > > Four are in "MONITORING" status, four in "NEED_CA". 
The NEED_CA > > requests all indicate expiration back in February, and look like > > crucial certificates: CN=CA Subsystem, CN=IPA RA, CN=CA Audit > > and CN=OCSP Subsystem. > > > > On the working replica, all eight are in "MONITORING" status and > > have > > expiration dates in 2017 or later. I have not attempted the package > > update on that system. Should I consider promoting this one to CA > > master, force-deleting the old one, and reinstalling it as a new > > system? > > > > Please let me know what other information would be helpful for > > diagnostics. The current state of all packages on the broken master > > is > > up to earlier today from the official Red Hat content distribution > > network. > > > Hello Andrew, > > Could you paste output of `ipactl start` ? [andrew at ipa2 ~]$ sudo ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting pki-tomcatd Service Failed to start pki-tomcatd Service Shutting down Aborting ipactl [andrew at ipa2 ~]$ There's a pause of several minutes between "Starting pki-tomcatd Service" and "Failed". Full output from "sudo ipactl -d start" is at ?h ttps://paste.fedoraproject.org/364876/14629214/?but it mostly consists of: ipa: DEBUG: stderr= ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300 ipa: DEBUG: Waiting until the CA is running ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no- check-certificate' 'https://ipa2.acdingman.com:8443/ca/admin/ca/getS tatus' ipa: DEBUG: Process finished, return code=8 ipa: DEBUG: stdout= ipa: DEBUG: stderr=--2016-05-10 18:53:33--??https://ipa2.acdingman.c om:8443/ca/admin/ca/getStatus Resolving ipa2.acdingman.com (ipa2.acdingman.com)... 2001:19f0:300:2a63::64, 104.156.251.79 Connecting to ipa2.acdingman.com (ipa2.acdingman.com)|2001:19f0:300:2a63::64|:8443... connected. 
HTTP request sent, awaiting response...
  HTTP/1.1 500 Internal Server Error
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 2134
  Date: Tue, 10 May 2016 22:53:55 GMT
  Connection: close
2016-05-10 18:53:55 ERROR 500: Internal Server Error.

repeated once a second for nearly five minutes.

> Also when upgrader fails it tends to leave directory server not
> accessible by changing 389 and 636 port.
>
> It could be verified by:
>
> $ ldapsearch -ZZ -h `hostname` -D "cn=Directory Manager" -W -s base -b "cn=config" | grep "nsslapd-security\|nsslapd-port"
> Enter LDAP Password:
> nsslapd-requiresrestart: cn=config:nsslapd-port
> nsslapd-port: 389
> nsslapd-security: on
>
> If there are values other than '389' and 'on' (usually '0' and 'off')
> then it might be the reason why IPA doesn't start. Changing them back to
> 'on' and 389 might help.

Nope, my output looks just like your sample.

> But it won't say why the upgrader failed. Maybe it was a one-time glitch
> or it was related to the expired certs.
>
> The error message you got is in code which creates connection to
> certmonger.
>
> But if there are expired certificates, the usual recovery is to move
> back time a day or two before the first certificate expires and let
> certmonger renew the certs. Optionally the renewal can be forced by
> the `getcert resubmit -i $certid` command.

Do I risk hurting the functional replica if I do that? I presume with time months off from each other they wouldn't even talk until I got the time correct on the broken system, but that's based on the assumption that they mostly use GSSAPI authentication. If anything is certificate-based the time tolerances could be much larger.
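The situation Andrew describes (four tracked requests in NEED_CA whose certificates had expired months earlier, noticed only when pki-tomcatd would not start) is what a periodic check over `getcert list` output catches early. The following is an added example, not certmonger's or FreeIPA's own code; its sample output is constructed to mirror that situation, and it flags any request that is not MONITORING, is stuck, has already expired or expires within a configurable window, printing the request id that `getcert resubmit -i` takes.

```python
"""Flag certmonger-tracked certificates that need attention, from `getcert list` output.

Added example, not part of the thread, of certmonger or of FreeIPA.  It parses
the format `getcert list` / `ipa-getcert list` prints (a "Request ID '...':"
header followed by indented "field: value" lines) and reports requests that
are not healthy.
"""
import re
from datetime import datetime, timedelta, timezone

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FORMAT = "%Y-%m-%d %H:%M:%S UTC"

# Constructed sample mirroring the situation above: IPA subsystem certificates
# stuck in NEED_CA with an expiry in the past, plus one still-healthy service cert.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160214101112':
    status: NEED_CA
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2016-02-14 10:11:12 UTC
    track: yes
    auto-renew: yes
Request ID '20160214101113':
    status: NEED_CA
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2016-02-16 08:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20150419153933':
    status: MONITORING
    stuck: no
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=mail1.example.com,O=EXAMPLE.COM
    expires: 2017-04-19 15:39:35 UTC
    dns: mail1.example.com,mail.example.com
    track: yes
    auto-renew: yes
"""


def parse_expires(value):
    """'2017-04-19 15:39:35 UTC' -> timezone-aware datetime."""
    return datetime.strptime(value, EXPIRES_FORMAT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """One dict per tracked request, keyed by the field names getcert prints,
    plus 'request_id'; 'expires' is a datetime, or None when no cert was issued."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = REQUEST_HEADER.match(line)
        if header:
            current = {"request_id": header.group(1), "expires": None}
            requests.append(current)
        elif current is not None and ":" in line:   # skips the count line and blanks
            key, _, value = line.partition(":")      # split at the first ':' only
            current[key.strip()] = value.strip()
    for req in requests:
        if isinstance(req["expires"], str):
            req["expires"] = parse_expires(req["expires"])
    return requests


def find_problem_requests(requests, now=None, warn_days=30):
    """(request_id, subject, reason) tuples; an empty list means nothing to do."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_days)
    problems = []
    for req in requests:
        rid, subject = req["request_id"], req.get("subject", "?")
        if req.get("status") != "MONITORING":
            problems.append((rid, subject, f"status {req.get('status')}"))
        if req.get("stuck") == "yes":
            problems.append((rid, subject, "stuck"))
        exp = req["expires"]
        if exp is None:
            problems.append((rid, subject, "no certificate issued"))
        elif exp <= now:
            problems.append((rid, subject, f"expired {exp:%Y-%m-%d}"))
        elif exp <= horizon:
            problems.append((rid, subject, f"expires within {warn_days} days ({exp:%Y-%m-%d})"))
    return problems


if __name__ == "__main__":
    import sys
    # Pipe real output in:  getcert list | python3 check_getcert.py   (no pipe: the sample runs)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for rid, subject, reason in find_problem_requests(parse_getcert_list(text)):
        print(f"{rid}  {subject}: {reason}  ->  getcert resubmit -i {rid}")
```

Resubmitting an already-expired subsystem certificate still depends on the clock rollback Petr describes; the check only tells you which requests need it and how far in advance the window would have warned.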
-Andrew

From mkosek at redhat.com Wed May 11 08:48:56 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 11 May 2016 10:48:56 +0200
Subject: [Freeipa-users] Get Creation Time / Last Login Time for Users
In-Reply-To:
References:
Message-ID:

On 05/05/2016 03:23 AM, Jeff Hallyburton wrote:
> Hello,
>
> We're looking for a way to get last login time and creation time for
> users configured in FreeIPA. This information doesn't seem to be in
> the WebUI and ipa user-status only provides limited information (last
> failed/successful logins in seconds since epoch). Is there a
> supported way to get this information?
>
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
>
> Engineering Support: support at bloomip.com
> Billing Support: billing at bloomip.com
> Customer Support Portal: https://my.bloomip.com
>

Hi,

Could you use ldapsearch?

# ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=rhel72" createtimestamp krbLastSuccessfulAuth
...
# admin, users, accounts, rhel72
dn: uid=admin,cn=users,cn=accounts,dc=rhel72
createtimestamp: 20160308160512Z
krbLastSuccessfulAuth: 20160511084800Z

# labadmin, users, accounts, rhel72
dn: uid=labadmin,cn=users,cn=accounts,dc=rhel72
createtimestamp: 20160321081650Z
krbLastSuccessfulAuth: 20160321082135Z
...

Martin

From mkosek at redhat.com Wed May 11 08:52:17 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 11 May 2016 10:52:17 +0200
Subject: [Freeipa-users] Looking for documentation for Python API
In-Reply-To: <2410380.zRJEA5Vezc@hosanna>
References: <1557170.p9MGeghmZ2@hosanna> <2410380.zRJEA5Vezc@hosanna>
Message-ID: <20eddb00-e064-9390-018d-1896c5b85e9a@redhat.com>

On 05/07/2016 09:07 AM, Joshua J.
Kugler wrote:
> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>
>> So for example for caacl-add:
>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>> description")
>>
>> you can try commands in "ipa console" it contains initialized API, just
>> call api.Command.()
>>
>> API.txt provides the same information as API browser, but browser looks
>> better :)
>>
>> Feel free to ask anything, if you identified gaps in docs which are hard
>> to understand for non-IPA developer feel free report it, or feel free to
>> create howTo in freeipa.org page.
>
> Thanks for the pointers. I'm looking at automating some user and group
> additions, group editing, etc. Am I right in assuming that anything that uses
> the api.Command. will require a kinit before it is run,
> even if it is via the Python API? If I want to use a user/pass from the script
> itself (and not have a shell script which does kinit, then fires off my Python
> script) would I be better off hitting the web API with sessions and JSON-RPC as
> detailed here:
>
> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>
> Put another way, since I want to hit the API from a system that might not have
> sssd installed, nor has joined the realm, I assume it would be *impossible* to
> use api.Command. as it relies on a Kerberos ticket? To put it yet
> another way: is there a way to hand a user/pass to the Python API and
> authenticate that way.

The API itself can be hit with user/password, as noted in Alexander's blog. If you want to use the actual Python API, Kerberos may be the only way. But I think Jan or Petr may have had some other (hacky) way to pass user+password there too.

> Those are the questions I did not see addressed in the docs that I found.
> There were lots of examples of invoking commands, but I never saw anything
> about authenticating to the server before running the commands.
>
> Thanks again for the pointers, and if there is documentation I missed, feel
> free to point me in that direction.

From mkosek at redhat.com Wed May 11 08:58:23 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 11 May 2016 10:58:23 +0200
Subject: [Freeipa-users] Automatic consistency checking
In-Reply-To: <732497752.48841134.1462458942340.JavaMail.zimbra@redhat.com>
References: <732497752.48841134.1462458942340.JavaMail.zimbra@redhat.com>
Message-ID: <1159bffc-a7b1-d7a3-6415-ccc2b1cbae60@redhat.com>

On 05/05/2016 04:35 PM, Martin Basti wrote:
>
>
> On 05.05.2016 15:54, Andrew Holway wrote:
>
> Hello,
>
> We've been using Freeipa on Centos for a while and found one day that the
> replication stuff was broken and that the LDAP database on our pair of IPA
> servers was inconsistent. We didn't know how long this had been broken for
> but we were not able to repair it either.
>
> We use AWS so we've now deployed RHEL AMI's and are now using IdM so we can
> get support when this is breaking but I am a bit stuck how to monitor that
> the replication is still working.
>
> So is there some monitoring mechanisms in FreeIPA?
>
> Cheers,
>
> Andrew
>
>
>
> This is planned for future, you can use

Right. This is the long term plan and design:
http://www.freeipa.org/page/V4/Monitor_Replication_Topology

Ludwig (CCed) had some ideas already, I am not sure if all of them are in the design.

> https://github.com/peterpakos/ipa_check_consistency (community script without
> any guarantee) to check your servers.

From mkosek at redhat.com Wed May 11 10:28:52 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 11 May 2016 12:28:52 +0200
Subject: [Freeipa-users] Exposing LDAP attributes with hyphens in their names?
In-Reply-To:
References:
Message-ID: <9072ad68-b208-b1ca-bcef-8d9e79ef3873@redhat.com>

On 05/06/2016 07:12 PM, Jeffery Harrell wrote:
> Hi. I'm very new to IPA; I only picked it up a couple weeks ago. So this may be
> a remedial question.
>
> I'd like to expose, both via the CLI and the GUI, certain LDAP attributes which
> have hyphens in their names -- e.g., "apple-user-homeurl." The Param class
> rejects these attributes because of the hyphens; the name of the Param doesn't
> conform to the regular expression so an exception gets thrown. This code does
> not work:
>
> user.user.takes_params = user.user.takes_params + (
>     Str('apple-user-homeurl',
>         cli_name='appleuserhomeurl',
>         label=_('Apple User Home URL'),
>         doc=_('Apple user home URL.'),
>     ),
> )
>
> Is there a sensible way of getting around that, or will I have to subclass Param
> and write a whole bunch of new code to get this to work?
>
> Thanks very much.
>
> Jeffery

Did you check the documentation we have so far?

http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
http://abbra.fedorapeople.org/guide.html

CCing Jan for reference.

Martin

From pvoborni at redhat.com Wed May 11 11:03:01 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 11 May 2016 13:03:01 +0200
Subject: [Freeipa-users] DHCP plugin (don't get your hopes up)
In-Reply-To:
References:
Message-ID: <5b848a05-c7fe-22f0-a317-0516aac406d0@redhat.com>

On 05/10/2016 09:39 PM, Jeffery Harrell wrote:
> As promised yesterday, here's the link to my bespoke DHCP plugin. It's really
> nothing, just a little thing I whipped up for my own use.
>
> https://github.com/jefferyharrell/IPA-dhcp
>
>

Very nice. This is probably the most complex 'external' IPA plugin I've seen. You must have put quite a lot of effort into making it happen.

Were there any areas in code/docs/wiki/... you encountered which you would like to see improved in FreeIPA or maybe some obstacles removed so that plugins like this can be made easier?
Regards
--
Petr Vobornik

From Andy.Thompson at e-tcc.com Wed May 11 11:59:07 2016
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 11 May 2016 11:59:07 +0000
Subject: [Freeipa-users] freeipa as organizational CA
In-Reply-To: <20160509204337.dsl2xib5fazx3wmi@redhat.com>
References: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local> <20160509192307.5fuvef2ewzsyoyx6@redhat.com> <20160509204337.dsl2xib5fazx3wmi@redhat.com>
Message-ID: <51dd47579bb0481ca9f711f489a90eff@TCCCORPEXCH02.TCC.local>

>
> >
> >If I can get an exclusion for the sub-CA bits, can that be added at a
> >later time and just run with a root CA for now? Can it perform all of
> >the needs of an org CA outside of an IPA environment?
> Not through the IPA interfaces but standard Dogtag is there, with its (albeit a
> bit cumbersome) web UI. So I guess you could do what IPA doesn't allow via
> that one, though there will be no support for these functions.
>

What functions does IPA not allow?

-andy

From Andy.Thompson at e-tcc.com Wed May 11 12:06:39 2016
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 11 May 2016 12:06:39 +0000
Subject: [Freeipa-users] freeipa as organizational CA
In-Reply-To: <20160509225033.GM1237@dhcp-40-8.bne.redhat.com>
References: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local> <20160509192307.5fuvef2ewzsyoyx6@redhat.com> <20160509225033.GM1237@dhcp-40-8.bne.redhat.com>
Message-ID: <51210d0815dc474c8c246c5d59af2ac0@TCCCORPEXCH02.TCC.local>

> Andy, you can install FreeIPA as a sub-CA of your offline root.
> Support for creating sub-CAs *within* FreeIPA, under the "main"
> FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet
> available but I am working on that. But if you only need one CA as a sub-CA
> of an offline root, you can use FreeIPA today.
>

I've got this setup and working with an openssl minted root CA, I've minted a few certs and it all seems to work well enough.
I'm trying to sort out what features I might be missing using the FreeIPA implementation in this setup as compared to setting up dogtag, ejbca or looking at the RHCS product.

I've tried accessing the dogtag web console and it doesn't work on the IPA server.

Thanks!

-andy

From abokovoy at redhat.com Wed May 11 13:04:23 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 11 May 2016 09:04:23 -0400 (EDT)
Subject: [Freeipa-users] freeipa as organizational CA
In-Reply-To: <51dd47579bb0481ca9f711f489a90eff@TCCCORPEXCH02.TCC.local>
References: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local> <20160509192307.5fuvef2ewzsyoyx6@redhat.com> <20160509204337.dsl2xib5fazx3wmi@redhat.com> <51dd47579bb0481ca9f711f489a90eff@TCCCORPEXCH02.TCC.local>
Message-ID: <783508170.64026005.1462971863509.JavaMail.zimbra@redhat.com>

----- Original Message -----
> >
> > >
> > >If I can get an exclusion for the sub-CA bits, can that be added at a
> > >later time and just run with a root CA for now? Can it perform all of
> > >the needs of an org CA outside of an IPA environment?
> > Not through the IPA interfaces but standard Dogtag is there, with its
> > (albeit a
> > bit cumbersome) web UI. So I guess you could do what IPA doesn't allow via
> > that one, though there will be no support for these functions.
> >
>
> What functions does IPA not allow?

I meant support as in "Red Hat would not support your use of Dogtag behind FreeIPA beyond what is officially supported in FreeIPA", not the actual features of Dogtag.
--
/ Alexander Bokovoy

From ftweedal at redhat.com Wed May 11 13:07:12 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 11 May 2016 23:07:12 +1000
Subject: [Freeipa-users] freeipa as organizational CA
In-Reply-To: <51210d0815dc474c8c246c5d59af2ac0@TCCCORPEXCH02.TCC.local>
References: <89535b43cea443dd8b6efb4798b3bdc8@TCCCORPEXCH02.TCC.local> <20160509192307.5fuvef2ewzsyoyx6@redhat.com> <20160509225033.GM1237@dhcp-40-8.bne.redhat.com> <51210d0815dc474c8c246c5d59af2ac0@TCCCORPEXCH02.TCC.local>
Message-ID: <20160511130712.GX1237@dhcp-40-8.bne.redhat.com>

On Wed, May 11, 2016 at 12:06:39PM +0000, Andy Thompson wrote:
> > Andy, you can install FreeIPA as a sub-CA of your offline root.
> > Support for creating sub-CAs *within* FreeIPA, under the "main"
> > FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet
> > available but I am working on that. But if you only need one CA as a sub-CA
> > of an offline root, you can use FreeIPA today.
> >
>
> I've got this setup and working with an openssl minted root CA, I've minted a few certs and it all seems to work well enough. I'm trying to sort out what features I might be missing using the FreeIPA implementation in this setup as compared to setting up dogtag, ejbca or looking at the RHCS product.
>
> I've tried accessing the dogtag web console and it doesn't work on the IPA server.
>

The full Dogtag web UI is available on port 8443. If you need features like token processing or dedicated OCSP instance, these are only officially supported as part of RHCS.
Cheers,
Fraser

From jpazdziora at redhat.com Wed May 11 13:50:01 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 11 May 2016 15:50:01 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com>
Message-ID: <20160511135001.GF29312@redhat.com>

On Tue, May 03, 2016 at 09:27:44PM +0000, Hosakote Nagesh, Pawan wrote:
> Our apps are running in a docker image based on Ubuntu 14.04 that cannot be changed to redhat. We want to install freeipa-client within this docker so that our app
> uses freeipa ldap as against default ldap.
>
> The freeipa-client gets successfully installed in Ubuntu 14.04 plain machine, that is why I am hoping making it run in a Ubuntu 14.04 docker should also be very much possible.
>
> As you can see the things get stuck in not starting bus process properly (this problem is not seen in ubuntu on plain machine). I cannot see much debug statements by enabling --debug option in ipa-client-install.
> It's not clear why this process doesn't get started and what is missing in container as against plain machine which is making this install fail.
>
> I am on to this issue for 2 full days now. I am pasting whatever debug statements I got during install, here:
>
> Command
> -------
> ipa-client-install --domain= --server= hostname=jupyterhub.com --no-ntp --no-dns-sshfp
>
>
>
> Log (After Error starts to happen)
> -------
> Attached
>
> My main suspect is dbus service unable to start in this container where it launches on a plain machine.

Certainly.

What steps did you take to make dbus startable in the container? Do you have the dbus package installed?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From outbackdingo at gmail.com Wed May 11 14:13:32 2016
From: outbackdingo at gmail.com (Outback Dingo)
Date: Wed, 11 May 2016 16:13:32 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <20160511135001.GF29312@redhat.com>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> <20160511135001.GF29312@redhat.com>
Message-ID:

On Wed, May 11, 2016 at 3:50 PM, Jan Pazdziora wrote:
> On Tue, May 03, 2016 at 09:27:44PM +0000, Hosakote Nagesh, Pawan wrote:
> > Our apps are running in a docker image based on Ubuntu 14.04 that cannot
> > be changed to redhat. We want to install freeipa-client within this docker
> > so that our app
> > uses freeipa ldap as against default ldap.
> >
> > The freeipa-client gets successfully installed in Ubuntu 14.04 plain
> > machine, that is why I am hoping making it run in a Ubuntu 14.04 docker
> > should also be very much possible.
> >
> > As you can see the things get stuck in not starting bus process
> > properly (this problem is not seen in ubuntu on plain machine). I cannot see
> > much debug statements by enabling --debug option in ipa-client-install.
> > It's not clear why this process doesn't get started and what is missing
> > in container as against plain machine which is making this install fail.
> >
> > I am on to this issue for 2 full days now. I am pasting whatever debug
> > statements I got during install, here:
> >
> > Command
> > -------
> > ipa-client-install --domain= --server= hostname=jupyterhub.com --no-ntp --no-dns-sshfp
> >
> >
> >
> > Log (After Error starts to happen)
> > -------
> > Attached
> >
> > My main suspect is dbus service unable to start in this container where
> > it launches on a plain machine.
>
> Certainly.
>
> What steps did you take to make dbus startable in the container? Do
> you have the dbus package installed?
>
>
not to fork the subject, but it would be nice if there was a freeipa server on docker....

> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From zwolfinger at myemma.com Wed May 11 14:14:59 2016
From: zwolfinger at myemma.com (Zak Wolfinger)
Date: Wed, 11 May 2016 09:14:59 -0500
Subject: [Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install
Message-ID:

I'm trying to set up FreeIPA as a replica. I've followed the instructions in section 4 here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica

The replica install appears to be successful, but when I try to do "ipactl start" I get this:

IPA is not configured (see man pages of ipa-server-install for help)

I've looked through the man pages but I'm not seeing what needs to be done.

Can anyone offer suggestions?

From mbasti at redhat.com Wed May 11 14:19:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 11 May 2016 16:19:48 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To:
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> <20160511135001.GF29312@redhat.com>
Message-ID: <062d6728-1922-3bbc-634b-eab9cbb0ac96@redhat.com>

On 11.05.2016 16:13, Outback Dingo wrote:
>
>
> On Wed, May 11, 2016 at 3:50 PM, Jan Pazdziora wrote:
>
> On Tue, May 03, 2016 at 09:27:44PM +0000, Hosakote Nagesh, Pawan wrote:
> > Our apps are running in a docker image based on Ubuntu 14.04 that cannot
> > be changed to redhat. We want to install freeipa-client within this docker
> > so that our app
> > uses freeipa ldap as against default ldap.
> >
> > The freeipa-client gets successfully installed in Ubuntu 14.04 plain
> > machine, that is why I am hoping making it run in a Ubuntu 14.04 docker
> > should also be very much possible.
> >
> > As you can see the things get stuck in not starting bus process
> > properly (this problem is not seen in ubuntu on plain machine). I cannot
> > see much debug statements by enabling --debug option in ipa-client-install.
> > It's not clear why this process doesn't get started and what is missing
> > in container as against plain machine which is making this install fail.
> >
> > I am on to this issue for 2 full days now. I am pasting whatever debug
> > statements I got during install, here:
> >
> > Command
> > -------
> > ipa-client-install --domain= --server= hostname=jupyterhub.com --no-ntp --no-dns-sshfp
> >
> >
> >
> > Log (After Error starts to happen)
> > -------
> > Attached
> >
> > My main suspect is dbus service unable to start in this container where
> > it launches on a plain machine.
>
> Certainly.
>
> What steps did you take to make dbus startable in the container? Do
> you have the dbus package installed?
>
>
> not to fork the subject, but it would be nice if there was a freeipa
> server on docker....

https://hub.docker.com/r/adelton/freeipa-server/

this?

> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>
>
>

From outbackdingo at gmail.com Wed May 11 14:29:03 2016
From: outbackdingo at gmail.com (Outback Dingo)
Date: Wed, 11 May 2016 16:29:03 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <062d6728-1922-3bbc-634b-eab9cbb0ac96@redhat.com>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> <20160511135001.GF29312@redhat.com> <062d6728-1922-3bbc-634b-eab9cbb0ac96@redhat.com>
Message-ID:

On Wed, May 11, 2016 at 4:19 PM, Martin Basti wrote:
>
>
> On 11.05.2016 16:13, Outback Dingo wrote:
>
>
>
> On Wed, May 11, 2016 at 3:50 PM, Jan Pazdziora wrote:
>
>> On Tue, May 03, 2016 at 09:27:44PM +0000, Hosakote Nagesh, Pawan wrote:
>> > Our apps are running in a docker image based on Ubuntu 14.04 that
>> > cannot be changed to redhat. We want to install freeipa-client within this
>> > docker so that our app
>> > uses freeipa ldap as against default ldap.
>> >
>> > The freeipa-client gets successfully installed in Ubuntu 14.04 plain
>> > machine, that is why I am hoping making it run in a Ubuntu 14.04 docker
>> > should also be very much possible.
>> >
>> > As you can see the things get stuck in not starting bus process
>> > properly (this problem is not seen in ubuntu on plain machine). I cannot see
>> > much debug statements by enabling --debug option in ipa-client-install.
>> > It's not clear why this process doesn't get started and what is missing
>> > in container as against plain machine which is making this install fail.
>> >
>> > I am on to this issue for 2 full days now. I am pasting whatever debug
>> > statements I got during install, here:
>> >
>> > Command
>> > -------
>> > ipa-client-install --domain= --server= hostname=jupyterhub.com --no-ntp --no-dns-sshfp
>> >
>> >
>> >
>> > Log (After Error starts to happen)
>> > -------
>> > Attached
>> >
>> > My main suspect is dbus service unable to start in this container where
>> > it launches on a plain machine.
>>
>> Certainly.
>>
>> What steps did you take to make dbus startable in the container? Do
>> you have the dbus package installed?
>>
>>
> not to fork the subject, but it would be nice if there was a freeipa
> server on docker....
>
>
> https://hub.docker.com/r/adelton/freeipa-server/
>
> this?
>

possibly, maybe, ive not tried to deploy this under DC/OS mesosphere yet... might give it a go

>
>
>
>> --
>> Jan Pazdziora
>> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>>
>
>
>
>
From jpazdziora at redhat.com Wed May 11 14:31:40 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 11 May 2016 16:31:40 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <062d6728-1922-3bbc-634b-eab9cbb0ac96@redhat.com>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> <20160511135001.GF29312@redhat.com> <062d6728-1922-3bbc-634b-eab9cbb0ac96@redhat.com>
Message-ID: <20160511143140.GH29312@redhat.com>

On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote:
> On 11.05.2016 16:13, Outback Dingo wrote:
> >
> >not to fork the subject, but it would be nice if there was a freeipa
> >server on docker....
>
> https://hub.docker.com/r/adelton/freeipa-server/

Also http://www.freeipa.org/page/Docker and
https://github.com/adelton/docker-freeipa.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From zwolfinger at myemma.com Wed May 11 14:41:29 2016
From: zwolfinger at myemma.com (Zak Wolfinger)
Date: Wed, 11 May 2016 09:41:29 -0500
Subject: [Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install
In-Reply-To:
References:
Message-ID:

> On May 11, 2016, at 9:14 AM, Zak Wolfinger wrote:
>
> I'm trying to set up FreeIPA as a replica. I've followed the instructions in section 4 here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica
>
> The replica install appears to be successful, but when I try to do "ipactl start" I get this:
>
> IPA is not configured (see man pages of ipa-server-install for help)
>
> I've looked through the man pages but I'm not seeing what needs to be done.
>
> Can anyone offer suggestions?
>
>

I tried doing an ipa-server-install --uninstall and doing my ipa-replica-install again.
Now I'm seeing this:

[error] UNWILLING_TO_PERFORM: {'info': 'modification of attribute nsds5replicabinddngroup is not allowed in replica entry', 'desc': 'Server is unwilling to perform'}

The old server is FreeIPA 3.0 and the new replica is obviously 4.3. Am I missing something?

From sparky at charlietango.com Wed May 11 15:17:22 2016
From: sparky at charlietango.com (Jeffery Harrell)
Date: Wed, 11 May 2016 08:17:22 -0700
Subject: [Freeipa-users] DHCP plugin (don't get your hopes up)
In-Reply-To: <5b848a05-c7fe-22f0-a317-0516aac406d0@redhat.com>
References: <5b848a05-c7fe-22f0-a317-0516aac406d0@redhat.com>
Message-ID:

Thanks. It was a pretty long weekend's work.

As for easier, I'll be honest: I was really only able to do what I did by thoroughly reading the IPA source code. There's some quite good documentation embedded in some of the Python source files, so the Python side was pretty easy, but I found the JavaScript side to be a real challenge. It was very trial-and-error. I still have no idea why I can't get an attribute_table to work in place of a multivalue (see install/ui/js/freeipa/widget.js).

I think a quite important thing to pass on to others is how to debug IPA: You can use self.log.debug() calls in Python (to the pre-configured logging framework) if you invoke the ipa command as "ipa -d -e in_server=True" and that's very helpful -- but to make that work I had to install a global anyone all-permissions ACI. Otherwise I got an insufficient-access error that threw me out of the program before any LDAP create/update/delete calls could complete. Maybe I missed a command-line option or something.
On the JavaScript side, what worked best for me was to use Firebug with Firefox and make console.log() calls. I gather that you can basically do that without Firebug, but I'm not a web developer, so I went with what I knew -- or rather vaguely remembered from the last time I wrote a web page, back in the 90s.

As for the rest, it really boiled down to monkey-see-monkey-do mimicry. I can't find a range validator in the source code, so I want to write my own. Let me go grep the source to find examples of validators and see how they're written. And so on. The hard parts were when I wanted to do things that I don't think FreeIPA does itself, like a validator that executes an LDAP query. I had to flail my way through that one and probably did it all wrong.

I do have one concrete suggestion. You might maybe consider taking some chunk of functionality and packaging it as a separate, installable "reference plugin." DNS might be too complex for that, considering it has its tendrils in host.js etc. Maybe automount might be a good candidate. I bring this up because a good example is the best documentation. When somebody asks "How do I write a plugin?" you can just point and say "Why, like this."

Just a thought.

On May 11, 2016 at 4:03:04 AM, Petr Vobornik (pvoborni at redhat.com) wrote:

On 05/10/2016 09:39 PM, Jeffery Harrell wrote:
> As promised yesterday, here's the link to my bespoke DHCP plugin. It's really
> nothing, just a little thing I whipped up for my own use.
>
> https://github.com/jefferyharrell/IPA-dhcp
>
>

Very nice. This is probably the most complex 'external' IPA plugin I've seen. You must have put quite a lot of effort into making it happen.

Were there any areas in code/docs/wiki/... you encountered which you would like to see improved in FreeIPA or maybe some obstacles removed so that plugins like this can be made easier?

Regards
--
Petr Vobornik
From sparky at charlietango.com Wed May 11 15:19:23 2016
From: sparky at charlietango.com (Jeffery Harrell)
Date: Wed, 11 May 2016 08:19:23 -0700
Subject: [Freeipa-users] Exposing LDAP attributes with hyphens in their names?
In-Reply-To: <9072ad68-b208-b1ca-bcef-8d9e79ef3873@redhat.com>
References: <9072ad68-b208-b1ca-bcef-8d9e79ef3873@redhat.com>
Message-ID:

I've read Extending FreeIPA back to front (several times!) but I could spend more time alone with an iPad and a copy of the Guide. Thanks for the link.

On May 11, 2016 at 3:28:55 AM, Martin Kosek (mkosek at redhat.com) wrote:

On 05/06/2016 07:12 PM, Jeffery Harrell wrote:
> Hi. I'm very new to IPA; I only picked it up a couple weeks ago. So this may be
> a remedial question.
>
> I'd like to expose, both via the CLI and the GUI, certain LDAP attributes which
> have hyphens in their names -- e.g., "apple-user-homeurl." The Param class
> rejects these attributes because of the hyphens; the name of the Param doesn't
> conform to the regular expression so an exception gets thrown. This code does
> not work:
>
> user.user.takes_params = user.user.takes_params + (
>     Str('apple-user-homeurl',
>         cli_name='appleuserhomeurl',
>         label=_('Apple User Home URL'),
>         doc=_('Apple user home URL.'),
>     ),
> )
>
> Is there a sensible way of getting around that, or will I have to subclass Param
> and write a whole bunch of new code to get this to work?
>
> Thanks very much.
>
> Jeffery

Did you check the documentation we have so far?

http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
http://abbra.fedorapeople.org/guide.html

CCing Jan for reference.

Martin
From outbackdingo at gmail.com Wed May 11 15:33:55 2016
From: outbackdingo at gmail.com (Outback Dingo)
Date: Wed, 11 May 2016 17:33:55 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <20160511143140.GH29312@redhat.com>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> <20160511135001.GF29312@redhat.com> <062d6728-1922-3bbc-634b-eab9cbb0ac96@redhat.com> <20160511143140.GH29312@redhat.com>
Message-ID:

On Wed, May 11, 2016 at 4:31 PM, Jan Pazdziora wrote:
> On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote:
> > On 11.05.2016 16:13, Outback Dingo wrote:
> > >
> > >not to fork the subject, but it would be nice if there was a freeipa
> > >server on docker....
> >
> > https://hub.docker.com/r/adelton/freeipa-server/
>
> Also http://www.freeipa.org/page/Docker and
> https://github.com/adelton/docker-freeipa.
>
>
great now the question im afraid to ask is how can i migrate my running FreeIPA into the docker freeipa and save myself a whole server :)

> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>
URL: From jpazdziora at redhat.com Wed May 11 15:53:51 2016 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Wed, 11 May 2016 17:53:51 +0200 Subject: [Freeipa-users] Free IPA Client in Docker In-Reply-To: References: <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> <20160511135001.GF29312@redhat.com> <062d6728-1922-3bbc-634b-eab9cbb0ac96@redhat.com> <20160511143140.GH29312@redhat.com> Message-ID: <20160511155351.GC31959@redhat.com> On Wed, May 11, 2016 at 05:33:55PM +0200, Outback Dingo wrote: > > On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote: > > > > > > https://hub.docker.com/r/adelton/freeipa-server/ > > > > Also http://www.freeipa.org/page/Docker and > > https://github.com/adelton/docker-freeipa. > > great now the question im afraid to ask is how can i migrate my running > FreeIPA into the docker freeipa and save myself a whole server :) Start by understanding that FreeIPA in container is still proof of concept. You probably already have at least one replica -- just create the FreeIPA server in the container as another replica in your environment. That way you can test it gradually -- point clients to it, add it to DNS. I would not recommend attempting to convert existing installation in one swoop, by replacing it in place. 
-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From outbackdingo at gmail.com Wed May 11 15:56:35 2016
From: outbackdingo at gmail.com (Outback Dingo)
Date: Wed, 11 May 2016 17:56:35 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <20160511155351.GC31959@redhat.com>
References: <20160503084513.GC22308@10.4.128.1> <20160503210346.GA9681@10.4.128.1> <738CAE10-A036-4B3D-BFFF-3AC738B91921@ebay.com> <20160511135001.GF29312@redhat.com> <062d6728-1922-3bbc-634b-eab9cbb0ac96@redhat.com> <20160511143140.GH29312@redhat.com> <20160511155351.GC31959@redhat.com>
Message-ID: 

On Wed, May 11, 2016 at 5:53 PM, Jan Pazdziora wrote:
> On Wed, May 11, 2016 at 05:33:55PM +0200, Outback Dingo wrote:
> > > On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote:
> > > >
> > > > https://hub.docker.com/r/adelton/freeipa-server/
> > >
> > > Also http://www.freeipa.org/page/Docker and
> > > https://github.com/adelton/docker-freeipa.
> >
> > great now the question im afraid to ask is how can i migrate my running
> > FreeIPA into the docker freeipa and save myself a whole server :)
>
> Start by understanding that FreeIPA in container is still proof of
> concept.
>
> You probably already have at least one replica -- just create the
> FreeIPA server in the container as another replica in your environment.
> That way you can test it gradually -- point clients to it, add it to
> DNS. I would not recommend attempting to convert existing installation
> in one swoop, by replacing it in place.
>
yupp step by step, small personal environment mostly for personal dev lab and dns for my domains.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From peljasz at yahoo.co.uk Wed May 11 16:17:03 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 11 May 2016 17:17:03 +0100
Subject: [Freeipa-users] a user delegated to control a OU and realmd join - how..
Message-ID: <1462983423.4953.59.camel@yahoo.co.uk>

.. if possible, would you know?

hi everybody,

I'm trying, and hoping it is possible, to realm join an AD but in such a way so I tap my IPA into a specific OU within that AD. The thing is - I'm thinking it would make user access control ideal from the start as I need only users from that OU, but also because I'm only granted access to the user/group who has control over that OU.

I'm trying that but I see:

! The computer account RIDER already exists, but is not in the desired organizational unit.
adcli: joining domain ccc.bb.aa failed: The computer account RIDER already exists,
! Failed to join the domain

I'm doing this:

$ realm join ccc.bb.aa --user=private-user --computer-ou=private

and computer is in OU=private of ccc.bb.aa so is the user private-user

many thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From alexanders.mailinglists+nospam at gmail.com Wed May 11 21:07:24 2016
From: alexanders.mailinglists+nospam at gmail.com (Alexander Skwar)
Date: Wed, 11 May 2016 23:07:24 +0200
Subject: [Freeipa-users] LDAP access for user authentication?
In-Reply-To: 
References: 
Message-ID: 

Hello FreeIPA List :-)

For protecting a web application, we are going to use a Web Application Firewall (SES from USP). This WAF appliance needs to have a user "database". And for that, we would like to use FreeIPA 4.2 on RHEL 7.2.

The WAF can access external authentication "adapters" over various methods. Among them would be SOAP or LDAP. But not Kerberos... We're fixed on using this particular appliance.

Is it possible to use FreeIPA as an authentication source over LDAP?

It would be so, that users would have an account in IPA.
And on the WAF, there'd be a login form (or HTTP basic auth), where the user would enter username and password (and maybe there might even be 2FA, like SMS text or Google Authenticator or such - but for now, that would be out of scope).

The WAF would then send username and password to FreeIPA (using LDAP) and would need to get back, whether the combination was good or not.

Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even know of some good howtos or links? Any gotchas, that we'd need to be aware of?

Thanks a lot and best regards ("Viele Grüße"),
Alexander Skwar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From marc.boorshtein at tremolosecurity.com Wed May 11 21:23:17 2016
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Wed, 11 May 2016 17:23:17 -0400
Subject: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?
Message-ID: 

I've got a potential use case where I want to authenticate users using their AD credentials, store accounts and permissions in FreeIPA but not have a cross forest trust. One way to do this is to have SSSD talk LDAP to a virtual directory which would route the bind to AD but all other operations to the 389 backing IPA. Kerberos wouldn't work, but if you're interested in password or ssh key based auth it should work, right? Then you'd still get the HBAC benefits?

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity

From rcritten at redhat.com Wed May 11 22:06:12 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 May 2016 18:06:12 -0400
Subject: [Freeipa-users] LDAP access for user authentication?
In-Reply-To: 
References: 
Message-ID: <5733ACD4.7060601@redhat.com>

Alexander Skwar wrote:
> Hello FreeIPA List :-)
>
> For protecting a web application, we are going to use a Web Application
> Firewall (SES from USP). This WAF appliance needs to have a user
> "database". And for that, we would like to use FreeIPA 4.2 on RHEL 7.2.
>
> The WAF can access external authentication "adapters" over various
> methods. Among them would be SOAP or LDAP. But not Kerberos... We're
> fixed on using this particular appliance.
>
> Is it possible to use FreeIPA as an authentication source over LDAP?
>
> It would be so, that users would have an account in IPA. And on the WAF,
> there'd be a login form (or HTTP basic auth), where the user would enter
> username and password (and maybe there might even be 2FA, like SMS text
> or Google Authenticator or such - but for now, that would be out of scope).
>
> The WAF would then send username and password to FreeIPA (using LDAP)
> and would need to get back, whether the combination was good or not.
>
> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
> know of some good howtos or links? Any gotchas, that we'd need to be
> aware of?

Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP

rob

From Dan.Watson at bcferries.com Wed May 11 23:17:39 2016
From: Dan.Watson at bcferries.com (Watson, Dan)
Date: Wed, 11 May 2016 17:17:39 -0600
Subject: [Freeipa-users] getent passwd returns username@domain.com for username
Message-ID: 

Hi All,

I've run into some strangeness and I just haven't been able to find a solution online.

On my existing RHEL 6.5 servers everything runs fine. I do not use the IPA client install but rather manually setup SSSD, LDAP and Kerberos. We've got a RHEL 6.8 machine that just was added to IPA and it's showing some strangeness.

RHEL 6.5:
getent passwd
...
username:*:12345678:12345678:User Name:/home/username:/bin/bash
...

RHEL 6.8:
getent passwd
...
username at domain.com:*:12345678:12345678:User Name:/home/username:/bin/bash
...

They have the same sssd.conf, the same krb5.conf and all the same LDAP config files.

Has anyone seen this before?

Thanks!
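[Editor's note, not part of the thread above.] Rob's pointer to the HowTo/LDAP page covers the mechanics of the scenario Alexander describes: the appliance maps the login name to the user's DN and performs an LDAP simple bind with the submitted password; LDAP resultCode 0 means the password was accepted, 49 (invalidCredentials) means it was not. The example below is added here and is not FreeIPA project code or anything posted to the list. It hand-encodes the BindRequest/BindResponse exchange (RFC 4511 BER) with only the standard library so the protocol is visible end to end and the parsing can be exercised offline; the server name ipa.example.com, the base DN dc=example,dc=com and the LDAPS port 636 are placeholders, and the DN layout uid=LOGIN,cn=users,cn=accounts,BASEDN is FreeIPA's user tree. Two things a WAF integrator should not skip are built in: the password only ever travels over LDAPS, and an empty password is refused before any bind is sent, because a DN with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that a server may answer with success.

```python
"""Password check against a FreeIPA directory with an LDAP simple bind.

Added example, not FreeIPA project code. Placeholders (assumptions, not from
the thread): ipa.example.com, dc=example,dc=com, LDAPS on 636, and FreeIPA's
user DN layout uid=<login>,cn=users,cn=accounts,<base DN>.
"""
import re
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


# --- just enough BER (RFC 4511 wire format) for BindRequest / BindResponse ---

def _ber_len(n):
    """Definite-form length octets: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(n, tag=0x02):
    """Two's-complement INTEGER (0x02) or ENUMERATED (0x0a)."""
    return _tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def user_dn(login, base_dn="dc=example,dc=com"):
    """DN of a FreeIPA user entry. Logins outside a conservative character set
    are refused rather than escaped, so nothing can smuggle extra RDNs in."""
    if not re.fullmatch(r"[A-Za-z0-9_.$-]+", login):
        raise ValueError("unsupported characters in login name")
    return f"uid={login},cn=users,cn=accounts,{base_dn}"


def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, dn, [0] simple } }."""
    if not password:
        # RFC 4513 5.1.2: DN plus empty password is an *unauthenticated* bind,
        # which a server may answer with success. A front end that forwards an
        # empty form field would then "log in" anyone. Refuse before the wire.
        raise ValueError("empty password would be an unauthenticated bind")
    bind = _integer(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _integer(msg_id) + _tlv(0x60, bind))


def build_bind_response(msg_id, result, diag=""):
    """Server side of the exchange; used here only to construct sample replies."""
    body = _integer(result, 0x0A) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
    return _tlv(0x30, _integer(msg_id) + _tlv(0x61, body))


def parse_bind_response(data):
    """Return (messageID, resultCode, matchedDN, diagnosticMessage)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp 0x%02x" % tag)
    _, rc, pos = _read_tlv(resp, 0)
    _, matched, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big", signed=True),
            matched.decode(), diag.decode())


def check_password(login, password, host="ipa.example.com", port=636,
                   base_dn="dc=example,dc=com", timeout=5.0):
    """True only if the directory answered success to a bind as that user.
    LDAPS with certificate verification: the clear password crosses the wire,
    so plain port 389 without StartTLS is not an option."""
    request = build_simple_bind(1, user_dn(login, base_dn), password)
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            reply = tls.recv(4096)  # a BindResponse fits in one read
    msg_id, result, _, diag = parse_bind_response(reply)
    if msg_id != 1:
        raise ValueError("messageID mismatch in BindResponse")
    if result == LDAP_SUCCESS:
        return True
    if result == LDAP_INVALID_CREDENTIALS:
        return False
    raise RuntimeError(f"bind failed, resultCode {result}: {diag}")
```

A successful bind says only that the password matched: IPA's HBAC rules are enforced by SSSD on enrolled hosts, not by the directory, so a WAF that needs "is this user allowed here" semantics has to add its own group check (an LDAP search for memberOf on the user entry, using a dedicated read-only service account rather than the user's own bind). Any resultCode other than 0 or 49 (for example when the account is locked or the password has expired) is surfaced as an error rather than silently treated as "wrong password" so that it shows up in the appliance's logs.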
Dan From prasun.gera at gmail.com Thu May 12 03:28:49 2016 From: prasun.gera at gmail.com (Prasun Gera) Date: Wed, 11 May 2016 23:28:49 -0400 Subject: [Freeipa-users] krb5kdc service not starting In-Reply-To: <0984AB34E553F54B8705D776686863E70AC0379B@cd-exchange01.CD-PRD.candeal.ca> References: <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> <5720D80E.7070003@redhat.com> <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca> <5720DA04.3090506@redhat.com> <0984AB34E553F54B8705D776686863E70AC036FA@cd-exchange01.CD-PRD.candeal.ca> <20160427171859.h5g7ync3m3adcjwu@redhat.com> <0984AB34E553F54B8705D776686863E70AC0379B@cd-exchange01.CD-PRD.candeal.ca> Message-ID: Hi everyone, I had a pretty similar failure on my replica yesterday. The replica was not reachable, and I asked someone to have a look at the system. They presumably rebooted it. When it came back up, ipactl wouldn't start, and the symptoms were pretty similar to those described in this thread. I followed the solution of copying dse.ldif.startOK to dse.ldif, and that started everything. However, I see some errors in dirsrv's logs. It is constantly printing lines like "DSRetroclPlugin - delete_changerecord: could not delete change record 418295". Is that normal ? How do I confirm that the replica is back and fully functional ? Why did this happen in the first place ? On Wed, Apr 27, 2016 at 1:41 PM, Gady Notrica wrote: > All good!!! 
> > Gady > > -----Original Message----- > From: Alexander Bokovoy [mailto:abokovoy at redhat.com] > Sent: April 27, 2016 1:19 PM > To: Gady Notrica > Cc: Ludwig Krispenz; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] krb5kdc service not starting > > On Wed, 27 Apr 2016, Gady Notrica wrote: > >Hello Ludwig, > > > >Is there a reason why my AD show offline? > > > >[root at cd-p-ipa1 /]# wbinfo --online-status BUILTIN : online IPA : > >online CD-PRD : offline > wbinfo output is irrelevant for RHEL 7.2-based IPA trusts. > > You need to make sure that 'getent passwd CD-PRD\\Administrator' > resolves via SSSD. > > -- > / Alexander Bokovoy > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Thu May 12 06:58:35 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 12 May 2016 08:58:35 +0200 Subject: [Freeipa-users] Looking for documentation for Python API In-Reply-To: <20eddb00-e064-9390-018d-1896c5b85e9a@redhat.com> References: <1557170.p9MGeghmZ2@hosanna> <2410380.zRJEA5Vezc@hosanna> <20eddb00-e064-9390-018d-1896c5b85e9a@redhat.com> Message-ID: On 11.5.2016 10:52, Martin Kosek wrote: > On 05/07/2016 09:07 AM, Joshua J. 
Kugler wrote: >> On Friday, May 06, 2016 09:04:59 Martin Basti wrote: >>> since IPA4.2 web UI contains API browser (IPA Server/API Browser) >>> >>> So for example for caacl-add: >>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional >>> description") >>> >>> you can try commands in "ipa console" it contains initialized API, just >>> call api.Command.() >>> >>> API.txt provides the same information as API browser, but browser looks >>> better :) >>> >>> Feel free to ask anything, if you identified gaps in docs which are hard >>> to understand for non-IPA developer feel free report it, or feel free to >>> create howTo in freeipa.org page. >> >> Thanks for the pointers. I'm looking at automating some user and group >> additions, group editing, etc. Am I right in assuming that anything that uses >> the api.Command. will require a kinit before it is run, >> even if it is via the Python API? If I want to use a user/pass from the script >> itself (and not have a shell script which does kinit, then fires off my Python >> script) would I be better off hitting the web API with sessions and JSON-RPC as >> detailed here: >> >> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ >> >> Put another way, since I want to hit the API from a system that might not have >> sssd installed, nor has joined the realm, I assume it would be *impossible* to >> use api.Command. as it relies on a Kerberos ticket? To put it yet >> another way: is there a way to hand a user/pass to the Python API and >> authenticate that way. > > The API itself can be hit with user/password, as noted in Alexander's blog. If > you want to use the actual Python API, Kerberos may be the only way. But I > think Jan or Petr may had some other (hacky) way to pass user+password there too. I don't think we support anything but Kerberos on the client side in our Python API. 
It might be possible to somehow emulate what the web UI does, but I haven't personally ever attempted to do that. Petr, have you?

>
>> Those are the questions I did not see addressed in the docs that I found.
>> There were lots of examples of invoking commands, but I never saw anything
>> about authenticating to the server before running the commands.
>>
>> Thanks again for the pointers, and if there is documentation I missed, feel
>> free to point me in that direction.
>

-- 
Jan Cholasta

From jcholast at redhat.com Thu May 12 07:09:13 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 12 May 2016 09:09:13 +0200
Subject: [Freeipa-users] Exposing LDAP attributes with hyphens in their names?
In-Reply-To: 
References: <9072ad68-b208-b1ca-bcef-8d9e79ef3873@redhat.com>
Message-ID: <81093c5b-48dd-8555-1e24-32d955070ac9@redhat.com>

Hi,

see also this recent commit to get an idea how to deal with attributes with "weird" names: .

On 11.5.2016 17:19, Jeffery Harrell wrote:
> I've read Extending FreeIPA back to front (several times!) but I could
> spend more time alone with an iPad and a copy of the Guide. Thanks for
> the link.
>
>
> On May 11, 2016 at 3:28:55 AM, Martin Kosek (mkosek at redhat.com
> ) wrote:
>
>> On 05/06/2016 07:12 PM, Jeffery Harrell wrote:
>> > Hi. I'm very new to IPA; I only picked it up a couple weeks ago. So this may be
>> > a remedial question.
>> >
>> > I'd like to expose, both via the CLI and the GUI, certain LDAP attributes which
>> > have hyphens in their names, e.g. "apple-user-homeurl". The Param class
>> > rejects these attributes because of the hyphens; the name of the Param doesn't
>> > conform to the regular expression so an exception gets thrown. This code does
>> > not work:
>> >
>> > |user.user.takes_params = user.user.takes_params + ( Str( 'apple-user-homeurl',
>> > cli_name='appleuserhomeurl', label=_('Apple User Home URL'), doc=_('Apple user
>> > home URL.'), ), ) |
>> >
>> > Is there a sensible way of getting around that, or will I have to subclass Param
>> > and write a whole bunch of new code to get this to work?
>> >
>> > Thanks very much.
>> >
>> > Jeffery
>>
>> Did you check the documentation we have so far?
>>
>> http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>> http://abbra.fedorapeople.org/guide.html
>>
>> CCing Jan for reference.
>>
>> Martin

-- 
Jan Cholasta

From lslebodn at redhat.com Thu May 12 07:08:35 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 12 May 2016 09:08:35 +0200
Subject: [Freeipa-users] getent passwd returns username@domain.com for username
In-Reply-To: 
References: 
Message-ID: <20160512070835.GA23546@10.4.128.1>

On (11/05/16 17:17), Watson, Dan wrote:
>Hi All,
>
>I've run into some strangeness and I just haven't been able to find a solution online.
>
>On my existing RHEL 6.5 servers everything runs fine. I do not use the IPA client install but rather manually setup SSSD, LDAP and Kerberos. We've got a RHEL 6.8 machine that just was added to IPA and it's showing some strangeness.
>
>RHEL 6.5:
>getent passwd
>...
>username:*:12345678:12345678:User Name:/home/username:/bin/bash
>...
>
The output looks like with disabled option use_fully_qualified_names.

>RHEL 6.8:
>getent passwd
>...
>username at domain.com:*:12345678:12345678:User Name:/home/username:/bin/bash
>...
>
The output looks like with enabled option use_fully_qualified_names.

By default it should be false. However, if you use default_domain_suffix then the default value is true.
https://fedorahosted.org/sssd/ticket/2569

This bug fix was introduced in 1.13.0

LS

From harald.dunkel at aixigo.de Thu May 12 07:42:44 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Thu, 12 May 2016 09:42:44 +0200
Subject: [Freeipa-users] sssd went away, failed to restart
In-Reply-To: <20160223124602.GH2468@mail.corp.redhat.com>
References: <56CB16AF.9060303@aixigo.de> <20160222145152.GB3321@hendrix.arn.redhat.com> <56CC063E.7080900@aixigo.de> <20160223090003.GA3131@hendrix.redhat.com> <56CC2C86.8040109@aixigo.de> <20160223105825.GC2468@mail.corp.redhat.com> <56CC4A05.5040503@aixigo.de> <20160223124602.GH2468@mail.corp.redhat.com>
Message-ID: 

Hi folks,

On 02/23/16 13:46, Lukas Slebodnik wrote:
> On (23/02/16 13:01), Harald Dunkel wrote:
>> On 02/23/2016 11:58 AM, Lukas Slebodnik wrote:
>>> I would rather focus on different thing.
>>> Why is sssd_be process blocked for long time?
>>>
>>
>> I have no idea. Was it really blocked?
>>
> It needn't be blocked itself. But it was busy
> with some non-blocking operation which main process
> considered as bad state.
>
> Would you mind to share sssd log files with
> high debug level?
>

It happened again :-(. This *really* needs to be fixed. I wouldn't like to move back to ypbind.

Logfiles are attached. sssd is version 1.13.3. The server was rebooted at 05:56. At 06:03:18 sssd wrote the first logfile entries.

Every helpful comment is highly appreciated.

Harri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd.log
Type: text/x-log
Size: 8422 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_example.com.log
Type: text/x-log
Size: 15870 bytes
Desc: not available
URL: 

From lkrispen at redhat.com Thu May 12 08:25:04 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 12 May 2016 10:25:04 +0200
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: 
References: <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> <5720D80E.7070003@redhat.com> <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca> <5720DA04.3090506@redhat.com> <0984AB34E553F54B8705D776686863E70AC036FA@cd-exchange01.CD-PRD.candeal.ca> <20160427171859.h5g7ync3m3adcjwu@redhat.com> <0984AB34E553F54B8705D776686863E70AC0379B@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <57343DE0.1020908@redhat.com>

On 05/12/2016 05:28 AM, Prasun Gera wrote:
> Hi everyone,
> I had a pretty similar failure on my replica yesterday. The replica
> was not reachable, and I asked someone to have a look at the system.
> They presumably rebooted it. When it came back up, ipactl wouldn't
> start, and the symptoms were pretty similar to those described in this
> thread. I followed the solution of copying dse.ldif.startOK
> to dse.ldif, and that started everything.

This is very strange, it should not be possible to lose a dse.ldif, although you are now the second person reporting this. I have seen 0 length dse.ldif.tmp if a VM was powered off while ds was active, but from DS point of view it is not possible to completely lose the dse.ldif. The dse.ldif stores the configuration information including replication agreements and whenever this is updated the new state is written to disk.

The procedure is like this:
- create a dse.ldif.tmp (this is the only time a 0 byte dse.ldif* file exists)
- write the config to dse.ldif.tmp
- rename dse.ldif to dse.ldif.bak
- rename dse.ldif.tmp to dse.ldif

So, if the machine or the server crashes during this process there should always be a dse.ldif.tmp or dse.ldif.bak containing the current or latest information.

If anyone has an idea how powering off a VM can completely lose these files I would like to know.

> However, I see some errors in dirsrv's logs. It is constantly printing
> lines like "DSRetroclPlugin - delete_changerecord: could not delete
> change record 418295". Is that normal ?

Unfortunately it can be. If after a crash the beginning of the retro cl is incorrectly calculated, changelog trimming might try to remove no longer existing records; it is annoying but harmless, so far we have not further investigated how to prevent this.

> How do I confirm that the replica is back and fully functional ? Why
> did this happen in the first place ?
>
> On Wed, Apr 27, 2016 at 1:41 PM, Gady Notrica
> wrote:
>
> All good!!!
>
> Gady
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com
> ]
> Sent: April 27, 2016 1:19 PM
> To: Gady Notrica
> Cc: Ludwig Krispenz; freeipa-users at redhat.com
>
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On Wed, 27 Apr 2016, Gady Notrica wrote:
> >Hello Ludwig,
> >
> >Is there a reason why my AD show offline?
> >
> >[root at cd-p-ipa1 /]# wbinfo --online-status BUILTIN : online IPA :
> >online CD-PRD : offline
> wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.
>
> You need to make sure that 'getent passwd CD-PRD\\Administrator'
> resolves via SSSD.
> >
> -- 
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From lslebodn at redhat.com Thu May 12 08:26:35 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 12 May 2016 10:26:35 +0200
Subject: [Freeipa-users] sssd went away, failed to restart
In-Reply-To: 
References: <56CB16AF.9060303@aixigo.de> <20160222145152.GB3321@hendrix.arn.redhat.com> <56CC063E.7080900@aixigo.de> <20160223090003.GA3131@hendrix.redhat.com> <56CC2C86.8040109@aixigo.de> <20160223105825.GC2468@mail.corp.redhat.com> <56CC4A05.5040503@aixigo.de> <20160223124602.GH2468@mail.corp.redhat.com>
Message-ID: <20160512082634.GB23546@10.4.128.1>

On (12/05/16 09:42), Harald Dunkel wrote:
>Hi folks,
>
>On 02/23/16 13:46, Lukas Slebodnik wrote:
>> On (23/02/16 13:01), Harald Dunkel wrote:
>>> On 02/23/2016 11:58 AM, Lukas Slebodnik wrote:
>>>> I would rather focus on different thing.
>>>> Why is sssd_be process blocked for long time?
>>>>
>>>
>>> I have no idea. Was it really blocked?
>>>
>> It needn't be blocked itself. But it was busy
>> with some non-blocking operation which main process
>> considered as bad state.
>>
>> Would you mind to share sssd log files with
>> high debug level?
>>
>
>It happened again :-(. This *really* needs to be fixed.
>I wouldn't like to move back to ypbind.
>
I would like to, if I knew what to fix and how to reliably reproduce it.

>Logfiles are attached. sssd is version 1.13.3. The server
>was rebooted at 05:56. At 06:03:18 sssd wrote the first
>logfile entries.
>
I cannot see in log files that sssd was started.
Log files seem to be truncated and there seems to be a problem with network communication.

[be_resolve_server_process] (0x0200): Found address for server ipa2.example.com: [172.29.96.4] TTL 7200
[init_timeout] (0x0040): Client timed out before Identification [0x12d50c0]!
[sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
[fo_set_port_status] (0x0100): Marking port 389 of server 'ipa2.example.com' as 'not working'

Do you have mounted nfs on /var/log/ or anywhere else?
It can explain a lot if there are network related issues.

LS

From prasun.gera at gmail.com Thu May 12 08:45:08 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 12 May 2016 04:45:08 -0400
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <57343DE0.1020908@redhat.com>
References: <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> <5720D80E.7070003@redhat.com> <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca> <5720DA04.3090506@redhat.com> <0984AB34E553F54B8705D776686863E70AC036FA@cd-exchange01.CD-PRD.candeal.ca> <20160427171859.h5g7ync3m3adcjwu@redhat.com> <0984AB34E553F54B8705D776686863E70AC0379B@cd-exchange01.CD-PRD.candeal.ca> <57343DE0.1020908@redhat.com>
Message-ID: 

Trying to provide some additional information if it helps.
Here's the timeline of events from logs: Some logs from the failure: May 11 17:34:03 localhost ns-slapd: [11/May/2016:17:34:03 -0400] dse - The configuration file /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif was not restored from backup /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif.tmp, error -1 May 11 17:34:03 localhost ns-slapd: [11/May/2016:17:34:03 -0400] dse - The configuration file /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif was not restored from backup /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif.bak, error 0 May 11 17:34:03 localhost ns-slapd: [11/May/2016:17:34:03 -0400] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif. It is mandatory. May 11 17:34:03 localhost systemd: dirsrv at DOMAINNAME-EDU.service: control process exited, code=exited status=1 May 11 17:34:03 localhost systemd: Failed to start 389 Directory Server DOMAINNAME-EDU.. May 11 17:34:03 localhost systemd: Unit dirsrv at DOMAINNAME-EDU.service entered failed state. May 11 17:34:03 localhost systemd: dirsrv at DOMAINNAME-EDU.service failed. May 11 17:34:03 localhost ipactl: Job for dirsrv at DOMAINNAME-EDU.service failed because the control process exited with error code. See "systemctl status dirsrv at DOMAINNAME-EDU.service" and "journalctl -xe" for details. May 11 17:34:04 localhost ipactl: Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv at DOMAINNAME-EDU.service'' returned non-zero exit status 1 May 11 17:34:04 localhost ipactl: Starting Directory Service May 11 17:34:04 localhost systemd: ipa.service: main process exited, code=exited, status=1/FAILURE May 11 17:34:04 localhost systemd: Failed to start Identity, Policy, Audit. May 11 17:34:04 localhost systemd: Unit ipa.service entered failed state. May 11 17:34:04 localhost systemd: ipa.service failed. 
May 11 19:33:15 localhost ns-slapd: [11/May/2016:19:33:15 -0400] dse - The configuration file /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif was not restored from backup /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif.tmp, error -1 May 11 19:33:15 localhost ns-slapd: [11/May/2016:19:33:15 -0400] dse - The configuration file /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif was not restored from backup /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif.bak, error -1 May 11 19:33:15 localhost ns-slapd: [11/May/2016:19:33:15 -0400] config - The given config file /etc/dirsrv/slapd-DOMAINNAME-EDU/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.) May 11 19:33:15 localhost ns-slapd: [11/May/2016:19:33:15 -0400] schema - Could not add attribute type "objectClass" to the schema: attribute type objectClass: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" May 11 19:33:15 localhost ns-slapd: [11/May/2016:19:33:15 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes May 11 19:33:15 localhost ns-slapd: [11/May/2016:19:33:15 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes May 11 19:33:15 localhost ns-slapd: [11/May/2016:19:33:15 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes May 11 19:33:15 localhost ns-slapd: [11/May/2016:19:33:15 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes ... 
lots of similar messages 11/May/2016:17:19:34 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 111 (Connection refused) [11/May/2016:17:19:34 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [11/May/2016:17:24:34 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 111 (Connection refused) [11/May/2016:17:24:34 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [11/May/2016:17:29:34 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 111 (Connection refused) [11/May/2016:17:29:34 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [11/May/2016:17:32:21 -0400] - slapd shutting down - signaling operation threads - op stack size 17 max work q size 14 max work q stack size 14 [11/May/2016:17:32:21 -0400] - slapd shutting down - waiting for 28 threads to terminate [11/May/2016:17:32:21 -0400] - slapd shutting down - closing down internal subsystems and plugins [11/May/2016:17:32:24 -0400] nis-plugin - error sending request to portmap or rpcbind on 6: Broken pipe [11/May/2016:17:32:24 -0400] nis-plugin - retried sending request to portmap or rpcbind on 11, and succeeded [11/May/2016:17:32:24 -0400] nis-plugin - error sending request to portmap or rpcbind on 11: Broken pipe [11/May/2016:17:32:24 -0400] nis-plugin - retried sending request to portmap or rpcbind on 6, and succeeded [11/May/2016:17:32:24 -0400] nis-plugin - error sending request to 
portmap or rpcbind on 6: Broken pipe [11/May/2016:17:32:24 -0400] nis-plugin - retried sending request to portmap or rpcbind on 11, and succeeded [11/May/2016:17:32:24 -0400] nis-plugin - error sending request to portmap or rpcbind on 11: Broken pipe ... lots of similar messages Logs after trying the fix: [11/May/2016:23:19:49 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [11/May/2016:23:19:49 -0400] - 389-Directory/1.3.4.0 B2016.070.190 starting up [11/May/2016:23:19:49 -0400] - WARNING: changelog: entry cache size 2097152B is less than db size 13729792B; We recommend to increase the entry cache size nsslapd-cachememsize. [11/May/2016:23:19:49 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [11/May/2016:23:19:50 -0400] nis-plugin - warning: no entries in domain= domainname.edu,map=netgroup [11/May/2016:23:19:50 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=domainname,dc=edu [11/May/2016:23:19:50 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=domainname,dc=edu [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=dns,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=dns,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=dns,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=dns,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=domainname,dc=edu does not exist 
[11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=domainname,dc=edu does not exist [11/May/2016:23:19:51 -0400] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [11/May/2016:23:19:51 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=domainname,dc=edu--no CoS Templates found, which should be added before the CoS Definition. [11/May/2016:23:19:52 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica o=ipaca. 
Check if DB RUV needs to be updated [11/May/2016:23:19:52 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/idm_replica.com at DOMAINNAME.EDU] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [11/May/2016:23:19:52 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: disordely shutdown for replica dc=domainname,dc=edu. Check if DB RUV needs to be updated [11/May/2016:23:19:52 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [11/May/2016:23:19:52 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [11/May/2016:23:19:52 -0400] NSMMReplicationPlugin - agmt="cn= meToidm_master.cc.gt.atl.ga.us" (idm_master:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [11/May/2016:23:19:52 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-idm_replica.com-pki-tomcat" (idm_master:389): Unable to acquire replica: the replica instructed us to go into backoff mode. Will retry later. [11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 404054 (rc: 32) [11/May/2016:23:19:52 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests
[11/May/2016:23:19:52 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[11/May/2016:23:19:52 -0400] - Listening on /var/run/slapd-DOMAINNAME-EDU.socket for LDAPI requests
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 404055 (rc: 32)
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 404056 (rc: 32)
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 404057 (rc: 32)
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 404058 (rc: 32)
... lots of similar messages

On Thu, May 12, 2016 at 4:25 AM, Ludwig Krispenz wrote:

> On 05/12/2016 05:28 AM, Prasun Gera wrote:
>
> Hi everyone,
> I had a pretty similar failure on my replica yesterday. The replica was
> not reachable, and I asked someone to have a look at the system. They
> presumably rebooted it. When it came back up, ipactl wouldn't start, and
> the symptoms were pretty similar to those described in this thread. I
> followed the solution of copying dse.ldif.startOK to dse.ldif, and that
> started everything.
>
> This is very strange, it should not be possible to lose a dse.ldif,
> although you are now the second person reporting this. I have seen 0 length
> dse.ldif.tmp if a VM was powered off while ds was active, but from DS point
> of view it is not possible to completely lose the dse.ldif.
> The dse.ldif stores the configuration information including replication
> agreements, and whenever this is updated the new state is written to
> disk.
> The procedure is like this:
> -create a dse.ldif.tmp (this is the only time a 0 byte dse.ldif* file
> exists)
> -write the config to dse.ldif.tmp
> -rename dse.ldif to dse.ldif.bak
> -rename dse.ldif.tmp to dse.ldif
>
> So, if the machine or the server crashes during this process there should
> always be a dse.ldif.tmp or dse.ldif.bak containing the current or latest
> information. If anyone has an idea how powering off a VM can
> completely lose these files I would like to know.
>
> However, I see some errors in dirsrv's logs. It is constantly printing
> lines like "DSRetroclPlugin - delete_changerecord: could not delete change
> record 418295". Is that normal ?
>
> Unfortunately it can be. If after a crash the beginning of the retro cl is
> incorrectly calculated, changelog trimming might try to remove no longer
> existing records, it is annoying but harmless, so far we have not further
> investigated how to prevent this.
>
> How do I confirm that the replica is back and fully functional ? Why did
> this happen in the first place ?
>
> On Wed, Apr 27, 2016 at 1:41 PM, Gady Notrica wrote:
>
>> All good!!!
>>
>> Gady
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: April 27, 2016 1:19 PM
>> To: Gady Notrica
>> Cc: Ludwig Krispenz; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc service not starting
>>
>> On Wed, 27 Apr 2016, Gady Notrica wrote:
>> >Hello Ludwig,
>> >
>> >Is there a reason why my AD show offline?
>> >
>> >[root at cd-p-ipa1 /]# wbinfo --online-status
>> >BUILTIN : online
>> >IPA : online
>> >CD-PRD : offline
>> wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.
>>
>> You need to make sure that 'getent passwd CD-PRD\\Administrator'
>> resolves via SSSD.
>>
>> --
>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
>

From harald.dunkel at aixigo.de Thu May 12 09:03:13 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Thu, 12 May 2016 11:03:13 +0200
Subject: [Freeipa-users] sssd went away, failed to restart
In-Reply-To: <20160512082634.GB23546@10.4.128.1>
References: <56CB16AF.9060303@aixigo.de> <20160222145152.GB3321@hendrix.arn.redhat.com> <56CC063E.7080900@aixigo.de> <20160223090003.GA3131@hendrix.redhat.com> <56CC2C86.8040109@aixigo.de> <20160223105825.GC2468@mail.corp.redhat.com> <56CC4A05.5040503@aixigo.de> <20160223124602.GH2468@mail.corp.redhat.com> <20160512082634.GB23546@10.4.128.1>
Message-ID:

On 05/12/16 10:26, Lukas Slebodnik wrote:
> On (12/05/16 09:42), Harald Dunkel wrote:
>>
>> It happened again :-(. This *really* needs to be fixed.
>> I wouldn't like to move back to ypbind.
>>
> I would like to if I knew what to fix and how to reliably reproduce.
>

It would be very nice if sssd could become more reliable at
startup time. It gives up too easily. And it is not restarted
in case of a problem, which is fatal for a service providing
access to a user database.

>> Logfiles are attached. sssd is version 1.13.3. The server
>> was rebooted at 05:56. At 06:03:18 sssd wrote the first
>> logfile entries.
>>
> I cannot see in log files that sssd was started.
:
:
(Thu May 12 05:56:12 2016) [sssd] [monitor_quit] (0x0020): Child [sudo] exited gracefully
(Thu May 12 05:56:12 2016) [sssd] [monitor_quit] (0x0020): Terminating [nss][441]
(Thu May 12 05:56:12 2016) [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
(Thu May 12 06:03:18 2016) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for example.com: /var/lib/sss/db/cache_example.com.ldb
(Thu May 12 06:03:20 2016) [sssd] [get_ping_config] (0x0100): Time between service pings for [example.com]: [10]
(Thu May 12 06:03:20 2016) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [example.com]: [60]
(Thu May 12 06:03:20 2016) [sssd] [start_service] (0x0100): Queueing service example.com for startup
(Thu May 12 06:03:22 2016) [sssd] [sbus_server_init_new_connection] (0x0200): Entering.
:
:

> Log files seem to be truncated and there seems to be a problem
> with network communication.
>
> [be_resolve_server_process] (0x0200): Found address for server ipa2.example.com: [172.29.96.4] TTL 7200
> [init_timeout] (0x0040): Client timed out before Identification [0x12d50c0]!
> [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
> [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa2.example.com' as 'not working'
>

You have cut off the time stamps. Here they are:

(Thu May 12 06:03:31 2016) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa2.example.com: [172.29.96.4] TTL 7200
(Thu May 12 06:03:36 2016) [sssd[be[example.com]]] [init_timeout] (0x0040): Client timed out before Identification [0x12d50c0]!
(Thu May 12 06:03:37 2016) [sssd[be[example.com]]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
(Thu May 12 06:03:37 2016) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa2.example.com' as 'not working'

Obviously the 5 secs timeout is not sufficient for stable
operation.
I am not sure if that's the reason for sssd to
go away, though.

> Do you have mounted nfs on /var/log/ or anywhere else?

Surely not. All mount points are local.

> It can explain a lot if there are network related issues.
>

I don't see why there should be any network related issues.
The ipa servers were available all the time. The network
is configured static.

Regards
Harri

From lslebodn at redhat.com Thu May 12 11:48:07 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 12 May 2016 13:48:07 +0200
Subject: [Freeipa-users] sssd went away, failed to restart
In-Reply-To:
References: <20160222145152.GB3321@hendrix.arn.redhat.com> <56CC063E.7080900@aixigo.de> <20160223090003.GA3131@hendrix.redhat.com> <56CC2C86.8040109@aixigo.de> <20160223105825.GC2468@mail.corp.redhat.com> <56CC4A05.5040503@aixigo.de> <20160223124602.GH2468@mail.corp.redhat.com> <20160512082634.GB23546@10.4.128.1>
Message-ID: <20160512114807.GD23546@10.4.128.1>

On (12/05/16 11:03), Harald Dunkel wrote:
>On 05/12/16 10:26, Lukas Slebodnik wrote:
>> On (12/05/16 09:42), Harald Dunkel wrote:
>>>
>>> It happened again :-(. This *really* needs to be fixed.
>>> I wouldn't like to move back to ypbind.
>>>
>> I would like to if I knew what to fix and how to reliably reproduce.
>>
>
>It would be very nice if sssd could become more reliable at
>startup time. It gives up too easily. And it is not restarted
>in case of a problem, which is fatal for a service providing
>access to a user database.
>
It would be nice if you could provide a reliable reproducer.
I'm sorry we do not have a crystal ball and sssd log files
did not help either. They are truncated.

I would like to fix it but I do not know what to fix.

Is there anything interesting/suspicious in syslog/journald
from the same time?

>>> Logfiles are attached. sssd is version 1.13.3. The server
>>> was rebooted at 05:56. At 06:03:18 sssd wrote the first
>>> logfile entries.
>>>
>> I cannot see in log files that sssd was started.
>
>:
>:
>(Thu May 12 05:56:12 2016) [sssd] [monitor_quit] (0x0020): Child [sudo] exited gracefully
>(Thu May 12 05:56:12 2016) [sssd] [monitor_quit] (0x0020): Terminating [nss][441]
>(Thu May 12 05:56:12 2016) [sssd] [monitor_quit] (0x0020): Child [nss] exited gracefully
>(Thu May 12 06:03:18 2016) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for example.com: /var/lib/sss/db/cache_example.com.ldb
>(Thu May 12 06:03:20 2016) [sssd] [get_ping_config] (0x0100): Time between service pings for [example.com]: [10]
>(Thu May 12 06:03:20 2016) [sssd] [get_ping_config] (0x0100): Time between SIGTERM and SIGKILL for [example.com]: [60]
>(Thu May 12 06:03:20 2016) [sssd] [start_service] (0x0100): Queueing service example.com for startup
>(Thu May 12 06:03:22 2016) [sssd] [sbus_server_init_new_connection] (0x0200): Entering.
>:
>:
>
I saw these lines but I miss messages about startup of sssd.
something like:

[server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
[dp_get_options] (0x0400): Option lookup_family_order has value ipv4_first
[dp_get_options] (0x0400): Option dns_resolver_timeout has value 6
[dp_get_options] (0x0400): Option dns_resolver_op_timeout has value 6
[dp_get_options] (0x0400): Option dns_discovery_domain has no value
[be_res_get_opts] (0x0100): Lookup order: ipv4_first
[recreate_ares_channel] (0x0100): Initializing new c-ares channel
[fo_context_init] (0x0400): Created new fail over context, retry timeout is 30
[confdb_get_domain_internal] (0x0400): No enumeration for [example.com]!
[confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
[sysdb_domain_init_internal] (0x0200): DB File for example.com: /var/lib/sss/db/cache_example.com.ldb
[sbus_init_connection] (0x0400): Adding connection 0x55b875a67cc0
[sbus_add_watch] (0x2000): 0x55b875a68ae0/0x55b875a67590 (15), -/W (enabled)
[sbus_toggle_watch] (0x4000): 0x55b875a68ae0/0x55b875a675e0 (15), R/- (disabled)
[sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.sssd.service with path /org/freedesktop/sssd/service
[sbus_conn_register_path] (0x0400): Registering object path /org/freedesktop/sssd/service with D-Bus connection
[sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Properties with path /org/freedesktop/sssd/service
[sbus_opath_hash_add_iface] (0x0400): Registering interface org.freedesktop.DBus.Introspectable with path /org/freedesktop/sssd/service
[monitor_common_send_id] (0x0100): Sending ID: (%BE_example.com,1)

>> Log files seem to be truncated and there seems to be a problem
>> with network communication.
>>
>> [be_resolve_server_process] (0x0200): Found address for server ipa2.example.com: [172.29.96.4] TTL 7200
>> [init_timeout] (0x0040): Client timed out before Identification [0x12d50c0]!
>> [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
>> [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa2.example.com' as 'not working'
>>
>
>You have cut off the time stamps. Here they are:
>
That was on purpose. Because it's clear that "Communication with KDC timed out"
The question is why?
6 seconds must be enough unless you try to connect to a server
which is located on the opposite side of the globe.

>(Thu May 12 06:03:31 2016) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa2.example.com: [172.29.96.4] TTL 7200
>(Thu May 12 06:03:36 2016) [sssd[be[example.com]]] [init_timeout] (0x0040): Client timed out before Identification [0x12d50c0]!
>(Thu May 12 06:03:37 2016) [sssd[be[example.com]]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
>(Thu May 12 06:03:37 2016) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa2.example.com' as 'not working'
>
>Obviously the 5 secs timeout is not sufficient for stable
>operation. I am not sure if that's the reason for sssd to
>go away, though.
>
The default value of ldap_opt_timeout is 6 seconds.
You might try to increase it but it will not help if ipa2.example.com
is unresponsive. It will just complicate the situation because sssd will
try to fall back later to another server (ipa1.example.com).
You might see in log files that communication with ipa1.example.com
was successful.

>> Do you have mounted nfs on /var/log/ or anywhere else?
>
>Surely not. All mount points are local.
>
Thank you.

>> It can explain a lot if there are network related issues.
>>
>
>I don't see why there should be any network related issues.
>The ipa servers were available all the time. The network
>is configured static.
>
If there is no problem with the network then can you explain why
sssd was not able to communicate with ipa2.example.com?

LS

From pspacek at redhat.com Thu May 12 13:25:54 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 12 May 2016 15:25:54 +0200
Subject: [Freeipa-users] Announcing bind-dyndb-ldap version 9.0
Message-ID: <9485c6ce-fdae-32f4-83f7-7d6e185127e0@redhat.com>

The FreeIPA team is proud to announce bind-dyndb-ldap version 9.0.

It can be downloaded from
https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora 24+:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-6efaecbe9f

Latest news:

9.0
====

[1] Automatic empty zones conflicting with forward zones with policy 'only'
    are now automatically unloaded. Warning is issued if the conflicting
    forward zone has policy 'first' but the zone is not unloaded.
    Conflict occurs if empty zone and forward zone are super/sub/equal
    domains.

    !!! This changes semantics of data in LDAP. !!!
    Users without FreeIPA version 4.3.2+ have to upgrade their data manually.

== Upgrading ==
A server can be upgraded by installing updated RPM. BIND has to be
restarted manually after the RPM installation.

Downgrading back to any 8.x version is supported but automatic empty zone
unload might not happen after downgrade.

FreeIPA users should upgrade to version 4.3.2 or newer to auto-upgrade
zone configuration in LDAP.

== Feedback ==
Please provide comments, report bugs and send any other feedback via the
freeipa-users mailing list:
http://www.redhat.com/mailman/listinfo/freeipa-users

--
Petr^2 Spacek

From harald.dunkel at aixigo.de Thu May 12 13:35:46 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Thu, 12 May 2016 15:35:46 +0200
Subject: [Freeipa-users] sssd went away, failed to restart
In-Reply-To: <20160512114807.GD23546@10.4.128.1>
References: <20160222145152.GB3321@hendrix.arn.redhat.com> <56CC063E.7080900@aixigo.de> <20160223090003.GA3131@hendrix.redhat.com> <56CC2C86.8040109@aixigo.de> <20160223105825.GC2468@mail.corp.redhat.com> <56CC4A05.5040503@aixigo.de> <20160223124602.GH2468@mail.corp.redhat.com> <20160512082634.GB23546@10.4.128.1> <20160512114807.GD23546@10.4.128.1>
Message-ID:

On 05/12/16 13:48, Lukas Slebodnik wrote:
> It would be nice if you could provide a reliable reproducer.
> I'm sorry we do not have a crystal ball and sssd log files
> did not help either. They are truncated.
>

That's all I got.

> I would like to fix it but I do not know what to fix.
>
> Is there anything interesting/suspicious in syslog/journald
> from the same time?
>

"journalctl -u sssd" says

May 12 06:03:15 srvvm01.ac.example.com sssd[373]: Starting up
May 12 06:03:21 srvvm01.ac.example.com sssd[be[417]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[438]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[440]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[437]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[439]: Starting up
May 12 06:03:29 srvvm01.ac.example.com sssd[441]: Starting up
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 2
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: sssd.service start operation timed out. Terminating.
May 12 06:04:05 srvvm01.ac.example.com sssd[438]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[437]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[be[417]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Failed to start System Security Services Daemon.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Unit sssd.service entered failed state.

AFAICS we have to focus in sssd_example.com.log on the log file
entries between 06:03:29 and 06:04:05. Did you notice the "Backend is
online, starting delayed online authentication" close to the end of the
log file? Is this expected? What should have happened next?

:
:
>> You have cut off the time stamps. Here they are:
>>
> That was on purpose. Because it's clear that "Communication with KDC timed out"
> The question is why?
> 6 seconds must be enough unless you try to connect to a server
> which is located on the opposite side of the globe.
>

Sorry to say, but this assumption is not justified.
Next to network lag there can be other delays (swapped out jobs,
out of entropy on /dev/random, a disk needs to spin up, high load,
DNS not responding, whatever).

Would you agree that this is OT, since sssd *did* find ipa1
within a reasonable time?

Regards
Harri

From harald.dunkel at aixigo.de Thu May 12 14:16:47 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Thu, 12 May 2016 16:16:47 +0200
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To: <571F895F.3060108@ubuntu.com>
References: <5710DB60.7070508@redhat.com> <57148953.1070904@redhat.com> <5714CE39.9030704@ubuntu.com> <15ebb4fd-49e1-da66-d0a1-94d13da4e60f@aixigo.de> <571F895F.3060108@ubuntu.com>
Message-ID:

On 04/26/16 17:29, Timo Aaltonen wrote:
>
> I guess 4.3.1 would need to be in sid first, and it just got rejected
> because of the minified javascript (bug #787593). Don't know when
> that'll get fixed.
>

Since 24beta is out without fixing
https://fedorahosted.org/freeipa/ticket/5639
I wonder if the Fedora folks really care about this bug. Did they
kick out the freeipa RPMs for breaking the guidelines?

Do you think it would be possible to put freeipa packages suitable
for Debian/sid & Ubuntu on freeipa.org, in parallel to the RPMs for
Fedora?

Regards
Harri

From gjn at gjn.priv.at Thu May 12 14:41:11 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 12 May 2016 16:41:11 +0200
Subject: [Freeipa-users] DNSSEC NSEC3 Parameter
Message-ID: <2080819.5b3ocLUXhc@techz>

Hello,

I have the problem to find the correct way for NSEC3PARAM ?

With your help I have found this

ipa dnszone-mod example.com. --nsec3param-rec " "

But it does not work correctly ?

Now the question, is this the correct way

ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"

to insert the NSEC3PARAMETER ??

--
with kind regards / best regards,

Günther J.
Niederwimmer

From Dan.Watson at bcferries.com Thu May 12 17:23:27 2016
From: Dan.Watson at bcferries.com (Watson, Dan)
Date: Thu, 12 May 2016 11:23:27 -0600
Subject: [Freeipa-users] getent passwd returns username@domain.com for username
In-Reply-To: <20160512070835.GA23546@10.4.128.1>
References: <20160512070835.GA23546@10.4.128.1>
Message-ID:

Turned out to be the default_domain_suffix setting. It appears our RHEL 6.5
installs ignore it but RHEL 6.8 doesn't. Now that the setting actually does
something I've discovered my setting was wrong.

Thanks!
Dan

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
Sent: May 12, 2016 12:09 AM
To: Watson, Dan
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] getent passwd returns username at domain.com for username

On (11/05/16 17:17), Watson, Dan wrote:
>Hi All,
>
>I've run into some strangeness and I just haven't been able to find a solution online.
>
>On my existing RHEL 6.5 servers everything runs fine. I do not use the IPA client install but rather manually set up SSSD, LDAP and Kerberos. We've got a RHEL 6.8 machine that just was added to IPA and it's showing some strangeness.
>
>RHEL 6.5:
>getent passwd
>...
>username:*:12345678:12345678:User Name:/home/username:/bin/bash
>...
>
The output looks like with disabled option use_fully_qualified_names.

>RHEL 6.8:
>getent passwd
>...
>username at domain.com:*:12345678:12345678:User Name:/home/username:/bin/bash
>...
>
The output looks like with enabled option use_fully_qualified_names.
By default it should be false. However, if you use default_domain_suffix
then the default value is true.
https://fedorahosted.org/sssd/ticket/2569
This bug fix was introduced in 1.13.0

LS

From mkosek at redhat.com Fri May 13 07:40:05 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 13 May 2016 09:40:05 +0200
Subject: [Freeipa-users] DNSSEC NSEC3 Parameter
In-Reply-To: <2080819.5b3ocLUXhc@techz>
References: <2080819.5b3ocLUXhc@techz>
Message-ID:

On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> Hello,
> I have the problem to find the correct way for NSEC3PARAM ?
>
> With your help I have found this
>
> ipa dnszone-mod example.com. --nsec3param-rec " "
>
> But it does not work correctly ?
>
> Now the question, is this the correct way
>
> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>
> to insert the NSEC3PARAMETER ??

This should be right, there were related fixes by
https://fedorahosted.org/freeipa/ticket/4413

Your second command works in my test environment:

# ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
# dig -t nsec3param example.com. +short
1 7 100 F9BA6264232B7283

Martin

From tjaalton at ubuntu.com Fri May 13 08:47:48 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Fri, 13 May 2016 11:47:48 +0300
Subject: [Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install
In-Reply-To:
References:
Message-ID: <573594B4.4080300@ubuntu.com>

On 11.05.2016 17:14, Zak Wolfinger wrote:
> I'm trying to set up FreeIPA as a replica. I've followed the
> instructions in section 4 here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica
>
> The replica install appears to be successful, but when I try to do
> "ipactl start" I get this:
>
> IPA is not configured (see man pages of ipa-server-install for help)
>
> I've looked through the man pages but I'm not seeing what needs to be
> done.
4.3 on ubuntu supports only domain level 1 replicas, so you need to have
4.3 server installed first and then install a client and promote it to a
replica.

--
t

From abokovoy at redhat.com Fri May 13 09:46:12 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 13 May 2016 12:46:12 +0300
Subject: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?
In-Reply-To:
References:
Message-ID: <20160513094612.fbixzgs4p3mwxnyg@redhat.com>

On Wed, 11 May 2016, Marc Boorshtein wrote:
>I've got a potential use case where I want to authenticate users using
>their AD credentials, store accounts and permissions in FreeIPA but
>not have a cross forest trust. One way to do this is to have SSSD
>talk LDAP to a virtual directory which would route the bind to AD but
>all other operations to the 389 backing IPA. Kerberos wouldn't work,
>but if you're interested in password or ssh key based auth it should
>work, right? Then you'd still get the HBAC benefits?
There is more than just look up in LDAP when talking to AD DCs. Trust
ensures we have enough correctly set security descriptors on the objects
we use to represent our identity to access AD DCs. If that part is
missing, you get all kinds of problems.

Replacing trust by something that is effectively attempting to simulate
trust but not being a trust scenario is, of course, possible. However, I
don't see this as something we'd like to put any reasonable time to
develop because it is a corner case with disproportional amount of
development time investment. You may disagree and that's fine, but this
doesn't change the fact that somebody needs to invest time into it.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri May 13 09:49:57 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 13 May 2016 12:49:57 +0300
Subject: [Freeipa-users] Looking for documentation for Python API
In-Reply-To:
References: <1557170.p9MGeghmZ2@hosanna> <2410380.zRJEA5Vezc@hosanna> <20eddb00-e064-9390-018d-1896c5b85e9a@redhat.com>
Message-ID: <20160513094957.sxjh4kq56byge4ks@redhat.com>

On Thu, 12 May 2016, Jan Cholasta wrote:
>On 11.5.2016 10:52, Martin Kosek wrote:
>>On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>
>>>>So for example for caacl-add:
>>>>api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>>>description")
>>>>
>>>>you can try commands in "ipa console" it contains initialized API, just
>>>>call api.Command.()
>>>>
>>>>API.txt provides the same information as API browser, but browser looks
>>>>better :)
>>>>
>>>>Feel free to ask anything, if you identified gaps in docs which are hard
>>>>to understand for non-IPA developer feel free report it, or feel free to
>>>>create howTo in freeipa.org page.
>>>
>>>Thanks for the pointers. I'm looking at automating some user and group
>>>additions, group editing, etc. Am I right in assuming that anything that uses
>>>the api.Command. will require a kinit before it is run,
>>>even if it is via the Python API? If I want to use a user/pass from the script
>>>itself (and not have a shell script which does kinit, then fires off my Python
>>>script) would I be better off hitting the web API with sessions and JSON-RPC as
>>>detailed here:
>>>
>>>https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>
>>>Put another way, since I want to hit the API from a system that might not have
>>>sssd installed, nor has joined the realm, I assume it would be *impossible* to
>>>use api.Command. as it relies on a Kerberos ticket?
>>>To put it yet
>>>another way: is there a way to hand a user/pass to the Python API and
>>>authenticate that way.
>>
>>The API itself can be hit with user/password, as noted in Alexander's blog. If
>>you want to use the actual Python API, Kerberos may be the only way. But I
>>think Jan or Petr may have had some other (hacky) way to pass user+password there too.
>
>I don't think we support anything but Kerberos on the client side in
>our Python API. It might be possible to somehow emulate what the web
>UI does, but I haven't personally ever attempted to do that. Petr,
>have you?
It should be relatively easy to update IPA cli code to accept a jar with
a cookie and use that if Kerberos ccache is missing or empty.

--
/ Alexander Bokovoy

From marc.boorshtein at tremolosecurity.com Fri May 13 10:27:19 2016
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Fri, 13 May 2016 06:27:19 -0400
Subject: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?
In-Reply-To: <20160513094612.fbixzgs4p3mwxnyg@redhat.com>
References: <20160513094612.fbixzgs4p3mwxnyg@redhat.com>
Message-ID:

Thanks Alexander. I wasn't looking to get anything developed, just
curious if it would work or even if there was something I could try on
my end like a change to a directory setting to see if it would even
work. Understood that there's more in the connection between the
ipaclient and the DC than just LDAP.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity

On Fri, May 13, 2016 at 5:46 AM, Alexander Bokovoy wrote:
> On Wed, 11 May 2016, Marc Boorshtein wrote:
>>
>> I've got a potential use case where I want to authenticate users using
>> their AD credentials, store accounts and permissions in FreeIPA but
>> not have a cross forest trust.
One way to do this is to have SSSD >> talk LDAP to a virtual directory which would route the bind to AD but >> all other operations to the 389 backing IPA. Kerberos wouldn't work, >> but if you're interested in password or ssh key based auth it should >> work, right? Then you'd still get the HBAC benefits? > > There is more than just look up in LDAP when talking to AD DCs. Trust > ensures we have enough correctly set security descriptors on the objects > we use to represent our identity to access AD DCs. If that part is > missing, you get all kinds of problems. > > Replacing trust by something that is effectively attempting to simulate > trust but not being a trust scenario is, of course, possible. However, I > don't see this as something we'd like to put any reasonable time to > develop because it is a corner case with disproportional amount of > development time investment. You may disagree and that's fine, but this > doesn't change the fact that somebody needs to invest time into it. > -- > / Alexander Bokovoy From pvoborni at redhat.com Fri May 13 10:50:10 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 13 May 2016 12:50:10 +0200 Subject: [Freeipa-users] Looking for documentation for Python API In-Reply-To: <20160513094957.sxjh4kq56byge4ks@redhat.com> References: <1557170.p9MGeghmZ2@hosanna> <2410380.zRJEA5Vezc@hosanna> <20eddb00-e064-9390-018d-1896c5b85e9a@redhat.com> <20160513094957.sxjh4kq56byge4ks@redhat.com> Message-ID: <44d87ae0-2353-7abe-6f66-219fe2e85f4f@redhat.com> On 05/13/2016 11:49 AM, Alexander Bokovoy wrote: > On Thu, 12 May 2016, Jan Cholasta wrote: >> On 11.5.2016 10:52, Martin Kosek wrote: >>> On 05/07/2016 09:07 AM, Joshua J. 
Kugler wrote: >>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote: >>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser) >>>>> >>>>> So for example for caacl-add: >>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional >>>>> description") >>>>> >>>>> you can try commands in "ipa console" it contains initialized API, >>>>> just >>>>> call api.Command.() >>>>> >>>>> API.txt provides the same information as API browser, but browser >>>>> looks >>>>> better :) >>>>> >>>>> Feel free to ask anything, if you identified gaps in docs which are >>>>> hard >>>>> to understand for non-IPA developer feel free report it, or feel >>>>> free to >>>>> create howTo in freeipa.org page. >>>> >>>> Thanks for the pointers. I'm looking at automating some user and group >>>> additions, group editing, etc. Am I right in assuming that anything >>>> that uses >>>> the api.Command. will require a kinit before it >>>> is run, >>>> even if it is via the Python API? If I want to use a user/pass from >>>> the script >>>> itself (and not have a shell script which does kinit, then fires off >>>> my Python >>>> script) would I be better off hitting the web API with sessions and >>>> JSON-RPC as >>>> detailed here: >>>> >>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ >>>> >>>> >>>> Put another way, since I want to hit the API from a system that >>>> might not have >>>> sssd installed, nor has joined the realm, I assume it would be >>>> *impossible* to >>>> use api.Command. as it relies on a Kerberos ticket? To >>>> put it yet >>>> another way: is there a way to hand a user/pass to the Python API and >>>> authenticate that way. >>> >>> The API itself can be hit with user/password, as noted in Alexander's >>> blog. If >>> you want to use the actual Python API, Kerberos may be the only way. >>> But I >>> think Jan or Petr may had some other (hacky) way to pass >>> user+password there too. 
>> >> I don't think we support anything but Kerberos on the client side in >> our Python API. It might be possible to somehow emulate what the web >> UI does, but I haven't personally ever attempted to do that. Petr, >> have you? > It should be relatively easy to update IPA cli code to accept a jar with > a cookie and use that if Kerberos ccache is missing or empty. > I implemented it a year ago, but the patch was not merged: https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html -- Petr Vobornik From gjn at gjn.priv.at Fri May 13 11:14:32 2016 From: gjn at gjn.priv.at (Günther J. Niederwimmer) Date: Fri, 13 May 2016 13:14:32 +0200 Subject: [Freeipa-users] DNSSEC active (?) ods-ksmutil Message-ID: <5441777.IjQLvK8XRb@techz> Hello, I have now activated my domain with DNSSEC, but I think I have a problem setting it ACTIVE? I installed and tested it from https://www.freeipa.org/page/Howto/DNSSEC but my output from sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447 is Cannot open destination file, will not make backup. No keys in the READY state matched your parameters, please check the parameters when I say sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list --verbose SQLite database set to: /var/opendnssec/kasp.db Keys: Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag: example.com KSK publish 2016-05-14 00:16:00 (ready) 3072 8 6145b3b71c448dfc1130d0f9d2caac79 SoftHSM 40447 example.com ZSK active 2016-08-11 10:16:00 (retire) 2048 8 d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM 60630 The DS records are published in the ".com" domain dig +rrcomments example.com DS ;; ANSWER SECTION: example.com. 85610 IN DS 40447 8 1 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913 example.com. 85610 IN DS 40447 8 2 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734 Is this the correct status or do I have to change anything? 
Do I have to change the KSK status from publish to active, or is this correct? Thanks for an answer -- with kind regards / best regards, Günther J. Niederwimmer From pspacek at redhat.com Fri May 13 11:35:57 2016 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 13 May 2016 13:35:57 +0200 Subject: [Freeipa-users] DNSSEC active (?) ods-ksmutil In-Reply-To: <5441777.IjQLvK8XRb@techz> References: <5441777.IjQLvK8XRb@techz> Message-ID: <6376ae07-ba36-94eb-ecf4-220842966170@redhat.com> On 13.5.2016 13:14, Günther J. Niederwimmer wrote: > Hello, > I have now activated my domain with DNSSEC, but I think I have a problem setting > it ACTIVE? > > I installed and tested it from > https://www.freeipa.org/page/Howto/DNSSEC > > but my output from > sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key ds-seen --zone example.com --keytag 40447 > is > > Cannot open destination file, will not make backup. > No keys in the READY state matched your parameters, please check the > parameters This is correct. Configured TTL did not expire yet so the key is not "ready". See the column "Date of next transition". You will be able to activate the key when this time passes. For detailed info please see https://wiki.opendnssec.org/display/DOCS/Key+States If you are going to use DNSSEC please make sure to use the very latest FreeIPA 4.3.1 or newer. We fixed a lot of bugs in the last release. 
Petr^2 Spacek > > when I say > > sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key list > --verbose > SQLite database set to: /var/opendnssec/kasp.db > Keys: > Zone: Keytype: State: Date of next > transition (to): Size: Algorithm: CKA_ID: > Repository: Keytag: > example.com KSK publish 2016-05-14 00:16:00 > (ready) 3072 8 6145b3b71c448dfc1130d0f9d2caac79 SoftHSM > 40447 > example.com ZSK active 2016-08-11 10:16:00 > (retire) 2048 8 d7fe5c98d5f3f89aefb9e8dfb92ebcb1 SoftHSM > 60630 > > The DS records are published in the ".com" domain > > dig +rrcomments example.com DS > ;; ANSWER SECTION: > example.com. 85610 IN DS 40447 8 1 > 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913 > example.com. 85610 IN DS 40447 8 2 > 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734 > > Is this the correct status or do I have to change anything? > > Do I have to change the KSK status from publish to active, or is this correct? > > Thanks for an answer From gjn at gjn.priv.at Fri May 13 12:07:38 2016 From: gjn at gjn.priv.at (Günther J. Niederwimmer) Date: Fri, 13 May 2016 14:07:38 +0200 Subject: [Freeipa-users] DNSSEC active (?) ods-ksmutil In-Reply-To: <6376ae07-ba36-94eb-ecf4-220842966170@redhat.com> References: <5441777.IjQLvK8XRb@techz> <6376ae07-ba36-94eb-ecf4-220842966170@redhat.com> Message-ID: <1498657.QACHOrYr48@techz> Hello Petr, thank you for the answer On Friday, 13 May 2016, 13:35:57 CEST, Petr Spacek wrote: > On 13.5.2016 13:14, Günther J. Niederwimmer wrote: > > Cannot open destination file, will not make backup. > > No keys in the READY state matched your parameters, please check the > > parameters > > This is correct. Configured TTL did not expire yet so the key is not > "ready". See the column "Date of next transition". You will be able to > activate the key when this time passes. 
> > For detailed info please see > https://wiki.opendnssec.org/display/DOCS/Key+States > > If you are going to use DNSSEC please make sure to use the very latest FreeIPA > 4.3.1 or newer. We fixed a lot of bugs in the last release. My system is a CentOS 7.2; can I find the newer FreeIPA rpm in any repository for this system? This is my private server and I hope this is running correctly? > Petr^2 Spacek > > > when I say > > > > sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key > > list --verbose > > SQLite database set to: /var/opendnssec/kasp.db > > Keys: > > Zone: Keytype: State: Date of next > > transition (to): Size: Algorithm: CKA_ID: > > Repository: Keytag: > > example.com KSK publish 2016-05-14 > > 00:16:00 (ready) 3072 8 6145b3b71c448dfc1130d0f9d2caac79 > > SoftHSM 40447 > > example.com ZSK active 2016-08-11 > > 10:16:00 (retire) 2048 8 d7fe5c98d5f3f89aefb9e8dfb92ebcb1 > > SoftHSM 60630 > > > > The DS records are published in the ".com" domain > > > > dig +rrcomments example.com DS > > ;; ANSWER SECTION: > > example.com. 85610 IN DS 40447 8 1 > > 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913 > > example.com. 85610 IN DS 40447 8 2 > > 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734 > > > > Is this the correct status or do I have to change anything? > > > > Do I have to change the KSK status from publish to active, or is this correct > > ? > > > > Thanks for an answer -- with kind regards / best regards, Günther J. 
Niederwimmer From abokovoy at redhat.com Fri May 13 12:31:54 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 13 May 2016 15:31:54 +0300 Subject: [Freeipa-users] Looking for documentation for Python API In-Reply-To: <44d87ae0-2353-7abe-6f66-219fe2e85f4f@redhat.com> References: <1557170.p9MGeghmZ2@hosanna> <2410380.zRJEA5Vezc@hosanna> <20eddb00-e064-9390-018d-1896c5b85e9a@redhat.com> <20160513094957.sxjh4kq56byge4ks@redhat.com> <44d87ae0-2353-7abe-6f66-219fe2e85f4f@redhat.com> Message-ID: <20160513123154.7hzynumxmb4fuf65@redhat.com> On Fri, 13 May 2016, Petr Vobornik wrote: >On 05/13/2016 11:49 AM, Alexander Bokovoy wrote: >> On Thu, 12 May 2016, Jan Cholasta wrote: >>> On 11.5.2016 10:52, Martin Kosek wrote: >>>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: >>>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote: >>>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser) >>>>>> >>>>>> So for example for caacl-add: >>>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional >>>>>> description") >>>>>> >>>>>> you can try commands in "ipa console" it contains initialized API, >>>>>> just >>>>>> call api.Command.() >>>>>> >>>>>> API.txt provides the same information as API browser, but browser >>>>>> looks >>>>>> better :) >>>>>> >>>>>> Feel free to ask anything, if you identified gaps in docs which are >>>>>> hard >>>>>> to understand for non-IPA developer feel free report it, or feel >>>>>> free to >>>>>> create howTo in freeipa.org page. >>>>> >>>>> Thanks for the pointers. I'm looking at automating some user and group >>>>> additions, group editing, etc. Am I right in assuming that anything >>>>> that uses >>>>> the api.Command. will require a kinit before it >>>>> is run, >>>>> even if it is via the Python API? 
If I want to use a user/pass from >>>>> the script >>>>> itself (and not have a shell script which does kinit, then fires off >>>>> my Python >>>>> script) would I be better off hitting the web API with sessions and >>>>> JSON-RPC as >>>>> detailed here: >>>>> >>>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ >>>>> >>>>> >>>>> Put another way, since I want to hit the API from a system that >>>>> might not have >>>>> sssd installed, nor has joined the realm, I assume it would be >>>>> *impossible* to >>>>> use api.Command. as it relies on a Kerberos ticket? To >>>>> put it yet >>>>> another way: is there a way to hand a user/pass to the Python API and >>>>> authenticate that way. >>>> >>>> The API itself can be hit with user/password, as noted in Alexander's >>>> blog. If >>>> you want to use the actual Python API, Kerberos may be the only way. >>>> But I >>>> think Jan or Petr may had some other (hacky) way to pass >>>> user+password there too. >>> >>> I don't think we support anything but Kerberos on the client side in >>> our Python API. It might be possible to somehow emulate what the web >>> UI does, but I haven't personally ever attempted to do that. Petr, >>> have you? >> It should be relatively easy to update IPA cli code to accept a jar with >> a cookie and use that if Kerberos ccache is missing or empty. >> > >I implemented it a year ago, but the patch was not merged: >https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html I can revive it. I think it brings sufficient value to get merged. -- / Alexander Bokovoy From pspacek at redhat.com Fri May 13 12:39:02 2016 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 13 May 2016 14:39:02 +0200 Subject: [Freeipa-users] DNSSEC active (?) 
ods-ksmutil In-Reply-To: <1498657.QACHOrYr48@techz> References: <5441777.IjQLvK8XRb@techz> <6376ae07-ba36-94eb-ecf4-220842966170@redhat.com> <1498657.QACHOrYr48@techz> Message-ID: <15ff6ae4-4557-9cf2-ca65-74ec265f3f28@redhat.com> On 13.5.2016 14:07, Günther J. Niederwimmer wrote: > Hello Petr, > > thank you for the answer > > On Friday, 13 May 2016, 13:35:57 CEST, Petr Spacek wrote: >> On 13.5.2016 13:14, Günther J. Niederwimmer wrote: >>> Cannot open destination file, will not make backup. >>> No keys in the READY state matched your parameters, please check the >>> parameters >> >> This is correct. Configured TTL did not expire yet so the key is not >> "ready". See the column "Date of next transition". You will be able to >> activate the key when this time passes. >> >> For detailed info please see >> https://wiki.opendnssec.org/display/DOCS/Key+States >> >> If you are going to use DNSSEC please make sure to use the very latest FreeIPA >> 4.3.1 or newer. We fixed a lot of bugs in the last release. > > My system is a CentOS 7.2; can I find the newer FreeIPA rpm in any repository > for this system? You might either try https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ or wait for CentOS 7.3. Petr^2 Spacek > This is my private server and I hope this is running correctly? > >> Petr^2 Spacek >> >>> when I say >>> >>> sudo -u ods SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf ods-ksmutil key >>> list --verbose >>> SQLite database set to: /var/opendnssec/kasp.db >>> Keys: >>> Zone: Keytype: State: Date of next >>> transition (to): Size: Algorithm: CKA_ID: >>> Repository: Keytag: >>> example.com KSK publish 2016-05-14 >>> 00:16:00 (ready) 3072 8 6145b3b71c448dfc1130d0f9d2caac79 >>> SoftHSM 40447 >>> example.com ZSK active 2016-08-11 >>> 10:16:00 (retire) 2048 8 d7fe5c98d5f3f89aefb9e8dfb92ebcb1 >>> SoftHSM 60630 >>> >>> The DS records are published in the ".com" domain >>> >>> dig +rrcomments example.com DS >>> ;; ANSWER SECTION: >>> example.com. 
85610 IN DS 40447 8 1 >>> 4E04D91BF29E1941E00CC36B13BC3F50BBA5C913 >>> example.com. 85610 IN DS 40447 8 2 >>> 92EE9E785D07C2BBCA83DFB1156D4D01052B441B8F3898734 >>> >>> Is this the correct status or do I have to change anything? >>> >>> Do I have to change the KSK status from publish to active, or is this correct >>> ? >>> >>> Thanks for an answer > > -- Petr^2 Spacek From lslebodn at redhat.com Fri May 13 12:45:15 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 13 May 2016 14:45:15 +0200 Subject: [Freeipa-users] sssd went away, failed to restart In-Reply-To: References: <20160223090003.GA3131@hendrix.redhat.com> <56CC2C86.8040109@aixigo.de> <20160223105825.GC2468@mail.corp.redhat.com> <56CC4A05.5040503@aixigo.de> <20160223124602.GH2468@mail.corp.redhat.com> <20160512082634.GB23546@10.4.128.1> <20160512114807.GD23546@10.4.128.1> Message-ID: <20160513124514.GB21625@10.4.128.1> On (12/05/16 15:35), Harald Dunkel wrote: >On 05/12/16 13:48, Lukas Slebodnik wrote: >> It would be nice if you could provide a reliable reproducer. >> I'm sorry, we do not have a crystal ball and the sssd log files >> did not help either. They are truncated. >> > >That's all I got. > and that's the reason why we cannot help more :-( >> I would like to fix it but I do not know what to fix. >> >> Is there anything interesting/suspicious in syslog/journald >> from the same time? >> > >"journalctl -u sssd" says > It is not helpful either. We asked to find *ANYTHING* interesting/suspicious in syslog/journald, so it needn't be related to sssd. It can be related to swapping, out of entropy, disk needs to spin up, high load, DNS not responding, whatever. But it's a task for you to find out what triggers the problem. We do not have access to the problematic machines. So try to find the reason which triggers the problem and provide a reasonable reproducer. 
LS From lslebodn at redhat.com Fri May 13 12:48:25 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 13 May 2016 14:48:25 +0200 Subject: [Freeipa-users] ipa -v ping lies about the cert database In-Reply-To: References: <5710DB60.7070508@redhat.com> <57148953.1070904@redhat.com> <5714CE39.9030704@ubuntu.com> <15ebb4fd-49e1-da66-d0a1-94d13da4e60f@aixigo.de> <571F895F.3060108@ubuntu.com> Message-ID: <20160513124824.GC21625@10.4.128.1> On (12/05/16 16:16), Harald Dunkel wrote: >On 04/26/16 17:29, Timo Aaltonen wrote: >> >> I guess 4.3.1 would need to be in sid first, and it just got rejected >> because of the minified javascript (bug #787593). Don't know when >> that'll get fixed. >> > >Since 24beta is out without fixing > > https://fedorahosted.org/freeipa/ticket/5639 > You might see in the ticket that the planned milestone is "Future Releases", which isn't any particular release (4.4.x ...). It basically means that patches are welcome. That's how it works in the open source world. LS From sbose at redhat.com Fri May 13 13:14:10 2016 From: sbose at redhat.com (Sumit Bose) Date: Fri, 13 May 2016 15:14:10 +0200 Subject: [Freeipa-users] a user delegated to control a OU and realmd join - how.. In-Reply-To: <1462983423.4953.59.camel@yahoo.co.uk> References: <1462983423.4953.59.camel@yahoo.co.uk> Message-ID: <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009> On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > .. if possible, would you know? > hi everybody, > I'm trying, and hoping it is possible to realm join an AD but in such a > way so I tap my IPA into a specific OU within that AD. I'm not exactly sure what you mean here. Do you want to join a computer which is already a client in an IPA domain to AD as well? If this is the case I would recommend to consider the IPA trust feature. Joining 2 domains is in general possible with SSSD but has to be done with very great care, e.g. by using different keytabs for each domain. 
> The thing is - I'm thinking it would make user access control ideal > from the start as I need only users from that OU, but also because I'm > only granted access to the user/group who has control over that OU. > I'm trying that but I see: > > ! The computer account RIDER already exists, but is not in the desired > organizational unit. > adcli: joining domain ccc.bb.aa failed: The computer account RIDER > already exists, Computer account names in AD must be unique even if they are added to different OUs. So if there is already a computer called RIDER joined to AD and it is not your computer you have to rename your computer to join. If it is your computer and you want to create it in a different OU you have to delete the old computer object first and then do a fresh join. HTH bye, Sumit > ! Failed to join the domain > > I'm doing this: > $ realm join ccc.bb.aa --user=private-user --computer-ou=private > > and the computer is in OU=private of ccc.bb.aa > so is the user private-user > > many thanks. > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From heil at terminal-consulting.de Fri May 13 13:25:05 2016 From: heil at terminal-consulting.de (Thomas Heil) Date: Fri, 13 May 2016 15:25:05 +0200 Subject: [Freeipa-users] otp question to limit brute force vector for web applications Message-ID: <5735D5B1.2080508@terminal-consulting.de> Hi, I would like to reduce the vector of brute force attacks in my web application written in php. Users can login via password and otp which are hosted on freeipa. To achieve this I would like to check the otp first, so no password auth is done on the freeipa server and no user can be locked out. If the otp is correct, the user is now allowed to log in via password+otp. Unfortunately, there is no api method that can check only the otp for a user with an identity. 
Would it be possible to expose such a new method? kind regards -- Thomas -- From bahanw042014 at gmail.com Fri May 13 14:09:36 2016 From: bahanw042014 at gmail.com (bahan w) Date: Fri, 13 May 2016 16:09:36 +0200 Subject: [Freeipa-users] ipa user-add, two entries in the ldap Message-ID: Hello ! I performed recently an ipa user-add for a new user and when I check in the ldap, I can see two entries for it : - One in uid=,cn=users,cn=compat,dc= - One in uid=,cn=users,cn=accounts,dc= Is it normal ? I know that my user is the one defined in the tree cn=users,cn=accounts,dc=. What is exactly the entry in cn=users,cn=compat,dc= please ? BR. Bahan -------------- next part -------------- An HTML attachment was scrubbed... URL: From bahanw042014 at gmail.com Fri May 13 14:10:12 2016 From: bahanw042014 at gmail.com (bahan w) Date: Fri, 13 May 2016 16:10:12 +0200 Subject: [Freeipa-users] ipa user-add, two entries in the ldap In-Reply-To: References: Message-ID: Please ignore the character "-" in . On Fri, May 13, 2016 at 4:09 PM, bahan w wrote: > Hello ! > > I performed recently an ipa user-add for a new user and when I check in > the ldap, I can see two entries for it : > - One in uid=,cn=users,cn=compat,dc= > - One in uid=,cn=users,cn=accounts,dc= > > Is it normal ? > I know that my user is the one defined in the tree > cn=users,cn=accounts,dc=. > > What is exactly the entry in cn=users,cn=compat,dc= please ? > > BR. > > Bahan > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From pspacek at redhat.com Fri May 13 14:12:46 2016 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 13 May 2016 16:12:46 +0200 Subject: [Freeipa-users] otp question to limit brute force vector for web applications In-Reply-To: <5735D5B1.2080508@terminal-consulting.de> References: <5735D5B1.2080508@terminal-consulting.de> Message-ID: <4eac3887-af0f-ad5b-3efa-1290f5a10c42@redhat.com> On 13.5.2016 15:25, Thomas Heil wrote: > Hi, > > I would like to reduce the vector of brute force attacks in my web > application written in php. Users can login via password and otp which > are hosted on freeipa. > > To achieve this I would like to check the otp first, so no password auth > is done on the freeipa server and no user can be locked out. > > If the otp is correct, the user is now allowed to log in via password+otp. > > Unfortunately, there is no api method that can check only the otp for a > user with an identity. > > Would it be possible to expose such a new method? This would open a new attack vector so it is a bad idea. An attacker must not be able to distinguish the case where the password OR the OTP is correct/wrong. If you allow this, the attacker will be able to crack the OTP first and then continue with the password, so you are making it easier. Do not do that :-) -- Petr^2 Spacek From pspacek at redhat.com Fri May 13 14:15:40 2016 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 13 May 2016 16:15:40 +0200 Subject: [Freeipa-users] ipa user-add, two entries in the ldap In-Reply-To: References: Message-ID: <135428d6-6f00-02b7-5963-d6b253f671ad@redhat.com> On 13.5.2016 16:10, bahan w wrote: > Please ignore the character "-" in . > > On Fri, May 13, 2016 at 4:09 PM, bahan w wrote: > >> Hello ! >> >> I recently performed an ipa user-add for a new user and when I check in >> the ldap, I can see two entries for it : >> - One in uid=,cn=users,cn=compat,dc= >> - One in uid=,cn=users,cn=accounts,dc= >> >> Is it normal? 
>> I know that my user is the one defined in the tree >> cn=users,cn=accounts,dc=. >> >> What exactly is the entry in cn=users,cn=compat,dc= please? This is an auto-generated entry which is used for old clients: See http://www.freeipa.org/page/HowTo/LDAP#Unix_clients and man ipa-compat-manage -- Petr^2 Spacek From heil at terminal-consulting.de Fri May 13 15:24:54 2016 From: heil at terminal-consulting.de (Thomas Heil) Date: Fri, 13 May 2016 17:24:54 +0200 Subject: [Freeipa-users] otp question to limit brute force vector for web applications In-Reply-To: <4eac3887-af0f-ad5b-3efa-1290f5a10c42@redhat.com> References: <5735D5B1.2080508@terminal-consulting.de> <4eac3887-af0f-ad5b-3efa-1290f5a10c42@redhat.com> Message-ID: <5735F1C6.2010409@terminal-consulting.de> Hi, On 13.05.2016 16:12, Petr Spacek wrote: > On 13.5.2016 15:25, Thomas Heil wrote: >> Hi, >> >> I would like to reduce the vector of brute force attacks in my web >> application written in php. Users can login via password and otp which >> are hosted on freeipa. >> >> To achieve this I would like to check the otp first, so no password auth >> is done on the freeipa server and no user can be locked out. >> >> If the otp is correct, the user is now allowed to log in via password+otp. >> >> Unfortunately, there is no api method that can check only the otp for a >> user with an identity. >> >> Would it be possible to expose such a new method? > > This would open a new attack vector so it is a bad idea. > > An attacker must not be able to distinguish the case where the password OR the OTP is > correct/wrong. If you allow this, the attacker will be able to crack the OTP first > and then continue with the password, so you are making it easier. Okay, you are right with that. Sorry. My intention is to avoid being vulnerable to brute force attacks. I have a trust with an Active Directory and want to avoid that the user on the AD side is locked out if the OTP is wrong. Is this possible? > > Do not do that :-) > Indeed, I will not do that. 
cheers thomas From harri at afaics.de Fri May 13 19:31:35 2016 From: harri at afaics.de (Harald Dunkel) Date: Fri, 13 May 2016 21:31:35 +0200 Subject: [Freeipa-users] sssd went away, failed to restart In-Reply-To: <20160513124514.GB21625@10.4.128.1> References: <20160223090003.GA3131@hendrix.redhat.com> <56CC2C86.8040109@aixigo.de> <20160223105825.GC2468@mail.corp.redhat.com> <56CC4A05.5040503@aixigo.de> <20160223124602.GH2468@mail.corp.redhat.com> <20160512082634.GB23546@10.4.128.1> <20160512114807.GD23546@10.4.128.1> <20160513124514.GB21625@10.4.128.1> Message-ID: <67121926-8bfa-3f79-451e-74cb0c9b845f@afaics.de> On 05/13/16 14:45, Lukas Slebodnik wrote: > On (12/05/16 15:35), Harald Dunkel wrote: >> On 05/12/16 13:48, Lukas Slebodnik wrote: > >>> I would like to fix it but I do not know what to fix. >>> >>> Is there anything interesting/suspicious in syslog/journald >>> from the same time? >>> >> >> "journalctl -u sssd" says >> > It is not helpful either. > We asked to find *ANYTHING* interesting/suspicious in syslog/journald, > so it needn't be related to sssd. > Understood. Below is the complete journalctl and syslog from reboot till sssd being marked as failed by systemd. The only problems I see in between are the authentication failures and "user unknown" error messages. The log files on the ipa servers don't show any signs of a problem either (esp. krb5kdc.log, the slapd log files, and kernel.log of the ipa1 server). > It can be related to swapping, out of entropy, disk needs to spin up, > high load, DNS not responding, whatever. > > But it's a task for you to find out what triggers the problem. > We do not have access to the problematic machines. > Does it really matter *why* this host is slow or why ipa1 didn't answer? My point is that sssd should be sufficiently stable to start up even when it's slow "somehow" and when the first ipa server it tried appears to be unreachable. 
Looking at the log files I have the impression that ipa2 works as expected, and yet sssd on the client went Guru for some reason it didn't write into the log file. > So try to find the reason which triggers the problem and provide > a reasonable reproducer. > I'd love to give you more information, but this is a production system. Rebooting the host to find some way to reproduce the problem is painful for a lot of people. Since the client runs Jessie I will try to backport Timo's freeipa 4.3.1 packages for Debian/Ubuntu. sssd is already up-to-date. ipa1 and ipa2 are running CentOS 7 and freeipa 4.2; hopefully that's OK. And I am setting up additional servers ipa3 and ipa4 to improve availability. Regards Harri -------------- next part -------------- -- Logs begin at Sat 2016-05-07 01:00:34 CEST, end at Fri 2016-05-13 20:14:51 CEST. -- May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Runtime journal is using 8.0M (max allowed 3.1G, trying to leave 4.0G free of 31.4G available → current limit 3.1G). May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Runtime journal is using 8.0M (max allowed 3.1G, trying to leave 4.0G free of 31.4G available → current limit 3.1G). May 12 06:01:57 srvvm01.ac.example.com systemd-journal[24]: Journal started May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted Debug File System. May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted Huge Pages File System. May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Mounted POSIX Message Queue File System. May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Remount Root and Kernel File Systems. May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Various fixups to make systemd work better on Debian. May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Load/Save Random Seed... May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Local File Systems (Pre). May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Reached target Local File Systems (Pre). 
May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Local File Systems. May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Reached target Local File Systems. May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Starting Remote File Systems. May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Trigger Flushing of Journal to Persistent Storage. May 12 06:02:06 srvvm01.ac.example.com systemd-journal[24]: Permanent journal is using 2.4G (max allowed 2.0G, trying to leave 4.0G free of 2.1T available → current limit 2.4G). May 12 06:02:14 srvvm01.ac.example.com systemd-journal[24]: Time spent on flushing to /var is 8.301385s for 16 entries. May 12 06:01:59 srvvm01.ac.example.com logger[65]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_resolv: May 12 06:01:59 srvvm01.ac.example.com logger[66]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_sendmail: May 12 06:02:15 srvvm01.ac.example.com logger[94]: /etc/network/if-up.d/sendmail (dynamic) update_interface: lo up May 12 06:02:15 srvvm01.ac.example.com logger[95]: /etc/network/if-up.d/sendmail (dynamic) update_sendmail: lo up May 12 06:02:15 srvvm01.ac.example.com logger[132]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_resolv: May 12 06:02:15 srvvm01.ac.example.com logger[133]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_sendmail: May 12 06:02:15 srvvm01.ac.example.com logger[145]: /etc/network/if-up.d/sendmail (dynamic) update_interface: eth0 up May 12 06:02:15 srvvm01.ac.example.com logger[146]: /etc/network/if-up.d/sendmail (dynamic) update_provider: eth0 up ac.example.com. May 12 06:02:15 srvvm01.ac.example.com logger[147]: /etc/network/if-up.d/sendmail (dynamic) update_host: eth0 up ac.example.com. 10.19.96.11 May 12 06:02:15 srvvm01.ac.example.com logger[148]: /etc/network/if-up.d/sendmail (dynamic) update_sendmail: eth0 up ac.example.com. 
10.19.96.11 May 12 06:02:15 srvvm01.ac.example.com logger[164]: /etc/network/if-up.d/sendmail (dynamic) update_interface: --all up May 12 06:02:35 srvvm01.ac.example.com logger[165]: /etc/network/if-up.d/sendmail (dynamic) update_sendmail: --all up May 12 06:01:57 srvvm01.ac.example.com systemd[1]: Started Copy rules generated while the root was ro. May 12 06:01:58 srvvm01.ac.example.com systemd[1]: Started LSB: ebtables ruleset management. May 12 06:01:58 srvvm01.ac.example.com systemd[1]: Started LSB: IPv6 Recursive DNS Server discovery. May 12 06:01:58 srvvm01.ac.example.com systemd[1]: Started LSB: Tune IDE hard disks. May 12 06:02:03 srvvm01.ac.example.com systemd[1]: Started Load/Save Random Seed. May 12 06:02:03 srvvm01.ac.example.com systemd[1]: Starting LSB: Raise network interfaces.... May 12 06:02:16 srvvm01.ac.example.com systemd[1]: Started Create Volatile Files and Directories. May 12 06:02:16 srvvm01.ac.example.com systemd[1]: Starting Update UTMP about System Boot/Shutdown... May 12 06:02:19 srvvm01.ac.example.com systemd[1]: Started Update UTMP about System Boot/Shutdown. May 12 06:02:35 srvvm01.ac.example.com systemd[1]: Started LSB: Raise network interfaces.. May 12 06:02:35 srvvm01.ac.example.com systemd[1]: Starting Network. May 12 06:02:41 srvvm01.ac.example.com anacron[178]: Anacron 2.3 started on 2016-05-12 May 12 06:02:42 srvvm01.ac.example.com hdparm[21]: Setting parameters of disc: (none). May 12 06:02:42 srvvm01.ac.example.com rdnssd[29]: Starting IPv6 Recursive DNS Server discovery Daemon: rdnssd. May 12 06:02:42 srvvm01.ac.example.com networking[67]: Configuring network interfaces...done. 
May 12 06:02:46 srvvm01.ac.example.com cron[179]: (CRON) INFO (pidfile fd = 3)
May 12 06:02:48 srvvm01.ac.example.com anacron[178]: Normal exit (0 jobs run)
May 12 06:02:49 srvvm01.ac.example.com logger[220]: /etc/init.d/sendmail start
May 12 06:02:51 srvvm01.ac.example.com cron[179]: (dreger) ORPHAN (no passwd entry)
May 12 06:02:51 srvvm01.ac.example.com cron[179]: (adminteam) ORPHAN (no passwd entry)
May 12 06:02:51 srvvm01.ac.example.com cron[179]: (CRON) INFO (Running @reboot jobs)
May 12 06:02:59 srvvm01.ac.example.com ntpd[219]: ntpd 4.2.6p5@1.2349-o Wed Oct 28 20:16:08 UTC 2015 (1)
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: created chroot directory /var/run/lldpd
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: /etc/localtime copied to chroot
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: protocol LLDP enabled
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: protocol CDPv1 disabled
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: protocol CDPv2 disabled
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: protocol SONMP disabled
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: protocol EDP disabled
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: protocol FDP disabled
May 12 06:02:59 srvvm01.ac.example.com lldpd[235]: libevent 2.0.21-stable initialized with epoll method
May 12 06:03:00 srvvm01.ac.example.com ntpd[236]: proto: precision = 0.101 usec
May 12 06:03:00 srvvm01.ac.example.com ntp[186]: Starting NTP server: ntpd.
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Starting Certificate monitoring and PKI enrollment...
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Starting System Logging Service...
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Starting Clam AntiVirus userspace daemon...
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Started Clam AntiVirus userspace daemon.
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Starting LSB: ClamAV virus milter...
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Started LLDP daemon.
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Started /etc/rc.local Compatibility.
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Started LSB: Start NTP daemon.
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Started LSB: start Samba daemons for the AD DC.
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Started LSB: start Samba NetBIOS nameserver (nmbd).
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Starting Dovecot IMAP/POP3 email server...
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Started Dovecot IMAP/POP3 email server.
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Starting LSB: start Samba SMB/CIFS daemon (smbd)...
May 12 06:03:00 srvvm01.ac.example.com systemd[1]: Started LSB: start Samba SMB/CIFS daemon (smbd).
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: Listen and drop on 1 v6wildcard :: UDP 123
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: Listen normally on 2 lo 127.0.0.1 UDP 123
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: Listen normally on 3 eth0 10.19.96.11 UDP 123
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: Listen normally on 4 lo ::1 UDP 123
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: Listen normally on 5 eth0 fe80::220:8cff:fe8a:5183 UDP 123
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: peers refreshed
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: Listening on routing socket on fd #22 for interface updates
May 12 06:03:06 srvvm01.ac.example.com ntpd[236]: authreadkeys: file /etc/ntp/keys: No such file or directory
May 12 06:03:09 srvvm01.ac.example.com lldpcli[234]: cannot find configuration file/directory /etc/lldpd.conf
May 12 06:03:09 srvvm01.ac.example.com lldpcli[234]: unknown command from argument 1: `#`
May 12 06:03:09 srvvm01.ac.example.com lldpcli[234]: an error occurred while executing last command
May 12 06:03:09 srvvm01.ac.example.com lldpcli[234]: unknown command from argument 1: `#`
May 12 06:03:09 srvvm01.ac.example.com lldpcli[234]: an error occurred while executing last command
May 12 06:03:09 srvvm01.ac.example.com lldpcli[234]: lldpd should resume operations
May 12 06:03:10 srvvm01.ac.example.com systemd[1]: Started System Logging Service.
May 12 06:03:11 srvvm01.ac.example.com sendmail[194]: Starting Mail Transport Agent (MTA): sendmailMakefile:290: warning: overriding recipe for target '/etc/aliases.news.db'
May 12 06:03:14 srvvm01.ac.example.com sendmail[194]: Makefile:287: warning: ignoring old recipe for target '/etc/aliases.news.db'
May 12 06:03:14 srvvm01.ac.example.com sendmail[194]: Makefile:344: warning: overriding recipe for target '/etc/aliases.news'
May 12 06:03:14 srvvm01.ac.example.com sendmail[194]: Makefile:287: warning: ignoring old recipe for target '/etc/aliases.news'
May 12 06:03:13 srvvm01.ac.example.com systemd[1]: Started Zabbix Agent.
May 12 06:03:14 srvvm01.ac.example.com sshd[183]: Server listening on 0.0.0.0 port 22.
May 12 06:03:14 srvvm01.ac.example.com sshd[183]: Server listening on :: port 22.
May 12 06:03:15 srvvm01.ac.example.com dovecot[241]: master: Dovecot v2.2.18 starting up for imap, pop3 (core dumps disabled)
May 12 06:03:15 srvvm01.ac.example.com sssd[373]: Starting up
May 12 06:03:16 srvvm01.ac.example.com dovecot[241]: Warning: fd limit (ulimit -n) is lower than required under max. load (1024 < 3000), because of default_client_limit
May 12 06:03:18 srvvm01.ac.example.com clamav-milter[372]: +++ Started at Thu May 12 06:03:18 2016
May 12 06:03:20 srvvm01.ac.example.com clamd[239]: Received 1 file descriptor(s) from systemd.
May 12 06:03:20 srvvm01.ac.example.com clamd[239]: clamd daemon 0.99 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
May 12 06:03:20 srvvm01.ac.example.com clamd[239]: Running as user clamav (UID 111, GID 143)
May 12 06:03:20 srvvm01.ac.example.com clamd[239]: Log file size limited to 4294967295bytes.
May 12 06:03:20 srvvm01.ac.example.com clamd[239]: Reading databases from /var/lib/clamav
May 12 06:03:20 srvvm01.ac.example.com clamd[239]: Not loading PUA signatures.
May 12 06:03:20 srvvm01.ac.example.com clamd[239]: Bytecode: Security mode set to "TrustSigned".
May 12 06:03:18 srvvm01.ac.example.com systemd[1]: Started LSB: ClamAV virus milter.
May 12 06:03:20 srvvm01.ac.example.com systemd[1]: Started LSB: INN news server.
May 12 06:03:20 srvvm01.ac.example.com freshclam[180]: ClamAV update process started at Thu May 12 06:03:20 2016
May 12 06:03:20 srvvm01.ac.example.com freshclam[180]: WARNING: Your ClamAV installation is OUTDATED!
May 12 06:03:20 srvvm01.ac.example.com freshclam[180]: WARNING: Local version: 0.99 Recommended version: 0.99.2
May 12 06:03:20 srvvm01.ac.example.com freshclam[180]: DON'T PANIC! Read http://www.clamav.net/support/faq
May 12 06:03:20 srvvm01.ac.example.com clamav-milter[240]: Starting Sendmail milter plugin for ClamAV: clamav-milter.
May 12 06:03:20 srvvm01.ac.example.com inn2[189]: Starting news server: innd.
May 12 06:03:20 srvvm01.ac.example.com innd[415]: SERVER descriptors 1023
May 12 06:03:20 srvvm01.ac.example.com innd[415]: SERVER outgoing 1010
May 12 06:03:20 srvvm01.ac.example.com innd[415]: SERVER ccsetup control:12
May 12 06:03:20 srvvm01.ac.example.com innd[415]: SERVER lcsetup localconn:14
May 12 06:03:21 srvvm01.ac.example.com freshclam[180]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
May 12 06:03:21 srvvm01.ac.example.com freshclam[180]: daily.cld is up to date (version: 21529, sigs: 139560, f-level: 63, builder: neo)
May 12 06:03:21 srvvm01.ac.example.com freshclam[180]: bytecode.cld is up to date (version: 277, sigs: 47, f-level: 63, builder: neo)
May 12 06:03:21 srvvm01.ac.example.com sssd[be[417]: Starting up
May 12 06:03:22 srvvm01.ac.example.com innd[415]: SERVER rcsetup remconn:15
May 12 06:03:22 srvvm01.ac.example.com innd[415]: SERVER rcsetup remconn:17
May 12 06:03:22 srvvm01.ac.example.com innd[415]: controlchan! spawned controlchan!:21:proc:425
May 12 06:03:23 srvvm01.ac.example.com innd[415]: SERVER perl filtering enabled
May 12 06:03:23 srvvm01.ac.example.com innd[415]: SERVER starting
May 12 06:03:23 srvvm01.ac.example.com dovecot[392]: imap-login: Disconnected (disconnected before auth was ready, waited 2 secs): user=<>, rip=10.19.102.238, lip=10.19.96.11, TLS handshaking: Disconnected, session=
May 12 06:03:23 srvvm01.ac.example.com dovecot[392]: imap-login: Disconnected (disconnected before auth was ready, waited 2 secs): user=<>, rip=10.19.102.238, lip=10.19.96.11, TLS handshaking: Disconnected, session=<1jpOPZ0yBQCsE2bu>
May 12 06:03:26 srvvm01.ac.example.com sssd[438]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[440]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[437]: Starting up
May 12 06:03:25 srvvm01.ac.example.com systemd[1]: Started Certificate monitoring and PKI enrollment.
May 12 06:03:26 srvvm01.ac.example.com sssd[439]: Starting up
May 12 06:03:29 srvvm01.ac.example.com sssd[441]: Starting up
May 12 06:03:37 srvvm01.ac.example.com ipa-submit[445]: GSSAPI client step 1
May 12 06:03:37 srvvm01.ac.example.com ipa-submit[445]: GSSAPI client step 1
May 12 06:03:37 srvvm01.ac.example.com ipa-submit[445]: GSSAPI client step 1
May 12 06:03:37 srvvm01.ac.example.com ipa-submit[445]: GSSAPI client step 1
May 12 06:03:37 srvvm01.ac.example.com ipa-submit[445]: GSSAPI client step 2
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 2
May 12 06:03:42 srvvm01.ac.example.com dovecot[392]: imap-login: Disconnected (no auth attempts in 19 secs): user=<>, rip=10.0.142.199, lip=10.19.96.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<9T14Pp0yjwAFkY7H>
May 12 06:03:42 srvvm01.ac.example.com dovecot[392]: imap-login: Disconnected (no auth attempts in 19 secs): user=<>, rip=10.0.142.199, lip=10.19.96.11, TLS handshaking, session=<50d4Pp0yjgAFkY7H>
May 12 06:03:42 srvvm01.ac.example.com dovecot[392]: imap-login: Disconnected (no auth attempts in 21 secs): user=<>, rip=10.0.142.199, lip=10.19.96.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=
May 12 06:03:42 srvvm01.ac.example.com dovecot[392]: imap-login: Disconnected (no auth attempts in 21 secs): user=<>, rip=10.0.142.199, lip=10.19.96.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=
May 12 06:03:47 srvvm01.ac.example.com controlchan[425]: starting
May 12 06:03:56 srvvm01.ac.example.com sshd[485]: Connection closed by 10.19.96.127 [preauth]
May 12 06:03:57 srvvm01.ac.example.com clamd[239]: Loaded 4353011 signatures.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: Global size limit set to 104857600 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: File size limit set to 26214400 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: Recursion level limit set to 16.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: Files limit set to 10000.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxPartitions limit set to 50.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxIconsPE limit set to 100.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: PCREMatchLimit limit set to 10000.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: PCRERecMatchLimit limit set to 5000.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: PCREMaxFileSize limit set to 26214400.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Archive support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Algorithmic detection enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Portable Executable support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: ELF support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Mail files support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: OLE2 support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: PDF support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: SWF support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: HTML support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Self checking every 3600 seconds.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: Global size limit set to 104857600 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: File size limit set to 26214400 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: Recursion level limit set to 16.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: Files limit set to 10000.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxPartitions limit set to 50.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: MaxIconsPE limit set to 100.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: PCREMatchLimit limit set to 10000.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: PCRERecMatchLimit limit set to 5000.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Limits: PCREMaxFileSize limit set to 26214400.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Archive support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Algorithmic detection enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Portable Executable support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: ELF support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Mail files support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: OLE2 support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: PDF support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: SWF support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: HTML support enabled.
May 12 06:04:04 srvvm01.ac.example.com clamd[239]: Self checking every 3600 seconds.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: sssd.service start operation timed out. Terminating.
May 12 06:04:05 srvvm01.ac.example.com sssd[438]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[437]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[be[417]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[439]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com auth[490]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:05 srvvm01.ac.example.com auth[490]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user1 rhost=10.0.142.199
May 12 06:04:05 srvvm01.ac.example.com auth[449]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:05 srvvm01.ac.example.com auth[429]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:05 srvvm01.ac.example.com auth[449]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user2 rhost=10.19.97.188
May 12 06:04:05 srvvm01.ac.example.com auth[429]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user3 rhost=10.19.97.179
May 12 06:04:05 srvvm01.ac.example.com auth[490]: pam_sss(dovecot:auth): Request to sssd failed. Bad address
May 12 06:04:05 srvvm01.ac.example.com auth[449]: pam_sss(dovecot:auth): Request to sssd failed. Bad address
May 12 06:04:05 srvvm01.ac.example.com sssd[441]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com auth[429]: pam_sss(dovecot:auth): Request to sssd failed. Bad address
May 12 06:04:05 srvvm01.ac.example.com sssd[440]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sshd[482]: Invalid user user4 from 10.19.96.197
May 12 06:04:06 srvvm01.ac.example.com auth[478]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[475]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[474]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[473]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[427]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[444]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[433]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[430]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[430]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user5 rhost=10.19.97.177
May 12 06:04:06 srvvm01.ac.example.com auth[428]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[448]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[431]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[432]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[477]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com sendmail[389]: alias database /etc/mail/aliases.user rebuilt by root
May 12 06:04:06 srvvm01.ac.example.com auth[426]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[484]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[489]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[488]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[487]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com sshd[482]: input_userauth_request: invalid user user5 [preauth]
May 12 06:04:06 srvvm01.ac.example.com auth[478]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user6 rhost=10.19.98.10
May 12 06:04:06 srvvm01.ac.example.com auth[475]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user5 rhost=10.19.97.186
May 12 06:04:06 srvvm01.ac.example.com auth[474]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user6 rhost=10.19.98.10
May 12 06:04:06 srvvm01.ac.example.com auth[473]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user6 rhost=10.19.98.10
May 12 06:04:06 srvvm01.ac.example.com auth[427]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user7 rhost=10.19.98.158
May 12 06:04:06 srvvm01.ac.example.com auth[444]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user8 rhost=10.19.97.141
May 12 06:04:06 srvvm01.ac.example.com auth[433]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user9 rhost=10.19.102.239
May 12 06:04:06 srvvm01.ac.example.com auth[436]: pam_unix(dovecot:auth): check pass; user unknown
May 12 06:04:06 srvvm01.ac.example.com auth[430]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[428]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user11 rhost=10.19.97.13
May 12 06:04:06 srvvm01.ac.example.com auth[448]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user12 rhost=10.19.102.240
May 12 06:04:06 srvvm01.ac.example.com auth[431]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user13 rhost=10.19.97.159
May 12 06:04:06 srvvm01.ac.example.com auth[432]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user14 rhost=10.19.97.90
May 12 06:04:06 srvvm01.ac.example.com auth[478]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[475]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[474]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[473]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[427]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[444]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[433]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[436]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user15 rhost=10.19.102.238
May 12 06:04:06 srvvm01.ac.example.com auth[428]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[448]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[431]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[432]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[477]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[426]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[484]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[489]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[488]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[487]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com auth[436]: pam_sss(dovecot:auth): Request to sssd failed. Connection refused
May 12 06:04:06 srvvm01.ac.example.com sendmail[389]: /etc/mail/aliases.user: 917 aliases, longest 569 bytes, 19796 bytes total
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Failed to start System Security Services Daemon.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Unit sssd.service entered failed state.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Starting User and Group Name Lookups.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Reached target User and Group Name Lookups.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Starting Login Service...
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Starting Permit User Sessions...
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Started Permit User Sessions.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Started Getty on tty1.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Starting Container Getty on /dev/pts/3...
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Started Container Getty on /dev/pts/3.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Starting Container Getty on /dev/pts/2...
May 12 06:04:06 srvvm01.ac.example.com systemd-logind[492]: New seat seat0.
May 12 06:04:06 srvvm01.ac.example.com systemd[1]: Started Login Service.
May 12 06:04:06 srvvm01.ac.example.com sshd[482]: Failed none for invalid user user5 from 10.19.96.197 port 36750 ssh2
May 12 06:04:06 srvvm01.ac.example.com sshd[482]: Failed password for invalid user user5 from 10.19.96.197 port 36750 ssh2
May 12 06:04:06 srvvm01.ac.example.com sshd[482]: Failed password for invalid user user5 from 10.19.96.197 port 36750 ssh2
-------------- next part --------------
May 12 05:55:58 srvvm01 systemd[1]: Stopping System Logging Service...
May 12 05:55:59 srvvm01 kernel: [1020200.459525] bonding: bond1: link status definitely up for interface eth4, 1000 Mbps full duplex
May 12 05:56:00 srvvm01 kernel: [1020200.816246] igb 0000:81:00.0 eth2: igb: eth2 NIC Link is Down
May 12 05:56:00 srvvm01 kernel: [1020200.843263] igb 0000:81:00.1 eth3: igb: eth3 NIC Link is Down
May 12 05:56:00 srvvm01 kernel: [1020200.859487] bonding: bond1: link status definitely down for interface eth2, disabling it
May 12 05:56:03 srvvm01 kernel: [1020204.243953] igb 0000:81:00.2 eth4: igb: eth4 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
May 12 05:56:03 srvvm01 kernel: [1020204.256836] bonding: bond1: link status definitely up for interface eth4, 1000 Mbps full duplex
May 12 05:56:06 srvvm01 kernel: [1020207.139979] br0: port 12(veth7RLOHG) entered disabled state
May 12 05:56:12 srvvm01 rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="218" x-info="http://www.rsyslog.com"] exiting on signal 15.
May 12 06:03:10 srvvm01 rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="238" x-info="http://www.rsyslog.com"] start
May 12 06:03:10 srvvm01 systemd[1]: Mounted Debug File System.
May 12 06:03:10 srvvm01 systemd[1]: Mounted Huge Pages File System.
May 12 06:03:10 srvvm01 rsyslogd-2039: Could not open output pipe '/dev/xconsole': No such file or directory [try http://www.rsyslog.com/e/2039 ]
May 12 06:03:10 srvvm01 systemd[1]: Mounted POSIX Message Queue File System.
May 12 06:03:10 srvvm01 systemd[1]: Started Remount Root and Kernel File Systems.
May 12 06:03:10 srvvm01 systemd[1]: Started Various fixups to make systemd work better on Debian.
May 12 06:03:10 srvvm01 systemd[1]: Starting Load/Save Random Seed...
May 12 06:03:10 srvvm01 systemd[1]: Starting Local File Systems (Pre).
May 12 06:03:10 srvvm01 systemd[1]: Reached target Local File Systems (Pre).
May 12 06:03:10 srvvm01 systemd[1]: Starting Local File Systems.
May 12 06:03:10 srvvm01 systemd[1]: Reached target Local File Systems.
May 12 06:03:10 srvvm01 systemd[1]: Starting Remote File Systems.
May 12 06:03:10 srvvm01 rsyslogd-2007: action 'action 19' suspended, next retry is Thu May 12 06:03:40 2016 [try http://www.rsyslog.com/e/2007 ]
May 12 06:03:10 srvvm01 systemd[1]: Started Trigger Flushing of Journal to Persistent Storage.
May 12 06:03:10 srvvm01 logger[65]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_resolv:
May 12 06:03:10 srvvm01 logger[66]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_sendmail:
May 12 06:03:10 srvvm01 logger[94]: /etc/network/if-up.d/sendmail (dynamic) update_interface: lo up
May 12 06:03:10 srvvm01 logger[95]: /etc/network/if-up.d/sendmail (dynamic) update_sendmail: lo up
May 12 06:03:10 srvvm01 logger[132]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_resolv:
May 12 06:03:10 srvvm01 logger[133]: /etc/resolvconf/update-libc.d/sendmail (dynamic) update_sendmail:
May 12 06:03:10 srvvm01 logger[145]: /etc/network/if-up.d/sendmail (dynamic) update_interface: eth0 up
May 12 06:03:10 srvvm01 logger[146]: /etc/network/if-up.d/sendmail (dynamic) update_provider: eth0 up ac.example.com.
May 12 06:03:10 srvvm01 logger[147]: /etc/network/if-up.d/sendmail (dynamic) update_host: eth0 up ac.example.com. 10.19.96.11
May 12 06:03:10 srvvm01 logger[148]: /etc/network/if-up.d/sendmail (dynamic) update_sendmail: eth0 up ac.example.com. 10.19.96.11
May 12 06:03:10 srvvm01 logger[164]: /etc/network/if-up.d/sendmail (dynamic) update_interface: --all up
May 12 06:03:10 srvvm01 logger[165]: /etc/network/if-up.d/sendmail (dynamic) update_sendmail: --all up
May 12 06:03:10 srvvm01 systemd[1]: Started Copy rules generated while the root was ro.
May 12 06:03:10 srvvm01 systemd[1]: Started LSB: ebtables ruleset management.
May 12 06:03:10 srvvm01 systemd[1]: Started LSB: IPv6 Recursive DNS Server discovery.
May 12 06:03:10 srvvm01 systemd[1]: Started LSB: Tune IDE hard disks.
May 12 06:03:10 srvvm01 systemd[1]: Started Load/Save Random Seed.
May 12 06:03:10 srvvm01 systemd[1]: Starting LSB: Raise network interfaces....
May 12 06:03:10 srvvm01 systemd[1]: Started Create Volatile Files and Directories.
May 12 06:03:10 srvvm01 systemd[1]: Starting Update UTMP about System Boot/Shutdown...
May 12 06:03:10 srvvm01 systemd[1]: Started Update UTMP about System Boot/Shutdown.
May 12 06:03:10 srvvm01 systemd[1]: Started LSB: Raise network interfaces..
May 12 06:03:10 srvvm01 systemd[1]: Starting Network.
May 12 06:03:10 srvvm01 anacron[178]: Anacron 2.3 started on 2016-05-12
May 12 06:03:10 srvvm01 hdparm[21]: Setting parameters of disc: (none).
May 12 06:03:10 srvvm01 rdnssd[29]: Starting IPv6 Recursive DNS Server discovery Daemon: rdnssd.
May 12 06:03:10 srvvm01 networking[67]: Configuring network interfaces...done.
May 12 06:03:10 srvvm01 cron[179]: (CRON) INFO (pidfile fd = 3)
May 12 06:03:10 srvvm01 anacron[178]: Normal exit (0 jobs run)
May 12 06:03:10 srvvm01 logger[220]: /etc/init.d/sendmail start
May 12 06:03:10 srvvm01 cron[179]: (dreger) ORPHAN (no passwd entry)
May 12 06:03:10 srvvm01 cron[179]: (adminteam) ORPHAN (no passwd entry)
May 12 06:03:10 srvvm01 cron[179]: (CRON) INFO (Running @reboot jobs)
May 12 06:03:10 srvvm01 ntpd[219]: ntpd 4.2.6p5@1.2349-o Wed Oct 28 20:16:08 UTC 2015 (1)
May 12 06:03:10 srvvm01 lldpd[235]: created chroot directory /var/run/lldpd
May 12 06:03:10 srvvm01 lldpd[235]: /etc/localtime copied to chroot
May 12 06:03:10 srvvm01 lldpd[235]: protocol LLDP enabled
May 12 06:03:10 srvvm01 lldpd[235]: protocol CDPv1 disabled
May 12 06:03:10 srvvm01 lldpd[235]: protocol CDPv2 disabled
May 12 06:03:10 srvvm01 lldpd[235]: protocol SONMP disabled
May 12 06:03:10 srvvm01 lldpd[235]: protocol EDP disabled
May 12 06:03:10 srvvm01 lldpd[235]: protocol FDP disabled
May 12 06:03:10 srvvm01 lldpd[235]: libevent 2.0.21-stable initialized with epoll method
May 12 06:03:10 srvvm01 ntpd[236]: proto: precision = 0.101 usec
May 12 06:03:10 srvvm01 ntp[186]: Starting NTP server: ntpd.
May 12 06:03:10 srvvm01 systemd[1]: Starting Certificate monitoring and PKI enrollment...
May 12 06:03:10 srvvm01 systemd[1]: Starting System Logging Service...
May 12 06:03:10 srvvm01 systemd[1]: Starting Clam AntiVirus userspace daemon...
May 12 06:03:10 srvvm01 systemd[1]: Started Clam AntiVirus userspace daemon.
May 12 06:03:10 srvvm01 systemd[1]: Starting LSB: ClamAV virus milter...
May 12 06:03:10 srvvm01 systemd[1]: Started LLDP daemon.
May 12 06:03:10 srvvm01 systemd[1]: Started /etc/rc.local Compatibility.
May 12 06:03:10 srvvm01 systemd[1]: Started LSB: Start NTP daemon.
May 12 06:03:10 srvvm01 systemd[1]: Started LSB: start Samba daemons for the AD DC.
May 12 06:03:10 srvvm01 systemd[1]: Started LSB: start Samba NetBIOS nameserver (nmbd).
May 12 06:03:10 srvvm01 systemd[1]: Starting Dovecot IMAP/POP3 email server... May 12 06:03:10 srvvm01 systemd[1]: Started Dovecot IMAP/POP3 email server. May 12 06:03:10 srvvm01 systemd[1]: Starting LSB: start Samba SMB/CIFS daemon (smbd)... May 12 06:03:10 srvvm01 systemd[1]: Started LSB: start Samba SMB/CIFS daemon (smbd). May 12 06:03:10 srvvm01 ntpd[236]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123 May 12 06:03:10 srvvm01 ntpd[236]: Listen and drop on 1 v6wildcard :: UDP 123 May 12 06:03:10 srvvm01 ntpd[236]: Listen normally on 2 lo 127.0.0.1 UDP 123 May 12 06:03:10 srvvm01 ntpd[236]: Listen normally on 3 eth0 10.19.96.11 UDP 123 May 12 06:03:11 srvvm01 ntpd[236]: Listen normally on 4 lo ::1 UDP 123 May 12 06:03:11 srvvm01 ntpd[236]: Listen normally on 5 eth0 fe80::220:8cff:fe8a:5183 UDP 123 May 12 06:03:11 srvvm01 ntpd[236]: peers refreshed May 12 06:03:11 srvvm01 ntpd[236]: Listening on routing socket on fd #22 for interface updates May 12 06:03:11 srvvm01 ntpd[236]: authreadkeys: file /etc/ntp/keys: No such file or directory May 12 06:03:11 srvvm01 lldpcli[234]: cannot find configuration file/directory /etc/lldpd.conf May 12 06:03:11 srvvm01 lldpcli[234]: unknown command from argument 1: `#` May 12 06:03:11 srvvm01 lldpcli[234]: an error occurred while executing last command May 12 06:03:11 srvvm01 lldpcli[234]: unknown command from argument 1: `#` May 12 06:03:11 srvvm01 lldpcli[234]: an error occurred while executing last command May 12 06:03:11 srvvm01 lldpcli[234]: lldpd should resume operations May 12 06:03:11 srvvm01 systemd[1]: Started System Logging Service. 
May 12 06:03:11 srvvm01 sendmail[194]: Starting Mail Transport Agent (MTA): sendmailMakefile:290: warning: overriding recipe for target '/etc/aliases.news.db' May 12 06:03:14 srvvm01 sendmail[194]: Makefile:287: warning: ignoring old recipe for target '/etc/aliases.news.db' May 12 06:03:14 srvvm01 sendmail[194]: Makefile:344: warning: overriding recipe for target '/etc/aliases.news' May 12 06:03:14 srvvm01 sendmail[194]: Makefile:287: warning: ignoring old recipe for target '/etc/aliases.news' May 12 06:03:14 srvvm01 systemd[1]: Started Zabbix Agent. May 12 06:03:16 srvvm01 dovecot: master: Dovecot v2.2.18 starting up for imap, pop3 (core dumps disabled) May 12 06:03:16 srvvm01 sssd: Starting up May 12 06:03:16 srvvm01 dovecot[241]: Warning: fd limit (ulimit -n) is lower than required under max. load (1024 < 3000), because of default_client_limit May 12 06:03:18 srvvm01 clamav-milter[372]: +++ Started at Thu May 12 06:03:18 2016 May 12 06:03:20 srvvm01 clamd[239]: Received 1 file descriptor(s) from systemd. May 12 06:03:20 srvvm01 clamd[239]: clamd daemon 0.99 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) May 12 06:03:20 srvvm01 clamd[239]: Running as user clamav (UID 111, GID 143) May 12 06:03:20 srvvm01 clamd[239]: Log file size limited to 4294967295bytes. May 12 06:03:20 srvvm01 clamd[239]: Reading databases from /var/lib/clamav May 12 06:03:20 srvvm01 clamd[239]: Not loading PUA signatures. May 12 06:03:20 srvvm01 clamd[239]: Bytecode: Security mode set to "TrustSigned". May 12 06:03:20 srvvm01 systemd[1]: Started LSB: ClamAV virus milter. May 12 06:03:20 srvvm01 systemd[1]: Started LSB: INN news server. May 12 06:03:20 srvvm01 freshclam[180]: ClamAV update process started at Thu May 12 06:03:20 2016 May 12 06:03:20 srvvm01 freshclam[180]: WARNING: Your ClamAV installation is OUTDATED! May 12 06:03:20 srvvm01 freshclam[180]: WARNING: Local version: 0.99 Recommended version: 0.99.2 May 12 06:03:20 srvvm01 freshclam[180]: DON'T PANIC! 
Read http://www.clamav.net/support/faq May 12 06:03:20 srvvm01 clamav-milter[240]: Starting Sendmail milter plugin for ClamAV: clamav-milter. May 12 06:03:20 srvvm01 inn2[189]: Starting news server: innd. May 12 06:03:20 srvvm01 innd: SERVER descriptors 1023 May 12 06:03:21 srvvm01 innd: SERVER outgoing 1010 May 12 06:03:21 srvvm01 innd: SERVER ccsetup control:12 May 12 06:03:21 srvvm01 innd: SERVER lcsetup localconn:14 May 12 06:03:21 srvvm01 freshclam[180]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer) May 12 06:03:21 srvvm01 freshclam[180]: daily.cld is up to date (version: 21529, sigs: 139560, f-level: 63, builder: neo) May 12 06:03:21 srvvm01 freshclam[180]: bytecode.cld is up to date (version: 277, sigs: 47, f-level: 63, builder: neo) May 12 06:03:21 srvvm01 sssd[be[example.com]]: Starting up May 12 06:03:22 srvvm01 innd: SERVER rcsetup remconn:15 May 12 06:03:22 srvvm01 innd: SERVER rcsetup remconn:17 May 12 06:03:22 srvvm01 innd: controlchan! spawned controlchan!:21:proc:425 May 12 06:03:23 srvvm01 innd: SERVER perl filtering enabled May 12 06:03:25 srvvm01 innd: SERVER starting May 12 06:03:25 srvvm01 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 2 secs): user=<>, rip=10.19.102.238, lip=10.19.96.11, TLS handshaking: Disconnected, session= May 12 06:03:26 srvvm01 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 2 secs): user=<>, rip=10.19.102.238, lip=10.19.96.11, TLS handshaking: Disconnected, session=<1jpOPZ0yBQCsE2bu> May 12 06:03:26 srvvm01 sssd[sudo]: Starting up May 12 06:03:26 srvvm01 sssd[ssh]: Starting up May 12 06:03:26 srvvm01 sssd[nss]: Starting up May 12 06:03:26 srvvm01 systemd[1]: Started Certificate monitoring and PKI enrollment. 
May 12 06:03:26 srvvm01 sssd[pam]: Starting up May 12 06:03:29 srvvm01 sssd[pac]: Starting up May 12 06:03:42 srvvm01 dovecot: imap-login: Disconnected (no auth attempts in 19 secs): user=<>, rip=10.0.142.199, lip=10.19.96.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<9T14Pp0yjwAFkY7H> May 12 06:03:42 srvvm01 dovecot: imap-login: Disconnected (no auth attempts in 19 secs): user=<>, rip=10.0.142.199, lip=10.19.96.11, TLS handshaking, session=<50d4Pp0yjgAFkY7H> May 12 06:03:42 srvvm01 dovecot: imap-login: Disconnected (no auth attempts in 21 secs): user=<>, rip=10.0.142.199, lip=10.19.96.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session= May 12 06:03:42 srvvm01 dovecot: imap-login: Disconnected (no auth attempts in 21 secs): user=<>, rip=10.0.142.199, lip=10.19.96.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session= May 12 06:03:47 srvvm01 controlchan[425]: starting May 12 06:03:57 srvvm01 clamd[239]: Loaded 4353011 signatures. May 12 06:04:04 srvvm01 clamd[239]: TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd. May 12 06:04:04 srvvm01 clamd[239]: LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd. May 12 06:04:04 srvvm01 clamd[239]: Limits: Global size limit set to 104857600 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: File size limit set to 26214400 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: Recursion level limit set to 16. May 12 06:04:04 srvvm01 clamd[239]: Limits: Files limit set to 10000. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxEmbeddedPE limit set to 10485760 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxHTMLNormalize limit set to 10485760 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxHTMLNoTags limit set to 2097152 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxScriptNormalize limit set to 5242880 bytes. 
May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxZipTypeRcg limit set to 1048576 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxPartitions limit set to 50. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxIconsPE limit set to 100. May 12 06:04:04 srvvm01 clamd[239]: Limits: PCREMatchLimit limit set to 10000. May 12 06:04:04 srvvm01 clamd[239]: Limits: PCRERecMatchLimit limit set to 5000. May 12 06:04:04 srvvm01 clamd[239]: Limits: PCREMaxFileSize limit set to 26214400. May 12 06:04:04 srvvm01 clamd[239]: Archive support enabled. May 12 06:04:04 srvvm01 clamd[239]: Algorithmic detection enabled. May 12 06:04:04 srvvm01 clamd[239]: Portable Executable support enabled. May 12 06:04:04 srvvm01 clamd[239]: ELF support enabled. May 12 06:04:04 srvvm01 clamd[239]: Mail files support enabled. May 12 06:04:04 srvvm01 clamd[239]: OLE2 support enabled. May 12 06:04:04 srvvm01 clamd[239]: PDF support enabled. May 12 06:04:04 srvvm01 clamd[239]: SWF support enabled. May 12 06:04:04 srvvm01 clamd[239]: HTML support enabled. May 12 06:04:04 srvvm01 clamd[239]: Self checking every 3600 seconds. May 12 06:04:04 srvvm01 clamd[239]: Limits: Global size limit set to 104857600 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: File size limit set to 26214400 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: Recursion level limit set to 16. May 12 06:04:04 srvvm01 clamd[239]: Limits: Files limit set to 10000. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxEmbeddedPE limit set to 10485760 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxHTMLNormalize limit set to 10485760 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxHTMLNoTags limit set to 2097152 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxScriptNormalize limit set to 5242880 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxZipTypeRcg limit set to 1048576 bytes. May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxPartitions limit set to 50. 
May 12 06:04:04 srvvm01 clamd[239]: Limits: MaxIconsPE limit set to 100. May 12 06:04:04 srvvm01 clamd[239]: Limits: PCREMatchLimit limit set to 10000. May 12 06:04:04 srvvm01 clamd[239]: Limits: PCRERecMatchLimit limit set to 5000. May 12 06:04:04 srvvm01 clamd[239]: Limits: PCREMaxFileSize limit set to 26214400. May 12 06:04:04 srvvm01 clamd[239]: Archive support enabled. May 12 06:04:04 srvvm01 clamd[239]: Algorithmic detection enabled. May 12 06:04:04 srvvm01 clamd[239]: Portable Executable support enabled. May 12 06:04:04 srvvm01 clamd[239]: ELF support enabled. May 12 06:04:04 srvvm01 clamd[239]: Mail files support enabled. May 12 06:04:04 srvvm01 clamd[239]: OLE2 support enabled. May 12 06:04:04 srvvm01 clamd[239]: PDF support enabled. May 12 06:04:04 srvvm01 clamd[239]: SWF support enabled. May 12 06:04:04 srvvm01 clamd[239]: HTML support enabled. May 12 06:04:04 srvvm01 clamd[239]: Self checking every 3600 seconds. May 12 06:04:05 srvvm01 systemd[1]: sssd.service start operation timed out. Terminating. May 12 06:04:05 srvvm01 sssd[sudo]: Shutting down May 12 06:04:05 srvvm01 sssd[nss]: Shutting down May 12 06:04:05 srvvm01 sssd[be[example.com]]: Shutting down May 12 06:04:05 srvvm01 sssd[pam]: Shutting down May 12 06:04:06 srvvm01 sssd[pac]: Shutting down May 12 06:04:06 srvvm01 sssd[ssh]: Shutting down May 12 06:04:06 srvvm01 sendmail[389]: alias database /etc/mail/aliases.user rebuilt by root May 12 06:04:06 srvvm01 sendmail[389]: /etc/mail/aliases.user: 917 aliases, longest 569 bytes, 19796 bytes total May 12 06:04:06 srvvm01 systemd[1]: Failed to start System Security Services Daemon. May 12 06:04:06 srvvm01 systemd[1]: Unit sssd.service entered failed state. May 12 06:04:06 srvvm01 systemd[1]: Starting User and Group Name Lookups. May 12 06:04:06 srvvm01 systemd[1]: Reached target User and Group Name Lookups. May 12 06:04:06 srvvm01 systemd[1]: Starting Login Service... May 12 06:04:06 srvvm01 systemd[1]: Starting Permit User Sessions... 
May 12 06:04:06 srvvm01 systemd[1]: Started Permit User Sessions. May 12 06:04:06 srvvm01 systemd[1]: Started Getty on tty1. May 12 06:04:06 srvvm01 systemd[1]: Starting Container Getty on /dev/pts/3... May 12 06:04:06 srvvm01 systemd[1]: Started Container Getty on /dev/pts/3. May 12 06:04:06 srvvm01 systemd[1]: Starting Container Getty on /dev/pts/2... May 12 06:04:06 srvvm01 systemd[1]: Started Login Service. May 12 06:04:06 srvvm01 sendmail[389]: alias database /etc/mail/aliases rebuilt by root May 12 06:04:06 srvvm01 sendmail[389]: /etc/mail/aliases: 214 aliases, longest 435 bytes, 11818 bytes total May 12 06:04:09 srvvm01 sendmail[389]: alias database /etc/aliases.news rebuilt by root May 12 06:04:09 srvvm01 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=, method=PLAIN, rip=10.0.142.199, lip=10.19.96.11, TLS, session= May 12 06:04:09 srvvm01 sendmail[389]: /etc/aliases.news: 235 aliases, longest 115 bytes, 27926 bytes total May 12 06:04:09 srvvm01 sendmail[513]: alias database /etc/mail/aliases.user rebuilt by root May 12 06:04:09 srvvm01 sendmail[513]: /etc/mail/aliases.user: 917 aliases, longest 569 bytes, 19796 bytes total May 12 06:04:09 srvvm01 sendmail[513]: alias database /etc/mail/aliases rebuilt by root May 12 06:04:09 srvvm01 sendmail[513]: /etc/mail/aliases: 214 aliases, longest 435 bytes, 11818 bytes total -------------- next part -------------- A non-text attachment was scrubbed... 
From akaczka86 at gmail.com Fri May 13 22:01:02 2016
From: akaczka86 at gmail.com (Adam Kaczka)
Date: Fri, 13 May 2016 18:01:02 -0400
Subject: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN
Message-ID:

Hi all,

I have inherited an IPA system that has an expired cert and the old admins have left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but am running into errors when I try to renew the CA certs even after the time is reset. I also tried the troubleshooting under (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors); specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt" to add the cert in the database.

From the output of getcert list, I see both CA_UNREACHABLE and NEED_CSR_GEN_PIN. I followed the Red Hat article here (https://access.redhat.com/solutions/1142913), which verified that the key file password is correct, and I have reset the time. However the NEED_CSR_GEN_PIN status remains. My company actually has Red Hat support, but whoever built this IPA was using CentOS 6, so I am out of luck here.

Would really appreciate any help since I am stuck at this point. What else can I do at this point? e.g. Is generating a new CA cert necessary, etc.?
Version:
ipa-pki-ca-theme.noarch 9.0.3-7.el6 @base
ipa-pki-common-theme.noarch 9.0.3-7.el6 @base
ipa-pmincho-fonts.noarch 003.02-3.1.el6 @base
ipa-python.x86_64 3.0.0-47.el6.centos.2 @updates
ipa-server.x86_64 3.0.0-47.el6.centos.2 @updates
ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 @updates

Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I see these errors, which I think are relevant:

[27/Dec/2015:14:12:01][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException Certificate object not found
[27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException Certificate object not found
[27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()

Result seems to show the key file password is correct:

certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa ############################ NSS Certificate DB:Server-Cert

certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu

certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
REALM.COM IPA CA                                             CT,C,

certutil -L -d /etc/dirsrv/slapd-REALM-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
REALM.COM IPA CA                                             CT,C,C

Output of getcert list:

Number of certificates and requests being tracked: 7.
Request ID '21135214223243':
	status: CA_UNREACHABLE
	ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=example.NET
	subject: CN=host.example.net,O=example.NET
	expires: 2016-03-29 14:09:46 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '21135214223300':
	status: CA_UNREACHABLE
	ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=example.NET
	subject: CN=host.example.net,O=example.NET
	expires: 2016-03-29 14:09:45 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130519130741':
	status: NEED_CSR_GEN_PIN
	ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
	stuck: yes
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=example.NET
	subject: CN=CA Audit,O=example.NET
	expires: 2017-10-13 14:10:49 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20130519130742':
	status: NEED_CSR_GEN_PIN
	ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
	stuck: yes
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=example.NET
	subject: CN=OCSP Subsystem,O=example.NET
	expires: 2017-10-13 14:09:49 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20130519130743':
	status: NEED_CSR_GEN_PIN
	ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
	stuck: yes
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=example.NET
	subject: CN=CA Subsystem,O=example.NET
	expires: 2017-10-13 14:09:49 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20130519130744':
	status: MONITORING
	ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=example.NET
	subject: CN=RA Subsystem,O=example.NET
	expires: 2017-10-13 14:09:49 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20130519130745':
	status: NEED_CSR_GEN_PIN
	ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
	stuck: yes
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=example.NET
	subject: CN=host.example.net,O=example.NET
	expires: 2017-10-13 14:09:49 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

Regards,
Adam

From bentech4you at gmail.com Fri May 13 22:25:09 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sat, 14 May 2016 01:25:09 +0300
Subject: [Freeipa-users] How RBAC defined.
Message-ID:

Hi List,

I have one working setup with HBAC and sudo rules.

I would like to know more about RBAC, like what RBAC is and what can be achieved with RBAC.

Anyone please share some good topics about this, as I am getting so many and the information mentioned on those is different.

Thanks & Regards,
Ben

From gjn at gjn.priv.at Sat May 14 17:49:42 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sat, 14 May 2016 19:49:42 +0200
Subject: [Freeipa-users] DNSSEC NSEC3 Parameter
In-Reply-To:
References: <2080819.5b3ocLUXhc@techz>
Message-ID: <2784443.Cm2UdZKHuC@techz>

Hello,

Thanks for the answer.

On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> > Hello,
> > I have the problem to find the correct way for NSEC3PARAM ?
> >
> > With your help I have found this
> >
> > ipa dnszone-mod example.com. --nsec3param-rec "
> > "
> >
> > But it does not work correctly ?
> >
> > Now the question, is this the correct way
> >
> > ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >
> > to insert the NSEC3PARAMETER ??
>
> This should be right, there were related fixes by
> https://fedorahosted.org/freeipa/ticket/4413
>
> Your second command works in my test environment:
> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> # dig -t nsec3param example.com. +short
> 1 7 100 F9BA6264232B7283

The question is now, I mean the parameter is wrong?

I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (bind 9):

dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE

and a

dig -t nsec3param example.com. +short

the result is

1 0 10 ............

1 is sha1, so I mean (?) "0" is the correct parameter? "10" is the default for Bind, so I hope this is working correctly now.

Thanks for testing and the answer

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From datakid at gmail.com Sun May 15 01:11:27 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Sun, 15 May 2016 11:11:27 +1000
Subject: [Freeipa-users] After successful ipa-client-install, sssd not used?
Message-ID:

Hola,

We successfully installed ipa-server, and then successfully joined an AD in a one way trust. All in IPA are CentOS 7.2 latest updates.

I can successfully get info from AD by using: $id username on the server.

I can successfully *join* the new ipa server with a client using ipa-client-install. (both on stdout and /var/log/ipaclient-install look good).

I have followed these instructions to add an external mapped group, an internal group and a HBAC.

http://www.freeipa.org/page/Active_Directory_trust_setup

But, for some reason I can't then login to that client using AD credentials.

In fact, on the client in question, all indicators are that the username being used is "unknown".
I see little to nothing in /var/log/sssd/*, a few lines, late, in /var/log/dirsrv/slapd..../. Most of the live logging of auth seems to be in /var/log/secure.

My feeling is that the client successfully joins, but then isn't using sssd as its authentication system.

Where should I start looking? The logs aren't showing me anything of note. What should I test? How can I test?

I have had this working previously on a test domain, but it's hard to know what I've done differently due to time and how long it took to get it working last time.

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

From jhrozek at redhat.com Sun May 15 15:31:56 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 15 May 2016 17:31:56 +0200
Subject: [Freeipa-users] After successful ipa-client-install, sssd not used?
In-Reply-To:
References:
Message-ID: <20160515153156.GK4038@hendrix>

On Sun, May 15, 2016 at 11:11:27AM +1000, Lachlan Musicman wrote:
> Hola,
>
> We successfully installed ipa-server, and then successfully joined an AD in
> a one way trust.
> All in IPA are CentOS 7.2 latest updates.
>
> I can successfully get info from AD by using: $id username on the server.
>
> I can successfully *join* the new ipa server with a client using
> ipa-client-install. (both on stdout and /var/log/ipaclient-install look
> good).
>
> I have followed these instructions to add an external mapped group, an
> internal group and a HBAC.
>
> http://www.freeipa.org/page/Active_Directory_trust_setup
>
>
> But, for some reason I can't then login to that client using AD
> credentials.
>
> In fact, on the client in question, all indicators are that the username
> being used is "unknown". I see little to nothing in /var/log/sssd/*, a few
> lines, late, in /var/log/dirsrv/slapd..../. Most of the live logging of
> auth seems to be in /var/log/secure.
SSSD doesn't log anything except critical failures by default. Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting to see what's going on on the client.

>
> My feeling is that the client successfully joins, but then isn't using sssd
> as its authentication system.
>
> Where should I start looking? The logs aren't showing me anything of note.
> What should I test? How can I test?
>
> I have had this working previously on a test domain, but it's hard to know
> what I've done differently due to time and how long it took to get it
> working last time.
>
> Cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper

From bentech4you at gmail.com Sun May 15 19:16:53 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sun, 15 May 2016 22:16:53 +0300
Subject: [Freeipa-users] How RBAC defined.
In-Reply-To:
References:
Message-ID:

Hi List,

Anyone please help me by sending some updated documents.

On Sat, May 14, 2016 at 1:25 AM, Ben .T.George wrote:
> Hi List,
>
> I have one working setup with HBAC and sudo rules.
>
> I would like to know more about RBAC, like what RBAC is and what can be
> achieved with RBAC.
>
> Anyone please share some good topics about this, as I am getting so many
> and the information mentioned on those is different.
>
> Thanks & Regards,
> Ben

From marc.boorshtein at tremolosecurity.com Mon May 16 00:45:35 2016
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Sun, 15 May 2016 20:45:35 -0400
Subject: [Freeipa-users] How RBAC defined.
In-Reply-To:
References:
Message-ID:

> I would like to know more about RBAC, like what RBAC is and what can be
> achieved with RBAC.
>
> Anyone please share some good topics about this, as I am getting so many and
> the information mentioned on those is different.

I can imagine. RBAC (Role Based Access Control) was created on the idea that what systems, applications and entitlements you need should be based on your job function. It's a way of mapping business policies to technical authorizations. An example would be that someone in accounts payable shouldn't have access to the same systems as someone from accounts receivable. So in RBAC terms you would have a "Role" called "Accounts Payable" that might map to groups in a directory for "access to check system" and "access to vendor system", but another "Role" called "Accounts Receivable" that has access to other groups. Then you have something to audit against: "Why does someone with Role X have groups that aren't tied to that role?".

In practice, this rarely works. Few enterprises do that good of a job defining the roles and responsibilities for their employees at an HR level, so trying to enforce those roles in technology is hopeless. Also, RBAC models are very rigid and hard to change, so if you need to grant someone access to a system that's "one off" to get something done it breaks the entire model (unless your technology can handle it). What often happens is you get into a situation where every user could have their own role, completely breaking the RBAC model.

In my decade plus of identity management implementations across pretty much every vendor and several industries I can't think of any RBAC based models that were successful, but several that were complete failures. I was told going into a meeting at one large customer: "Don't even mention RBAC or the meeting will be ended and we'll be out."
Hope that helps

Thanks
Marc

From barrykfl at gmail.com Mon May 16 03:22:31 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Mon, 16 May 2016 11:22:31 +0800
Subject: [Freeipa-users] revise back cert of freeipa
Message-ID:

Hi:

Before, I used a GoDaddy cert and everything worked fine for a year; now the cert expired and broke the mutual agreement. Whatever command I type, it shows "can't contact LDAP server". Can I just fall back to the IPA self-signed cert if I have a backup? Please advise the detailed procedure.

Regards,
Barry

From datakid at gmail.com Mon May 16 03:28:22 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Mon, 16 May 2016 13:28:22 +1000
Subject: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
Message-ID:

Hola,

We have an interesting scenario that is hard to find any information on.

Due to permission restrictions on a NAS that is mounted and visible by both AD and 'nix clients, every user belongs to a particular primary group.

When we try doing idoverrides on the groups, it fails with the Primary Group. In some cases, the primary group doesn't even appear in a getent or id request. Sometimes it appears with an incorrect name or GID.

We have found it hard to get repeatable "failures", but here are two:

1. getent group (where groupname is any group, but is a primary group for a subset of members) does not return any member that has groupname as a primary group in AD.

2. Overriding a group, if the user has that group as a primary group (in AD), will override the name but not the GID. Otherwise, the override works.

There were a number of other unusual results that are hard to explain how to reproduce because it was all so seemingly random.

I feel like it would be an obvious need - to translate or override AD primary groups to FreeIPA groups, but this doesn't seem possible.

Have we set IPA up incorrectly, or are we hitting on something else?
I found this AD support problem for Win2003, but I feel like it's old and would surely have been solved? https://support.microsoft.com/en-us/kb/275523 Also, their solution ("hack AD, then hack your other LDAP software") is, for some reason, funny to me. Cheers L. ------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper -------------- next part -------------- An HTML attachment was scrubbed... URL: From Lachlan.Simpson at petermac.org Mon May 16 03:49:24 2016 From: Lachlan.Simpson at petermac.org (Simpson Lachlan) Date: Mon, 16 May 2016 03:49:24 +0000 Subject: [Freeipa-users] After successful ipa-client-install, sssd not used? In-Reply-To: <20160515153156.GK4038@hendrix> References: <20160515153156.GK4038@hendrix> Message-ID: <0137003026EBE54FBEC540C5600C03C435E205@PMC-EXMBX02.petermac.org.au> > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Jakub Hrozek > Sent: Monday, 16 May 2016 1:32 AM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] After successful ipa-client-install, sssd not used? > > SSSD doesn't log anything except critical failures by default. Please follow > https://fedorahosted.org/sssd/wiki/Troubleshooting to see what's going on on the > client. Thanks. Turns out the AD DNS had some bad entries that were poisoning our results. They have been solved now. Cheers L. This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. 
Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt. From bentech4you at gmail.com Mon May 16 05:02:37 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Mon, 16 May 2016 08:02:37 +0300 Subject: [Freeipa-users] How RBAC defined. In-Reply-To: References: Message-ID: HI Marc, thanks for the explanation. can you please share some kind of implementation guide for this? On Mon, May 16, 2016 at 3:45 AM, Marc Boorshtein < marc.boorshtein at tremolosecurity.com> wrote: > > I would like to know more about RBAC. like what is RBAC and what can be > > achieved with RBAC. > > > > anyone please share some good topics about this as i am getting so many > and > > the information's mentioned on those are different. > > I can imagine. RBAC (Role Based Access Control) was created on the > idea that what systems, applications and entitlements you need should > be based on your job function. Its a way of mapping business policies > to to technical authorizations. An example would be that someone in > accounts payable shouldn't have access to the same systems as someone > from accounts receivable. So in RBAC terms you would have a "Role" > called "Accounts Payable" that might map to groups in a directory for > "access to check system" and "access to vendor system" but another > "Role" called Accounts Receivable that has access to other groups. > Then you have something to audit against "Why does someone with Role X > have groups that aren't tied to that role?". > > In practice, this rarely works. Few enterprises do that good of a job > defining the roles and responsibilities for their employees at an HR > level that trying to enforce those roles in technology is hopeless. 
> Also, RBAC models are very rigid and hard to change, so if you need to
> grant someone access to a system that's "one off" to get something done
> it breaks the entire model (unless your technology can handle it).
> What often happens is you get into a situation where every user could
> have their own role, completely breaking the RBAC model.
>
> In my decade plus of identity management implementations across pretty
> much every vendor and several industries I can't think of any RBAC
> based models that were successful, but several that were complete
> failures. I was told going into a meeting at one large customer
> "Don't even mention RBAC or the meeting will be ended and we'll be
> out."
>
> Hope that helps
>
> Thanks
> Marc

From mkosek at redhat.com Mon May 16 06:47:03 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 16 May 2016 08:47:03 +0200
Subject: [Freeipa-users] DNSSEC NSEC3 Parameter
In-Reply-To: <2784443.Cm2UdZKHuC@techz>
References: <2080819.5b3ocLUXhc@techz> <2784443.Cm2UdZKHuC@techz>
Message-ID: <5d0978b4-6131-e101-5f12-e0b7ffffae97@redhat.com>

On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> Thanks for the answer,
>
> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>> I have the problem of finding the correct way for NSEC3PARAM ?
>>>
>>> With your help I have found this
>>>
>>> ipa dnszone-mod example.com. --nsec3param-rec " "
>>>
>>> But it does not work correctly ?
>>>
>>> Now the question, is this the correct way
>>>
>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>>
>>> to insert the NSEC3PARAMETER ??
>>
>> This should be right, there were related fixes by
>> https://fedorahosted.org/freeipa/ticket/4413
>>
>> Your second command works in my test environment:
>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>> # dig -t nsec3param example.com. +short
>> 1 7 100 F9BA6264232B7283
>
> The question is now, I mean the parameter is wrong ?
>
> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (bind 9)
>
> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
>
> and a
>
> dig -t nsec3param example.com. +short
>
> the result is
>
> 1 0 10 ............
>
> 1 is sha1
> so I mean (?) "0" is the correct parameter ?.
> "10" is the default for Bind
>
> so I hope this is working correctly now
>
> Thanks for testing and answer

Ahh, now I understand what you were asking about. The validators we have in DNS records are only limited, mostly to check that you are entering the right number of fields or that the data type is OK. They usually do not do any more complex evaluation. I would let Petr Spacek say if we need to change anything in FreeIPA in this case.

Martin

From abokovoy at redhat.com Mon May 16 08:29:56 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 16 May 2016 11:29:56 +0300
Subject: [Freeipa-users] How RBAC defined.
Message-ID: <20160516082956.jh5t63omts34kzdt@redhat.com>

On Sat, 14 May 2016, Ben .T.George wrote:
>Hi List,
>
>i have one working setup with HBAC and sudo rules.
>
>I would like to know more about RBAC. like what is RBAC and what can be
>achieved with RBAC.
>
>anyone please share some good topics about this as i am getting so many and
>the information's mentioned on those are different.

FreeIPA implements RBAC only for accessing data in LDAP. Practically, it is used to delegate permissions to modify certain attributes of object entries stored in LDAP.

See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

--
/ Alexander Bokovoy

From peljasz at yahoo.co.uk Mon May 16 08:34:28 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Mon, 16 May 2016 09:34:28 +0100
Subject: [Freeipa-users] a user delegated to control a OU and realmd join - how..
In-Reply-To: <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <1462983423.4953.59.camel@yahoo.co.uk> <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009>

On 13/05/16 14:14, Sumit Bose wrote:
> On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
>> .. if possible, would you know?
>> hi everybody,
>> I'm trying, and hoping it is possible, to realm join an AD but in such a
>> way that I tap my IPA into a specific OU within that AD.
> I'm not exactly sure what you mean here. Do you want to join a computer
> which is already a client in an IPA domain to AD as well? If this is the
> case I would recommend considering the IPA trust feature. Joining 2
> domains is in general possible with SSSD but has to be done with very
> great care, e.g. by using different keytabs for each domain.
>
>> The thing is - I'm thinking it would make user access control ideal
>> from the start as I need only users from that OU, but also because I'm
>> only granted access to the user/group who has control over that OU.
>> I'm trying that but I see:
>>
>> ! The computer account RIDER already exists, but is not in the desired
>> organizational unit.
>> adcli: joining domain ccc.bb.aa failed: The computer account RIDER
>> already exists,
> Computer account names in AD must be unique even if they are added to
> different OUs. So if there is already a computer called RIDER joined to
> AD and it is not your computer you have to rename your computer to join.
> If it is your computer and you want to create it in a different OU you
> have to delete the old computer object first and then do a fresh join.

hi Sumit, for me it did not work because of this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1258488

> HTH
>
> bye,
> Sumit
>
>> ! Failed to join the domain
>>
>> I'm doing this:
>> $ realm join ccc.bb.aa --user=private-user --computer-ou=private
>>
>> and computer is in OU=private of ccc.bb.aa
>> so is the user private-user
>>
>> many thanks.
>> L
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

From prashant at apigee.com Mon May 16 10:20:54 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Mon, 16 May 2016 15:50:54 +0530
Subject: [Freeipa-users] Enforce use of OTP token for all users.

Any suggestions on how to achieve this ?

From pvoborni at redhat.com Mon May 16 10:28:42 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 16 May 2016 12:28:42 +0200
Subject: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN
Message-ID: <5d528401-3a58-dc81-8113-e015369766a5@redhat.com>

On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> Hi all,
>
> I have inherited an IPA system that has an expired cert and the old admins have
> left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> am running into errors when I try to renew the CA certs even after time is reset.
> Also tried the troubleshooting under
> (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
> to add the cert in the database.
>
> From the output of getcert list, I see both CA_UNREACHABLE and
> NEED_CSR_GEN_PIN. I followed the Red Hat article here
> (https://access.redhat.com/solutions/1142913) which verified the key file password
> is correct, and I have reset time. However the NEED_CSR_GEN_PIN status remains.
> My company actually has Red Hat support but when they built this IPA whoever
> built it was using CentOS 6 so I am out of luck here.
>
> Would really appreciate any help since I am stuck at this point. What else
> can I do at this point? e.g. Is generating a new CA cert necessary, etc.?

Hi,

you don't need to renew the CA cert, it seems to be valid. But your server cert is expired. It expired on 2016-03-29.

1. Move the date back before this date, e.g., 2016-03-27.
2. Verify that IPA is running: `ipactl status`. Maybe a restart will be needed.
3. Run `getcert list` to see if certmonger can communicate with the CA.
4. If certmonger doesn't renew the certs automatically, run `getcert resubmit -i $certid` for the expired cert.

> Version:
> ipa-pki-ca-theme.noarch 9.0.3-7.el6 @base
> ipa-pki-common-theme.noarch 9.0.3-7.el6 @base
> ipa-pmincho-fonts.noarch 003.02-3.1.el6 @base
> ipa-python.x86_64 3.0.0-47.el6.centos.2 @updates
> ipa-server.x86_64 3.0.0-47.el6.centos.2 @updates
> ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 @updates
>
> Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I see these
> errors which I think are relevant:
> [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
> org.mozilla.jss.crypto.ObjectNotFoundException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
>
> Result seems to show key file password is correct:
> certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa ############################ NSS Certificate DB:Server-Cert
>
>
> certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                  Trust Attributes
>                                       SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca           u,u,u
> subsystemCert cert-pki-ca             u,u,u
> Server-Cert cert-pki-ca               u,u,u
> auditSigningCert cert-pki-ca          u,u,Pu
> caSigningCert cert-pki-ca             CTu,Cu,Cu
>
>
> certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                  Trust Attributes
>                                       SSL,S/MIME,JAR/XPI
>
> Server-Cert                           u,u,u
> ipaCert                               u,u,u
> REALM.COM IPA CA                      CT,C,
>
>
> certutil -L -d /etc/dirsrv/slapd-REALM-COM
>
> Certificate Nickname                  Trust Attributes
>                                       SSL,S/MIME,JAR/XPI
>
> Server-Cert                           u,u,u
> REALM.COM IPA CA                      CT,C,C
>
>
> Output of getcert list:
>
> Number of certificates and requests being tracked: 7.
> Request ID '21135214223243':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=example.NET
>   subject: CN=host.example.net ,O=example.NET
>   expires: 2016-03-29 14:09:46 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '21135214223300':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=example.NET
>   subject: CN=host.example.net ,O=example.NET
>   expires: 2016-03-29 14:09:45 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20130519130741':
>   status: NEED_CSR_GEN_PIN
>   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
>   stuck: yes
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=example.NET
>   subject: CN=CA Audit,O=example.NET
>   expires: 2017-10-13 14:10:49 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20130519130742':
>   status: NEED_CSR_GEN_PIN
>   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>   stuck: yes
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=example.NET
>   subject: CN=OCSP Subsystem,O=example.NET
>   expires: 2017-10-13 14:09:49 UTC
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20130519130743':
>   status: NEED_CSR_GEN_PIN
>   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>   stuck: yes
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=example.NET
>   subject: CN=CA Subsystem,O=example.NET
>   expires: 2017-10-13 14:09:49 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20130519130744':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=example.NET
>   subject: CN=RA Subsystem,O=example.NET
>   expires: 2017-10-13 14:09:49 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>   track: yes
>   auto-renew: yes
> Request ID '20130519130745':
>   status: NEED_CSR_GEN_PIN
>   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>   stuck: yes
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=example.NET
>   subject: CN=host.example.net ,O=example.NET
>   expires: 2017-10-13 14:09:49 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
>
>
> Regards, Adam

--
Petr Vobornik

From pvoborni at redhat.com Mon May 16 10:33:58 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 16 May 2016 12:33:58 +0200
Subject: [Freeipa-users] Enforce use of OTP token for all users.
Message-ID: <3fd0ac51-ace7-caca-4819-d7ae58edb604@redhat.com>

On 05/16/2016 12:20 PM, Prashant Bapat wrote:
> Any suggestions on how to achieve this ?
>

`ipa config-mod --user-auth-type=otp` will force OTP auth for users with an OTP token.

--
Petr Vobornik

From pspacek at redhat.com Mon May 16 11:13:04 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 16 May 2016 13:13:04 +0200
Subject: [Freeipa-users] DNSSEC NSEC3 Parameter
In-Reply-To: <5d0978b4-6131-e101-5f12-e0b7ffffae97@redhat.com>
References: <2080819.5b3ocLUXhc@techz> <2784443.Cm2UdZKHuC@techz> <5d0978b4-6131-e101-5f12-e0b7ffffae97@redhat.com>
Message-ID: <4195ff7c-99d5-c27b-2169-f848ca194c30@redhat.com>

On 16.5.2016 08:47, Martin Kosek wrote:
> On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> Thanks for the answer,
>>
>> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
>>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
>>>> Hello,
>>>> I have the problem of finding the correct way for NSEC3PARAM ?
>>>>
>>>> With your help I have found this
>>>>
>>>> ipa dnszone-mod example.com. --nsec3param-rec " "
>>>>
>>>> But it does not work correctly ?
>>>>
>>>> Now the question, is this the correct way
>>>>
>>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>>>
>>>> to insert the NSEC3PARAMETER ??
>>>
>>> This should be right, there were related fixes by
>>> https://fedorahosted.org/freeipa/ticket/4413
>>>
>>> Your second command works in my test environment:
>>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
>>> # dig -t nsec3param example.com. +short
>>> 1 7 100 F9BA6264232B7283
>>
>> The question is now, I mean the parameter is wrong ?
>>
>> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (bind 9)
>>
>> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
>>
>> and a
>>
>> dig -t nsec3param example.com. +short
>>
>> the result is
>>
>> 1 0 10 ............
>>
>> 1 is sha1
>> so I mean (?) "0" is the correct parameter ?.
>> "10" is the default for Bind
>>
>> so I hope this is working correctly now
>>
>> Thanks for testing and answer
>
> Ahh, now I understand what you were asking about. The validators we have in DNS
> records are only limited, mostly to check that you are entering the right
> number of fields or that the data type is OK. They usually do not do any more
> complex evaluation. I would let Petr Spacek say if we need to change anything
> in FreeIPA in this case.

Looking at
https://tools.ietf.org/html/rfc5155#section-4
http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

The only valid value for NSEC3PARAM flags is 0 (at the moment, this might change in future).

--
Petr^2 Spacek

From gjn at gjn.priv.at Mon May 16 11:44:13 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Mon, 16 May 2016 13:44:13 +0200
Subject: [Freeipa-users] DNSSEC NSEC3 Parameter
In-Reply-To: <4195ff7c-99d5-c27b-2169-f848ca194c30@redhat.com>
References: <2080819.5b3ocLUXhc@techz> <5d0978b4-6131-e101-5f12-e0b7ffffae97@redhat.com> <4195ff7c-99d5-c27b-2169-f848ca194c30@redhat.com>
Message-ID: <3661586.hRX9Qjer4W@techz>

On Monday, 16 May 2016, 13:13:04 CEST, Petr Spacek wrote:
> On 16.5.2016 08:47, Martin Kosek wrote:
> > On 05/14/2016 07:49 PM, Günther J. Niederwimmer wrote:
> >> Hello,
> >>
> >> Thanks for the answer,
> >>
> >> On Friday, 13 May 2016, 09:40:05 CEST, Martin Kosek wrote:
> >>> On 05/12/2016 04:41 PM, Günther J. Niederwimmer wrote:
> >>>> Hello,
> >>>> I have the problem of finding the correct way for NSEC3PARAM ?
> >>>>
> >>>> With your help I have found this
> >>>>
> >>>> ipa dnszone-mod example.com. --nsec3param-rec " "
> >>>>
> >>>> But it does not work correctly ?
> >>>>
> >>>> Now the question, is this the correct way
> >>>>
> >>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >>>>
> >>>> to insert the NSEC3PARAMETER ??
> >>>
> >>> This should be right, there were related fixes by
> >>> https://fedorahosted.org/freeipa/ticket/4413
> >>>
> >>> Your second command works in my test environment:
> >>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 f9ba6264232b7283"
> >>> # dig -t nsec3param example.com. +short
> >>> 1 7 100 F9BA6264232B7283
> >>
> >> The question is now, I mean the parameter is wrong ?
> >>
> >> I made a test without FreeIPA on a "normal" DNS (DNSSEC) installation (bind 9)
> >>
> >> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE
> >>
> >> and a
> >>
> >> dig -t nsec3param example.com. +short
> >>
> >> the result is
> >>
> >> 1 0 10 ............
> >>
> >> 1 is sha1
> >> so I mean (?) "0" is the correct parameter ?.
> >> "10" is the default for Bind
> >>
> >> so I hope this is working correctly now
> >>
> >> Thanks for testing and answer
> >
> > Ahh, now I understand what you were asking about. The validators we have
> > in DNS records are only limited, mostly to check that you are entering
> > the right number of fields or that the data type is OK. They usually do
> > not do any more complex evaluation. I would let Petr Spacek say if we
> > need to change anything in FreeIPA in this case.
>
> Looking at
> https://tools.ietf.org/html/rfc5155#section-4
> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-2

Petr, I read this all, but I mean I read it wrong ;-)

A nicer way to implement this is an automatic configuration with only a button :-)).

Thanks for the help,

> The only valid value for NSEC3PARAM flags is 0 (at the moment, this might
> change in future).
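The thread above turns on the difference between a syntactic check (four fields, right types) and a semantic one (flags must be 0). As an added illustration, not code from FreeIPA or from anyone in the thread, here is a small validator for NSEC3PARAM RDATA in presentation format that does both, using the RFC 5155 section 4 field rules; the function and message names are my own.

```python
import re

# Presentation format per RFC 5155 section 4: "<hash-alg> <flags> <iterations> <salt>".
HASH_ALGORITHMS = {1: "SHA-1"}   # the only value in the IANA NSEC3 hash algorithm registry
MAX_SALT_OCTETS = 255            # wire format carries the salt length in one octet


def validate_nsec3param(text):
    """Validate an NSEC3PARAM record in presentation format.

    Returns (ok, problems, warnings). 'problems' are violations of RFC 5155
    (the record should be rejected); 'warnings' are advisory only.
    The first two checks are the field-count and type checks a simple
    record validator already does; the rest are the semantic checks.
    """
    problems, warnings = [], []
    fields = text.split()
    if len(fields) != 4:
        return False, ["expected 4 fields (hash-alg flags iterations salt), got %d" % len(fields)], warnings
    alg_s, flags_s, iter_s, salt = fields

    # Type/width checks: the first three fields are unsigned integers of
    # 8, 8 and 16 bits respectively.
    ints = {}
    for name, value, limit in (("hash-alg", alg_s, 255),
                               ("flags", flags_s, 255),
                               ("iterations", iter_s, 65535)):
        if not value.isdigit():
            problems.append("%s is not an unsigned integer: %r" % (name, value))
            continue
        n = int(value)
        if n > limit:
            problems.append("%s %d exceeds field width (max %d)" % (name, n, limit))
        ints[name] = n

    # Semantic checks the thread says were missing.
    if "hash-alg" in ints and ints["hash-alg"] not in HASH_ALGORITHMS:
        problems.append("hash algorithm %d is not registered (only 1 = SHA-1)" % ints["hash-alg"])
    if "flags" in ints and ints["flags"] != 0:
        # The Opt-Out bit is only meaningful on NSEC3 records; RFC 5155
        # requires NSEC3PARAM flags to be zero.
        problems.append("flags must be 0 in NSEC3PARAM, got %d" % ints["flags"])
    if "iterations" in ints and ints["iterations"] > 0:
        # Advisory: RFC 9276 recommends 0 iterations (extra iterations add
        # resolver load without a matching security benefit).
        warnings.append("iterations %d > 0; RFC 9276 recommends 0" % ints["iterations"])

    # Salt: '-' means empty, otherwise an even-length hex string of at most 255 octets.
    if salt != "-":
        if not re.fullmatch(r"[0-9A-Fa-f]+", salt) or len(salt) % 2:
            problems.append("salt must be '-' or an even-length hex string, got %r" % salt)
        elif len(salt) // 2 > MAX_SALT_OCTETS:
            problems.append("salt longer than %d octets" % MAX_SALT_OCTETS)

    return not problems, problems, warnings


if __name__ == "__main__":
    # The two records from the thread: the first passes the syntactic
    # checks but fails on flags; the second (BIND's output) is valid.
    for rdata in ("1 7 100 f9ba6264232b7283", "1 0 10 f9ba6264232b7283"):
        ok, problems, warnings = validate_nsec3param(rdata)
        print(rdata, "->", "OK" if ok else "REJECT", problems, warnings)
```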
From gjn at gjn.priv.at Mon May 16 12:03:29 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Mon, 16 May 2016 14:03:29 +0200
Subject: [Freeipa-users] FreeIPA DNS Module (named.conf)
Message-ID: <8365375.B2xTiAS9Q2@techz>

Hello,

I have a question about the named.conf: is it possible to change the named.conf to make ACLs or views, or is named.conf overwritten by the FreeIPA module?

--
with kind regards / best regards,

Günther J. Niederwimmer

From bentech4you at gmail.com Mon May 16 12:15:13 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Mon, 16 May 2016 15:15:13 +0300
Subject: [Freeipa-users] How RBAC defined.
In-Reply-To: <20160516082956.jh5t63omts34kzdt@redhat.com>
References: <20160516082956.jh5t63omts34kzdt@redhat.com>

HI

So basically RBAC cannot be applied against system users (ssh)?

On Mon, May 16, 2016 at 11:29 AM, Alexander Bokovoy wrote:
> On Sat, 14 May 2016, Ben .T.George wrote:
>
>> Hi List,
>>
>> i have one working setup with HBAC and sudo rules.
>>
>> I would like to know more about RBAC. like what is RBAC and what can be
>> achieved with RBAC.
>>
>> anyone please share some good topics about this as i am getting so many
>> and the information's mentioned on those are different.
>>
> FreeIPA implements RBAC only for accessing data in LDAP. Practically, it
> is used to delegate permissions to modify certain attributes of object
> entries stored in LDAP.
>
> See
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html
>
> --
> / Alexander Bokovoy

From abokovoy at redhat.com Mon May 16 12:20:56 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 16 May 2016 15:20:56 +0300
Subject: [Freeipa-users] How RBAC defined.
In-Reply-To:
References: <20160516082956.jh5t63omts34kzdt@redhat.com>
Message-ID: <20160516122056.6g5jsyalogybtr3b@redhat.com>

On Mon, 16 May 2016, Ben .T.George wrote:
>HI
>
>So basically RBAC cannot be applied against system users (ssh)?

For enforcing anything at a client side we have HBAC. For enforcing permission checks in the LDAP database we have RBAC.

--
/ Alexander Bokovoy

From gjn at gjn.priv.at Mon May 16 12:47:15 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Mon, 16 May 2016 14:47:15 +0200
Subject: [Freeipa-users] FreeIPa and Mailserver (LDAP)
Message-ID: <2180771.cfu5rrhrlW@techz>

Hello,

In the FreeIPA UI it is possible to insert more than one email address, but I can't find a way to have the correct password / mail address together (Dovecot); the only way I found is user / password.

My search filter at the moment is
user_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(mail=%u))

I mean I must have a "mailalias" or .....

Does anyone have an idea or a hint for this problem?

Thanks for an answer,

--
with kind regards / best regards,

Günther J. Niederwimmer

From abokovoy at redhat.com Mon May 16 12:59:16 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 16 May 2016 15:59:16 +0300
Subject: [Freeipa-users] FreeIPa and Mailserver (LDAP)
In-Reply-To: <2180771.cfu5rrhrlW@techz>
References: <2180771.cfu5rrhrlW@techz>
Message-ID: <20160516125916.m5cpv6fr3lcenfgu@redhat.com>

On Mon, 16 May 2016, Günther J. Niederwimmer wrote:
>Hello,
>
>In the FreeIPA UI it is possible to insert more than one email address, but I
>can't find a way to have the correct password / mail address
>together (Dovecot); the only way I found is user / password.
> >My search Filter is in the Moment >user_filter = (&(objectClass=posixaccount)(objectClass=inetorgperson) >(memberof=cn=mailusers,cn=groups,cn=accounts,dc=example,dc=com)(mail=%u)) > >I mean I must have a "mailalias" or ..... > >Have any a Idea or a Hint for this Problem? We don't have support for application-specific passwords. Mailaddress/password pair looks like the same thing, so it is not supported. -- / Alexander Bokovoy From mbasti at redhat.com Mon May 16 13:05:00 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 16 May 2016 15:05:00 +0200 Subject: [Freeipa-users] DNSSEC NSEC3 Parameter In-Reply-To: <3661586.hRX9Qjer4W@techz> References: <2080819.5b3ocLUXhc@techz> <5d0978b4-6131-e101-5f12-e0b7ffffae97@redhat.com> <4195ff7c-99d5-c27b-2169-f848ca194c30@redhat.com> <3661586.hRX9Qjer4W@techz> Message-ID: On 16.05.2016 13:44, G?nther J. Niederwimmer wrote: > Am Montag, 16. Mai 2016, 13:13:04 CEST schrieb Petr Spacek: >> On 16.5.2016 08:47, Martin Kosek wrote: >>> On 05/14/2016 07:49 PM, G?nther J. Niederwimmer wrote: >>>> Hello, >>>> >>>> Thanks for answer, >>>> >>>> Am Freitag, 13. Mai 2016, 09:40:05 CEST schrieb Martin Kosek: >>>>> On 05/12/2016 04:41 PM, G?nther J. Niederwimmer wrote: >>>>>> Hello, >>>>>> I have the Problem to find the correct way for NSEC3PARAM ? >>>>>> >>>>>> With your Help I have this found >>>>>> >>>>>> ipa dnszone-mod example.com. --nsec3param-rec " >>>>>> " >>>>>> >>>>>> But it dos not work correct ? >>>>>> >>>>>> Now the question, is this the correct way >>>>>> >>>>>> ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 >>>>>> f9ba6264232b7283" >>>>>> >>>>>> to insert the NSEC3PARAMETER ?? >>>>> This should be right, there were related fixes by >>>>> https://fedorahosted.org/freeipa/ticket/4413 >>>>> >>>>> Your second command works in my test environment: >>>>> # ipa dnszone-mod example.com. --nsec3param-rec "1 7 100 >>>>> f9ba6264232b7283" >>>>> # dig -t nsec3param example.com. 
+short >>>>> 1 7 100 F9BA6264232B7283 >>>> The question is now, I mean the Parameter is wrong ? >>>> >>>> I make a test without Freeipa on a "normal" DNS (DNSSEC) installation >>>> (bind 9) >>>> >>>> dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) >>>> -N INCREMENT -o $ZONE -t $ZONEDIR/$ZONEFILE >>>> >>>> and a >>>> >>>> dig -t nsec3param example.com. +short >>>> >>>> the relult is >>>> >>>> 1 0 10 ............ >>>> >>>> 1 is sha1 >>>> so I mean (?) "0" is the correct parameter ?. >>>> "10" is the default for Bind >>>> >>>> so I hope this is working now correct >>>> >>>> Thanks for testing and answer >>> Ahh, now I understand what you were asking about. The validators we have >>> in DNS records are only limited, mostly to check that you are entering >>> the right number of fields or that the data type is OK. They usually do >>> not do any more complex evaluation. I would let Petr Spacek say if we >>> need to change anything in FreeIPA in this case. >> Looking at >> https://tools.ietf.org/html/rfc5155#section-4 >> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-paramet >> ers.xhtml#dnssec-nsec3-parameters-2 > Petr, I read this all, but I mean I read it wrong ;-) > > A nicer way to implement this, is a automatic configuration only with a button > :-)). > > Thanks for the Help, Hello, can you please file a RFE ticket? https://fedorahosted.org/freeipa/newticket And would be nice to provide what kind of default values are suitable for it in that ticket. Martin >> The only valid value for NSEC3PARAM flags is 0 (at the moment, this might >> change in future). 
> > From abokovoy at redhat.com Mon May 16 13:23:19 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 16 May 2016 16:23:19 +0300 Subject: [Freeipa-users] Fedora 24 single sign-on improvements Message-ID: <20160516132319.bi5xull4bxhmq5pw@redhat.com> Hi, my article detailing the Fedora 24 improvements for single sign-on use is published by Fedora Magazine: https://fedoramagazine.org/single-sign-on-improvements-fedora-24/ -- / Alexander Bokovoy From mkosek at redhat.com Mon May 16 13:24:25 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 16 May 2016 15:24:25 +0200 Subject: [Freeipa-users] otp question to limit brute force vector for web applications In-Reply-To: <5735F1C6.2010409@terminal-consulting.de> References: <5735D5B1.2080508@terminal-consulting.de> <4eac3887-af0f-ad5b-3efa-1290f5a10c42@redhat.com> <5735F1C6.2010409@terminal-consulting.de> Message-ID: On 05/13/2016 05:24 PM, Thomas Heil wrote: > Hi, > > On 13.05.2016 16:12, Petr Spacek wrote: >> On 13.5.2016 15:25, Thomas Heil wrote: >>> Hi, >>> >>> I would like to reduce the vector of brute force attacks in my web >>> application written in php. Users can log in via password and otp which >>> are hosted on freeipa. >>> >>> To achieve this I would like to check the otp first, so no password auth >>> is done on the freeipa server and no user can be locked out. >>> >>> If the otp is correct, the user is now allowed to log in via password+otp. >>> >>> unfortunately, there is no api method that can check only the otp for a >>> user with an identity. >>> >>> Would it be possible to expose such a new method? >> >> This would open a new attack vector so it is a bad idea. >> >> The attacker must not be able to distinguish the case where password OR OTP is >> correct/wrong. If you allow this, the attacker will be able to crack OTP first >> and then continue with password, so you are making it easier. > > Okay you are right with that. Sorry.
> > My intention is to avoid to be vulnerable for brute force attacks. I > have a trust with an active directory and want to avoid that the user on > ad side is locked if otp is wrong. > > Is this possible? Not at the moment. We have an RFE filed, but we cannot augment AD user authentication with OTP yet: https://fedorahosted.org/freeipa/ticket/4876 Martin From mkosek at redhat.com Mon May 16 13:27:39 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 16 May 2016 15:27:39 +0200 Subject: [Freeipa-users] AD Primary Groups are ignored in FreeIPA? In-Reply-To: References: Message-ID: <016ec124-749b-2528-18ab-03b971aebe7d@redhat.com> On 05/16/2016 05:28 AM, Lachlan Musicman wrote: > Hola, > > We have an interesting scenario that is hard to find any information on. > > Due to permission restrictions, a NAS that is mounted and visible by both AD and > 'nix clients, every user belongs to a particular primary group. > > When we try doing idoverride's on the groups, it fails with the Primary Group. > In some cases, the primary group doesn't even appear in a getent or id request. > Sometimes it appears with incorrect name or GID. > > We have found it hard to get repeatable "failures", but here are two: > > 1. getent group (where groupname is any group, but is a primary > group for a subset of members) > > - does not return any member that has groupname as a primary group in AD. > > 2. Overriding a group > > if the user has that group as a primary group (in AD), it will override the > name, but not the GID. > else, the override works. > > There were a number of other unusual results that are hard to explain how to > reproduce because it was all so seemingly random. > > > I feel like it would be an obvious need - to translate or override AD primary > groups to FreeIPA groups, but this doesn't seem possible. > > Have we set IPA up incorrectly, or are we hitting on something else? 
> > I found this AD support problem for Win2003, but I feel like it's old and would > surely have been solved? https://support.microsoft.com/en-us/kb/275523 > > Also, their solution ("hack AD, then hack your other LDAP software") is, for > some reason, funny to me. > > Cheers > L. Hello Lachlan, It seems you are looking for this extension: https://fedorahosted.org/sssd/ticket/1872 It is not done yet, there is plenty of information in the ticket comments. Please let us know if this does not help. Martin From mkosek at redhat.com Mon May 16 13:33:21 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 16 May 2016 15:33:21 +0200 Subject: [Freeipa-users] FreeIPA DNS Module (named.conf) In-Reply-To: <8365375.B2xTiAS9Q2@techz> References: <8365375.B2xTiAS9Q2@techz> Message-ID: <0964c240-a99d-7c59-7e91-c493432f5ef7@redhat.com> On 05/16/2016 02:03 PM, Günther J. Niederwimmer wrote: > Hello, > > I have a question about the named.conf, is it possible to change the > named.conf, to make ACL or views, or is named.conf overwritten by the FreeIPA > module ? > Hello, FreeIPA indeed replaces default named.conf during installation and then later extends it when updates are needed. So it may not be too safe adding your own changes there and turning it into shared DNS with FreeIPA (though it should work if done after installation, Petr Spacek will know better). As for DNS Views, see https://fedorahosted.org/freeipa/ticket/2802 for information. Thanks, Martin From jhrozek at redhat.com Mon May 16 13:45:00 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 16 May 2016 15:45:00 +0200 Subject: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
In-Reply-To: <016ec124-749b-2528-18ab-03b971aebe7d@redhat.com> References: <016ec124-749b-2528-18ab-03b971aebe7d@redhat.com> Message-ID: <20160516134500.GB28149@hendrix> On Mon, May 16, 2016 at 03:27:39PM +0200, Martin Kosek wrote: > On 05/16/2016 05:28 AM, Lachlan Musicman wrote: > > Hola, > > > > We have an interesting scenario that is hard to find any information on. > > > > Due to permission restrictions, a NAS that is mounted and visible by both AD and > > 'nix clients, every user belongs to a particular primary group. > > > > When we try doing idoverride's on the groups, it fails with the Primary Group. > > In some cases, the primary group doesn't even appear in a getent or id request. > > Sometimes it appears with incorrect name or GID. > > > > We have found it hard to get repeatable "failures", but here are two: > > > > 1. getent group (where groupname is any group, but is a primary > > group for a subset of members) > > > > - does not return any member that has groupname as a primary group in AD. > > > > 2. Overriding a group > > > > if the user has that group as a primary group (in AD), it will override the > > name, but not the GID. > > else, the override works. > > > > There were a number of other unusual results that are hard to explain how to > > reproduce because it was all so seemingly random. > > > > > > I feel like it would be an obvious need - to translate or override AD primary > > groups to FreeIPA groups, but this doesn't seem possible. > > > > Have we set IPA up incorrectly, or are we hitting on something else? > > > > I found this AD support problem for Win2003, but I feel like it's old and would > > surely have been solved? https://support.microsoft.com/en-us/kb/275523 > > > > Also, their solution ("hack AD, then hack your other LDAP software") is, for > > some reason, funny to me. > > > > Cheers > > L. 
> > Hello Lachlan, > > It seems you are looking for this extension: > https://fedorahosted.org/sssd/ticket/1872 > > It is not done yet, there is plenty of information in the ticket comments. > Please let us know if this does not help. I think for IPA-AD trust, this ticket is not related that much, the ticket is more about direct SSSD->AD integration. I keep Lachlan's mail unread to circle back when I have a bit more time to test, but in general, it is required for the group override object to also exist so that SSSD can resolve the overridden gid with getgrgid(). However, it seems that the OP already did that, which is why I would like to test their use case a bit more locally. From abokovoy at redhat.com Mon May 16 13:46:15 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 16 May 2016 16:46:15 +0300 Subject: [Freeipa-users] AD Primary Groups are ignored in FreeIPA? In-Reply-To: References: Message-ID: <20160516134615.vjop2sf5equkbfxq@redhat.com> On Mon, 16 May 2016, Lachlan Musicman wrote: >Hola, > >We have an interesting scenario that is hard to find any information on. > >Due to permission restrictions, a NAS that is mounted and visible by both >AD and 'nix clients, every user belongs to a particular primary group. What scope do these primary groups have in AD? >When we try doing idoverrides on the groups, it fails with the Primary >Group. In some cases, the primary group doesn't even appear in a getent or >id request. Sometimes it appears with an incorrect name or GID. > >We have found it hard to get repeatable "failures", but here are two: > >1. getent group (where groupname is any group, but is a primary >group for a subset of members) > > - does not return any member that has groupname as a primary group in AD. > >2. Overriding a group > >if the user has that group as a primary group (in AD), it will override the >name, but not the GID. >else, the override works.
> >There were a number of other unusual results that are hard to explain how >to reproduce because it was all so seemingly random. Primary groups in AD are a bit complex. SSSD needs to improve on their handling as, for example, Samba only recognizes primary groups from AD, not any others, and there should be some coherence to make things actually work correctly. >I feel like it would be an obvious need - to translate or override AD >primary groups to FreeIPA groups, but this doesn't seem possible. There is only one primary group for a user. For Kerberos operations we currently don't take ID overrides into account when constructing MS-PAC, so if an AD user comes with GSSAPI to a FreeIPA client, its primary group SID will stay pinned to AD's group, ignoring ID overrides. I'm not sure it would be possible to amend primary group SIDs with ID overrides in general because a numeric value in the override for a gid does not mean there is an actual group with a proper SID and name in FreeIPA for that gid. There is another issue, though. If a user's primary group has a domain local scope, FreeIPA will not be able to use that group through the forest boundary; at least, it should be ignored according to the AD specs. -- / Alexander Bokovoy From pspacek at redhat.com Mon May 16 14:21:17 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 16 May 2016 16:21:17 +0200 Subject: [Freeipa-users] FreeIPA DNS Module (named.conf) In-Reply-To: <0964c240-a99d-7c59-7e91-c493432f5ef7@redhat.com> References: <8365375.B2xTiAS9Q2@techz> <0964c240-a99d-7c59-7e91-c493432f5ef7@redhat.com> Message-ID: <5ba5adb0-42aa-1dca-7212-ee3d1139b2e1@redhat.com> On 16.5.2016 15:33, Martin Kosek wrote: > On 05/16/2016 02:03 PM, Günther J. Niederwimmer wrote: >> Hello, >> >> I have a question about the named.conf, is it possible to change the >> named.conf, to make ACL or views, or is named.conf overwritten by the FreeIPA >> module ?
>> > > Hello, > > FreeIPA indeed replaces default named.conf during installation and then later > extends it when updates are needed. So it may not be too safe adding your own > changes there and turning it into shared DNS with FreeIPA (though it should > work if done after installation, Petr Spacek will know better). > > As for DNS Views, see > https://fedorahosted.org/freeipa/ticket/2802 > for information. I will add few details: You can define views manually in named.conf. Then the DNS zones defined in IPA will show up in the view which contains "dynamic-db" definition created by IPA. In other words, you can use IPA to manage single view and do everything else manually in named.conf. named.conf can be overwritten by IPA from time to time, so make backups often :-) We would like to get rid of this behavior but https://fedorahosted.org/freeipa/ticket/5858 suggests that it is not a priority for the next release. Of course, helping hands are more than welcome! :-) -- Petr^2 Spacek From akaczka86 at gmail.com Mon May 16 15:45:27 2016 From: akaczka86 at gmail.com (Adam Kaczka) Date: Mon, 16 May 2016 11:45:27 -0400 Subject: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN In-Reply-To: <5d528401-3a58-dc81-8113-e015369766a5@redhat.com> References: <5d528401-3a58-dc81-8113-e015369766a5@redhat.com> Message-ID: Certmonger cannot communicate with CA; the result of getlist cert shows: RPC failed at server. 
Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) After setting time back, from /var/log/pki-ca/debug I get: [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException Certificate object not found at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205) at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) at com.netscape.certsrv.apps.CMS.init(CMS.java:153) at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at 
org.apache.catalina.core.StandardHost.start(StandardHost.java:722) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) at org.apache.catalina.core.StandardService.start(StandardService.java:516) at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) at org.apache.catalina.startup.Catalina.start(Catalina.java:593) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) [30/Dec/2015:08:10:25][main]: CMSEngine.shutdown() [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}. [30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}. On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik wrote: > On 05/14/2016 12:01 AM, Adam Kaczka wrote: > > Hi all, > > > > I have inherited a IPA system that has an expired cert and the old > admins have > > left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) > but > > running into errors when I try to renew the CA certs even after time is > reset. 
> > Also tried the troubleshooting under > > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors); > > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > > /tmp/ra.crt" > > to add the cert in the database. > > > > From the output of getcert list, I see both CA_UNREACHABLE and > > NEED_CSR_GEN_PIN. I followed redhat article here > > (https://access.redhat.com/solutions/1142913) which verified key file > password > > is correct and I have reset time. However the NEED_CSR_GEN_PIN status > remains. > > My company actually has redhat support but when they built this IPA > whoever > > built it was using Centos 6 so I am out of luck here. > > > > Would really appreciate any help since I am stuck at this point? What > else I > > can do at this point? e.g. Is generate a new CA cert necessary, etc.? > > Hi, > > you don't need to renew CA cert, it seems to be valid. But your server > cert is expired. It expired on 2016-03-29. > > 1. Move date back before this date, e.g., 2016-03-27. > 2. Verify that IPA is running `ipactl status`. Maybe restart will be > needed. > 3. run `getcert list` to see if certmonger can communicate with CA > 4. if certmonger doesn't renew the certs automatically, run `getcert > resubmit -i $certid` for the expired cert. 
> > > > > Version: > > ipa-pki-ca-theme.noarch 9.0.3-7.el6 > @base > > ipa-pki-common-theme.noarch 9.0.3-7.el6 > @base > > ipa-pmincho-fonts.noarch 003.02-3.1.el6 > @base > > ipa-python.x86_64 3.0.0-47.el6.centos.2 > @updates > > ipa-server.x86_64 3.0.0-47.el6.centos.2 > @updates > > ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 > @updates > > > > Part of error logs from /var/log/pki-ca/debug after I reset the clock; I see > these > > errors which I think are relevant?: > > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug > > org.mozilla.jss.crypto.ObjectNotFoundException > > Certificate object not found > > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException > > Certificate object not found > > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown() > > > > Result seems to show key file password is correct: > > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f > > /etc/dirsrv/slapd-REALM-NET/pwdfile.txt > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private > Key and > > Certificate Services" > > < 0> rsa ############################ NSS Certificate > DB:Server-Cert > > > > > > certutil -L -d /var/lib/pki-ca/alias > > > > Certificate Nickname Trust > Attributes > > > SSL,S/MIME,JAR/XPI > > > > ocspSigningCert cert-pki-ca u,u,u > > subsystemCert cert-pki-ca u,u,u > > Server-Cert cert-pki-ca u,u,u > > auditSigningCert cert-pki-ca u,u,Pu > > caSigningCert cert-pki-ca CTu,Cu,Cu > > > > > > certutil -L -d /etc/httpd/alias > > > > Certificate Nickname Trust > Attributes > > > SSL,S/MIME,JAR/XPI > > > > Server-Cert u,u,u > > ipaCert u,u,u > > REALM.COM IPA CA > CT,C, > > > > > > certutil -L -d /etc/dirsrv/slapd-REALM-COM > > > > Certificate Nickname Trust > Attributes > > > SSL,S/MIME,JAR/XPI > > > > Server-Cert > u,u,u > > REALM.COM IPA CA > CT,C,C > > > > > > Output of getcert list: > > > > Number of certificates and requests being tracked: 7.
> > Request ID '21135214223243': > > status: CA_UNREACHABLE > > ca-error: Server at https://host.example.net/ipa/xml failed > request, > > will retry: 4301 (RPC failed at server. Certificate oper > > ation cannot be completed: Unable to communicate with CMS (Not Found)). > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS > > Certificate DB',pinfil > > e='/etc/dirsrv/slapd-example-NET//pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=host.example.net >,O=example.NET > > expires: 2016-03-29 14:09:46 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '21135214223300': > > status: CA_UNREACHABLE > > ca-error: Server at https://host.example.net/ipa/xml failed > request, > > will retry: 4301 (RPC failed at server. Certificate oper > > ation cannot be completed: Unable to communicate with CMS (Not Found)). 
> > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > DB',pinfile=' > > /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=host.example.net >,O=example.NET > > expires: 2016-03-29 14:09:45 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130519130741': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > " > http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert- > > pki-ca&serial_num=61&renewal=true&xml=true". > > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate > > DB',pin set > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=CA Audit,O=example.NET > > expires: 2017-10-13 14:10:49 UTC > > key usage: digitalSignature,nonRepudiation > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130742': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > " > http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu > > m=60&renewal=true&xml=true". 
> > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate D > > B',pin set > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=OCSP Subsystem,O=example.NET > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130743': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > " > http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu > > m=62&renewal=true&xml=true". > > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > ,pin set > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=CA Subsystem,O=example.NET > > expires: 2017-10-13 14:09:49 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130744': > > status: MONITORING > > ca-error: Internal error: no response to > > " > http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu > > m=64&renewal=true&xml=true". 
> > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate > > DB',pinfile='/etc/httpd/al > > ias/pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=RA Subsystem,O=example.NET > > expires: 2017-10-13 14:09:49 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > Request ID '20130519130745': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > " > http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu > > m=63&renewal=true&xml=true". > > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB',p > > in set > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=host.example.net >,O=example.NET > > expires: 2017-10-13 14:09:49 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > > > > > Regards, Adam > > > > > > > > > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From prashant at apigee.com Mon May 16 15:51:23 2016 From: prashant at apigee.com (Prashant Bapat) Date: Mon, 16 May 2016 21:21:23 +0530 Subject: [Freeipa-users] Enforce use of OTP token for all users. 
In-Reply-To: <3fd0ac51-ace7-caca-4819-d7ae58edb604@redhat.com> References: <3fd0ac51-ace7-caca-4819-d7ae58edb604@redhat.com> Message-ID: Thanks for the reply. Yes it will. But my question is a bit different. I want to be able to ensure that each and every user is forced to set up at least 1 OTP. I have set "Default user authentication types" to "password + OTP". With this, users who have OTP have to use OTP. But if a user does not have OTP they can log in with just a password. Can they be forced to set up an OTP ? On 16 May 2016 at 16:03, Petr Vobornik wrote: > On 05/16/2016 12:20 PM, Prashant Bapat wrote: > > Any suggestions on how to achieve this ? > > > > `ipa config-mod --user-auth-type=otp` will force otp auth for users with > an OTP token. > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From peljasz at yahoo.co.uk Mon May 16 16:00:24 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Mon, 16 May 2016 17:00:24 +0100 Subject: [Freeipa-users] IPA as subdomain, part of AD ? Message-ID: <1463414424.9501.6.camel@yahoo.co.uk> hi users/devel I'm trying to grasp the concepts - can IPA be plugged into an AD domain, be part of it as a subdomain? I'm guessing it'd be quite a common scenario; I see the wiki describes the opposite arrangement, but how to have IPA as ipa.activedir.local whereas activedir.local is the top domain of an enterprise? Would this still be - setting a cross-domain trust? many thanks L. -------------- next part -------------- An HTML attachment was scrubbed... URL: From xlegs231 at gmail.com Mon May 16 16:03:42 2016 From: xlegs231 at gmail.com (Stefan Zecevic) Date: Mon, 16 May 2016 09:03:42 -0700 Subject: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login Message-ID: Hello all, I have been testing to see if freeIPA is a workable solution in our mixed CentOS and Macintosh environment. I've been doing all this testing on virtual machines.
So far, on my own, everything I need seems to be working with the exception of resetting expired passwords on the Macintosh (v10.11.4) GUI. The symptoms are exactly as described in this thread: https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html When looking around this mailing list, I saw a thread that details an alternative approach to setting up Macintosh clients. It was written by Răzvan Corneliu C.R. VILT and can be found here: https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html I have some questions for the author himself or anyone who has replicated his work: - Which OS X versions has this been tested on? - Does changing an expired password work on an OS X GUI login? - Does the LDIF file included in that thread only work for MIT Kerberos or does it also work for Heimdal? Thank you, Stefan Zecevic -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Mon May 16 17:56:01 2016 From: simo at redhat.com (Simo Sorce) Date: Mon, 16 May 2016 13:56:01 -0400 Subject: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login In-Reply-To: References: Message-ID: <1463421361.18643.42.camel@redhat.com> On Mon, 2016-05-16 at 09:03 -0700, Stefan Zecevic wrote: > Hello all, > > I have been testing to see if freeIPA is a workable solution in our mixed > CentOS and Macintosh environment. I've been doing all this testing on > virtual machines. So far, on my own, everything I need seems to be working > with the exception of resetting expired passwords on the Macintosh > (v10.11.4) GUI. The symptoms are exactly as described in this thread: > https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html > > When looking around this mailing list, I saw a thread that details an > alternative approach to setting up Macintosh clients. It was written by > Răzvan Corneliu C.R.
VILT and can be found here: > https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html Hi Stefan, this link is the same as the above, perhaps a copy/paste error ? Simo. > > I have some questions for the author himself or anyone who has replicated > his work: > > - Which OS X versions has this been tested on? > - Does changing an expired password work on an OS X GUI login? > - Does the LDIF file included in that thread only work for MIT Kerberos > or does it also work for Heimdal? > > > Thank you, > Stefan Zecevic > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Mon May 16 17:59:34 2016 From: simo at redhat.com (Simo Sorce) Date: Mon, 16 May 2016 13:59:34 -0400 Subject: [Freeipa-users] IPA as subdomain, part of AD ? In-Reply-To: <1463414424.9501.6.camel@yahoo.co.uk> References: <1463414424.9501.6.camel@yahoo.co.uk> Message-ID: <1463421574.18643.44.camel@redhat.com> On Mon, 2016-05-16 at 17:00 +0100, lejeczek wrote: > hi users/devel > > I'm trying to grasp the concepts - can IPA be plugged into an AD domain, > be part of it as a subdomain? No, the only trust type we handle is a Forest level trust, so FreeIPA needs to be its own forest in AD terms. > I'm guessing it'd be quite a common scenario; I see the wiki describes > the opposite arrangement, but how to have IPA as > ipa.activedir.local whereas activedir.local is the top domain of an > enterprise? > Would this still be - setting a cross-domain trust? It would still create a trust between 2 different forests, it just so happens that one of them will be in a DNS subdomain. For this to work, no other Windows machine may have used the ipa.activedir.local domain before. Simo.
--
Simo Sorce * Red Hat, Inc * New York

From schogan at us.ibm.com Mon May 16 18:08:00 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Mon, 16 May 2016 11:08:00 -0700
Subject: [Freeipa-users] IPA and RSA
Message-ID: <201605161808.u4GI8D04025354@d03av05.boulder.ibm.com>

Hello all,

New req coming down the pipe which is RSA 2 factor auth and IPA integration. Does anyone have a good source to start reading up on this? I have been reading the freeipa docs and setting up the otp and what not.. but wondering if anyone has specific RSA integration docs/info?

Sean Hogan

From xlegs231 at gmail.com Mon May 16 18:35:11 2016
From: xlegs231 at gmail.com (Stefan Zecevic)
Date: Mon, 16 May 2016 11:35:11 -0700
Subject: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login
In-Reply-To: <1463421361.18643.42.camel@redhat.com>
References: <1463421361.18643.42.camel@redhat.com>
Message-ID:

Sorry, the second link should be
https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html

Stefan Zecevic
The little commuter in the big red scooter

On Mon, May 16, 2016 at 10:56 AM, Simo Sorce wrote:
> On Mon, 2016-05-16 at 09:03 -0700, Stefan Zecevic wrote:
> > Hello all,
> >
> > I have been testing to see if freeIPA is a workable solution in our mixed
> > CentOS and Macintosh environment. I've been doing all this testing on
> > virtual machines. So far, on my own, everything I need seems to be working
> > with the exception of resetting expired passwords on the Macintosh
> > (v10.11.4) GUI. The symptoms are exactly as described in this thread:
> > https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html
> >
> > When looking around this mailing list, I saw a thread that details an
> > alternative approach to setting up Macintosh clients. It was written by
> > Răzvan Corneliu C.R. VILT and can be found here:
> > https://www.redhat.com/archives/freeipa-users/2013-August/msg00043.html
>
> Hi Stefan,
> this link is the same as the above, perhaps a copy/paste error ?
>
> Simo.
>
> >
> > I have some questions for the author himself or anyone who has replicated
> > his work:
> >
> > - Which OS X versions has this been tested on?
> > - Does changing an expired password work on an OS X GUI login?
> > - Does the LDIF file included in that thread only work for MIT Kerberos
> > or does it also work for Heimdal?
> >
> >
> > Thank you,
> > Stefan Zecevic
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
>
> --
> Simo Sorce * Red Hat, Inc * New York

From GiuseppeSarno at fico.com Mon May 16 21:19:21 2016
From: GiuseppeSarno at fico.com (Giuseppe Sarno)
Date: Mon, 16 May 2016 21:19:21 +0000
Subject: [Freeipa-users] Can't set nsslapd-sizelimit
Message-ID: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>

Hello,
I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management.
I have initially created our own ldap structure and I tried to run the code against freeIPA/389DS.
While running this example I noticed that 389DS takes quite some time to load profile data from the different ldap nodes (~2000 entries). In a previous prototype using OpenDJ we had to increase the parameter ds-cfg-size-limit: to ~1000 with good results.
I am wondering now whether we can do the same for the freeIPA/389DS server. I found the following pages but I could not work out what the exact command should be to modify those parameters.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html

I attempted the following but received an ObjectClass violation:

[centos at ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
modifying entry "dc=ldap,dc=adeptra,dc=com"
ldap_modify: Object class violation (65)
    additional info: attribute "nsslapd-sizelimit" not allowed

slimit:
dn: dc=ldap,dc=example,dc=com
changetype: modify
add: nsslapd-sizelimit
nsslapd-sizelimit: 1000

I also attempted using a user dn but with the same result.
Can anybody help ?

Thanks,
Giuseppe.

From akaczka86 at gmail.com Mon May 16 21:56:20 2016
From: akaczka86 at gmail.com (Adam Kaczka)
Date: Mon, 16 May 2016 17:56:20 -0400
Subject: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN
In-Reply-To:
References: <5d528401-3a58-dc81-8113-e015369766a5@redhat.com>
Message-ID:

I found from [root at host pki-ca]# tail -n 100 /var/log/pki-ca/system that CA chain is missing; so I am thinking I may have to use ipa-server-certinstall to reinstall the two certs.

5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found.
    Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found.
    Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found.
    Error org.mozilla.jss.crypto.ObjectNotFoundException
2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found.
    Error org.mozilla.jss.crypto.ObjectNotFoundException
2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.

On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka wrote:
> Certmonger cannot communicate with CA; the result of getlist cert shows:
>
> RPC failed at server.
Certificate operation cannot be completed: Unable > to communicate with CMS (Not Found) > > After setting time back, from /var/log/pki-ca/debug I get: > > [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException > Certificate object not found > at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) > at > com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205) > at > com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) > at > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) > at > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) > at com.netscape.certsrv.apps.CMS.init(CMS.java:153) > at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) > at > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4738) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > at > org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) > at > 
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > at > org.apache.catalina.core.StandardHost.start(StandardHost.java:722) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) > at > org.apache.catalina.core.StandardService.start(StandardService.java:516) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:710) > at org.apache.catalina.startup.Catalina.start(Catalina.java:593) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > [30/Dec/2015:08:10:25][main]: CMSEngine.shutdown() > [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization > for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz > mgr: {2}. > [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization > for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz > mgr: {2}. > [30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization > for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default > authz mgr: {2}. > [30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization > for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default > authz mgr: {2}. 
> > > On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik > wrote: > >> On 05/14/2016 12:01 AM, Adam Kaczka wrote: >> > Hi all, >> > >> > I have inherited a IPA system that has an expired cert and the old >> admins have >> > left; I followed ( >> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but >> > running into errors when I try to renew the CA certs even after time is >> reset. >> > Also tried the troubleshooting under >> > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors); >> > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > >> /tmp/ra.crt" >> > to add the cert in the database. >> > >> > From the output of getcert list, I see both CA_UNREACHABLE and >> > NEED_CSR_GEN_PIN. I followed redhat article here >> > (https://access.redhat.com/solutions/1142913) which verified key file >> password >> > is correct and I have reset time. However the NEED_CSR_GEN_PIN status >> remains. >> > My company actually has redhat support but when they built this IPA >> whoever >> > built it was using Centos 6 so I am out of luck here. >> > >> > Would really appreciate any help since I am stuck at this point? What >> else I >> > can do at this point? e.g. Is generate a new CA cert necessary, etc.? >> >> Hi, >> >> you don't need to renew CA cert, it seems to be valid. But your server >> cert is expired. It expired on 2016-03-29. >> >> 1. Move date back before this date, e.g., 2016-03-27. >> 2. Verify that IPA is running `ipactl status`. Maybe restart will be >> needed. >> 3. run `getcert list` to see if certmonger can communicate with CA >> 4. if certmonger doesn't renew the certs automatically, run `getcert >> resubmit -i $certid` for the expired cert. 
>> >> > >> > Version: >> > ipa-pki-ca-theme.noarch 9.0.3-7.el6 >> @base >> > ipa-pki-common-theme.noarch 9.0.3-7.el6 >> @base >> > ipa-pmincho-fonts.noarch 003.02-3.1.el6 >> @base >> > ipa-python.x86_64 3.0.0-47.el6.centos.2 >> @updates >> > ipa-server.x86_64 3.0.0-47.el6.centos.2 >> @updates >> > ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 >> @updates >> > >> > Part of error logs from /var/log/pki-ca/debug after I reset clock; I >> see these >> > errors which I think is relevlant?: >> > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug >> > org.mozilla.jss.crypto.ObjectNotFoundException >> > Certificate object not found >> > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException >> > Certificate object not found >> > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown() >> > >> > Result seems to show key file password is correct: >> > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f >> > /etc/dirsrv/slapd-REALM-NET/pwdfile.txt >> > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private >> Key and >> > Certificate Services" >> > < 0> rsa ############################ NSS Certificate >> DB:Server-Cert >> > >> > >> > certutil -L -d /var/lib/pki-ca/alias >> > >> > Certificate Nickname Trust >> Attributes >> > >> SSL,S/MIME,JAR/XPI >> > >> > ocspSigningCert cert-pki-ca u,u,u >> > subsystemCert cert-pki-ca u,u,u >> > Server-Cert cert-pki-ca u,u,u >> > auditSigningCert cert-pki-ca u,u,Pu >> > caSigningCert cert-pki-ca CTu,Cu,Cu >> > >> > >> > certutil -L -d /etc/httpd/alias >> > >> > Certificate Nickname Trust >> Attributes >> > >> SSL,S/MIME,JAR/XPI >> > >> > Server-Cert u,u,u >> > ipaCert >> u,u,u >> > REALM.COM IPA CA >> CT,C, >> > >> > >> > certutil -L -d /etc/dirsrv/slapd-REALM-COM >> > >> > Certificate Nickname Trust >> Attributes >> > >> SSL,S/MIME,JAR/XPI >> > >> > Server-Cert >> u,u,u >> > REALM.COM IPA CA >> CT,C,C >> > >> > >> > Output of getcert list: >> > >> > Number of certificates and requests being tracked: 7. 
>> > Request ID '21135214223243': >> > status: CA_UNREACHABLE >> > ca-error: Server at https://host.example.net/ipa/xml failed >> request, >> > will retry: 4301 (RPC failed at server. Certificate oper >> > ation cannot be completed: Unable to communicate with CMS (Not Found)). >> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS >> > Certificate DB',pinfil >> > e='/etc/dirsrv/slapd-example-NET//pwdfile.txt' >> > certificate: >> > >> type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS >> > Certificate DB' >> > CA: IPA >> > issuer: CN=Certificate Authority,O=example.NET >> > subject: CN=host.example.net > >,O=example.NET >> > expires: 2016-03-29 14:09:46 UTC >> > key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '21135214223300': >> > status: CA_UNREACHABLE >> > ca-error: Server at https://host.example.net/ipa/xml failed >> request, >> > will retry: 4301 (RPC failed at server. Certificate oper >> > ation cannot be completed: Unable to communicate with CMS (Not Found)). 
>> > stuck: no >> > key pair storage: >> > >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate >> > DB',pinfile=' >> > /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >> > certificate: >> > >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate >> > DB' >> > CA: IPA >> > issuer: CN=Certificate Authority,O=example.NET >> > subject: CN=host.example.net > >,O=example.NET >> > expires: 2016-03-29 14:09:45 UTC >> > key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130741': >> > status: NEED_CSR_GEN_PIN >> > ca-error: Internal error: no response to >> > " >> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert- >> > pki-ca&serial_num=61&renewal=true&xml=true". >> > stuck: yes >> > key pair storage: >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate >> > DB',pin set >> > certificate: >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=example.NET >> > subject: CN=CA Audit,O=example.NET >> > expires: 2017-10-13 14:10:49 UTC >> > key usage: digitalSignature,nonRepudiation >> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> > "auditSigningCert cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130742': >> > status: NEED_CSR_GEN_PIN >> > ca-error: Internal error: no response to >> > " >> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu >> > m=60&renewal=true&xml=true". 
>> > stuck: yes >> > key pair storage: >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate D >> > B',pin set >> > certificate: >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=example.NET >> > subject: CN=OCSP Subsystem,O=example.NET >> > expires: 2017-10-13 14:09:49 UTC >> > eku: id-kp-OCSPSigning >> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> > "ocspSigningCert cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130743': >> > status: NEED_CSR_GEN_PIN >> > ca-error: Internal error: no response to >> > " >> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu >> > m=62&renewal=true&xml=true". >> > stuck: yes >> > key pair storage: >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB' >> > ,pin set >> > certificate: >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=example.NET >> > subject: CN=CA Subsystem,O=example.NET >> > expires: 2017-10-13 14:09:49 UTC >> > key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >> > "subsystemCert cert-pki-ca" >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130744': >> > status: MONITORING >> > ca-error: Internal error: no response to >> > " >> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu >> > m=64&renewal=true&xml=true". 
>> > stuck: no >> > key pair storage: >> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate >> > DB',pinfile='/etc/httpd/al >> > ias/pwdfile.txt' >> > certificate: >> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=example.NET >> > subject: CN=RA Subsystem,O=example.NET >> > expires: 2017-10-13 14:09:49 UTC >> > key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >> > track: yes >> > auto-renew: yes >> > Request ID '20130519130745': >> > status: NEED_CSR_GEN_PIN >> > ca-error: Internal error: no response to >> > " >> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu >> > m=63&renewal=true&xml=true". >> > stuck: yes >> > key pair storage: >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > cert-pki-ca',token='NSS Certificate DB',p >> > in set >> > certificate: >> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >> > cert-pki-ca',token='NSS Certificate DB' >> > CA: dogtag-ipa-renew-agent >> > issuer: CN=Certificate Authority,O=example.NET >> > subject: CN=host.example.net > >,O=example.NET >> > expires: 2017-10-13 14:09:49 UTC >> > key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth >> > pre-save command: >> > post-save command: >> > track: yes >> > auto-renew: yes >> > >> > >> > Regards, Adam >> > >> > >> > >> >> >> -- >> Petr Vobornik >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jduino at oblong.com Mon May 16 23:01:33 2016 From: jduino at oblong.com (John Duino) Date: Mon, 16 May 2016 16:01:33 -0700 Subject: [Freeipa-users] How to determine cause/source of user lockout? 
Message-ID:

Is there a (relatively easy) way to determine what is causing a user account to be locked out? The admin account on our 'primary' ipa host is locked out frequently, but somewhat randomly; sometimes it will be less than 5 minutes it is available, and other times several hours.

ipa user-status admin will show something like:

  Failed logins: 6
  Last successful authentication: 20160516214142Z
  Last failed authentication: 20160516224718Z
  Time now: 2016-05-16T22:52:00Z

ipa user-unlock admin does unlock it. But parsing through the various logs on the affected host doesn't give me what I need to know, primarily, which host(s) are trying to access admin and causing it to lock.

FreeIPA 4.2.0 on CentOS 7.2.1511

From schogan at us.ibm.com Mon May 16 23:06:18 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Mon, 16 May 2016 16:06:18 -0700
Subject: [Freeipa-users] IPA and RSA
In-Reply-To: <201605161808.u4GI8D04025354@d03av05.boulder.ibm.com>
References: <201605161808.u4GI8D04025354@d03av05.boulder.ibm.com>
Message-ID: <201605162306.u4GN6R8i017535@d01av04.pok.ibm.com>

Forgot to mention this is for ipa-server-3.0.0-47.el6_7.1.x86_64

Thanks
Sean Hogan

From: Sean Hogan/Durham/IBM at IBMUS
To: freeipa-users
Date: 05/16/2016 04:01 PM
Subject: [Freeipa-users] IPA and RSA
Sent by: freeipa-users-bounces at redhat.com

Hello all,

New req coming down the pipe which is RSA 2 factor auth and IPA integration. Does anyone have a good source to start reading up on this? I have been reading the freeipa docs and setting up the otp and what not.. but wondering if anyone has specific RSA integration docs/info?

Sean Hogan
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
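John Duino's lockout question above asks which hosts are failing authentication as admin. As an added example (not from the thread), the script below correlates the two logs on an IPA server where those failures are recorded: the 389-ds access log, where the client address appears only on the "connection from" line and has to be joined to later BIND/RESULT lines through the conn= id, and /var/log/krb5kdc.log, where AS requests carry the address inline. It assumes the default formats of both logs; every log line, address and host name in it is a constructed sample.

```python
"""Attribute FreeIPA lockouts of one account to the client addresses behind them.

Added example (not from the thread). Two logs on an IPA server record the failed
authentications that raise the lockout counter:
  /var/log/dirsrv/slapd-<INSTANCE>/access  LDAP simple binds: the client address
      appears only on the "connection from" line; the BIND and RESULT lines of
      the same connection share its conn= id and must be joined to it.
  /var/log/krb5kdc.log                     Kerberos AS requests: address inline.
"""
import re
from collections import Counter

# Constructed sample in the default 389-ds access-log format (not real traffic).
DIRSRV_ACCESS = """\
[16/May/2016:22:47:15 +0000] conn=812 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[16/May/2016:22:47:15 +0000] conn=812 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:15 +0000] conn=812 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:47:16 +0000] conn=813 fd=65 slot=65 SSL connection from 192.0.2.77 to 192.0.2.5
[16/May/2016:22:47:16 +0000] conn=813 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:16 +0000] conn=813 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[16/May/2016:22:47:18 +0000] conn=812 op=1 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:18 +0000] conn=812 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:47:20 +0000] conn=814 fd=66 slot=66 connection from 192.0.2.31 to 192.0.2.5
[16/May/2016:22:47:20 +0000] conn=814 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:47:20 +0000] conn=814 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Constructed sample in the MIT krb5kdc log format written by FreeIPA's KDC.
KRB5KDC_LOG = """\
May 16 22:47:30 ipa.example.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
May 16 22:47:31 ipa.example.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 16 22:47:32 ipa.example.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.77: ISSUE: authtime 1463438852, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 16 22:47:40 ipa.example.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.55: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
May 16 22:47:41 ipa.example.com krb5kdc[2101](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.55: PREAUTH_FAILED: jdoe@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")
LDAP_INVALID_CREDENTIALS = "49"   # the bind reached the account and was refused
KDC_RE = re.compile(r"AS_REQ .*? (\S+): PREAUTH_FAILED: (\S+) for ")


def ldap_bind_failures(access_log, account):
    """Count failed simple binds as `account` per client address.

    The access log never repeats the client address, so remember it per conn=
    id from the connection line and attribute each err=49 RESULT to the BIND
    with the same (conn, op) pair.
    """
    conn_addr = {}          # conn id -> client address
    pending = {}            # (conn, op) -> bind DN waiting for its RESULT
    failures = Counter()
    wanted = f"uid={account.lower()},"
    for line in access_log.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_addr[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn and dn.lower().startswith(wanted) and m.group(3) == LDAP_INVALID_CREDENTIALS:
                # A connection whose open line rotated out of this file is "unknown".
                failures[conn_addr.get(m.group(1), "unknown")] += 1
    return failures


def kerberos_preauth_failures(kdc_log, account, realm=None):
    """Count PREAUTH_FAILED AS requests for `account` per client address.

    NEEDED_PREAUTH is the normal first round trip of a Kerberos login, not a
    failure, so only PREAUTH_FAILED lines are counted.
    """
    failures = Counter()
    for line in kdc_log.splitlines():
        m = KDC_RE.search(line)
        if not m:
            continue
        addr, principal = m.groups()
        name, _, princ_realm = principal.partition("@")
        if name == account and (realm is None or princ_realm == realm):
            failures[addr] += 1
    return failures


def lockout_sources(access_log, kdc_log, account):
    """Merge both views; the most common address is the likely lockout source."""
    total = Counter()
    total.update(ldap_bind_failures(access_log, account))
    total.update(kerberos_preauth_failures(kdc_log, account))
    return total


if __name__ == "__main__":
    for addr, n in lockout_sources(DIRSRV_ACCESS, KRB5KDC_LOG, "admin").most_common():
        print(f"{addr:15} {n} failed authentication(s) as admin")
```

On a real server, feed the current access log and krb5kdc.log (and their rotated predecessors, so that the "connection from" lines are not missing) in place of the constructed samples.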
From Lachlan.Simpson at petermac.org Tue May 17 01:39:22 2016
From: Lachlan.Simpson at petermac.org (Simpson Lachlan)
Date: Tue, 17 May 2016 01:39:22 +0000
Subject: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
In-Reply-To: <016ec124-749b-2528-18ab-03b971aebe7d@redhat.com>
References: <016ec124-749b-2528-18ab-03b971aebe7d@redhat.com>
Message-ID: <0137003026EBE54FBEC540C5600C03C435E623@PMC-EXMBX02.petermac.org.au>

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
> Sent: Monday, 16 May 2016 11:28 PM
> To: Lachlan Musicman; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
>
> On 05/16/2016 05:28 AM, Lachlan Musicman wrote:
> > Hola,
> >
> > We have an interesting scenario that is hard to find any information on.
> >
> > Due to permission restrictions, a NAS that is mounted and visible by
> > both AD and 'nix clients, every user belongs to a particular primary group.
> >
> > When we try doing idoverride's on the groups, it fails with the Primary Group.
> > In some cases, the primary group doesn't even appear in a getent or id request.
> > Sometimes it appears with incorrect name or GID.
> >
> > We have found it hard to get repeatable "failures", but here are two:
> >
> > 1. getent group (where groupname is any group, but is a
> > primary group for a subset of members)
> >
> > - does not return any member that has groupname as a primary group in AD.
> >
> > 2. Overriding a group
> >
> > if the user has that group as a primary group (in AD), it will
> > override the name, but not the GID.
> > else, the override works.
> >
> > There were a number of other unusual results that are hard to explain
> > how to reproduce because it was all so seemingly random.
> >
> >
> > I feel like it would be an obvious need - to translate or override AD
> > primary groups to FreeIPA groups, but this doesn't seem possible.
> >
> > Have we set IPA up incorrectly, or are we hitting on something else?
> >
> > I found this AD support problem for Win2003, but I feel like it's old
> > and would surely have been solved?
> > https://support.microsoft.com/en-us/kb/275523
> >
> > Also, their solution ("hack AD, then hack your other LDAP software")
> > is, for some reason, funny to me.
>
> It seems you are looking for this extension:
> https://fedorahosted.org/sssd/ticket/1872
>
> It is not done yet, there is a plenty of information in the ticket comments.
> Please let us know if this does not help.

Martin,

Thanks for your response.

This doesn't quite fit our issues. This is explicitly about *private* groups in NIX (where adding a new user creates GID==UID and enrols that user).

Our problem is explicitly a *Primary Groups in AD* problem.

Users that exist in AD have a primary group (traditionally "Domain Users") which we are using for other reasons (access control based on groups to files that are mounted on both AD and NIX servers).

In FreeIPA ( ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 on fully up to date Centos 7.2), after joining the AD (domain.org) in a one way trust as a subdomain (unix.domain.org), when we query AD, it explicitly ignores AD based Primary Groups - membership and overrides seem to fail.

Does that make sense?

I can see that it's vaguely related to the private group, but only in so much as it's the group that is assigned to the user (if you look in /etc/passwd on our pre-IPA system, our user data look like:

lsimpson:x:1542:10007::/home/lsimpson:/bin/bash

where 10007 is the id of the primary group in AD). Obviously this data is no longer in /etc/passwd, but it doesn't seem to be able to be affected (via idoverrides).

Cheers
L.
From barrykfl at gmail.com Tue May 17 03:24:45 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Tue, 17 May 2016 11:24:45 +0800
Subject: [Freeipa-users] Renable 7389 port on multimaster
Message-ID:

Hi :

2 servers configured as multi master but one of them cannot telnet 7389, how can I check and re-enable it ?

Server cannot telnet 7389 ....should I reinstall CA service ...is it related ?

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

thks
barry

From Lachlan.Simpson at petermac.org Tue May 17 03:21:19 2016
From: Lachlan.Simpson at petermac.org (Simpson Lachlan)
Date: Tue, 17 May 2016 03:21:19 +0000
Subject: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
In-Reply-To: <20160516134615.vjop2sf5equkbfxq@redhat.com>
References: <20160516134615.vjop2sf5equkbfxq@redhat.com>
Message-ID: <0137003026EBE54FBEC540C5600C03C435E7F9@PMC-EXMBX02.petermac.org.au>

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Alexander Bokovoy
> Sent: Monday, 16 May 2016 11:46 PM
> To: Lachlan Musicman
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
>
> On Mon, 16 May 2016, Lachlan Musicman wrote:
> >Hola,
> >
> >We have an interesting scenario that is hard to find any information on.
> >
> >Due to permission restrictions, a NAS that is mounted and visible by
> >both AD and 'nix clients, every user belongs to a particular primary group.
> What scope these primary groups have in AD?

They are a mix of Global and Universal.

> >When we try doing idoverride's on the groups, it fails with the Primary
> >Group. In some cases, the primary group doesn't even appear in a getent
> >or id request. Sometimes it appears with incorrect name or GID.
> >
> >We have found it hard to get repeatable "failures", but here are two:
> >
> >1. getent group (where groupname is any group, but is a
> >primary group for a subset of members)
> >
> > - does not return any member that has groupname as a primary group in AD.
> >
> >2. Overriding a group
> >
> >if the user has that group as a primary group (in AD), it will override
> >the name, but not the GID.
> >else, the override works.
> >
> >There were a number of other unusual results that are hard to explain
> >how to reproduce because it was all so seemingly random.
> Primary groups in AD are a bit complex. SSSD needs to improve on their handling
> as, for example, Samba only recognizes primary groups from AD, not any others,
> and there should be some coherence to make things actually work correctly.

Yep - for us it's a samba issue at the bottom (the last yak to shave is the samba straddling both windows and linux domains, which is a solved problem/fixed constraint).

>
> >I feel like it would be an obvious need - to translate or override AD
> >primary groups to FreeIPA groups, but this doesn't seem possible.
> There is only one primary group for a user. For Kerberos operations we currently
> don't take ID overrides into account when constructing MS-PAC, so if AD users
> comes with GSSAPI to a FreeIPA client, its primary group SID will stay pinned to
> AD's group, ignoring ID overrides.

What is MS-PAC?

> I'm not sure it would be possible to amend primary group SIDs with ID overrides in
> general because a numeric value in the override for a gid does not mean there is
> an actual group with a proper SID and name in FreeIPA for that gid.

Not interested in changing the SID. I want to change the GID.

When the AD groups are read in FreeIPA they are given a GID like 1718800000. I want that GID to be the same as it is in AD - eg 10004. That way, when a user writes to the shared drive on the linux side, the file is given the group ownership 10004. Which, when read on the Windows side, correctly maps to a group of users (instead of an individual).

This is working in the current non-IPA system, but that system is not integrated. We want to integrate, hence FreeIPA.

> There is another issue, though. If a users' primary group has a domain local
> scope, FreeIPA will not be able to use that group through the forest boundary, at
> least, it should be ignored according to the AD specs.

Ah, hence the scope question. No, none are Domain Local to my knowledge.

Cheers
L.
Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt. From datakid at gmail.com Tue May 17 05:08:37 2016 From: datakid at gmail.com (Lachlan Musicman) Date: Tue, 17 May 2016 15:08:37 +1000 Subject: [Freeipa-users] HBAC access denied, all AD groups not detected Message-ID: FWIW, We are seeing the issues that are described here: https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html I was about to write when I found this, it explains exactly what I am seeing - right down to the "impossible to reproduce because it's so (seemingly) random". I am about to read up on the SSSD trouble shooting in order to up the logs &etc, but here is some output I can share - note that this all happened in ~5 minutes. As you can see, clearing the cache has various unpredictable effects. Both users should return the same list of groups. This was performed on a FreeIPA client. 
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10011(facs-compute@unix.petermac.org.au)
10004(bioinf-core@unix.petermac.org.au)
10005(rcf-staff@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd
[root@emts-facs ~]# rm -rf /var/lib/sss/db/*
[root@emts-facs ~]# systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10007(cluster-user@unix.petermac.org.au)
[root@emts-facs ~]# systemctl stop sssd; sss_cache -E; systemctl start sssd
[root@emts-facs ~]# id "ellul jason" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
[root@emts-facs ~]# id "simpsonlachlan" | tr "," "\n" | grep 10
1750673801(external - exchange 2010 users@petermac.org.au)
10007(cluster-user@unix.petermac.org.au)

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

From abokovoy at redhat.com Tue May 17 05:39:35 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 17 May 2016 08:39:35 +0300
Subject: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
In-Reply-To: <0137003026EBE54FBEC540C5600C03C435E7F9@PMC-EXMBX02.petermac.org.au>
References: <20160516134615.vjop2sf5equkbfxq@redhat.com> <0137003026EBE54FBEC540C5600C03C435E7F9@PMC-EXMBX02.petermac.org.au>
Message-ID: <20160517053935.4kzm6se6skubrgsl@redhat.com>

On Tue, 17 May 2016, Simpson Lachlan wrote:
>> >I feel like it would be an obvious need - to translate or override AD
>> >primary groups to FreeIPA groups, but this doesn't seem possible.
>> There is only one primary group for a user.
>> For Kerberos operations we currently
>> don't take ID overrides into account when constructing MS-PAC, so if AD users
>> comes with GSSAPI to a FreeIPA client, its primary group SID will stay pinned to
>> AD's group, ignoring ID overrides.
>
>What is MS-PAC?
https://msdn.microsoft.com/en-us/library/cc237917.aspx

>
>> I'm not sure it would be possible to amend primary group SIDs with ID overrides in
>> general because a numeric value in the override for a gid does not mean there is
>> an actual group with a proper SID and name in FreeIPA for that gid.
>
>
>Not interested in changing the SID. I want to change the GID. When the
>AD groups are read in FreeIPA they are given a GID like 1718800000.
>
>I want that GID to be the same as it is in AD - eg 10004. That way,
>when a user writes to the shared drive on the linux side, the file is
>given the group ownership 10004. Which, when read on the Windows side,
>correctly maps to a group of users (instead of an individual). This is
>working in the current non-IPA system, but that system is not
>integrated. We want to integrate, hence FreeIPA.
So you have POSIX attributes defined in AD already? Why then are you using POSIX attributes defined in IPA? You could have defined an ID range type that forces SSSD to use POSIX attributes from Active Directory.

--
/ Alexander Bokovoy

From peljasz at yahoo.co.uk Tue May 17 08:27:55 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 17 May 2016 09:27:55 +0100
Subject: [Freeipa-users] a user delegated to control a OU and realmd join - how..
In-Reply-To: <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <1462983423.4953.59.camel@yahoo.co.uk> <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <1463473675.9501.12.camel@yahoo.co.uk>

On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > .. if possible, would you know?
> > hi everybody,
> > I'm trying, and hoping it is possible to realm join an AD but is such a
> > way so I tap my IPA into specific OU within that AD.
>
> I'm not exactly sure what you mean here. Do you want to join a computer
> which is already a client in an IPA domain to AD as well? If this is the
> case I would recommend to consider the IPA trust feature. Joining 2
> domains is in general possible with SSSD but has to be done with very
> great care, e.g. by using different keytabs for each domain.

Can IPA domain establish a trust between win AD if IPA admin only has
admin control over an OU in win AD ?
I know very little about AD and only started with IPA - I don't suppose
control of OU delegated to a user makes that user AD admin.
I guess what I'm thinking, asking, is - what would be the correct
possible way to plug in, connect IPA domain to win AD when one has
admin control only over a OU in win AD?

many thanks
L.

>
> > The thing is - I'm thinking it would make user access control ideal
> > from the start as I need only users from that OU, but also because I'm
> > only granted access to the user/group who has control over that OU.
> > I'm trying that but I see:
> >
> > ! The computer account RIDER already exists, but is not in the desired
> > organizational unit.
> > adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> > already exists,
> >
>
> Computer account names in AD must be unique even if they are added to
> different OUs. So if there is already a computer called RIDER joined to
> AD and it is not your computer you have to rename your computer to join.
> If it is your computer and you want to create it in a different OU you
> have to delete the old computer object first and then do a fresh join.
>
> HTH
>
> bye,
> Sumit
>
> >
> > ! Failed to join the domain
> >
> > I'm doing this:
> > $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> >
> > and computer is in OU=private of ccc.bb.aa
> > so is the user private-user
> >
> > many thanks.
> > L.
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Go to http://freeipa.org for more info on the project
>

From razvan.vilt at me.com Tue May 17 07:29:56 2016
From: razvan.vilt at me.com (Răzvan Corneliu C.R. VILT)
Date: Tue, 17 May 2016 10:29:56 +0300
Subject: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login
In-Reply-To: <1463421361.18643.42.camel@redhat.com>
References: <1463421361.18643.42.camel@redhat.com>
Message-ID: <45B954F9-93F1-4602-83E3-E97AFAA7ACDE@me.com>

> I have some questions for the author himself or anyone who has replicated
> his work:
>
> - Which OS X versions has this been tested on?

10.6.7 through 10.10.4 (latest Snow Leopard through latest Yosemite in May 2015). The client had two Snow Leopards, one or two Lions, 10 Mountain Lions and the rest were Mavericks slowly upgraded during the project to Yosemite.

> - Does changing an expired password work on an OS X GUI login?

I don't recall testing it. I recall testing the password change with the Kerberos "Ticket Viewer.app" and from the Users and Groups applet of System Preferences.

> - Does the LDIF file included in that thread only work for MIT Kerberos
> or does it also work for Heimdal?

It should work for both. IIRC FreeIPA uses MIT while OS X uses Heimdal.

Let's start with a bit of background:

The project that I worked on was for an all Apple house (50+ of OS X installations, hundreds of iOS and only 2 Windows stations).
It took place between late November 2014 and February 2015 and I monitored it through May 2015. I'm reasonably sure that we haven't set password expiration.

One of the criteria for the project was to actually migrate the original passwords stored in almost clear-text in OpenDirectory to the FreeIPA server (80 lines of code and the /var/db/authdb file). We've migrated the file sharing to Samba and NetATalk. Samba was a royal pain for LDAP+Kerberos in user mode. We migrated L2TP/IPSec and PPTP using Winbind for authentication (again with LDAP+Kerberos). We migrated mail and calendar to Postfix+Dovecot+SOGo. And we've also migrated a few simple (static) websites. Mostly unrelated to IPA we also migrated DHCP and DNS. DiscoveryD gave us major headaches.

The interesting part that we've accomplished was that we've managed to do the migration almost transparently because FreeIPA was seen as a Kerberized OD Server. As such, the clients were able to use Kerberized logins to each other's services (local file shares and such).

From lkrispen at redhat.com Tue May 17 10:49:12 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 17 May 2016 12:49:12 +0200
Subject: [Freeipa-users] Can't set nsslapd-sizelimit
In-Reply-To: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>
References: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>
Message-ID: <573AF728.6020302@redhat.com>

On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:
>
> Hello,
>
> I am new to freeIPA and I am recently working on a project to
> integrate freeIPA with some legacy application which uses LDAP for
> user management.
>
> I have initially created our own ldap structure and I tried to run the
> code against freeIPA/389DS. While running this example I noticed that
> 389DS takes quite some time to load profile data from the different
> ldap nodes (~2000 entries). In a previous prototype using OpenDJ we
> had to increase the parameter ds-cfg-size-limit: to ~1000 with good
> results. I am wondering now whether we can do the same for the
> freeIPA/389DS server. I found the following pages but I could not work
> out what the exact command should be to modify those parameters.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
>
> I attempted the following but received an ObjectClass violation:
>
> [centos@ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
> modifying entry "dc=ldap,dc=adeptra,dc=com"
> ldap_modify: Object class violation (65)
>         additional info: attribute "nsslapd-sizelimit" not allowed
>
> slimit:
> dn: dc=ldap,dc=example,dc=com
> changetype: modify
> add:nsslapd-sizelimit
> nsslapd-sizelimit: 1000
>
> I also attempted using a user dn but with the same result.
>
the example in the doc is unfortunately incorrect, nsslapd-sizelimit is the general limit in cn=config, the attribute per user is nsSizeLimit (as used in the text in the doc). And you have to add it to a user used for binding
>
> Can anybody help ?
>
> Thanks,
>
> Giuseppe.
>
>
> Fair Isaac Services Limited (Co. No. 01998476) and Fair Isaac
> (Adeptra) Limited (Co. No. 03295455) are registered in England and
> Wales and have a registered office address of Cottons Centre, 5th
> Floor, Hays Lane, London, SE1 2QP.
>
> This email and any files transmitted with it are confidential,
> proprietary and intended solely for the individual or entity to whom
> they are addressed. If you have received this email in error please
> delete it immediately.
>
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From abokovoy at redhat.com Tue May 17 10:59:01 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 17 May 2016 13:59:01 +0300
Subject: [Freeipa-users] Can't set nsslapd-sizelimit
In-Reply-To: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>
References: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>
Message-ID: <20160517105901.a33nznzemdipofnr@redhat.com>

On Mon, 16 May 2016, Giuseppe Sarno wrote:
>Hello,
>I am new to freeIPA and I am recently working on a project to integrate
>freeIPA with some legacy application which uses LDAP for user
>management. I have initially created our own ldap structure and I
>tried to run the code against freeIPA/389DS. While running this example
>I noticed that 389DS takes quite some time to load profile data from
>the different ldap nodes (~2000 entries). In a previous prototype using
>OpenDJ we had to increase the parameter ds-cfg-size-limit: to ~1000
>with good results. I am wondering now whether we can do the same for
>the freeIPA/389DS server. I found the following pages but I could not
>work out what the exact command should be to modify those parameters.
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>
>http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
>
>I attempted the following but received an ObjectClass violation:
>
>[centos@ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
>modifying entry "dc=ldap,dc=adeptra,dc=com"
>ldap_modify: Object class violation (65)
>        additional info: attribute "nsslapd-sizelimit" not allowed
>
>slimit:
>dn: dc=ldap,dc=example,dc=com
>changetype: modify
>add:nsslapd-sizelimit
>nsslapd-sizelimit: 1000
>
>I also attempted using a user dn but with the same result.
nsslapd-sizelimit is either set globally in cn=config or should be set per bind DN entry. Your dc=ldap,dc=adeptra,dc=com is not an entry that can be used for LDAP BIND operation, a user entry would be usable. But if your intent was to set it globally, just set it for a DN named cn=config.

--
/ Alexander Bokovoy

From pspacek at redhat.com Tue May 17 11:24:01 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 17 May 2016 13:24:01 +0200
Subject: [Freeipa-users] IPA as subdomain, part of AD ?
In-Reply-To: <1463421574.18643.44.camel@redhat.com>
References: <1463414424.9501.6.camel@yahoo.co.uk> <1463421574.18643.44.camel@redhat.com>
Message-ID:

On 16.5.2016 19:59, Simo Sorce wrote:
> On Mon, 2016-05-16 at 17:00 +0100, lejeczek wrote:
>> hi users/devel
>>
>> I'm trying to grasp the concepts - can IPA be plugged into AD domain,
>> be part of it as a subdomain?
>
> No, the only trust type we handle is a Forest level trust, so FreeIPA
> needs to be its own forest in AD terms.
>
>> I'm guessing it'd be quite common scenario, I see wiki describes
>> opposite arrangement, but how to have IPA as
>> ipa.activedir.local whereas activedir.local is top domain of an
>> enterprise?
>> Would this still be - setting cross-domain trust?
>
> It would still create a trust between 2 different forests, it just so
> happens that one of them will be in a DNS subdomain.
>
> For this to work, no other windows machine may have used the
> ipa.activedir.local domain before.

Please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html

--
Petr^2 Spacek

From pspacek at redhat.com Tue May 17 11:28:27 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 17 May 2016 13:28:27 +0200
Subject: [Freeipa-users] Can't set nsslapd-sizelimit
In-Reply-To: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>
References: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>
Message-ID: <4c66c15b-82e1-d280-cae2-753935cd065c@redhat.com>

On 16.5.2016 23:19, Giuseppe Sarno wrote:
> Hello,
> I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management.
> I have initially created our own ldap structure and I tried to run the code against freeIPA/389DS. While running this example I noticed that 389DS takes quite some time to load profile data from the different ldap nodes (~2000 entries). In a previous prototype using OpenDJ we had to increase the parameter ds-cfg-size-limit: to ~1000 with good results. I am wondering now whether we can do the same for the freeIPA/389DS server. I found the following pages but I could not work out what the exact command should be to modify those parameters.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
>
> I attempted the following but received an ObjectClass violation:
>
> [centos@ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D "cn=Directory Manager" -w '' -f slimit
> modifying entry "dc=ldap,dc=adeptra,dc=com"
> ldap_modify: Object class violation (65)
>         additional info: attribute "nsslapd-sizelimit" not allowed

System-wide config is stored in "cn=config". For further details please see
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Finding_Directory_Entries.html#Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line

Petr^2 Spacek

> slimit:
> dn: dc=ldap,dc=example,dc=com
> changetype: modify
> add:nsslapd-sizelimit
> nsslapd-sizelimit: 1000
>
> I also attempted using a user dn but with the same result.

From mbabinsk at redhat.com Tue May 17 11:30:21 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 17 May 2016 13:30:21 +0200
Subject: [Freeipa-users] Can't set nsslapd-sizelimit
In-Reply-To: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>
References: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local>
Message-ID:

On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:
> Hello,
>
> I am new to freeIPA and I am recently working on a project to integrate
> freeIPA with some legacy application which uses LDAP for user management.
>
> I have initially created our own ldap structure and I tried to run the
> code against freeIPA/389DS. While running this example I noticed that
> 389DS takes quite some time to load profile data from the different ldap
> nodes (~2000 entries).
> In a previous prototype using OpenDJ we had to
> increase the parameter ds-cfg-size-limit: to ~1000 with good results. I
> am wondering now whether we can do the same for the freeIPA/389DS
> server. I found the following pages but I could not work out what the
> exact command should be to modify those parameters.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
>
> I attempted the following but received an ObjectClass violation:
>
> [centos@ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D
> "cn=Directory Manager" -w '' -f slimit
> modifying entry "dc=ldap,dc=adeptra,dc=com"
> ldap_modify: Object class violation (65)
>         additional info: attribute "nsslapd-sizelimit" not allowed
>
> slimit:
> dn: dc=ldap,dc=example,dc=com
> changetype: modify
> add:nsslapd-sizelimit
> nsslapd-sizelimit: 1000
>
> I also attempted using a user dn but with the same result.
>
> Can anybody help ?
>
> Thanks,
>
> Giuseppe.
>

Hi Giuseppe,

the best way to tweak directory server configuration is this:

1.) stop directory server (systemctl stop dirsrv@EXAMPLE-COM)
2.) edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file: locate the nsslapd-sizelimit entry and change the value
3.) start directory server (systemctl start dirsrv@EXAMPLE-COM)

You should see the new value if you search for it in the 'cn=config' subtree which hosts the configuration (not the dc=example,dc=com suffix you use).

--
Martin^3 Babinsky

From jhrozek at redhat.com Tue May 17 12:34:59 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 17 May 2016 14:34:59 +0200
Subject: [Freeipa-users] HBAC access denied, all AD groups not detected
In-Reply-To:
References:
Message-ID: <20160517123459.GB3441@hendrix>

On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
> FWIW,
>
> We are seeing the issues that are described here:
>
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
>
> I was about to write when I found this, it explains exactly what I am
> seeing - right down to the "impossible to reproduce because it's so
> (seemingly) random".
>
>
> I am about to read up on the SSSD trouble shooting in order to up the logs
> &etc, but here is some output I can share - note that this all happened in
> ~5 minutes. As you can see, clearing the cache has various unpredictable
> effects. Both users should return the same list of groups. This was
> performed on a FreeIPA client.

There were some bugs related to external groups, what server and client packages version are you running?

From simo at redhat.com Tue May 17 13:19:27 2016
From: simo at redhat.com (Simo Sorce)
Date: Tue, 17 May 2016 09:19:27 -0400
Subject: [Freeipa-users] a user delegated to control a OU and realmd join - how..
In-Reply-To: <1463473675.9501.12.camel@yahoo.co.uk>
References: <1462983423.4953.59.camel@yahoo.co.uk> <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009> <1463473675.9501.12.camel@yahoo.co.uk>
Message-ID: <1463491167.18643.71.camel@redhat.com>

On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but is such a
> > > way so I tap my IPA into specific OU within that AD.
> >
> > I'm not exactly sure what you mean here. Do you want to join a computer
> > which is already a client in an IPA domain to AD as well? If this is the
> > case I would recommend to consider the IPA trust feature. Joining 2
> > domains is in general possible with SSSD but has to be done with very
> > great care, e.g. by using different keytabs for each domain.
> Can IPA domain establish a trust between win AD if IPA admin only has
> admin control over an OU in win AD ?

No, you need to be a Domain Admin with full privileges.

> I know very little about AD and only started with IPA - I don't suppose
> control of OU delegated to a user makes that user AD admin.

It doesn't.

> I guess what I'm thinking, asking, is - what would be the correct
> possible way to plug in, connect IPA domain to win AD when one has
> admin control only over a OU in win AD?

Not sure you can even do sync, there isn't really much you can do with those privileges, you are basically just allowed to administer a "group".

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From peljasz at yahoo.co.uk Tue May 17 13:46:37 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 17 May 2016 14:46:37 +0100
Subject: [Freeipa-users] win2012 r2 and trust type = realm
Message-ID: <1463492797.9501.17.camel@yahoo.co.uk>

hi users/devs

I've used wiki pages to set AD - IPA trust, and it always ends up being realm type of trust (@ AD DC end) whereas wiki shows forest type.
What am I doing wrong?
I think I must be doing something wrong for having that trust established (or at least I think I have it) when @IPA end I do:

$ kinit Administrator@ad_dom
Password for Administrator@ad_dom:
kinit: KDC reply did not match expectations while getting initial credentials

regards
L.

From lkrispen at redhat.com Tue May 17 13:51:42 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 17 May 2016 15:51:42 +0200
Subject: [Freeipa-users] Can't set nsslapd-sizelimit
In-Reply-To: <573AF728.6020302@redhat.com>
References: <65F212C00E7D9244933A5F61416B3089341D7956@mbx025-wd-ca-2.exch025.domain.local> <573AF728.6020302@redhat.com>
Message-ID: <573B21EE.8060207@redhat.com>

On 05/17/2016 12:49 PM, Ludwig Krispenz wrote:
>
> On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:
>>
>> Hello,
>>
>> I am new to freeIPA and I am recently working on a project to
>> integrate freeIPA with some legacy application which uses LDAP for
>> user management.
>>
>> I have initially created our own ldap structure and I tried to run
>> the code against freeIPA/389DS. While running this example I noticed
>> that 389DS takes quite some time to load profile data from the
>> different ldap nodes (~2000 entries). In a previous prototype using
>> OpenDJ we had to increase the parameter ds-cfg-size-limit: to ~1000
>> with good results. I am wondering now whether we can do the same for
>> the freeIPA/389DS server. I found the following pages but I could not
>> work out what the exact command should be to modify those parameters.
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>
>> http://directory.fedoraproject.org/docs/389ds/howto/howto-ldapsearchmanyattr.html
>>
>> I attempted the following but received an ObjectClass violation:
>>
>> [centos@ldap-389ds-ireland ~]$ ldapmodify -h ldap-389ds-ip -D
>> "cn=Directory Manager" -w '' -f slimit
>>
>> modifying entry "dc=ldap,dc=adeptra,dc=com"
>>
>> ldap_modify: Object class violation (65)
>>
>> additional info: attribute "nsslapd-sizelimit" not allowed
>>
>> slimit:
>>
>> dn: dc=ldap,dc=example,dc=com
>>
>> changetype: modify
>>
>> add:nsslapd-sizelimit
>>
>> nsslapd-sizelimit: 1000
>>
>> I also attempted using a user dn but with the same result.
>>
> the example in the doc is unfortunately incorrect,
in the latest doc it is corrected:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Finding_Directory_Entries.html#Setting_Resource_Limits_Based_on_the_Bind_DN-Setting_Resource_Limits_Using_the_Command_Line
> nsslapd-sizelimit is the general limit in cn=config, the attribute per
> user is nsSizeLimit (as used in the text in the doc).
> And you have to add it to a user used for binding
>>
>> Can anybody help ?
>>
>> Thanks,
>>
>> Giuseppe.
>>
>>
>

From jefferyharrell at gmail.com Mon May 16 23:54:40 2016
From: jefferyharrell at gmail.com (Jeffery Harrell)
Date: Mon, 16 May 2016 16:54:40 -0700
Subject: [Freeipa-users] Changing spec.page_length?
Message-ID:

Is there a "soft" way to change the number of rows in tables like the hosts and DNS records search facets? I think I'd happily trade a little interactivity when going from one facet to another for the ability to see four or five times as much information on a single screen at once.

I get that I can write a JavaScript mod that pokes into the individual tables and modifies spec.page_length, but is there an easier way? A setting somewhere maybe? The source code suggests the answer is no but I figured it couldn't hurt to ask.

Thanks,
Jeffery

From abokovoy at redhat.com Tue May 17 14:10:03 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 17 May 2016 17:10:03 +0300
Subject: [Freeipa-users] win2012 r2 and trust type = realm
In-Reply-To: <1463492797.9501.17.camel@yahoo.co.uk>
References: <1463492797.9501.17.camel@yahoo.co.uk>
Message-ID: <20160517141003.tnuwbcp7utp652el@redhat.com>

On Tue, 17 May 2016, lejeczek wrote:
>hi users/devs
>
>I've used wiki pages to set AD - IPA trust, and it always ends up being
>realm type of trust (@ AD DC end) whereas wiki shows forest type.
>What am I doing wrong?
Probably because you are choosing the wrong type of trust on the AD side.

Remove any trust with the same name as IPA on the AD side and try to create the trust using the 'ipa trust-add' command, as described in the wiki or in the documentation.

>I think I must be doing something wrong for having that trust
>established (or at least I think I have it) when @IPA end I do:
>
>$ kinit Administrator at ad_dom
>Password for Administrator at ad_dom:
>kinit: KDC reply did not match expectations while getting initial
>credentials

This is unrelated. In Kerberos the realm is supposed to be in UPPER CASE. If you specified it in lower case, the AD DC would accept that and would issue a ticket with the corrected principal name, but the 'kinit' utility would not accept the changed principal.

kinit Administrator at AD_DOM is what you would need to try. However, being able to kinit as an AD user from an IPA machine has nothing to do with the IPA - AD trust.

-- 
/ Alexander Bokovoy

From rcritten at redhat.com Tue May 17 14:11:47 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 May 2016 10:11:47 -0400
Subject: [Freeipa-users] Re-enable 7389 port on multimaster
In-Reply-To: 
References: 
Message-ID: <573B26A3.9050307@redhat.com>

barrykfl at gmail.com wrote:
> Hi :
>
> 2 servers configured as multi master but one of them cannot telnet 7389
>
> how can I check and re-enable it ?
>
> Server cannot telnet 7389 .... should I reinstall CA service ... is it
> related ?
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING

You'd need to see if a CA is configured on this master at all. If no CA is configured you can add using ipa-ca-install.

rob

From rcritten at redhat.com Tue May 17 14:18:05 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 May 2016 10:18:05 -0400
Subject: [Freeipa-users] How to determine cause/source of user lockout?
In-Reply-To: References: Message-ID: <573B281D.10907@redhat.com> John Duino wrote: > Is there a (relatively easy) way to determine what is causing a user > account to be locked out? The admin account on our 'primary' ipa host is > locked out frequently, but somewhat randomly; sometimes it will be less > than 5 minutes it is available, and other times several hours. > > ipa user-status admin will show something like: > Failed logins: 6 > Last successful authentication: 20160516214142Z > Last failed authentication: 20160516224718Z > Time now: 2016-05-16T22:52:00Z > > ipa user-unlock admin does unlock it. > > But parsing through the various logs on the affected host doesn't give > me what I need to know, primarily, which host(s) are trying to access > admin and causing it to lock. > > FreeIPA 4.2.0 on CentOS 7.2.1511 I think you'd need to poke around in the KDC and 389-ds access log to find the auth attempts. I guess I'd look for PREAUTH_FAILED in /var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then correlate the conn value with a BIND to see who was authenticating. rob From rcritten at redhat.com Tue May 17 14:18:54 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 May 2016 10:18:54 -0400 Subject: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN In-Reply-To: References: <5d528401-3a58-dc81-8113-e015369766a5@redhat.com> Message-ID: <573B284E.3020008@redhat.com> Adam Kaczka wrote: > I found from [root at host pki-ca]# tail -n 100 /var/log/pki-ca/system that > CA chain is missing; so I am thinking I may have to use > |ipa-server-certinstall| to reinstall the two certs. I really doubt it. I'm not sure what can't be found, maybe one of the dogtag devs has an idea. > > 5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object > certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException > 2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object > certificate not found. 
Error org.mozilla.jss.crypto.ObjectNotFoundException > 2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet > caDisplayBySerial: The CA chain is missing or could not be obtained from > the remote Certificate Manager or Registr > ation Manager. The remote server could be down. > 2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet > caDisplayBySerial: The CA chain is missing or could not be obtained from > the remote Certificate Manager or Registr > ation Manager. The remote server could be down. > 2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object > certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException > 2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet > caDisplayBySerial: The CA chain is missing or could not be obtained from > the remote Certificate Manager or Registr > ation Manager. The remote server could be down. > 2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet > caDisplayBySerial: The CA chain is missing or could not be obtained from > the remote Certificate Manager or Registr > ation Manager. The remote server could be down. > 2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object > certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException > 2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet > caDisplayBySerial: The CA chain is missing or could not be obtained from > the remote Certificate Manager or Registr > ation Manager. The remote server could be down. > > > On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka > wrote: > > Certmonger cannot communicate with CA; the result of getlist cert shows: > > RPC failed at server. 
Certificate operation cannot be completed: > Unable to communicate with CMS (Not Found) > > After setting time back, from /var/log/pki-ca/debug I get: > > [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException > Certificate object not found > at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) > at > com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205) > at > com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) > at > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) > at > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) > at com.netscape.certsrv.apps.CMS.init(CMS.java:153) > at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) > at > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4738) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > at > org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) > at > 
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > at > org.apache.catalina.core.StandardHost.start(StandardHost.java:722) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) > at > org.apache.catalina.core.StandardService.start(StandardService.java:516) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:710) > at > org.apache.catalina.startup.Catalina.start(Catalina.java:593) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at > org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > [30/Dec/2015:08:10:25][main]: CMSEngine.shutdown() > [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, > authorization for servlet: caProfileSubmit is LDAP based, not XML > {1}, use default authz mgr: {2}. > [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, > authorization for servlet: caProfileSubmit is LDAP based, not XML > {1}, use default authz mgr: {2}. > [30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, > authorization for servlet: caDisplayBySerial is LDAP based, not XML > {1}, use default authz mgr: {2}. > [30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, > authorization for servlet: caDisplayBySerial is LDAP based, not XML > {1}, use default authz mgr: {2}. 
> > > On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik > wrote: > > On 05/14/2016 12:01 AM, Adam Kaczka wrote: > > Hi all, > > > > I have inherited a IPA system that has an expired cert and the old admins have > > left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but > > running into errors when I try to renew the CA certs even after time is reset. > > Also tried the troubleshooting under > > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors); > > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt" > > to add the cert in the database. > > > > From the output of getcert list, I see both CA_UNREACHABLE and > > NEED_CSR_GEN_PIN. I followed redhat article here > > (https://access.redhat.com/solutions/1142913) which verified key > file password > > is correct and I have reset time. However the NEED_CSR_GEN_PIN status remains. > > My company actually has redhat support but when they built this IPA whoever > > built it was using Centos 6 so I am out of luck here. > > > > Would really appreciate any help since I am stuck at this point? What else I > > can do at this point? e.g. Is generate a new CA cert necessary, etc.? > > Hi, > > you don't need to renew CA cert, it seems to be valid. But your > server > cert is expired. It expired on 2016-03-29. > > 1. Move date back before this date, e.g., 2016-03-27. > 2. Verify that IPA is running `ipactl status`. Maybe restart > will be needed. > 3. run `getcert list` to see if certmonger can communicate with CA > 4. if certmonger doesn't renew the certs automatically, run `getcert > resubmit -i $certid` for the expired cert. 
> > > > > Version: > > ipa-pki-ca-theme.noarch 9.0.3-7.el6 > @base > > ipa-pki-common-theme.noarch 9.0.3-7.el6 > @base > > ipa-pmincho-fonts.noarch 003.02-3.1.el6 > @base > > ipa-python.x86_64 3.0.0-47.el6.centos.2 > @updates > > ipa-server.x86_64 3.0.0-47.el6.centos.2 > @updates > > ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 > @updates > > > > Part of error logs from /var/log/pki-ca/debug after I reset > clock; I see these > > errors which I think is relevlant?: > > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug > > org.mozilla.jss.crypto.ObjectNotFoundException > > Certificate object not found > > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException > > Certificate object not found > > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown() > > > > Result seems to show key file password is correct: > > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f > > /etc/dirsrv/slapd-REALM-NET/pwdfile.txt > > certutil: Checking token "NSS Certificate DB" in slot "NSS > User Private Key and > > Certificate Services" > > < 0> rsa ############################ NSS Certificate > DB:Server-Cert > > > > > > certutil -L -d /var/lib/pki-ca/alias > > > > Certificate Nickname > Trust Attributes > > > SSL,S/MIME,JAR/XPI > > > > ocspSigningCert cert-pki-ca > u,u,u > > subsystemCert cert-pki-ca > u,u,u > > Server-Cert cert-pki-ca > u,u,u > > auditSigningCert cert-pki-ca > u,u,Pu > > caSigningCert cert-pki-ca > CTu,Cu,Cu > > > > > > certutil -L -d /etc/httpd/alias > > > > Certificate Nickname > Trust Attributes > > > SSL,S/MIME,JAR/XPI > > > > Server-Cert > u,u,u > > ipaCert > u,u,u > > REALM.COM IPA CA > CT,C, > > > > > > certutil -L -d /etc/dirsrv/slapd-REALM-COM > > > > Certificate Nickname Trust Attributes > > SSL,S/MIME,JAR/XPI > > > > Server-Cert u,u,u > > REALM.COM IPA CA > CT,C,C > > > > > > Output of getcert list: > > > > Number of certificates and requests being tracked: 7. 
> > Request ID '21135214223243': > > status: CA_UNREACHABLE > > ca-error: Server athttps://host.example.net/ipa/xml failed request, > > will retry: 4301 (RPC failed at server. Certificate oper > > ation cannot be completed: Unable to communicate with CMS (Not Found)). > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS > > Certificate DB',pinfil > > e='/etc/dirsrv/slapd-example-NET//pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=host.example.net > ,O=example.NET > > expires: 2016-03-29 14:09:46 UTC > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '21135214223300': > > status: CA_UNREACHABLE > > ca-error: Server athttps://host.example.net/ipa/xml failed request, > > will retry: 4301 (RPC failed at server. Certificate oper > > ation cannot be completed: Unable to communicate with CMS (Not Found)). 
> > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > > DB',pinfile=' > > /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > > DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=host.example.net > ,O=example.NET > > expires: 2016-03-29 14:09:45 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130519130741': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > > "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert- > > pki-ca&serial_num=61&renewal=true&xml=true". > > stuck: yes > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate > > DB',pin set > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=CA Audit,O=example.NET > > expires: 2017-10-13 14:10:49 UTC > > key usage: digitalSignature,nonRepudiation > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130742': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > > "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu > > m=60&renewal=true&xml=true". 
> > stuck: yes > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate D > > B',pin set > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=OCSP Subsystem,O=example.NET > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130743': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > > "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu > > m=62&renewal=true&xml=true". > > stuck: yes > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > ,pin set > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=CA Subsystem,O=example.NET > > expires: 2017-10-13 14:09:49 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130744': > > status: MONITORING > > ca-error: Internal error: no response to > > > "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu > > m=64&renewal=true&xml=true". 
> > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate > > DB',pinfile='/etc/httpd/al > > ias/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=RA Subsystem,O=example.NET > > expires: 2017-10-13 14:09:49 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > /usr/lib64/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > Request ID '20130519130745': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > > "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu > > m=63&renewal=true&xml=true". > > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB',p > > in set > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=example.NET > > subject: CN=host.example.net > ,O=example.NET > > expires: 2017-10-13 14:09:49 UTC > > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > > > > > Regards, Adam > > > > > > > > > -- > Petr Vobornik > > > > > From peljasz at yahoo.co.uk Tue May 17 15:11:25 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Tue, 17 May 2016 16:11:25 +0100 Subject: [Freeipa-users] win2012 r2 and trust type = realm In-Reply-To: <20160517141003.tnuwbcp7utp652el@redhat.com> References: <1463492797.9501.17.camel@yahoo.co.uk> 
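Petr Vobornik's four steps above (move the clock back before the earliest expiry, check `ipactl status`, confirm with `getcert list` that certmonger can reach the CA, then `getcert resubmit -i` each expired request) are easy to get wrong when seven requests are tracked and some are in different states. The script below is an added example, not code from the thread, from certmonger or from FreeIPA: it parses `getcert list` output, reports which requests are expired, stuck or outside MONITORING, suggests the clock date for step 1 and prints the resubmit commands for step 4. The sample output is constructed to mirror the layout quoted above; the request IDs, hostname, serial numbers and dates are invented, and the two-day margin for the clock is my own choice.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed getcert list output mirroring the layout quoted in the thread;
# request IDs, hostnames, serials and dates are invented for the example.
GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130519130740':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=host.example.net,O=EXAMPLE.NET
        expires: 2016-03-29 14:09:46 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2017-10-13 14:09:49 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2017-10-13 14:09:49 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split getcert list output into one dict per tracked request.

    Every indented 'key: value' line is stored under its key; the first colon
    separates key from value, so 'ca-error: Internal error: ...' keeps its URL.
    """
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def expiry(request):
    return utc(request["expires"].replace(" UTC", ""))


def needs_attention(requests, now):
    """[(request id, nickname, reasons)] for expired, stuck or non-MONITORING requests."""
    out = []
    for r in requests:
        reasons = []
        if expiry(r) <= now:
            reasons.append("expired " + r["expires"])
        if r.get("status") != "MONITORING":
            reasons.append("status " + r.get("status", "?"))
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if reasons:
            nick = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
            out.append((r["id"], nick.group(1) if nick else "?", reasons))
    return out


def clock_date_for_renewal(requests, margin=timedelta(days=2)):
    """Step 1: a date before the earliest expiry, so every tracked cert is valid
    again while certmonger talks to the CA (margin is an assumption)."""
    return min(expiry(r) for r in requests) - margin


def resubmit_commands(attention):
    """Step 4: one resubmit per request; NEED_CSR_GEN_PIN means certmonger could
    not use the stored pin, so that request is flagged instead of resubmitted."""
    cmds = []
    for rid, nick, reasons in attention:
        if "status NEED_CSR_GEN_PIN" in reasons:
            cmds.append("# %s (%s): fix the NSS DB pin before resubmitting" % (rid, nick))
        else:
            cmds.append("getcert resubmit -i %s" % rid)
    return cmds


if __name__ == "__main__":
    reqs = parse_getcert_list(GETCERT_LIST)
    print("date -s '%s'" % clock_date_for_renewal(reqs).strftime("%Y-%m-%d %H:%M:%S"))
    for cmd in resubmit_commands(needs_attention(reqs, utc("2016-05-16 22:52:00"))):
        print(cmd)
```

Run it with the real output piped in (`getcert list | python3 renew_plan.py` after swapping the constant for `sys.stdin.read()`) and keep the clock moved back until `getcert list` shows every request back in MONITORING, since certmonger only talks to the CA over the very HTTPS endpoint whose certificate expired.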
<20160517141003.tnuwbcp7utp652el@redhat.com>
Message-ID: <1463497885.9501.19.camel@yahoo.co.uk>

On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
> On Tue, 17 May 2016, lejeczek wrote:
> > hi users/devs
> >
> > I've used wiki pages to set AD - IPA trust, and it always ends up being
> > realm type of trust (@ AD DC end) whereas wiki shows forest type.
> > What am I doing wrong?
> Probably because you are choosing the wrong type of trust on the AD side.
>
> Remove any trust with the same name as IPA on the AD side and try to create
> the trust using the 'ipa trust-add' command, as described in the wiki or in
> the documentation.
>
but ipa trust-add renders a one-way type of trust, at least here for me; is this correct? I go to the AD DC and see only a one-way trust.

> > I think I must be doing something wrong for having that trust
> > established (or at least I think I have it) when @IPA end I do:
> >
> > $ kinit Administrator at ad_dom
> > Password for Administrator at ad_dom:
> > kinit: KDC reply did not match expectations while getting initial
> > credentials
>
> This is unrelated. In Kerberos the realm is supposed to be in UPPER CASE. If
> you specified it in lower case, the AD DC would accept that and would issue
> a ticket with the corrected principal name but the 'kinit' utility would not
> accept the changed principal.
>
> kinit Administrator at AD_DOM is what you would need to try. However, being
> able to kinit as an AD user from an IPA machine has nothing to do with the
> IPA - AD trust.
>
-------------- next part --------------
An HTML attachment was scrubbed...
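Rob Crittenden's reply to John Duino's lockout question earlier on this page points at PREAUTH_FAILED lines in /var/log/krb5kdc.log and at err=49 BIND results in the 389-ds access log, correlated through the conn= number back to the "connection from" line that carries the client address. The script below is an added example, not code from the thread, from FreeIPA or from 389-ds: it runs exactly that correlation over a few constructed log lines (hostnames, addresses, connection numbers and timestamps are all invented) and tallies failed attempts per source address for one principal and the matching LDAP DN, which is what you need to know before unlocking the account again.

```python
import re
from collections import Counter

# Constructed sample log lines in the shape of /var/log/krb5kdc.log and the
# 389-ds access log; hosts, addresses, conn numbers and times are invented.
KRB5KDC_LOG = """\
May 16 22:40:02 ipa.example.com krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
May 16 22:41:10 ipa.example.com krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
May 16 22:41:55 ipa.example.com krb5kdc[1201](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1463438515, etypes {rep=18 tkt=18 ses=18}, jdoe@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

DIRSRV_ACCESS_LOG = """\
[16/May/2016:22:45:01 +0000] conn=4410 fd=71 slot=71 connection from 10.0.0.7 to 10.0.0.2
[16/May/2016:22:45:01 +0000] conn=4410 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:45:01 +0000] conn=4410 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:45:02 +0000] conn=4411 fd=72 slot=72 connection from 10.0.0.7 to 10.0.0.2
[16/May/2016:22:45:02 +0000] conn=4411 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:45:02 +0000] conn=4411 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2016:22:46:30 +0000] conn=4412 fd=73 slot=73 connection from 10.0.0.11 to 10.0.0.2
[16/May/2016:22:46:30 +0000] conn=4412 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[16/May/2016:22:46:30 +0000] conn=4412 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

# MIT KDC: "... AS_REQ (...) <client ip>: PREAUTH_FAILED: <client principal> for <server> ..."
KDC_RE = re.compile(r"\) (?P<ip>[\d.]+): PREAUTH_FAILED: (?P<princ>\S+) for ")
# 389-ds: the connection line carries the address, BIND and RESULT share conn= and op=
CONN_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<ip>[\d.]+) ")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=49 ")


def kdc_preauth_failures(log, principal):
    """Count PREAUTH_FAILED entries for one principal, keyed by client address."""
    counts = Counter()
    for line in log.splitlines():
        m = KDC_RE.search(line)
        if m and m.group("princ") == principal:
            counts[m.group("ip")] += 1
    return counts


def dirsrv_bind_failures(log, dn):
    """Count err=49 (invalid credentials) BIND results for one DN, keyed by the
    address of the connection the BIND arrived on."""
    conn_ip = {}          # conn -> client address
    bind_dn = {}          # (conn, op) -> DN that tried to bind
    counts = Counter()
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group("conn")] = m.group("ip")
            continue
        m = BIND_RE.search(line)
        if m:
            bind_dn[(m.group("conn"), m.group("op"))] = m.group("dn")
            continue
        m = RESULT_RE.search(line)
        if m and bind_dn.get((m.group("conn"), m.group("op")), "").lower() == dn.lower():
            counts[conn_ip.get(m.group("conn"), "unknown")] += 1
    return counts


def lockout_sources(kdc_log, dirsrv_log, principal, dn):
    """Merge both views into [(address, failures)], worst offender first."""
    total = Counter()
    total.update(kdc_preauth_failures(kdc_log, principal))
    total.update(dirsrv_bind_failures(dirsrv_log, dn))
    return sorted(total.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in lockout_sources(KRB5KDC_LOG, DIRSRV_ACCESS_LOG, "admin@EXAMPLE.COM",
                                 "uid=admin,cn=users,cn=accounts,dc=example,dc=com"):
        print("%-15s %d failed attempts" % (ip, n))
```

Run it on the server whose counter is climbing: `ipa user-status` prints the failure counters per server because IPA does not replicate them, so the KDC and access logs of a different replica will show nothing. A KDC address of a client host usually means a stale password cached in a service, cron job or SSSD on that host; an LDAP address with a non-SSSD bind is typically an application configured with the admin DN.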
URL: 

From schogan at us.ibm.com Tue May 17 15:27:28 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 17 May 2016 08:27:28 -0700
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: 
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> <57225110.1000708@redhat.com> <57237E09.5090603@redhat.com> <201604292025.u3TKPbqC002081@d01av05.pok.ibm.com> <5723C5A9.6080607@redhat.com>
Message-ID: <201605171528.u4HFSj96017806@d03av05.boulder.ibm.com>

Hello,

This is an older thread now but our mitigation guys found a solution in fixing this that I think you all may want, as the output has now changed from the 13 ciphers that would not change to the below. It's a rather easy fix as well, and possibly I missed it with assumptions. You need to modify both the realm name dse and the pki dse ldifs. I was only modifying the realm dse.

/etc/dirsrv/slapd-PKI-IPA/dse.ldif
/etc/dirsrv/slapd-REALM-NAME/dse.ldif

[bob at dingle ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-05-17 10:59 EDT
Nmap scan report for dingle at bob.local (IP of dingle)
Host is up (0.00015s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (7)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Rob Crittenden
Cc: freeipa-users at redhat.com, Noriko Hosoi
Date: 04/29/2016 01:49 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Thanks Rob... appreciate the help..
can you send me what you have in nss.conf, server.xml as well? If I start off playing with something you see working without issue then maybe I can come up with something or am I wrong thinking those might affect anything? IE .. can you send me the entire cn=encryption, cn=config section like this dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: off creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=directory manager createTimestamp: 20150420131850Z modifyTimestamp: 20150420131906Z nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5 ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_ sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha numSubordinates: 1 Sean Hogan From: Rob Crittenden To: Sean Hogan/Durham/IBM at IBMUS Cc: freeipa-users at redhat.com, Noriko Hosoi Date: 04/29/2016 01:36 PM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Sean Hogan wrote: > Apparently making it the master ca will not work at this point since the > replica is removed. So still stuck with non-changing ciphers. Other services running on the box have zero impact on the ciphers available. I'm not sure what is wrong because it took me just a minute to stop dirsrv, modify dse.ldif with the list I provided, restart it and confirm that the cipher list was better. Entries in cn=config are not replicated. 
rob > > > Sean Hogan > > > > > > Inactive hide details for Sean Hogan---04/29/2016 08:56:57 AM---Hi Rob, > I stopped IPA, modified dse.ldif, restarted with the Sean > Hogan---04/29/2016 08:56:57 AM---Hi Rob, I stopped IPA, modified > dse.ldif, restarted with the cipher list and it started without is > > From: Sean Hogan/Durham/IBM > To: Rob Crittenden > Cc: freeipa-users at redhat.com, Noriko Hosoi > Date: 04/29/2016 08:56 AM > Subject: Re: [Freeipa-users] IPA vulnerability management SSL > > ------------------------------------------------------------------------ > > > Hi Rob, > > I stopped IPA, modified dse.ldif, restarted with the cipher list and it > started without issue however Same 13 ciphers. You know.. thinking about > this now.. I going to try something. The box I am testing on it a > replica master and not the first replica. I did not think this would > make a difference since I removed the replica from the realm before > testing but maybe it will not change anything thinking its stuck in the > old realm? > > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 > 11:51 EDT > Nmap scan report for > Host is up (0.000082s latency). 
> PORT STATE SERVICE > 636/tcp open ldapssl > | ssl-enum-ciphers: > | TLSv1.2 > | Ciphers (13) > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA > | SSL_RSA_FIPS_WITH_DES_CBC_SHA > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA > | TLS_RSA_WITH_3DES_EDE_CBC_SHA > | TLS_RSA_WITH_AES_128_CBC_SHA > | TLS_RSA_WITH_AES_128_CBC_SHA256 > | TLS_RSA_WITH_AES_128_GCM_SHA256 > | TLS_RSA_WITH_AES_256_CBC_SHA > | TLS_RSA_WITH_AES_256_CBC_SHA256 > | TLS_RSA_WITH_DES_CBC_SHA > | TLS_RSA_WITH_RC4_128_MD5 > | TLS_RSA_WITH_RC4_128_SHA > | Compressors (1) > > dn: cn=encryption,cn=config > objectClass: top > objectClass: nsEncryptionConfig > cn: encryption > nsSSLSessionTimeout: 0 > nsSSLClientAuth: allowed > nsSSL2: off > nsSSL3: off > creatorsName: cn=server,cn=plugins,cn=config > modifiersName: cn=directory manager > createTimestamp: 20150420131850Z > modifyTimestamp: 20150420131906Z > nsSSL3Ciphers: > -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5 > ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_ > sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r > c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha > numSubordinates: 1 > > > > > > Sean Hogan > > > > > > > > > Inactive hide details for Rob Crittenden ---04/29/2016 08:30:29 > AM---Sean Hogan wrote: > Hi Noriko,Rob Crittenden ---04/29/2016 08:30:29 > AM---Sean Hogan wrote: > Hi Noriko, > > From: Rob Crittenden > To: Sean Hogan/Durham/IBM at IBMUS, Noriko Hosoi > Cc: freeipa-users at redhat.com > Date: 04/29/2016 08:30 AM > Subject: Re: [Freeipa-users] IPA vulnerability management SSL > ------------------------------------------------------------------------ > > > > Sean Hogan wrote: > > Hi Noriko, > > > > Thanks for the suggestions, > > > > I had to trim out the GCM ciphers in order to get IPA to start back up > > or I would get the unknown cipher message > > The trick is getting the cipher name right (it doesn't always follow a > pattern) and 
explicitly disabling some ciphers as they are enabled by default.
>
> Try this string:
>
> -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
>
> I have an oldish install but I think it will still do what you need:
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
> Nmap scan report for pacer.example.com (192.168.126.2)
> Host is up (0.00053s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> |     compressors:
> |       NULL
> |     cipher preference: server
> |_  least strength: C
>
> Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
>
> $ sslscan pacer.example.com:636 |grep Accept
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>     Accepted  TLS11  256 bits  AES256-SHA
>     Accepted  TLS11  128 bits  AES128-SHA
>     Accepted  TLS11  112 bits  DES-CBC3-SHA
>     Accepted  TLS12  256 bits  AES256-SHA256
>     Accepted  TLS12  256 bits  AES256-SHA
>     Accepted  TLS12  128 bits  AES128-GCM-SHA256
>     Accepted  TLS12  128 bits  AES128-SHA256
>     Accepted  TLS12  128 bits  AES128-SHA
>     Accepted  TLS12  112 bits  DES-CBC3-SHA
>
> rob
>
> > Nmap is still showing the same 13 ciphers as before though like nothing
> > had changed and I did ipactl stop, made modification, ipactl start
> >
> > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
> > Nmap scan report for
> > Host is
up (0.000053s latency). > > PORT STATE SERVICE > > 636/tcp open ldapssl > > | ssl-enum-ciphers: > > | TLSv1.2 > > | Ciphers (13) > > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA > > | SSL_RSA_FIPS_WITH_DES_CBC_SHA > > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA > > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA > > | TLS_RSA_WITH_3DES_EDE_CBC_SHA > > | TLS_RSA_WITH_AES_128_CBC_SHA > > | TLS_RSA_WITH_AES_128_CBC_SHA256 > > | TLS_RSA_WITH_AES_128_GCM_SHA256 > > | TLS_RSA_WITH_AES_256_CBC_SHA > > | TLS_RSA_WITH_AES_256_CBC_SHA256 > > | TLS_RSA_WITH_DES_CBC_SHA > > | TLS_RSA_WITH_RC4_128_MD5 > > | TLS_RSA_WITH_RC4_128_SHA > > | Compressors (1) > > |_ uncompressed > > > > Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds > > > > Current Config: > > > > dse.ldif > > dn: cn=encryption,cn=config > > objectClass: top > > objectClass: nsEncryptionConfig > > cn: encryption > > nsSSLSessionTimeout: 0 > > nsSSLClientAuth: allowed > > nsSSL2: off > > nsSSL3: off > > creatorsName: cn=server,cn=plugins,cn=config > > modifiersName: cn=directory manager > > createTimestamp: 20150420131850Z > > modifyTimestamp: 20150420131906Z > > nsSSL3Ciphers: > > -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_ > > > rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha > > > ,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_ > > aes_256_sha,+rsa_aes_256_sha > > numSubordinates: 1 > > > > > > nss.conf > > # SSL 3 ciphers. SSL 2 is disabled by default. > > NSSCipherSuite > > > -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha > > > > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > > > > > Does nss.conf have anything to do with the dir srv ciphers? 
I know the > > 389 docs says they are tied together so the way I have been looking at > > it is nss.conf lists the allowed ciphers where dse.ldif lists which ones > > to use for 389 from nss.conf. Is that correct? Is there any other place > > where ciphers would be ignored? > > > > nss-3.19.1-8.el6_7.x86_64 > > sssd-ipa-1.12.4-47.el6_7.4.x86_64 > > ipa-client-3.0.0-47.el6_7.1.x86_64 > > ipa-server-selinux-3.0.0-47.el6_7.1.x86_64 > > ipa-pki-common-theme-9.0.3-7.el6.noarch > > ipa-python-3.0.0-47.el6_7.1.x86_64 > > ipa-server-3.0.0-47.el6_7.1.x86_64 > > libipa_hbac-python-1.12.4-47.el6_7.4.x86_64 > > ipa-admintools-3.0.0-47.el6_7.1.x86_64 > > ipa-pki-ca-theme-9.0.3-7.el6.noarch > > 389-ds-base-1.2.11.15-68.el6_7.x86_64 > > 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64 > > > > > > I need to get rid of any rc4s > > > > Sean Hogan > > > > > > > > > > > > Inactive hide details for Noriko Hosoi ---04/28/2016 12:08:59 PM---Thank > > you for including me in the loop, Ludwig. On 04/28/201Noriko Hosoi > > ---04/28/2016 12:08:59 PM---Thank you for including me in the loop, > > Ludwig. On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: > > > > From: Noriko Hosoi > > To: Ludwig Krispenz , freeipa-users at redhat.com > > Date: 04/28/2016 12:08 PM > > Subject: Re: [Freeipa-users] IPA vulnerability management SSL > > Sent by: freeipa-users-bounces at redhat.com > > > > ------------------------------------------------------------------------ > > > > > > > > Thank you for including me in the loop, Ludwig. > > > > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: > > > If I remember correctly we did the change in default ciphers and the > > option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, > > adding Noriko to get confirmation. > > > > Ludwig is right. The way how to set nsSSL3Ciphers has been changed > > since 1.3.3 which is available on RHEL-7. 
> >
> > This is one of the newly supported values of nsSSL3Ciphers:
> >
> > Notes: if the value contains +all, then - is removed from the list.
> > http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1
> >
> > On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if "+all" is found in the value, all the available ciphers are enabled.
> >
> > To work around it, could you try explicitly setting ciphers as follows?
> > nsSSL3Ciphers:
> > -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
> > +tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
> > +tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
> >
> > Thanks,
> > --noriko
> >
> > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
> >
> > wanted to add Noriko, but hit send too quickly
> >
> > On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
> >
> > On 04/28/2016 12:06 PM, Martin Kosek wrote:
> > On 04/28/2016 01:23 AM, Sean Hogan wrote:
> > Hi Martin,
> >
> > No joy on placing - in front of the RC4s
> >
> > I modified my nss.conf to now read
> > # SSL 3 ciphers. SSL 2 is disabled by default.
> > NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > # SSL Protocol:
> > # Cryptographic protocols that provide communication security.
> > # NSS handles the specified protocols as "ranges", and automatically
> > # negotiates the use of the strongest protocol for a connection starting
> > # with the maximum specified protocol and downgrading as necessary to the
> > # minimum specified protocol that can be used between two processes.
> > # Since all protocol ranges are completely inclusive, and no protocol in the
> > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> >
> > dse.ldif
> >
> > dn: cn=encryption,cn=config
> > objectClass: top
> > objectClass: nsEncryptionConfig
> > cn: encryption
> > nsSSLSessionTimeout: 0
> > nsSSLClientAuth: allowed
> > nsSSL2: off
> > nsSSL3: off
> > creatorsName: cn=server,cn=plugins,cn=config
> > modifiersName: cn=directory manager
> > createTimestamp: 20150420131850Z
> > modifyTimestamp: 20150420131906Z
> > nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
> > numSubordinates: 1
> >
> > But I still get this with nmap.. I thought the above would remove -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding where it is coming from cept the +all from DS but the - should be negating that?
> >
> > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
> > Nmap scan report for
> > Host is up (0.000086s latency).
> > PORT STATE SERVICE
> > 636/tcp open ldapssl
> > | ssl-enum-ciphers:
> > | TLSv1.2
> > | Ciphers (13)
> > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> > | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > | TLS_RSA_WITH_AES_128_CBC_SHA
> > | TLS_RSA_WITH_AES_128_CBC_SHA256
> > | TLS_RSA_WITH_AES_128_GCM_SHA256
> > | TLS_RSA_WITH_AES_256_CBC_SHA
> > | TLS_RSA_WITH_AES_256_CBC_SHA256
> > | TLS_RSA_WITH_DES_CBC_SHA
> > | TLS_RSA_WITH_RC4_128_MD5
> > | TLS_RSA_WITH_RC4_128_SHA
> > | Compressors (1)
> > |_ uncompressed
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
> >
> > It seems no matter what config I put into nss.conf or dse.ldif nothing changes with my nmap results. Is there supposed to be a section to add TLS ciphers instead of SSL
> >
> > Not sure now, CCing Ludwig who was involved in the original RHEL-6 implementation.
> >
> > If I remember correctly we did the change in default ciphers and the option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko to get confirmation.
> >
> > but the below comments about changing ciphers in dse.ldif could help in using the "old" way to set ciphers
> >
> > Just to be sure, when you are modifying dse.ldif, the procedure should be always following:
> >
> > 1) Stop Directory Server service
> > 2) Modify dse.ldif
> > 3) Start Directory Server service
> >
> > Otherwise it won't get applied and will get overwritten later.
> >
> > In any case, the ciphers with RHEL-6 should be secure enough, the ones in FreeIPA 4.3.1 should be even better.
> > This is for example an nmap taken on FreeIPA Demo instance that runs on FreeIPA 4.3.1:
> >
> > $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
> >
> > Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
> > Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
> > Host is up (0.18s latency).
> > PORT STATE SERVICE
> > 636/tcp open ldapssl
> > | ssl-enum-ciphers:
> > | TLSv1.2:
> > | ciphers:
> > | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > | compressors:
> > | NULL
> > | cipher preference: server
> > |_ least strength: A
> >
> > Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
> >
> > Martin
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
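The thread above checks a 389-ds LDAPS listener with nmap's ssl-enum-ciphers and edits nsSSL3Ciphers in dse.ldif, and Noriko explains that on 389-ds-base 1.2.11 a "+all" in that value enables every available cipher so the "-" entries remove nothing. As an added example (not code from the thread, from FreeIPA or from the 389-ds project), the Python below does the two checks a practitioner would want to automate: it parses nmap's listing and flags the suites to get rid of (RC4, single DES, export grade, NULL, MD5), and it reads nsSSL3Ciphers from a dse.ldif entry, unfolding LDIF continuation lines, to warn about "+all" or an explicitly enabled weak cipher. The nmap text and the dse.ldif fragment are constructed from the listings in the thread.

```python
"""Audit a 389-ds TLS listener: flag weak suites in nmap ssl-enum-ciphers
output and catch the '+all' pitfall in nsSSL3Ciphers. Added example, not
code from the thread or from 389-ds; all sample data below is constructed."""
import re

# Constructed sample: the Nmap 5.51 ssl-enum-ciphers listing posted above.
NMAP_OUTPUT = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed
"""

# Constructed sample dse.ldif entry, folded the way 389-ds writes long
# values (continuation lines start with one space, RFC 2849).
DSE_LDIF = """\
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc
 4_56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1
"""

# Substrings that mark a suite as unacceptable: RC4, single DES, export
# grade, NULL encryption and MD5 MACs. 3DES is "_3DES_", so "_DES_" skips it.
WEAK_MARKERS = ("RC4", "_DES_", "EXPORT", "NULL", "_MD5")

SUITE_RE = re.compile(r"^\|_?\s+((?:TLS|SSL)_[A-Z0-9_]+)")


def enumerated_suites(nmap_text):
    """Return the cipher suite names nmap listed, in order of appearance."""
    return [m.group(1) for m in map(SUITE_RE.match, nmap_text.splitlines()) if m]


def weak_suites(nmap_text):
    """Suites from the nmap listing that match any weak marker."""
    return [s for s in enumerated_suites(nmap_text)
            if any(marker in s for marker in WEAK_MARKERS)]


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto their predecessor."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def ldif_attribute(text, dn, attr):
    """Value of `attr` in the entry whose dn matches (case-insensitive), or None."""
    in_entry = False
    for line in unfold_ldif(text):
        if line.lower().startswith("dn:"):
            in_entry = line[3:].strip().lower() == dn.lower()
        elif in_entry and line.lower().startswith(attr.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def check_nsssl3ciphers(value):
    """Split an nsSSL3Ciphers value into enabled/disabled names and warn about
    '+all': on 389-ds-base 1.2.11 (RHEL 6) it enables every available cipher
    and the '-' entries do not remove anything, as explained in the thread."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    enabled = [t[1:] for t in tokens if t.startswith("+")]
    disabled = [t[1:] for t in tokens if t.startswith("-")]
    warnings = []
    if "all" in enabled:
        warnings.append("'+all' present: on 389-ds-base 1.2.11 this enables all "
                        "ciphers; list the wanted ciphers explicitly instead")
    for name in enabled:
        if any(marker.lower() in name for marker in WEAK_MARKERS):
            warnings.append("weak cipher explicitly enabled: " + name)
    return {"enabled": enabled, "disabled": disabled, "warnings": warnings}


if __name__ == "__main__":
    print("weak suites offered:", weak_suites(NMAP_OUTPUT))
    value = ldif_attribute(DSE_LDIF, "cn=encryption,cn=config", "nsSSL3Ciphers")
    print("nsSSL3Ciphers report:", check_nsssl3ciphers(value))
```

Run it against a real scan by replacing NMAP_OUTPUT with the saved output of `nmap --script ssl-enum-ciphers -p 636 <host>` and DSE_LDIF with the server's dse.ldif; an empty weak list plus an nsSSL3Ciphers report with no warnings is the state the thread is trying to reach.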
From rmeggins at redhat.com Tue May 17 15:33:45 2016
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 17 May 2016 09:33:45 -0600
Subject: [Freeipa-users] How to determine cause/source of user lockout?
In-Reply-To: <573B281D.10907@redhat.com>
References: <573B281D.10907@redhat.com>
Message-ID:

On 05/17/2016 08:18 AM, Rob Crittenden wrote:
> John Duino wrote:
>> Is there a (relatively easy) way to determine what is causing a user account to be locked out? The admin account on our 'primary' ipa host is locked out frequently, but somewhat randomly; sometimes it will be less than 5 minutes it is available, and other times several hours.
>>
>> ipa user-status admin will show something like:
>> Failed logins: 6
>> Last successful authentication: 20160516214142Z
>> Last failed authentication: 20160516224718Z
>> Time now: 2016-05-16T22:52:00Z
>>
>> ipa user-unlock admin does unlock it.
>>
>> But parsing through the various logs on the affected host doesn't give me what I need to know, primarily, which host(s) are trying to access admin and causing it to lock.
>>
>> FreeIPA 4.2.0 on CentOS 7.2.1511
>
> I think you'd need to poke around in the KDC and 389-ds access log to find the auth attempts. I guess I'd look for PREAUTH_FAILED in /var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then correlate the conn value with a BIND to see who was authenticating.
For 389 you can use the logconv.pl tool

> rob

From abokovoy at redhat.com Tue May 17 15:36:26 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 17 May 2016 18:36:26 +0300
Subject: [Freeipa-users] win2012 r2 and trust type = realm
In-Reply-To: <1463497885.9501.19.camel@yahoo.co.uk>
References: <1463492797.9501.17.camel@yahoo.co.uk> <20160517141003.tnuwbcp7utp652el@redhat.com> <1463497885.9501.19.camel@yahoo.co.uk>
Message-ID: <20160517153626.zmvqzmchdslk3jlm@redhat.com>

On Tue, 17 May 2016, lejeczek wrote:
>On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
>> On Tue, 17 May 2016, lejeczek wrote:
>> > hi users/devs
>> >
>> > I've used wiki pages to set AD - IPA trust, and it always ends up being realm type of trust (@ AC DC end) whereas wiki shows forest type. What am I doing wrong?
>> Probably because you are choosing wrong type of trust on AD side.
>>
>> Remove any trust with the same name as IPA on AD side and try to create the trust using 'ipa trust-add' command, as described in the wiki or in the documentation.
>>
>but ipa trust-add renders one-way type of trust, at least here for me, is this correct?
>I go to AD DC and see only one-way trust.
By default 4.2+ does one-way forest trust, that's right. AD users can login to IPA-managed services, that's what is supported. Two-way trust can be established with --two-way=true option to 'ipa trust-add' but it does not mean you'll get ability to login to Windows machines as IPA user. This is not supported yet. One-way or two-way trust type right now is a technical detail on how trust operations are implemented.
--
/ Alexander Bokovoy

From stephen.berg.ctr at nrlssc.navy.mil Tue May 17 15:38:32 2016
From: stephen.berg.ctr at nrlssc.navy.mil (Stephen Berg (Contractor))
Date: Tue, 17 May 2016 10:38:32 -0500
Subject: [Freeipa-users] Read-only permission with no authentication
Message-ID:

I'm trying to set up an account that will only have read permissions to FreeIPA's user and host info to get some automated documentation tasks running. Basically I want to set up a cron job on a FreeIPA server that will read info using the ipa command line tools like "ipa user-find", "ipa user-show --all" and some of the host commands. After it reads that info I can handle it in perl to maintain some documentation requirements. But I don't want to be forced into saving a password anywhere along the way if I can avoid it.

Is there a way to set an account so it will be able to run those ipa commands in a read-only state but not have any authentication requirement?

--
Stephen Berg
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
stephen.berg.ctr at nrlssc.navy.mil

From abokovoy at redhat.com Tue May 17 16:02:37 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 17 May 2016 19:02:37 +0300
Subject: [Freeipa-users] Read-only permission with no authentication
In-Reply-To:
References:
Message-ID: <20160517160237.gk5bfxv736mbrlvn@redhat.com>

On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
>I'm trying to set up an account that will only have read permissions to FreeIPA's user and host info to get some automated documentation tasks running. Basically I want to set up a cron job on a FreeIPA server that will read info using the ipa command line tools like "ipa user-find", "ipa user-show --all" and some of the host commands. After it reads that info I can handle it in perl to maintain some documentation requirements.
>But I don't want to be forced into saving a password anywhere along the way if I can avoid it.
>
>Is there a way to set an account so it will be able to run those ipa commands in a read-only state but not have any authentication requirement?
No, it is not possible. On IPA server side all connections to the management framework are always authenticated.

You can use an approach described in https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ to obtain authentication token and get requests to the IPA server with that token. However, this implies you still need to authenticate first.

Another approach would be to create a service, obtain a keytab with a key for that service and run your 'ipa ...' calls with the Kerberos authentication based on that keytab. On reasonably recent systems you can use GSS-Proxy to make sure your script is not having direct access to the keytab and that would also make possible re-acquiring the ticket on your behalf by GSS-Proxy.

--
/ Alexander Bokovoy

From john+freeipa at themeyers.us Tue May 17 16:21:58 2016
From: john+freeipa at themeyers.us (John Meyers)
Date: Tue, 17 May 2016 12:21:58 -0400
Subject: [Freeipa-users] Unable to enumerate IPA users from AD side of 2-way trust due to kerberos error
Message-ID: <573B4526.7000102@themeyers.us>

All,

I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23) and AD (Windows 2012R2). The IPA side works perfectly and AD users can authenticate against IPA resources. However, when one tries to add an IPA user or group to a Windows permission set (e.g. an NTFS ACL or user right), Windows successfully obtains a Kerberos ticket for the IPA user but then fails when trying to obtain the LDAP principal of the IPA server.
KDC log follows:

krb5kdc[19373](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) adserver.addomain NEEDED_PREAUTH: admin@IPADOMAIN for krbtgt/IPADOMAIN@IPADOMAIN, Additional pre-authentication required
krb5kdc[19373](info): closing down fd 12
krb5kdc[19373](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) adserver.addomain: ISSUE: authtime 1463500682, etypes {rep=18 tkt=18 ses=18}, admin@IPADOMAIN for krbtgt/IPADOMAIN@IPADOMAIN

----> Great! We've successfully authenticated as our IPA admin user from Windows. But now the wheels come off the wagon.

krb5kdc[19373](info): closing down fd 12
krb5kdc[19373](info): TGS_REQ (5 etypes {18 17 23 24 -135}) adserver.addomain: LOOKING_UP_SERVER: authtime 0, admin@IPADOMAIN for ldap/ipaserver.ipadomain/ipadomain@IPADOMAIN, Server not found in Kerberos database
krb5kdc[19373](info): closing down fd 12

---> Oh oh! For some odd reason Windows is appending the lowercase '/ipadomain' to the kerberos request. ldap/ipaserver.ipadomain@IPADOMAIN exists as a principal, ldap/ipaserver.ipadomain/ipadomain@IPADOMAIN does not. Since we can't authenticate to LDAP, we can't resolve a user.

Help would be appreciated.

John

From abokovoy at redhat.com Tue May 17 16:31:56 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 17 May 2016 19:31:56 +0300
Subject: [Freeipa-users] Unable to enumerate IPA users from AD side of 2-way trust due to kerberos error
In-Reply-To: <573B4526.7000102@themeyers.us>
References: <573B4526.7000102@themeyers.us>
Message-ID: <20160517163156.nvnt3r2w7a2xy5qg@redhat.com>

On Tue, 17 May 2016, John Meyers wrote:
>All,
>
>I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23) and AD (Windows 2012R2). The IPA side works perfect and AD users can authenticate against IPA resources. However, when one tries to add an IPA user or group to a Windows permission set (e.g.
>an NTFS ACL or user right), Windows successfully obtains a Kerberos ticket for the IPA user but then fails when trying to obtain the LDAP principal of the IPA server. KDC logs follows:
The other leg is not supported. Read http://www.freeipa.org/page/V4/One-way_trust#Design for details.

--
/ Alexander Bokovoy

From rcritten at redhat.com Tue May 17 17:36:36 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 May 2016 13:36:36 -0400
Subject: [Freeipa-users] Read-only permission with no authentication
In-Reply-To: <20160517160237.gk5bfxv736mbrlvn@redhat.com>
References: <20160517160237.gk5bfxv736mbrlvn@redhat.com>
Message-ID: <573B56A4.9000003@redhat.com>

Alexander Bokovoy wrote:
> On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
>> I'm trying to set up an account that will only have read permissions to FreeIPA's user and host info to get some automated documentation tasks running. Basically I want to set up a cron job on a FreeIPA server that will read info using the ipa command line tools like "ipa user-find", "ipa user-show --all" and some of the host commands. After it reads that info I can handle it in perl to maintain some documentation requirements. But I don't want to be forced into saving a password anywhere along the way if I can avoid it.
>>
>> Is there a way to set an account so it will be able to run those ipa commands in a read-only state but not have any authentication requirement?
> No, it is not possible. On IPA server side all connections to the management framework are always authenticated.
>
> You can use an approach described in https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ to obtain authentication token and get requests to the IPA server with that token. However, this implies you still need to authenticate first.
>
> Another approach would be to create a service, obtain a keytab with a key for that service and run your 'ipa ...'
> calls with the Kerberos authentication based on that keytab. On reasonably recent systems you can use GSS-Proxy to make sure your script is not having direct access to the keytab and that would also make possible re-acquiring the ticket on your behalf by GSS-Proxy.

For users, depending on configuration, you can use an anonymous LDAP bind and skip the ipa tool. I'm pretty sure that hosts require an authenticated user to read the entries.

rob

From prasun.gera at gmail.com Tue May 17 19:11:42 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 17 May 2016 15:11:42 -0400
Subject: [Freeipa-users] How to determine cause/source of user lockout?
In-Reply-To:
References: <573B281D.10907@redhat.com>
Message-ID:

If it's the admin account, there would be a pretty good likelihood of bruteforce attempts if your server is on the internet. One option is to rename it to something else.

On 17 May 2016 11:36 a.m., "Rich Megginson" wrote:

> On 05/17/2016 08:18 AM, Rob Crittenden wrote:
>
>> John Duino wrote:
>>
>>> Is there a (relatively easy) way to determine what is causing a user account to be locked out? The admin account on our 'primary' ipa host is locked out frequently, but somewhat randomly; sometimes it will be less than 5 minutes it is available, and other times several hours.
>>>
>>> ipa user-status admin will show something like:
>>> Failed logins: 6
>>> Last successful authentication: 20160516214142Z
>>> Last failed authentication: 20160516224718Z
>>> Time now: 2016-05-16T22:52:00Z
>>>
>>> ipa user-unlock admin does unlock it.
>>>
>>> But parsing through the various logs on the affected host doesn't give me what I need to know, primarily, which host(s) are trying to access admin and causing it to lock.
>>>
>>> FreeIPA 4.2.0 on CentOS 7.2.1511
>>>
>>
>> I think you'd need to poke around in the KDC and 389-ds access log to find the auth attempts.
>> I guess I'd look for PREAUTH_FAILED in /var/log/krb5kdc.log and look for err=49 in the 389-ds logs and then correlate the conn value with a BIND to see who was authenticating.
>>
>
> For 389 you can use the logconv.pl tool
>
>> rob
>>

From datakid at gmail.com Tue May 17 22:35:14 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Wed, 18 May 2016 08:35:14 +1000
Subject: [Freeipa-users] HBAC access denied, all AD groups not detected
In-Reply-To: <20160517123459.GB3441@hendrix>
References: <20160517123459.GB3441@hendrix>
Message-ID:

Hmmm, I also now see

https://fedorahosted.org/sssd/ticket/2642
and
https://bugzilla.redhat.com/show_bug.cgi?id=1217127

Versions being run:

sssd-client-1.13.0-40.el7_2.4.x86_64
sssd-ad-1.13.0-40.el7_2.4.x86_64
sssd-proxy-1.13.0-40.el7_2.4.x86_64
sssd-1.13.0-40.el7_2.4.x86_64
sssd-common-1.13.0-40.el7_2.4.x86_64
sssd-common-pac-1.13.0-40.el7_2.4.x86_64
sssd-ipa-1.13.0-40.el7_2.4.x86_64
sssd-ldap-1.13.0-40.el7_2.4.x86_64
python-sssdconfig-1.13.0-40.el7_2.4.noarch
sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
sssd-krb5-1.13.0-40.el7_2.4.x86_64

ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 17 May 2016 at 22:34, Jakub Hrozek wrote:

> On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
> > FWIW,
> >
> > We are seeing the issues that are described here:
> >
> > https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
> >
> > I was about to write when I found this, it explains exactly what I am seeing - right down to the "impossible to reproduce because it's so (seemingly) random".
> >
> > I am about to read up on the SSSD trouble shooting in order to up the logs &etc, but here is some output I can share - note that this all happened in ~5 minutes. As you can see, clearing the cache has various unpredictable effects. Both users should return the same list of groups. This was performed on a FreeIPA client.
>
> There were some bugs related to external groups, what server and client packages version are you running?
>

From datakid at gmail.com Tue May 17 23:46:49 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Wed, 18 May 2016 09:46:49 +1000
Subject: [Freeipa-users] HBAC access denied, all AD groups not detected
In-Reply-To:
References: <20160517123459.GB3441@hendrix>
Message-ID:

It's worth noting that, in difference to the bug report:

1. We aren't making changes to the overrides. The overrides exist, they just aren't propagating evenly or consistently.
2. We are seeing these errors in the various logs:

sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)

krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8929]]]] [k5c_send_data] (0x0200): Received error code 0
krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8931]]]] [k5c_send_data] (0x0200): Received error code 1432158214

sssd_nss.log:Error: 3, 0, Account info lookup failed
sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Account info lookup failed
sssd_nss.log:Error: 3, 22, Account info lookup failed
sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 18 May 2016 at 08:35, Lachlan Musicman wrote:

> Hmmm, I also now see
>
> https://fedorahosted.org/sssd/ticket/2642
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1217127
>
> Versions being run:
>
> sssd-client-1.13.0-40.el7_2.4.x86_64
> sssd-ad-1.13.0-40.el7_2.4.x86_64
> sssd-proxy-1.13.0-40.el7_2.4.x86_64
> sssd-1.13.0-40.el7_2.4.x86_64
> sssd-common-1.13.0-40.el7_2.4.x86_64
> sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> sssd-ipa-1.13.0-40.el7_2.4.x86_64
> sssd-ldap-1.13.0-40.el7_2.4.x86_64
> python-sssdconfig-1.13.0-40.el7_2.4.noarch
> sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> sssd-krb5-1.13.0-40.el7_2.4.x86_64
>
> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> ------
> The most dangerous phrase in the language is, "We've always done it this way."
>
> - Grace Hopper
>
> On 17 May 2016 at 22:34, Jakub Hrozek wrote:
>
>> On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
>> > FWIW,
>> >
>> > We are seeing the issues that are described here:
>> >
>> > https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
>> >
>> > I was about to write when I found this, it explains exactly what I am seeing - right down to the "impossible to reproduce because it's so (seemingly) random".
>> >
>> > I am about to read up on the SSSD trouble shooting in order to up the logs &etc, but here is some output I can share - note that this all happened in ~5 minutes. As you can see, clearing the cache has various unpredictable effects. Both users should return the same list of groups. This was performed on a FreeIPA client.
>>
>> There were some bugs related to external groups, what server and client packages version are you running?
>>
From jhrozek at redhat.com Wed May 18 07:40:26 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 18 May 2016 09:40:26 +0200
Subject: [Freeipa-users] HBAC access denied, all AD groups not detected
In-Reply-To:
References: <20160517123459.GB3441@hendrix>
Message-ID: <20160518074026.GA23970@hendrix>

On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
> Hmmm, I also now see
>
> https://fedorahosted.org/sssd/ticket/2642
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1217127
>
> Versions being run:
>
> sssd-client-1.13.0-40.el7_2.4.x86_64
> sssd-ad-1.13.0-40.el7_2.4.x86_64
> sssd-proxy-1.13.0-40.el7_2.4.x86_64
> sssd-1.13.0-40.el7_2.4.x86_64
> sssd-common-1.13.0-40.el7_2.4.x86_64
> sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> sssd-ipa-1.13.0-40.el7_2.4.x86_64
> sssd-ldap-1.13.0-40.el7_2.4.x86_64
> python-sssdconfig-1.13.0-40.el7_2.4.noarch
> sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> sssd-krb5-1.13.0-40.el7_2.4.x86_64
>
> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64

The reason I asked about the server versions is https://bugzilla.redhat.com/show_bug.cgi?id=1304333

I'm not too familiar with how the centos versioning works, can you check if that bug is mentioned in the rpm changelog?

From jhrozek at redhat.com Wed May 18 07:41:51 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 18 May 2016 09:41:51 +0200
Subject: [Freeipa-users] HBAC access denied, all AD groups not detected
In-Reply-To:
References: <20160517123459.GB3441@hendrix>
Message-ID: <20160518074151.GB23970@hendrix>

On Wed, May 18, 2016 at 09:46:49AM +1000, Lachlan Musicman wrote:
> It's worth noting that, in difference to the bug report:
>
> 1. We aren't making changes to the overrides. The overrides exist, they just aren't propagating evenly or consistently.
> 2.
> We are seeing these errors in the various logs:
>
> sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
>
> krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8929]]]] [k5c_send_data] (0x0200): Received error code 0
> krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8931]]]] [k5c_send_data] (0x0200): Received error code 1432158214
>
> sssd_nss.log:Error: 3, 0, Account info lookup failed
> sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Account info lookup failed
> sssd_nss.log:Error: 3, 22, Account info lookup failed
> sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed

You need to look into the failures in the domain log that happened in the same time as these. Some failures are recoverable, in some other cases we're just reporting failure even if we just didn't match any entry (yes, that's a subtle bug we should fix).
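Jakub's advice above is to look at what the domain log recorded at the same time as the "Account info lookup failed" replies in sssd_nss.log, which is tedious by hand across several files. As an added example (not code from the thread or from the SSSD project), the Python below parses lines in the SSSD debug-log format shown above, "(timestamp) [process] [function] (level): message", optionally prefixed by the file name as grep prints it, indexes the domain log by time, and for each triggering nss entry returns the domain-log entries within a configurable window around it. The sample lines are constructed from the ones posted in the thread, with two extra constructed domain-log entries (one a second before the nss failure, one half an hour later) so the window has something to include and exclude.

```python
"""Correlate SSSD responder failures with domain-log entries logged at the
same time. Added example, not code from the thread or from SSSD; the sample
lines below are constructed from the ones posted, plus invented entries."""
import re
from datetime import datetime, timedelta

# SSSD debug-log line, optionally prefixed with "file.log:" as grep prints it:
# (Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [function] (0x0400): message
LINE_RE = re.compile(
    r"^(?:(?P<file>[^\s(:]+):)?"
    r"\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\) "
    r"\[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed: the sssd_nss.log lines from the thread. The bare "Error: ..."
# grep summaries carry no timestamp and are skipped by the parser.
NSS_LOG = """\
sssd_nss.log:Error: 3, 0, Account info lookup failed
sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Account info lookup failed
sssd_nss.log:Error: 3, 22, Account info lookup failed
sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
"""

# Constructed: the two sssd_DOMAIN.log lines from the thread plus two invented
# entries, one a second before the nss failure and one half an hour later.
DOMAIN_LOG = """\
sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
sssd_DOMAIN.log:(Wed May 18 09:01:03 2016) [sssd[be[DOMAIN]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
sssd_DOMAIN.log:(Wed May 18 09:30:00 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
"""


def parse_line(line):
    """Parse one SSSD log line into a dict, or return None for lines without
    a timestamp (grep summaries, continuation lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "file": m.group("file"),
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "process": m.group("proc"),
        "function": m.group("func"),
        "level": int(m.group("level"), 16),   # SSSD debug-level bitmask
        "message": m.group("msg"),
    }


def parse_log(text):
    """All parseable entries of a log, in file order."""
    return [entry for entry in map(parse_line, text.splitlines()) if entry]


def correlate(nss_entries, domain_entries, window_seconds=120,
              trigger="Account info lookup failed"):
    """For each nss entry whose message contains `trigger`, return the
    domain entries logged within +/- window_seconds of it, in time order."""
    delta = timedelta(seconds=window_seconds)
    ordered = sorted(domain_entries, key=lambda e: e["time"])
    pairs = []
    for nss in nss_entries:
        if trigger not in nss["message"]:
            continue
        related = [d for d in ordered if abs(d["time"] - nss["time"]) <= delta]
        pairs.append((nss, related))
    return pairs


if __name__ == "__main__":
    for nss, related in correlate(parse_log(NSS_LOG), parse_log(DOMAIN_LOG)):
        print(nss["time"], nss["function"], "->", nss["message"])
        for d in related:
            print("   ", d["time"], d["function"], d["message"])
```

On a real client, read sssd_nss.log and the sssd_<domain>.log into the two strings (the parser accepts lines with or without the grep file prefix) and widen or narrow window_seconds until the domain-log entries that explain the failed lookup stand out; the level field is kept so that a caller can also drop trace-level entries and keep only the failure levels when debug_level is high.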
From abokovoy at redhat.com Wed May 18 07:51:46 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 18 May 2016 10:51:46 +0300
Subject: [Freeipa-users] HBAC access denied, all AD groups not detected
In-Reply-To: <20160518074026.GA23970@hendrix>
References: <20160517123459.GB3441@hendrix> <20160518074026.GA23970@hendrix>
Message-ID: <20160518075146.xs2w4y6kdfhjdxus@redhat.com>

On Wed, 18 May 2016, Jakub Hrozek wrote:
>On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
>> Hmmm, I also now see
>>
>> https://fedorahosted.org/sssd/ticket/2642
>> and
>> https://bugzilla.redhat.com/show_bug.cgi?id=1217127
>>
>> Versions being run:
>>
>> sssd-client-1.13.0-40.el7_2.4.x86_64
>> sssd-ad-1.13.0-40.el7_2.4.x86_64
>> sssd-proxy-1.13.0-40.el7_2.4.x86_64
>> sssd-1.13.0-40.el7_2.4.x86_64
>> sssd-common-1.13.0-40.el7_2.4.x86_64
>> sssd-common-pac-1.13.0-40.el7_2.4.x86_64
>> sssd-ipa-1.13.0-40.el7_2.4.x86_64
>> sssd-ldap-1.13.0-40.el7_2.4.x86_64
>> python-sssdconfig-1.13.0-40.el7_2.4.noarch
>> sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
>> sssd-krb5-1.13.0-40.el7_2.4.x86_64
>>
>> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>The reason I asked about the server versions is
>https://bugzilla.redhat.com/show_bug.cgi?id=1304333
>
>I'm not too familiar with how the centos versioning works, can you check if that bug is mentioned in the rpm changelog?
No, these packages are not at the level where all known membership bugs were fixed. RHEL 7.2 build should be ipa-4.2.0-15.el7_2.15.
A corresponding CentOS build is already available in updates and it is ipa-4.2.0-15.el7.centos.15

--
/ Alexander Bokovoy

From lists at nerens.com Wed May 18 08:27:47 2016
From: lists at nerens.com (Marc Peiser)
Date: Wed, 18 May 2016 10:27:47 +0200
Subject: [Freeipa-users] Limiting directory listing for all users in self service
Message-ID:

Hi all,

We're busy rolling out freeipa internally and one thing we would like to limit is the ability for normal users to view all users in the directory via the self service portal. We only want the user to see their particular details. Is this possible?

Thanks,
Marc

From pspacek at redhat.com Wed May 18 08:44:05 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 18 May 2016 10:44:05 +0200
Subject: [Freeipa-users] Limiting directory listing for all users in self service
In-Reply-To:
References:
Message-ID: <23658b50-38c8-ccb1-975d-a19319ebd500@redhat.com>

On 18.5.2016 10:27, Marc Peiser wrote:
> Hi all,
>
> We're busy rolling out freeipa internally and one thing we would like to limit is the ability for normal users to view all users in the directory via the self service portal. We only want the user to see their particular details. Is this possible?

This could theoretically be done using ACI in LDAP but please see https://www.redhat.com/archives/freeipa-users/2016-March/msg00071.html for elaborate discussion. It would have significant consequences.

--
Petr^2 Spacek

From andrew.holway at gmail.com Wed May 18 09:13:52 2016
From: andrew.holway at gmail.com (Andrew Holway)
Date: Wed, 18 May 2016 11:13:52 +0200
Subject: [Freeipa-users] Reverse DNS
Message-ID:

Hello,

I see that our default installation of IdM is working quite well without rdns configured (it's on AWS). We're not doing anything complicated with it yet but is there anything that definitely will not work?
Cheers,

Andrew

From peljasz at yahoo.co.uk Wed May 18 09:32:49 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 18 May 2016 10:32:49 +0100
Subject: [Freeipa-users] a user delegated to control a OU and realmd join - how..
In-Reply-To: <1463491167.18643.71.camel@redhat.com>
References: <1462983423.4953.59.camel@yahoo.co.uk> <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009> <1463473675.9501.12.camel@yahoo.co.uk> <1463491167.18643.71.camel@redhat.com>
Message-ID: <1463563969.4267.5.camel@yahoo.co.uk>

On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
> On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > > .. if possible, would you know?
> > > > hi everybody,
> > > > I'm trying, and hoping it is possible to realm join an AD but is such a
> > > > way so I tap my IPA into specific OU within that AD.
> > >
> > > I'm not exactly sure what you mean here. Do you want to join a computer
> > > which is already a client in an IPA domain to AD as well? If this is the
> > > case I would recommend to consider the IPA trust feature. Joining 2
> > > domain is in general possible with SSSD but has to be done with very
> > > great care, e.g. by using different keytabs for each domain.
> > Can IPA domain establish a trust between win AD if IPA admin only has
> > admin control over an OU in win AD ?
>
> No, you need to be a Domain Admin with full privileges.

many thanks Simo,
when I try user who only has delegated admin/management over a OU I see:

Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials.

Would joining an IPA server to winAD with realmd be kind of one way trust?
Is it even possible(with no reasons against doing so) to join IPA server/domain to AD?
I mean I did that and I could get AD users IDs but there was some problem with krb5, config got messed up and daemon would not start.

> > I know very little about AD and only started with IPA - I don't suppose
> > control of OU delegated to a user makes that user AD admin.
>
> It doesn't.
>
> > I guess what I'm thinking, asking, is - what would be the correct
> > possible way to plug in, connect IPA domain to win AD when one has
> > admin control only over a OU in win AD?
>
> Not sure you can even do sync, there isn't really much you can do with
> those privileges, you are basically just allowed to administer a
> "group".
>
> Simo.

From abokovoy at redhat.com Wed May 18 09:49:10 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 18 May 2016 12:49:10 +0300
Subject: [Freeipa-users] a user delegated to control a OU and realmd join - how..
In-Reply-To: <1463563969.4267.5.camel@yahoo.co.uk>
References: <1462983423.4953.59.camel@yahoo.co.uk> <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009> <1463473675.9501.12.camel@yahoo.co.uk> <1463491167.18643.71.camel@redhat.com> <1463563969.4267.5.camel@yahoo.co.uk>
Message-ID: <20160518094910.ddwzwqueoknx74bp@redhat.com>

On Wed, 18 May 2016, lejeczek wrote:
>On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
>> On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
>> > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
>> > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
>> > > > .. if possible, would you know?
>> > > > hi everybody,
>> > > > I'm trying, and hoping it is possible to realm join an AD but is such a
>> > > > way so I tap my IPA into specific OU within that AD.
>> > >
>> > > I'm not exactly sure what you mean here.
>> > > Do you want to join a computer
>> > > which is already a client in an IPA domain to AD as well? If this is the
>> > > case I would recommend to consider the IPA trust feature. Joining 2
>> > > domain is in general possible with SSSD but has to be done with very
>> > > great care, e.g. by using different keytabs for each domain.
>> > Can IPA domain establish a trust between win AD if IPA admin only has
>> > admin control over an OU in win AD ?
>>
>> No, you need to be a Domain Admin with full privileges.
>many thanks Simo,
>when I try user who only has delegated admin/management over a OU I
>see:
>Active Directory domain administrator's password:
>ipa: ERROR: Insufficient access: CIFS server denied your credentials.

That's correct. You need to be a member of Domain Admins group of the
forest root domain or a member of Enterprise Admins group in the forest.

>Would joining an IPA server to winAD with realmd be kind of one way
>trust?

No, not at all. Trust != joining a machine to AD domain.

>Is it even possible(with no reasons against doing so) to join IPA
>server/domain to AD?

No. A machine in Active Directory can only be a member of a single
domain. It cannot be a servant of two masters.

>I mean I did that and I could get AD users IDs but there was some
>problem with krb5, config got messed up and daemon would not start.

If you like to enjoy broken configurations, it is up to you. There is
probably a reason why obvious things don't work. If you want to know
more about Active Directory, feel free to read specs at MSDN. Start with
MS-ADTS: https://msdn.microsoft.com/en-us/library/cc223122.aspx

-- 
/ Alexander Bokovoy

From rmj at ast.cam.ac.uk Wed May 18 10:08:49 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Wed, 18 May 2016 11:08:49 +0100
Subject: [Freeipa-users] Advice sought on monitoring freeipa status
Message-ID: <573C3F31.6020108@ast.cam.ac.uk>

Hi

I'm trying to set up some monitoring of our freeipa installation.
To start with, I'd like to know eg:

1) If replication stopped
2) Whether the ldap databases on replicas are inconsistent with each other.

We have RHEL7 freeipa servers and RHEL6 and RHEL7 clients, all with latest distribution packages.

I see a number of pages at www.ipa.org about monitoring freeipa in various ways, but I'm not sure any were actually implemented yet.

Then I found this:
https://github.com/peterpakos/ipa_check_consistency
which looks useful but seems to require a plain text password for a privileged ldap account to be embedded in a file, which is less than ideal.

So, I was wondering, as a stop gap, whether it's possible to control the server that the ipa commands talk to at the command line? One could then run a cron job to iterate through the servers and compare various outputs from ipa commands. However, the ipa man page suggests the ipa command will go for either the server explicitly set in /etc/ipa/default.conf or if unavailable use those set in the DNS _SRV_ records.

Maybe there is a better way to do this that I missed altogether?

Roderick Johnstone

From mbasti at redhat.com Wed May 18 10:16:53 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 18 May 2016 12:16:53 +0200
Subject: [Freeipa-users] Reverse DNS
In-Reply-To:
References:
Message-ID:

On 18.05.2016 11:13, Andrew Holway wrote:
> Hello,
>
> I see that our default installation of IdM is working quite well
> without rdns configured (its on AWS). We're not doing anything
> complicated with it yet but is there anything that definitely will not
> work?
>
> Cheers,
>
> Andrew
>
>
Hello,

IPA services and clients are able to work without reverse DNS

if you are using something else in environment, you must find out if reverse records are needed :)

Martin
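Roderick's cron-job idea above (iterate over the servers and compare what each one returns), written out as an added example; this is not code from the original thread, from FreeIPA or from ipa_check_consistency. It points plain ldapsearch at each replica explicitly with -H instead of relying on the ipa command's server selection, authenticates with GSSAPI from a keytab so no password has to be embedded in a file, and compares per-container entry counts. The server names, keytab path, principal, base DN and the sample LDIF are constructed assumptions.

```python
"""Compare entry counts across FreeIPA replicas without an embedded password.

Added example, not part of the original thread. Assumptions (not from the
page): replica names, keytab path, monitoring principal and base DN. The
monitoring account only needs read access to the containers it counts.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed values: replace with your own replicas, realm and base DN.
SERVERS = ["ipa1.example.test", "ipa2.example.test"]
BASE_DN = "dc=example,dc=test"
KEYTAB = "/etc/ipa/monitor.keytab"      # assumption: keytab of a read-only account
PRINCIPAL = "monitor@EXAMPLE.TEST"       # assumption: that account's principal

# Containers worth comparing: (label, RDN relative to BASE_DN, LDAP filter).
CHECKS = [
    ("users", "cn=users,cn=accounts", "(objectClass=posixAccount)"),
    ("groups", "cn=groups,cn=accounts", "(objectClass=ipausergroup)"),
    ("hosts", "cn=computers,cn=accounts", "(objectClass=ipaHost)"),
]

# Constructed sample of the trailer ldapsearch prints after a search.
SAMPLE_LDIF = (
    "# search result\nsearch: 4\nresult: 0 Success\n\n"
    "# numResponses: 43\n# numEntries: 42\n"
)

NUM_ENTRIES_RE = re.compile(r"^# numEntries:\s+(\d+)\s*$", re.MULTILINE)


def parse_num_entries(ldif: str) -> int:
    """Return N from the '# numEntries: N' trailer of ldapsearch output.

    When nothing matched, ldapsearch omits the trailer, so that case is 0.
    """
    match = NUM_ENTRIES_RE.search(ldif)
    return int(match.group(1)) if match else 0


def kinit_from_keytab(keytab: str, principal: str) -> None:
    """Obtain a TGT from the keytab; no password appears in any file or argv."""
    subprocess.run(["kinit", "-kt", keytab, principal], check=True)


def count_entries(server: str, base: str, ldap_filter: str) -> int:
    """Query one replica explicitly (-H) over GSSAPI and return its entry count.

    '1.1' requests no attributes, so only DNs cross the wire. -z 0 lifts the
    client-side limit; the server's own size limit for the account still applies.
    """
    cmd = ["ldapsearch", "-Y", "GSSAPI", "-Q", "-H", f"ldap://{server}",
           "-b", base, "-s", "sub", "-z", "0", ldap_filter, "1.1"]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    if proc.returncode != 0:
        raise RuntimeError(f"{server}: ldapsearch exit {proc.returncode}: "
                           f"{proc.stderr.strip()}")
    return parse_num_entries(proc.stdout)


def collect_counts(servers: List[str], checks, base_dn: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Gather counts per server and label; a failed query is recorded as None."""
    counts: Dict[str, Dict[str, Optional[int]]] = {}
    for server in servers:
        counts[server] = {}
        for label, rdn, ldap_filter in checks:
            try:
                counts[server][label] = count_entries(server, f"{rdn},{base_dn}", ldap_filter)
            except (RuntimeError, OSError, subprocess.TimeoutExpired):
                counts[server][label] = None  # unreachable replica: reported, not hidden
    return counts


def find_inconsistencies(counts: Dict[str, Dict[str, Optional[int]]]) -> List[str]:
    """Return one finding per label whose counts differ or whose query failed.

    A None is its own finding, so an unreachable replica is never mistaken
    for a consistent one.
    """
    findings: List[str] = []
    labels = sorted({label for per_server in counts.values() for label in per_server})
    for label in labels:
        values = {server: per_server.get(label) for server, per_server in counts.items()}
        failed = sorted(s for s, v in values.items() if v is None)
        if failed:
            findings.append(f"{label}: query failed on {', '.join(failed)}")
        good = {v for v in values.values() if v is not None}
        if len(good) > 1:
            detail = ", ".join(f"{s}={v}" for s, v in sorted(values.items()) if v is not None)
            findings.append(f"{label}: counts differ ({detail})")
    return findings


def main() -> int:
    kinit_from_keytab(KEYTAB, PRINCIPAL)
    findings = find_inconsistencies(collect_counts(SERVERS, CHECKS, BASE_DN))
    for line in findings:
        print(line)
    return 1 if findings else 0  # non-zero exit lets cron or a monitor alert on it


if __name__ == "__main__":
    raise SystemExit(main())
```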
From barrykfl at gmail.com Wed May 18 10:37:58 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 18 May 2016 18:37:58 +0800
Subject: [Freeipa-users] want to make new replicas but cert expire
Message-ID:

Hi:

I type ipa-replica-install server --ip 192.168.1.3

it show my cert expire n....where location I should input the cert ?

trusted by the user.)
preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked

thkx

From bentech4you at gmail.com Wed May 18 10:52:22 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 18 May 2016 13:52:22 +0300
Subject: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
In-Reply-To: <20160502110410.bupgyvoqegs54s6u@redhat.com>
References: <570CF37E.7000700@redhat.com> <572731C9.2020304@redhat.com> <20160502110410.bupgyvoqegs54s6u@redhat.com>
Message-ID:

HI All

again repo is down.

Regards,
Ben

On Mon, May 2, 2016 at 2:04 PM, Alexander Bokovoy wrote:
> On Mon, 02 May 2016, Ben .T.George wrote:
>
>> HI
>>
>> thanks
>>
>> yes now it's working and yesterday it was not.
>>
> COPR service SLA is weaker than primary Fedora repositories. Basically,
> we have no promise COPR would be available all the time.
>
> --
> / Alexander Bokovoy
>

From bentech4you at gmail.com Wed May 18 11:38:27 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 18 May 2016 14:38:27 +0300
Subject: [Freeipa-users] AD users home directory automount
Message-ID:

HI List,

Is it possible to mount home directories of AD authenticated users from external source(like san or fileshare)

Regards,
Ben
From sbose at redhat.com Wed May 18 12:40:42 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 18 May 2016 14:40:42 +0200
Subject: [Freeipa-users] a user delegated to control a OU and realmd join - how..
In-Reply-To:
References: <1462983423.4953.59.camel@yahoo.co.uk> <20160513131410.GD5249@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160518124042.GL12978@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Mon, May 16, 2016 at 09:34:28AM +0100, lejeczek wrote:
>
>
> On 13/05/16 14:14, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but is such a
> > > way so I tap my IPA into specific OU within that AD.
> > I'm not exactly sure what you mean here. Do you want to join a computer
> > which is already a client in an IPA domain to AD as well? If this is the
> > case I would recommend to consider the IPA trust feature. Joining 2
> > domain is in general possible with SSSD but has to be done with very
> > great care, e.g. by using different keytabs for each domain.
> >
> > > The thing is - I'm thinking it would make user access control ideal
> > > from the start as I need only users from that OU, but also because I'm
> > > only granted access to the user/group who has control over that OU.
> > > I'm trying that but I see:
> > >
> > > ! The computer account RIDER already exists, but is not in the desired
> > > organizational unit.
> > > adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> > > already exists,
> > Computer account names in AD must be unique even if they are added to
> > different OUs. So if there is already a computer called RIDER joined to
> > AD and it is not your computer you have to rename your computer to join.
> > If it is your computer and you want to create it in a different OU you
> > have to delete to old computer object first and then do a fresh join.
> hi Sumit, for me it did not work because of this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1258488

You might want to have a look at the test build at
http://koji.fedoraproject.org/koji/taskinfo?taskID=14148923
which includes a patch which should fix for bz1258488.

bye,
Sumit

> > HTH
> >
> > bye,
> > Sumit
> >
> > > ! Failed to join the domain
> > >
> > > I'm doing this:
> > > $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> > >
> > > and computer is in OU=private of ccc.bb.aa
> > > so is the user private-user
> > >
> > > many thanks.
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
>

From mrorourke at earthlink.net Wed May 18 13:00:33 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Wed, 18 May 2016 09:00:33 -0400 (EDT)
Subject: [Freeipa-users] AD users home directory automount
Message-ID: <12849668.1463576434373.JavaMail.wam@elwamui-hound.atl.sa.earthlink.net>

An HTML attachment was scrubbed...

From alexanders.mailinglists+nospam at gmail.com Wed May 18 13:13:58 2016
From: alexanders.mailinglists+nospam at gmail.com (Alexander Skwar)
Date: Wed, 18 May 2016 15:13:58 +0200
Subject: [Freeipa-users] LDAP access for user authentication?
In-Reply-To: <5733ACD4.7060601@redhat.com>
References: <5733ACD4.7060601@redhat.com>
Message-ID:

Hello Rob

2016-05-12 0:06 GMT+02:00 Rob Crittenden :
>
> Alexander Skwar wrote:
>> The WAF would then send username and password to FreeIPA (using LDAP)
>> and would need to get back, whether the combination was good or not.
>>
>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
>> know of some good howtos or links? Any gotchas, that we'd need to be
>> aware of?
>
>
> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP
>

I created the user uid=system as shown in the howto.
But my appliance is having issues (so to say). I'm getting errors like this one:

[...]
2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$] [RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT] [USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636' / cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636 / javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]'"
2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$] [RC:7f0100-4094-2016.05.18_1255.33.733-001] exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE] Invalid internal state! Reason: 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
        at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
        at com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
[...]

Important parts here:

- [USER_AUTH_FAILED_TECH]
- javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - Inappropriate Authentication]

I suppose, the "tech" user doesn't have the sufficient rights.

In the Howto, it says:

Note: IPA 4.0 is going to change the default stance on data from nearly everything is readable to nothing is readable, by default. You will eventually need to add some Access Control Instructions (ACI's) to grant read access to the parts of the LDAP tree you will need.

What would be good ACIs to grant read access to cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?
Thanks again,

Alexander

-- 
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar at gmail.com <==

From bentech4you at gmail.com Wed May 18 14:03:51 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 18 May 2016 17:03:51 +0300
Subject: [Freeipa-users] AD users home directory automount
In-Reply-To: <12849668.1463576434373.JavaMail.wam@elwamui-hound.atl.sa.earthlink.net>
References: <12849668.1463576434373.JavaMail.wam@elwamui-hound.atl.sa.earthlink.net>
Message-ID:

HI,

Thanks for the reply. actually i don't want to share from my Trusted AD. My san has cifs and NFS capability. in this case how can i proceed?

usually while installing client, i used to give below options

ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir --fixed-primary

so whenever user logged in, it creates home directory automatically under /home/DOMAIN/user.

regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke wrote:
> Yes, because you can point the automount maps to whatever device you
> want. NFSv4 might be more tricky to setup on a SAN device and may or may
> not work depending on the software/firmware of the device. NFSv3 is a well
> supported protocol across SAN vendors and you should not have any problems
> setting that up. I've used Openfiler on a white-box SAN with home dirs and
> automount maps which is working fine for us.
> I wonder if you could do some sort of CIFS home dir automount with a SAN
> that is joined to an AD domain which is trusted by FreeIPA? Seems like
> this would be feasible.
>
> -Mike
>
> -----Original Message-----
> From: "Ben .T.George"
> Sent: May 18, 2016 7:38 AM
> To: freeipa-users
> Subject: [Freeipa-users] AD users home directory automount
>
> HI List,
>
> Is it possible to mount home directories of AD authenticated users from
> external source(like san or fileshare)
>
> Regards,
> Ben
>

From jbaird at follett.com Wed May 18 14:10:08 2016
From: jbaird at follett.com (Baird, Josh)
Date: Wed, 18 May 2016 14:10:08 +0000
Subject: [Freeipa-users] AD users home directory automount
In-Reply-To:
References: <12849668.1463576434373.JavaMail.wam@elwamui-hound.atl.sa.earthlink.net>
Message-ID:

I would start by reading the documentation [1].

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/automount.html

Josh

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ben .T.George
Sent: Wednesday, May 18, 2016 10:04 AM
To: Michael ORourke
Cc: freeipa-users
Subject: Re: [Freeipa-users] AD users home directory automount

HI,

Thanks for the reply. actually i don't want to share from my Trusted AD. My san has cifs and NFS capability. in this case how can i proceed?

usually while installing client, i used to give below options

ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir --fixed-primary

so whenever user logged in, it creates home directory automatically under /home/DOMAIN/user.

regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke wrote:
Yes, because you can point the automount maps to whatever device you want.
NFSv4 might be more tricky to setup on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setting that up. I've used Openfiler on a white-box SAN with home dirs and automount maps which is working fine for us.
I wonder if you could do some sort of CIFS home dir automount with a SAN that is joined to an AD domain which is trusted by FreeIPA? Seems like this would be feasible.

-Mike

-----Original Message-----
From: "Ben .T.George"
Sent: May 18, 2016 7:38 AM
To: freeipa-users
Subject: [Freeipa-users] AD users home directory automount

HI List,

Is it possible to mount home directories of AD authenticated users from external source(like san or fileshare)

Regards,
Ben

From rcritten at redhat.com Wed May 18 14:21:46 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 May 2016 10:21:46 -0400
Subject: [Freeipa-users] LDAP access for user authentication?
In-Reply-To:
References: <5733ACD4.7060601@redhat.com>
Message-ID: <573C7A7A.4000003@redhat.com>

Alexander Skwar wrote:
> Hello Rob
>
> 2016-05-12 0:06 GMT+02:00 Rob Crittenden :
>>
>> Alexander Skwar wrote:
>
>>> The WAF would then send username and password to FreeIPA (using LDAP)
>>> and would need to get back, whether the combination was good or not.
>>>
>>> Is that scenario doable with FreeIPA and LDAP? Would anyone maybe even
>>> know of some good howtos or links? Any gotchas, that we'd need to be
>>> aware of?
>>
>>
>> Yes it's possible, see http://www.freeipa.org/page/HowTo/LDAP
>>
>
> I created the user uid=system as shown in the howto. But my appliance
> is having issues (so to say). I'm getting errors like this one:
>
> [...]
> 2016-05-18 14:55:35,003 +0200 ERROR [CC:Eoyfcf1mV9E$]
> [RC:7f0100-4094-2016.05.18_1255.33.733-001] audit:writeLog() - [AUDIT]
> [USER_AUTH_FAILED_TECH] user="ask" logmsg="Authentication failed due
> to a technical problem. Reason: '[SYSTEM] [ERR_INTERNAL_STATE] Invalid
> internal state! Reason:
> 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
> / cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636
> / javax.naming.AuthenticationNotSupportedException: [LDAP: error code
> 48 - Inappropriate Authentication]'"
> 2016-05-18 14:55:35,006 +0200 ERROR [CC:Eoyfcf1mV9E$]
> [RC:7f0100-4094-2016.05.18_1255.33.733-001]
> exception:logExceptionStackTrace() - [SYSTEM] [ERR_INTERNAL_STATE]
> Invalid internal state! Reason:
> 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
> com.usp.sls.toolkit.error.SLSException: [SYSTEM] [ERR_INTERNAL_STATE]
> Invalid internal state! Reason:
> 'cn=users,cn=accounts,dc=hydrus,dc=intern at ldaps://192.168.94.147:636'
> at com.usp.sls.ldap.adapter.LdapUtil.getSLSException(LdapUtil.java:410)
> at com.usp.sls.ldap.service.LDAPServiceWrapper.openContext(LDAPServiceWrapper.java:203)
> [...]
>
>
> Important parts here:
>
> - [USER_AUTH_FAILED_TECH]
> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code
> 48 - Inappropriate Authentication]
>
> I suppose, the "tech" user doesn't have the sufficient rights.

Is your user "tech?" It doesn't appear to be though this logging leaves
much to be desired.

LDAP err 48 means a bind was tried using a bad mechanism, like trying to
do a simple bind when stronger auth is required, for example. Or you try
to bind with a user that has no password.

What is confusing to me is that the DN doesn't include uid=system, so it
may be a configuration error on your part.

>
> In the Howto, it says:
>
> Note: IPA 4.0 is going to change the default stance on data from
> nearly everything is readable to nothing is readable, by default.
> You
> will eventually need to add some Access Control Instructions (ACI's)
> to grant read access to the parts of the LDAP tree you will need.
>
>
>
> What would be good ACIs to grant read access to
> cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?

This is not the problem.

rob

>
> Thanks again,
>
>
> Alexander
>

From alexanders.mailinglists+nospam at gmail.com Wed May 18 15:03:55 2016
From: alexanders.mailinglists+nospam at gmail.com (Alexander Skwar)
Date: Wed, 18 May 2016 17:03:55 +0200
Subject: [Freeipa-users] LDAP access for user authentication?
In-Reply-To: <573C7A7A.4000003@redhat.com>
References: <5733ACD4.7060601@redhat.com> <573C7A7A.4000003@redhat.com>
Message-ID:

Hello Rob

2016-05-18 16:21 GMT+02:00 Rob Crittenden :
> Alexander Skwar wrote:
>>
>> Hello Rob
>>
>> 2016-05-12 0:06 GMT+02:00 Rob Crittenden :
>>>
>>>
>>> Alexander Skwar wrote:

>> Important parts here:
>>
>> - [USER_AUTH_FAILED_TECH]
>> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code
>> 48 - Inappropriate Authentication]
>>
>> I suppose, the "tech" user doesn't have the sufficient rights.
>
>
> Is your user "tech?" It doesn't appear to be though this logging leaves much
> to be desired.

Well, according to the howto, I created a user with "DN: uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern". That's also what I configured as the "Technical user DN" in my appliance (uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern).

The password is correct. I double checked. On the IPA server, I can do:

local at bbva-auth01-prod ~ % ldapsearch -x -D uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern -W | head
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# computers, compat, hydrus.intern
dn: cn=computers,cn=compat,dc=hydrus,dc=intern
...

> LDAP err 48 means a bind was tried using a bad mechanism, like trying to do
> a simple bind when stronger auth is required, for example.
> Or you try to
> bind with a user that has no password.

Thanks.

> What is confusing to me is that the DN doesn't include uid=system, so it may
> be a configuration error on your part.

I bet that this will eventually be the reason :)

Hmm... Yes, that's indeed confusing. Playing a bit with the appliance, it was indeed a configuration error on my part. The Bind DN was set wrong.

After fixing this, everything is working :)

Thanks a lot, that was indeed a helpful hint!

>> What would be good ACIs to grant read access to
>> cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?
>
>
> This is not the problem.

And that was also quite helpful. I was looking there, and thus in the wrong direction.

Thanks again,

Alexander

-- 
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.skwar at gmail.com <==

From rcritten at redhat.com Wed May 18 15:10:32 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 May 2016 11:10:32 -0400
Subject: [Freeipa-users] LDAP access for user authentication?
In-Reply-To:
References: <5733ACD4.7060601@redhat.com> <573C7A7A.4000003@redhat.com>
Message-ID: <573C85E8.9060700@redhat.com>

Alexander Skwar wrote:
> Hello Rob
>
> 2016-05-18 16:21 GMT+02:00 Rob Crittenden :
>> Alexander Skwar wrote:
>>>
>>> Hello Rob
>>>
>>> 2016-05-12 0:06 GMT+02:00 Rob Crittenden :
>>>>
>>>>
>>>> Alexander Skwar wrote:
>
>>> Important parts here:
>>>
>>> - [USER_AUTH_FAILED_TECH]
>>> - javax.naming.AuthenticationNotSupportedException: [LDAP: error code
>>> 48 - Inappropriate Authentication]
>>>
>>> I suppose, the "tech" user doesn't have the sufficient rights.
>>
>>
>> Is your user "tech?" It doesn't appear to be though this logging leaves much
>> to be desired.
>
>
> Well, according to the howto, I created a user with "DN:
> uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern". That's also
> what I configured as the "Technical user DN" in my appliance
> (uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern).
>
> The password is correct. I double checked. On the IPA server, I can do:
>
> local at bbva-auth01-prod ~ % ldapsearch -x -D
> uid=system,cn=sysaccounts,cn=etc,dc=hydrus,dc=intern -W | head
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # computers, compat, hydrus.intern
> dn: cn=computers,cn=compat,dc=hydrus,dc=intern
> ...
>
>> LDAP err 48 means a bind was tried using a bad mechanism, like trying to do
>> a simple bind when stronger auth is required, for example. Or you try to
>> bind with a user that has no password.
>
> Thanks.
>
>> What is confusing to me is that the DN doesn't include uid=system, so it may
>> be a configuration error on your part.
>
> I bet that this will eventually be the reason :)
>
> Hmm... Yes, that's indeed confusing. Playing a bit with the appliance,
> it was indeed a configuration error on my part. The Bind DN was set
> wrong.
>
> After fixing this, everything is working :)
>
> Thanks a lot, that was indeed a helpful hint!
>
>
>>> What would be good ACIs to grant read access to
>>> cn=users,cn=accounts,dc=hydrus,dc=intern to this uid=system user?
>>
>>
>> This is not the problem.
>
> And that was also quite helpful. I was looking there, and thus in the
> wrong direction.
>
> Thanks again,

Cool, glad you got it working. If you wanted to share your experience in
the form of a HOWTO we can help make that happen.

rob

From rcritten at redhat.com Wed May 18 18:01:40 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 May 2016 14:01:40 -0400
Subject: [Freeipa-users] want to make new replicas but cert expire
In-Reply-To:
References:
Message-ID: <573CAE04.7080908@redhat.com>

barrykfl at gmail.com wrote:
> Hi:
>
> I type ipa-replica-install server --ip 192.168.1.3
>
> it show my cert expire n....where location I should input the cert ?
>
> trusted by the user.)
> preparation of replica failed: cannot connect to
> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
> marked

You need to sort out your expired certs before you can create a new master.

Why not just renew the GoDaddy certs?

rob

From john+freeipa at themeyers.us Wed May 18 21:19:10 2016
From: john+freeipa at themeyers.us (John Meyers)
Date: Wed, 18 May 2016 17:19:10 -0400
Subject: [Freeipa-users] How does one authenticate Windows login against IPA
Message-ID: <573CDC4E.10700@themeyers.us>

All,

FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-Way trusts are great, but they only work for kerberized applications, not native Windows rights (that would require FreeIPA to act as global catalog as I learned from Alexander). The winsync capability does not, as it turns out, sync native IPA users to AD.

The million dollar question is if you are 90% Linux shop and FreeIPA is your authoritative user repository (AD is a blank slate), how do you perform local Windows login authentication for the 10% of Windows machines against FreeIPA?

Thank you all!

John

From coy.hile at coyhile.com Wed May 18 22:03:08 2016
From: coy.hile at coyhile.com (Coy Hile)
Date: Wed, 18 May 2016 18:03:08 -0400
Subject: [Freeipa-users] How does one authenticate Windows login against IPA
In-Reply-To: <573CDC4E.10700@themeyers.us>
References: <573CDC4E.10700@themeyers.us>
Message-ID: <646363C4-A12C-4135-B3BF-A83CA0136A04@coyhile.com>

When I've done this in the past, I used mit directly, not IPA. I set up a one way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've setup the same one way trust testing with freeipa, but unfortunately I had to use kadmin.local to do it. I don't know that that's actually supported. Simo?
-c

Sent from my iPad

> On May 18, 2016, at 17:19, John Meyers wrote:
>
> All,
>
> FreeIPA as we've discovered has some wonderful Windows integration
> capability, but it is all predicated on Windows AD being the
> authoritative source of user information. 2-Way trusts are great, but
> they only work for kerberized applications, not native Windows rights
> (that would require FreeIPA to act as global catalog as I learned from
> Alexander). The winsync capability does not, as it turns out, sync
> native IPA users to AD.
>
> The million dollar question is if you are 90% Linux shop and FreeIPA is
> your authoritative user repository (AD is a blank slate), how do you
> perform local Windows login authentication for the 10% of Windows
> machines against FreeIPA?
>
> Thank you all!
>
> John
>

From john+freeipa at themeyers.us Wed May 18 22:26:55 2016
From: john+freeipa at themeyers.us (John Meyers)
Date: Wed, 18 May 2016 18:26:55 -0400
Subject: [Freeipa-users] How does one authenticate Windows login against IPA
In-Reply-To: <646363C4-A12C-4135-B3BF-A83CA0136A04@coyhile.com>
References: <573CDC4E.10700@themeyers.us> <646363C4-A12C-4135-B3BF-A83CA0136A04@coyhile.com>
Message-ID: <573CEC2F.4080105@themeyers.us>

Thanks. I've experimented with that as well with vanilla MIT kerberos (prior to using FreeIPA) and I agree it works just fine. However, the limitation I always found was that it is not practical to manually create the "shadow objects" and then keep them in sync. I was hoping the "winsync" feature would actually be able to handle that part of it, but it only seems to be able to deal with accounts that come from AD initially.

On 5/18/16 6:03 PM, Coy Hile wrote:
> When I've done this in the past, I used mit directly, not IPA.
I set up a one way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've setup the same one way trust testing with freeipa, but unfortunately I had to use kadmin.local to do it. I don't know that that's actually supported. Simo? > > -c > > Sent from my iPad > >> On May 18, 2016, at 17:19, John Meyers wrote: >> >> All, >> >> FreeIPA as we've discovered has some wonderful Windows integration >> capability, but it is all predicated on Windows AD being the >> authoritative source of user information. 2-Way trusts are great, but >> they only work for kerberotized applications, not native Windows rights >> (that would require FreeIPA to act as global catalog as I learned from >> Alexander). The winsync capability does not, as it turns out, sync >> native IPA users to AD. >> >> The million dollar question is if you are 90% Linux shop and FreeIPA is >> your authoritative user repository (AD is a blank slate), how do you >> perform local Windows login authentication for the 10% of Windows >> machines against FreeIPA? >> >> Thank you all! >> >> John From barrykfl at gmail.com Wed May 18 23:04:20 2016 From: barrykfl at gmail.com (barrykfl at gmail.com) Date: Thu, 19 May 2016 07:04:20 +0800 Subject: [Freeipa-users] want to make new replicas but cert expire In-Reply-To: <573CAE04.7080908@redhat.com> References: <573CAE04.7080908@redhat.com> Message-ID: Already changed to a new cert, no error prompt when starting the server. But using ipa-replica-install, the same error comes out. So I should be missing some folder not yet replaced. On 19 May 2016 at 2:01 PM, "Rob Crittenden" wrote: > barrykfl at gmail.com wrote: > >> Hi: >> >> I type ipa-replica-install server --ip 192.168.1.3 >> >> it show my cert expire n....where location I should input the cert ? >> >> trusted by the user.) 
>> preparation of replica failed: cannot connect to >> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno >> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been >> marked >> > > You need to sort out your expired certs before you can create a new master. > > Why not just renew the GoDaddy certs? > > rob > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Lachlan.Simpson at petermac.org Wed May 18 23:17:05 2016 From: Lachlan.Simpson at petermac.org (Simpson Lachlan) Date: Wed, 18 May 2016 23:17:05 +0000 Subject: [Freeipa-users] HBAC access denied, all AD groups not detected In-Reply-To: <20160518074026.GA23970@hendrix> References: <20160517123459.GB3441@hendrix> <20160518074026.GA23970@hendrix> Message-ID: <0137003026EBE54FBEC540C5600C03C435F4FD@PMC-EXMBX02.petermac.org.au> > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Jakub Hrozek > Sent: Wednesday, 18 May 2016 5:40 PM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected > > On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: > > Hmmm, I also now see > > > > https://fedorahosted.org/sssd/ticket/2642 > > and > > https://bugzilla.redhat.com/show_bug.cgi?id=1217127 > > > > Versions being run: > > > > sssd-client-1.13.0-40.el7_2.4.x86_64 > > sssd-ad-1.13.0-40.el7_2.4.x86_64 > > sssd-proxy-1.13.0-40.el7_2.4.x86_64 > > sssd-1.13.0-40.el7_2.4.x86_64 > > sssd-common-1.13.0-40.el7_2.4.x86_64 > > sssd-common-pac-1.13.0-40.el7_2.4.x86_64 > > sssd-ipa-1.13.0-40.el7_2.4.x86_64 > > sssd-ldap-1.13.0-40.el7_2.4.x86_64 > > python-sssdconfig-1.13.0-40.el7_2.4.noarch > > sssd-krb5-common-1.13.0-40.el7_2.4.x86_64 > > sssd-krb5-1.13.0-40.el7_2.4.x86_64 > > > > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64 > > The reason I asked about the server versions is > 
https://bugzilla.redhat.com/show_bug.cgi?id=1304333 > > I'm not too familiar with how the centos versioning works, can you check if that > bug is mentioned in the rpm changelog? "You are not authorized to access bug #1304333." :( This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt. From mrorourke at earthlink.net Wed May 18 23:49:10 2016 From: mrorourke at earthlink.net (Michael ORourke) Date: Wed, 18 May 2016 19:49:10 -0400 (GMT-04:00) Subject: [Freeipa-users] How does one authenticate Windows login against IPA Message-ID: <17180411.1463615351351.JavaMail.wam@elwamui-muscovy.atl.sa.earthlink.net> What about using the pGina project on the Windows side? Reference: http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/ -Mike -----Original Message----- >From: John Meyers >Sent: May 18, 2016 5:19 PM >To: freeipa-users at redhat.com >Subject: [Freeipa-users] How does one authenticate Windows login against IPA > >All, > >FreeIPA as we've discovered has some wonderful Windows integration >capability, but it is all predicated on Windows AD being the >authoritative source of user information. 
2-Way trusts are great, but >they only work for kerberotized applications, not native Windows rights >(that would require FreeIPA to act as global catalog as I learned from >Alexander). The winsync capability does not, as it turns out, sync >native IPA users to AD. > >The million dollar question is if you are 90% Linux shop and FreeIPA is >your authoritative user repository (AD is a blank slate), how do you >perform local Windows login authentication for the 10% of Windows >machines against FreeIPA? > >Thank you all! > >John From mrorourke at earthlink.net Thu May 19 00:55:02 2016 From: mrorourke at earthlink.net (Michael ORourke) Date: Wed, 18 May 2016 20:55:02 -0400 (EDT) Subject: [Freeipa-users] AD users home directory automount Message-ID: <21122711.1463619303433.JavaMail.wam@elwamui-muscovy.atl.sa.earthlink.net> From datakid at gmail.com Thu May 19 01:43:36 2016 From: datakid at gmail.com (Lachlan Musicman) Date: Thu, 19 May 2016 11:43:36 +1000 Subject: [Freeipa-users] AD group membership Message-ID: Hi, We seem to have some progress, after reading this blog post about sssd performance tuning. https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ So now we see that on the FreeIPA server, everything is stable and always produces the results we expect with regard to users and group membership. It's also a bit speedier, which is nice. Unfortunately, on the clients, we are still seeing groups "disappearing" occasionally. We found this thread from late last year that seemed to state exactly what we are seeing, although our sssd_pac.log is empty. I have just added debug_level = 7 to [pac] in sssd.conf on server and client. 
https://www.redhat.com/archives/freeipa-users/2015-December/msg00180.html Did anything come of this? Cheers L. ------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper From john+freeipa at themeyers.us Thu May 19 03:20:33 2016 From: john+freeipa at themeyers.us (John Meyers) Date: Wed, 18 May 2016 23:20:33 -0400 Subject: [Freeipa-users] How does one authenticate Windows login against IPA In-Reply-To: <17180411.1463615351351.JavaMail.wam@elwamui-muscovy.atl.sa.earthlink.net> References: <17180411.1463615351351.JavaMail.wam@elwamui-muscovy.atl.sa.earthlink.net> Message-ID: <573D3101.2000200@themeyers.us> Even if you get that to work, you are still stuck with the same issue discussed earlier in this thread -- you need to have a Windows account, either local or AD, to be able to login and grant rights against. pGina just handles the authentication part. The only way to do either a 1-way Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to AD (or Samba AD) to create the "shadow account"? Winsync will not do this. On 5/18/16 7:49 PM, Michael ORourke wrote: > What about using the pGina project on the Windows side? > > Reference: > http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/ > > -Mike > > -----Original Message----- >> From: John Meyers >> Sent: May 18, 2016 5:19 PM >> To: freeipa-users at redhat.com >> Subject: [Freeipa-users] How does one authenticate Windows login against IPA >> >> All, >> >> FreeIPA as we've discovered has some wonderful Windows integration >> capability, but it is all predicated on Windows AD being the >> authoritative source of user information. 2-Way trusts are great, but >> they only work for kerberotized applications, not native Windows rights >> (that would require FreeIPA to act as global catalog as I learned from >> Alexander). 
The winsync capability does not, as it turns out, sync >> native IPA users to AD. >> >> The million dollar question is if you are 90% Linux shop and FreeIPA is >> your authoritative user repository (AD is a blank slate), how do you >> perform local Windows login authentication for the 10% of Windows >> machines against FreeIPA? >> >> Thank you all! >> >> John >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project From abokovoy at redhat.com Thu May 19 06:07:04 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 19 May 2016 09:07:04 +0300 Subject: [Freeipa-users] AD group membership In-Reply-To: References: Message-ID: <20160519060704.ka7txevst6apzr6e@redhat.com> On Thu, 19 May 2016, Lachlan Musicman wrote: >Hi, > >We seem to have some progress, after reading this blog post about sssd >performance tuning. > >https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ > >So now we see that on the FreeIPA server, everything is stable and always >produces the results we expect with regard to users and group membership. >It's also a bit speedier, which is nice. > >Unfortunately, on the clients, we are still seeing groups "disappearing" >occasionally, You've been told in another thread to upgrade IPA and SSSD packages to what is in CentOS 7 updates. There was recently (May 12th) a release of RHEL 7.2.4 updates which CentOS already picked up. This release included fixes to incomplete group membership you mention. 
-- / Alexander Bokovoy From abokovoy at redhat.com Thu May 19 06:09:20 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 19 May 2016 09:09:20 +0300 Subject: [Freeipa-users] How does one authenticate Windows login against IPA In-Reply-To: <573CDC4E.10700@themeyers.us> References: <573CDC4E.10700@themeyers.us> Message-ID: <20160519060920.5vwyhawes7v3z2sm@redhat.com> On Wed, 18 May 2016, John Meyers wrote: >All, > >FreeIPA as we've discovered has some wonderful Windows integration >capability, but it is all predicated on Windows AD being the >authoritative source of user information. 2-Way trusts are great, but >they only work for kerberotized applications, not native Windows rights >(that would require FreeIPA to act as global catalog as I learned from >Alexander). The winsync capability does not, as it turns out, sync >native IPA users to AD. > >The million dollar question is if you are 90% Linux shop and FreeIPA is >your authoritative user repository (AD is a blank slate), how do you >perform local Windows login authentication for the 10% of Windows >machines against FreeIPA? As I said before, we currently don't have answer to this question. Development work still continues. Some people were able to do logins with 'REALM\Username' but then assigning permissions does not work anyway in Windows due to lack of GC support on IPA side. -- / Alexander Bokovoy From pgb205 at yahoo.com Thu May 19 06:10:48 2016 From: pgb205 at yahoo.com (pgb205) Date: Thu, 19 May 2016 06:10:48 +0000 (UTC) Subject: [Freeipa-users] Advise on the best way to configure the following References: <641892922.4764872.1463638248562.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <641892922.4764872.1463638248562.JavaMail.yahoo@mail.yahoo.com> We have: AD -> winsync -> FIPA1 <-> replica <-> FIPA2, etc. to multiple other replicas from FIPA1. What we want is to establish a separate set of FIPA replicas which would still have information from AD and yet would not 'pollute' the FIPA1/FIPA2 replicas above.
So far we have considered the following options:
1. Set up a new FIPA3 replica to grab its information from FIPA1. This didn't work, as the two-way trust would replicate 'bad' information from FIPA3 back to FIPA1/2.
2. One way trust between replicas. Somehow establish one way replication from FIPA1->FIPA3. 'Good' information gets to FIPA3, but new additions on FIPA3 won't make it back to the 'clean' environment. From reading posts on the list this is impossible?
3. Set up separate winsync 'channels' from AD directly to FIPA3, i.e. AD->winsync->FIPA3. The problem with this is that winsync of user accounts is possible, but password sync requires there to be only one point of contact between the AD domain and the FIPA domain. That is, all AD controllers contact one and only one FIPA controller using the passsync utility. So there is no way (if I understand correctly) to do: AD->sync->FIPA1 plus AD->sync->FIPA3.
If my understanding above is correct, what would be the correct way of setting up separate FIPA environments, sourced from the same AD domain, and to replicate both users and passwords? thanks From Lachlan.Simpson at petermac.org Thu May 19 06:26:13 2016 From: Lachlan.Simpson at petermac.org (Simpson Lachlan) Date: Thu, 19 May 2016 06:26:13 +0000 Subject: [Freeipa-users] AD group membership In-Reply-To: <20160519060704.ka7txevst6apzr6e@redhat.com> References: <20160519060704.ka7txevst6apzr6e@redhat.com> Message-ID: <0137003026EBE54FBEC540C5600C03C435F9D9@PMC-EXMBX02.petermac.org.au> > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Alexander Bokovoy > Sent: Thursday, 19 May 2016 4:07 PM > To: Lachlan Musicman > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD group membership > > On Thu, 19 May 2016, Lachlan Musicman wrote: > >Hi, > > > >We seem to have some progress, after reading this blog post about sssd > >performance tuning. 
> > > >https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-la > >rge-ipa-ad-trust-deployments/ > > > >So now we see that on the FreeIPA server, everything is stable and > >always produces the results we expect with regard to users and group > membership. > >It's also a bit speedier, which is nice. > > > >Unfortunately, on the clients, we are still seeing groups "disappearing" > >occasionally, > You've been told in another thread to upgrade IPA and SSSD packages to what is > in CentOS 7 updates. There was recently (May 12th) a release of RHEL 7.2.4 > updates which CentOS already picked up. This release included fixes to > incomplete group membership you mention. Yes - it seems to be working and stable, even post reboot. Thanks for your help. Cheers L. From datakid at gmail.com Thu May 19 06:33:45 2016 From: datakid at gmail.com (Lachlan Musicman) Date: Thu, 19 May 2016 16:33:45 +1000 Subject: [Freeipa-users] File user and group ownership listings... Message-ID: Now that groups are working as expected, we have noticed that when listing a directory the user and group now have full domain qualifiers. This doesn't look great. 
We've also noticed that we now need to chown :group@subdomain filename (with default_domain_suffix set). Is there a reason why when the group's name and ID is the same across both domains, it can't be considered the same group for file ownership reasons? cheers L. ------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper From abokovoy at redhat.com Thu May 19 07:11:46 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 19 May 2016 10:11:46 +0300 Subject: [Freeipa-users] File user and group ownership listings... In-Reply-To: References: Message-ID: <20160519071146.23f3lqly4653kjqw@redhat.com> On Thu, 19 May 2016, Lachlan Musicman wrote: >Now that groups are working as expected, we have noticed that when listing >a directory the user and group now have full domain qualifiers. > >This doesn't look great. We've also noticed that we now need to > >chown :group@subdomain filename > >(with default_domain_suffix set). > > >Is there a reason why when the group's name and ID is the same across both >domains, it can't be considered the same group for file ownership reasons? In POSIX systems user and group IDs are two different namespaces. We force so-called private groups to have the same ID as the user to simplify some of hard identity mapping problems between POSIX and Windows environments. In Windows world security identifier (SID) namespace is the same for all objects. 
-- / Alexander Bokovoy From jhrozek at redhat.com Thu May 19 07:11:50 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 19 May 2016 09:11:50 +0200 Subject: [Freeipa-users] HBAC access denied, all AD groups not detected In-Reply-To: <0137003026EBE54FBEC540C5600C03C435F4FD@PMC-EXMBX02.petermac.org.au> References: <20160517123459.GB3441@hendrix> <20160518074026.GA23970@hendrix> <0137003026EBE54FBEC540C5600C03C435F4FD@PMC-EXMBX02.petermac.org.au> Message-ID: <20160519071150.GA3960@hendrix> On Wed, May 18, 2016 at 11:17:05PM +0000, Simpson Lachlan wrote: > > -----Original Message----- > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > > bounces at redhat.com] On Behalf Of Jakub Hrozek > > Sent: Wednesday, 18 May 2016 5:40 PM > > To: freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected > > > > On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: > > > Hmmm, I also now see > > > > > > https://fedorahosted.org/sssd/ticket/2642 > > > and > > > https://bugzilla.redhat.com/show_bug.cgi?id=1217127 > > > > > > Versions being run: > > > > > > sssd-client-1.13.0-40.el7_2.4.x86_64 > > > sssd-ad-1.13.0-40.el7_2.4.x86_64 > > > sssd-proxy-1.13.0-40.el7_2.4.x86_64 > > > sssd-1.13.0-40.el7_2.4.x86_64 > > > sssd-common-1.13.0-40.el7_2.4.x86_64 > > > sssd-common-pac-1.13.0-40.el7_2.4.x86_64 > > > sssd-ipa-1.13.0-40.el7_2.4.x86_64 > > > sssd-ldap-1.13.0-40.el7_2.4.x86_64 > > > python-sssdconfig-1.13.0-40.el7_2.4.noarch > > > sssd-krb5-common-1.13.0-40.el7_2.4.x86_64 > > > sssd-krb5-1.13.0-40.el7_2.4.x86_64 > > > > > > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64 > > > > The reason I asked about the server versions is > > https://bugzilla.redhat.com/show_bug.cgi?id=1304333 > > > > I'm not too familiar with how the centos versioning works, can you check if that > > bug is mentioned in the rpm changelog? > > > "You are not authorized to access bug #1304333." 
:( Ah, sorry, there must have been some private customer information in the bugzilla. Here is the corresponding upstream ticket: https://fedorahosted.org/freeipa/ticket/5573 From jhrozek at redhat.com Thu May 19 07:22:28 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 19 May 2016 09:22:28 +0200 Subject: [Freeipa-users] File user and group ownership listings... In-Reply-To: References: Message-ID: <20160519072228.GB3960@hendrix> On Thu, May 19, 2016 at 04:33:45PM +1000, Lachlan Musicman wrote: > Now that groups are working as expected, we have noticed that when listing > a directory the user and group now have full domain qualifiers. > > This doesn't look great. We've also noticed that we now need to > > chown :group@subdomain filename This is something that will work in 7.3. There is currently a limitation in our cache that forces us to use fully-qualified names for users from trusted domains. 
From prashant at apigee.com Thu May 19 08:33:38 2016 From: prashant at apigee.com (Prashant Bapat) Date: Thu, 19 May 2016 14:03:38 +0530 Subject: [Freeipa-users] Advice sought on monitoring freeipa status In-Reply-To: <573C3F31.6020108@ast.cam.ac.uk> References: <573C3F31.6020108@ast.cam.ac.uk> Message-ID: For the replication issues please see http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html This has a perl script that you can use. As for the authentication of the user monitoring replication, we thought about it and ended up allowing anonymous reads on the replication status. Thus you don't store any user/password at all. In addition to this, we use Monit heavily. Its pretty flexible. --Prashant On 18 May 2016 at 15:38, Roderick Johnstone wrote: > Hi > > I'm trying to set up some monitoring of our freeipa installation. To start > with, I'd like to know eg: > > 1) If replication stopped > > 2) Whether the ldap datatbases on replicas are inconsistent with each > other. > > We have RHEL7 freeipa servers and RHEL6 and RHEL7 clients, all with latest > distribution packages. > > I see a number of pages at www.ipa.org about monitoring freeipa in > various ways, but I'm not sure any were actually implemented yet. > > Then I found this: https://github.com/peterpakos/ipa_check_consistency > which looks useful but seems to require a plain text password for a > privileged ldap account to be embedded in a file, which is less than ideal. > > So, I was wondering, as a stop gap, whether its possible to control the > server that the ipa commands talk to at the command line? > > One could then run a cron job to iterate through the servers and compare > various outputs from ipa commands. However, the ipa man page suggests the > ipa command will go for either the server explicitly set in > /etc/ipa/default.conf or if unavailable use those set in the DNS _SRV_ > records. > > Maybe there is a better way to do this that I missed altogether? 
> > Roderick Johnstone From barrykfl at gmail.com Thu May 19 08:35:35 2016 From: barrykfl at gmail.com (barrykfl at gmail.com) Date: Thu, 19 May 2016 16:35:35 +0800 Subject: [Freeipa-users] Renewal of new cert concept Message-ID: Hi: As stated in the guideline online... is /root/ipa.crt the server cert generated by the 3rd party CA? Or the CA cert itself that needs to pair with the server cert later? thx Give the CSR to your external CA and have them issue you a new certificate. We assume that the resulting certificate is saved into the /root/ipa.crt file. We also assume that the /root/external-ca.pem file contains the external CA certificate chain in the PEM format. The renewal needs to be done on the IdM CA designated for managing renewals. One way to identify the first-installed IdM server is to see if the value for subsystem.select is New: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html From mkosek at redhat.com Thu May 19 10:51:11 2016 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 19 May 2016 12:51:11 +0200 Subject: [Freeipa-users] Changing spec.page_length? In-Reply-To: References: Message-ID: <86bb3655-2ead-59d6-c9a5-7b74e87537cf@redhat.com> On 05/17/2016 01:54 AM, Jeffery Harrell wrote: > Is there a "soft" way to change the number of rows in tables like the hosts and > DNS records search facets? I think I'd happily trade a little interactivity when > going from one facet to another for the ability to see four or five times as > much information on a single screen at once. 
I get that I can write a JavaScript > mod that pokes into the individual tables and modifies spec.page_length, but is > there an easier way? A setting somewhere maybe? The source code suggests the > answer is no but I figured it couldn't hurt to ask. There is no such nice way in FreeIPA currently (as you have found out). The best you can do now is writing a UI plugin (as you have also found out). But you can sign up to the respective RFE and watch the progress or even provide patches if you are JavaScript savvy: https://fedorahosted.org/freeipa/ticket/5742 Martin From coy.hile at coyhile.com Thu May 19 11:12:14 2016 From: coy.hile at coyhile.com (Coy Hile) Date: Thu, 19 May 2016 07:12:14 -0400 Subject: [Freeipa-users] How does one authenticate Windows login against IPA In-Reply-To: <573D3101.2000200@themeyers.us> References: <17180411.1463615351351.JavaMail.wam@elwamui-muscovy.atl.sa.earthlink.net> <573D3101.2000200@themeyers.us> Message-ID: Right, you have some process that creates the shadow accounts with a random, unknown, unused pass. This assumes you have some workflow for provisioning rather than doing ad hoc ipa user add as a human. Sent from my iPad > On May 18, 2016, at 23:20, John Meyers wrote: > > Even if you get that to work, you are still stuck with same issue > discussed earlier in this thread -- you need to have a Windows account, > either local or AD, to be able to login and grant rights against. pGina > just handles the authentication part. The only way to do either a 1-way > Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to > AD (or Samba AD) to create the "shadow account"? Winsync will not do this. > > > >> On 5/18/16 7:49 PM, Michael ORourke wrote: >> What about using the pGina project on the Windows side? 
>> >> Reference: >> http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/ >> >> -Mike >> >> -----Original Message----- >>> From: John Meyers >>> Sent: May 18, 2016 5:19 PM >>> To: freeipa-users at redhat.com >>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA >>> >>> All, >>> >>> FreeIPA as we've discovered has some wonderful Windows integration >>> capability, but it is all predicated on Windows AD being the >>> authoritative source of user information. 2-Way trusts are great, but >>> they only work for kerberotized applications, not native Windows rights >>> (that would require FreeIPA to act as global catalog as I learned from >>> Alexander). The winsync capability does not, as it turns out, sync >>> native IPA users to AD. >>> >>> The million dollar question is if you are 90% Linux shop and FreeIPA is >>> your authoritative user repository (AD is a blank slate), how do you >>> perform local Windows login authentication for the 10% of Windows >>> machines against FreeIPA? >>> >>> Thank you all! 
>>> >>> John >>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From john+freeipa at themeyers.us Thu May 19 14:09:13 2016 From: john+freeipa at themeyers.us (John Meyers) Date: Thu, 19 May 2016 10:09:13 -0400 Subject: [Freeipa-users] How does one authenticate Windows login against IPA In-Reply-To: <646363C4-A12C-4135-B3BF-A83CA0136A04@coyhile.com> References: <573CDC4E.10700@themeyers.us> <646363C4-A12C-4135-B3BF-A83CA0136A04@coyhile.com> Message-ID: <573DC909.7040905@themeyers.us> (apologize for possible double post) Can you share the details of how you managed to this with FreeIPA (even if it includes kadmin.local work)? Many thanks! On 5/18/16 6:03 PM, Coy Hile wrote: > When I've done this in the past, I used mit directly, not IPA. I set up a one way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've setup the same one way trust testing with freeipa, but unfortunately I had to use kadmin.local to do it. I don't know that that's actually supported. Simo? > > -c > > Sent from my iPad > >> On May 18, 2016, at 17:19, John Meyers wrote: >> >> All, >> >> FreeIPA as we've discovered has some wonderful Windows integration >> capability, but it is all predicated on Windows AD being the >> authoritative source of user information. 2-Way trusts are great, but >> they only work for kerberotized applications, not native Windows rights >> (that would require FreeIPA to act as global catalog as I learned from >> Alexander). The winsync capability does not, as it turns out, sync >> native IPA users to AD. 
>> >> The million dollar question is if you are 90% Linux shop and FreeIPA is >> your authoritative user repository (AD is a blank slate), how do you >> perform local Windows login authentication for the 10% of Windows >> machines against FreeIPA? >> >> Thank you all! >> >> John From peljasz at yahoo.co.uk Thu May 19 14:12:14 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Thu, 19 May 2016 15:12:14 +0100 Subject: [Freeipa-users] authconfig vs ipa-client-install Message-ID: <7be0af49-5213-0a15-c541-f844b1abe871@yahoo.co.uk> hi everybody I'd like to ask how does what the ipa installation does to a box relate to authconfig? I am specifically thinking of the fact that authconfig does not indicate that IPAv2 is used, on a box which is an IPA member/client. Is it because it is for some older IPA, that "v2"? If yes, then should authconfig not reflect somehow that IPA is configured and used? many thanks. L. From mkosek at redhat.com Thu May 19 14:22:06 2016 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 19 May 2016 16:22:06 +0200 Subject: [Freeipa-users] authconfig vs ipa-client-install In-Reply-To: <7be0af49-5213-0a15-c541-f844b1abe871@yahoo.co.uk> References: <7be0af49-5213-0a15-c541-f844b1abe871@yahoo.co.uk> Message-ID: <8ce576ba-6204-c593-d7cb-831d59d9b056@redhat.com> On 05/19/2016 04:12 PM, lejeczek wrote: > hi everybody > > I'd like to ask how does what the ipa installation does to a box relate to > authconfig? > > I am specifically thinking of the fact that authconfig does not indicate that > IPAv2 is used, on a box which is an IPA member/client. > > Is it because it is for some older IPA, that "v2"? If yes, then should authconfig > not reflect somehow that IPA is configured and used? 
The IPAv2 related options in authconfig are rather outdated and will be removed in future (we are having all sorts of discussions about what to do with authconfig). Please simply use ipa-client-install if you are joining IPA. If you are joining AD, use realmd. If you are connecting to some other Identity system, you can use authconfig (and probably just enable SSSD) or edit PAM in the worst case. There is some information in this doc: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Authentication.html#configuring-auth-with-idm HTH, Martin From guillermo.fuentes at modernizingmedicine.com Thu May 19 15:43:53 2016 From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes) Date: Thu, 19 May 2016 11:43:53 -0400 Subject: [Freeipa-users] LDAP server failover via altServer attribute? Message-ID: Hello all, As OS X allows LDAP server failover via the altServer attribute (RFC4512) from RootDSE, it would be great to be able to configure our Macs to connect to a single FreeIPA server and add other FreeIPA servers as multiple altServer values. The current schema doesn't seem to support adding this attribute. Can this be done in a way I'm missing? Thanks in advance! GUILLERMO FUENTES SR. SYSTEMS ADMINISTRATOR 561-880-2998 x1337 guillermo.fuentes at modmed.com From peljasz at yahoo.co.uk Thu May 19 16:42:27 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Thu, 19 May 2016 17:42:27 +0100 Subject: [Freeipa-users] AD membership realmd way + samba? Message-ID: <05cef9a3-fbfa-99be-5a9a-ec807c732aa0@yahoo.co.uk> hi users/devs I've poked around the samba list but was suggested to ask sssd people; I thought IPA's might know as well. 
Having joined AD with realm - can samba take advantage of this membership? And if so then to what extent? many thanks, L. From erik at infochimps.com Thu May 19 22:18:43 2016 From: erik at infochimps.com (Erik Mackdanz) Date: Thu, 19 May 2016 17:18:43 -0500 Subject: [Freeipa-users] Mostly working trust, SSH failure Message-ID: Hello, I've set up a one-way trust to an Active Directory domain. Things seem to roughly work, but something's missing. Can any kind soul spot a problem with my configuration, or advise on how to further troubleshoot? Facts: - An AD user gets 'Access denied' when SSH'ing by password to the FreeIPA host. This is my concern. - This AD user has not been locked out. - getent passwd succeeds for the AD user - A FreeIPA user can successfully SSH by password to the same FreeIPA host. - That FreeIPA user can then successfully kinit as the AD user (the same AD user denied above) - HBAC is set to the default allow_all rule, which is enabled. Running the HBAC Test tool on the AD user confirms that they are authorized for sshd. This tells me something is awry in sssd.conf or sshd_config or pam.d or HBAC. Thanks, Erik I've got sssd debug to 9. 
Here's some output: (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutra l' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'deda9w1004.na.bazzlegroup.com' as 'name not resolved' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'deda9w1004.na.bazzlegroup.com' as 'neutral' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'deda9w1004.na.bazzlegrou p.com' as 'neutral' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutra l' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'usbe9w2003.na.bazzlegroup.com' as 'neutral' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'usbe9w2003.na.bazzlegrou p.com' as 'neutral' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD 
account (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdoma in is inactive. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158262,Account info lookup f ailed (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f3bf48f92c0 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_dispatch] (0x4000): Dispatching. 
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamH andler on path /org/freedesktop/sssd/dataprovider (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_req_set_domain] (0x0400): Changing request domain from [platform.schlitz] to [na.bazzlegroup.com] (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler] (0x0100): Got request with the following data (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): domain: na.bazzlegroup.com (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): user: MRFUN at na.bazzlegroup.com (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): service: sshd (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): tty: ssh (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): ruser: (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): rhost: 172.27.246.142 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): authtok type: 1 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): priv: 1 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): cli_pid: 9864 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [pam_print_data] (0x0100): logon name: not set (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [MRFUN at na.bazzlegroup.com] is empty, ru nning request [0x7f3bf4928fb0] 
immediately. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_setup] (0x4000): No mapping for: MRFUN at na.bazzlegroup.com (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf48ff0a0 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf498a870 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf48ff0a0 "ltdb_callback" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf498a870 "ltdb_timeout" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf48ff0a0 "ltdb_callback" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_server_status] (0x1000): Status of server 'ipafour.platform.schlitz' is 'working' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipafour.platform.schlitz' i s 'working' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [get_server_status] (0x1000): Status of server 'ipafour.platform.schlitz' is 'working' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_resolve_server_process] (0x0200): Found address for server ipafour.platform.schlitz: [172.30.8.119] TTL 7200 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipafour.platform.schlitz' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_resolve_done] (0x2000): Subdomain 
na.bazzlegroup.com is inactive, will proceed off line (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [9892] (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_handler_setup] (0x2000): Signal handler set up for pid [9892] (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_sig_handler] (0x1000): Waiting for child [9892]. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [child_sig_handler] (0x0100): child [9892] finished successfully. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [parse_krb5_child_response] (0x1000): child response [0][3][40]. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_WORKING. Called from: src/providers/ krb5/krb5_auth.c: krb5_auth_done: 1039 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipafour.platform.schlitz' as 'wo rking' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [set_server_common_status] (0x0100): Marking server 'ipafour.platform.schlitz' as 'workin g' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ipafour.platform.infochim ps' as 'working' (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:456139433] for user [MRFUN at na. bazzlegroup.com]. 
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf498c360 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf498c420 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf498c360 "ltdb_callback" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf498c420 "ltdb_timeout" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf498c360 "ltdb_callback" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f3bf498c130 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f3bf491f660 (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Running timer event 0x7f3bf498c130 "ltdb_callback" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Destroying timer event 0x7f3bf491f660 "ltdb_timeout" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): Ending timer event 0x7f3bf498c130 "ltdb_callback" (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sysdb_cache_auth] (0x4000): Offline credentials expiration is [0] days. 
(Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [check_failed_login_attempts] (0x4000): Failed login attempts [0], allowed failed login atte mpts [0], failed login delay [5]. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [sysdb_cache_auth] (0x0100): Cached credentials not available. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0) (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [check_wait_queue] (0x1000): Wait queue for user [MRFUN at na.bazzlegroup.com] is empty. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f3bf4928fb0] done. (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission de nied)] (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Sending result [6][na.bazzlegroup.com] (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_pam_handler_callback] (0x0100): Sent result [6][na.bazzlegroup.com] My sssd.conf: [domain/platform.schlitz] debug_level = 9 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = platform.schlitz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = ipafour.platform.schlitz chpass_provider = ipa ipa_server = ipafour.platform.schlitz ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt subdomains_provider = ipa [sssd] services = nss, sudo, pam, ssh, pac config_file_version = 2 debug_level = 9 domains = platform.schlitz [nss] memcache_timeout = 600 homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] sshd_config: HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key SyslogFacility AUTHPRIV PasswordAuthentication yes 
ChallengeResponseAuthentication yes GSSAPICleanupCredentials no X11Forwarding yes UsePrivilegeSeparation sandbox # Default for new installations. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS Subsystem sftp /usr/libexec/openssh/sftp-server KerberosAuthentication no PubkeyAuthentication yes UsePAM yes AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser nobody GSSAPIAuthentication yes /etc/pam.d/sshd auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare /etc/pam.d/password-auth: # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. 
auth required pam_env.so auth [default=1 success=ok] pam_localuser.so auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so From Lachlan.Simpson at petermac.org Thu May 19 22:54:34 2016 From: Lachlan.Simpson at petermac.org (Simpson Lachlan) Date: Thu, 19 May 2016 22:54:34 +0000 Subject: [Freeipa-users] File user and group ownership listings... In-Reply-To: <20160519072228.GB3960@hendrix> References: <20160519072228.GB3960@hendrix> Message-ID: <0137003026EBE54FBEC540C5600C03C435FB2E@PMC-EXMBX02.petermac.org.au> > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Jakub Hrozek > Sent: Thursday, 19 May 2016 5:22 PM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] File user and group ownership listings... > > On Thu, May 19, 2016 at 04:33:45PM +1000, Lachlan Musicman wrote: > > Now that groups are working as expected, we have noticed that when > > listing a directory the user and group now have full domain qualifiers. > > > > This doesn't look great. 
We've also noticed that we now need to > > > > chown :group at subdomain filename > > This is something that will work in 7.3. There is currently a limitation in our cache > that forces us to use fully-qualified names for users from trusted domains. Fantastic. Thanks for all the hard work! Cheers L. This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt. From Lachlan.Simpson at petermac.org Thu May 19 22:55:42 2016 From: Lachlan.Simpson at petermac.org (Simpson Lachlan) Date: Thu, 19 May 2016 22:55:42 +0000 Subject: [Freeipa-users] File user and group ownership listings... In-Reply-To: <20160519071146.23f3lqly4653kjqw@redhat.com> References: <20160519071146.23f3lqly4653kjqw@redhat.com> Message-ID: <0137003026EBE54FBEC540C5600C03C435FB3C@PMC-EXMBX02.petermac.org.au> > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Alexander Bokovoy > Sent: Thursday, 19 May 2016 5:12 PM > To: Lachlan Musicman > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] File user and group ownership listings... > > On Thu, 19 May 2016, Lachlan Musicman wrote: > >Now that groups are working as expected, we have noticed that when > >listing a directory the user and group now have full domain qualifiers. 
> > > >This doesn't look great. We've also noticed that we now need to > > > >chown :group at subdomain filename > > > >(with default_domain_suffix set). > > > > > >Is there a reason why when the group's name and ID is the same across > >both domains, it can't be considered the same group for file ownership reasons? > In POSIX systems user and group IDs are two different namespaces. We force > so-called private groups to have the same ID as the user to simplify some of hard > identity mapping problems between POSIX and Windows environments. In > Windows world security identifier (SID) namespace is the same for all objects. Ah, ok then. Thanks! Cheers L. This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt. From datakid at gmail.com Fri May 20 00:36:30 2016 From: datakid at gmail.com (Lachlan Musicman) Date: Fri, 20 May 2016 10:36:30 +1000 Subject: [Freeipa-users] SSSD, sudo and FQDNs Message-ID: Hola, We couldn't get sssd and sudo to work and discovered this on the SSSD troubleshooting page: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO#Knownissues Is this on the radar to be solved at all or is it unsolvable? Cheers L. ------ The most dangerous phrase in the language is, "We've always done it this way." 
- Grace Hopper -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Fri May 20 07:02:00 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 20 May 2016 09:02:00 +0200 Subject: [Freeipa-users] Mostly working trust, SSH failure In-Reply-To: References: Message-ID: <20160520070200.GA3384@hendrix> On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote: > Hello, > > I've set up a one-way trust to an Active Directory domain. Things > seem to roughly work, but something's missing. > > Can any kind soul spot a problem with my configuration, or advise on > how to further troubleshoot? > > Facts: > > - An AD user gets 'Access denied' when SSH'ing by password to the > FreeIPA host. This is my concern. > > - This AD user has not been locked out. > > - getent passwd succeeds for the AD user > > - A FreeIPA user can successfully SSH by password to the same FreeIPA > host. > > - That FreeIPA user can then successfully kinit as the AD user (the > same AD user denied above) > > - HBAC is set to the default allow_all rule, which is enabled. > Running the HBAC Test tool on the AD user confirms that they are > authorized for sshd. > > This tells me something is awry in sssd.conf or sshd_config or pam.d > or HBAC. > > Thanks, > Erik > > I've got sssd debug to 9. Here's some output: > > [...] > (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] > [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account > (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] > [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com > offline > (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] > [be_mark_subdom_offline] (0x4000): Subdomain already inactive > (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] Here it looks like sssd previously had issues connectying to AD and went offline. Can you search the logs a bit earlier for the first occurence of "Marking subdomain xxx as offline" ? 
Can you kinit as that user? From jhrozek at redhat.com Fri May 20 07:02:35 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 20 May 2016 09:02:35 +0200 Subject: [Freeipa-users] SSSD, sudo and FQDNs In-Reply-To: References: Message-ID: <20160520070235.GB3384@hendrix> On Fri, May 20, 2016 at 10:36:30AM +1000, Lachlan Musicman wrote: > Hola, > > We couldn't get sssd and sudo to work and discovered this on the SSSD > troubleshooting page: > > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO#Knownissues > > Is this on the radar to be solved at all or is it unsolvable? On the radar for 7.3. From sbose at redhat.com Fri May 20 07:52:33 2016 From: sbose at redhat.com (Sumit Bose) Date: Fri, 20 May 2016 09:52:33 +0200 Subject: [Freeipa-users] AD membership realmd way + samba? In-Reply-To: <05cef9a3-fbfa-99be-5a9a-ec807c732aa0@yahoo.co.uk> References: <05cef9a3-fbfa-99be-5a9a-ec807c732aa0@yahoo.co.uk> Message-ID: <20160520075233.GA27915@p.Speedport_W_724V_Typ_A_05011603_00_009> On Thu, May 19, 2016 at 05:42:27PM +0100, lejeczek wrote: > hi users/devs > > I've poked around samba list but was suggested to ask sssd people, I thought > IPA's might know as well. > > Having joined AD with realm - can samba take advantage of this membership? > And if so then to what extent? realmd can use different backends to join the AD domain Samba's net utility or adcli, this can be chosen with the --membership-software option. If you use net Samba should work out-of-the-box. adcli does not write the host keys into Samba's internal secrets.tdb and hence you might need some additional configuration on the Samba side, see the 'kerberos method' entry in the smb.conf man page for details. HTH bye, Sumit > > many thanks, > > L. 
> > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From harald.dunkel at aixigo.de Fri May 20 08:00:57 2016 From: harald.dunkel at aixigo.de (Harald Dunkel) Date: Fri, 20 May 2016 10:00:57 +0200 Subject: [Freeipa-users] ipa -v ping lies about the cert database In-Reply-To: <20160513124824.GC21625@10.4.128.1> References: <5710DB60.7070508@redhat.com> <57148953.1070904@redhat.com> <5714CE39.9030704@ubuntu.com> <15ebb4fd-49e1-da66-d0a1-94d13da4e60f@aixigo.de> <571F895F.3060108@ubuntu.com> <20160513124824.GC21625@10.4.128.1> Message-ID: <47f5588e-13f2-a55f-3488-e0e4d5910c89@aixigo.de> On 05/13/16 14:48, Lukas Slebodnik wrote: > You might see in ticket that planned milestone is "Future Releases" > that isn't any particular release (4.4.x ...) > > It basically mean that patches are welcome. > That's how it works in open source world. > > LS > Sorry, I got confused about the comment on https://bugzilla.redhat.com/show_bug.cgi?id=1296665. I thought the "Changing version to '24'." means it is supposed to be fixed for F24. This bug was reported >4 months ago. Regards Harri From mbasti at redhat.com Fri May 20 08:36:18 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 20 May 2016 10:36:18 +0200 Subject: [Freeipa-users] LDAP server failover via altServer attribute? In-Reply-To: References: Message-ID: <334bc017-4945-e11b-c5fc-18044d0ab02b@redhat.com> Hello, IPA uses SRV records for failover to another replica/LDAP. 
I don't know how it works on MACs, but in case that there is no possibility to use SRV, you may need to file a RFE ticket (https://fedorahosted.org/freeipa/newticket) Martin On 19.05.2016 17:43, Guillermo Fuentes wrote: > Hello all, > > As OS X allows LDAP server failover via the altServer attribute > (RFC4512) from RootDSE, it would be great to be able to configure our > Macs to connect to a single FreeIPA server and add other FreeIPA > servers as multiple altServer values. > The current schema doesn't seem to support adding this attribute. > Can this be done in a way I'm missing? > > Thanks in advance! > > GUILLERMO FUENTES > SR. SYSTEMS ADMINISTRATOR > > 561-880-2998 x1337 > > guillermo.fuentes at modmed.com > > > [ Modernizing Medicine ] > [ Facebook ] [ > LinkedIn ] [ > YouTube ] [ > Twitter ] [ Blog ] > [ Instagram ] > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri May 20 14:38:56 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 20 May 2016 10:38:56 -0400 Subject: [Freeipa-users] LDAP server failover via altServer attribute? In-Reply-To: <334bc017-4945-e11b-c5fc-18044d0ab02b@redhat.com> References: <334bc017-4945-e11b-c5fc-18044d0ab02b@redhat.com> Message-ID: <573F2180.5050107@redhat.com> Martin Basti wrote: > Hello, > > IPA uses SRV records for failover to another replica/LDAP. > > I don't know how it works on MACs, but in case that there is no > possibility to use SRV, you may need to file a RFE ticket > (https://fedorahosted.org/freeipa/newticket) Agreed, SRV records are the preferred mechanism. 
I was curious though so played with this a bit and it is possible to add altServer values: $ ldapmodify -x -D 'cn=directory manager' -W Enter LDAP Password: dn: changetype: modify add: altServer altServer: ldap://gyre.example.com modifying entry "" ^D $ ldapsearch -LLL -x -b "" -s base altServer dn: altServer: ldap://gyre.example.com My test rig is a single master so I don't know if this replicates or not. rob > > Martin > > > On 19.05.2016 17:43, Guillermo Fuentes wrote: >> Hello all, >> >> As OS X allows LDAP server failover via the altServer attribute >> (RFC4512) from RootDSE, it would be great to be able to configure our >> Macs to connect to a single FreeIPA server and add other FreeIPA >> servers as multiple altServer values. >> The current schema doesn't seem to support adding this attribute. >> Can this be done in a way I'm missing? >> >> Thanks in advance! >> >> GUILLERMO FUENTES >> SR. SYSTEMS ADMINISTRATOR >> >> 561-880-2998 x1337 >> >> guillermo.fuentes at modmed.com >> >> >> [ Modernizing Medicine ] >> [ Facebook ] [ >> LinkedIn ] [ >> YouTube ] [ >> Twitter ] [ Blog ] >> [ Instagram ] >> >> >> >> >> >> > > > From erik at infochimps.com Fri May 20 17:31:24 2016 From: erik at infochimps.com (Erik Mackdanz) Date: Fri, 20 May 2016 12:31:24 -0500 Subject: [Freeipa-users] Mostly working trust, SSH failure In-Reply-To: <20160520070200.GA3384@hendrix> References: <20160520070200.GA3384@hendrix> Message-ID: Thanks Jakub, Yes, the "marking subdomain ... inactive" portion is below. There are failures in resolving the Global Catalog via SRV, but what I've read says that should be okay because we fall back to the SID<->UID mapping. With dig, I can reproduce sssd's finding that those SRV records don't exist. Is the DNS failure as fatal as it appears? Yes, we can kinit AD users. We can also 'getent' AD users and groups (at least the group we authorized in our trust). Does it matter that the user we used to establish the trust was later demoted? 
(Was domain admin, now regular user).

Cheers,
Erik

[ipa_srv_ad_acct_retried] (0x0400): Sudomain re-set, will retry lookup
[be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutral'
[set_server_common_status] (0x0100): Marking server 'deda9w1004.na.bazzlegroup.com' as 'name not resolved'
[fo_set_port_status] (0x0100): Marking port 389 of server 'deda9w1004.na.bazzlegroup.com' as 'neutral'
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'deda9w1004.na.bazzlegroup.com' as 'neutral'
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutral'
[set_server_common_status] (0x0100): Marking server 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved'
[fo_set_port_status] (0x0100): Marking port 389 of server 'usbe9w2003.na.bazzlegroup.com' as 'neutral'
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
[ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'usbe9w2003.na.bazzlegroup.com' as 'neutral'
[ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
[sdap_id_op_connect_step] (0x4000): beginning to connect
[fo_resolve_service_send] (0x0100): Trying to resolve service 'gc_na.bazzlegroup.com'
[get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
[fo_resolve_service_send] (0x0020): No available servers for service 'gc_na.bazzlegroup.com'
[be_resolve_server_done] (0x1000): Server resolution failed: 5
[sdap_id_op_connect_done] (0x0400): Failed to connect to server, but ignore mark offline is enabled.
[sdap_id_op_connect_done] (0x4000): notify error to op #1: 5 [Input/output error]
[be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
[be_mark_subdom_offline] (0x1000): Marking subdomain na.bazzlegroup.com as inactive
[ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262
[sdap_id_op_destroy] (0x4000): releasing operation connection

On Fri, May 20, 2016 at 2:02 AM, Jakub Hrozek wrote:
> On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote:
>> Hello,
>>
>> I've set up a one-way trust to an Active Directory domain. Things seem to roughly work, but something's missing.
>>
>> Can any kind soul spot a problem with my configuration, or advise on how to further troubleshoot?
>>
>> Facts:
>>
>> - An AD user gets 'Access denied' when SSH'ing by password to the FreeIPA host. This is my concern.
>> - This AD user has not been locked out.
>> - getent passwd succeeds for the AD user
>> - A FreeIPA user can successfully SSH by password to the same FreeIPA host.
>> - That FreeIPA user can then successfully kinit as the AD user (the same AD user denied above)
>> - HBAC is set to the default allow_all rule, which is enabled. Running the HBAC Test tool on the AD user confirms that they are authorized for sshd.
>>
>> This tells me something is awry in sssd.conf or sshd_config or pam.d or HBAC.
>>
>> Thanks,
>> Erik
>>
>> I've got sssd debug to 9. Here's some output:
>>
>
> [...]
>
>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive
>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>
> Here it looks like sssd previously had issues connecting to AD and went offline. Can you search the logs a bit earlier for the first occurrence of "Marking subdomain xxx as offline"? Can you kinit as that user?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From guillermo.fuentes at modernizingmedicine.com Fri May 20 19:13:40 2016
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes)
Date: Fri, 20 May 2016 15:13:40 -0400
Subject: [Freeipa-users] LDAP server failover via altServer attribute?
In-Reply-To: <573F2180.5050107@redhat.com>
References: <334bc017-4945-e11b-c5fc-18044d0ab02b@redhat.com> <573F2180.5050107@redhat.com>
Message-ID:

SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = yes" and removing the KDC server ("kdc = xxx") entries from the /Library/Preferences/edu.mit.Kerberos config file does the trick.

For LDAP, although you can enable it, I can't see it documented anywhere so I'm assuming that isn't the recommended way for the Mac. This can be enabled by running this for the LDAP server you're using:

sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"

Adding the altServer values with the Directory Manager credentials worked and I'm happy to report that the failover on the Mac works great with FreeIPA!
As suggested by Rob, for three servers, on server ipa1:

$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn:
changetype: modify
add: altServer
altServer: ldap://ipa2.example.com
-
add: altServer
altServer: ldap://ipa3.example.com

modifying entry ""
^D

The altServer values didn't replicate so I had to add them to each of the FreeIPA servers.

Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute to look for replicas in case of failover:

sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"

And, voila! Highly available authentication with a FreeIPA cluster for the Mac!

Thanks so much for your help!
Guillermo

On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden wrote:
> Martin Basti wrote:
>> Hello,
>>
>> IPA uses SRV records for failover to another replica/LDAP.
>>
>> I don't know how it works on Macs, but in case there is no possibility to use SRV, you may need to file an RFE ticket (https://fedorahosted.org/freeipa/newticket)
>
> Agreed, SRV records are the preferred mechanism. I was curious though so played with this a bit and it is possible to add altServer values:
>
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://gyre.example.com
>
> modifying entry ""
> ^D
>
> $ ldapsearch -LLL -x -b "" -s base altServer
> dn:
> altServer: ldap://gyre.example.com
>
> My test rig is a single master so I don't know if this replicates or not.
>
> rob
>
>> Martin
>>
>> On 19.05.2016 17:43, Guillermo Fuentes wrote:
>>> Hello all,
>>>
>>> As OS X allows LDAP server failover via the altServer attribute (RFC4512) from RootDSE, it would be great to be able to configure our Macs to connect to a single FreeIPA server and add other FreeIPA servers as multiple altServer values.
>>> The current schema doesn't seem to support adding this attribute.
>>> Can this be done in a way I'm missing?
>>>
>>> Thanks in advance!
>>>
>>> GUILLERMO FUENTES
>>> SR. SYSTEMS ADMINISTRATOR
>>> 561-880-2998 x1337
>>> guillermo.fuentes at modmed.com

From razvan.vilt at me.com Fri May 20 19:45:32 2016
From: razvan.vilt at me.com ("Răzvan Corneliu C.R. VILT")
Date: Fri, 20 May 2016 22:45:32 +0300
Subject: [Freeipa-users] LDAP server failover via altServer attribute?
In-Reply-To:
References: <334bc017-4945-e11b-c5fc-18044d0ab02b@redhat.com> <573F2180.5050107@redhat.com>
Message-ID:

Hi guys,

Regarding the Macs, there are a few notes:

1) The template Kerberos setup can be pushed through LDAP (cn=KerberosClient and cn=KerberosKDC,cn=config)

2) The LDAP replicas can also be configured in cn=config and it is cached by OpenDirectory in the following format:

dn: cn=ldapreplicas, cn=config, dc=example, dc=com
objectClass: apple-configuration
apple-ldap-replica: ldap://192.168.1.1
apple-ldap-replica: ldap://192.168.2.2
apple-ldap-writable-replica: ldap://192.168.1.1
apple-ldap-writable-replica: ldap://192.168.2.2
apple-xml-plist: base64 encode of:
---------------------
GUID
01234567-89AB-CDEF-0123-456789ABCDEF
IPaddresses
192.168.1.1
10.0.0.1
PrimaryMaster
ipa-server.example.org
ReplicaName
Master
Replicas
ipa-bkserver.example.org
----------------------

3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.

If you do this manually instead of the OpenDirectory-compatible way, your machine doesn't create an account for itself in IPA so service access without login is not available, it doesn't download the root CA automatically and you don't get SSO out of the box.
> On 20 May 2016, at 22:13, Guillermo Fuentes wrote:
>
> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = yes" and removing the KDC server ("kdc = xxx") entries from the /Library/Preferences/edu.mit.Kerberos config file does the trick.
>
> For LDAP, although you can enable it, I can't see it documented anywhere so I'm assuming that isn't the recommended way for the Mac. This can be enabled by running this for the LDAP server you're using:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
>
> Adding the altServer values with the Directory Manager credentials worked and I'm happy to report that the failover on the Mac works great with FreeIPA!
>
> As suggested by Rob, for three servers, on server ipa1:
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://ipa2.example.com
> -
> add: altServer
> altServer: ldap://ipa3.example.com
>
> modifying entry ""
> ^D
>
> The altServer values didn't replicate so I had to add them to each of the FreeIPA servers.
>
> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute to look for replicas in case of failover:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
>
> And, voila! Highly available authentication with a FreeIPA cluster for the Mac!
>
> Thanks so much for your help!
> Guillermo
>
> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden wrote:
> Martin Basti wrote:
> Hello,
>
> IPA uses SRV records for failover to another replica/LDAP.
>
> I don't know how it works on Macs, but in case there is no possibility to use SRV, you may need to file an RFE ticket (https://fedorahosted.org/freeipa/newticket)
>
> Agreed, SRV records are the preferred mechanism. I was curious though so played with this a bit and it is possible to add altServer values:
>
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://gyre.example.com
>
> modifying entry ""
> ^D
>
> $ ldapsearch -LLL -x -b "" -s base altServer
> dn:
> altServer: ldap://gyre.example.com
>
> My test rig is a single master so I don't know if this replicates or not.
>
> rob
>
> Martin
>
> On 19.05.2016 17:43, Guillermo Fuentes wrote:
> Hello all,
>
> As OS X allows LDAP server failover via the altServer attribute (RFC4512) from RootDSE, it would be great to be able to configure our Macs to connect to a single FreeIPA server and add other FreeIPA servers as multiple altServer values.
> The current schema doesn't seem to support adding this attribute.
> Can this be done in a way I'm missing?
>
> Thanks in advance!
>
> GUILLERMO FUENTES
> SR. SYSTEMS ADMINISTRATOR
> 561-880-2998 x1337
> guillermo.fuentes at modmed.com

From kbass at kenbass.com Sat May 21 18:41:34 2016
From: kbass at kenbass.com (Ken Bass)
Date: Sat, 21 May 2016 14:41:34 -0400
Subject: [Freeipa-users] sudo 2FA not working
Message-ID: <5740ABDE.6000905@kenbass.com>

Hello,

I installed a brand new IPA server to a clean CentOS 7.2 and a brand new client to a clean CentOS 7.2 install. My main requirement for this is using 2FA. Seeing this was my main reason for trying IPA, so far the results are frustrating.

I cannot assign 2FA to the 'admin' user on the IPA server so I can perform admin.
Another issue is that even when I successfully log in with my 'test' user, I can run 'klist' and there is a ticket. But if I type 'kinit test' (same user I already have a ticket for), I see 'kinit: Generic preauthentication failure while getting initial credentials'.

And the main reason I am posting - sudo 2FA:

To test, I created a new usergroup called 'superusers'. And defined a sudo rule for 'ALL'. When I log in using a 2FA enabled account and type 'sudo -l' I get the loop of

-sh-4.2$ sudo -l
First Factor:
Sorry, try again.
First Factor:

It will not accept the correct password. If I disable 2FA for this user it works fine. Or if I add a '!authenticate' option to the rule it works. Obviously both solutions defeat the entire concept of using 2FA.

sudo_debug log shows:

May 21 13:56:33 sudo[5251] -> expand_prompt @ ./check.c:287
May 21 13:56:33 sudo[5251] <- expand_prompt @ ./check.c:398 := [sudo] password for test:
May 21 13:56:33 sudo[5251] -> verify_user @ ./auth/sudo_auth.c:193
May 21 13:56:33 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:56:33 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:56:33 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:56:33 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:56:33 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:56:33 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:56:33 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:56:33 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:56:33 sudo[5251] -> getln @ ./tgetpass.c:272
May 21 13:57:20 sudo[5251] <- getln @ ./tgetpass.c:315 := ********
May 21 13:57:20 sudo[5251] -> term_restore @ ./term.c:73
May 21 13:57:20 sudo[5251] <- term_restore @ ./term.c:82 := 1
May 21 13:57:20 sudo[5251] <- tgetpass @ ./tgetpass.c:202 := ********
May 21 13:57:20 sudo[5251] <- auth_getpass @ ./auth/sudo_auth.c:365 := ********
May 21 13:57:20 sudo[5251] <- converse @ ./auth/pam.c:387 := 19
May 21 13:57:20 sudo[5251] <- sudo_pam_verify @ ./auth/pam.c:177 := 1
May 21 13:57:20 sudo[5251] -> pass_warn @ ./auth/sudo_auth.c:331
May 21 13:57:20 sudo[5251] <- pass_warn @ ./auth/sudo_auth.c:339
May 21 13:57:20 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:57:21 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:57:21 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:57:21 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:57:21 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:57:21 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:57:21 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:57:21 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:57:21 sudo[5251] -> getln @ ./tgetpass.c:272

The expand_prompt is not the prompt I am seeing for the 2FA case, it is the 'First Factor:' prompt similar to a console login.

In the sssd log, I also see, before I am prompted for the 'First Factor:':

(Sat May 21 14:19:21 2016) [sssd[be[ [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Sat May 21 14:19:21 2016) [sssd[be[ [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

Every time I enter the password for the 'First Factor' prompt, I see an entry on the IPA server KDC with 'NEEDED_PREAUTH: test at ...'. I think that is normal, but I never see an eventual ticket issue like I do with console/ssh login.

Any suggestions/help on getting sudo with 2FA working?

Thanks,
Ken

From kbass at kenbass.com Sat May 21 19:07:17 2016
From: kbass at kenbass.com (Ken Bass)
Date: Sat, 21 May 2016 15:07:17 -0400
Subject: [Freeipa-users] sudo 2FA not working
In-Reply-To: <5740ABDE.6000905@kenbass.com>
References: <5740ABDE.6000905@kenbass.com>
Message-ID: <5740B1E5.2030603@kenbass.com>

Adding to my own question after doing some further research:

This appears to be a bug in SSSD.
https://bugzilla.redhat.com/show_bug.cgi?id=1276868
It was fixed via commit https://git.fedorahosted.org/cgit/sssd.git/commit/?id=4a01e6a6fd66e622b80739472a0aa06d1c79a6a9 on 3/14/2016.

I am wondering why this has yet to be released for CentOS 7.2? There have been two sssd updates since then, the latest 9 days ago, and it does not appear that it was included. I also wonder how something so basic could slip through the cracks? It would appear it has never worked. I understand weird / odd use case bugs, but this is out of the box clean install no modifications - simply turn on 2FA and test sudo.

On 05/21/2016 02:41 PM, Ken Bass wrote:
> And the main reason I am posting - sudo 2FA:
>
> To test, I created a new usergroup called 'superusers'. And defined a sudo rule for 'ALL'. When I log in using a 2FA enabled account and type 'sudo -l' I get the loop of
>
> -sh-4.2$ sudo -l
> First Factor:
> Sorry, try again.
> First Factor:
>
> It will not accept the correct password.

From lslebodn at redhat.com Sat May 21 19:33:28 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Sat, 21 May 2016 21:33:28 +0200
Subject: [Freeipa-users] sudo 2FA not working
In-Reply-To: <5740B1E5.2030603@kenbass.com>
References: <5740ABDE.6000905@kenbass.com> <5740B1E5.2030603@kenbass.com>
Message-ID: <20160521193327.GA11832@10.4.128.1>

On (21/05/16 15:07), Ken Bass wrote:
> Adding to my own question after doing some further research:
>
> This appears to be a bug in SSSD.
> https://bugzilla.redhat.com/show_bug.cgi?id=1276868
> It was fixed via commit https://git.fedorahosted.org/cgit/sssd.git/commit/?id=4a01e6a6fd66e622b80739472a0aa06d1c79a6a9 on 3/14/2016.
>
> I am wondering why this has yet to be released for CentOS 7.2? There have been two sssd updates since then, the latest 9 days ago, and it does not appear that it was included. I also wonder how something so basic could slip through the cracks? It would appear it has never worked.
> I understand weird / odd use case bugs, but this is out of the box clean install no modifications - simply turn on 2FA and test sudo.
>

If you have a Red Hat subscription then please open a case. Meanwhile, you can use the backported version from Fedora which contains the fix.
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/

LS

From jhrozek at redhat.com Sun May 22 11:48:28 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 22 May 2016 13:48:28 +0200
Subject: [Freeipa-users] Mostly working trust, SSH failure
In-Reply-To:
References: <20160520070200.GA3384@hendrix>
Message-ID: <431137CA-112B-4E2B-BEC2-546DC0FC7345@redhat.com>

> On 20 May 2016, at 19:31, Erik Mackdanz wrote:
>
> Thanks Jakub,
>
> Yes, the "marking subdomain ... inactive" portion is below.
>
> There are failures in resolving the Global Catalog via SRV, but what I've read says that should be okay because we fall back to the SID<->UID mapping. With dig, I can reproduce sssd's finding that those SRV records don't exist. Is the DNS failure as fatal as it appears?

Yes, I think that's the issue. I don't think we fall back to LDAP lookups. (btw we have a bug where we use the domain name, not the forest name for the GC lookups SRV query..)

>
> Yes, we can kinit AD users. We can also 'getent' AD users and groups (at least the group we authorized in our trust).
>
> Does it matter that the user we used to establish the trust was later demoted? (Was domain admin, now regular user).
>
> Cheers,
> Erik
>
> [ipa_srv_ad_acct_retried] (0x0400): Sudomain re-set, will retry lookup
> [be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com
> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutral'
> [set_server_common_status] (0x0100): Marking server 'deda9w1004.na.bazzlegroup.com' as 'name not resolved'
> [fo_set_port_status] (0x0100): Marking port 389 of server 'deda9w1004.na.bazzlegroup.com' as 'neutral'
> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
> [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'deda9w1004.na.bazzlegroup.com' as 'neutral'
> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'na.bazzlegroup.com' as 'neutral'
> [set_server_common_status] (0x0100): Marking server 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved'
> [fo_set_port_status] (0x0100): Marking port 389 of server 'usbe9w2003.na.bazzlegroup.com' as 'neutral'
> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
> [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'usbe9w2003.na.bazzlegroup.com' as 'neutral'
> [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
> [sdap_id_op_connect_step] (0x4000): beginning to connect
> [fo_resolve_service_send] (0x0100): Trying to resolve service 'gc_na.bazzlegroup.com'
> [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
> [fo_resolve_service_send] (0x0020): No available servers for service 'gc_na.bazzlegroup.com'
> [be_resolve_server_done] (0x1000): Server resolution failed: 5
> [sdap_id_op_connect_done] (0x0400): Failed to connect to server, but ignore mark offline is enabled.
> [sdap_id_op_connect_done] (0x4000): notify error to op #1: 5 [Input/output error]
> [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
> [be_mark_subdom_offline] (0x1000): Marking subdomain na.bazzlegroup.com as inactive
> [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
> [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262
> [sdap_id_op_destroy] (0x4000): releasing operation connection
>
> On Fri, May 20, 2016 at 2:02 AM, Jakub Hrozek wrote:
>> On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote:
>>> Hello,
>>>
>>> I've set up a one-way trust to an Active Directory domain. Things seem to roughly work, but something's missing.
>>>
>>> Can any kind soul spot a problem with my configuration, or advise on how to further troubleshoot?
>>>
>>> Facts:
>>>
>>> - An AD user gets 'Access denied' when SSH'ing by password to the FreeIPA host. This is my concern.
>>> - This AD user has not been locked out.
>>> - getent passwd succeeds for the AD user
>>> - A FreeIPA user can successfully SSH by password to the same FreeIPA host.
>>> - That FreeIPA user can then successfully kinit as the AD user (the same AD user denied above)
>>> - HBAC is set to the default allow_all rule, which is enabled. Running the HBAC Test tool on the AD user confirms that they are authorized for sshd.
>>>
>>> This tells me something is awry in sssd.conf or sshd_config or pam.d or HBAC.
>>>
>>> Thanks,
>>> Erik
>>>
>>> I've got sssd debug to 9. Here's some output:
>>>
>>
>> [...]
>>
>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]] [be_mark_subdom_offline] (0x4000): Subdomain already inactive
>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>
>> Here it looks like sssd previously had issues connecting to AD and went offline. Can you search the logs a bit earlier for the first occurrence of "Marking subdomain xxx as offline"? Can you kinit as that user?

From guillermo.fuentes at modernizingmedicine.com Sun May 22 18:31:07 2016
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes)
Date: Sun, 22 May 2016 14:31:07 -0400
Subject: [Freeipa-users] LDAP server failover via altServer attribute?
In-Reply-To:
References: <334bc017-4945-e11b-c5fc-18044d0ab02b@redhat.com> <573F2180.5050107@redhat.com>
Message-ID:

This is great info Răzvan. Thanks for sharing it!

We provision Macs by pushing configuration scripts via Munki. Can you point me to where I can find more documentation about this?

Thanks again,
Guillermo

On Fri, May 20, 2016 at 3:45 PM, "Răzvan Corneliu C.R. VILT" <razvan.vilt at me.com> wrote:
> Hi guys,
>
> Regarding the Macs, there are a few notes:
>
> 1) The template Kerberos setup can be pushed through LDAP (cn=KerberosClient and cn=KerberosKDC,cn=config)
> 2) The LDAP replicas can also be configured in cn=config and it is cached by OpenDirectory in the following format:
>
> dn: cn=ldapreplicas, cn=config, dc=example, dc=com
> objectClass: apple-configuration
> apple-ldap-replica: ldap://192.168.1.1
> apple-ldap-replica: ldap://192.168.2.2
> apple-ldap-writable-replica: ldap://192.168.1.1
> apple-ldap-writable-replica: ldap://192.168.2.2
> apple-xml-plist: base64 encode of:
> ---------------------
> GUID
> 01234567-89AB-CDEF-0123-456789ABCDEF
> IPaddresses
> 192.168.1.1
> 10.0.0.1
> PrimaryMaster
> ipa-server.example.org
> ReplicaName
> Master
> Replicas
> ipa-bkserver.example.org
> ----------------------
>
> 3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.
>
> If you do this manually instead of the OpenDirectory-compatible way, your machine doesn't create an account for itself in IPA so service access without login is not available, it doesn't download the root CA automatically and you don't get SSO out of the box.
>
> On 20 May 2016, at 22:13, Guillermo Fuentes <guillermo.fuentes at modernizingmedicine.com> wrote:
>
> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = yes" and removing the KDC server ("kdc = xxx") entries from the /Library/Preferences/edu.mit.Kerberos config file does the trick.
>
> For LDAP, although you can enable it, I can't see it documented anywhere so I'm assuming that isn't the recommended way for the Mac.
> This can be enabled by running this for the LDAP server you're using:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
>
> Adding the altServer values with the Directory Manager credentials worked and I'm happy to report that the failover on the Mac works great with FreeIPA!
>
> As suggested by Rob, for three servers, on server ipa1:
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://ipa2.example.com
> -
> add: altServer
> altServer: ldap://ipa3.example.com
>
> modifying entry ""
> ^D
>
> The altServer values didn't replicate so I had to add them to each of the FreeIPA servers.
>
> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute to look for replicas in case of failover:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
>
> And, voila! Highly available authentication with a FreeIPA cluster for the Mac!
>
> Thanks so much for your help!
> Guillermo
>
> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden wrote:
>> Martin Basti wrote:
>>> Hello,
>>>
>>> IPA uses SRV records for failover to another replica/LDAP.
>>>
>>> I don't know how it works on Macs, but in case there is no possibility to use SRV, you may need to file an RFE ticket (https://fedorahosted.org/freeipa/newticket)
>>
>> Agreed, SRV records are the preferred mechanism. I was curious though so played with this a bit and it is possible to add altServer values:
>>
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://gyre.example.com
>>
>> modifying entry ""
>> ^D
>>
>> $ ldapsearch -LLL -x -b "" -s base altServer
>> dn:
>> altServer: ldap://gyre.example.com
>>
>> My test rig is a single master so I don't know if this replicates or not.
>>
>> rob
>>
>>> Martin
>>>
>>> On 19.05.2016 17:43, Guillermo Fuentes wrote:
>>>> Hello all,
>>>>
>>>> As OS X allows LDAP server failover via the altServer attribute (RFC4512) from RootDSE, it would be great to be able to configure our Macs to connect to a single FreeIPA server and add other FreeIPA servers as multiple altServer values.
>>>> The current schema doesn't seem to support adding this attribute.
>>>> Can this be done in a way I'm missing?
>>>>
>>>> Thanks in advance!
>>>>
>>>> GUILLERMO FUENTES
>>>> SR. SYSTEMS ADMINISTRATOR
>>>> 561-880-2998 x1337
>>>> guillermo.fuentes at modmed.com

From razvan.vilt at me.com Mon May 23 08:24:50 2016
From: razvan.vilt at me.com ("Răzvan Corneliu C.R. VILT")
Date: Mon, 23 May 2016 11:24:50 +0300
Subject: [Freeipa-users] LDAP server failover via altServer attribute?
In-Reply-To:
References: <334bc017-4945-e11b-c5fc-18044d0ab02b@redhat.com> <573F2180.5050107@redhat.com>
Message-ID: <2A750C8C-CA83-440B-8D8B-65B3F4ABDA9E@me.com>

Hi Guillermo,

In February I published my findings for switching IPA into OpenDirectory-compatible mode. See: https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html

Start by reading that thread.
More recently, Stefan Zecevic picked this up and opened up some interesting test cases for the setup in this thread: https://www.redhat.com/archives/freeipa-users/2016-May/msg00310.html There's also a ticket for implementing these changes in IPA 4.4 . I'm willing to invest 4 hours per week into this if anyone else joins. I have VMware virtual machines for every x86 OS X release possible (from Tiger to El Capitan) and for historical reasons I also have a few PPC releases in QEMU format. I can host the VMs on a server but I need some help configuring the 389 directory server plugins to automatically generate the needed extra attributes (authAuthority and altSecurityIdentities). I personally think that cn=config should be also automatically generated. Cheers, R?zvan > On 22 mai 2016, at 21:31, Guillermo Fuentes wrote: > > This is great info Razvan. Thanks for sharing it! > We provision Macs by pushing configuration scripts via Munki. > Can you point me where I can find more documentation about this? > Thanks again, > Guillermo > > On Fri, May 20, 2016 at 3:45 PM, "R?zvan Corneliu C.R. 
VILT" wrote:
>
> Hi guys,
>
> Regarding the Macs, there are a few notes:
>
> 1) The template kerberos setup can be pushed through LDAP (cn=KerberosClient and cn=KerberosKDC,cn=config)
> 2) The LDAP replicas can be also configured in cn=config and it is cached by OpenDirectory in the following format:
>
> dn: cn=ldapreplicas, cn=config, dc=example, dc=com
> objectClass: apple-configuration
> apple-ldap-replica: ldap://192.168.1.1
> apple-ldap-replica: ldap://192.168.2.2
> apple-ldap-writable-replica: ldap://192.168.1.1
> apple-ldap-writable-replica: ldap://192.168.2.2
> apple-xml-plist: base64 encode of:
> ---------------------
> GUID
> 01234567-89AB-CDEF-0123-456789ABCDEF
> IPaddresses
> 192.168.1.1
> 10.0.0.1
> PrimaryMaster
> ipa-server.example.org
> ReplicaName
> Master
> Replicas
> ipa-bkserver.example.org
> ----------------------
>
> 3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.
>
> If you do this manually instead of OpenDirectory compatible way, your machine doesn't create an account for itself in IPA so service access without login are not available, it doesn't download the root CA automatically and you don't get SSO out of the box.
>
>> On 20 May 2016, at 22:13, Guillermo Fuentes wrote:
>>
>> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc = yes" and removing the KDC server ("kdc = xxx") entries from the /Library/Preferences/edu.mit.Kerberos config file does the trick.
>>
>> For LDAP, although you can enable it, I can't see it documented anywhere so I'm assuming that isn't the recommended way for the Mac.
>> This can be enabled by running this for the LDAP server you're using:
>> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
>>
>> Adding the altServer values with the Directory Manager credentials worked and I'm happy to report that the failover on the Mac works great with FreeIPA!
>>
>> As suggested by Rob, for three servers, on server ipa1:
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://ipa2.example.com
>> -
>> add: altServer
>> altServer: ldap://ipa3.example.com
>>
>> modifying entry ""
>> ^D
>>
>> The altServer values didn't replicate so I had to add them to each of the FreeIPA servers.
>>
>> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer attribute to look for replicas in case of failover:
>> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
>>
>> And, voila! Highly available authentication with a FreeIPA cluster for the Mac!
>>
>> Thanks so much for your help!
>> Guillermo
>>
>>
>> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden wrote:
>> Martin Basti wrote:
>> Hello,
>>
>> IPA uses SRV records for failover to another replica/LDAP.
>>
>> I don't know how it works on MACs, but in case that there is no
>> possibility to use SRV, you may need to file a RFE ticket
>> (https://fedorahosted.org/freeipa/newticket )
>>
>> Agreed, SRV records are the preferred mechanism. I was curious though so played with this a bit and it is possible to add altServer values:
>>
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://gyre.example.com
>>
>> modifying entry ""
>> ^D
>>
>> $ ldapsearch -LLL -x -b "" -s base altServer
>> dn:
>> altServer: ldap://gyre.example.com
>>
>> My test rig is a single master so I don't know if this replicates or not.
>> >> rob >> >> >> Martin >> >> >> On 19.05.2016 17:43, Guillermo Fuentes wrote: >> Hello all, >> >> As OS X allows LDAP server failover via the altServer attribute >> (RFC4512) from RootDSE, it would be great to be able to configure our >> Macs to connect to a single FreeIPA server and add other FreeIPA >> servers as multiple altServer values. >> The current schema doesn't seem to support adding this attribute. >> Can this be done in a way I'm missing? >> >> Thanks in advance! >> >> GUILLERMO FUENTES >> SR. SYSTEMS ADMINISTRATOR >> >> 561-880-2998 x1337 >> >> guillermo.fuentes at modmed.com > >> >> >> [ Modernizing Medicine ] > >> [ Facebook ] > [ >> LinkedIn ] > [ >> YouTube ] > [ >> Twitter ] > [ Blog ] >> > [ Instagram ] >> > >> >> >> >> >> >> >> >> >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From bentech4you at gmail.com Mon May 23 12:42:33 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Mon, 23 May 2016 15:42:33 +0300 Subject: [Freeipa-users] What id my AD domain user password not available Message-ID: Hi LIst, my Windows domain Admin is not giving domain admin user password. in this case how can i proceed ipa trust-add regards, Ben -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mbabinsk at redhat.com Mon May 23 13:13:35 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 23 May 2016 15:13:35 +0200 Subject: [Freeipa-users] What id my AD domain user password not available In-Reply-To: References: Message-ID: <1c0edb16-150b-bd57-a3d3-a53d5b55e43e@redhat.com> On 05/23/2016 02:42 PM, Ben .T.George wrote: > Hi LIst, > > my Windows domain Admin is not giving domain admin user password. > > in this case how can i proceed ipa trust-add > > regards, > Ben > > Hi Ben, You can ask your AD domain admin to create a shared secret for establishing trust. See the corresponding chapter in the guide for creating trusts[1] for more details. [1] http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available -- Martin^3 Babinsky From bentech4you at gmail.com Mon May 23 13:20:29 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Mon, 23 May 2016 16:20:29 +0300 Subject: [Freeipa-users] What id my AD domain user password not available In-Reply-To: <1c0edb16-150b-bd57-a3d3-a53d5b55e43e@redhat.com> References: <1c0edb16-150b-bd57-a3d3-a53d5b55e43e@redhat.com> Message-ID: Hi Thanks for your reply. I saw this before but the thing is i cant able to follow up this one as i am not completely getting those steps ipa trust-add --type=ad "ad_domain" --trust-secret Is asking for key and what i need to gave ? And the shown gif screens and current AD windows are different for me. Regards Ben On 23 May 2016 16:13, "Martin Babinsky" wrote: > On 05/23/2016 02:42 PM, Ben .T.George wrote: > >> Hi LIst, >> >> my Windows domain Admin is not giving domain admin user password. >> >> in this case how can i proceed ipa trust-add >> >> regards, >> Ben >> >> >> > Hi Ben, > > You can ask your AD domain admin to create a shared secret for > establishing trust. See the corresponding chapter in the guide for creating > trusts[1] for more details. 
> > [1] > http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available > > -- > Martin^3 Babinsky > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mrorourke at earthlink.net Mon May 23 13:22:17 2016 From: mrorourke at earthlink.net (Michael ORourke) Date: Mon, 23 May 2016 09:22:17 -0400 (GMT-04:00) Subject: [Freeipa-users] What id my AD domain user password not available Message-ID: <25397150.1464009738833.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net> An HTML attachment was scrubbed... URL: From bentech4you at gmail.com Mon May 23 14:07:11 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Mon, 23 May 2016 17:07:11 +0300 Subject: [Freeipa-users] What id my AD domain user password not available In-Reply-To: <25397150.1464009738833.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net> References: <25397150.1464009738833.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net> Message-ID: HI He is local only but he is asking so many questions. first of all he is refusing to give domain admin users password . questions he is asking is: Is this trust relationship is two directional? If, yes why IPA require two directional trust? can we build this trust one directional? can we achieve this with normal domain user? and hs is opposing to enter password in command line and i was going though the rust using a pre-shared key and its too hard for me to understand as i have no windows experience regards, Ben On Mon, May 23, 2016 at 4:22 PM, Michael ORourke wrote: > A couple of ways to go about this. If he is local to you, you could > explain that you need to establish a trust with his domain and you need his > assistance for a few minutes while you type the command to join, then have > him type in the password. You need to assure that the DNS forward/stub > zones are setup and working too. 
If he is remote, you could use some > screen share software and share out your desktop and walk him through the > part where he has to type the admin password. There is also a way to > create a trust using a pre-shared key. That may be more acceptable to > him. > > -Mike > > -----Original Message----- > From: "Ben .T.George" > Sent: May 23, 2016 8:42 AM > To: freeipa-users > Subject: [Freeipa-users] What id my AD domain user password not available > > Hi LIst, > > my Windows domain Admin is not giving domain admin user password. > > in this case how can i proceed ipa trust-add > > regards, > Ben > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mrorourke at earthlink.net Mon May 23 14:31:07 2016 From: mrorourke at earthlink.net (Michael ORourke) Date: Mon, 23 May 2016 10:31:07 -0400 (GMT-04:00) Subject: [Freeipa-users] What id my AD domain user password not available Message-ID: <33533537.1464013868206.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net> An HTML attachment was scrubbed... URL: From bentech4you at gmail.com Mon May 23 14:44:29 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Mon, 23 May 2016 17:44:29 +0300 Subject: [Freeipa-users] What id my AD domain user password not available In-Reply-To: <33533537.1464013868206.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net> References: <33533537.1464013868206.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net> Message-ID: HI yea that GIf screen i shared with him. but that doesn't show how to take shared key. In my case DNS is handled by 3rd party appliances and from their side they created A record for my IPA server. bth forward and reverse is working is this forwader is mandatory thing from DNS side? 
Regards, ben On Mon, May 23, 2016 at 5:31 PM, Michael ORourke wrote: > Actually one of his questions doesn't make sense, because last I checked, > normal domain users do not have permissions to create a forest trust. > I believe the default is a one-way trust, so maybe his concerns about the > bi-directional trust is really a non-issue. > If he refuses to type in the admin password in a linux console session > (extreme paranoia?), then perhaps you could give him a link to the tutorial > on using a pre-shared key and have him setup the AD side and give you the > key. You don't have to be a Windows expert to do this, just ask your > domain admin to do the steps for you. Also, you will need to setup a > separate DNS zone and some forwarding rules. Otherwise you are going to > have problems. > > -Mike > > > -----Original Message----- > From: "Ben .T.George" > Sent: May 23, 2016 10:07 AM > To: Michael ORourke > Cc: freeipa-users > Subject: Re: [Freeipa-users] What id my AD domain user password not > available > > HI > > He is local only but he is asking so many questions. > > first of all he is refusing to give domain admin users password . > > questions he is asking is: > > Is this trust relationship is two directional? If, yes why IPA require two > directional trust? > can we build this trust one directional? > can we achieve this with normal domain user? > > and hs is opposing to enter password in command line and i was going > though the rust using a pre-shared key and its too hard for me to > understand as i have no windows experience > > regards, > Ben > > On Mon, May 23, 2016 at 4:22 PM, Michael ORourke > wrote: > >> A couple of ways to go about this. If he is local to you, you could >> explain that you need to establish a trust with his domain and you need his >> assistance for a few minutes while you type the command to join, then have >> him type in the password. You need to assure that the DNS forward/stub >> zones are setup and working too. 
If he is remote, you could use some >> screen share software and share out your desktop and walk him through the >> part where he has to type the admin password. There is also a way to >> create a trust using a pre-shared key. That may be more acceptable to >> him. >> >> -Mike >> >> -----Original Message----- >> From: "Ben .T.George" >> Sent: May 23, 2016 8:42 AM >> To: freeipa-users >> Subject: [Freeipa-users] What id my AD domain user password not available >> >> Hi LIst, >> >> my Windows domain Admin is not giving domain admin user password. >> >> in this case how can i proceed ipa trust-add >> >> regards, >> Ben >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From arthur at deus.pro Mon May 23 15:06:55 2016 From: arthur at deus.pro (Arthur Fayzullin) Date: Mon, 23 May 2016 20:06:55 +0500 Subject: [Freeipa-users] question about automount config Message-ID: <552e1d8a-1e60-26aa-19eb-a0f02fa6b3bf@deus.pro> Good day, colleagues! I am confused about how automount work and howto configure it. I have tried to configure it according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html document (paragraph 9.1.1 and chapter 20). I have tried to make it work on 3 servers: 1. ipa server; 2. nfs server (node00); 3. nfs client (postgres). 
*** so here is how it is configured on the ipa server:

$ ipa automountlocation-tofiles amantai
/etc/auto.master:
/-	/etc/auto.direct
/home	/etc/auto.home
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.home:
*	-sec=kr5i,rw,fstype=nfs4	node00.glavsn.ab:/home/&

maps not connected to /etc/auto.master:

$ ipa service-find nfs
------------------
2 services matched
------------------
  ????????: nfs/node00.glavsn.ab@GLAVSN.AB
  Keytab: True
  Managed by: node00.glavsn.ab

  ????????: nfs/postgres.glavsn.ab@GLAVSN.AB
  Keytab: True
  Managed by: postgres.glavsn.ab

*** here is the nfs server config:

$ sudo klist -k
??????:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/node00.glavsn.ab@GLAVSN.AB
   1 host/node00.glavsn.ab@GLAVSN.AB
   1 host/node00.glavsn.ab@GLAVSN.AB
   1 host/node00.glavsn.ab@GLAVSN.AB
   2 nfs/node00.glavsn.ab@GLAVSN.AB
   2 nfs/node00.glavsn.ab@GLAVSN.AB
   2 nfs/node00.glavsn.ab@GLAVSN.AB
   2 nfs/node00.glavsn.ab@GLAVSN.AB

$ cat /etc/exports
/home *(rw,sec=sys:krb5:krb5i:krb5p)

$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: bridge0 enp1s0
  sources:
  services: dhcpv6-client nfs ssh
  ports: 8001/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

$ getenforce
Enforcing

*** here is the nfs client config:

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/postgres.glavsn.ab@GLAVSN.AB
   1 host/postgres.glavsn.ab@GLAVSN.AB
   1 host/postgres.glavsn.ab@GLAVSN.AB
   1 host/postgres.glavsn.ab@GLAVSN.AB
   1 nfs/postgres.glavsn.ab@GLAVSN.AB
   1 nfs/postgres.glavsn.ab@GLAVSN.AB
   1 nfs/postgres.glavsn.ab@GLAVSN.AB
   1 nfs/postgres.glavsn.ab@GLAVSN.AB

# firewall-cmd --list-all
FedoraServer (default, active)
  interfaces: ens3
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

# mount -l (contains the following line)
auto.home on /home type autofs (rw,relatime,fd=25,pgrp=960,timeout=300,minproto=5,maxproto=5,indirect)

# ll /home/afayzullin
ls says that it cannot access /home/afayzullin: no such file or directory

I have run
# ipa-client-automount --location=amantai
on the client and it has completed successfully.

I have tried to disable selinux and drop iptables rules. And now I am a little confused about what to do next. Maybe someone who has faced automount config can give me some advice, or if there is any howto to config automount, or someone can advise how to debug this situation?

From stacy.redmond at blueshieldca.com Mon May 23 17:14:37 2016
From: stacy.redmond at blueshieldca.com (Redmond, Stacy)
Date: Mon, 23 May 2016 17:14:37 +0000
Subject: [Freeipa-users] AD replication and password passthrough
Message-ID: <5434D6A65FEF2B428D5CC8D77FA7DA71608C8B07@wexc201p.bsc.bscal.com>

Is there a way to setup replication from AD, and just use passthrough to AD for passwords, vs having to synchronize passwords. I am getting a lot of pushback from the AD team on installing the password sync software due to issues in the past. I would like to setup replication, but still use AD to authenticate passwords.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mrorourke at earthlink.net Mon May 23 17:20:57 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Mon, 23 May 2016 13:20:57 -0400 (EDT)
Subject: [Freeipa-users] What id my AD domain user password not available
Message-ID: <23064155.1464024058750.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net>

An HTML attachment was scrubbed...
URL:

From zwolfinger at myemma.com Mon May 23 17:56:48 2016
From: zwolfinger at myemma.com (Zak Wolfinger)
Date: Mon, 23 May 2016 12:56:48 -0500
Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
Message-ID: <8DB43F91-F9C7-4A3B-A090-452CF958D43C@myemma.com>

Does anyone have this combo working?
I'm running into problems with pki-tomcat and tomcat for pwm conflicting and need some pointers.

Thanks!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From bentech4you at gmail.com Mon May 23 18:22:21 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Mon, 23 May 2016 21:22:21 +0300
Subject: [Freeipa-users] What id my AD domain user password not available
In-Reply-To: <23064155.1464024058750.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net>
References: <23064155.1464024058750.JavaMail.wam@elwamui-karabash.atl.sa.earthlink.net>
Message-ID:

HI

in my case I have 2 domains

AD DNS: corp.example.kw.com
main DNS (from appliance): kw.example.com

and all the linux boxes are pointed to kw.example.com

so I put my IPA server hostname as: ipa.kw.example.com and created A & PTR on kw.example.com

is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke wrote:

> Ben,
>
> Yes, that is a requirement. Just creating the A & PTR records for your
> FreeIPA server is not enough. You will need to keep the DNS zones separate
> too, example:
> Windows AD Domain: mydomain.com
> FreeIPA Realm/Domain: subdomain.mydomain.com
>
> You cannot have a cross-forest trust between two domains with the same DNS
> zone name. So if you have a flat DNS namespace, then you will want to plan
> accordingly to move all the linux boxes that will participate in the
> FreeIPA domain into the new DNS zone.
>
> -Mike
>
> -----Original Message-----
> From: "Ben .T.George"
> Sent: May 23, 2016 10:44 AM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> HI
>
> yea that GIF screen I shared with him. but that doesn't show how to take
> the shared key.
> > In my case DNS is handled by 3rd party appliances and from their side they > created A record for my IPA server. bth forward and reverse is working > > is this forwader is mandatory thing from DNS side? > > Regards, > ben > > On Mon, May 23, 2016 at 5:31 PM, Michael ORourke > wrote: > >> Actually one of his questions doesn't make sense, because last I checked, >> normal domain users do not have permissions to create a forest trust. >> I believe the default is a one-way trust, so maybe his concerns about the >> bi-directional trust is really a non-issue. >> If he refuses to type in the admin password in a linux console session >> (extreme paranoia?), then perhaps you could give him a link to the tutorial >> on using a pre-shared key and have him setup the AD side and give you the >> key. You don't have to be a Windows expert to do this, just ask your >> domain admin to do the steps for you. Also, you will need to setup a >> separate DNS zone and some forwarding rules. Otherwise you are going to >> have problems. >> >> -Mike >> >> >> -----Original Message----- >> From: "Ben .T.George" >> Sent: May 23, 2016 10:07 AM >> To: Michael ORourke >> Cc: freeipa-users >> Subject: Re: [Freeipa-users] What id my AD domain user password not >> available >> >> HI >> >> He is local only but he is asking so many questions. >> >> first of all he is refusing to give domain admin users password . >> >> questions he is asking is: >> >> Is this trust relationship is two directional? If, yes why IPA require >> two directional trust? >> can we build this trust one directional? >> can we achieve this with normal domain user? >> >> and hs is opposing to enter password in command line and i was going >> though the rust using a pre-shared key and its too hard for me to >> understand as i have no windows experience >> >> regards, >> Ben >> >> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke > > wrote: >> >>> A couple of ways to go about this. 
If he is local to you, you could >>> explain that you need to establish a trust with his domain and you need his >>> assistance for a few minutes while you type the command to join, then have >>> him type in the password. You need to assure that the DNS forward/stub >>> zones are setup and working too. If he is remote, you could use some >>> screen share software and share out your desktop and walk him through the >>> part where he has to type the admin password. There is also a way to >>> create a trust using a pre-shared key. That may be more acceptable to >>> him. >>> >>> -Mike >>> >>> -----Original Message----- >>> From: "Ben .T.George" >>> Sent: May 23, 2016 8:42 AM >>> To: freeipa-users >>> Subject: [Freeipa-users] What id my AD domain user password not >>> available >>> >>> Hi LIst, >>> >>> my Windows domain Admin is not giving domain admin user password. >>> >>> in this case how can i proceed ipa trust-add >>> >>> regards, >>> Ben >>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >>> >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From askstack at yahoo.com Mon May 23 18:31:02 2016 From: askstack at yahoo.com (Ask Stack) Date: Mon, 23 May 2016 18:31:02 +0000 (UTC) Subject: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab References: <361801029.1315557.1464028262337.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <361801029.1315557.1464028262337.JavaMail.yahoo@mail.yahoo.com> My company's ipa-client-install fail very often. Debug logs show the process always failed at getting the /etc/krb5.keytab . 
Is there a way to modify the script to increase the number of attempts to create /etc/krb5.keytab?

I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain host TGT (defaults to 5)." But it comes after setting up the "/etc/krb5.keytab" file.

Thanks.

server
ipa-server-3.0.0-47.el6_7.1.x86_64

client
ipa-client-3.0.0-47.el6_7.2.x86_64
ipa-client-3.0.0-50.el6.1.x86_64

#SUCCESSFUL ATTEMPT

\n
\n
\n
\n
\n
\n

Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=TEST.COM

2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:40:49Z DEBUG args=kdestroy
2016-05-23T14:40:49Z DEBUG stdout=
2016-05-23T14:40:49Z DEBUG stderr=

#FAILED ATTEMPT

\n
\n
\n
\n
\n
\n

ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
Certificate subject base is: O=TEST.COM

2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:37:08Z DEBUG args=kdestroy
2016-05-23T14:37:08Z DEBUG stdout=
2016-05-23T14:37:08Z DEBUG stderr=

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon May 23 18:57:26 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2016 14:57:26 -0400
Subject: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
In-Reply-To: <361801029.1315557.1464028262337.JavaMail.yahoo@mail.yahoo.com>
References: <361801029.1315557.1464028262337.JavaMail.yahoo.ref@mail.yahoo.com> <361801029.1315557.1464028262337.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <57435296.3030502@redhat.com>

Ask Stack wrote:
> My company's ipa-client-install fails very often. Debug logs show the
> process always failed at getting the /etc/krb5.keytab .
> Is there a way to modify the script to increase number of attempts to
> create /etc/krb5.keytab ?
>
> I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> host TGT (defaults to 5)."
> But it comes after setting up the
> "/etc/krb5.keytab" file.
> Thanks.
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
> ipa-client-3.0.0-50.el6.1.x86_64
>
>
> #SUCCESSFUL ATTEMPT
>
> \n
> \n
> \n
> \n
> \n
> \n
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=TEST.COM
>
> 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> 2016-05-23T14:40:49Z DEBUG args=kdestroy
> 2016-05-23T14:40:49Z DEBUG stdout=
> 2016-05-23T14:40:49Z DEBUG stderr=
>
>
>
> #FAILED ATTEMPT
>
> \n
> \n
> \n
> \n
> \n
> \n
>
> ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> Certificate subject base is: O=TEST.COM
>
> 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> 2016-05-23T14:37:08Z DEBUG args=kdestroy
> 2016-05-23T14:37:08Z DEBUG stdout=
> 2016-05-23T14:37:08Z DEBUG stderr=

There is no retry capability and in some cases would be impossible to add (the one-time password case).

Can you check /var/log/krb5kdc on the IPA master it connected to, and the 389-ds access and errors logs as well. Perhaps one of those will have more information on why things failed.

rob

From askstack at yahoo.com Mon May 23 19:49:04 2016
From: askstack at yahoo.com (Ask Stack)
Date: Mon, 23 May 2016 19:49:04 +0000 (UTC)
Subject: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
In-Reply-To: <57435296.3030502@redhat.com>
References: <361801029.1315557.1464028262337.JavaMail.yahoo.ref@mail.yahoo.com> <361801029.1315557.1464028262337.JavaMail.yahoo@mail.yahoo.com> <57435296.3030502@redhat.com>
Message-ID: <1389058644.1292312.1464032944247.JavaMail.yahoo@mail.yahoo.com>

Rob

Thanks for the reply.

I didn't find anything obvious in /var/log/dirsrv/slapd-/access and errors and /var/log/krb5kdc.log

Do you know which service is responsible for providing "/etc/krb5.keytab" to the client?
On Monday, May 23, 2016 2:57 PM, Rob Crittenden wrote: Ask Stack wrote: > My company's ipa-client-install fail very often. Debug logs show the > process always failed at getting the /etc/krb5.keytab . > Is there a way to modify the script to increase number of attempts to > create /etc/krb5.keytab ? > > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain > host TGT (defaults to 5)." But it comes after setting up the > "/etc/krb5.keytab" file. > Thanks. > > server > ipa-server-3.0.0-47.el6_7.1.x86_64 > > cleint > ipa-client-3.0.0-47.el6_7.2.x86_64 > ipa-client-3.0.0-50.el6.1.x86_64 > > > #SUCCESSFUL ATTEMPT > > \n > \n > \n > \n > \n > \n > > Keytab successfully retrieved and stored in: /etc/krb5.keytab > Certificate subject base is: O=TEST.COM > > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM > 2016-05-23T14:40:49Z DEBUG args=kdestroy > 2016-05-23T14:40:49Z DEBUG stdout= > 2016-05-23T14:40:49Z DEBUG stderr= > > > > #FAILED ATTEMPT > > \n > \n > \n > \n > \n > \n > > ipa-getkeytab: ../../../libraries/libldap/extended.c:177: > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed. > Certificate subject base is: O=TEST.COM > > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM > 2016-05-23T14:37:08Z DEBUG args=kdestroy > 2016-05-23T14:37:08Z DEBUG stdout= > 2016-05-23T14:37:08Z DEBUG stderr= There is no retry capability and in some cases would be impossible to add (the one-time password case). Can you check /var/log/krb5kdc on the IPA master it connected to, and the 389-ds access and errors logs as well. Perhaps one of those will have more information on why things failed. rob -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From erik at infochimps.com Mon May 23 21:04:38 2016 From: erik at infochimps.com (Erik Mackdanz) Date: Mon, 23 May 2016 16:04:38 -0500 Subject: [Freeipa-users] Mostly working trust, SSH failure In-Reply-To: <431137CA-112B-4E2B-BEC2-546DC0FC7345@redhat.com> References: <20160520070200.GA3384@hendrix> <431137CA-112B-4E2B-BEC2-546DC0FC7345@redhat.com> Message-ID: For the bug you mentioned ([1], downstream [2]), there is a patch but it's not publicly accessible. Are you able post the patch to this list? It may help us determine if we are directly affected. Thanks, Erik [1] https://fedorahosted.org/sssd/ticket/3015 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1336688 On Sun, May 22, 2016 at 6:48 AM, Jakub Hrozek wrote: > >> On 20 May 2016, at 19:31, Erik Mackdanz wrote: >> >> Thanks Jakub, >> >> Yes, the "marking subdomain ... inactive" portion is below. >> >> There are failures in resolving the Global Catalog via SRV, but what >> I've read says that should be okay because we fall back to the >> SID<->UID mapping. With dig, I can reproduce sssd's finding that >> those SRV records don't exist. Is the DNS failure as fatal as it >> appears? > > Yes, I think that's the issue. I don't think we fall back to LDAP lookups. (btw we have a bug where we use the domain name, not the forest name for GC lookups SRV query..) > >> >> Yes, we can kinit AD users. We can also 'getent' AD users and groups >> (at least the group we authorized in our trust). >> >> Does it matter that the user we used to establish the trust was later >> demoted? (Was domain admin, now regular user). 
>> >> Cheers, >> Erik >> >> >> [ipa_srv_ad_acct_retried] (0x0400): Sudomain re-set, will retry lookup >> [be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com >> [set_srv_data_status] (0x0100): Marking SRV lookup of service >> 'na.bazzlegroup.com' as 'neutral' >> [set_server_common_status] (0x0100): Marking server >> 'deda9w1004.na.bazzlegroup.com' as 'name not resolved' >> [fo_set_port_status] (0x0100): Marking port 389 of server >> 'deda9w1004.na.bazzlegroup.com' as 'neutral' >> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP >> [fo_set_port_status] (0x0400): Marking port 389 of duplicate server >> 'deda9w1004.na.bazzlegroup.com' as 'neutral' >> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP >> [set_srv_data_status] (0x0100): Marking SRV lookup of service >> 'na.bazzlegroup.com' as 'neutral' >> [set_server_common_status] (0x0100): Marking server >> 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved' >> [fo_set_port_status] (0x0100): Marking port 389 of server >> 'usbe9w2003.na.bazzlegroup.com' as 'neutral' >> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP >> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP >> [fo_set_port_status] (0x0400): Marking port 389 of duplicate server >> 'usbe9w2003.na.bazzlegroup.com' as 'neutral' >> [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account >> [sdap_id_op_connect_step] (0x4000): beginning to connect >> [fo_resolve_service_send] (0x0100): Trying to resolve service >> 'gc_na.bazzlegroup.com' >> [get_port_status] (0x1000): Port status of port 0 for server '(no >> name)' is 'not working' >> [fo_resolve_service_send] (0x0020): No available servers for service >> 'gc_na.bazzlegroup.com' >> [be_resolve_server_done] (0x1000): Server resolution failed: 5 >> [sdap_id_op_connect_done] (0x0400): Failed to connect to server, but >> ignore mark offline is enabled. 
>> [sdap_id_op_connect_done] (0x4000): notify error to op #1: 5 >> [Input/output error] >> [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline >> [be_mark_subdom_offline] (0x1000): Marking subdomain >> na.bazzlegroup.com as inactive >> [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: >> [1432158262]: Subdomain is inactive. >> [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262 >> [sdap_id_op_destroy] (0x4000): releasing operation connection >> >> On Fri, May 20, 2016 at 2:02 AM, Jakub Hrozek wrote: >>> On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote: >>>> Hello, >>>> >>>> I've set up a one-way trust to an Active Directory domain. Things >>>> seem to roughly work, but something's missing. >>>> >>>> Can any kind soul spot a problem with my configuration, or advise on >>>> how to further troubleshoot? >>>> >>>> Facts: >>>> >>>> - An AD user gets 'Access denied' when SSH'ing by password to the >>>> FreeIPA host. This is my concern. >>>> >>>> - This AD user has not been locked out. >>>> >>>> - getent passwd succeeds for the AD user >>>> >>>> - A FreeIPA user can successfully SSH by password to the same FreeIPA >>>> host. >>>> >>>> - That FreeIPA user can then successfully kinit as the AD user (the >>>> same AD user denied above) >>>> >>>> - HBAC is set to the default allow_all rule, which is enabled. >>>> Running the HBAC Test tool on the AD user confirms that they are >>>> authorized for sshd. >>>> >>>> This tells me something is awry in sssd.conf or sshd_config or pam.d >>>> or HBAC. >>>> >>>> Thanks, >>>> Erik >>>> >>>> I've got sssd debug to 9. Here's some output: >>>> >>>> >>> >>> [...] 
>>>
>>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>>> [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
>>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>>> [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
>>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>>> [be_mark_subdom_offline] (0x4000): Subdomain already inactive
>>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>>
>>> Here it looks like sssd previously had issues connecting to AD and went
>>> offline. Can you search the logs a bit earlier for the first occurrence of
>>> "Marking subdomain xxx as offline"? Can you kinit as that user?
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>

From rcritten at redhat.com Mon May 23 21:10:07 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2016 17:10:07 -0400
Subject: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
In-Reply-To: <1389058644.1292312.1464032944247.JavaMail.yahoo@mail.yahoo.com>
References: <361801029.1315557.1464028262337.JavaMail.yahoo.ref@mail.yahoo.com> <361801029.1315557.1464028262337.JavaMail.yahoo@mail.yahoo.com> <57435296.3030502@redhat.com> <1389058644.1292312.1464032944247.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <574371AF.8000406@redhat.com>

Ask Stack wrote:
> Rob
> Thanks for the reply.
> I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> errors and /var/log/krb5kdc.log
> Do you know which service is responsible for providing
> "/etc/krb5.keytab" to the client?

It uses an LDAP extended operation so 389-ds.
Any errors would be in the KDC log or, more likely, in the 389-ds logs.

rob

>
> On Monday, May 23, 2016 2:57 PM, Rob Crittenden wrote:
>
>
> Ask Stack wrote:
>
> > My company's ipa-client-install fails very often. Debug logs show the
> > process always failed at getting the /etc/krb5.keytab .
> > Is there a way to modify the script to increase the number of attempts to
> > create /etc/krb5.keytab ?
> >
> > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> > host TGT (defaults to 5)." But it comes after setting up the
> > "/etc/krb5.keytab" file.
> > Thanks.
> >
> > server
> > ipa-server-3.0.0-47.el6_7.1.x86_64
> >
> > client
> > ipa-client-3.0.0-47.el6_7.2.x86_64
> > ipa-client-3.0.0-50.el6.1.x86_64
> >
> >
> > #SUCCESSFUL ATTEMPT
> >
> > \n
> > \n
> > \n
> > \n
> > \n
> > \n
> >
> > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:40:49Z DEBUG args=kdestroy
> > 2016-05-23T14:40:49Z DEBUG stdout=
> > 2016-05-23T14:40:49Z DEBUG stderr=
> >
> >
> >
> > #FAILED ATTEMPT
> >
> > \n
> > \n
> > \n
> > \n
> > \n
> > \n
> >
> > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:37:08Z DEBUG args=kdestroy
> > 2016-05-23T14:37:08Z DEBUG stdout=
> > 2016-05-23T14:37:08Z DEBUG stderr=
>
> There is no retry capability and in some cases would be impossible to
> add (the one-time password case). Can you check /var/log/krb5kdc on the
> IPA master it connected to, and the 389-ds access and errors logs as
> well. Perhaps one of those will have more information on why things failed.
> > rob > > > > From rcritten at redhat.com Mon May 23 21:26:45 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 23 May 2016 17:26:45 -0400 Subject: [Freeipa-users] Mostly working trust, SSH failure In-Reply-To: References: <20160520070200.GA3384@hendrix> <431137CA-112B-4E2B-BEC2-546DC0FC7345@redhat.com> Message-ID: <57437595.4040609@redhat.com> Erik Mackdanz wrote: > For the bug you mentioned ([1], downstream [2]), there is a patch but > it's not publicly accessible. Are you able post the patch to this > list? It may help us determine if we are directly affected. https://lists.fedorahosted.org/archives/list/sssd-devel at lists.fedorahosted.org/thread/TUZ6ZWLRZ6QSMUHV44PRT75T6OVBGILK/ rob > > Thanks, > Erik > > [1] https://fedorahosted.org/sssd/ticket/3015 > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1336688 > > On Sun, May 22, 2016 at 6:48 AM, Jakub Hrozek wrote: >> >>> On 20 May 2016, at 19:31, Erik Mackdanz wrote: >>> >>> Thanks Jakub, >>> >>> Yes, the "marking subdomain ... inactive" portion is below. >>> >>> There are failures in resolving the Global Catalog via SRV, but what >>> I've read says that should be okay because we fall back to the >>> SID<->UID mapping. With dig, I can reproduce sssd's finding that >>> those SRV records don't exist. Is the DNS failure as fatal as it >>> appears? >> >> Yes, I think that's the issue. I don't think we fall back to LDAP lookups. (btw we have a bug where we use the domain name, not the forest name for GC lookups SRV query..) >> >>> >>> Yes, we can kinit AD users. We can also 'getent' AD users and groups >>> (at least the group we authorized in our trust). >>> >>> Does it matter that the user we used to establish the trust was later >>> demoted? (Was domain admin, now regular user). 
>>> >>> Cheers, >>> Erik >>> >>> >>> [ipa_srv_ad_acct_retried] (0x0400): Sudomain re-set, will retry lookup >>> [be_fo_reset_svc] (0x1000): Resetting all servers in service na.bazzlegroup.com >>> [set_srv_data_status] (0x0100): Marking SRV lookup of service >>> 'na.bazzlegroup.com' as 'neutral' >>> [set_server_common_status] (0x0100): Marking server >>> 'deda9w1004.na.bazzlegroup.com' as 'name not resolved' >>> [fo_set_port_status] (0x0100): Marking port 389 of server >>> 'deda9w1004.na.bazzlegroup.com' as 'neutral' >>> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP >>> [fo_set_port_status] (0x0400): Marking port 389 of duplicate server >>> 'deda9w1004.na.bazzlegroup.com' as 'neutral' >>> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP >>> [set_srv_data_status] (0x0100): Marking SRV lookup of service >>> 'na.bazzlegroup.com' as 'neutral' >>> [set_server_common_status] (0x0100): Marking server >>> 'usbe9w2003.na.bazzlegroup.com' as 'name not resolved' >>> [fo_set_port_status] (0x0100): Marking port 389 of server >>> 'usbe9w2003.na.bazzlegroup.com' as 'neutral' >>> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP >>> [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP >>> [fo_set_port_status] (0x0400): Marking port 389 of duplicate server >>> 'usbe9w2003.na.bazzlegroup.com' as 'neutral' >>> [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account >>> [sdap_id_op_connect_step] (0x4000): beginning to connect >>> [fo_resolve_service_send] (0x0100): Trying to resolve service >>> 'gc_na.bazzlegroup.com' >>> [get_port_status] (0x1000): Port status of port 0 for server '(no >>> name)' is 'not working' >>> [fo_resolve_service_send] (0x0020): No available servers for service >>> 'gc_na.bazzlegroup.com' >>> [be_resolve_server_done] (0x1000): Server resolution failed: 5 >>> [sdap_id_op_connect_done] (0x0400): Failed to connect to server, but >>> ignore mark offline is enabled. 
>>> [sdap_id_op_connect_done] (0x4000): notify error to op #1: 5 >>> [Input/output error] >>> [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline >>> [be_mark_subdom_offline] (0x1000): Marking subdomain >>> na.bazzlegroup.com as inactive >>> [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: >>> [1432158262]: Subdomain is inactive. >>> [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 1432158262 >>> [sdap_id_op_destroy] (0x4000): releasing operation connection >>> >>> On Fri, May 20, 2016 at 2:02 AM, Jakub Hrozek wrote: >>>> On Thu, May 19, 2016 at 05:18:43PM -0500, Erik Mackdanz wrote: >>>>> Hello, >>>>> >>>>> I've set up a one-way trust to an Active Directory domain. Things >>>>> seem to roughly work, but something's missing. >>>>> >>>>> Can any kind soul spot a problem with my configuration, or advise on >>>>> how to further troubleshoot? >>>>> >>>>> Facts: >>>>> >>>>> - An AD user gets 'Access denied' when SSH'ing by password to the >>>>> FreeIPA host. This is my concern. >>>>> >>>>> - This AD user has not been locked out. >>>>> >>>>> - getent passwd succeeds for the AD user >>>>> >>>>> - A FreeIPA user can successfully SSH by password to the same FreeIPA >>>>> host. >>>>> >>>>> - That FreeIPA user can then successfully kinit as the AD user (the >>>>> same AD user denied above) >>>>> >>>>> - HBAC is set to the default allow_all rule, which is enabled. >>>>> Running the HBAC Test tool on the AD user confirms that they are >>>>> authorized for sshd. >>>>> >>>>> This tells me something is awry in sssd.conf or sshd_config or pam.d >>>>> or HBAC. >>>>> >>>>> Thanks, >>>>> Erik >>>>> >>>>> I've got sssd debug to 9. Here's some output: >>>>> >>>>> >>>> >>>> [...] 
>>>>
>>>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>>>> [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
>>>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>>>> [be_mark_dom_offline] (0x1000): Marking subdomain na.bazzlegroup.com offline
>>>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>>>> [be_mark_subdom_offline] (0x4000): Subdomain already inactive
>>>>> (Thu May 19 20:43:34 2016) [sssd[be[platform.schlitz]]]
>>>>
>>>> Here it looks like sssd previously had issues connecting to AD and went
>>>> offline. Can you search the logs a bit earlier for the first occurrence of
>>>> "Marking subdomain xxx as offline"? Can you kinit as that user?
>>>
>>
>

From barrykfl at gmail.com Tue May 24 09:36:08 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Tue, 24 May 2016 17:36:08 +0800
Subject: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???
Message-ID:

hi all:

Thx, as title

ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
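The failure above is the symptom of a server certificate that had already expired before the replica was prepared. As an added example (not from this thread and not FreeIPA's own code), the following Python script parses certmonger's `getcert list` output, which lists every certificate an IPA server tracks, and flags entries that are expired, due to expire within a grace window, or stuck in renewal, so the condition is noticed before replica preparation fails. The sample output is constructed for the example; the field layout assumes certmonger's `Request ID` / `status` / `stuck` / `subject` / `expires` lines.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (not from any real server).
# Three tracked certificates: one already expired, one inside the warning
# window and stuck in renewal, one healthy.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20150101000000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=server.example.com,O=EXAMPLE.COM
\texpires: 2016-05-01 09:00:00 UTC
Request ID '20150101000001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2016-06-10 09:00:00 UTC
Request ID '20150101000002':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=replica.example.com,O=EXAMPLE.COM
\texpires: 2017-11-30 09:00:00 UTC
"""

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
_FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")
_TIME_FMT = "%Y-%m-%d %H:%M:%S %Z"   # layout of certmonger's 'expires:' line


def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    entries, current = [], None
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            # first colon ends the field name; values may contain colons
            current[m.group(1)] = m.group(2)
    return entries


def parse_time(value):
    """Parse '2016-05-01 09:00:00 UTC' into a naive UTC datetime."""
    return datetime.strptime(value, _TIME_FMT)


def check_expiry(text, now, warn_days=30):
    """Classify every tracked certificate relative to `now`.

    `now` is a naive UTC datetime or a string in certmonger's time layout.
    Returns {request_id: {"subject", "state", "stuck"}} where state is
    'expired', 'expiring' (within warn_days) or 'ok'.
    """
    if isinstance(now, str):
        now = parse_time(now)
    report = {}
    for entry in parse_getcert(text):
        expires = parse_time(entry["expires"])
        if expires <= now:
            state = "expired"
        elif expires - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        report[entry["request_id"]] = {
            "subject": entry.get("subject", "?"),
            "state": state,
            # certmonger prints 'stuck: yes' when renewal cannot proceed
            "stuck": entry.get("stuck") == "yes",
        }
    return report


def needs_attention(report):
    """Request IDs that are expired, expiring or stuck, worst first."""
    rank = {"expired": 0, "expiring": 1, "ok": 2}
    flagged = [rid for rid, r in report.items()
               if r["state"] != "ok" or r["stuck"]]
    return sorted(flagged, key=lambda rid: rank[report[rid]["state"]])


if __name__ == "__main__":
    # On a real server:  getcert list | python3 this_script.py
    import sys
    text = SAMPLE_GETCERT if sys.stdin.isatty() else sys.stdin.read()
    rep = check_expiry(text, datetime.now(timezone.utc).replace(tzinfo=None))
    for rid in needs_attention(rep):
        r = rep[rid]
        print(f"{rid}: {r['subject']} is {r['state']}"
              + (" and stuck" if r["stuck"] else ""))
```

Running this from cron with a window wider than certmonger's own renewal lead time gives an early warning that a renewal did not happen, which is the point at which the problem is still easy to fix.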
From mkosek at redhat.com Tue May 24 10:39:44 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 24 May 2016 12:39:44 +0200
Subject: [Freeipa-users] What if my AD domain user password not available
In-Reply-To:
References: <1c0edb16-150b-bd57-a3d3-a53d5b55e43e@redhat.com>
Message-ID: <4a27ef1c-8ce0-8c07-faa1-6846170f4db6@redhat.com>

On 05/23/2016 03:20 PM, Ben .T.George wrote:
> Hi
>
> Thanks for your reply.
>
> I saw this before but the thing is I can't follow this one as I am not
> completely getting those steps
>
> ipa trust-add --type=ad "ad_domain" --trust-secret
>
> It is asking for a key; what do I need to give?
>
> And the shown gif screens and the current AD windows are different for me.

Hi,

Try checking the procedure in the guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#create-trust-shared-secret

Maybe it will help you understand what needs to be clicked on the AD side.

HTH,
Martin

> Regards
> Ben
>
> On 23 May 2016 16:13, "Martin Babinsky" wrote:
>
> On 05/23/2016 02:42 PM, Ben .T.George wrote:
>
> Hi List,
>
> my Windows domain Admin is not giving domain admin user password.
>
> in this case how can I proceed ipa trust-add
>
> regards,
> Ben
>
>
> Hi Ben,
>
> You can ask your AD domain admin to create a shared secret for establishing
> trust. See the corresponding chapter in the guide for creating trusts[1] for
> more details.
>
> [1]
> http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available
>
>
> --
> Martin^3 Babinsky
>

From prasun.gera at gmail.com Tue May 24 13:01:16 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 24 May 2016 09:01:16 -0400
Subject: [Freeipa-users] question about automount config
In-Reply-To: <552e1d8a-1e60-26aa-19eb-a0f02fa6b3bf@deus.pro>
References: <552e1d8a-1e60-26aa-19eb-a0f02fa6b3bf@deus.pro>
Message-ID:

You can stop the autofs daemon, and run it in the foreground with automount -fvv. Then try to access the mount point in parallel. The logs from the foreground run should shed some light. Also, does your autofs setup work without kerberos? As a first step, get it to work with non-kerberised nfs.

On Mon, May 23, 2016 at 11:06 AM, Arthur Fayzullin wrote:
> Good day, colleagues!
> I am confused about how automount works and how to configure it. I have
> tried to configure it according to
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> document (paragraph 9.1.1 and chapter 20).
> I have tried to make it work on 3 servers:
> 1. ipa server;
> 2. nfs server (node00);
> 3. nfs client (postgres).
>
>
> *** so here is how it is configured on the ipa server:
> $ ipa automountlocation-tofiles amantai
> /etc/auto.master:
> /-      /etc/auto.direct
> /home   /etc/auto.home
> ---------------------------
> /etc/auto.direct:
> ---------------------------
> /etc/auto.home:
> *       -sec=kr5i,rw,fstype=nfs4        node00.glavsn.ab:/home/&
>
> maps not connected to /etc/auto.master:
>
> $ ipa service-find nfs
> ------------------
> 2 services matched
> ------------------
> ????????: nfs/node00.glavsn.ab at GLAVSN.AB
> Keytab: True
> Managed by: node00.glavsn.ab
>
> ????????: nfs/postgres.glavsn.ab at GLAVSN.AB
> Keytab: True
> Managed by: postgres.glavsn.ab
>
>
> *** here is the nfs server config:
> $ sudo klist -k
> ??????:
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/node00.glavsn.ab at GLAVSN.AB
>    1 host/node00.glavsn.ab at GLAVSN.AB
>    1 host/node00.glavsn.ab at GLAVSN.AB
>    1 host/node00.glavsn.ab at GLAVSN.AB
>    2 nfs/node00.glavsn.ab at GLAVSN.AB
>    2 nfs/node00.glavsn.ab at GLAVSN.AB
>    2 nfs/node00.glavsn.ab at GLAVSN.AB
>    2 nfs/node00.glavsn.ab at GLAVSN.AB
>
> $ cat /etc/exports
> /home *(rw,sec=sys:krb5:krb5i:krb5p)
>
> $ sudo firewall-cmd --list-all
> public (default, active)
>   interfaces: bridge0 enp1s0
>   sources:
>   services: dhcpv6-client nfs ssh
>   ports: 8001/tcp
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> $ getenforce
> Enforcing
>
>
> *** here is the nfs client config:
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/postgres.glavsn.ab at GLAVSN.AB
>    1 host/postgres.glavsn.ab at GLAVSN.AB
>    1 host/postgres.glavsn.ab at GLAVSN.AB
>    1 host/postgres.glavsn.ab at GLAVSN.AB
>    1 nfs/postgres.glavsn.ab at GLAVSN.AB
>    1 nfs/postgres.glavsn.ab at GLAVSN.AB
>    1 nfs/postgres.glavsn.ab at GLAVSN.AB
>    1 nfs/postgres.glavsn.ab at GLAVSN.AB
>
> # firewall-cmd --list-all
> FedoraServer (default, active)
>   interfaces: ens3
>   sources:
>   services: cockpit dhcpv6-client ssh
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
> # mount -l (contains next string)
> auto.home on /home type autofs
> (rw,relatime,fd=25,pgrp=960,timeout=300,minproto=5,maxproto=5,indirect)
>
> # ll /home/afayzullin
> ls says that it cannot access /home/afayzullin: no such file or directory
>
> I have run
> # ipa-client-automount --location=amantai
> on the client and it has completed successfully.
>
> I have tried to disable selinux and drop iptables rules. And now I am a
> little confused about what to do next. Maybe someone who has faced
> automount config can give me some advice, or if there is any howto on
> configuring automount, or someone can advise how to debug this situation?

From askstack at yahoo.com Tue May 24 13:16:17 2016
From: askstack at yahoo.com (Ask Stack)
Date: Tue, 24 May 2016 13:16:17 +0000 (UTC)
Subject: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
In-Reply-To: <574371AF.8000406@redhat.com>
References: <361801029.1315557.1464028262337.JavaMail.yahoo.ref@mail.yahoo.com> <361801029.1315557.1464028262337.JavaMail.yahoo@mail.yahoo.com> <57435296.3030502@redhat.com> <1389058644.1292312.1464032944247.JavaMail.yahoo@mail.yahoo.com> <574371AF.8000406@redhat.com>
Message-ID: <48735154.1757078.1464095777671.JavaMail.yahoo@mail.yahoo.com>

Sorry for asking the dumb question again. Where are the 389-ds logs? I can't find them in /var/log/ .

On Monday, May 23, 2016 5:10 PM, Rob Crittenden wrote:

Ask Stack wrote:
> Rob
> Thanks for the reply.
> I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> errors
> and /var/log/krb5kdc.log
> Do you know which service is responsible for providing
> "/etc/krb5.keytab" to the client?

It uses an LDAP extended operation so 389-ds. Any errors would be in the
KDC log or, more likely, in the 389-ds logs.

rob

>
> On Monday, May 23, 2016 2:57 PM, Rob Crittenden wrote:
>
>
> Ask Stack wrote:
> > My company's ipa-client-install fails very often. Debug logs show the
> > process always failed at getting the /etc/krb5.keytab .
> > Is there a way to modify the script to increase the number of attempts to
> > create /etc/krb5.keytab ?
> >
> > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> > host TGT (defaults to 5)." But it comes after setting up the
> > "/etc/krb5.keytab" file.
> > Thanks.
> >
> > server
> > ipa-server-3.0.0-47.el6_7.1.x86_64
> >
> > client
> > ipa-client-3.0.0-47.el6_7.2.x86_64
> > ipa-client-3.0.0-50.el6.1.x86_64
> >
> >
> > #SUCCESSFUL ATTEMPT
> >
> > \n
> > \n
> > \n
> > \n
> > \n
> > \n
> >
> > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:40:49Z DEBUG args=kdestroy
> > 2016-05-23T14:40:49Z DEBUG stdout=
> > 2016-05-23T14:40:49Z DEBUG stderr=
> >
> >
> >
> > #FAILED ATTEMPT
> >
> > \n
> > \n
> > \n
> > \n
> > \n
> > \n
> >
> > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> > Certificate subject base is: O=TEST.COM
> >
> > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> > 2016-05-23T14:37:08Z DEBUG args=kdestroy
> > 2016-05-23T14:37:08Z DEBUG stdout=
> > 2016-05-23T14:37:08Z DEBUG stderr=
>
> There is no retry capability and in some cases would be impossible to
> add (the one-time password case).
> Can you check /var/log/krb5kdc on the
> IPA master it connected to, and the 389-ds access and errors logs as
> well. Perhaps one of those will have more information on why things failed.
>
> rob
>

From traiano at gmail.com Tue May 24 13:34:46 2016
From: traiano at gmail.com (Traiano Welcome)
Date: Tue, 24 May 2016 16:34:46 +0300
Subject: [Freeipa-users] Error when adding new users via UI:
Message-ID:

Hi

I have IPA server 4.2 running on centos 7 (ipa-server-4.2.0-15.el7.centos.3.x86_64).

This morning, after many months of stable operation, I tried to add a user and got this error via the web interface:

---
Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
---

So basically, I can't add any new users.

Would anyone know how I can troubleshoot this kind of IPA error, or possibly have come across and resolved it before?

Thanks in advance,
Traiano

From rcritten at redhat.com Tue May 24 13:56:45 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2016 09:56:45 -0400
Subject: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
In-Reply-To: <48735154.1757078.1464095777671.JavaMail.yahoo@mail.yahoo.com>
References: <361801029.1315557.1464028262337.JavaMail.yahoo.ref@mail.yahoo.com> <361801029.1315557.1464028262337.JavaMail.yahoo@mail.yahoo.com> <57435296.3030502@redhat.com> <1389058644.1292312.1464032944247.JavaMail.yahoo@mail.yahoo.com> <574371AF.8000406@redhat.com> <48735154.1757078.1464095777671.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <57445D9D.6070706@redhat.com>

Ask Stack wrote:
> Sorry for asking the dumb question again. Where are the 389-ds logs? I
> can't find them in /var/log/ .

/var/log/dirsrv/slapd-REALM

What you'll want to look for is the BIND from the client and all results for that connection.
The errors log tends to just log critical problems so it may not have much.

rob

>
>
> On Monday, May 23, 2016 5:10 PM, Rob Crittenden wrote:
>
>
> Ask Stack wrote:
> > Rob
> > Thanks for the reply.
> > I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> > errors and /var/log/krb5kdc.log
> > Do you know which service is responsible for providing
> > "/etc/krb5.keytab" to the client?
>
> It uses an LDAP extended operation so 389-ds. Any errors would be in the
> KDC log or, more likely, in the 389-ds logs.
>
> rob
>
> >
> > On Monday, May 23, 2016 2:57 PM, Rob Crittenden wrote:
> >
> >
> > Ask Stack wrote:
> >
> > > My company's ipa-client-install fails very often. Debug logs show the
> > > process always failed at getting the /etc/krb5.keytab .
> > > Is there a way to modify the script to increase the number of attempts to
> > > create /etc/krb5.keytab ?
> > >
> > > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> > > host TGT (defaults to 5)." But it comes after setting up the
> > > "/etc/krb5.keytab" file.
> > > Thanks.
> > >
> > > server
> > > ipa-server-3.0.0-47.el6_7.1.x86_64
> > >
> > > client
> > > ipa-client-3.0.0-47.el6_7.2.x86_64
> > > ipa-client-3.0.0-50.el6.1.x86_64
> > >
> > >
> > > #SUCCESSFUL ATTEMPT
> > >
> > > \n
> > > \n
> > > \n
> > > \n
> > > \n
> > > \n
> > >
> > > Keytab successfully retrieved and stored in: /etc/krb5.keytab
> > > Certificate subject base is: O=TEST.COM
> > >
> > > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> > > 2016-05-23T14:40:49Z DEBUG args=kdestroy
> > > 2016-05-23T14:40:49Z DEBUG stdout=
> > > 2016-05-23T14:40:49Z DEBUG stderr=
> > >
> > >
> > >
> > > #FAILED ATTEMPT
> > >
> > > \n
> > > \n
> > > \n
> > > \n
> > > \n
> > > \n
> > >
> > > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> > > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> > > Certificate subject base is: O=TEST.COM
> > >
> > > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> > > 2016-05-23T14:37:08Z DEBUG args=kdestroy
> > > 2016-05-23T14:37:08Z DEBUG stdout=
> > > 2016-05-23T14:37:08Z DEBUG stderr=
> >
> > There is no retry capability and in some cases would be impossible to
> > add (the one-time password case). Can you check /var/log/krb5kdc on the
> > IPA master it connected to, and the 389-ds access and errors logs as
> > well. Perhaps one of those will have more information on why things failed.
> >
> > rob
>

From rcritten at redhat.com Tue May 24 14:01:54 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2016 10:01:54 -0400
Subject: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???
In-Reply-To:
References:
Message-ID: <57445ED2.10701@redhat.com>

barrykfl at gmail.com wrote:
> hi all:
>
> Thx, as title
>
> ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> preparation of replica failed: cannot connect to
> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> cannot connect to
> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

The root of all your problems is that your certificates are expired. Fixing this should be your priority.

This is probably going to involve going back in time to when the certificates are still valid, restarting IPA, restarting certmonger and waiting for things to properly renew. It can take some time as the certificates don't all renew at once.

I suspect that once renewed and returned to current time the rest of your problems will, for the most part, go away.
rob

From mkosek at redhat.com Tue May 24 14:06:45 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 24 May 2016 16:06:45 +0200
Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
In-Reply-To: <8DB43F91-F9C7-4A3B-A090-452CF958D43C@myemma.com>
References: <8DB43F91-F9C7-4A3B-A090-452CF958D43C@myemma.com>
Message-ID: <6801b59a-deb7-6d0c-2c42-b461e6c40817@redhat.com>

On 05/23/2016 07:56 PM, Zak Wolfinger wrote:
> Does anyone have this combo working? I'm running into problems with pki-tomcat and tomcat for pwm conflicting and need some pointers.
>
> Thanks!

You may need to do it on a FreeIPA replica without a CA then, or isolate these somehow (containers?)

For the record, the PWM question came up a couple of times already on this list; as part of the discussion, we also recommended actually using some of the alternatives we were building in FreeIPA:
https://www.redhat.com/archives/freeipa-users/2016-April/msg00205.html

Martin

From rcritten at redhat.com Tue May 24 14:07:44 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2016 10:07:44 -0400
Subject: [Freeipa-users] Error when adding new users via UI:
In-Reply-To:
References:
Message-ID: <57446030.60801@redhat.com>

Traiano Welcome wrote:
> Hi
>
> I have IPA server 4.2 running on centos 7
> (ipa-server-4.2.0-15.el7.centos.3.x86_64).
>
> This morning, after many months of stable operation, I tried to add a
> user and got this error via the web interface:
>
> ---
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> ---
>
> So basically, can't add any new users.
>
> Would anyone know how I can troubleshoot this kind of IPA error, or
> possibly have come across and resolved it before ?

At install a range of 100k ids is allocated to IPA. With each new master this range is divided in half. It appears you've exhausted one of the masters.
What you need to do is take an inventory of what ranges (if any) are allocated to the various masters; then you should be able to move things around (this is assuming of course that you haven't exhausted the entire range).

ipa-replica-manage list will give you a list of the IPA masters.

ipa-replica-manage dnarange-show and ipa-replica-manage dnanextrange-show will help discover what is available.

If you have things in nextrange then I'd start there with reallocation. Setting a next range of 0-0 removes the next range (e.g. makes it available for a primary range).

Take care when actually re-assigning ranges.

rob

From mkosek at redhat.com Tue May 24 14:15:43 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 24 May 2016 16:15:43 +0200
Subject: [Freeipa-users] Error when adding new users via UI:
In-Reply-To: <57446030.60801@redhat.com>
References: <57446030.60801@redhat.com>
Message-ID:

On 05/24/2016 04:07 PM, Rob Crittenden wrote:
> Traiano Welcome wrote:
>> Hi
>>
>> I have IPA server 4.2 running on centos 7
>> (ipa-server-4.2.0-15.el7.centos.3.x86_64).
>>
>> This morning, after many months of stable operation, I tried to add a
>> user and got this error via the web interface:
>>
>> ---
>> Operations error: Allocation of a new value for range cn=posix
>> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
>> failed! Unable to proceed.
>> ---
>>
>> So basically, can't add any new users.
>>
>> Would anyone know how I can troubleshoot this kind of IPA error, or
>> possibly have come across and resolved it before ?
>
> At install a range of 100k ids is allocated to IPA. With each new master this
> range is divided in half. It appears you've exhausted one of the masters.
>
> What you need to do is take an inventory of what ranges (if any) are allocated
> to various masters then you should be able to move things around (this is
> assuming of course that you haven't exhausted the entire range).
>
> ipa-replica-manage list will give you a list of the IPA masters.
>
> ipa-replica-manage dnarange-show and ipa-replica-manage
> dnanextrange-show will help discover what is available.
>
> If you have things in nextrange then I'd start there with reallocation. Setting
> a next range of 0-0 removes the next range (e.g. make it available for a
> primary range).
>
> Take care when actually re-assigning ranges.
>
> rob
>

For the record, what currently did not work is when a user is being added on a master that does not have a direct replication connection to another master with an available range. This is improved from FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/4026

Martin

From charles.brooks at bia.gov Tue May 24 15:47:11 2016
From: charles.brooks at bia.gov (Brooks, Charles)
Date: Tue, 24 May 2016 15:47:11 +0000
Subject: [Freeipa-users] What is the correct repo for Centos 7.2(1511)
Message-ID:

How do I determine the correct repo to use for Centos 7.2.1511 ?
The only Centos 7 repos are marked "unofficial ... Use at your own risk".

The download page leads to
... https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3/
but that only has Fedora 23/24/Rawhide repos listed.

A search for "freeipa centos7 copr" goes to
... https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/
but that repo is build 124140 from 7 months ago.

Another Centos7 repo is at
... https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
for build 173456 about 2 months ago.

===============
Charles E. Brooks
Security Administrator
Computer Incident Response Team
Division of Information Security
Office of Information Technology
Bureau of Indian Affairs
12220 Sunrise Valley Drive
Reston, VA 20191
Office Phone: +1-703-390-6606
charles.brooks at bia.gov
From mbasti at redhat.com Tue May 24 16:06:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 24 May 2016 18:06:56 +0200
Subject: [Freeipa-users] What is the correct repo for Centos 7.2(1511)
In-Reply-To:
References:
Message-ID: <2e704a47-055b-4f9c-2884-2b0939979ac1@redhat.com>

On 24.05.2016 17:47, Brooks, Charles wrote:
>
> How do I determine the correct repo to use for Centos 7.2.1511?
> The only Centos 7 repos are marked "unofficial ... Use at your own risk".
>
> The download page leads to
> ... https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3/
> but that only has Fedora 23/24/Rawhide repos listed.
>
> A search for "freeipa centos7 copr" goes to
> ... https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/
> but that repo is build 124140 from 7 months ago.
>
> Another Centos7 repo is at
> ... https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
> for build 173456 about 2 months ago.
>
> Charles E. Brooks
>

Hello,

all copr repos are "Use at your own risk"

Supported IPA (4.2) is in default repositories.

IPA 4.3 (at your own risk) is at
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/

Martin
From pgb205 at yahoo.com Tue May 24 16:12:48 2016
From: pgb205 at yahoo.com (pgb205)
Date: Tue, 24 May 2016 16:12:48 +0000 (UTC)
Subject: [Freeipa-users] Forcing passync to periodically sync passwords
References: <1700203362.1517232.1464106368863.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1700203362.1517232.1464106368863.JavaMail.yahoo@mail.yahoo.com>

Currently passync is only triggered on the domain controller where the password change is made. Is there a way to trigger passync to run periodically and resend information to freeipa even if there are no changes?

From abokovoy at redhat.com Tue May 24 16:22:33 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 24 May 2016 19:22:33 +0300
Subject: [Freeipa-users] Forcing passync to periodically sync passwords
In-Reply-To: <1700203362.1517232.1464106368863.JavaMail.yahoo@mail.yahoo.com>
References: <1700203362.1517232.1464106368863.JavaMail.yahoo.ref@mail.yahoo.com> <1700203362.1517232.1464106368863.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160524162233.h5v7zf7kb2e3ehi2@redhat.com>

On Tue, 24 May 2016, pgb205 wrote:
>Currently passync is only triggered on the domain controller where the
>password change is made. Is there a way to trigger passync to run
>periodically and resend information to freeipa even if there are no
>changes?
Passsync implements an interface on AD DC side that is activated only when AD user changes the password. There is no way to access clear text password at other time.
--
/ Alexander Bokovoy

From pgb205 at yahoo.com Tue May 24 17:36:29 2016
From: pgb205 at yahoo.com (pgb205)
Date: Tue, 24 May 2016 17:36:29 +0000 (UTC)
Subject: [Freeipa-users] Forcing passync to periodically sync passwords
In-Reply-To: <20160524162233.h5v7zf7kb2e3ehi2@redhat.com>
References: <1700203362.1517232.1464106368863.JavaMail.yahoo.ref@mail.yahoo.com> <1700203362.1517232.1464106368863.JavaMail.yahoo@mail.yahoo.com> <20160524162233.h5v7zf7kb2e3ehi2@redhat.com>
Message-ID: <739594213.1602910.1464111389824.JavaMail.yahoo@mail.yahoo.com>

Alexander, thank you for such a quick reply.

The reason I'm looking at this is that I want to synchronize from AD to several FIPA domains, but as you mention it's only a 1-1 passync option. This results in my not being able to synchronize passwords to the second idm domain.

Other options I've considered are:

1. Run multiple instances of passsync on each DC. Both will intercept the password change but will send to different ipa replicas in different freeipa domains. From this link it doesn't seem to be possible however:
#48174 (RFE: Support for running multiple instances of the PassSync service) - 389 Project

2. Backing up/copying the freeipa database that does have user/pass to the second idm domain. This is not something I'm looking to do but if there is no other way I'd be willing to consider somehow grabbing files from ipa-repplica.domain.com and moving to ipa-server.example.net. Is this a route that's even worth looking into?

Any other options that you are aware of to make this setup possible?

1 AD -> FIPA1.com
     -> FIPA2.com
with password replication to both?
thanks

From: Alexander Bokovoy
To: pgb205
Cc: Freeipa-users
Sent: Tuesday, May 24, 2016 12:22 PM
Subject: Re: [Freeipa-users] Forcing passync to periodically sync passwords

On Tue, 24 May 2016, pgb205 wrote:
>Currently passync is only triggered on the domain controller where the
>password change is made. Is there a way to trigger passync to run
>periodically and resend information to freeipa even if there are no
>changes?
Passsync implements an interface on AD DC side that is activated only when AD user changes the password. There is no way to access clear text password at other time.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Tue May 24 17:50:29 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 24 May 2016 20:50:29 +0300
Subject: [Freeipa-users] Forcing passync to periodically sync passwords
In-Reply-To: <739594213.1602910.1464111389824.JavaMail.yahoo@mail.yahoo.com>
References: <1700203362.1517232.1464106368863.JavaMail.yahoo.ref@mail.yahoo.com> <1700203362.1517232.1464106368863.JavaMail.yahoo@mail.yahoo.com> <20160524162233.h5v7zf7kb2e3ehi2@redhat.com> <739594213.1602910.1464111389824.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160524175029.i67u6aw56fpiuocq@redhat.com>

On Tue, 24 May 2016, pgb205 wrote:
>Alexander, thank you for such a quick reply.
>The reason I'm looking at this is that I want to synchronize from AD to
>several FIPA domains, but as you mention it's only a 1-1 passync option.
>This results in my not being able to synchronize passwords to the second
>idm domain. Other options I've considered are:
>1. Run multiple instances of passsync on each DC. Both will intercept the
>password change but will send to different ipa replicas in different
>freeipa domains. From this link it doesn't seem to be possible however:
>#48174 (RFE: Support for running multiple instances of the PassSync service) -
>389 Project
>
>2. Backing up/copying the freeipa database that does have user/pass to the
>second idm domain. This is not something I'm looking to do but if there
>is no other way I'd be willing to consider somehow grabbing files from
>ipa-repplica.domain.com and moving to ipa-server.example.net. Is this a
>route that's even worth looking into? Any other options that you are
>aware of to make this setup possible?
>1 AD -> FIPA1.com
>     -> FIPA2.com
>with password replication to both?
I don't think it is possible to achieve what you want this way.

Why can't you go with a cross-forest trust? It doesn't need any replication as passwords will always be authenticated by AD. AD can have multiple forest trusts established so there is no problem with FIPA1.com, FIPA2.com, ..., FIPAN.com.

--
/ Alexander Bokovoy

From askstack at yahoo.com Tue May 24 18:45:45 2016
From: askstack at yahoo.com (Ask Stack)
Date: Tue, 24 May 2016 18:45:45 +0000 (UTC)
Subject: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab
In-Reply-To: <57445D9D.6070706@redhat.com>
References: <361801029.1315557.1464028262337.JavaMail.yahoo.ref@mail.yahoo.com> <361801029.1315557.1464028262337.JavaMail.yahoo@mail.yahoo.com> <57435296.3030502@redhat.com> <1389058644.1292312.1464032944247.JavaMail.yahoo@mail.yahoo.com> <574371AF.8000406@redhat.com> <48735154.1757078.1464095777671.JavaMail.yahoo@mail.yahoo.com> <57445D9D.6070706@redhat.com>
Message-ID: <294181123.2027710.1464115546113.JavaMail.yahoo@mail.yahoo.com>

Thank you.

On Tuesday, May 24, 2016 9:56 AM, Rob Crittenden wrote:

Ask Stack wrote:
> Sorry for asking the dumb question again. Where are the 389-ds logs? I
> can't find them in /var/log/ .
/var/log/dirsrv/slapd-REALM

What you'll want to look for is the BIND from the client and all results for that connection. The errors log tends to just log critical problems so it may not have much.

rob

>
> On Monday, May 23, 2016 5:10 PM, Rob Crittenden wrote:
>
> Ask Stack wrote:
>> Rob
>> Thanks for the reply.
>> I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
>> errors and /var/log/krb5kdc.log
>> Do you know which service is responsible for providing
>> "/etc/krb5.keytab" to the client?
>
> It uses an LDAP extended operation so 389-ds. Any errors would be in the
> KDC log or, more likely, in the 389-ds logs.
>
> rob
>
>>
>> On Monday, May 23, 2016 2:57 PM, Rob Crittenden wrote:
>>
>> Ask Stack wrote:
>>> My company's ipa-client-install fails very often. Debug logs show the
>>> process always failed at getting the /etc/krb5.keytab .
>>> Is there a way to modify the script to increase the number of attempts to
>>> create /etc/krb5.keytab ?
>>>
>>> I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
>>> host TGT (defaults to 5)." But it comes after setting up the
>>> "/etc/krb5.keytab" file.
>>> Thanks.
>>>
>>> server
>>> ipa-server-3.0.0-47.el6_7.1.x86_64
>>>
>>> client
>>> ipa-client-3.0.0-47.el6_7.2.x86_64
>>> ipa-client-3.0.0-50.el6.1.x86_64
>>>
>>> #SUCCESSFUL ATTEMPT
>>>
>>> Keytab successfully retrieved and stored in: /etc/krb5.keytab
>>> Certificate subject base is: O=TEST.COM
>>>
>>> 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
>>> 2016-05-23T14:40:49Z DEBUG args=kdestroy
>>> 2016-05-23T14:40:49Z DEBUG stdout=
>>> 2016-05-23T14:40:49Z DEBUG stderr=
>>>
>>> #FAILED ATTEMPT
>>>
>>> ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
>>> ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
>>> Certificate subject base is: O=TEST.COM
>>>
>>> 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
>>> 2016-05-23T14:37:08Z DEBUG args=kdestroy
>>> 2016-05-23T14:37:08Z DEBUG stdout=
>>> 2016-05-23T14:37:08Z DEBUG stderr=
>>
>> There is no retry capability and in some cases it would be impossible to
>> add (the one-time password case). Can you check /var/log/krb5kdc on the
>> IPA master it connected to, and the 389-ds access and errors logs as
>> well. Perhaps one of those will have more information on why things
>> failed.
>>
>> rob
>

From Lachlan.Simpson at petermac.org Tue May 24 23:21:49 2016
From: Lachlan.Simpson at petermac.org (Simpson Lachlan)
Date: Tue, 24 May 2016 23:21:49 +0000
Subject: [Freeipa-users] AD replication and password passthrough
In-Reply-To: <5434D6A65FEF2B428D5CC8D77FA7DA71608CCD3F@wexc201p.bsc.bscal.com>
References: <5434D6A65FEF2B428D5CC8D77FA7DA71608C8B07@wexc201p.bsc.bscal.com> <0137003026EBE54FBEC540C5600C03C4360804@PMC-EXMBX02.petermac.org.au> <5434D6A65FEF2B428D5CC8D77FA7DA71608CCD3F@wexc201p.bsc.bscal.com>
Message-ID: <0137003026EBE54FBEC540C5600C03C4360961@PMC-EXMBX02.petermac.org.au>

We were doing this by utilising overrides (changing user names, /home/s, etc), but I think we had to back out of that plan because we encountered issues. We may go back.

Using Host Based Access Control (HBAC) and sudo is a powerful set of tools.

What did you want to do that wasn't covered by those three?

L.
From: Redmond, Stacy [mailto:stacy.redmond at blueshieldca.com]
Sent: Wednesday, 25 May 2016 9:15 AM
To: Simpson Lachlan
Subject: RE: AD replication and password passthrough

I am replacing ODS, and would like to replicate AD (ad.foo.com) to my new IPA installation (ipa.foo.com), but in all the documentation it says I have to install passsync on AD to synchronize passwords. I would rather just tell ipa to authorize the user via password from AD. I have a one way trust setup now, just would rather have everything in IPA, but use AD passwords due to new requirements.

From: Simpson Lachlan [mailto:Lachlan.Simpson at petermac.org]
Sent: Tuesday, May 24, 2016 4:09 PM
To: Redmond, Stacy
Subject: RE: AD replication and password passthrough

It depends on what you mean.

If, by replication, you mean using FreeIPA as a backup AD server, it would need to be a two way trust.

If you have a separate subdomain, it's definitely possible with a one way trust.

Cheers
L.

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Redmond, Stacy
Sent: Tuesday, 24 May 2016 3:15 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] AD replication and password passthrough

Is there a way to set up replication from AD, and just use passthrough to AD for passwords, vs having to synchronize passwords? I am getting a lot of pushback from the AD team on installing the password sync software due to issues in the past. I would like to set up replication, but still use AD to authenticate passwords.

This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited.
Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.

From kliu at alumni.warwick.ac.uk Wed May 25 02:36:47 2016
From: kliu at alumni.warwick.ac.uk (Barry)
Date: Wed, 25 May 2016 10:36:47 +0800
Subject: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???
In-Reply-To: <57445ED2.10701@redhat.com>
References: <57445ED2.10701@redhat.com>
Message-ID:

Hi:

Which location should I renew the cert?
Http/alias
Etc/dirsrv/slapd*

Enough?

On 24 May 2016 at 10:01 PM, "Rob Crittenden" wrote:

> barrykfl at gmail.com wrote:
>
>> hi all:
>>
>> Thx as title
>>
>> ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to
>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to
>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>
>
> The root of all your problems is that your certificates are expired.
> Fixing this should be your priority. This is probably going to involve
> going back in time to when the certificates are still valid, restarting
> IPA, restarting certmonger and waiting for things to properly renew. It can
> take some time as the certificates don't all renew at once.
>
> I suspect that once renewed and returned to current time the rest of your
> problems will, for the most part, go away.
>
> rob
>

From mbasti at redhat.com Wed May 25 11:30:35 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 25 May 2016 13:30:35 +0200
Subject: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???
In-Reply-To:
References: <57445ED2.10701@redhat.com>
Message-ID:

On 25.05.2016 04:36, Barry wrote:
>
> Hi:
>
> Which location should I renew the cert?
> Http/alias
> Etc/dirsrv/slapd*
>
> Enough?
>

We need to know if you have IPA configured with
* an externally signed CA
* or a self-signed CA
* or if you have any other certificates from different CAs

If I remember correctly you wrote in one email that you have a certificate from godaddy, which certificate?

In case you have a self-signed CA certificate you should follow:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Martin

> On 24 May 2016 at 10:01 PM, "Rob Crittenden" wrote:
>
>     barrykfl at gmail.com wrote:
>
>         hi all:
>
>         Thx as title
>
>         ipa : ERROR cert validation failed for
>         "CN=server.abc.com,O=WISER S.COM"
>         ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>         preparation of replica failed: cannot connect to
>         'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>         (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>         cannot connect to
>         'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>         (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>
>     The root of all your problems is that your certificates are
>     expired. Fixing this should be your priority. This is probably
>     going to involve going back in time to when the certificates are
>     still valid, restarting IPA, restarting certmonger and waiting for
>     things to properly renew. It can take some time as the
>     certificates don't all renew at once.
>
>     I suspect that once renewed and returned to current time the rest
>     of your problems will, for the most part, go away.
>
>     rob
>

From peljasz at yahoo.co.uk Wed May 25 12:48:11 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 25 May 2016 13:48:11 +0100
Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
Message-ID: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk>

hi there,

I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca

installer fails at:

  [10/23]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
more from log:

2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
    chain = self.__get_ca_chain()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
    raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?

many thanks,
L.

From rcritten at redhat.com Wed May 25 13:19:04 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2016 09:19:04 -0400
Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
In-Reply-To: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk>
References: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk>
Message-ID: <5745A648.8020704@redhat.com>

lejeczek wrote:
> hi there,
>
> I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca
>
> installer fails at:
>
>   [10/23]: importing CA chain to RA certificate database
>   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
> Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> more from log:
>
> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
> certificate database
> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
>     method()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1015, in __import_ca_chain
>     chain = self.__get_ca_chain()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 997, in __get_ca_chain
>     raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>
> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA
> chain: [Errno 111] Connection refused
> 2016-05-25T12:38:31Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
>
> what might be the problem?

It is failing getting the CA chain from dogtag. It uses port 8080 by default. I'd check your firewall and that the remote CA is up.

I'm surprised the port checker didn't discover this if it is a firewall issue and that would be a bug (either the port not being checked or not using the proxy).
rob

From peljasz at yahoo.co.uk Wed May 25 14:37:49 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 25 May 2016 15:37:49 +0100
Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
In-Reply-To: <5745A648.8020704@redhat.com>
References: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk> <5745A648.8020704@redhat.com>
Message-ID:

On 25/05/16 14:19, Rob Crittenden wrote:
> lejeczek wrote:
>> hi there,
>>
>> I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca
>>
>> installer fails at:
>>
>>   [10/23]: importing CA chain to RA certificate database
>>   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
>> Connection refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> more from log:
>>
>> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
>> certificate database
>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 1015, in __import_ca_chain
>>     chain = self.__get_ca_chain()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 997, in __get_ca_chain
>>     raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>
>> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA
>> chain: [Errno 111] Connection refused
>> 2016-05-25T12:38:31Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>> execute
>>
>> what might be the problem?
>
> It is failing getting the CA chain from dogtag.
> It uses port 8080 by default. I'd check your firewall and that the
> remote CA is up.
>
thanks Rob,
I opened 8080/tcp (it was closed) but I still get a failure, a different error though:

  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist
and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn    : ERROR    ....... server failed to restart

2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:

can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 - why does the installer complain about it being used and I have to change the port for the installer to start?

> I'm surprised the port checker didn't discover this if it
> is a firewall issue and that would be a bug (either the
> port not being checked or not using the proxy).
>
> rob

From erik at infochimps.com Wed May 25 14:43:55 2016
From: erik at infochimps.com (Erik Mackdanz)
Date: Wed, 25 May 2016 09:43:55 -0500
Subject: [Freeipa-users] Mostly working trust, SSH failure [SOLVED]
Message-ID:

On Mon, May 23, 2016 at 4:26 PM, Rob Crittenden wrote:
> https://lists.fedorahosted.org/archives/list/sssd-devel at lists.fedorahosted.org/thread/TUZ6ZWLRZ6QSMUHV44PRT75T6OVBGILK/

This was exactly our issue. We were able to build a patched version, and our forest AD user could log in successfully.

Many thanks Jakub, Rob, and the rest of the freeipa/sssd communities!
Erik

From jhrozek at redhat.com Wed May 25 14:50:54 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 25 May 2016 16:50:54 +0200
Subject: [Freeipa-users] Mostly working trust, SSH failure [SOLVED]
In-Reply-To:
References:
Message-ID: <20160525145054.GG28297@hendrix>

On Wed, May 25, 2016 at 09:43:55AM -0500, Erik Mackdanz wrote:
> On Mon, May 23, 2016 at 4:26 PM, Rob Crittenden wrote:
> > https://lists.fedorahosted.org/archives/list/sssd-devel at lists.fedorahosted.org/thread/TUZ6ZWLRZ6QSMUHV44PRT75T6OVBGILK/
>
> This was exactly our issue. We were able to build a patched version,
> and our forest AD user could log in successfully.
>
> Many thanks Jakub, Rob, and the rest of the freeipa/sssd communities!
> Erik

I'm glad it works now, although the credit goes to Sumit who actually found and fixed the issue.

FWIW, I just submitted the fixed build for RHEL-7.2 testing, if that goes well, the fix should appear in the next RHEL-7.2 batch of updates.
From rcritten at redhat.com Wed May 25 15:46:44 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2016 11:46:44 -0400
Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
In-Reply-To:
References: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk> <5745A648.8020704@redhat.com>
Message-ID: <5745C8E4.1050106@redhat.com>

lejeczek wrote:
>
> On 25/05/16 14:19, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi there,
>>>
>>> I'm trying to set up a replica with: --setup-dns --no-forwarders
>>> --setup-ca
>>>
>>> installer fails at:
>>>
>>>   [10/23]: importing CA chain to RA certificate database
>>>   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
>>> Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> more from log:
>>>
>>> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA
>>> certificate database
>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 418, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 408, in run_step
>>>     method()
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>> 1015, in __import_ca_chain
>>>     chain = self.__get_ca_chain()
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>>> 997, in __get_ca_chain
>>>     raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection
>>> refused
>>>
>>> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA
>>> chain: [Errno 111] Connection refused
>>> 2016-05-25T12:38:31Z DEBUG   File
>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>> execute
>>>
>>> what might be the problem?
>>
>> It is failing getting the CA chain from dogtag. It uses port 8080 by
>> default. I'd check your firewall and that the remote CA is up.
>>
> thanks Rob,
> I opened 8080/tcp (it was closed) but I still get a failure, a different
> error though:
>
>   [2/23]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpY2oGh1'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
>
> I noticed - /var/log/pki-ca-install.log does NOT exist
> and log file:
>
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
> 2016-05-25T14:12:21Z DEBUG
> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn    : ERROR    ....... server failed to restart
>
> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero
> exit status 1
> 2016-05-25T14:12:21Z CRITICAL See the installation logs and the
> following files/directories for more information:

You need to look in those files/directories for more details. Dogtag doesn't return much on failures and we display what we have but all the real meat is in those logs.

> can I ask a question?
- my nss.conf is pretty plain-vanilla, uses :443 - > why does installer complain about it being used and I have to change the > port for installer to start? Because there is no easy way to determine what is using that port. If it is mod_ssl or some other web server instead then things go sideways pretty fast. rob > >> I'm surprised the port checker didn't discover this if it is a >> firewall issue and that would be a bug (either the port not being >> checked or not using the proxy). >> >> rob > From peljasz at yahoo.co.uk Wed May 25 18:49:09 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Wed, 25 May 2016 19:49:09 +0100 Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain In-Reply-To: <5745C8E4.1050106@redhat.com> References: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk> <5745A648.8020704@redhat.com> <5745C8E4.1050106@redhat.com> Message-ID: On 25/05/16 16:46, Rob Crittenden wrote: > lejeczek wrote: >> >> >> On 25/05/16 14:19, Rob Crittenden wrote: >>> lejeczek wrote: >>>> hi there, >>>> >>>> I'm trying to set up a replica with: --setup-dns >>>> --no-forwarders >>>> --setup-ca >>>> >>>> installer fails at: >>>> >>>> [10/23]: importing CA chain to RA certificate database >>>> [error] RuntimeError: Unable to retrieve CA chain: >>>> [Errno 111] >>>> Connection refused >>>> Your system may be partly configured. >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. 
>>>> >>>> more from log: >>>> >>>> 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA >>>> chain to RA >>>> certificate database >>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call >>>> last): >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> >>>> line 418, in start_creation >>>> run_step(full_msg, method) >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> >>>> line 408, in run_step >>>> method() >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line >>>> 1015, in __import_ca_chain >>>> chain = self.__get_ca_chain() >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line >>>> 997, in __get_ca_chain >>>> raise RuntimeError("Unable to retrieve CA chain: >>>> %s" % str(e)) >>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] >>>> Connection >>>> refused >>>> >>>> 2016-05-25T12:38:31Z DEBUG [error] RuntimeError: >>>> Unable to retrieve CA >>>> chain: [Errno 111] Connection refused >>>> 2016-05-25T12:38:31Z DEBUG File >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", >>>> line 171, in >>>> execute >>>> >>>> what might be the problem? >>> >>> It is failing getting the CA chain from dogtag. It uses >>> port 8080 by >>> default. I'd check your firewall and that the remote CA >>> is up. 
>>> >> thanks Rob, >> I opened 8080/tcp (it was closed) but still a failure I >> get, different >> error though: >> >> [2/23]: configuring certificate server instance >> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >> Failed to >> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' >> 'CA' '-f' >> '/tmp/tmpY2oGh1'' returned non-zero exit status 1 >> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See >> the >> installation logs and the following files/directories for >> more information: >> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >> /var/log/pki-ca-install.log >> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >> /var/log/pki/pki-tomcat >> [error] RuntimeError: CA configuration failed. >> >> I noticed - /var/log/pki-ca-install.log does NOT exist >> and log file: >> >> Storing deployment configuration into >> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. >> Installation failed. >> 2016-05-25T14:12:21Z DEBUG >> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: >> I >> nsecureRequestWarning: Unverified HTTPS request is being >> made. Adding >> certificate verification is s >> trongly advised. See: >> https://urllib3.readthedocs.org/en/latest/security.html >> InsecureRequestWarning) >> pkispawn : ERROR ....... server failed to restart >> >> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA >> instance: Command >> ''/usr/sbin/pkispawn' '-s' ' >> CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1 >> 2016-05-25T14:12:21Z CRITICAL See the installation logs >> and the >> following files/directories for mor >> e information: > > You need to look in those files/directories for more > details. Dogtag doesn't return much on failures and we > display what we have but all the real meat is in those logs. > >> can I ask a question? - my nss.conf is pretty >> plain-vanilla, uses :443 - >> why does installer complain about it being used and I >> have to change the >> port for installer to start? 
>
> Because there is no easy way to determine what is using
> that port. If it is mod_ssl or some other web server
> instead then things go sideways pretty fast.
>
but will it all not break precisely because I have to change port? I then take a glance and see https:/// only and the installer does not take that port into account, so how will whole IPA work if nss listens on non-standard port?

regards

> rob
>
>>
>>> I'm surprised the port checker didn't discover this if it is a
>>> firewall issue and that would be a bug (either the port not being
>>> checked or not using the proxy).
>>>
>>> rob
>>
>

From rcritten at redhat.com Wed May 25 19:27:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2016 15:27:35 -0400
Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
In-Reply-To:
References: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk> <5745A648.8020704@redhat.com> <5745C8E4.1050106@redhat.com>
Message-ID: <5745FCA7.4020705@redhat.com>

lejeczek wrote:
>
>
> On 25/05/16 16:46, Rob Crittenden wrote:
>> lejeczek wrote:
>>>
>>>
>>> On 25/05/16 14:19, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> hi there,
>>>>>
>>>>> I'm trying to set up a replica with: --setup-dns --no-forwarders
>>>>> --setup-ca
>>>>>
>>>>> installer fails at:
>>>>>
>>>>> [10/23]: importing CA chain to RA certificate database
>>>>> [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]
>>>>> Connection refused
>>>>> Your system may be partly configured.
>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>> >>>>> more from log: >>>>> >>>>> 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA >>>>> certificate database >>>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last): >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line 418, in start_creation >>>>> run_step(full_msg, method) >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line 408, in run_step >>>>> method() >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>>> line >>>>> 1015, in __import_ca_chain >>>>> chain = self.__get_ca_chain() >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>>> line >>>>> 997, in __get_ca_chain >>>>> raise RuntimeError("Unable to retrieve CA chain: %s" % str(e)) >>>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection >>>>> refused >>>>> >>>>> 2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to >>>>> retrieve CA >>>>> chain: [Errno 111] Connection refused >>>>> 2016-05-25T12:38:31Z DEBUG File >>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line >>>>> 171, in >>>>> execute >>>>> >>>>> what might be the problem? >>>> >>>> It is failing getting the CA chain from dogtag. It uses port 8080 by >>>> default. I'd check your firewall and that the remote CA is up. 
>>>> >>> thanks Rob, >>> I opened 8080/tcp (it was closed) but still a failure I get, different >>> error though: >>> >>> [2/23]: configuring certificate server instance >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to >>> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' >>> '/tmp/tmpY2oGh1'' returned non-zero exit status 1 >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the >>> installation logs and the following files/directories for more >>> information: >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >>> /var/log/pki-ca-install.log >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >>> /var/log/pki/pki-tomcat >>> [error] RuntimeError: CA configuration failed. >>> >>> I noticed - /var/log/pki-ca-install.log does NOT exist >>> and log file: >>> >>> Storing deployment configuration into >>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. >>> Installation failed. >>> 2016-05-25T14:12:21Z DEBUG >>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: I >>> nsecureRequestWarning: Unverified HTTPS request is being made. Adding >>> certificate verification is s >>> trongly advised. See: >>> https://urllib3.readthedocs.org/en/latest/security.html >>> InsecureRequestWarning) >>> pkispawn : ERROR ....... server failed to restart >>> >>> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command >>> ''/usr/sbin/pkispawn' '-s' ' >>> CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1 >>> 2016-05-25T14:12:21Z CRITICAL See the installation logs and the >>> following files/directories for mor >>> e information: >> >> You need to look in those files/directories for more details. Dogtag >> doesn't return much on failures and we display what we have but all >> the real meat is in those logs. >> >>> can I ask a question? 
>>> - my nss.conf is pretty plain-vanilla, uses :443 -
>>> why does installer complain about it being used and I have to change the
>>> port for installer to start?
>>
>> Because there is no easy way to determine what is using that port. If
>> it is mod_ssl or some other web server instead then things go sideways
>> pretty fast.
>>
> but will it all not break precisely because I have to change port? I
> then take a glance and see https:/// only and the installer does not take that
> port into account, so how will whole IPA work if nss listens on
> non-standard port?

I'm not sure I follow. The installer will (or should) change nss.conf to listen on 443. The default is 8443.

If you take a vanilla instance and install mod_ssl and mod_nss on it then Apache will listen on ports 443 and 8443. IPA requires mod_nss to listen on 443 so the install will fail. This is what we are trying to prevent. It isn't a mod_nss or mod_ssl issue but only one thing can listen on any given port.

The installer looks at things just enough to detect that something might be wrong and it blows up so it can be manually addressed because whatever we did automatically would be wrong and potentially catastrophic for somebody's use case.

rob

From bob at jackland.demon.co.uk Wed May 25 19:51:35 2016
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Wed, 25 May 2016 20:51:35 +0100
Subject: [Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication
Message-ID:

Hello,

We are trying to get Zenoss login authentication to use freeipa over LDAP. Group mappings don't currently work and we think this is because Zenoss requires the groupOfUniqueNames object class.
I managed to add the object class to a test VM using vsphere_groupmod.ldif taken from http://www.freeipa.org/page/HowTo/vsphere5_integration

- content of vsphere_groupmod.ldif -

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")

- apply with -

ldapmodify -x -D "cn=Directory Manager" -f vsphere_groupmod.ldif -W

However, the following command seemed to freeze -

ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember

and I had to kill it then subsequent ldapsearch commands froze. Rebooting the VM seemed to fix things and the groupOfUniqueNames object class appeared in the schema.

I'd like to apply this to our live system which uses a master and two replicas running IPA v4.2.0 on RHEL 7.2. Do I need to make the same change to all three servers? Can I leave the replicas connected or do I need to break the replication and re-establish it? Do I need the "ipa permission-mod" if so then how do I avoid it freezing?

Many thanks

Bob Hinton

From barrykfl at gmail.com Thu May 26 03:44:39 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Thu, 26 May 2016 11:44:39 +0800
Subject: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???
In-Reply-To:
References: <57445ED2.10701@redhat.com>
Message-ID:

externally signed CA - Godaddy Expired.

Already add new to db /etc/https/alias / -L and config nickname map in /etc/http/config.d/nss.conf

Already Import to /etc/slapd/PKI-IPA ...where nickname I should point to?

Already change /etc/dirsrv/slapd-ABC-COM and nickname map in dse.ldif

Start stop IPA no cert issue. but server ipa prepare fail.

IPA replica still say cert expiry, any where I missed?
Thanks

2016-05-25 19:30 GMT+08:00 Martin Basti :

>
>
> On 25.05.2016 04:36, Barry wrote:
>
> Hi:
>
> Which location i should renew cert?
> Http/alias
> Etc/dirsrv/slapd*
>
> Enough?
>
>
> We need to know if you have IPA configured with
> * externally signed CA
> * or selfsigned CA
> * or if you have any other certificates from different CAs
>
> If I remember correctly you wrote in one email that you have a certificate
> from godaddy, which certificate?
>
> In case you have self signed CA certificate you should follow:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> Martin
>
> On 24 May 2016 at 10:01 PM, "Rob Crittenden" wrote:
>
>> barrykfl at gmail.com wrote:
>>
>>> hi all:
>>>
>>>
>>> Thx ad title
>>>
>>> ipa : ERROR cert validation failed for "CN=server.abc.com
>>> ,O=WISER S.COM "
>>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>>> preparation of replica failed: cannot connect to
>>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>> cannot connect to
>>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>>
>>
>> The root of all your problems is that your certificates are expired.
>> Fixing this should be your priority. This is probably going to involve
>> going back in time to when the certificates are still valid, restarting
>> IPA, restarting certmonger and waiting for things to properly renew. It can
>> take some time as the certificates don't all renew at once.
>>
>> I suspect that once renewed and returned to current time the rest of your
>> problems will, for the most part, go away.
>>
>> rob
>>
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
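Rob's diagnosis above is expired certificates that certmonger has to start renewing again. As an added example that is not part of the thread, here is a stdlib-only Python checker for `ipa-getcert list` output (the format quoted later in this archive) that flags tracking requests which are expired, close to expiry, stuck, not in MONITORING state, or not set to auto-renew; the request IDs, paths and dates in the sample are constructed.

```python
"""Flag risky certmonger tracking requests from `ipa-getcert list` output.

Added example, not from the thread. SAMPLE_OUTPUT is constructed in the
format `ipa-getcert list` prints; its request IDs, paths and dates are made up.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20150419153933':
    status: MONITORING
    stuck: no
    certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
    CA: IPA
    subject: CN=mail1.example.com,O=EXAMPLE.COM
    expires: 2017-04-19 15:39:35 UTC
    track: yes
    auto-renew: yes
Request ID '20150419153934':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2016-05-01 10:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20150419153935':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2016-06-10 08:00:00 UTC
    track: yes
    auto-renew: no
"""

# Date of the thread, used as a fixed "now" for the demo below.
THREAD_DATE = datetime(2016, 5, 26, tzinfo=timezone.utc)
REQUEST_RE = re.compile(r"Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the printed field names."""
    requests, current = [], None
    for raw in text.splitlines():
        match = REQUEST_RE.match(raw)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # header line before the first request
        key, sep, value = raw.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Parse the 'expires' field ('YYYY-MM-DD HH:MM:SS UTC'); None if empty."""
    if not value:
        return None
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_tracking(requests, now, warn_days=30):
    """Return (request_id, subject, reasons) for each request needing attention:
    expired or expiring within warn_days, stuck, not MONITORING, or auto-renew
    off (certmonger will never renew that one by itself)."""
    findings = []
    for req in requests:
        reasons = []
        expires = parse_expiry(req.get("expires", ""))
        if expires is None:
            reasons.append("no expiry recorded")
        elif expires <= now:
            reasons.append("expired on %s" % expires.date())
        elif expires - now <= timedelta(days=warn_days):
            reasons.append("expires in %d days" % (expires - now).days)
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if req.get("status") != "MONITORING":
            reasons.append("status %s" % req.get("status", "unknown"))
        if req.get("auto-renew") != "yes":
            reasons.append("auto-renew disabled")
        if reasons:
            findings.append((req["request_id"], req.get("subject", "?"), reasons))
    return findings


if __name__ == "__main__":
    # Real use: feed the text of `ipa-getcert list` and datetime.now(timezone.utc).
    for request_id, subject, reasons in check_tracking(parse_getcert_list(SAMPLE_OUTPUT), THREAD_DATE):
        print("%s (%s): %s" % (request_id, subject, "; ".join(reasons)))
```

Against a live server, pass the captured `ipa-getcert list` text and the current UTC time to `check_tracking` instead of the constructed sample.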
From gjn at gjn.priv.at Thu May 26 05:42:42 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 26 May 2016 07:42:42 +0200
Subject: [Freeipa-users] mod_nss FreeIPA
Message-ID: <9097789.25kNdePVmS@techz>

Hello,

can anyone help to find the correct way to configure a Webserver with IPA. (mod_nss)

I can't create a correct DB in /etc/httpd/alias

I search on the INet and read the install Log from ipa-server but it is not possible for me to find a working way :-(.

Thanks for an answer ?

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From gjn at gjn.priv.at Thu May 26 06:01:08 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 26 May 2016 08:01:08 +0200
Subject: [Freeipa-users] DNSSEC Problem with Ipa-server (ldap?)
Message-ID: <9511190.FBU49x7kfW@techz>

Hello,

I installed the DNS-Module for IPA Server (update to 4.3.1, info from the List)

But now I have missing Entry in the Zone File (?) I have no signed "A" or "AAAA" Entries in the Zone File?

My test for This Domain on "http://dnsviz.net

I Have entry for /MX, /SOA, /TXT, /NS, but I miss /A, /AAAA

Is this problem known ?

Thanks for an answer,

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From dkupka at redhat.com Thu May 26 06:09:17 2016
From: dkupka at redhat.com (David Kupka)
Date: Thu, 26 May 2016 08:09:17 +0200
Subject: [Freeipa-users] mod_nss FreeIPA
In-Reply-To: <9097789.25kNdePVmS@techz>
References: <9097789.25kNdePVmS@techz>
Message-ID: <2422e6da-20b3-89d3-9ea5-78c407d41f62@redhat.com>

On 26/05/16 07:42, Günther J. Niederwimmer wrote:
> Hello,
>
> can anyone help to find the correct way to configure a Webserver with IPA.
> (mod_nss)
>
> I can't create a correct DB in /etc/httpd/alias
>
> I search on the INet and read the install Log from ipa-server but it is
> not possible for me to find a working way :-(.
>
> Thanks for an answer ?
>

Hello Günther,

I'm not sure if I understand your question.
What I take from your message is:

I want an IPA webserver with NSSDB in /etc/httpd/alias.

The answer then is:

ipa-server-install creates that DB for apache and populates it with certificates. So there is nothing to do.

From one of my test servers:

# certutil -d /etc/httpd/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
Signing-Cert                                                 u,u,u

If this is not what you were asking please try to explain what you want to achieve with more details.

--
David Kupka

From abokovoy at redhat.com Thu May 26 06:41:38 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 26 May 2016 09:41:38 +0300
Subject: [Freeipa-users] mod_nss FreeIPA
In-Reply-To: <9097789.25kNdePVmS@techz>
References: <9097789.25kNdePVmS@techz>
Message-ID: <20160526064138.b4k5fa6n67myiitl@redhat.com>

On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
>Hello,
>
>can anyone help to find the correct way to configure a Webserver with IPA.
>(mod_nss)
>
>I can't create a correct DB in /etc/httpd/alias
>
>I search on the INet and read the install Log from ipa-server but it is
>not possible for me to find a working way :-(.
So you want to set up a web server on an IPA client and have this web server to use mod_nss with certificates from IPA CA?

--
/ Alexander Bokovoy

From gjn at gjn.priv.at Thu May 26 06:46:34 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 26 May 2016 08:46:34 +0200
Subject: [Freeipa-users] mod_nss FreeIPA
In-Reply-To: <2422e6da-20b3-89d3-9ea5-78c407d41f62@redhat.com>
References: <9097789.25kNdePVmS@techz> <2422e6da-20b3-89d3-9ea5-78c407d41f62@redhat.com>
Message-ID: <20626294.S5YAPZUdxV@techz>

Hello David,

On Thursday, 26 May 2016, 08:09:17 CEST, David Kupka wrote:
> On 26/05/16 07:42, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > can anyone help to find the correct way to configure a Webserver with IPA.
> > (mod_nss)
> >
> > I can't create a correct DB in /etc/httpd/alias
> >
> > I search on the INet and read the install Log from ipa-server but it is
> > not possible for me to find a working way :-(.
> >
> > Thanks for an answer ?
>
> Hello Günther,
>
> I'm not sure if I understand your question. What I take from your message is:
>
> I want an IPA webserver with NSSDB in /etc/httpd/alias.

;-) No and Yes.

I want a new WEBSERVER on an ipa-client with IPA Certificate ? Afterward I like to create a "DANE" Entry from this Certificate for this webserver ? But I fail with the first configuration

> The answer then is:
>
> ipa-server-install creates that DB for apache and populates it with
> certificates. So there is nothing to do.

Yes, and I can't find the way IPA creates this ...

> From one of my test servers:
>
> # certutil -d /etc/httpd/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> EXAMPLE.TEST IPA CA                                          CT,C,C
> Signing-Cert                                                 u,u,u
>
>
> If this is not what you were asking please try to explain what you want
> to achieve with more details.

Thanks David for the answer,

I have on the Master also

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
XXXX.XXX CA                                                  CT,C,C

and on the replica this,

Server-Cert                                                  u,u,u
XXXX.XXX IPA CA                                              CT,C,C
ipaCert                                                      u,u,u

I mean I must have a NSSDB like this from the replica, on my Webserver ?

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From gjn at gjn.priv.at Thu May 26 06:52:37 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 26 May 2016 08:52:37 +0200
Subject: [Freeipa-users] mod_nss FreeIPA
In-Reply-To: <20160526064138.b4k5fa6n67myiitl@redhat.com>
References: <9097789.25kNdePVmS@techz> <20160526064138.b4k5fa6n67myiitl@redhat.com>
Message-ID: <2914147.j8ki2yQYsR@techz>

Hello Alexander,

On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >Hello,
> >
> >can anyone help to find the correct way to configure a Webserver with IPA.
> >(mod_nss)
> >
> >I can't create a correct DB in /etc/httpd/alias
> >
> >I search on the INet and read the install Log from ipa-server but it is
> >not possible for me to find a working way :-(.
>
> So you want to set up a web server on an IPA client and have this web
> server to use mod_nss with certificates from IPA CA?

YES.... YES...... ;-)

You have 100 Points ..... ;-)

Thanks

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From abokovoy at redhat.com Thu May 26 07:01:41 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 26 May 2016 10:01:41 +0300
Subject: [Freeipa-users] mod_nss FreeIPA
In-Reply-To: <2914147.j8ki2yQYsR@techz>
References: <9097789.25kNdePVmS@techz> <20160526064138.b4k5fa6n67myiitl@redhat.com> <2914147.j8ki2yQYsR@techz>
Message-ID: <20160526070141.qmgyat2yotdrpfho@redhat.com>

On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
>Hello Alexander,
>
>On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
>> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
>> >Hello,
>> >
>> >can anyone help to find the correct way to configure a Webserver with IPA.
>> >(mod_nss)
>> >
>> >I can't create a correct DB in /etc/httpd/alias
>> >
>> >I search on the INet and read the install Log from ipa-server but it is
>> >not possible for me to find a working way :-(.
>>
>> So you want to set up a web server on an IPA client and have this web
>> server to use mod_nss with certificates from IPA CA?
>
>YES.... YES...... ;-)
>
>You have 100 Points ..... ;-)
You have two options: mod_ssl and mod_nss.
For mod_ssl we have it documented:
http://www.freeipa.org/page/Apache_SNI_With_Kerberos

For mod_nss it is mostly the same except that mod_nss brings working nss configuration in the rpm package already and all you need is to initialize NSS database in /etc/httpd/alias.
Use instructions to setup SSL from
http://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA

while the page above contains full MediaWiki setup, the MediaWiki part is isolated and the rest is basically the same for any mod_nss based web server.

--
/ Alexander Bokovoy

From pspacek at redhat.com Thu May 26 08:11:59 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 26 May 2016 10:11:59 +0200
Subject: [Freeipa-users] DNSSEC Problem with Ipa-server (ldap?)
In-Reply-To: <9511190.FBU49x7kfW@techz>
References: <9511190.FBU49x7kfW@techz>
Message-ID: <61aa0eef-cdd5-c96e-54df-2be354061e69@redhat.com>

On 26.5.2016 08:01, Günther J. Niederwimmer wrote:
> Hello,
> I installed the DNS-Module for IPA Server (update to 4.3.1, info from the
> List)
>
> But now I have missing Entry in the Zone File (?) I have no signed "A" or
> "AAAA" Entries in the Zone File?
>
> My test for This Domain on "http://dnsviz.net
>
> I Have entry for /MX, /SOA, /TXT, /NS, but I miss /A, /AAAA
>
> Is this problem known ?

Hello,

can you be more specific? What exactly do you see and what is the problem?

It would be good to compare output from command "ipa dnsrecord-show" with output from "dig" command and see if there are any differences.

--
Petr^2 Spacek

From gjn at gjn.priv.at Thu May 26 09:00:06 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 26 May 2016 11:00:06 +0200
Subject: [Freeipa-users] mod_nss FreeIPA
In-Reply-To: <20160526070141.qmgyat2yotdrpfho@redhat.com>
References: <9097789.25kNdePVmS@techz> <2914147.j8ki2yQYsR@techz> <20160526070141.qmgyat2yotdrpfho@redhat.com>
Message-ID: <3826238.8Nfl2VEUZx@techz>

Hello Alexander,

Thanks for the links, I hope it is possible for me to install it correctly ?

The next question is, is it possible to integrate this in an owncloud installation ?

This is the Background, to create this webserver for owncloud and with users from IPA ?

A hard way ......... ;-).

On Thursday, 26 May 2016, 10:01:41 CEST, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >Hello Alexander,
> >
> >On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
> >> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >> >Hello,
> >> >
> >> >can anyone help to find the correct way to configure a Webserver with IPA.
> >> >(mod_nss)
> >> >
> >> >I can't create a correct DB in /etc/httpd/alias
> >> >
> >> >I search on the INet and read the install Log from ipa-server but it is
> >> >not possible for me to find a working way :-(.
> >>
> >> So you want to set up a web server on an IPA client and have this web
> >> server to use mod_nss with certificates from IPA CA?
> >
> >YES.... YES...... ;-)
> >
> >You have 100 Points ..... ;-)
>
> You have two options: mod_ssl and mod_nss.
> For mod_ssl we have it documented:
> http://www.freeipa.org/page/Apache_SNI_With_Kerberos
>
> For mod_nss it is mostly the same except that mod_nss brings working nss
> configuration in the rpm package already and all you need is to
> initialize NSS database in /etc/httpd/alias.
>
> Use instructions to setup SSL from
> http://www.freeipa.org/page/Setting_up_MediaWiki_to_run_against_FreeIPA
>
> while the page above contains full MediaWiki setup, the MediaWiki part
> is isolated and the rest is basically the same for any mod_nss based web
> server.

Thanks for the help,

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From piolet.y at gmail.com Thu May 26 10:08:11 2016
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Thu, 26 May 2016 12:08:11 +0200
Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates
In-Reply-To:
References: <1459106087.18839.25.camel@stefany.eu> <20160331074157.GA18277@dhcp-40-8.bne.redhat.com> <20160510105533.GQ1237@dhcp-40-8.bne.redhat.com> <20160510130116.GR1237@dhcp-40-8.bne.redhat.com>
Message-ID:

Hi there,

For your information: I just realised today that the certificate signing using web interface was still broken.

I've got 3 caIPAserviceCert.cfg files on my system:

Locate caIPAserviceCert.cfg output

1. New profile: /usr/share/ipa/profiles/caIPAserviceCert.cfg
2. Old broken profile: /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
3. Old broken profile: /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg

LDAP profile version was not OK, back to the older version of profile. I fixed it back.

> FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> which stores profile configuration in LDAP.
>

I think my Dogtag (in IPA web interface) was still using the files (and replacing the LDAP entry after a while? Or did it happen when I added a new replica?).

I've replaced:

2. /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
3. /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg

with new profile versions.

Now everything works, including the web interface. I'll let you know if my profile got changed back again in LDAP after a while, but I guess now I replaced the files there are no risks. I wonder if

Thanks again for your previous help Fraser, I hope this information may help you find the bug that could be related to replica installation with old profiles still present in master filesystem.

Cheers,

--
Youenn Piolet
piolet.y at gmail.com

2016-05-10 16:23 GMT+02:00 Youenn PIOLET :

> Thank you so much Fraser,
> My PKI is now working perfectly!
>
> Cheers
>
> --
> Youenn Piolet
> piolet.y at gmail.com
>
>
> 2016-05-10 15:01 GMT+02:00 Fraser Tweedale :
>
>> On Tue, May 10, 2016 at 02:33:43PM +0200, Youenn PIOLET wrote:
>> > Hi Fraser, thanks a lot for your quick reply!
>> >
>> > > Could you confirm whether you are on RHEL / CentOS 7.2, and if so,
>> > > whether it was installed at 7.2 or an upgrade from 7.1 or an earlier
>> > > version?
>> > >
>> >
>> > This is a replica that was previously installed in CentOS 7.1.
>> > I don't exactly remember but I think I used COPR repository to install
>> > FreeIPA 4.2 and then upgraded CentOS to 7.2.
>> >
>> > Also, I remember my pki got broken after upgrading this replica in 7.2. I
>> > had to renew the replica's certificate and force-sync to successfully
>> > launch pki-tomcatd. Now this replica is my pki master.
>> >
>> Thanks for the background. Every piece of evidence can help find
>> the bug :)
>>
>> >
>> > > > ### certprofile
>> > > > $ ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert
>> > > > -----------------------------------------------------------
>> > > > Profile configuration stored in file 'caIPAserviceCert.cfg'
>> > > > -----------------------------------------------------------
>> > > >   Profile ID: caIPAserviceCert
>> > > >   Profile description: Standard profile for network services
>> > > >   Store issued certificates: TRUE
>> > > >
>> > > You do not include the caIPAserviceCert.cfg in the diffs below,
>> > > however, I suspect you will find it to be identical to
>> > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg. Could you
>> > > please confirm this?
>> > >
>> >
>> > Ah true... I did not realise I was actually writing a new file!
>> > And you're right, diff is the same (except 2 profileId/classId lines that
>> > don't exist in template + enableBy that differs)
>> >
>> > > FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
>> > > which stores profile configuration in LDAP. The file output by the
>> > > ``ipa certprofile-show`` command will have come from LDAP; this is
>> > > the version that's actually in use in your IPA installation.
>> > >
>> >
>> > Thanks a lot for your answers.
>> >
>> > So now, what would you suggest I do?
>> > Replace my /tmp/caIPAserviceCert.cfg with your suggested values and import
>> > to LDAP ?
>> >
>> I'd recommend copying the IPA template from
>> /usr/share/ipa/profiles/caIPAserviceCert.cfg, then filling out the
>> params manually and updating the profile. There are four config
>> params that require substitutions; fill them out like below:
>>
>> - policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, o=YOUR-DOMAIN
>>
>> (note the SINGLE '$'s; they are double '$$' in the template)
>>
>> - policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.YOUR-DOMAIN/ca/ocsp
>>
>> - policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
>>
>> - policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.YOUR-DOMAIN/ipa/crl/MasterCRL.bin
>>
>> Leave other values unchanged. Import the updated profile by
>> running:
>>
>>   ipa certprofile-mod caIPAserviceCert --file new.cfg
>>
>> Then certificates should be issued as expected.
>> >> Cheers, >> Fraser >> >> >> > Cheers, >> > >> > >> > > > And a diff between them : >> > > > >> > > > $ diff /usr/share/ipa/profiles/caIPAserviceCert.cfg >> > > > /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg >> > > > 1,2d0 >> > > > < profileId=caIPAserviceCert >> > > > < classId=caEnrollImpl >> > > > 15c13 >> > > > < policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 >> > > > --- >> > > > > policyset.serverCertSet.list=1,2,3,4,5,6,7,8 >> > > > 22c20 >> > > > < policyset.serverCertSet.1.default.params.name=CN=$$ >> > > > request.req_subject_name.cn$$, $SUBJECT_DN_O >> > > > --- >> > > > > policyset.serverCertSet.1.default.params.name=CN=$ >> > > > request.req_subject_name.cn$, OU=pki-ipa, O=IPA >> > > > 48c46 >> > > > < >> > > > >> > > >> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http:// >> > > > $IPA_CA_RECORD.$DOMAIN/ca/ocsp >> > > > --- >> > > > > >> policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= >> > > > 95,97c93,95 >> > > > < >> > > > >> > > >> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER >> > > > < >> > > > >> > > >> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName >> > > > < >> > > >> policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http:// >> > > > $IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin >> > > > --- >> > > > > >> policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0= >> > > > > >> policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0= >> > > > > policyset.serverCertSet.9.default.params.crlDistPointsPointName_0= >> > > > https://ipa.example.com/ipa/crl/MasterCRL.bin >> > > > 100,109d97 >> > > > < policyset.serverCertSet.10.constraint.class_id=noConstraintImpl >> > > > < policyset.serverCertSet.10.constraint.name=No Constraint >> > > > < >> > > > >> > > >> policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl >> > > > < 
policyset.serverCertSet.10.default.name=Subject Key Identifier >> > > Extension >> > > > Default >> > > > < policyset.serverCertSet.10.default.params.critical=false >> > > > < policyset.serverCertSet.11.constraint.class_id=noConstraintImpl >> > > > < policyset.serverCertSet.11.constraint.name=No Constraint >> > > > < >> policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl >> > > > < policyset.serverCertSet.11.default.name=User Supplied Extension >> > > Default >> > > > < policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17 >> > > > >> > > > Thanks by advance for your support, >> > > > Regards >> > > > >> > > > -- >> > > > Youenn Piolet >> > > > piolet.y at gmail.com >> > > > >> > > > >> > > > 2016-03-31 9:41 GMT+02:00 Fraser Tweedale : >> > > > >> > > > > On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin ?tefany wrote: >> > > > > > Hello, >> > > > > > >> > > > > > I seem to be having some issues with IPA CA feature not >> generating >> > > > > > certificates with DNS SubjectAltNames. >> > > > > > >> > > > > > I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but >> now >> > > under >> > > > > > CentOS 7.2 / IPA 4.2 something's different. >> > > > > > >> > > > > > Here are the original steps which worked fine for my first use >> case >> > > :: >> > > > > > >> > > > > > $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25 >> > > > > > $ ipa host-add mail.example.com >> > > > > > $ ipa service-add smtp/mail.example.com >> > > > > > $ ipa service-add smtp/mail1.example.com >> > > > > > $ ipa service-add-host smtp/mail.example.com --hosts= >> > > mail1.example.com >> > > > > > $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \ >> > > > > > -f /etc/pki/tls/certs/postfix.pem \ >> > > > > > -N CN=mail1.example.com,O=EXAMPLE.COM \ >> > > > > > -D mail1.example.com -D mail.example.com >> \ >> > > > > > -K smtp/mail1.example.com >> > > > > > (and repeat for every next member of the cluster...) 
>> > > > > > >> > > > > > After this, I would get certificate with something like :: >> > > > > > $ sudo ipa-getcert list >> > > > > > Number of certificates and requests being tracked: 3. >> > > > > > Request ID '20150419153933': >> > > > > > status: MONITORING >> > > > > > stuck: no >> > > > > > key pair storage: >> > > > > > type=FILE,location='/etc/pki/tls/private/postfix.key' >> > > > > > certificate: >> > > type=FILE,location='/etc/pki/tls/certs/postfix.pem' >> > > > > > CA: IPA >> > > > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM >> > > > > > subject: CN=mail1.example.com,O=EXAMPLE.COM >> > > > > > expires: 2017-04-19 15:39:35 UTC >> > > > > > dns: mail1.example.com,mail.example.com >> > > > > > principal name: smtp/mail1.example.com at EXAMPLE.COM >> > > > > > key usage: >> > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > > > > > eku: id-kp-serverAuth,id-kp-clientAuth >> > > > > > pre-save command: >> > > > > > post-save command: >> > > > > > track: yes >> > > > > > auto-renew: yes >> > > > > > >> > > > > > with Subject line in form of: 'CN=,O=EXAMPLE.COM' and >> > > 'dns' >> > > > > > info line present. 
>> > > > > > >> > > > > > Suddenly, in the current setup, after upgrade from 4.0 to 4.2, >> I'm >> > > > > > getting this :: >> > > > > > >> > > > > > $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 >> --a-create- >> > > > > > reverse >> > > > > > $ ipa host-add w3.example.com >> > > > > > $ ipa service-add HTTP/w3.example.com >> > > > > > $ ipa service-add HTTP/http1.example.com >> > > > > > $ ipa service-add-host HTTP/w3.example.com --hosts= >> http1.example.com >> > > > > > $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \ >> > > > > > -f /etc/pki/tls/certs/httpd.pem \ >> > > > > > -N CN=http1.example.com,O=EXAMPLE.COM \ >> > > > > > -D http1.example.com -D w3.example.com \ >> > > > > > -K HTTP/http1.example.com >> > > > > > $ sudo ipa-getcert list >> > > > > > Number of certificates and requests being tracked: 3. >> > > > > > Request ID '20160327095125': >> > > > > > status: MONITORING >> > > > > > stuck: no >> > > > > > key pair storage: >> > > > > > type=FILE,location='/etc/pki/tls/private/http.key' >> > > > > > certificate: >> type=FILE,location='/etc/pki/tls/certs/http.pem' >> > > > > > CA: IPA >> > > > > > issuer: CN=Certificate Authority,O=EXAMPLE.COM >> > > > > > subject: CN=http1.example.com,OU=pki-ipa,O=IPA >> > > > > > expires: 2018-03-28 09:51:27 UTC >> > > > > > key usage: >> > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > > > > > eku: id-kp-serverAuth,id-kp-clientAuth >> > > > > > pre-save command: >> > > > > > post-save command: >> > > > > > track: yes >> > > > > > auto-renew: yes >> > > > > > >> > > > > > Where's the 'CN=,OU=pki-ipa,O=IPA' coming from >> instead of >> > > > > > 'CN=,O=EXAMPLE.COM' and why are DNS SubjectAltNames >> > > missing? 
>> > > > > > >> > > > > > To be clear, if I don't do :: >> > > > > > $ ipa service-add-host HTTP/w3.example.com --hosts= >> http1.example.com >> > > > > > >> > > > > > then certificate is just not issued with 'REJECTED', but once >> this is >> > > > > > done properly in described steps, DNS SANs are not happening. >> > > > > > >> > > > > > I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but >> only >> > > > > > against my current IPA 4.2 on CentOS 7.2. >> > > > > > >> > > > > > For the actual certificates :: >> > > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout >> -text >> > > > > > Certificate: >> > > > > > Data: >> > > > > > Version: 3 (0x2) >> > > > > > Serial Number: 15 (0xf) >> > > > > > Signature Algorithm: sha256WithRSAEncryption >> > > > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority >> > > > > > Validity >> > > > > > Not Before: Apr 19 15:39:35 2015 GMT >> > > > > > Not After : Apr 19 15:39:35 2017 GMT >> > > > > > Subject: O=EXAMPLE.COM, CN=mail1.example.com >> > > > > > Subject Public Key Info: >> > > > > > Public Key Algorithm: rsaEncryption >> > > > > > Public-Key: (2048 bit) >> > > > > > Modulus: >> > > > > > [cut] >> > > > > > Exponent: 65537 (0x10001) >> > > > > > X509v3 extensions: >> > > > > > X509v3 Authority Key Identifier: >> > > > > > keyid:[cut] >> > > > > > >> > > > > > Authority Information Access: >> > > > > > OCSP - URI:http://ipa-ca.example.com/ca/ocsp >> > > > > > >> > > > > > X509v3 Key Usage: critical >> > > > > > Digital Signature, Non Repudiation, Key >> Encipherment, >> > > > > > Data Encipherment >> > > > > > X509v3 Extended Key Usage: >> > > > > > TLS Web Server Authentication, TLS Web Client >> > > > > > Authentication >> > > > > > X509v3 CRL Distribution Points: >> > > > > > >> > > > > > Full Name: >> > > > > > URI: >> > > http://ipa-ca.example.com/ipa/crl/MasterCRL.bin >> > > > > > CRL Issuer: >> > > > > > DirName: O = ipaca, CN = Certificate Authority >> > > > > > >> > > > > > X509v3 
Subject Key Identifier: >> > > > > > [cut] >> > > > > > X509v3 Subject Alternative Name: >> > > > > > DNS:mail1.example.com, DNS:mail.example.com, >> > > > > > othername:, othername: >> > > > > > Signature Algorithm: sha256WithRSAEncryption >> > > > > > [cut] >> > > > > > >> > > > > > vs. >> > > > > > >> > > > > > $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout >> > > > > > Certificate: >> > > > > > Data: >> > > > > > Version: 3 (0x2) >> > > > > > Serial Number: 71 (0x47) >> > > > > > Signature Algorithm: sha256WithRSAEncryption >> > > > > > Issuer: O=EXAMPLE.COM, CN=Certificate Authority >> > > > > > Validity >> > > > > > Not Before: Mar 27 09:51:27 2016 GMT >> > > > > > Not After : Mar 28 09:51:27 2018 GMT >> > > > > > Subject: O=IPA, OU=pki-ipa, CN=http1.example.com >> > > > > > Subject Public Key Info: >> > > > > > Public Key Algorithm: rsaEncryption >> > > > > > Public-Key: (2048 bit) >> > > > > > Modulus: >> > > > > > [cut] >> > > > > > Exponent: 65537 (0x10001) >> > > > > > X509v3 extensions: >> > > > > > X509v3 Authority Key Identifier: >> > > > > > keyid:[cut] >> > > > > > >> > > > > > Authority Information Access: >> > > > > > OCSP - URI:http://idmc1.example.com:80/ca/ocsp >> > > > > > >> > > > > > X509v3 Key Usage: critical >> > > > > > Digital Signature, Non Repudiation, Key >> Encipherment, >> > > > > > Data Encipherment >> > > > > > X509v3 Extended Key Usage: >> > > > > > TLS Web Server Authentication, TLS Web Client >> > > > > > Authentication >> > > > > > Signature Algorithm: sha256WithRSAEncryption >> > > > > > [cut] >> > > > > > >> > > > > > so even reference to CRL is missing here, but OCSP is present. >> > > > > > >> > > > > > >> > > > > > Sorry if this is duplicate, but from what I was able to find, >> DNS >> > > > > > SubjectAltNames are reported working since CentOS 7.1, and I >> think >> > > I'm >> > > > > > consistent with http://www.freeipa.org/page/PKI, unless I miss >> > > something >> > > > > > obvious here. 
>> > > > > > >> > > > > > For new features like certificate profiles and ACLs, I haven't >> > > changed >> > > > > > any defaults as far as I know as there was no need for that. >> > > > > > >> > > > > > >> > > > > > Thank you for any support in advance! And Happy Easter! >> > > > > > >> > > > > > Martin >> > > > > >> > > > > Hi Martin, >> > > > > >> > > > > Thanks for the detailed info. Could you please provide the >> > > > > Dogtag configuration for the default profile, `caIPAserviceCert'? >> > > > > >> > > > > ipa certprofile-show --out caIPAserviceCert.cfg >> caIPAserviceCert >> > > > > >> > > > > (Then provide the contents of caIPAserviceCert.cfg) >> > > > > >> > > > > Could you also provide the contents of file >> > > > > `/etc/pki/pki-tomcat/ca/CS.cfg'? >> > > > > >> > > > > Regards, >> > > > > Fraser >> > > > > >> > > > > -- >> > > > > Manage your subscription for the Freeipa-users mailing list: >> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > > Go to http://freeipa.org for more info on the project >> > > >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From peljasz at yahoo.co.uk Thu May 26 10:12:37 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Thu, 26 May 2016 11:12:37 +0100 Subject: [Freeipa-users] ipa-server-install --uninstall leaves httpd crippled ? Message-ID: <623a78b4-56bb-3389-4fbf-de5398923917@yahoo.co.uk> hi people I've noticed that --uninstall leaves httpd unable to restart. I think it's what was not cleaned up in /etc/httpd/alias I logs I see: [Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS initialization failed. Certificate database: /etc/httpd/alias. [Thu May 26 11:03:43.318113 2016] [:error] [pid 6930] SSL Library Error: -8177 The security password entered is incorrect am I correct? Should the process not take care of that db? regards L. 
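Back on the caIPAserviceCert profile thread above: as an added worked example (not code from the list, from Fraser, or from the FreeIPA project), here is the template substitution Fraser describes done as a script rather than by hand, together with the checks worth running on the result before handing it to `ipa certprofile-mod`. Both profile excerpts below are constructed from the lines quoted in the thread (the real files carry many more keys), and the EXAMPLE.COM domain and the `ipa-ca` record are assumed values.

```python
import re

# Constructed excerpt of /usr/share/ipa/profiles/caIPAserviceCert.cfg,
# reduced to the keys the thread discusses (the real file is much longer).
TEMPLATE = """\
profileId=caIPAserviceCert
classId=caEnrollImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
"""

# Constructed excerpt of the profile as it sat in LDAP in the thread
# (ipa certprofile-show --out): old policy list, pki-ipa subject, empty AIA.
LDAP_COPY = """\
profileId=caIPAserviceCert
classId=caEnrollImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=https://ipa.example.com/ipa/crl/MasterCRL.bin
"""

# Installer placeholders; the domain and realm are assumed example values.
SUBSTITUTIONS = {
    "$SUBJECT_DN_O": "O=EXAMPLE.COM",
    "$IPA_CA_RECORD": "ipa-ca",
    "$DOMAIN": "example.com",
    "$CRL_ISSUER": "CN=Certificate Authority,o=ipaca",
}


def render_profile(template, subs):
    """Fill the $NAME installer placeholders, then collapse '$$' to '$'.

    The Dogtag pattern markers ($request.req_subject_name.cn$) are escaped
    as '$$' in the template; they are unescaped last so that the placeholder
    replacement never sees a bare '$' it could confuse with a variable.
    """
    out = template
    for key, value in subs.items():
        out = out.replace(key, value)
    return out.replace("$$", "$")


def parse_profile(text):
    """Parse a flat key=value Dogtag profile into a dict (empty values kept)."""
    cfg = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_profile(cfg):
    """Return a list of problems; an empty list means the profile matches
    what the thread expects: SAN passthrough, realm O= in the subject,
    no leftover placeholders, and populated OCSP/CRL pointers."""
    problems = []
    members = cfg.get("policyset.serverCertSet.list", "").split(",")
    for needed in ("10", "11"):
        if needed not in members:
            problems.append("serverCertSet.list lacks policy %s" % needed)
    if cfg.get("policyset.serverCertSet.11.default.params.userExtOID") != "2.5.29.17":
        problems.append("policy 11 does not pass through subjectAltName (2.5.29.17)")
    for key, value in cfg.items():
        if "$$" in value:
            problems.append("%s still has a doubled '$'" % key)
        if re.search(r"\$[A-Z_]+", value):
            problems.append("%s still has an installer placeholder" % key)
    dn = cfg.get("policyset.serverCertSet.1.default.params.name", "")
    if "OU=pki-ipa" in dn or not dn.startswith("CN=$request.req_subject_name.cn$"):
        problems.append("subject DN pattern is wrong: %r" % dn)
    for key in ("policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0",
                "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0"):
        if not re.match(r"https?://", cfg.get(key, "")):
            problems.append("%s is empty or not a URI" % key)
    return problems


if __name__ == "__main__":
    rendered = render_profile(TEMPLATE, SUBSTITUTIONS)
    print(rendered)
    print("problems in rendered profile:", check_profile(parse_profile(rendered)))
    print("problems in LDAP copy:", check_profile(parse_profile(LDAP_COPY)))
```

Running `check_profile` on the LDAP copy reproduces the symptoms from the thread (no policy 11, so no SAN; the `OU=pki-ipa,O=IPA` subject; an empty OCSP pointer), and on the rendered template it returns nothing, which is the state you want before `ipa certprofile-mod caIPAserviceCert --file new.cfg`.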
From peljasz at yahoo.co.uk Thu May 26 11:06:59 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Thu, 26 May 2016 12:06:59 +0100 Subject: [Freeipa-users] where the hell is that CA? Message-ID: <362bf741-025d-c218-0e6f-c89a96c9eb31@yahoo.co.uk> hi everybody I'm trying to set up a replica but process fails: [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). ipa.ipapython.install.cli.install_tool(Replica): ERROR A CA is already configured on this system. I've even removed all the .rpm I thought were relevant, reinstalled but problem persists. many thanks, L. From mbabinsk at redhat.com Thu May 26 11:43:34 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 26 May 2016 13:43:34 +0200 Subject: [Freeipa-users] ipa-server-install --uninstall leaves httpd crippled ? In-Reply-To: <623a78b4-56bb-3389-4fbf-de5398923917@yahoo.co.uk> References: <623a78b4-56bb-3389-4fbf-de5398923917@yahoo.co.uk> Message-ID: <38c233c1-aa8e-5976-c592-2277f95e0e7d@redhat.com> On 05/26/2016 12:12 PM, lejeczek wrote: > hi people > > I've noticed that --uninstall leaves httpd unable to restart. > > I think it's what was not cleaned up in /etc/httpd/alias > > I logs I see: > > [Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS initialization > failed. Certificate database: /etc/httpd/alias. > [Thu May 26 11:03:43.318113 2016] [:error] [pid 6930] SSL Library Error: > -8177 The security password entered is incorrect > > am I correct? Should the process not take care of that db? > > regards > > L. > Hi, this is a known issue and we have a ticket for it: https://fedorahosted.org/freeipa/ticket/4639 -- Martin^3 Babinsky From akasurde at redhat.com Thu May 26 11:48:30 2016 From: akasurde at redhat.com (Abhijeet Kasurde) Date: Thu, 26 May 2016 17:18:30 +0530 Subject: [Freeipa-users] ipa-server-install --uninstall leaves httpd crippled ? 
In-Reply-To: <38c233c1-aa8e-5976-c592-2277f95e0e7d@redhat.com> References: <623a78b4-56bb-3389-4fbf-de5398923917@yahoo.co.uk> <38c233c1-aa8e-5976-c592-2277f95e0e7d@redhat.com> Message-ID: <5746E28E.9020201@redhat.com> Hi all, I am able to reproduce this issue. Here is some last messages of /var/log/httpd/error_log [Thu May 26 17:13:36.269546 2016] [mpm_prefork:notice] [pid 17657] AH00170: caught SIGWINCH, shutting down gracefully [Thu May 26 17:14:42.196661 2016] [core:notice] [pid 23685] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0 [Thu May 26 17:14:42.208531 2016] [suexec:notice] [pid 23685] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Thu May 26 17:14:42.208561 2016] [:warn] [pid 23685] NSSSessionCacheTimeout is deprecated. Ignoring. [Thu May 26 17:14:42.599338 2016] [:error] [pid 23685] Password for slot internal is incorrect. [Thu May 26 17:14:42.602821 2016] [:error] [pid 23685] NSS initialization failed. Certificate database: /etc/httpd/alias. [Thu May 26 17:14:42.602849 2016] [:error] [pid 23685] SSL Library Error: -8177 The security password entered is incorrect Steps used to reproduce: 1. Install httpd 2. Install ipa-server 3. Configure ipa-server 4. Uninstall ipa-server On 05/26/2016 05:13 PM, Martin Babinsky wrote: > On 05/26/2016 12:12 PM, lejeczek wrote: >> hi people >> >> I've noticed that --uninstall leaves httpd unable to restart. >> >> I think it's what was not cleaned up in /etc/httpd/alias >> >> I logs I see: >> >> [Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS initialization >> failed. Certificate database: /etc/httpd/alias. >> [Thu May 26 11:03:43.318113 2016] [:error] [pid 6930] SSL Library Error: >> -8177 The security password entered is incorrect >> >> am I correct? Should the process not take care of that db? >> >> regards >> >> L. 
>> > Hi, > > this is a known issue and we have a ticket for it: > > https://fedorahosted.org/freeipa/ticket/4639 > -- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io From rcritten at redhat.com Thu May 26 13:37:30 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 26 May 2016 09:37:30 -0400 Subject: [Freeipa-users] ipa-server-install --uninstall leaves httpd crippled ? In-Reply-To: <5746E28E.9020201@redhat.com> References: <623a78b4-56bb-3389-4fbf-de5398923917@yahoo.co.uk> <38c233c1-aa8e-5976-c592-2277f95e0e7d@redhat.com> <5746E28E.9020201@redhat.com> Message-ID: <5746FC1A.2010204@redhat.com> Abhijeet Kasurde wrote: > Hi all, > > I am able to reproduce this issue. > > Here is some last messages of /var/log/httpd/error_log > > [Thu May 26 17:13:36.269546 2016] [mpm_prefork:notice] [pid 17657] > AH00170: caught SIGWINCH, shutting down gracefully > [Thu May 26 17:14:42.196661 2016] [core:notice] [pid 23685] SELinux > policy enabled; httpd running as context system_u:system_r:httpd_t:s0 > [Thu May 26 17:14:42.208531 2016] [suexec:notice] [pid 23685] AH01232: > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) > [Thu May 26 17:14:42.208561 2016] [:warn] [pid 23685] > NSSSessionCacheTimeout is deprecated. Ignoring. > [Thu May 26 17:14:42.599338 2016] [:error] [pid 23685] Password for slot > internal is incorrect. > [Thu May 26 17:14:42.602821 2016] [:error] [pid 23685] NSS > initialization failed. Certificate database: /etc/httpd/alias. > [Thu May 26 17:14:42.602849 2016] [:error] [pid 23685] SSL Library > Error: -8177 The security password entered is incorrect > > Steps used to reproduce: > > 1. Install httpd > 2. Install ipa-server > 3. Configure ipa-server > 4. Uninstall ipa-server Try changing NSSPassPhraseDialog to builtin in nss.conf and restarting. IIRC the original databases are restored but the IPA password is being used. 
rob > > On 05/26/2016 05:13 PM, Martin Babinsky wrote: >> On 05/26/2016 12:12 PM, lejeczek wrote: >>> hi people >>> >>> I've noticed that --uninstall leaves httpd unable to restart. >>> >>> I think it's what was not cleaned up in /etc/httpd/alias >>> >>> I logs I see: >>> >>> [Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS initialization >>> failed. Certificate database: /etc/httpd/alias. >>> [Thu May 26 11:03:43.318113 2016] [:error] [pid 6930] SSL Library Error: >>> -8177 The security password entered is incorrect >>> >>> am I correct? Should the process not take care of that db? >>> >>> regards >>> >>> L. >>> >> Hi, >> >> this is a known issue and we have a ticket for it: >> >> https://fedorahosted.org/freeipa/ticket/4639 >> > From rcritten at redhat.com Thu May 26 13:41:33 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 26 May 2016 09:41:33 -0400 Subject: [Freeipa-users] where the hell is that CA? In-Reply-To: <362bf741-025d-c218-0e6f-c89a96c9eb31@yahoo.co.uk> References: <362bf741-025d-c218-0e6f-c89a96c9eb31@yahoo.co.uk> Message-ID: <5746FD0D.3000705@redhat.com> lejeczek wrote: > hi everybody > > I'm trying to set up a replica but process fails: > > [37/38]: tuning directory server > [38/38]: configuring directory to start on boot > Done configuring directory server (dirsrv). > ipa.ipapython.install.cli.install_tool(Replica): ERROR A CA is > already configured on this system. > > I've even removed all the .rpm I thought were relevant, reinstalled but > problem persists. > > many thanks, > > L. > It is seeing the existence of /var/lib/pki/pki-tomcat/ca Try: pkidestroy -i pki-tomcat -s ca rob From rcritten at redhat.com Thu May 26 14:13:07 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 26 May 2016 10:13:07 -0400 Subject: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert??? 
In-Reply-To: References: <57445ED2.10701@redhat.com> Message-ID: <57470473.9000805@redhat.com> barrykfl at gmail.com wrote: > externaly signed CA - Godaddy Exppired. > > Already add new to db /etc/https/alias / -L and config nickname map in > /etc/http/config.d/nss.conf > Already Import to /etc/slapd/PKI-IPA ...where nickname I should point to? > Alreasy change /etc/dirsrv/slapd-ABC-COM and nickname map in dse.ldif > > Start stop IPA no cert issue . but server ipa prepare fail. > > IPA replica still say cert expiry , any where I missed ? > ipa-replica-prepare needs certificates, one for the new web server and one for the new LDAP server. If certificates aren't provided on the cli it will attempt to get them from the IPA CA. Your CA not working, hence the failure. rob > > Thanks > > > 2016-05-25 19:30 GMT+08:00 Martin Basti >: > > > > On 25.05.2016 04:36, Barry wrote: >> >> Hi: >> >> Which location i should renew cert? >> Http/alias >> Etc/dirsrv/slapd* >> >> Enough? >> > > We need to know if you have IPA configured with > * externaly signed CA > * or selfsigned CA > * or if you have any other certificates from different CAs > > If I remember correctly you wrote in one email that you have a > certificate from godaddy, which certificate? > > In case you have self signed CA certificate you should follow: > http://www.freeipa.org/page/Howto/CA_Certificate_Renewal > > Martin >> 2016?5?24? ??10:01 ? "Rob Crittenden" > > ??? >> >> barrykfl at gmail.com >> wrote: >> >> hi all: >> >> >> Thx ad title >> >> ipa : ERROR cert validation failed for >> "CN=server.abc.com >> ,O=WISER S.COM >> <http://S.COM>" >> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has >> expired.) >> preparation of replica failed: cannot connect to >> 'https://server.ABC.com:944 >> 4/ca/ee/ca/profileSubmitSSLClient': >> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certi >> ficate has expired. 
>> cannot connect to >> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClie >> nt': >> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has >> expired. >> >> >> The root of all your problems is that your certificates are >> expired. Fixing this should be your priority. This is probably >> going to involve going back in time to when the certificates >> are still valid, restarting IPA, restarting certmonger and >> waiting for things to properly renew. It can take some time as >> the certificates don't all renew at once. >> >> I suspect that once renewed and returned to current time the >> rest of your problems will, for the most part, go away. >> >> rob >> >> >> > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > From peljasz at yahoo.co.uk Thu May 26 15:15:06 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Thu, 26 May 2016 16:15:06 +0100 Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain In-Reply-To: <5745FCA7.4020705@redhat.com> References: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk> <5745A648.8020704@redhat.com> <5745C8E4.1050106@redhat.com> <5745FCA7.4020705@redhat.com> Message-ID: <7ca6ffed-3a53-3fd6-822b-09f92a3ac9f3@yahoo.co.uk> On 25/05/16 20:27, Rob Crittenden wrote: > lejeczek wrote: >> >> >> On 25/05/16 16:46, Rob Crittenden wrote: >>> lejeczek wrote: >>>> >>>> >>>> On 25/05/16 14:19, Rob Crittenden wrote: >>>>> lejeczek wrote: >>>>>> hi there, >>>>>> >>>>>> I'm trying to set up a replica with: --setup-dns >>>>>> --no-forwarders >>>>>> --setup-ca >>>>>> >>>>>> installer fails at: >>>>>> >>>>>> [10/23]: importing CA chain to RA certificate database >>>>>> [error] RuntimeError: Unable to retrieve CA chain: >>>>>> [Errno 111] >>>>>> Connection refused >>>>>> Your system may be partly configured. >>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean >>>>>> up. 
>>>>>> >>>>>> more from log: >>>>>> >>>>>> 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA >>>>>> chain to RA >>>>>> certificate database >>>>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent >>>>>> call last): >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>>> >>>>>> line 418, in start_creation >>>>>> run_step(full_msg, method) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>>> >>>>>> line 408, in run_step >>>>>> method() >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>>>> >>>>>> line >>>>>> 1015, in __import_ca_chain >>>>>> chain = self.__get_ca_chain() >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>>>> >>>>>> line >>>>>> 997, in __get_ca_chain >>>>>> raise RuntimeError("Unable to retrieve CA chain: >>>>>> %s" % str(e)) >>>>>> RuntimeError: Unable to retrieve CA chain: [Errno >>>>>> 111] Connection >>>>>> refused >>>>>> >>>>>> 2016-05-25T12:38:31Z DEBUG [error] RuntimeError: >>>>>> Unable to >>>>>> retrieve CA >>>>>> chain: [Errno 111] Connection refused >>>>>> 2016-05-25T12:38:31Z DEBUG File >>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", >>>>>> line >>>>>> 171, in >>>>>> execute >>>>>> >>>>>> what might be the problem? >>>>> >>>>> It is failing getting the CA chain from dogtag. It >>>>> uses port 8080 by >>>>> default. I'd check your firewall and that the remote >>>>> CA is up. 
>>>>> >>>> thanks Rob, >>>> I opened 8080/tcp (it was closed) but still a failure I >>>> get, different >>>> error though: >>>> >>>> [2/23]: configuring certificate server instance >>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >>>> Failed to >>>> configure CA instance: Command ''/usr/sbin/pkispawn' >>>> '-s' 'CA' '-f' >>>> '/tmp/tmpY2oGh1'' returned non-zero exit status 1 >>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >>>> See the >>>> installation logs and the following files/directories >>>> for more >>>> information: >>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >>>> /var/log/pki-ca-install.log >>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL >>>> /var/log/pki/pki-tomcat >>>> [error] RuntimeError: CA configuration failed. >>>> >>>> I noticed - /var/log/pki-ca-install.log does NOT exist >>>> and log file: >>>> >>>> Storing deployment configuration into >>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. >>>> Installation failed. >>>> 2016-05-25T14:12:21Z DEBUG >>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: >>>> I >>>> nsecureRequestWarning: Unverified HTTPS request is >>>> being made. Adding >>>> certificate verification is s >>>> trongly advised. See: >>>> https://urllib3.readthedocs.org/en/latest/security.html >>>> InsecureRequestWarning) >>>> pkispawn : ERROR ....... server failed to restart >>>> >>>> 2016-05-25T14:12:21Z CRITICAL Failed to configure CA >>>> instance: Command >>>> ''/usr/sbin/pkispawn' '-s' ' >>>> CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1 >>>> 2016-05-25T14:12:21Z CRITICAL See the installation logs >>>> and the >>>> following files/directories for mor >>>> e information: >>> >>> You need to look in those files/directories for more >>> details. Dogtag >>> doesn't return much on failures and we display what we >>> have but all >>> the real meat is in those logs. >>> >>>> can I ask a question? 
- my nss.conf is pretty >>>> plain-vanilla, uses :443 - >>>> why does installer complain about it being used and I >>>> have to change the >>>> port for installer to start? >>> >>> Because there is no easy way to determine what is using >>> that port. If >>> it is mod_ssl or some other web server instead then >>> things go sideways >>> pretty fast. >>> >> but will it all not brake precisely because I have to >> change port? I >> then take a glance and see https:/// only and installer >> it not take that >> port into account, so how will whole IPA work if nss >> listens on >> non-standard port? > > I'm not sure I follow. The installer will (or should) > change nss.conf to listen on 443. The default is 8443. > > If you take a vanilla instance and install mod_ssl and > mod_nss on it then Apache will listen on ports 443 and > 8443. IPA requires mod_nss to listen on 443 so the install > will fail. This is what we are trying to prevent. It isn't > a mod_nss or mod_ssl issue but only one thing can listen > on any given port. > > The installer looks at things just enough to detect that > something might be wrong and it blows up so it can be > manually addressed because whatever we did automatically > would be wrong and potentially catastrophic for somebody's > use case. > > > rob > when it fails with: [1/24]: creating certificate server user [2/24]: configuring certificate server instance ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpNF7gTf'' returned non-zero exit status 1 ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. 
first - this: /var/log/pki-ca-install.log never gets created, might be bug? second is install log: nstalling CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2016-05-26T15:07:25Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning) pkispawn : ERROR ....... server failed to restart 2016-05-26T15:07:25Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpNF7gTf'' returned non-zero exit status 1 2016-05-26T15:07:25Z CRITICAL See the installation logs and the following files/directories for more information: 2016-05-26T15:07:25Z CRITICAL /var/log/pki-ca-install.log 2016-05-26T15:07:25Z CRITICAL /var/log/pki/pki-tomcat third is: pki-ca-spawn.%%%.log 2016-05-26 16:06:24 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf 2016-05-26 16:06:24 pkispawn : DEBUG ........... chown 17:17 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf 2016-05-26 16:06:24 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-LqkPbX -f /root/.dogtag/pki-tomcat/ca/password.conf' 2016-05-26 16:06:24 pkispawn : INFO ....... executing 'systemctl daemon-reload' 2016-05-26 16:06:24 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service' 2016-05-26 16:06:24 pkispawn : DEBUG ........... No connection - server may still be down 2016-05-26 16:06:24 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found ... ... Error: Not Found 2016-05-26 16:07:25 pkispawn : ERROR ....... server failed to restart 2016-05-26 16:07:25 pkispawn : DEBUG ....... Error Type: Exception 2016-05-26 16:07:25 pkispawn : DEBUG ....... 
Error Message: server failed to restart 2016-05-26 16:07:25 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main rv = scriptlet.spawn(deployer) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 234, in spawn raise Exception("server failed to restart") Is it replica's own pki-tomcatd at pki-tomcat.service that fails? If so then this makes it all strange: systemctl status -l pki-tomcatd at pki-tomcat.service ? pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled; vendor preset: disabled) Active: active (running) since Thu 2016-05-26 16:06:24 BST; 6min ago Process: 14276 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS) Main PID: 14415 (java) CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd at pki-tomcat.service ??14415 /usr/lib/jvm/jre/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.catalina.startup.HostConfig deployDescriptor May 26 16:06:33 work5 server[14415]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 2,589 ms May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.coyote.AbstractProtocol start May 26 16:06:33 work5 server[14415]: INFO: 
Starting ProtocolHandler ["http-bio-8080"] May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.coyote.AbstractProtocol start May 26 16:06:33 work5 server[14415]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] May 26 16:06:33 work5 server[14415]: PKIListener: org.apache.catalina.core.StandardServer[after_start] May 26 16:06:33 work5 server[14415]: PKIListener: Subsystem CA is running. May 26 16:06:33 work5 server[14415]: May 26, 2016 4:06:33 PM org.apache.catalina.startup.Catalina start May 26 16:06:33 work5 server[14415]: INFO: Server startup in 6805 ms I really cannot find anything blatantly obvious in those logs. From jhrozek at redhat.com Thu May 26 15:25:22 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 26 May 2016 17:25:22 +0200 Subject: [Freeipa-users] pam_hbac: a PAM module to enforce IPA HBAC rules Message-ID: <20160526152522.GA14651@hendrix> Hi, me and Pavel Reichl were developing pam_hbac and today we tagged our first release. pam_hbac is a standalone PAM module for enforcing HBAC access control defined on an FreeIPA server. It is meant as a solution for platforms that do not ship with SSSD like Solaris or for setups where you can't use id_provider=ipa, like Amazon Linux or RHEL-5 machines using the compat tree. The project is being developed on github: https://github.com/jhrozek/pam_hbac You can grab the first release here: https://github.com/jhrozek/pam_hbac/releases Pavel and I also wrote a introductory blog post to get you started: https://jhrozek.wordpress.com/2016/05/26/pam_hbac-a-pam-module-to-enforce-ipa-access-control-rules/ Enjoy! From zwolfinger at myemma.com Thu May 26 15:31:23 2016 From: zwolfinger at myemma.com (Zak Wolfinger) Date: Thu, 26 May 2016 10:31:23 -0500 Subject: [Freeipa-users] FreeIPA 3 w/NO CA to version 4.3 with CA? Message-ID: I?m following the instructions on how to migrate from FreeIPA version 3.0 to 4.3. Our 3.0 implementation does NOT have CA running. 
We want to enable CA Server with 4.3.

Can we enable CA after the migration? Instructions to do so?

or

Can we enable CA during the ipa-replica-install phase? The instructions say to use the --dirsrv-cert-file --dirsrv-pin --http-cert-file --http-pin flags, but ipa-replica-prepare in version 3 doesn't seem to support --dirsrv-cert-file.

Thanks for your help!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From john+freeipa at themeyers.us Thu May 26 16:06:38 2016
From: john+freeipa at themeyers.us (John Meyers)
Date: Thu, 26 May 2016 12:06:38 -0400
Subject: [Freeipa-users] mod_auth_krb issues with AD trust
Message-ID: <57471F0E.4070601@themeyers.us>

All,

I have two-way trust established between IPA.DOMAIN.COM and AD.DOMAIN.COM. The users are sync'ed via a replication agreement and password sync so user at IPA.DOMAIN.COM is the same person as user at AD.DOMAIN.COM.

With "KrbLocalUserMapping On" in the Apache config, everything works great for users in the IPA domain. The realm is properly stripped off and the end applications work very well with IPA.

However, if a user from the AD domain authenticates, mod_auth_krb does not strip off the realm and returns "krb5_aname_to_localname() failed: Supplied data not handled by this plugin", passing the untouched string to the end application which promptly chokes on it. I tried adding AD.DOMAIN.COM to "KrbAuthRealms" in the Apache configuration. That didn't do it. Then I tried adding "auth_to_local = RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//" to /etc/krb5.conf under the IPA realm. That STILL didn't do it and that is about the end of my knowledge on kerberos realm mapping and stripping.

Any help would be appreciated.
John

From abokovoy at redhat.com Thu May 26 16:20:22 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 26 May 2016 19:20:22 +0300
Subject: [Freeipa-users] mod_auth_krb issues with AD trust
In-Reply-To: <57471F0E.4070601@themeyers.us>
References: <57471F0E.4070601@themeyers.us>
Message-ID: <20160526162022.7zzonrhnseubu24m@redhat.com>

On Thu, 26 May 2016, John Meyers wrote:
>All,
>
>I have two-way trust established between IPA.DOMAIN.COM and
>AD.DOMAIN.COM. The users are sync'ed via a replication agreement and
>password sync so user at IPA.DOMAIN.COM is the same person as
>user at AD.DOMAIN.COM.
Trust doesn't use synchronization. Your AD users are not IPA users and
will never be with trust.

>With "KrbLocalUserMapping On" in the Apache config, everything works
>great for users in the IPA domain. The realm is properly stripped off
>and the end applications work very well with IPA.
>
>However, if a user from the AD domain authenticates, mod_auth_krb does
>not strip off the realm and returns "krb5_aname_to_localname() failed:
>Supplied data not handled by this plugin", passing the untouched string
>to the end application which promptly chokes on it. I tried adding
>AD.DOMAIN.COM to "KrbAuthRealms" in the Apache configuration. That
>didn't do it. Then I tried adding "auth_to_local =
>RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//" to /etc/krb5.conf under the
>IPA realm. That STILL didn't do it and that is about the end of my
>knowledge on kerberos realm mapping and stripping.
>
>Any help would be appreciated.
SSSD on RHEL 7.x and Fedora 22+ provides a localauth plugin to Kerberos
that allows mapping a Kerberos principal to a user known by SSSD.
Effectively, the user at AD.DOMAIN.COM principal would be mapped to
user at ad.domain.com by the SSSD localauth plugin automatically and
aname_to_localname() should succeed.

mod_auth_krb5 should work just fine with this setup if you remove
'KrbLocalUserMapping On' and add all allowed realms to KrbAuthRealms.
--
/ Alexander Bokovoy

From mrorourke at earthlink.net Thu May 26 16:29:42 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Thu, 26 May 2016 12:29:42 -0400 (GMT-04:00)
Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
Message-ID: <7959298.1464280183480.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net>

Did you try installing PWM on a separate instance, or are you trying to install it on the FreeIPA server? I don't recall any issues with pki-tomcat when I setup PWM (older version), but I installed it on a VM that was joined to FreeIPA.

-Mike

-----Original Message-----
>From: Zak Wolfinger
>Sent: May 23, 2016 1:56 PM
>To: freeipa-users at redhat.com
>Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
>
>Does anyone have this combo working? I'm running into problems with pki-tomcat and tomcat for pwm conflicting and need some pointers.
>
>Thanks!

From john+freeipa at themeyers.us Thu May 26 16:45:37 2016
From: john+freeipa at themeyers.us (John Meyers)
Date: Thu, 26 May 2016 12:45:37 -0400
Subject: [Freeipa-users] mod_auth_krb issues with AD trust
In-Reply-To: <20160526162022.7zzonrhnseubu24m@redhat.com>
References: <57471F0E.4070601@themeyers.us> <20160526162022.7zzonrhnseubu24m@redhat.com>
Message-ID: <57472831.2010902@themeyers.us>

Alexander,

I use both trust AND synchronization. Our IPA is authoritative. We add the "ntUser" objectclass and related attributes and 389ds automatically creates a corresponding AD account and password changes are likewise propagated. This is necessary since FreeIPA can not act as a Global Catalog. It works fantastically.

On the AD side, we use the "altSecurityIdentities" attribute to tell AD that user at IPA.DOMAIN.COM is the same person as user at AD.DOMAIN.COM. I guess there isn't a similar mapping on the IPA side such that when I authenticate from user at AD.ACTIFIO.COM IPA would recognize it as an alias of a local domain user?

I did try your suggestion.
Removing KrbLocalUserMapping does indeed clear up the aname_to_localname() issue, however, now REMOTE_USER gets the fully qualified realm string for all users, including the native IPA domain users, and the downstream applications that consume it break as they just expect a username. There is a fix for this that works - it's a very old Apache module called mod_map_user, but it seems to only work on older versions of Apache and I was hoping to avoid having to get that custom. John On 5/26/16 12:20 PM, Alexander Bokovoy wrote: > On Thu, 26 May 2016, John Meyers wrote: >> All, >> >> I have two-way trust established between IPA.DOMAIN.COM and >> AD.DOMAIN.COM. The users are sync'ed via a replication agreement and >> password sync so user at IPA.DOMAIN.COM is the same person as >> user at AD.DOMAIN.COM. > Trust doesn't use synchronization. Your AD users are not IPA users and > will never be with trust. > >> With "KrbLocalUserMapping On" in the Apache config, everything works >> great for users in the IPA domain. The realm is properly stripped off >> and the end applications work very well with IPA. >> >> However, if a user from the AD domain authenticates, mod_auth_krb does >> not strip off the realm and returns "krb5_aname_to_localname() failed: >> Supplied data not handled by this plugin", passing the untouched string >> to the end application which promptly chokes on it. I tried adding >> AD.DOMAIN.COM to "KrbAuthRealms" in the Apache configuration. That >> didn't do it. Then I tried adding "auth_to_local = >> RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM)s/@.*//" to /etc/krb5.conf under the >> IPA realm. That STILL didn't do it and that is about the end of my >> knowledge on kerberos realm mapping and stripping. >> >> Any help would be appreciated. > SSSD on RHEL 7.x and Fedora 22+ provides a localauth plugin to Kerberos > that allows to map Kerberos principal to a user known by SSSD. 
> Effectively, user at AD.DOMAIN.COM principal would be mapped to
> user at ad.domain.com by SSSD localauth plugin automatically and
> aname_to_localname() should succeed.
>
> mod_auth_krb5 should work just fine with this setup if you remove
> 'KrbLocalUserMapping On' and would add all allowed realms to
> KrbAuthRealms.

From zwolfinger at myemma.com Thu May 26 16:56:55 2016
From: zwolfinger at myemma.com (Zak Wolfinger)
Date: Thu, 26 May 2016 11:56:55 -0500
Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
In-Reply-To: <7959298.1464280183480.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net>
References: <7959298.1464280183480.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net>
Message-ID: <39D33783-ADFE-481D-B098-B5ACC9039BFE@myemma.com>

I was trying to do it on the same instance. I think I figured it out. PWM uses port 8080 by default, but FreeIPA has an interface to the CA server on the same port. Changed PWM to a different port and it works.

Thanks!

> On May 26, 2016, at 11:29 AM, Michael ORourke wrote:
>
> Did you try installing PWM on a separate instance, or are you trying to install it on the FreeIPA server? I don't recall any issues with pki-tomcat when I setup PWM (older version), but I installed it on a VM that was joined to FreeIPA.
>
> -Mike
>
>
> -----Original Message-----
>> From: Zak Wolfinger
>> Sent: May 23, 2016 1:56 PM
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] FreeIPA 4.3 with PWM 1.7 ?
>>
>> Does anyone have this combo working? I'm running into problems with pki-tomcat and tomcat for pwm conflicting and need some pointers.
>>
>> Thanks!
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From mrorourke at earthlink.net Thu May 26 16:58:23 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Thu, 26 May 2016 12:58:23 -0400 (GMT-04:00)
Subject: [Freeipa-users] What id my AD domain user password not available
Message-ID: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net>

An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Thu May 26 17:08:46 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 26 May 2016 19:08:46 +0200
Subject: [Freeipa-users] FreeIPA 3 w/NO CA to version 4.3 with CA?
In-Reply-To:
References:
Message-ID: <0d67f5e1-d4e6-cd9b-afd2-a000d599ac9c@redhat.com>

On 26.05.2016 17:31, Zak Wolfinger wrote:
> I'm following the instructions on how to migrate from FreeIPA version 3.0 to 4.3. Our 3.0 implementation does NOT have CA running. We want to enable CA Server with 4.3.
>
> Can we enable CA after the migration? Instructions to do so?
>
> or
>
> Can we enable CA during the ipa-replica-install phase? The instructions say to use the --dirsrv-cert-file --dirsrv-pin --http-cert-file --http-pin flags, but ipa-replica-prepare in version 3 doesn't seem to support --dirsrv-cert-file.
>
>
> Thanks for your help!
>
>
You cannot install CA together with ipa-replica-install. You have to install replica first and then run ipa-ca-install on the new replica.

I'm not sure but it should be possible to use these options with ipa-replica-install

Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Thu May 26 17:28:40 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 26 May 2016 20:28:40 +0300
Subject: [Freeipa-users] mod_auth_krb issues with AD trust
In-Reply-To: <57472831.2010902@themeyers.us>
References: <57471F0E.4070601@themeyers.us> <20160526162022.7zzonrhnseubu24m@redhat.com> <57472831.2010902@themeyers.us>
Message-ID: <20160526172840.ecc64mvu6yffgwdi@redhat.com>

On Thu, 26 May 2016, John Meyers wrote:
>Alexander,
>
>I use both trust AND synchronization. Our IPA is authoritative. We add
>the "ntUser" objectclass and related attributes and 389ds automatically
>creates a corresponding AD account and password changes are likewise
>propagated. This is necessary since FreeIPA can not act as a Global
>Catalog. It works fantastically.
Interesting use of winsync. :)

>On the AD side, we use the "altSecurityIdentities" attribute to tell AD
>that user at IPA.DOMAIN.COM is the same person as user at AD.DOMAIN.COM. I
>guess there isn't a similar mapping on the IPA side such that when I
>authenticate from user at AD.ACTIFIO.COM IPA would recognize it as an
>alias of a local domain user?
We have some code in 4.4 that will support aliases for Kerberos
principals more clearly.

>I did try your suggestion. Removing KrbLocalUserMapping does indeed
>clear up the aname_to_localname() issue, however, now REMOTE_USER gets
>the fully qualified realm string for all users, including the native IPA
>domain users, and the downstream applications that consume it break as
>they just expect a username.
Well, what about using mod_rewrite to reassemble REMOTE_USER? If
REMOTE_USER is set by mod_auth_kerb, use mod_rewrite's RewriteRule
[E=NEW_REMOTE_USER:%1] and RewriteCond before that to drop the suffix.

This implies you have the ability to redefine the variable looked up by the
applications from REMOTE_USER to NEW_REMOTE_USER.
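The realm-to-local-name decision argued over in this thread, written out as an added example in Python (not code from the thread, mod_auth_kerb, SSSD or FreeIPA). Stripping the realm in Apache, whether by KrbLocalUserMapping, an auth_to_local rule or the mod_rewrite trick above, is a policy decision about which realms share one account namespace, and the snippet makes that policy explicit and testable: principals from the local realm, and from realms listed as aliased (John's case, where the AD accounts are kept in sync with IPA), become the bare user name; principals from other trusted realms keep the user@realm form in lower case, which is what Alexander describes the SSSD localauth plugin producing; and any other realm is rejected rather than silently collapsed onto a local account name. The realm names IPA.DOMAIN.COM and AD.DOMAIN.COM are the thread's placeholders; the function and class names are this example's own.

```python
"""Principal-to-REMOTE_USER mapping for a web application behind mod_auth_kerb.

Added example, not code from the thread, mod_auth_kerb, SSSD or FreeIPA.
Realm names are the placeholders used in the thread.
"""
import re

# name[/instance]@REALM; the realm is everything after the last '@'.
PRINCIPAL_RE = re.compile(
    r"^(?P<name>[^@/]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")

LOCAL_REALM = "IPA.DOMAIN.COM"                 # users here are local accounts
ALIASED_REALMS = frozenset({"AD.DOMAIN.COM"})  # accounts kept in sync with IPA
TRUSTED_REALMS = frozenset()                   # trusted, but a separate namespace


class RealmNotAllowed(ValueError):
    """The principal's realm is not one this application accepts."""


def parse_principal(principal: str):
    """Split name[/instance]@REALM into its parts; reject anything else."""
    m = PRINCIPAL_RE.match(principal)
    if m is None:
        raise ValueError(f"malformed principal: {principal!r}")
    return m.group("name"), m.group("instance"), m.group("realm")


def local_name(principal: str, local_realm: str = LOCAL_REALM,
               aliased_realms=ALIASED_REALMS,
               trusted_realms=TRUSTED_REALMS) -> str:
    """Return the REMOTE_USER value the application should see."""
    name, instance, realm = parse_principal(principal)
    if instance is not None:
        # Service principals (HTTP/host@REALM) are never user logins.
        raise RealmNotAllowed(f"{principal!r} is a service principal")
    if realm == local_realm or realm in aliased_realms:
        return name                       # same namespace: strip the realm
    if realm in trusted_realms:
        return f"{name}@{realm.lower()}"  # keep it distinct, SSSD style
    raise RealmNotAllowed(f"realm {realm!r} is not allowed for this application")


def naive_strip(principal: str) -> str:
    """What an unconditional s/@.*// does: every realm lands in one namespace."""
    return principal.split("@", 1)[0]


if __name__ == "__main__":
    for p in ("jdoe@IPA.DOMAIN.COM", "jdoe@AD.DOMAIN.COM", "jdoe@OTHER.EXAMPLE"):
        try:
            print(p, "->", local_name(p))
        except RealmNotAllowed as exc:
            print(p, "-> rejected:", exc)
        print(p, "-> naive strip:", naive_strip(p))
```

Run stand-alone it prints the three outcomes side by side; the point of the comparison with naive_strip is that jdoe@OTHER.EXAMPLE, a realm nobody configured, becomes plain "jdoe" under unconditional stripping and is rejected by local_name.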
-- / Alexander Bokovoy From bentech4you at gmail.com Thu May 26 19:32:28 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Thu, 26 May 2016 22:32:28 +0300 Subject: [Freeipa-users] What id my AD domain user password not available In-Reply-To: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> Message-ID: Hi All i have given share key and the status is like below. [root at zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw" --trust-secret Shared secret for the trust: -------------------------------------------------------- Added Active Directory trust for realm "corp.example.com.kw" -------------------------------------------------------- Realm name: corp.example.com.kw Domain NetBIOS name: MTC_TABS Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 Trust direction: Trusting forest Trust type: Active Directory domain Trust status: Waiting for confirmation by remote side what is this means "Waiting for confirmation by remote side" . how can i check that. from my AD side, i cannot see the screens shown in that gif(tutorial) Please anyone help me. Thanks & Regards, Ben On Thu, May 26, 2016 at 7:58 PM, Michael ORourke wrote: > That looks good. I see you are using an external DNS source for the IPA > domain, correct? 
You may need to do some additional steps on the FreeIPA > server, because by default it will configure BIND and populate resource > records for the IPA domain (for example, SRV records like _ldap_._ > tcp.kw.example.com). I'm not familiar with setting up FreeIPA with an > external DNS, but I'm sure there are some instructions out there. > > -Mike > > -----Original Message----- > From: "Ben .T.George" > Sent: May 23, 2016 2:22 PM > To: Michael ORourke > Cc: freeipa-users > Subject: Re: [Freeipa-users] What id my AD domain user password not > available > > HI > > in my case i have 2 domains > > AD DNS : corp.example.kw.com > main DNS ( from appliance) : kw.example.com > > and all the linux box are pointed to kw.example.com > > so i put my IPA server hostname as : ipa.kw.example.com and created A & > PTR on kw.example.com > > is that the correct way? > > Regards, > Ben > > On Mon, May 23, 2016 at 8:20 PM, Michael ORourke > wrote: > >> Ben, >> >> Yes, that is a requirement. Just creating the A & PTR records for you >> FreeIPA server is not enough. You will need to keep the DNS zones separate >> too, example: >> Windows AD Domain: mydomain.com >> FreeIPA Realm/Domain: subdomain.mydomain.com >> >> You cannot have a cross-forest trust between two domains with the same >> DNS zone name. So if you have a flat DNS namespace, then you will want to >> plan accordingly to move all the linux boxes that will participate in the >> FreeIPA domain into the new DNS zone. >> >> -Mike >> >> -----Original Message----- >> From: "Ben .T.George" >> Sent: May 23, 2016 10:44 AM >> To: Michael ORourke >> Cc: freeipa-users >> Subject: Re: [Freeipa-users] What id my AD domain user password not >> available >> >> HI >> >> yea that GIf screen i shared with him. but that doesn't show how to take >> shared key. >> >> In my case DNS is handled by 3rd party appliances and from their side >> they created A record for my IPA server. 
bth forward and reverse is working >> >> is this forwader is mandatory thing from DNS side? >> >> Regards, >> ben >> >> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke > > wrote: >> >>> Actually one of his questions doesn't make sense, because last I >>> checked, normal domain users do not have permissions to create a forest >>> trust. >>> I believe the default is a one-way trust, so maybe his concerns about >>> the bi-directional trust is really a non-issue. >>> If he refuses to type in the admin password in a linux console session >>> (extreme paranoia?), then perhaps you could give him a link to the tutorial >>> on using a pre-shared key and have him setup the AD side and give you the >>> key. You don't have to be a Windows expert to do this, just ask your >>> domain admin to do the steps for you. Also, you will need to setup a >>> separate DNS zone and some forwarding rules. Otherwise you are going to >>> have problems. >>> >>> -Mike >>> >>> >>> -----Original Message----- >>> From: "Ben .T.George" >>> Sent: May 23, 2016 10:07 AM >>> To: Michael ORourke >>> Cc: freeipa-users >>> Subject: Re: [Freeipa-users] What id my AD domain user password not >>> available >>> >>> HI >>> >>> He is local only but he is asking so many questions. >>> >>> first of all he is refusing to give domain admin users password . >>> >>> questions he is asking is: >>> >>> Is this trust relationship is two directional? If, yes why IPA require >>> two directional trust? >>> can we build this trust one directional? >>> can we achieve this with normal domain user? >>> >>> and hs is opposing to enter password in command line and i was going >>> though the rust using a pre-shared key and its too hard for me to >>> understand as i have no windows experience >>> >>> regards, >>> Ben >>> >>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke < >>> mrorourke at earthlink.net> wrote: >>> >>>> A couple of ways to go about this. 
If he is local to you, you could >>>> explain that you need to establish a trust with his domain and you need his >>>> assistance for a few minutes while you type the command to join, then have >>>> him type in the password. You need to assure that the DNS forward/stub >>>> zones are setup and working too. If he is remote, you could use some >>>> screen share software and share out your desktop and walk him through the >>>> part where he has to type the admin password. There is also a way to >>>> create a trust using a pre-shared key. That may be more acceptable to >>>> him. >>>> >>>> -Mike >>>> >>>> >>>> -----Original Message----- >>>> From: "Ben .T.George" >>>> Sent: May 23, 2016 8:42 AM >>>> To: freeipa-users >>>> Subject: [Freeipa-users] What id my AD domain user password not >>>> available >>>> >>>> Hi LIst, >>>> >>>> my Windows domain Admin is not giving domain admin user password. >>>> >>>> in this case how can i proceed ipa trust-add >>>> >>>> regards, >>>> Ben >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >>> >> >> > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From john+freeipa at themeyers.us Thu May 26 20:15:31 2016 From: john+freeipa at themeyers.us (John Meyers) Date: Thu, 26 May 2016 16:15:31 -0400 Subject: [Freeipa-users] mod_auth_krb issues with AD trust In-Reply-To: <20160526172840.ecc64mvu6yffgwdi@redhat.com> References: <57471F0E.4070601@themeyers.us> <20160526162022.7zzonrhnseubu24m@redhat.com> <57472831.2010902@themeyers.us> <20160526172840.ecc64mvu6yffgwdi@redhat.com> Message-ID: <57475963.1000202@themeyers.us> Thanks! For the use case where IPA, and not AD, is the authoritative source it's actually working out very well if we can solve this last issue. With regard to the work in 4.4, from what I've read about it, I am not 100% sure it will work. In this case the "alternate principal" is a cross-domain one. I'm not expecting IPA to issue a ticket for it. What I'm looking for is what AD can do -- if you authenticate with a principal from a trusted domain AND you find a match for that principal as an "alternate" for a user on the IPA domain, from a directory perspective don't treat that a foreign user (e.g. assign a posix UID from the foreign domain's range, apply external group mappings) but rather accept the foreign principal as the local IPA domain user itself and apply the UID, group membership, etc as if the user authenticated with a local IPA principal. John On 5/26/16 1:28 PM, Alexander Bokovoy wrote: > On Thu, 26 May 2016, John Meyers wrote: >> Alexander, >> >> I use both trust AND synchronization. Our IPA is authoritative. We add >> the "ntUser" objectclass and related attributes and 389ds automatically >> creates a corresponding AD account and password changes are likewise >> propagated. This is necessary since FreeIPA can not act as a Global >> Catalog. It works fantastically. > Interesting use of winsync. :) > >> On the AD side, we use the "altSecurityIdentities" attribute to tell AD >> that user at IPA.DOMAIN.COM is the same person as user at AD.DOMAIN.COM. 
I >> guess there isn't a similar mapping on the IPA side such that when I >> authenticate from user at AD.ACTIFIO.COM IPA will would recognize it as an >> alias of a local domain user? > We have some code in 4.4 that will support aliases for Kerberos > principals more clearly. > >> I did try your suggestion. Removing KrbLocalUserMapping does indeed >> clear up the aname_to_localname() issue, however, now REMOTE_USER gets >> the fully qualified realm string for all users, including the native IPA >> domain users, and the downstream applications that consume it break as >> they just expect a username. > Well, what about using mod_rewrite to reassemble REMOTE_USER? If > REMOTE_USER is set by mod_auth_kerb, use mod_rewrite's RewriteRule > [E=NEW_REMOTE_USER:%1] and RewriteCond before that to drop the suffix. > > This implies you have ability to redefine variable looked up by the > applications from REMOTE_USER to NEW_REMOTE_USER. > From bentech4you at gmail.com Thu May 26 23:08:07 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Fri, 27 May 2016 02:08:07 +0300 Subject: [Freeipa-users] What id my AD domain user password not available In-Reply-To: References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> Message-ID: HI i ran some commands from AD side and the Trust status got changed.Below is the command i used on AD netdom trust /d: /verify Before it was : "waiting for confirmation by remote side" and not it got changed to "Trust type: Active Directory domain" But when i am trying to map AD group, it not going through root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users' [member user]: [member group]: Group name: ad_admins_external Description: ad_domain admins external map Failed members: member user: *member group: MTC_TABS\Domain Users: trusted domain object not found * ------------------------- Number of members added 0 ------------------------- This is what my trust properties from AD. 
Trust type is showing as realm [image: Inline image 1] How can i fix this issue. On Thu, May 26, 2016 at 10:32 PM, Ben .T.George wrote: > Hi All > > i have given share key and the status is like below. > > > [root at zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw" > --trust-secret > Shared secret for the trust: > -------------------------------------------------------- > Added Active Directory trust for realm "corp.example.com.kw" > -------------------------------------------------------- > Realm name: corp.example.com.kw > Domain NetBIOS name: MTC_TABS > Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313 > SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, > S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, > S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, > S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 > SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, > S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, > S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, > S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 > Trust direction: Trusting forest > Trust type: Active Directory domain > Trust status: Waiting for confirmation by remote side > > > what is this means "Waiting for confirmation by remote side" . how can i > check that. from my AD side, i cannot see the screens shown in that > gif(tutorial) > > Please anyone help me. > > > Thanks & Regards, > Ben > > On Thu, May 26, 2016 at 7:58 PM, Michael ORourke > wrote: > >> That looks good. I see you are using an external DNS source for the IPA >> domain, correct? You may need to do some additional steps on the FreeIPA >> server, because by default it will configure BIND and populate resource >> records for the IPA domain (for example, SRV records like _ldap_._ >> tcp.kw.example.com). I'm not familiar with setting up FreeIPA with an >> external DNS, but I'm sure there are some instructions out there. 
>> >> -Mike >> >> -----Original Message----- >> From: "Ben .T.George" >> Sent: May 23, 2016 2:22 PM >> To: Michael ORourke >> Cc: freeipa-users >> Subject: Re: [Freeipa-users] What id my AD domain user password not >> available >> >> HI >> >> in my case i have 2 domains >> >> AD DNS : corp.example.kw.com >> main DNS ( from appliance) : kw.example.com >> >> and all the linux box are pointed to kw.example.com >> >> so i put my IPA server hostname as : ipa.kw.example.com and created A & >> PTR on kw.example.com >> >> is that the correct way? >> >> Regards, >> Ben >> >> On Mon, May 23, 2016 at 8:20 PM, Michael ORourke > > wrote: >> >>> Ben, >>> >>> Yes, that is a requirement. Just creating the A & PTR records for you >>> FreeIPA server is not enough. You will need to keep the DNS zones separate >>> too, example: >>> Windows AD Domain: mydomain.com >>> FreeIPA Realm/Domain: subdomain.mydomain.com >>> >>> You cannot have a cross-forest trust between two domains with the same >>> DNS zone name. So if you have a flat DNS namespace, then you will want to >>> plan accordingly to move all the linux boxes that will participate in the >>> FreeIPA domain into the new DNS zone. >>> >>> -Mike >>> >>> -----Original Message----- >>> From: "Ben .T.George" >>> Sent: May 23, 2016 10:44 AM >>> To: Michael ORourke >>> Cc: freeipa-users >>> Subject: Re: [Freeipa-users] What id my AD domain user password not >>> available >>> >>> HI >>> >>> yea that GIf screen i shared with him. but that doesn't show how to take >>> shared key. >>> >>> In my case DNS is handled by 3rd party appliances and from their side >>> they created A record for my IPA server. bth forward and reverse is working >>> >>> is this forwader is mandatory thing from DNS side? 
>>> >>> Regards, >>> ben >>> >>> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke < >>> mrorourke at earthlink.net> wrote: >>> >>>> Actually one of his questions doesn't make sense, because last I >>>> checked, normal domain users do not have permissions to create a forest >>>> trust. >>>> I believe the default is a one-way trust, so maybe his concerns about >>>> the bi-directional trust is really a non-issue. >>>> If he refuses to type in the admin password in a linux console session >>>> (extreme paranoia?), then perhaps you could give him a link to the tutorial >>>> on using a pre-shared key and have him setup the AD side and give you the >>>> key. You don't have to be a Windows expert to do this, just ask your >>>> domain admin to do the steps for you. Also, you will need to setup a >>>> separate DNS zone and some forwarding rules. Otherwise you are going to >>>> have problems. >>>> >>>> -Mike >>>> >>>> >>>> -----Original Message----- >>>> From: "Ben .T.George" >>>> Sent: May 23, 2016 10:07 AM >>>> To: Michael ORourke >>>> Cc: freeipa-users >>>> Subject: Re: [Freeipa-users] What id my AD domain user password not >>>> available >>>> >>>> HI >>>> >>>> He is local only but he is asking so many questions. >>>> >>>> first of all he is refusing to give domain admin users password . >>>> >>>> questions he is asking is: >>>> >>>> Is this trust relationship is two directional? If, yes why IPA require >>>> two directional trust? >>>> can we build this trust one directional? >>>> can we achieve this with normal domain user? >>>> >>>> and hs is opposing to enter password in command line and i was going >>>> though the rust using a pre-shared key and its too hard for me to >>>> understand as i have no windows experience >>>> >>>> regards, >>>> Ben >>>> >>>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke < >>>> mrorourke at earthlink.net> wrote: >>>> >>>>> A couple of ways to go about this. 
If he is local to you, you could >>>>> explain that you need to establish a trust with his domain and you need his >>>>> assistance for a few minutes while you type the command to join, then have >>>>> him type in the password. You need to assure that the DNS forward/stub >>>>> zones are setup and working too. If he is remote, you could use some >>>>> screen share software and share out your desktop and walk him through the >>>>> part where he has to type the admin password. There is also a way to >>>>> create a trust using a pre-shared key. That may be more acceptable to >>>>> him. >>>>> >>>>> -Mike >>>>> >>>>> >>>>> -----Original Message----- >>>>> From: "Ben .T.George" >>>>> Sent: May 23, 2016 8:42 AM >>>>> To: freeipa-users >>>>> Subject: [Freeipa-users] What id my AD domain user password not >>>>> available >>>>> >>>>> Hi LIst, >>>>> >>>>> my Windows domain Admin is not giving domain admin user password. >>>>> >>>>> in this case how can i proceed ipa trust-add >>>>> >>>>> regards, >>>>> Ben >>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>>> >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> >>> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From Lachlan.Simpson at petermac.org Thu May 26 23:14:07 2016
From: Lachlan.Simpson at petermac.org (Simpson Lachlan)
Date: Thu, 26 May 2016 23:14:07 +0000
Subject: [Freeipa-users] Inconsistant results with HBAC and SSH?
Message-ID: <0137003026EBE54FBEC540C5600C03C4361755@PMC-EXMBX02.petermac.org.au>

With the "allow all" HBAC rule enabled, we have no trouble logging in to any machine via ssh. When we disable the "allow all" rule and make specific per-machine rules (as per the idea of "host based" in HBAC), we get unpredictable results, primarily resulting in an inability to log in via ssh. This result is intermittent: sometimes we can log in, but sometimes we can't.

HBAC has been created and appears fine on the server:

[root at vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" --host=emts-facs.unix.petermac.org.au --service=ssh
--------------------
Access granted: True
--------------------
  Matched rules: ad_users
  Matched rules: allow_all
  Matched rules: FACS Computing
  Not matched rules: Computing Cluster

Using the allow_all HBAC rule all users can log in fine, but if we disable it users can no longer always log in. When the user tries to log in we see the following in the host's sssd logs:

[sssd[be[unix.petermac.org.au]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=34fb2be6-2137-11e6-9853-005056b00bfd,cn=hbac,dc=unix,dc=petermac,dc=org,dc=au].
[sssd[be[unix.petermac.org.au]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [41] groups for [Ellul Jason at petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [6][petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [6][petermac.org.au]
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][petermac.org.au]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
[sssd[pam]] [pam_reply] (0x0200): blen: 32
[sssd[pam]] [client_recv] (0x0200): Client disconnected!
[sssd[nss]] [client_recv] (0x0200): Client disconnected!

Which states "Access denied by HBAC rules".

On the server we still see:

[root at vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" --host=emts-facs.unix.petermac.org.au --service=ssh
--------------------
Access granted: True
--------------------
  Matched rules: ad_users
  Matched rules: FACS Computing
  Not matched rules: Computing Cluster

[root at vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: ad_users
  Rule name: ad_users
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: ad_users

[root at vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: FACS Computing
  Rule name: FACS Computing
  Service category: all
  Description: This server is running Flow Logic. Current server name is emts-facs.unix.petermac.org.au
  Enabled: TRUE
  User Groups: facs-compute
  Hosts: emts-facs.unix.petermac.org.au

On the host (emts-facs.unix.petermac.org.au) it shows the user is in the correct groups: 10011(facs-compute) and 1718800004(ad_users), which are both posix groups local to FreeIPA:

[root at emts-facs ~]# id "pmci\ellul jason"
uid=1501(jellul at petermac.org.au) gid=1501(jellul) groups=1501(jellul),1750642900(secure file transfer users at petermac.org.au),10011(facs-compute),10004(bioinf-core),10005(rcf-staff),1718800004(ad_users)
(NB: group list truncated for brevity)

Cheers
L.

This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.
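The rules listed in the message above can be replayed offline to see how the outcome depends entirely on the group list held by the host that evaluates them, which is the first thing to compare when `ipa hbactest` on the server and SSSD on the client disagree. The following is an added example, not code from this thread, from FreeIPA or from SSSD. It mirrors the allow-only semantics of IPA HBAC (a rule matches when user, target host and PAM service all match; any matching enabled rule grants access). The "Computing Cluster" rule's members are not shown in the thread, so its host and group are assumed, and the group sets are taken from the `id` output above.

```python
"""Replay the HBAC rules from the thread with different group views of the same user."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALL = "all"  # value of the *category attributes when a rule applies to everyone/everything


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)


def rule_matches(rule: HbacRule, user: str, groups: Set[str], host: str, service: str) -> bool:
    """A rule matches only when the user, the target host and the PAM service all match."""
    if not rule.enabled:
        return False
    user_ok = rule.user_category == ALL or user in rule.users or bool(groups & rule.user_groups)
    host_ok = rule.host_category == ALL or host in rule.hosts
    service_ok = rule.service_category == ALL or service in rule.services
    return user_ok and host_ok and service_ok


def evaluate(rules: List[HbacRule], user: str, groups: Set[str],
             host: str, service: str) -> Tuple[bool, List[str]]:
    """HBAC rules only allow, never deny: access is granted if any enabled rule matches."""
    matched = [r.name for r in rules if rule_matches(r, user, groups, host, service)]
    return bool(matched), matched


# Rules as shown by `ipa hbacrule-show` in the message above, with allow_all disabled.
# "Computing Cluster" membership is not shown there, so its host and group are assumed.
RULES = [
    HbacRule("allow_all", enabled=False, user_category=ALL, host_category=ALL, service_category=ALL),
    HbacRule("ad_users", host_category=ALL, service_category=ALL, user_groups={"ad_users"}),
    HbacRule("FACS Computing", service_category=ALL, user_groups={"facs-compute"},
             hosts={"emts-facs.unix.petermac.org.au"}),
    HbacRule("Computing Cluster", service_category=ALL,
             user_groups={"cluster-users"},                 # assumed
             hosts={"cluster-head.example.invalid"}),       # assumed
]

USER = "jellul@petermac.org.au"
HOST = "emts-facs.unix.petermac.org.au"
SERVICE = "sshd"  # PAM service name; the thread's hbactest used --service=ssh


def server_view() -> Tuple[bool, List[str]]:
    """What `ipa hbactest` sees: the full group list resolved on the IPA server."""
    groups = {"facs-compute", "bioinf-core", "rcf-staff", "ad_users"}
    return evaluate(RULES, USER, groups, HOST, SERVICE)


def stale_client_view() -> Tuple[bool, List[str]]:
    """A client whose group lookup for the user lost the two IPA group memberships."""
    groups = {"bioinf-core", "rcf-staff"}
    return evaluate(RULES, USER, groups, HOST, SERVICE)


def with_allow_all() -> Tuple[bool, List[str]]:
    """With allow_all enabled, the incomplete group list is masked and access is still granted."""
    rules = [HbacRule("allow_all", user_category=ALL, host_category=ALL, service_category=ALL)] + RULES[1:]
    return evaluate(rules, USER, set(), HOST, SERVICE)


if __name__ == "__main__":
    for label, fn in (("server view", server_view),
                      ("client with incomplete groups", stale_client_view),
                      ("allow_all enabled", with_allow_all)):
        granted, matched = fn()
        print(f"{label}: granted={granted} matched={matched}")
```

The same user is granted on the server and denied on the client purely because the client-side group set differs, so `id` on the affected host at the moment of the failure is the check to run, and the hbactest result from the server does not settle the question.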
From ftweedal at redhat.com Thu May 26 23:50:17 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 27 May 2016 09:50:17 +1000
Subject: [Freeipa-users] DNS SubjectAltName missing in provisioned certificates
In-Reply-To:
References: <1459106087.18839.25.camel@stefany.eu> <20160331074157.GA18277@dhcp-40-8.bne.redhat.com> <20160510105533.GQ1237@dhcp-40-8.bne.redhat.com> <20160510130116.GR1237@dhcp-40-8.bne.redhat.com>
Message-ID: <20160526235017.GB17798@dhcp-40-8.bne.redhat.com>

On Thu, May 26, 2016 at 12:08:11PM +0200, Youenn PIOLET wrote:
> Hi there,
>
> For your information:
> I just realised today that the certificate signing using the web interface was
> still broken.
>
> I've got 3 caIPAserviceCert.cfg files on my system:
>
> Locate caIPAserviceCert.cfg output
> 1. New profile: /usr/share/ipa/profiles/caIPAserviceCert.cfg
> 2. Old broken profile: /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg
> 3. Old broken profile: /var/lib/pki/pki-tomcat/ca/profiles/ca/caIPAserviceCert.cfg
>
> LDAP profile version was not OK, back to the older version of the profile. I
> fixed it back.
>
> > FreeIPA since v4.2 configures Dogtag to use the LDAPProfileSubsystem
> > which stores profile configuration in LDAP.
>
> I think my Dogtag (in IPA web interface) was still using the files (and
> replacing the LDAP entry after a while? Or did it happen when I added a new
> replica?).
>
Yes - installing a new replica will re-clobber the profile configuration.
Patches to fix the problem are merged upstream and will make their way into
an upcoming bugfix release.

Thanks,
Fraser

From Lachlan.Simpson at petermac.org Fri May 27 01:10:40 2016
From: Lachlan.Simpson at petermac.org (Simpson Lachlan)
Date: Fri, 27 May 2016 01:10:40 +0000
Subject: [Freeipa-users] Inconsistant results with HBAC and SSH?
In-Reply-To: <0137003026EBE54FBEC540C5600C03C4361755@PMC-EXMBX02.petermac.org.au>
References: <0137003026EBE54FBEC540C5600C03C4361755@PMC-EXMBX02.petermac.org.au>
Message-ID: <0137003026EBE54FBEC540C5600C03C43619BF@PMC-EXMBX02.petermac.org.au>

> With the "allow all" HBAC rule enabled, we have no trouble logging in to any
> machine via ssh. When we disable the "allow all" rule and make specific
> per-machine rules (as per the idea of "host based" in HBAC), we get unpredictable
> results, primarily resulting in an inability to log in via ssh. This result is
> intermittent: sometimes we can log in, but sometimes we can't.

One noted way to "break" the HBAC is a long period of inactivity in that shell.

Cheers
L.
From abokovoy at redhat.com Fri May 27 04:05:54 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 27 May 2016 07:05:54 +0300
Subject: [Freeipa-users] What id my AD domain user password not available
In-Reply-To:
References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net>
Message-ID: <20160527040554.dglitdvlfcg2asif@redhat.com>

On Fri, 27 May 2016, Ben .T.George wrote:
> HI
>
> I ran some commands from AD side and the Trust status got changed. Below is
> the command I used on AD
>
> netdom trust /d: /verify
>
>
> Before it was: "waiting for confirmation by remote side" and now it got
> changed to "Trust type: Active Directory domain"
>
> But when I am trying to map AD group, it is not going through
>
>
> root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: ad_domain admins external map
>   Failed members:
>     member user:
>     member group: MTC_TABS\Domain Users: trusted domain object not found
> -------------------------
> Number of members added 0
> -------------------------
>
> This is what my trust properties from AD. Trust type is showing as realm
It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
realm trust which is *not* what IPA provides.

> [image: Inline image 1]
>
> How can I fix this issue.
Use correct type of trust when establishing trust on AD side. If your
Windows version does not allow to specify proper trust type, I'm afraid,
there is nothing we can help with.

--
/ Alexander Bokovoy

From jhrozek at redhat.com Fri May 27 07:22:17 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 27 May 2016 09:22:17 +0200
Subject: [Freeipa-users] Inconsistant results with HBAC and SSH?
In-Reply-To: <0137003026EBE54FBEC540C5600C03C43619BF@PMC-EXMBX02.petermac.org.au>
References: <0137003026EBE54FBEC540C5600C03C4361755@PMC-EXMBX02.petermac.org.au> <0137003026EBE54FBEC540C5600C03C43619BF@PMC-EXMBX02.petermac.org.au>
Message-ID: <20160527072217.GC3291@hendrix>

On Fri, May 27, 2016 at 01:10:40AM +0000, Simpson Lachlan wrote:
> > With the "allow all" HBAC rule enabled, we have no trouble logging in to any
> > machine via ssh. When we disable the "allow all" rule and make specific
> > per-machine rules (as per the idea of "host based" in HBAC), we get unpredictable
> > results, primarily resulting in an inability to log in via ssh. This result is
> > intermittent: sometimes we can log in, but sometimes we can't.
>
> One noted way to "break" the HBAC is a long period of inactivity in that shell.

Typically, this is because of issues in group membership for that user.
Does id report all the groups the user should be a member of?

With recent enough SSSD, the hbac evaluator prints more verbose debug
messages (down to the individual elements of HBAC rules) to see why
exactly the rules didn't match.

There were fixes in the latest 7.2.z IPA update to help fix a problem
with the same AD group being a member of multiple IPA external groups;
maybe that would fix your problem.

From bentech4you at gmail.com Fri May 27 07:24:05 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 27 May 2016 10:24:05 +0300
Subject: [Freeipa-users] What id my AD domain user password not available
In-Reply-To: <20160527040554.dglitdvlfcg2asif@redhat.com>
References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> <20160527040554.dglitdvlfcg2asif@redhat.com>
Message-ID:

HI Alex.

I am using Windows 2008 R2.

When I am giving IPA's DNS name and click next, the trust wizard is not
going through. But if I am selecting realm trust, at least the wizard
completes.

So which AD version is recommended?
Regards,
Ben

On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy wrote:
> On Fri, 27 May 2016, Ben .T.George wrote:
>
>> HI
>>
>> I ran some commands from AD side and the Trust status got changed. Below is
>> the command I used on AD
>>
>> netdom trust /d: /verify
>>
>>
>> Before it was: "waiting for confirmation by remote side" and now it got
>> changed to "Trust type: Active Directory domain"
>>
>> But when I am trying to map AD group, it is not going through
>>
>>
>> root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
>> [member user]:
>> [member group]:
>>   Group name: ad_admins_external
>>   Description: ad_domain admins external map
>>   Failed members:
>>     member user:
>>     member group: MTC_TABS\Domain Users: trusted domain object not found
>> -------------------------
>> Number of members added 0
>> -------------------------
>>
>> This is what my trust properties from AD. Trust type is showing as realm
>>
> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
> realm trust which is *not* what IPA provides.
>
>> [image: Inline image 1]
>>
>> How can I fix this issue.
>>
> Use correct type of trust when establishing trust on AD side. If your
> Windows version does not allow to specify proper trust type, I'm afraid,
> there is nothing we can help with.
>
> --
> / Alexander Bokovoy
>

From bentech4you at gmail.com Fri May 27 07:36:12 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 27 May 2016 10:36:12 +0300
Subject: [Freeipa-users] What id my AD domain user password not available
In-Reply-To:
References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> <20160527040554.dglitdvlfcg2asif@redhat.com>
Message-ID:

This is what I am getting:

[image: Inline image 1]
[image: Inline image 3]
[image: Inline image 4]

And that wizard ends with nothing.
Please anyone share more info regarding this.

Regards,
Ben

On Fri, May 27, 2016 at 10:24 AM, Ben .T.George wrote:
> HI Alex.
>
> I am using Windows 2008 R2.
>
> When I am giving IPA's DNS name and click next, the trust wizard is not
> going through. But if I am selecting realm trust, at least the wizard
> completes.
>
> So which AD version is recommended?
>
> Regards,
> Ben
>
> On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy wrote:
>
>> On Fri, 27 May 2016, Ben .T.George wrote:
>>
>>> HI
>>>
>>> I ran some commands from AD side and the Trust status got changed. Below
>>> is the command I used on AD
>>>
>>> netdom trust /d: /verify
>>>
>>>
>>> Before it was: "waiting for confirmation by remote side" and now it got
>>> changed to "Trust type: Active Directory domain"
>>>
>>> But when I am trying to map AD group, it is not going through
>>>
>>>
>>> root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
>>> [member user]:
>>> [member group]:
>>>   Group name: ad_admins_external
>>>   Description: ad_domain admins external map
>>>   Failed members:
>>>     member user:
>>>     member group: MTC_TABS\Domain Users: trusted domain object not found
>>> -------------------------
>>> Number of members added 0
>>> -------------------------
>>>
>>> This is what my trust properties from AD. Trust type is showing as realm
>>>
>> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
>> realm trust which is *not* what IPA provides.
>>
>>> [image: Inline image 1]
>>>
>>> How can I fix this issue.
>>>
>> Use correct type of trust when establishing trust on AD side. If your
>> Windows version does not allow to specify proper trust type, I'm afraid,
>> there is nothing we can help with.
>>
>> --
>> / Alexander Bokovoy
>>
>
From abokovoy at redhat.com Fri May 27 07:53:39 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 27 May 2016 10:53:39 +0300
Subject: [Freeipa-users] What id my AD domain user password not available
In-Reply-To:
References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> <20160527040554.dglitdvlfcg2asif@redhat.com>
Message-ID: <20160527075339.3adp5oodpzup62qe@redhat.com>

On Fri, 27 May 2016, Ben .T.George wrote:
> This is what I am getting
>
> [image: Inline image 1]
> [image: Inline image 3]
> [image: Inline image 4]
>
> And that wizard ends with nothing. Please anyone share more info regarding
> this.
The wizard asks you to enter the name of the domain, forest, or realm
for the trust. You are entering hostname of IPA master. This is never
going to fly.

In Active Directory terms:
- forest is a set of AD domains
- it is named after the first AD domain created in the forest
- this domain is called 'forest root domain'

In FreeIPA we have a single 'domain' from Active Directory perspective:
- this is the domain corresponding to Kerberos realm name (ipa.local
  in your case)
- Forest name = forest root domain name = ipa.local

The wizard will then use DNS SRV records to discover IPA masters (AD DCs
for Active Directory view).

>
> Regards,
> Ben
>
> On Fri, May 27, 2016 at 10:24 AM, Ben .T.George wrote:
>
>> HI Alex.
>>
>> I am using Windows 2008 R2.
>>
>> When I am giving IPA's DNS name and click next, the trust wizard is not
>> going through. But if I am selecting realm trust, at least the wizard
>> completes.
>>
>> So which AD version is recommended?
>>
>> Regards,
>> Ben
>>
>> On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy wrote:
>>
>>> On Fri, 27 May 2016, Ben .T.George wrote:
>>>
>>>> HI
>>>>
>>>> I ran some commands from AD side and the Trust status got changed. Below
>>>> is the command I used on AD
>>>>
>>>> netdom trust /d: /verify
>>>>
>>>>
>>>> Before it was: "waiting for confirmation by remote side" and now it got
>>>> changed to "Trust type: Active Directory domain"
>>>>
>>>> But when I am trying to map AD group, it is not going through
>>>>
>>>>
>>>> root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
>>>> [member user]:
>>>> [member group]:
>>>>   Group name: ad_admins_external
>>>>   Description: ad_domain admins external map
>>>>   Failed members:
>>>>     member user:
>>>>     member group: MTC_TABS\Domain Users: trusted domain object not found
>>>> -------------------------
>>>> Number of members added 0
>>>> -------------------------
>>>>
>>>> This is what my trust properties from AD. Trust type is showing as realm
>>>>
>>> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
>>> realm trust which is *not* what IPA provides.
>>>
>>> [image: Inline image 1]
>>>>
>>>> How can I fix this issue.
>>>>
>>> Use correct type of trust when establishing trust on AD side. If your
>>> Windows version does not allow to specify proper trust type, I'm afraid,
>>> there is nothing we can help with.
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>

--
/ Alexander Bokovoy

From bentech4you at gmail.com Fri May 27 08:04:25 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 27 May 2016 11:04:25 +0300
Subject: [Freeipa-users] What id my AD domain user password not available
In-Reply-To: <20160527075339.3adp5oodpzup62qe@redhat.com>
References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> <20160527040554.dglitdvlfcg2asif@redhat.com> <20160527075339.3adp5oodpzup62qe@redhat.com>
Message-ID:

HI Alex,

Thanks for the information. I have removed the old trust and am recreating it again.

[image: Inline image 1]
[image: Inline image 2]
[image: Inline image 4]

And with the IPA domain (idm.local) also the same, it's not creating the trust.

Regards,
Ben

On Fri, May 27, 2016 at 10:53 AM, Alexander Bokovoy wrote:
> On Fri, 27 May 2016, Ben .T.George wrote:
>
>> This is what I am getting
>>
>> [image: Inline image 1]
>> [image: Inline image 3]
>> [image: Inline image 4]
>>
>> And that wizard ends with nothing. Please anyone share more info regarding
>> this.
>>
> The wizard asks you to enter the name of the domain, forest, or realm
> for the trust. You are entering hostname of IPA master. This is never
> going to fly.
>
> In Active Directory terms:
> - forest is a set of AD domains
> - it is named after the first AD domain created in the forest
> - this domain is called 'forest root domain'
>
> In FreeIPA we have a single 'domain' from Active Directory perspective:
> - this is the domain corresponding to Kerberos realm name (ipa.local
>   in your case)
> - Forest name = forest root domain name = ipa.local
>
> The wizard will then use DNS SRV records to discover IPA masters (AD DCs
> for Active Directory view).
>
>
>> Regards,
>> Ben
>>
>> On Fri, May 27, 2016 at 10:24 AM, Ben .T.George wrote:
>>
>>> HI Alex.
>>>
>>> I am using Windows 2008 R2.
>>>
>>> When I am giving IPA's DNS name and click next, the trust wizard is not
>>> going through. But if I am selecting realm trust, at least the wizard
>>> completes.
>>>
>>> So which AD version is recommended?
>>>
>>> Regards,
>>> Ben
>>>
>>> On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy wrote:
>>>
>>>> On Fri, 27 May 2016, Ben .T.George wrote:
>>>>
>>>>> HI
>>>>>
>>>>> I ran some commands from AD side and the Trust status got changed. Below
>>>>> is the command I used on AD
>>>>>
>>>>> netdom trust /d: /verify
>>>>>
>>>>>
>>>>> Before it was: "waiting for confirmation by remote side" and now it
>>>>> got changed to "Trust type: Active Directory domain"
>>>>>
>>>>> But when I am trying to map AD group, it is not going through
>>>>>
>>>>>
>>>>> root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
>>>>> [member user]:
>>>>> [member group]:
>>>>>   Group name: ad_admins_external
>>>>>   Description: ad_domain admins external map
>>>>>   Failed members:
>>>>>     member user:
>>>>>     member group: MTC_TABS\Domain Users: trusted domain object not found
>>>>> -------------------------
>>>>> Number of members added 0
>>>>> -------------------------
>>>>>
>>>>> This is what my trust properties from AD. Trust type is showing as
>>>>> realm
>>>>>
>>>> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
>>>> realm trust which is *not* what IPA provides.
>>>>
>>>> [image: Inline image 1]
>>>>>
>>>>> How can I fix this issue.
>>>>>
>>>> Use correct type of trust when establishing trust on AD side. If your
>>>> Windows version does not allow to specify proper trust type, I'm afraid,
>>>> there is nothing we can help with.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>>>
>>>
>
>
>
>
> --
> / Alexander Bokovoy
>
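Alexander's explanation quoted above (the forest root domain name is the Kerberos realm name, and the AD side then locates IPA masters through DNS SRV records) can be checked from either side before the wizard is retried. The following is an added example and not code from this thread or from FreeIPA: a standard-library-only SRV lookup that builds the query, parses the answer (including name compression pointers) and lists the `_msdcs` names for a forest root. The record set is assumed from what ipa-adtrust-install prints when IPA does not manage the DNS zone, the forest root `ipa.local` is taken from the thread, and the master name `ipa.ipa.local` in the built-in sample response is constructed.

```python
"""Stdlib-only DNS SRV lookup for the records an AD DC uses to find IPA masters."""
import secrets
import socket
import struct
from typing import List, Tuple

QTYPE_SRV, QCLASS_IN = 33, 1
SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target


def trust_discovery_names(forest_root: str) -> List[str]:
    """SRV names AD queries for the forest root domain (set assumed from
    the records ipa-adtrust-install prints for externally managed DNS)."""
    d = forest_root.rstrip(".")
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
            f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}"]


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive query with one SRV/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                  # the field itself is two bytes long
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_srv_answers(msg: bytes) -> List[SrvRecord]:
    """SRV records from the answer section, sorted by priority then weight."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                         # RCODE != 0, e.g. NXDOMAIN: nothing published
        return []
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    records: List[SrvRecord] = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return sorted(records)


def lookup_srv(name: str, server: str, timeout: float = 3.0) -> List[SrvRecord]:
    """Live UDP query against one DNS server (not exercised offline)."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        resp, _ = sock.recvfrom(4096)
    if struct.unpack("!H", resp[:2])[0] != txid:
        raise ValueError("DNS transaction id mismatch")
    return parse_srv_answers(resp)


def build_srv_response(txid: int, name: str, records: List[SrvRecord]) -> bytes:
    """Constructed answer for offline use; RR names point back at the question name."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 86400, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    # Offline demonstration with a constructed response for the forest root "ipa.local".
    qname = trust_discovery_names("ipa.local")[0]
    sample = build_srv_response(0x1234, qname, [(0, 100, 389, "ipa.ipa.local")])
    print(qname, "->", parse_srv_answers(sample))
    # Live check against an IPA master's DNS: for n in trust_discovery_names("ipa.local"):
    #     print(n, lookup_srv(n, "<ipa-master-ip>"))
```

If the `_msdcs` names return NXDOMAIN from the DNS server the domain controller uses, the wizard has nothing to discover no matter which trust type is selected; that is the condition to fix before looking at the trust type itself.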
From tomek at pipebreaker.pl Fri May 27 12:28:48 2016
From: tomek at pipebreaker.pl (Tomasz Torcz)
Date: Fri, 27 May 2016 14:28:48 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
Message-ID: <20160527122848.GA333519@mother.pipebreaker.pl>

Hi,

In my home environment I'm using a two-server FreeIPA configuration on Fedora. Initially installed on Fedora 19 in November 2013, it has been upgraded every Fedora release. It generally works OK, but somewhat degrades during operation. Recently I've jumped to F24 in the hope my problems would be resolved, but they weren't. Thus this email and plea for assistance. In the meantime there was a problem with expired certificates, but it was solved with the help of rcrit on IRC.

I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.

Currently I encounter the following main problems:
1) named is not servicing all the records from LDAP
2) can't login to WebUI on kaitain.pipebreaker.pl
3) can't login to WebUI on okda.pipebreaker.pl
4) pycparser.lextab/lextab.py/yacctab.py permission errors

More details:

----- ad 1) named problems

Recently I've added a new AAAA host entry to my zone (.pipebreaker.pl). It is visible in the CLI, but named doesn't resolve it:

$ ipa dnsrecord-find pipebreaker.pl microstation
  Record name: microstation
  AAAA record: 2001:6a0:200:d1::2
----------------------------
Number of entries returned 1
----------------------------

$ host microstation ; host microstation.pipebreaker.pl
Host microstation not found: 3(NXDOMAIN)
Host microstation.pipebreaker.pl not found: 3(NXDOMAIN)

Entries added previously resolve fine. I see no errors reported in named-pkcs11.service logs.

----- ad 2) can't login to webui at kaitain

When I open the WebUI while having a valid ticket, I'm shown my user page, i.e. https://kaitain.pipebreaker.pl/ipa/ui/#/e/user/details/zdzichu is opened. But when I log out from the WebUI and try to log in as admin, I receive:
The password or username you entered is incorrect.

The password is certainly correct, I can use it for 'kinit admin' successfully. /var/log/httpd/error_log contains:

[Fri May 27 14:17:37.104341 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] mod_wsgi (pid=1882): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Fri May 27 14:17:37.106932 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] Traceback (most recent call last):
[Fri May 27 14:17:37.106985 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/share/ipa/wsgi.py", line 63, in application
[Fri May 27 14:17:37.107436 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return api.Backend.wsgi_dispatch(environ, start_response)
[Fri May 27 14:17:37.107461 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in __call__
[Fri May 27 14:17:37.107769 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return self.route(environ, start_response)
[Fri May 27 14:17:37.107786 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
[Fri May 27 14:17:37.107808 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return app(environ, start_response)
[Fri May 27 14:17:37.107829 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 943, in __call__
[Fri May 27 14:17:37.107848 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
[Fri May 27 14:17:37.107887 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
[Fri May 27 14:17:37.107918 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     raise CCacheError(message=unicode(e))
[Fri May 27 14:17:37.136615 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639107): No credentials cache found

What cache is it talking about? How can I refresh it?

----- ad 3) cannot login to webui on okda

When I go to https://okda.pipebreaker.pl/ipa/ui/ (the other server), I see the "Loading..." screen for a couple of seconds, and afterwards a "Gateway timeout" message. Everything seems to be running on this server:

root at okda ~$ ipactl status
WARNING: yacc table file version is out of date
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

There are no logs generated in httpd's error_log during login. There are some problems in the system log:

May 27 14:25:48 okda.pipebreaker.pl server[2364]: May 27, 2016 2:25:48 PM org.apache.catalina.core.ContainerBase backgroundProcess
May 27 14:25:48 okda.pipebreaker.pl server[2364]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm at 5ad7c518 background process
May 27 14:25:48 okda.pipebreaker.pl server[2364]: java.lang.NullPointerException
May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at java.lang.Thread.run(Thread.java:745)

As you can see, those logs do not contain any clue what is wrong.

----- ad 4) pycparser.lextab/lextab.py/yacctab.py permission errors

I observe the following errors in dnskeysyncd logs:

May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: yacc table file version is out of date
May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'

Also a (related?) error during 'ipactl' invocations:

$ ipactl status
WARNING: yacc table file version is out of date
...

Warnings appear even after switching SELinux to permissive.

Please help me with resolving those problems. What logs should I provide? I see no similar issues described at http://www.freeipa.org/page/Troubleshooting

--
Tomasz Torcz                 ,,If you try to upissue this patchset I shall be seeking
xmpp: zdzichubg at chrome.pl     an IP-routable hand grenade.'' -- Andrew Morton (LKML)
From mkosek at redhat.com Fri May 27 13:01:03 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 27 May 2016 15:01:03 +0200
Subject: [Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication
In-Reply-To:
References:
Message-ID:

On 05/25/2016 09:51 PM, Bob Hinton wrote:
> Hello,
>
> We are trying to get Zenoss login authentication to use freeipa over
> LDAP. Group mappings don't currently work and we think this is because
> Zenoss requires the groupOfUniqueNames object class.
>
> I managed to add the object class to a test VM using
> vsphere_groupmod.ldif taken from
> http://www.freeipa.org/page/HowTo/vsphere5_integration -
>
> content of vsphere_groupmod.ldif -
>
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> -
>
> apply with -
>
> ldapmodify -x -D "cn=Directory Manager" -f vsphere_groupmod.ldif -W
>
> However, the following command seemed to freeze -
>
> ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember
>
> and I had to kill it then subsequent ldapsearch commands froze.

That's... strange. Looks like a DS bug.

> Rebooting the VM seemed to fix things and the groupOfUniqueNames object
> class appeared in the schema.
>
> I'd like to apply this to our live system which uses a master and two
> replicas running IPA v4.2.0 on RHEL 7.2.
>
> Do I need to make the same change to all three servers ?

Changes in cn=config need to be done on all servers as the tree is not
replicated. Normal permission changes are replicated (unless the permission is
about the cn=config tree).

> Can I leave the
> replicas connected or do I need to break the replication and
> re-establish it?

I do not see a reason why you would need to break the replication between replicas.

> Do I need the "ipa permission-mod" if so then how do I
> avoid it freezing ?

I think the freeze is a bug, I would try reproducing with the latest and
greatest 389-ds-base (I do not know what version you are using), the bug may be
already fixed (there were some bugs fixed).

And yes, the command is needed, so that the new attribute is allowed to be served.

HTH,
Martin

From bob at jackland.demon.co.uk Fri May 27 13:17:08 2016
From: bob at jackland.demon.co.uk (Bob Hinton)
Date: Fri, 27 May 2016 14:17:08 +0100
Subject: [Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication
In-Reply-To:
References:
Message-ID:

Hi Martin,

On 27/05/2016 14:01, Martin Kosek wrote:
> On 05/25/2016 09:51 PM, Bob Hinton wrote:
>> Hello,
>>
>> We are trying to get Zenoss login authentication to use freeipa over
>> LDAP. Group mappings don't currently work and we think this is because
>> Zenoss requires the groupOfUniqueNames object class.
>>
>> I managed to add the object class to a test VM using
>> vsphere_groupmod.ldif taken from
>> http://www.freeipa.org/page/HowTo/vsphere5_integration -
>>
>> [...]
>>
>> However, the following command seemed to freeze -
>>
>> ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember
>>
>> and I had to kill it then subsequent ldapsearch commands froze.
> That's... strange. Looks like a DS bug.

I tried this on one of the three live servers after using ipa-backup on each of them and it completed without hanging, so this suggests a problem with my test VM rather than a bug.

>> Rebooting the VM seemed to fix things and the groupOfUniqueNames object
>> class appeared in the schema.
>>
>> I'd like to apply this to our live system which uses a master and two
>> replicas running IPA v4.2.0 on RHEL 7.2.
>>
>> Do I need to make the same change to all three servers ?
> Changes in cn=config need to be done on all servers as the tree is not
> replicated. Normal permission changes are replicated (unless the permission is
> about the cn=config tree).

Yes. I've now spotted that the change is confined to the single live server. I'll apply it to the other two when we've got the connectivity with Zenoss working.

>> Can I leave the
>> replicas connected or do I need to break the replication and
>> re-establish it?
> I do not see a reason why you would need to break the replication between replicas.
>
>> Do I need the "ipa permission-mod" if so then how do I
>> avoid it freezing ?
> I think the freeze is a bug, I would try reproducing with the latest and
> greatest 389-ds-base (I do not know what version you are using), the bug may be
> already fixed (there were some bugs fixed).

My test VM is quite old; since it didn't happen on the live server and that is more up to date, it suggests either a bug that has been fixed or a problem with the test VM.

> And yes, the command is needed, so that the new attribute is allowed to be served.
>
> HTH,
> Martin

Thanks

Bob

From brian at interlinx.bc.ca Fri May 27 13:27:00 2016
From: brian at interlinx.bc.ca (Brian J. Murrell)
Date: Fri, 27 May 2016 09:27:00 -0400
Subject: [Freeipa-users] dynamic dns working for forward zone but not reverse zone
Message-ID: <1464355620.30702.235.camel@interlinx.bc.ca>

I have a FreeIPA 4.2.0 on CentOS 7.2. I have dynamic DNS updates working for a forward zone but they are failing (NOTAUTH) for a reverse zone. Here is the configuration of the two zones:

  dn: idnsname=example.com.,cn=dns,dc=example,dc=com
  Zone name: example.com.
  Active zone: TRUE
  Authoritative nameserver: server.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1464354354
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant linux_home_nsupdate wildcard * ANY;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: 10.75.22.1;
  mxrecord: 200 linux
  nsrecord: server.example.com.
  objectclass: idnszone, top, idnsrecord
  txtrecord: "v=spf1 a:server.klug.on.ca"

  dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
  Zone name: 0.8.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: server.example.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1464354356
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa. PTR; grant linux_home_nsupdate wildcard * ANY;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  nsrecord: server.example.com.
  objectclass: idnszone, top, idnsrecord

Here are example updates to the two zones:

# nsupdate -y linux_home_nsupdate: -d /tmp/fwdupdate
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  53154
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.                   IN      SOA

;; UPDATE SECTION:
chost.example.com.      0       ANY     A
chost.example.com.      60      IN      A       10.8.0.2

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  53154
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.com.                   IN      SOA

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0

# nsupdate -y linux_home_nsupdate: -d /tmp/revupdate
Creating key...
namefromtext
keycreate
Sending update to 10.75.22.247#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  26720
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.           IN      SOA

;; UPDATE SECTION:
2.0.10.8.in-addr.arpa.  0       ANY     PTR
2.0.10.8.in-addr.arpa.  60      IN      PTR     chost.example.com.

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id:  26720
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.           IN      SOA

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0

When the first update is done the following is logged by named-pkcs11:

client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': deleting rrset at 'chost.example.com' A
client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': adding an RR at 'chost.example.com' A

Nothing is logged for the second update attempt.

Any ideas why one is working and the other is not?

Cheers,
b.
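A NOTAUTH reply to a dynamic update means the server is not authoritative for the zone named in the update's ZONE section; the TSIG key and the update policy are only consulted after that test passes, which is also why nothing reaches the named log. In the message above the server is configured for 0.8.10.in-addr.arpa. while the failing update names the zone 0.10.8.in-addr.arpa. and the owner 2.0.10.8.in-addr.arpa. The following is an added example, not code from the thread or from FreeIPA: it parses an nsupdate -d debug excerpt, decides whether a server with a given zone list would accept it, and decodes the PTR owner back to the address it actually names. The zone list and the debug excerpt are constructed here from the values in the message.

```python
# Added example (not from the thread above): replay the authority check a
# name server applies to a dynamic update, on nsupdate -d debug output.
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed list: the zones the server in the message serves.
AUTHORITATIVE_ZONES: Sequence[str] = ("example.com.", "0.8.10.in-addr.arpa.")

# Constructed excerpt in the shape of `nsupdate -d` output, mirroring the
# failing reverse update in the message above.
SAMPLE_UPDATE = """\
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  26720
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.10.8.in-addr.arpa.           IN      SOA

;; UPDATE SECTION:
2.0.10.8.in-addr.arpa.  0       ANY     PTR
2.0.10.8.in-addr.arpa.  60      IN      PTR     chost.example.com.

;; TSIG PSEUDOSECTION:
linux_home_nsupdate.    0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0
"""


def reverse_name(ip: str) -> str:
    """Canonical PTR owner for an address: 10.8.0.2 -> 2.0.8.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ptr_to_ip(owner: str) -> str:
    """Inverse of reverse_name for a full IPv4 PTR owner (four labels + in-addr.arpa)."""
    labels = owner.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 PTR owner: {owner}")
    return ".".join(reversed(labels[:4]))


def zone_of(name: str, zones: Sequence[str]) -> Optional[str]:
    """Longest configured zone containing `name`, or None when no zone does."""
    name = name.lower()
    matches = [z.lower() for z in zones
               if name == z.lower() or name.endswith("." + z.lower())]
    return max(matches, key=len) if matches else None


def parse_update(debug_text: str) -> Tuple[Optional[str], List[Tuple[str, str, Optional[str]]]]:
    """Return the ZONE section name and (owner, rrtype, rdata) rows of the UPDATE section."""
    section = None
    zone = None
    records = []
    for line in debug_text.splitlines():
        if line.startswith(";; ") and line.rstrip().endswith("SECTION:"):
            section = line[3:].split()[0]          # ZONE, UPDATE, TSIG, ...
            continue
        if not line.strip() or line.startswith(";;"):
            continue
        if section == "ZONE":
            zone = line.lstrip(";").split()[0]
        elif section == "UPDATE":
            fields = line.split()                  # owner ttl class type [rdata]
            records.append((fields[0], fields[3], fields[4] if len(fields) > 4 else None))
    return zone, records


def check_update(debug_text: str, zones: Sequence[str] = AUTHORITATIVE_ZONES) -> Dict:
    """Explain whether a server serving `zones` would get past the authority check."""
    zone, records = parse_update(debug_text)
    report = {"zone": zone, "authoritative": False, "ptr_addresses": {}, "findings": []}
    if zone is None:
        report["findings"].append("no ZONE section found")
        return report
    report["authoritative"] = zone_of(zone, zones) == zone.lower()
    if not report["authoritative"]:
        report["findings"].append(f"not authoritative for {zone}: the server answers NOTAUTH")
    for owner, rtype, _rdata in records:
        if zone_of(owner, (zone,)) is None:
            report["findings"].append(f"{owner} lies outside the update's zone {zone}")
        if rtype == "PTR":
            ip = ptr_to_ip(owner)
            report["ptr_addresses"][owner] = ip
            report["findings"].append(f"{owner} is the PTR owner for address {ip}")
    return report


if __name__ == "__main__":
    for finding in check_update(SAMPLE_UPDATE)["findings"]:
        print(finding)
    # The forward update registered chost at 10.8.0.2; its PTR owner is
    # derived from the address and falls in the zone this server does serve.
    owner = reverse_name("10.8.0.2")
    print(owner, "->", zone_of(owner, AUTHORITATIVE_ZONES))
```

Deriving the PTR owner from the address with reverse_name (rather than writing the labels by hand) is the check worth scripting into whatever generates the update: the owner and the ZONE line must both land inside a zone the server serves before the wildcard grant for linux_home_nsupdate is even evaluated. The TSIG in the debug output uses hmac-md5; when that key is next rotated, hmac-sha256 is the stronger choice and BIND accepts it in the same grant syntax.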
From qubitrenegade at gmail.com Thu May 26 20:24:25 2016
From: qubitrenegade at gmail.com (Foo Bar)
Date: Thu, 26 May 2016 15:24:25 -0500
Subject: [Freeipa-users] How to reset admin password in 4.2.0
Message-ID:

Hello,

How do I reset the admin password in FreeIPA 4.2.0 running on CentOS7?

Some details:

Some months ago I stood up FreeIPA as a POC in our lab. I was pulled into other projects, and in my infinite wisdom forgot to put the admin password in our password store. Now we've got users trying to use it, but I'm unable to login with the admin credentials, or login to the web gui using my Windows Domain Admin credentials. (I am able to authenticate using my Windows Domain credentials to linux servers joined to the FreeIPA domain though...)

I've tried the instructions found here:
https://www.redhat.com/archives/freeipa-users/2011-May/msg00144.html

But as the freeipa domain is a sub sub sub domain of our windows domain, I have no idea how to build the OU tree. i.e. Windows domain is foo.com, FreeIPA domain is biz.baz.bar.foo.com. I've tried:

- uid=admin,cn=users,cn=accounts,dc=biz,dc=baz,dc=bar,dc=foo,dc=com
- uid=admin,cn=users,cn=accounts,cn=biz,cn=baz,cn=bar,dc=foo,dc=com
- uid=admin,cn=users,cn=accounts,dc=biz.baz.bar.foo,dc=com

and I'm sure a few other iterations, but no matter what, I get the error:

>> ldap_start_tls: Operations error (1)
>> additional info: SSL connection already established.

According to this page:
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

As of 3.2.2 "the procedure" is automated in ipa-replica-prepare... I'm confused by this statement, because the implication seems to be that the password reset policy is automated in the replica-prepare... "tool"? The help options say "Prepare a file for replica installation." So I'm not really sure how that helps...

I found these instructions on how to reset the directory manager password...

http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

But I don't think that's what I want as I'm trying to reset the "admin" password.

So at this point I'm pretty well lost and desperate for hints...

Is there any documentation on resetting the admin password for 4.2.0?

Thanks!

From kay.y.zhou at ericsson.com Fri May 27 09:30:31 2016
From: kay.y.zhou at ericsson.com (Kay Zhou Y)
Date: Fri, 27 May 2016 09:30:31 +0000
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
Message-ID:

Hi,

This is Kay.

I am not sure if the email address is correct, and I would really appreciate any help with my issue. It has been baffling me for a few days, and the expiry date is coming soon.. :(

There is an IPA 2.2 environment, and three "Server-Cert" certificates (the two 389-ds and the Apache certs) will expire at 2016-06-05 22:03:17 UTC.

Two years ago, these certs were renewed by other guys according to this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
and it was successful; the certificates were renewed until 20160605.

But recently I wanted to renew them again since the expiry date is coming. I followed the above guide, however things did not go well.

As below, these are the 8 certs which certmonger is tracking:

root at ecnshlx3039-test2(SH):~ #getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
        track: yes
        auto-renew: yes
Request ID '20120704140922':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075219':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Audit,O=DRUTT.COM
        expires: 2014-06-24 14:08:42 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075220':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=OCSP Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075221':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075222':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Following all the steps in the guide, the result is that just the first three certificates are renewed to 20160622 if I set the system time to 20140623 (when the four CA subsystem certs and the CA cert are valid).

But the other five are not renewed at all (the four CA subsystem certs and the CA cert). There is no error information during these steps.

I googled a lot but still found nothing that could resolve it, and then I found a similar thread:
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html

But unfortunately that solution is not available for my issue either.

Since I am not familiar with FreeIPA, this bothers me so much.

Any help will be really appreciated. Thanks in advance!
Thanks,

BR//Kay

From rcritten at redhat.com Fri May 27 15:36:44 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 27 May 2016 11:36:44 -0400
Subject: [Freeipa-users] How to reset admin password in 4.2.0
In-Reply-To:
References:
Message-ID: <5748698C.2090304@redhat.com>

Foo Bar wrote:
> Hello,
>
> How do I reset the admin password in FreeIPA 4.2.0 running on CentOS7?
>
> Some details:
>
> Some months ago I stood up FreeIPA as a POC in our lab. I was pulled
> into other projects, and in my infinite wisdom forgot to put the admin
> password in our password store. Now we've got users trying to use it,
> but I'm unable to login with the admin credentials, or login to the web
> gui using my Windows Domain Admin credentials. (I am able to
> authenticate using my Windows Domain credentials to linux servers joined
> to the FreeIPA domain though...)
>
> I've tried the instructions found here:
> https://www.redhat.com/archives/freeipa-users/2011-May/msg00144.html
>
> But as the freeipa domain is a sub sub sub domain of our windows domain,
> I have no idea how to build the OU tree. i.e. Windows domain is foo.com,
> FreeIPA domain is biz.baz.bar.foo.com. I've tried:
>
> - uid=admin,cn=users,cn=accounts,dc=biz,dc=baz,dc=bar,dc=foo,dc=com
> - uid=admin,cn=users,cn=accounts,cn=biz,cn=baz,cn=bar,dc=foo,dc=com
> - uid=admin,cn=users,cn=accounts,dc=biz.baz.bar.foo,dc=com
>
> and I'm sure a few other iterations, but no matter what, I get the error:
>
> >> ldap_start_tls: Operations error (1)
> >> additional info: SSL connection already established.

It depends on the ldappasswd command-line you're using but this has nothing to do with the DN you are using, it is failing well before it gets to that. Including the command-line you're using would help.

Try this:

$ ldappasswd -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=example,dc=com

You can get the appropriate basedn from /etc/ipa/default.conf.

> According to this page:
> http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
>
> As of 3.2.2 "the procedure" is automated in ipa-replica-prepare... I'm
> confused by this statement, because the implication seems to be that the
> password reset policy is automated in the replica-prepare... "tool"?
> The help options say "Prepare a file for replica installation." So
> I'm not really sure how that helps...

The IPA wiki instructions are what to do if you change the Directory Manager password, not HOW to do it (it links to 389-ds for that).

> I found these instructions on how to reset the directory manager
> password...
>
> http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>
> But I don't think that's what I want as I'm trying to reset the "admin"
> password.
>
> So at this point I'm pretty well lost and desperate for hints...
>
> Is there any documentation on resetting the admin password for 4.2.0?
>
> Thanks!

From rcritten at redhat.com Fri May 27 15:41:18 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 27 May 2016 11:41:18 -0400
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To:
References:
Message-ID: <57486A9E.2050909@redhat.com>

Kay Zhou Y wrote:
> Hi,
>
> This is Kay.
>
> I am not sure if the email address is correct, and I would really
> appreciate any help with my issue. It has been baffling me for a few
> days, and the expiry date is coming soon.. :(
>
> There is an IPA 2.2 environment, and three "Server-Cert" certificates (the two 389-ds and
> the Apache certs) will expire at 2016-06-05 22:03:17 UTC.
>
> Two years ago, these certs were renewed by other guys according to this
> document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> and it was successful; the certificates were renewed until 20160605.
>
> But recently I wanted to renew them again since the expiry date is coming.
> I followed the above guide, however things did not go well.

The problem looks to be because the IPA RA cert (ipaCert) isn't matching what dogtag expects. See the wiki page starting at "For ipaCert, stored in /etc/httpd/alias you have another job to do..."

You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.

rob

> As below, these are the 8 certs which certmonger is tracking:
>
> root at ecnshlx3039-test2(SH):~ #getcert list
>
> Number of certificates and requests being tracked: 8.
>
> [...]
>
> Following all the steps in the guide, the result is that just the first three
> certificates are renewed to 20160622 if I set the system time to
> 20140623 (when the four CA subsystem certs and the CA cert are valid).
>
> But the other five are not renewed at all (the four CA subsystem certs and
> the CA cert). There is no error information during these steps.
>
> I googled a lot but still found nothing that could resolve it, and then I
> found a similar thread:
> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>
> But unfortunately that solution is not available for my issue either.
>
> Since I am not familiar with FreeIPA, this bothers me so much.
>
> Any help will be really appreciated. Thanks in advance!
>
> Thanks,
>
> BR//Kay

From michael.rainey.ctr at nrlssc.navy.mil Fri May 27 21:11:04 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Fri, 27 May 2016 16:11:04 -0500
Subject: [Freeipa-users] Recovering from an IPA master server failure
Message-ID:

Greetings community,

I've run into an interesting problem which may be old hat to all of you. I was working to bring down my first IPA server and did it improperly. It was a rookie mistake, but I'm willing to view it as an exercise in recovering from a massive master server failure.
The original master server is gone with no way of recovering and I have managed to replace the master server with one of my replicas, but I find myself in a situation where I cannot remove the original master server from the directory. It is still seen as a master server and the webUI will not let me delete the system. Is there a process somewhere that will walk me through the process of demoting the server so I can delete it from the directory?

Your help is greatly appreciated.

-- 
Michael Rainey

From prasun.gera at gmail.com Fri May 27 23:03:24 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 27 May 2016 19:03:24 -0400
Subject: [Freeipa-users] OCSP and CRL in certs for java firefox plugin
Message-ID:

I've set up a couple of dell idrac cards' ssl certs signed by the ipa CA. I've also added the ipa CA to java's trusted CAs. However, when you try to launch the idrac java console, it will still show an error that the site is untrusted. Upon clicking on "more information", the message says that although the cert is signed by the CA, it cannot verify the revocation status. I found this page http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs , which explains potential problems with this since the main ipa server itself is also using an ssl cert signed by the ipa CA. So the client cannot verify the revocation if it can't reach the CA. Is there any solution to this ? Anyone tried this with idrac cards ?

From prasun.gera at gmail.com Fri May 27 23:22:03 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 27 May 2016 19:22:03 -0400
Subject: [Freeipa-users] OCSP and CRL in certs for java firefox plugin
In-Reply-To:
References:
Message-ID:

It looks like that issue was fixed and the OCSP and CRL uris in the certs are now http. So I'm not sure why java is complaining.

On Fri, May 27, 2016 at 7:03 PM, Prasun Gera wrote:
> [...]

From prasun.gera at gmail.com Fri May 27 23:26:10 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 27 May 2016 19:26:10 -0400
Subject: [Freeipa-users] OCSP and CRL in certs for java firefox plugin
In-Reply-To:
References:
Message-ID:

I've identified the problem. The uris seem to be incorrect. This looks like some substitution gone wrong. Instead of using the actual ipa server's address, it points to a generic placeholder type text (ipa-ca.domain.com). Relevant part of the certificate:

            Authority Information Access:
                OCSP - URI:http://ipa-ca.domain.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin

This is on RHEL 7.2, idm 4.2 btw

On Fri, May 27, 2016 at 7:22 PM, Prasun Gera wrote:
> It looks like that issue was fixed and the OCSP and CRL uris in the certs
> are now http. So I'm not sure why java is complaining.
>
> On Fri, May 27, 2016 at 7:03 PM, Prasun Gera wrote:
>> [...]

From rcritten at redhat.com Sat May 28 02:19:05 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 27 May 2016 22:19:05 -0400
Subject: [Freeipa-users] OCSP and CRL in certs for java firefox plugin
In-Reply-To:
References:
Message-ID: <57490019.8000504@redhat.com>

Prasun Gera wrote:
> I've identified the problem. The uris seem to be incorrect. This looks
> like some substitution gone wrong. Instead of using the actual ipa
> server's address, it points to a generic placeholder type text
> (ipa-ca.domain.com). Relevant part of the
> certificate:

A generic name is used in case the server that issued the cert goes away.

Create an entry in DNS for this generic name and things should work as expected.

rob

> [...]

From prasun.gera at gmail.com Sat May 28 03:30:51 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 27 May 2016 23:30:51 -0400
Subject: [Freeipa-users] OCSP and CRL in certs for java firefox plugin
In-Reply-To: <57490019.8000504@redhat.com>
References: <57490019.8000504@redhat.com>
Message-ID:

The problem is that I'm not using ipa for dns. dns is handled externally, and I don't have admin access. I have 1 master and 1 replica, and all the clients are enrolled with --server=a,--server=b during installation, and I think it works perfectly fine.
Is it possible to instruct IPA to use some alternative for the certs? If it's not possible to list multiple URIs, even just the master would be fine. It would at least work when the master is up, which it doesn't right now.

Secondly, I'm a bit confused regarding the DNS too. This error is on a client system like my laptop, which is an entirely unrelated system from the IPA clients. The connection is over the internet. So the DNS mapping would have to be visible globally for my laptop to see it. However, the name of the IPA domain is not the same as the name of the domain in the server addresses. (This was for some historic reason in NIS, and I didn't change the domain name during migration.) So what IPA is suggesting is something like ipa-ca.abc.com, whereas all my servers are like server1.pqr.xyz.com. I don't think it is in any way possible to do this right now since I don't control abc.com.

On Fri, May 27, 2016 at 10:19 PM, Rob Crittenden wrote:
> Prasun Gera wrote:
>
>> I've identified the problem. The URIs seem to be incorrect. This looks
>> like some substitution gone wrong. Instead of using the actual IPA
>> server's address, it points to a generic placeholder type text
>> (ipa-ca.domain.com). Relevant part of the
>> certificate:
>>
>
> A generic name is used in case the server that issued the cert goes away.
> Create an entry in DNS for this generic name and things should work as
> expected.
>
> rob
>
>>             Authority Information Access:
>>                 OCSP - URI:http://ipa-ca.domain.com/ca/ocsp
>>
>>             X509v3 Key Usage: critical
>>                 Digital Signature, Non Repudiation, Key Encipherment,
>>                 Data Encipherment
>>             X509v3 Extended Key Usage:
>>                 TLS Web Server Authentication, TLS Web Client
>>                 Authentication
>>             X509v3 CRL Distribution Points:
>>
>>                 Full Name:
>>                   URI:http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin
>>
>>
>> This is on RHEL 7.2, IdM 4.2 btw.
>>
>> On Fri, May 27, 2016 at 7:22 PM, Prasun Gera wrote:
>>
>>     It looks like that issue was fixed and the OCSP and CRL URIs in the
>>     certs are now http. So I'm not sure why Java is complaining.
>>
>>     On Fri, May 27, 2016 at 7:03 PM, Prasun Gera wrote:
>>
>>         I've set up a couple of Dell iDRAC cards' SSL certs signed by
>>         the IPA CA. I've also added the IPA CA to Java's trusted CAs.
>>         However, when you try to launch the iDRAC Java console, it will
>>         still show an error that the site is untrusted. Upon clicking on
>>         "more information", the message says that although the cert is
>>         signed by the CA, it cannot verify the revocation status. I
>>         found this page
>>         http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs,
>>         which explains potential problems with this since the main IPA
>>         server itself is also using an SSL cert signed by the IPA CA. So
>>         the client cannot verify the revocation if it can't reach the
>>         CA. Is there any solution to this? Anyone tried this with iDRAC
>>         cards?

From mbasti at redhat.com Sat May 28 11:22:05 2016
From: mbasti at redhat.com (Martin Basti)
Date: Sat, 28 May 2016 13:22:05 +0200
Subject: [Freeipa-users] Recovering from an IPA master server failure
In-Reply-To:
References:
Message-ID:

On 27.05.2016 23:11, Michael Rainey (Contractor) wrote:
>
> Greetings community,
>
> I've run into an interesting problem which may be old hat to all of
> you. I was working to bring down my first IPA server and did it
> improperly. It was a rookie mistake, but I'm willing to view it as an
> exercise in recovering from a massive master server failure.
>
> The original master server is gone with no way of recovering and I
> have managed to replace the master server with one of my replicas, but
> I find myself in a situation where I cannot remove the original master
> server from the directory. It is still seen as a master server and
> the web UI will not let me delete the system. Is there a process
> somewhere that will walk me through the process of demoting the server
> so I can delete it from the directory?
>
> Your help is greatly appreciated.
>
> --
> Michael Rainey
>

Hello, have you tried

ipa-replica-manage del [--cleanup] [--force]

on the current replicas?

Martin

From gjn at gjn.priv.at Sun May 29 07:18:28 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sun, 29 May 2016 09:18:28 +0200
Subject: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
Message-ID: <27123231.2vVFdNkPoa@techz>

Hello,

I found some help for the IPA certificate, but I found no way to import the IPA CA?

I would like to create a web server with an ownCloud virtual host and others, but it is not possible for me to create the /etc/httpd/alias correctly?

I found this in the IPA docs:

certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

but with this command line I get an error: /etc/ipa/ca.crt has the wrong format?

Does anyone have a link with a working example?

Thanks,
--
Kind regards / best regards,

Günther J. Niederwimmer

From kbass at kenbass.com Sun May 29 15:33:25 2016
From: kbass at kenbass.com (Ken Bass)
Date: Sun, 29 May 2016 11:33:25 -0400
Subject: [Freeipa-users] Centos 7.2 ipa-backup failure
Message-ID: <574B0BC5.2080705@kenbass.com>

Today I tried my very first ipa-backup attempt. The command reported 'The ipa-backup command was successful' YET I saw:

/usr/sbin/db2ldif: line 157: 22567 Segmentation fault /usr/sbin/ns-slapd db2ldif -D /etc/dirsrv/slapd-DOMAIN-NET -n userRoot -a "/var/lib/dirsrv/slapd-DOMAIN-NET/ldif/DOMAIN-NET-userRoot.ldif" -r

I am running CentOS 7.2. After googling, I did find:

https://fedorahosted.org/freeipa/ticket/5571
https://fedorahosted.org/389/ticket/48388

How am I supposed to back up this box? I want to run the backup script nightly to generate the tarball so I can use another script to back it up along with other stuff. It is a small system with no replication.

As a CentOS 7.2 user am I just out of luck since it appears the various bugs I am encountering with this software are not being fixed except in newer versions of freeipa and sssd which are not available via the standard repos?

From bentech4you at gmail.com Sun May 29 17:11:36 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sun, 29 May 2016 20:11:36 +0300
Subject: [Freeipa-users] Install best practice -
Message-ID:

Hi,

I would like to know how I can proceed with best practices.

My AD domain is: corp.examle.com.kw
My DNS (appliances): kw.test.com

All my clients are pointed to kw.test.com, including AD.

How can I proceed with the FreeIPA installation? Where do I need to manage DNS of the FreeIPA master server?

Creating a new DNS zone in kw.test.com will be a little bit difficult.

Which will be the best configuration with minimal changes in the existing setup?

Regards,
Ben
From natxo.asenjo at gmail.com Sun May 29 18:11:17 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sun, 29 May 2016 20:11:17 +0200
Subject: [Freeipa-users] Install best practice -
In-Reply-To:
References:
Message-ID:

On Sun, May 29, 2016 at 7:11 PM, Ben .T.George wrote:
> Hi
>
> I would like to know how can i proceed with best practices
>
> My AD domain is : corp.examle.com.kw
> My DNS (appliances ) : kw.test.com
>
> All my clients are pointed to kw.test.com including AD.
>
> How can i proceed with Free IPA installation? where i need to manage DNS
> of freeipa master server?
>
>
> creating new DNS zone in kw.test.com will be little bit difficult.
>
> which will be best configuration with minimal changes in existing setup.
>

The easiest would be to create a zone and delegate that to the IPA hosts. No other change necessary.

Not sure if this is a 'best practice', but this is how we have been running our environment for years without any problems.

--
regards,
Natxo

From bentech4you at gmail.com Mon May 30 05:14:54 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Mon, 30 May 2016 08:14:54 +0300
Subject: [Freeipa-users] Install best practice -
In-Reply-To:
References:
Message-ID:

Hi,

thanks for the reply.

"the easiest would be to create a zone and delegating that to the ipa hosts. No other change necessary."

Can you explain a little more? You mean I need to create a separate DNS zone?

regards,
Ben

On Sun, May 29, 2016 at 9:11 PM, Natxo Asenjo wrote:
>
>
> On Sun, May 29, 2016 at 7:11 PM, Ben .T.George wrote:
>
>> Hi
>>
>> I would like to know how can i proceed with best practices
>>
>> My AD domain is : corp.examle.com.kw
>> My DNS (appliances ) : kw.test.com
>>
>> All my clients are pointed to kw.test.com including AD.
>>
>> How can i proceed with Free IPA installation? where i need to manage DNS
>> of freeipa master server?
>>
>>
>> creating new DNS zone in kw.test.com will be little bit difficult.
>>
>> which will be best configuration with minimal changes in existing setup.
>>
>
> the easiest would be to create a zone and delegating that to the ipa
> hosts. No other change necessary.
>
> Not sure if this is a 'best practice', but this is how we have been
> running our environment for years without any problems.
>
> --
> regards,
> Natxo
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From mkosek at redhat.com Mon May 30 06:23:15 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 May 2016 08:23:15 +0200
Subject: [Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication
In-Reply-To:
References:
Message-ID:

On 05/27/2016 03:17 PM, Bob Hinton wrote:
> Hi Martin,
>
> On 27/05/2016 14:01, Martin Kosek wrote:
>> On 05/25/2016 09:51 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> We are trying to get Zenoss login authentication to use freeipa over
>>> LDAP. Group mappings don't currently work and we think this is because
>>> Zenoss requires the groupOfUniqueNames object class.
>>>
>>> I managed to add the object class to a test VM using
>>> vsphere_groupmod.ldif taken from
>>> http://www.freeipa.org/page/HowTo/vsphere5_integration -
>>>
>>> content of vsphere_groupmod.ldif -
>>>
>>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>> changetype: modify
>>> add: schema-compat-entry-attribute
>>> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
>>> -
>>> add: schema-compat-entry-attribute
>>> schema-compat-entry-attribute:
>>> uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
>>> -
>>>
>>> apply with -
>>>
>>> ldapmodify -x -D "cn=Directory Manager" -f vsphere_groupmod.ldif -W
>>>
>>> However, the following command seemed to freeze -
>>>
>>> ipa permission-mod "System: Read Group Compat Tree" --includedattrs
>>> uniquemember
>>>
>>> and I had to kill it then subsequent ldapsearch commands froze.
>> That's... strange. Looks like a DS bug.
> I tried this on one of the three live servers after using ipa-backup on
> each of them and it completed without hanging so this suggests a problem
> with my test VM rather than a bug.
>
>>
>>> Rebooting the VM seemed to fix things and the groupOfUniqueNames object
>>> class appeared in the schema.
>>>
>>> I'd like to apply this to our live system which uses a master and two
>>> replicas running IPA v4.2.0 on RHEL 7.2.
>>>
>>> Do I need to make the same change to all three servers ?
>> Changes in cn=config needs to be done on all servers as the tree is not
>> replicated. Normal permission changes are replicated (unless the permission is
>> about cn=config tree).
> Yes. I've now spotted that the change is confined to the single live
> server. I'll apply it to the other two when we've got the connectivity
> with Zenoss working.
>>> Can I leave the
>>> replicas connected or do I need to break the replication and
>>> re-establish it?
>> I do not see reason why you would need to break the replication between replicas.
>>
>>> Do I need the "ipa permission-mod" if so then how do I
>>> avoid it freezing ?
>> I think the freeze is a bug, I would try reproducing with the latest and
>> greatest 389-ds-base (I do not know what version you are using), the bug may be
>> already fixed (there were some bugs fixed).
> My test VM is quite old, since it didn't happen on the live server and
> that is more up to date, it suggests either a bug that has been fixed or
> a problem with the test VM.

Ok, thanks for the info. It looks like you are in a "green state" then :-)

Martin

>>
>> And yes, the command is needed, so that the new attribute is allowed to be served.
>>
>> HTH,
>> Martin
>> .
>>
> Thanks
>
> Bob
>

From natxo.asenjo at gmail.com Mon May 30 07:46:40 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Mon, 30 May 2016 09:46:40 +0200
Subject: [Freeipa-users] Install best practice -
In-Reply-To:
References:
Message-ID:

On Mon, May 30, 2016 at 7:14 AM, Ben .T.George wrote:
> Hi
>
> thanks for the reply.
>
> "the easiest would be to create a zone and delegating that to the ipa
> hosts. No other change necessary."
>
> can you explain little more. You mean need to create separate DNS zone ?
>
>

Create a zone in your DNS appliances, unix.example.com.kw (name it what you like). Delegate the DNS management of that zone to the FreeIPA DNS servers/domain controllers. Create glue records so clients can find those servers.

A normal DNS delegated zone, in short.

--
Regards,
natxo

From pspacek at redhat.com Mon May 30 11:43:07 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 30 May 2016 13:43:07 +0200
Subject: [Freeipa-users] dynamic dns working for forward zone but not reverse zone
In-Reply-To: <1464355620.30702.235.camel@interlinx.bc.ca>
References: <1464355620.30702.235.camel@interlinx.bc.ca>
Message-ID: <47f694d2-4351-3c3c-fa13-f63da234c689@redhat.com>

On 27.5.2016 15:27, Brian J. Murrell wrote:
> I have a FreeIPA 4.2.0 on CentOS 7.2. I have dynamic DNS updates
> working for a forward zone but they are failing (NOTAUTH) for a reverse
> zone. Here are configuration of the two zones:
>
> dn: idnsname=example.com.,cn=dns,dc=example,dc=com
> Zone name: example.com.
> Active zone: TRUE
> Authoritative nameserver: server.example.com.
> Administrator e-mail address: hostmaster.example.com.
> SOA serial: 1464354354
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP; grant linux_home_nsupdate wildcard * ANY;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: 10.75.22.1;
> mxrecord: 200 linux
> nsrecord: server.example.com.
> objectclass: idnszone, top, idnsrecord
> txtrecord: "v=spf1 a:server.klug.on.ca"
>
>
> dn: idnsname=0.8.10.in-addr.arpa.,cn=dns,dc=example,dc=com
> Zone name: 0.8.10.in-addr.arpa.
> Active zone: TRUE
> Authoritative nameserver: server.example.com.
> Administrator e-mail address: hostmaster
> SOA serial: 1464354356
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant EXAMPLE.COM krb5-subdomain 0.8.10.in-addr.arpa. PTR; grant linux_home_nsupdate wildcard * ANY;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> nsrecord: server.example.com.
> objectclass: idnszone, top, idnsrecord
>
> Here are example updates to the two zones:
>
> # nsupdate -y linux_home_nsupdate: -d /tmp/fwdupdate
> Creating key...
> namefromtext
> keycreate
> Sending update to 10.75.22.247#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;example.com. IN SOA
>
> ;; UPDATE SECTION:
> chost.example.com. 0 ANY A
> chost.example.com. 60 IN A 10.8.0.2
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355147 300 16 oRoIWfkmmmCKQWj9NrrRDw== 53154 NOERROR 0
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 53154
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;example.com. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355225 300 16 3IVCZr+MjyD75sHr53LEHw== 53154 NOERROR 0
>
>
> # nsupdate -y linux_home_nsupdate: -d /tmp/revupdate
> Creating key...
> namefromtext
> keycreate
> Sending update to 10.75.22.247#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 26720
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.10.8.in-addr.arpa. IN SOA
>
> ;; UPDATE SECTION:
> 2.0.10.8.in-addr.arpa. 0 ANY PTR
> 2.0.10.8.in-addr.arpa. 60 IN PTR chost.example.com.
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355166 300 16 ooWRdNhQ1170LkSjIiCqSA== 26720 NOERROR 0
>
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 26720
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;0.10.8.in-addr.arpa. IN SOA
>
> ;; TSIG PSEUDOSECTION:
> linux_home_nsupdate. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1464355244 300 16 N5Dg0rMokW9sNGGO9BwGNQ== 26720 NOERROR 0
>
> When the first update is done the following is logged by named-pkcs11:
>
> client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': deleting rrset at 'chost.example.com' A
> client 10.75.22.253#51414/key linux_home_nsupdate: updating zone 'example.com/IN': adding an RR at 'chost.example.com' A
>
> Nothing is logged for the second update attempt.
>
> Any ideas why one is working and the other is not?

This is really weird.

Can you query the SOA record from the reverse zone, please?

$ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA

--
Petr^2 Spacek

From pspacek at redhat.com Mon May 30 11:45:40 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 30 May 2016 13:45:40 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1 @ Fedora 24
In-Reply-To: <20160527122848.GA333519@mother.pipebreaker.pl>
References: <20160527122848.GA333519@mother.pipebreaker.pl>
Message-ID:

On 27.5.2016 14:28, Tomasz Torcz wrote:
> Hi,
>
> In my home environment I'm using two-server FreeIPA configuration on Fedora.
> Initially installed on fedora 19 in November 2013, it have been upgraded every
> Fedora release. It generally works OK, but somewhat degrades during operation.
> Recently I've jumped to F24 in hope my problems will be resolved, but they weren't.
> Thus this email and plea for assistance.
>
> In the meantime there was a problem with expired certificates, but it solved
> with the help of rcrit on IRC.
>
> I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called
> kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.
>
> Currently I encounter following main problems:
> 1) named is not servicing all the records from LDAP
> 2) can't login to WebUI on kaitain.pipebreaker.pl
> 3) can't login to WebUI on okda.pipebreaker.pl
> 4) pycparser.lextab/lextab.py/yacctab.py permission errors
>
> More details:
> -----
> ad 1) named problems
> Recently I've added new AAAA host entry to my zone (.pipebreaker.pl). It is
> visible in CLI, but named doesn't resolve it:
>
> $ ipa dnsrecord-find pipebreaker.pl microstation
>   Record name: microstation
>   AAAA record: 2001:6a0:200:d1::2
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> $ host microstation ; host microstation.pipebreaker.pl
> Host microstation not found: 3(NXDOMAIN)
> Host microstation.pipebreaker.pl not found: 3(NXDOMAIN)
>
> Entries added previously resolve fine. I see no errors reported
> in named-pkcs11.service logs.
>
> -----
>
> ad 2) can't login to webui at kaitain
> When I open a WebUI while having valid ticket, I'm shown my user page,
> i.e. https://kaitain.pipebreaker.pl/ipa/ui/#/e/user/details/zdzichu is opened.
> But when I logout from WebUI and try to login as admin, I receive:
>
> The password or username you entered is incorrect.
>
> The password is certainly correct, I can use it for 'kinit admin' successfully.
> /var/log/httpd/error log contains:
>
> [Fri May 27 14:17:37.104341 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] mod_wsgi (pid=1882): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> [Fri May 27 14:17:37.106932 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] Traceback (most recent call last):
> [Fri May 27 14:17:37.106985 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/share/ipa/wsgi.py", line 63, in application
> [Fri May 27 14:17:37.107436 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return api.Backend.wsgi_dispatch(environ, start_response)
> [Fri May 27 14:17:37.107461 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in __call__
> [Fri May 27 14:17:37.107769 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return self.route(environ, start_response)
> [Fri May 27 14:17:37.107786 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
> [Fri May 27 14:17:37.107808 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return app(environ, start_response)
> [Fri May 27 14:17:37.107829 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 943, in __call__
> [Fri May 27 14:17:37.107848 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
> [Fri May 27 14:17:37.107887 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
> [Fri May 27 14:17:37.107918 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     raise CCacheError(message=unicode(e))
> [Fri May 27 14:17:37.136615 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] CCacheError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639107): No credentials cache found
>
> What cache is it talking about? How can I refresh it?
>
> -----
>
>
> ad 3) cannot login to webui on okda
>
> When I go to https://okda.pipebreaker.pl/ipa/ui/ (the other server), I see "Loading..." screen
> for couple of seconds, and afterwards "Gateway timeout" message. Everything
> seems to be running on this server:
>
> root at okda ~$ ipactl status
> WARNING: yacc table file version is out of date
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> There are no logs generated in httpd's error_log during login.
> There are some problems in system log:
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: May 27, 2016 2:25:48 PM org.apache.catalina.core.ContainerBase backgroundProcess
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm at 5ad7c518 background process
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: java.lang.NullPointerException
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at java.lang.Thread.run(Thread.java:745)
>
> as you can see, those logs do not contain any clue what's is wrong.
>
>
> -----
>
> ad 4) pycparser.lextab/lextab.py/yacctab.py permission errors
> I observe following errors in dnskeysyncd logs:
>
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: yacc table file version is out of date
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
>
> Also (related?) error during 'ipactl' invocations:
> $ ipactl status
> WARNING: yacc table file version is out of date
> ...
>
> Warnings appear even after switching SELinux to permissive.
>
>
> Please help me with resolving those problems. What logs should I provide?
> I see no similar issues described at http://www.freeipa.org/page/Troubleshooting

Fedora 24 is broken at the moment so there is nothing you can do before it is fixed & released. Sorry.

--
Petr^2 Spacek

From arthur at deus.pro Mon May 30 12:05:39 2016
From: arthur at deus.pro (Arthur Fayzullin)
Date: Mon, 30 May 2016 17:05:39 +0500
Subject: [Freeipa-users] question about automount config
In-Reply-To:
References: <552e1d8a-1e60-26aa-19eb-a0f02fa6b3bf@deus.pro>
Message-ID: <842ba43d-58ef-adcf-9dad-de382ea0b883@deus.pro>

Thanks! I'll try to debug it in my test environment.

24.05.2016 18:01, Prasun Gera wrote:
> You can stop the autofs daemon, and run it in foreground with
> automount -fvv. Then try to access the mount point in parallel. The
> logs from the foreground run should shed some light. Also, does your
> autofs setup work without kerberos ? As a first step it to work with
> non-kerberised nfs.
>
> On Mon, May 23, 2016 at 11:06 AM, Arthur Fayzullin wrote:
>
>     Good day, colleagues!
>     I am confused about how automount work and howto configure it. I have
>     tried to configure it according to
>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
>     document (paragraph 9.1.1 and chapter 20).
>     I have tried to make it work on 3 servers:
>     1. ipa server;
>     2. nfs server (node00);
>     3. nfs client (postgres).
> > > *** so here how it configured on ipa server: > $ ipa automountlocation-tofiles amantai > /etc/auto.master: > /- /etc/auto.direct > /home /etc/auto.home > --------------------------- > /etc/auto.direct: > --------------------------- > /etc/auto.home: > * -sec=kr5i,rw,fstype=nfs4 node00.glavsn.ab:/home/& > > maps not connected to /etc/auto.master: > > $ ipa service-find nfs > ------------------ > 2 services matched > ------------------ > ????????: nfs/node00.glavsn.ab at GLAVSN.AB > Keytab: True > Managed by: node00.glavsn.ab > > ????????: nfs/postgres.glavsn.ab at GLAVSN.AB > Keytab: True > Managed by: postgres.glavsn.ab > > > *** here is nfs server config: > $ sudo klist -k > ??????: > Keytab name: FILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------------------- > 1 host/node00.glavsn.ab at GLAVSN.AB > 1 host/node00.glavsn.ab at GLAVSN.AB > 1 host/node00.glavsn.ab at GLAVSN.AB > 1 host/node00.glavsn.ab at GLAVSN.AB > 2 nfs/node00.glavsn.ab at GLAVSN.AB > 2 nfs/node00.glavsn.ab at GLAVSN.AB > 2 nfs/node00.glavsn.ab at GLAVSN.AB > 2 nfs/node00.glavsn.ab at GLAVSN.AB > > $ cat /etc/exports > /home *(rw,sec=sys:krb5:krb5i:krb5p) > > $ sudo firewall-cmd --list-all > public (default, active) > interfaces: bridge0 enp1s0 > sources: > services: dhcpv6-client nfs ssh > ports: 8001/tcp > masquerade: no > forward-ports: > icmp-blocks: > rich rules: > > $ getenforce > Enforcing > > > *** here nfs client config: > # klist -k > Keytab name: FILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------------------- > 1 host/postgres.glavsn.ab at GLAVSN.AB > 1 host/postgres.glavsn.ab at GLAVSN.AB > 1 host/postgres.glavsn.ab at GLAVSN.AB > 1 host/postgres.glavsn.ab at GLAVSN.AB > 1 nfs/postgres.glavsn.ab at GLAVSN.AB > 1 nfs/postgres.glavsn.ab at GLAVSN.AB > 1 nfs/postgres.glavsn.ab at GLAVSN.AB > 1 nfs/postgres.glavsn.ab at GLAVSN.AB > > # firewall-cmd --list-all > 
FedoraServer (default, active) > interfaces: ens3 > sources: > services: cockpit dhcpv6-client ssh > ports: > protocols: > masquerade: no > forward-ports: > icmp-blocks: > rich rules: > > # mount -l (contains next string) > auto.home on /home type autofs > (rw,relatime,fd=25,pgrp=960,timeout=300,minproto=5,maxproto=5,indirect) > > # ll /home/afayzullin > ls says that it cannot access /home/afayzullin: no such file or > directory > > I have run > # ipa-client-automount --location=amantai > on client and it has completed successfully. > > I have tried to disable selinux, drop iptables rules. And now I am > a little confused about what to do next. Maybe if someone has faced > automount config they can give me some advice, or if there is any howto on > configuring automount, or someone can advise how to debug this situation? > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From seli.irithyl at gmail.com Mon May 30 12:20:01 2016 From: seli.irithyl at gmail.com (seli irithyl) Date: Mon, 30 May 2016 14:20:01 +0200 Subject: [Freeipa-users] Unable to access to web ui Message-ID: Hi, Since last update, I'm unable to log in to web ui with FF (e.g. blank page) Any idea where to look? Best regards, Seli -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Mon May 30 14:20:29 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 30 May 2016 16:20:29 +0200 Subject: [Freeipa-users] OCSP and CRL in certs for java firefox plugin In-Reply-To: References: <57490019.8000504@redhat.com> Message-ID: <7543eeee-105c-89ca-543a-d43b37b0b9c9@redhat.com> On 05/28/2016 05:30 AM, Prasun Gera wrote: > The problem is that I'm not using ipa for dns. dns is handled externally, and I > don't have admin access. 
I have 1 master and 1 replica, and all the clients are > enrolled with --server=a,--server=b during installation, and I think it works > perfectly fine. Is it possible to instruct ipa to use some alternative for the > certs ? If it's not possible to list multiple uris, even just the master would > be fine. It would at least work when the master is up, which it doesn't right now. ipa-ca.$DOMAIN OCSP/CRL is currently hardcoded in the Certificate Profiles, you would need to edit them with a different value (which may then make FreeIPA upgrades funny). I still think the easiest solution may be to simply request a DNS change in your external DNS and create the ipa-ca DNS record - it is a simple list of IPA CA servers' IP addresses. > Secondly, I'm a bit confused regarding the dns too. This error is on a client > system like my laptop, which is an entirely unrelated system from the ipa > clients. The connection is over the internet. So the dns mapping would have to > be visible globally for my laptop to see it. However, the name of the ipa domain > is not the same as the name of domain in the server addresses. (This > was for some historic reason in NIS, and I didn't change the domain name during > migration). So what ipa is suggesting is something like ipa-ca.abc.com > , whereas all my servers are like server1.pqr.xyz.com > . I don't think it is anyway possible to do this > right now since I don't control abc.com . This feature uses the primary FreeIPA DNS domain, which is derived from its realm. This is the same approach as with AD. If you do not have access to this DNS domain, I expect you will have trouble if you want to for example start using AD Trusts, which expect a working primary DNS domain with proper SRV records (FreeIPA servers can still live in another domain though). 
To summarize, your options seem to be: * Create ipa-ca DNS record in your primary domain * Update the main default certificate profile (present in FreeIPA 4.2+) * Migrate whole FreeIPA deployment to other DNS primary you would control (pqr.xyz.com) - which is a lot of work but may unblock you in future if you want to start the mentioned AD trusts. Martin > On Fri, May 27, 2016 at 10:19 PM, Rob Crittenden > wrote: > > Prasun Gera wrote: > > I've identified the problem. The uris seem to be incorrect. This looks > like some substitution gone wrong. Instead of using the actual ipa > server's address, it points to a generic placeholder type text > (ipa-ca.domain.com > ). Relevant part of the > certificate: > > > A generic name is used in case the server that issued the cert goes away. > Create an entry in DNS for this generic name and things should work as expected. > > rob > > > Authority Information Access: > OCSP - URI:*http://ipa-ca.domain.com/ca/ocsp* > > X509v3 Key Usage: critical > Digital Signature, Non Repudiation, Key Encipherment, > Data Encipherment > X509v3 Extended Key Usage: > TLS Web Server Authentication, TLS Web Client > Authentication > X509v3 CRL Distribution Points: > > Full Name: > URI:*http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin* > > > This is on RHEL 7.2, idm 4.2 btw > > On Fri, May 27, 2016 at 7:22 PM, Prasun Gera > >> wrote: > > It looks like that issue was fixed and the OCSP and CRL uris in the > certs are now http. So I'm not sure why java is complaining. > > On Fri, May 27, 2016 at 7:03 PM, Prasun Gera > >> wrote: > > I've set up a couple of dell idrac card's ssl certs signed by > ipa CA. I've also added the ipa CA to java's trusted CAs. > However, when you try to launch the idrac java console, it will > still show an error that the site is untrusted. Upon clicking on > "more information", the message says that although the cert is > signed by the CA, it cannot verify the revocation status. 
I > found this page > http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs , > which explains potential problems with this since the main ipa > server itself is also using an ssl cert signed by the ipa CA. So > the client cannot verify the revocation if it can't reach the > CA. Is there any solution to this ? Anyone tried this with idrac > cards ? > > > > > > > > > From mkosek at redhat.com Mon May 30 14:23:08 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 30 May 2016 16:23:08 +0200 Subject: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias In-Reply-To: <27123231.2vVFdNkPoa@techz> References: <27123231.2vVFdNkPoa@techz> Message-ID: <7796b209-275b-0dab-7e22-bd1a47e5a960@redhat.com> On 05/29/2016 09:18 AM, Günther J. Niederwimmer wrote: > Hello > I found some help for the IPA certificate but I found no way to import the IPA > CA ? > I would like to create a webserver with an owncloud virtualhost and others.. > > But it is for me not possible to create the /etc/httpd/alias correctly ? > > I found this in IPA DOCS > > certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt > > but with this command line I get an error: /etc/ipa/ca.crt has wrong format ? > > Does anyone have a link with a working example? I have a hard time understanding what the use case is, but it looks like you are looking for information in http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure Martin From mkosek at redhat.com Mon May 30 14:32:31 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 30 May 2016 16:32:31 +0200 Subject: [Freeipa-users] Centos 7.2 ipa-backup failure In-Reply-To: <574B0BC5.2080705@kenbass.com> References: <574B0BC5.2080705@kenbass.com> Message-ID: <084c5c67-cb9b-314c-8325-4cd7ff7d2b25@redhat.com> On 05/29/2016 05:33 PM, Ken Bass wrote: > Today I tried my very first ipa-backup attempt. 
The command reported 'The > ipa-backup command was successful' > > YET I saw: > > /usr/sbin/db2ldif: line 157: 22567 Segmentation fault /usr/sbin/ns-slapd > db2ldif -D /etc/dirsrv/slapd-DOMAIN-NET -n userRoot -a "/var/l > ib/dirsrv/slapd-DOMAIN-NET/ldif/DOMAIN-NET-userRoot.ldif" -r > > I am running Centos 7.2. After googling, I did find - > https://fedorahosted.org/freeipa/ticket/5571 > https://fedorahosted.org/389/ticket/48388 > > How am I supposed to backup this box? I want to run the backup-script nightly > to generate the tarball so I can use another script to back it up along with > other stuff. It is a small system with no replication. > > As a Centos 7.2 user am I just out of luck since it appears the various bugs I > am encountering with this software are not being fixed except in newer versions > of freeipa and sssd which are not available > via the standard repos? Hello Ken, I am sorry to hear about your trouble. The standard way for people with a RHEL subscription is to request a RHEL fix from support, but if you do not have it, you would need to deal with it another way. As this is a DS issue (linked from the FreeIPA ticket), you can try raising awareness in the RHEL-7 product of the 389-ds-base and ask for a backport of this issue to the RHEL-7.2.x stream. Alternatively, projects may have their own CentOS repos where they can publish builds of upcoming releases, like FreeIPA has: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ Martin From mkosek at redhat.com Mon May 30 14:34:34 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 30 May 2016 16:34:34 +0200 Subject: [Freeipa-users] Install best practice - In-Reply-To: References: Message-ID: On 05/29/2016 07:11 PM, Ben .T.George wrote: > Hi > > I would like to know how can I proceed with best practices > > My AD domain is : corp.examle.com.kw > My DNS (appliances ) : kw.test.com > > All my clients are pointed to kw.test.com including AD. > > How can I proceed with Free IPA installation? 
where I need to manage DNS of > freeipa master server? > > > creating a new DNS zone in kw.test.com will be a little bit > difficult. > > which will be the best configuration with minimal changes in existing setup. The best resource for this topic is probably http://www.freeipa.org/page/Deployment_Recommendations#Considerations_for_Active_Directory_integration_on_DNS_level This may be related: http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain Martin From mbasti at redhat.com Mon May 30 14:36:50 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 30 May 2016 16:36:50 +0200 Subject: [Freeipa-users] Unable to access to web ui In-Reply-To: References: Message-ID: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> On 30.05.2016 14:20, seli irithyl wrote: > Hi, > > Since last update, I'm unable to log in to web ui with FF (e.g. blank > page) > Any idea where to look? > > Best regards, > > Seli > > > > > Hello, can you provide the version of freeIPA, firefox. Does it work from a different browser? does it work from private mode? Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Mon May 30 14:46:09 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 30 May 2016 16:46:09 +0200 Subject: [Freeipa-users] Unable to access to web ui In-Reply-To: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> References: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> Message-ID: <576cb80c-a91b-f6e4-f534-ce659afe1df6@redhat.com> On 05/30/2016 04:36 PM, Martin Basti wrote: > > > On 30.05.2016 14:20, seli irithyl wrote: >> Hi, >> >> Since last update, I'm unable to log in to web ui with FF (e.g. blank page) >> Any idea where to look? >> >> Best regards, >> >> Seli >> >> >> >> >> > Hello, > > can you provide the version of freeIPA, firefox. Does it work from a different > browser? does it work from private mode? + does [CTRL]+F5 help? 
Does the advice in http://www.freeipa.org/page/Troubleshooting#Web_UI help? From sbose at redhat.com Mon May 30 15:22:33 2016 From: sbose at redhat.com (Sumit Bose) Date: Mon, 30 May 2016 17:22:33 +0200 Subject: [Freeipa-users] dns location based discovery In-Reply-To: <7ea56741-a81c-3db9-8988-36ae3ed05ddd@dds.nl> References: <7ea56741-a81c-3db9-8988-36ae3ed05ddd@dds.nl> Message-ID: <20160530152233.GT6640@p.Speedport_W_724V_Typ_A_05011603_00_009> On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote: > Hi all, > > The sssd-ipa man page will tell: > > ipa_enable_dns_sites (boolean) > Enables DNS sites - location based service discovery. > > If true and service discovery (see Service Discovery paragraph at > the bottom of the man page) is enabled, then the SSSD will first attempt > location based discovery using a query that contains > "_location.hostname.example.com" and then fall back to traditional SRV > discovery. If the > location based discovery succeeds, the IPA servers located with the > location based discovery are treated as primary servers and the IPA servers > located using the traditional SRV discovery are used as back up > servers > > After enabling it in an EL 6.8 IPA client (together with some debugging) this > will show up in the sssd logging: > > (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] > [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service > 'ldap'. Will use DNS discovery domain '_location.ipa-client-6.blabla.bla' > (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] [resolv_getsrv_send] > (0x0100): Trying to resolve SRV record of > '_ldap._tcp._location.ipa-client-6.blabla.bla' > > Since this option is mentioned in the sssd-ipa man page, it suggests I could > implement this location based service discovery. > > But how? Any documentation on this? How to implement on the server? 
How to > implement a location on the client (while running ipa-client-install) > > Hope someone can help, it would be nice if a client will choose the correct server > based on its location... In this case SSSD was a bit faster than the server side. Please monitor https://fedorahosted.org/freeipa/ticket/2008 for the progress. There is a link to a design page with more details as well. HTH bye, Sumit P.S. I changed the mailing-list address to @redhat.com. > > > Winny > > > From jhrozek at redhat.com Mon May 30 15:54:15 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 30 May 2016 17:54:15 +0200 Subject: [Freeipa-users] dns location based discovery In-Reply-To: <20160530152233.GT6640@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <7ea56741-a81c-3db9-8988-36ae3ed05ddd@dds.nl> <20160530152233.GT6640@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <20160530155415.GC18297@hendrix> On Mon, May 30, 2016 at 05:22:33PM +0200, Sumit Bose wrote: > On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote: > > Hi all, > > > > The sssd-ipa man page will tell: > > > > ipa_enable_dns_sites (boolean) > > Enables DNS sites - location based service discovery. > > > > If true and service discovery (see Service Discovery paragraph at > > the bottom of the man page) is enabled, then the SSSD will first attempt > > location based discovery using a query that contains > > "_location.hostname.example.com" and then fall back to traditional SRV > > discovery. If the > > location based discovery succeeds, the IPA servers located with the > > location based discovery are treated as primary servers and the IPA servers > > 
located using the traditional SRV discovery are used as back up > > servers > > > > After enabling it in an EL 6.8 IPA client (together with some debugging) this > > will show up in the sssd logging: > > > > (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] > > [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service > > 'ldap'. Will use DNS discovery domain '_location.ipa-client-6.blabla.bla' > > (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] [resolv_getsrv_send] > > (0x0100): Trying to resolve SRV record of > > '_ldap._tcp._location.ipa-client-6.blabla.bla' > > > > Since this option is mentioned in the sssd-ipa man page, it suggests I could > > implement this location based service discovery. > > > > But how? Any documentation on this? How to implement on the server? How to > > implement a location on the client (while running ipa-client-install) > > > > Hope someone can help, it would be nice if a client will choose the correct server > > based on its location... > > In this case SSSD was a bit faster than the server side. Please monitor > https://fedorahosted.org/freeipa/ticket/2008 for the progress. There is > a link to a design page with more details as well. > > HTH > > bye, > Sumit > > P.S. I changed the mailing-list address to @redhat.com. btw Winfried, I saw today the case you filed. Please note that for AD users (which is IIRC the majority of your environment), SSSD should already choose the right site. The RFE Sumit linked is 'just' about the IPA side of the equation. From wdh at dds.nl Mon May 30 16:16:23 2016 From: wdh at dds.nl (Winfried de Heiden) Date: Mon, 30 May 2016 18:16:23 +0200 Subject: [Freeipa-users] dns location based discovery In-Reply-To: <20160530155415.GC18297@hendrix> References: <7ea56741-a81c-3db9-8988-36ae3ed05ddd@dds.nl> <20160530152233.GT6640@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160530155415.GC18297@hendrix> Message-ID: <330ebb09-ce59-77a0-65f6-6a1a917ff663@dds.nl> An HTML attachment was scrubbed... 
URL: From mbasti at redhat.com Mon May 30 16:39:10 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 30 May 2016 18:39:10 +0200 Subject: [Freeipa-users] dns location based discovery In-Reply-To: <330ebb09-ce59-77a0-65f6-6a1a917ff663@dds.nl> References: <7ea56741-a81c-3db9-8988-36ae3ed05ddd@dds.nl> <20160530152233.GT6640@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160530155415.GC18297@hendrix> <330ebb09-ce59-77a0-65f6-6a1a917ff663@dds.nl> Message-ID: <745f6efb-e27a-ec4b-b7dd-b48a7b23b2ba@redhat.com> On 30.05.2016 18:16, Winfried de Heiden wrote: > Hi all, > Thanks for the quick answer even though I sent it to the wrong email > address. > About "Please note that for AD users (which is IIRC the majority of > your environment), SSSD should > already choose the right site." I noticed that, but I was curious > about the IPA part as well.... > > Now, it looks like this is going to be an item for IPA 4.4 > (http://www.freeipa.org/page/V4/DNS_Location_Mechanism/) > Will it be? Yes it will be there (unless something very very bad happens) > > IPA 4.4 is announced "the end of May". When can we expect Freeipa 4.4, > I'm curious to test.... Soon :) Martin > > Kind regards, > > Winny > > On 30-05-16 at 17:54, Jakub Hrozek wrote: >> On Mon, May 30, 2016 at 05:22:33PM +0200, Sumit Bose wrote: >>> On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote: >>>> Hi all, >>>> >>>> The sssd-ipa man page will tell: >>>> >>>> ipa_enable_dns_sites (boolean) >>>> Enables DNS sites - location based service discovery. >>>> >>>> If true and service discovery (see Service Discovery paragraph at >>>> the bottom of the man page) is enabled, then the SSSD will first attempt >>>> location based discovery using a query that contains >>>> "_location.hostname.example.com" and then fall back to traditional SRV >>>> discovery. 
If the >>>> location based discovery succeeds, the IPA servers located with the >>>> location based discovery are treated as primary servers and the IPA servers >>>> located using the traditional SRV discovery are used as back up >>>> servers >>>> >>>> After enabling it in an EL 6.8 IPA client (together with some debugging) this >>>> will show up in the sssd logging: >>>> >>>> (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] >>>> [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service >>>> 'ldap'. Will use DNS discovery domain '_location.ipa-client-6.blabla.bla' >>>> (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] [resolv_getsrv_send] >>>> (0x0100): Trying to resolve SRV record of >>>> '_ldap._tcp._location.ipa-client-6.blabla.bla' >>>> >>>> Since this option is mentioned in the sssd-ipa man page, it suggests I could >>>> implement this location based service discovery. >>>> >>>> But how? Any documentation on this? How to implement on the server? How to >>>> implement a location on the client (while running ipa-client-install) >>>> >>>> Hope someone can help, it would be nice if a client will choose the correct server >>>> based on its location... >>> In this case SSSD was a bit faster than the server side. Please monitor >>> https://fedorahosted.org/freeipa/ticket/2008 for the progress. There is >>> a link to a design page with more details as well. >>> >>> HTH >>> >>> bye, >>> Sumit >>> >>> P.S. I changed the mailing-list address to @redhat.com. >> btw Winfried, I saw today the case you filed. Please note that for AD >> users (which is IIRC the majority of your environment), SSSD should >> already choose the right site. The RFE Sumit linked is 'just' about the >> IPA side of the equation. > > > -------------- next part -------------- An HTML attachment was scrubbed... 
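The lookup order that the sssd-ipa(5) text and the debug log in this thread describe, modelled in Python as an added example (not SSSD or FreeIPA code): the client first asks for `_ldap._tcp._location.<client fqdn>`, then for `_ldap._tcp.<ipa domain>`, and servers found only by the second query are kept as backups. The zone contents, host names and the `example.test` domain are constructed; the resolver is passed in as a function so the example runs offline (a real run would pass a dnspython SRV query); and whether the 4.4 server side publishes exactly the `_location.<client fqdn>` name is an assumption taken from the man page wording and the log line, not from the design page.

```python
"""Model of SSSD's location-aware IPA server discovery (ipa_enable_dns_sites).

Added example, not SSSD or FreeIPA code.  Order as in sssd-ipa(5): query
the SRV name under the client's _location label first, then the plain
domain SRV name; servers found by the location query become primaries,
the remaining ones backups.  The resolver is injected so this runs
offline against a constructed zone.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records, rng=None):
    """RFC 2782 ordering: lowest priority first; within one priority pick
    by weighted random selection (rng is seeded so runs are repeatable)."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            threshold = rng.uniform(0, total) if total else 0
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= threshold:
                    break
            ordered.append(rec)
            bucket.remove(rec)
    return ordered


def discover_ipa_servers(client_fqdn, ipa_domain, resolve_srv, dns_sites=True):
    """Return (primary, backup) lists of "host:port" strings.

    resolve_srv(name) must return a list of SrvRecord ([] when the name has
    no SRV data).  With dns_sites=False only the domain-wide lookup is made.
    That is also what happens when nothing publishes the _location name yet
    (the server-side state this thread is about): the first query is empty
    and every server found by the second one is treated as primary.
    """
    located = []
    if dns_sites:
        site_name = f"_ldap._tcp._location.{client_fqdn}"   # assumption: name as in sssd-ipa(5)
        located = [f"{r.target}:{r.port}" for r in order_srv(resolve_srv(site_name))]
    everyone = [f"{r.target}:{r.port}"
                for r in order_srv(resolve_srv(f"_ldap._tcp.{ipa_domain}"))]
    if not located:
        return everyone, []
    backup = [s for s in everyone if s not in located]
    return located, backup


# Constructed zone: what an IPA DNS with a location for client1 might publish.
ZONE = {
    "_ldap._tcp._location.client1.example.test": [
        SrvRecord(0, 100, 389, "ipa-site-a.example.test"),
    ],
    "_ldap._tcp.example.test": [
        SrvRecord(0, 100, 389, "ipa-site-a.example.test"),
        SrvRecord(10, 100, 389, "ipa-site-b.example.test"),
    ],
}


def resolve_from_zone(name):
    return ZONE.get(name, [])


if __name__ == "__main__":
    for host in ("client1.example.test", "client2.example.test"):
        print(host, discover_ipa_servers(host, "example.test", resolve_from_zone))
```

client1 has a location record and gets site A as its only primary with site B as backup; client2 has none, so the fallback list becomes its primaries in SRV priority order, which is what the pre-4.4 log above ends up doing after the `_location` query finds nothing.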
URL: From kbass at kenbass.com Mon May 30 16:57:44 2016 From: kbass at kenbass.com (Ken Bass) Date: Mon, 30 May 2016 12:57:44 -0400 Subject: [Freeipa-users] Centos 7.2 ipa-backup failure In-Reply-To: <084c5c67-cb9b-314c-8325-4cd7ff7d2b25@redhat.com> References: <574B0BC5.2080705@kenbass.com> <084c5c67-cb9b-314c-8325-4cd7ff7d2b25@redhat.com> Message-ID: <574C7108.5010004@kenbass.com> On 05/30/2016 10:32 AM, Martin Kosek wrote: > On 05/29/2016 05:33 PM, Ken Bass wrote: >> Today I tried my very first ipa-backup attempt. The command reported 'The >> ipa-backup command was successful' >> >> YET I saw: >> >> /usr/sbin/db2ldif: line 157: 22567 Segmentation fault /usr/sbin/ns-slapd >> db2ldif -D /etc/dirsrv/slapd-DOMAIN-NET -n userRoot -a "/var/l >> ib/dirsrv/slapd-DOMAIN-NET/ldif/DOMAIN-NET-userRoot.ldif" -r >> >> I am running Centos 7.2. After googling, I did find - >> https://fedorahosted.org/freeipa/ticket/5571 >> https://fedorahosted.org/389/ticket/48388 >> >> How am I supposed to backup this box? I want to run the backup-script nightly >> to generate the tarball so I can use another script to backup it up along with >> other stuff. It is a small system with no replication. >> >> As a Centos 7.2 user am I just out of luck since it appears the various bugs I >> am encountering with this software are not being fixed except in newer versions >> of freeipa and sssd which are not available >> via the standard repos? > Hello Ken, > > I am sorry to hear about your trouble. The standard way for people with RHEL > subscription is to request a RHEL fix from support, but if you do not have it, > you would need to deal with it other way. Correct, I do not have a RHEL subscription. However my justification for using Centos 7.2, rather than Fedora, was that I would be using a production quality product. The same as the 'big guys' so to speak. So when I am running into a bunch of issues it makes me wonder how this stuff got through Q&A in the first place. 
> > As this is a DS issue (linked from FreeIPA ticket), you can try raising > awareness in RHEL-7 product of the 389-ds-base and ask for backport of this > issue to RHEL-7.2.x stream. I don't think it is solely a DS issue. The ipa-backup script is reporting the command successful when something internal is segfaulting. That would seem like someone is not checking a return code in the ipa-backup script. At least the ipa-backup script should be reporting a failure since I assume the backup is incomplete. > Alternatively, projects may have own CentOS repos > where they can publish builds of upcoming releases, like FreeIPA has: > > https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ I had thought about using that, but it warns it is not for production, and with the number of issues I have encountered in the production version, I worry that the copr version would be even worse, and that if there are any issues the response will just be "don't use it for production". Do you know how stable the software being fed to the copr is? While perhaps overkill, I am only using this for 2 boxes with 2 users -- mainly for the 2FA component. I am not doing anything fancy like replication, etc. I had replaced some custom radius server code and openldap stuff with freeIPA since it helped with enrolling tokens via freeOTP and such. The freeIPA is better integrated into sssd than my custom solution (though I had to install sssd from copr due to basic bugs in the sudo 2FA code). 
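A check for the exact failure mode Ken describes, written as an added example and not ipa-backup's own code: `db2ldif` is a shell wrapper around `ns-slapd`, so when `ns-slapd` dies with SIGSEGV the wrapper can still exit 0, and a caller that trusts only the wrapper's exit status reports success. The function below treats three things as failure: death by signal (a negative return code from `subprocess`), a non-zero exit, and a missing or empty output file. The simulated commands and the LDIF file name are constructed stand-ins for the real export step.

```python
"""Added example, not ipa-backup code: report an export step as successful
only when the child exited 0 AND the artifact it was supposed to write
exists.  The failure mode from this thread: /usr/sbin/db2ldif is a shell
wrapper; when the ns-slapd it launches is killed by SIGSEGV the wrapper
itself can still exit 0, and a caller that trusts only that exit status
reports a good backup with a missing or truncated LDIF.
"""
import os
import signal
import subprocess
import tempfile


class BackupStepFailed(RuntimeError):
    pass


def run_export(cmd, output_path, min_bytes=1):
    """Run cmd; raise BackupStepFailed unless it exits 0 and output_path
    exists with at least min_bytes bytes.  Returns the output size."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode < 0:  # killed by a signal; subprocess reports -signum
        sig = signal.Signals(-proc.returncode).name
        raise BackupStepFailed(f"{cmd[0]} killed by {sig}")
    if proc.returncode != 0:
        raise BackupStepFailed(f"{cmd[0]} exited {proc.returncode}: {proc.stderr.strip()}")
    # Exit 0 from a wrapper is not proof the real work happened: also check
    # the artifact the step was supposed to produce.
    try:
        size = os.path.getsize(output_path)
    except FileNotFoundError:
        raise BackupStepFailed(f"{output_path} was not created") from None
    if size < min_bytes:
        raise BackupStepFailed(f"{output_path} is only {size} bytes")
    return size


def demo(kind):
    """Constructed stand-ins for 'ns-slapd db2ldif'.  Returns 'ok' or the
    failure message a correct backup script would have to report."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "userRoot.ldif")
        if kind == "good":
            cmd = ["sh", "-c", f"printf 'dn: dc=example\\n' > '{out}'"]
        elif kind == "direct_segv":
            # the child itself dies by signal: visible as returncode -11
            cmd = ["sh", "-c", "kill -s SEGV $$"]
        else:  # "masked_segv": a wrapper swallows the inner crash and exits 0
            cmd = ["sh", "-c", "sh -c 'kill -s SEGV $$'; true"]
        try:
            run_export(cmd, out)
            return "ok"
        except BackupStepFailed as exc:
            return str(exc)


if __name__ == "__main__":
    for kind in ("good", "direct_segv", "masked_segv"):
        print(f"{kind:12} -> {demo(kind)}")
```

The `masked_segv` case is the one from the thread: the wrapper's status is 0, so only the check on the output file catches it. For a nightly job the same idea applies one level up: verify the tarball `ipa-backup` writes contains the LDIF files you expect before letting the job report success.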
From wdh at dds.nl Mon May 30 18:58:03 2016 From: wdh at dds.nl (Winfried de Heiden) Date: Mon, 30 May 2016 20:58:03 +0200 Subject: [Freeipa-users] dns location based discovery In-Reply-To: <745f6efb-e27a-ec4b-b7dd-b48a7b23b2ba@redhat.com> References: <7ea56741-a81c-3db9-8988-36ae3ed05ddd@dds.nl> <20160530152233.GT6640@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160530155415.GC18297@hendrix> <330ebb09-ce59-77a0-65f6-6a1a917ff663@dds.nl> <745f6efb-e27a-ec4b-b7dd-b48a7b23b2ba@redhat.com> Message-ID: <83668928-b8c8-ec19-f88e-7752dbbc7aa7@dds.nl> An HTML attachment was scrubbed... URL: From prasun.gera at gmail.com Mon May 30 20:53:00 2016 From: prasun.gera at gmail.com (Prasun Gera) Date: Mon, 30 May 2016 16:53:00 -0400 Subject: [Freeipa-users] OCSP and CRL in certs for java firefox plugin In-Reply-To: <7543eeee-105c-89ca-543a-d43b37b0b9c9@redhat.com> References: <57490019.8000504@redhat.com> <7543eeee-105c-89ca-543a-d43b37b0b9c9@redhat.com> Message-ID: > > > To summarize, your options seem to be: > * Create ipa-ca DNS record in your primary domain > * Update the main default certificate profile (present in FreeIPA 4.2+) > * Migrate whole FreeIPA deployment to other DNS primary you would control > (pqr.xyz.com) - which is a lot of work but may unblock you in future if > you > want to start the mentioned AD trusts. > > Martin > Thanks Martin for the suggestions. In the short term, updating the external will probably not work. Eventually, migration to a domain that I can control will be a better idea, but that will involve a lot more work. Is there any documentation on doing the migration ? My deployment is actually fairly simple right now. We just use it internally for our small lab, mostly as a replacement for NIS. No AD or windows machines. Hence, I didn't bother with a lot of complex dns stuff to begin with. I guess, the only thing we need to preserve is usernames, groups and passwords in the migration. 
Regarding your second point, how do I go about updating the cert profile ? Is there any documentation ? If this is not a standard feature, do you think I should open an RFE ? Also, I'm surprised that nothing broke yet despite the OCSP/CRL stuff not working ever. Isn't this important security-wise? Yet, browsers don't seem to complain by default for https certs once the CA is trusted. Only the java plugin brought this to my attention. > > > On Fri, May 27, 2016 at 10:19 PM, Rob Crittenden > > wrote: > > > > Prasun Gera wrote: > > > > I've identified the problem. The uris seem to be incorrect. This > looks > > like some substitution gone wrong. Instead of using the actual > ipa > > server's address, it points to a generic placeholder type text > > (ipa-ca.domain.com > > ). Relevant part of the > > certificate: > > > > > > A generic name is used in case the server that issued the cert goes > away. > > Create an entry in DNS for this generic name and things should work > as expected. > > > > rob > > > > > > Authority Information Access: > > OCSP - URI:*http://ipa-ca.domain.com/ca/ocsp* > > > > X509v3 Key Usage: critical > > Digital Signature, Non Repudiation, Key > Encipherment, > > Data Encipherment > > X509v3 Extended Key Usage: > > TLS Web Server Authentication, TLS Web Client > > Authentication > > X509v3 CRL Distribution Points: > > > > Full Name: > > URI:* > http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin* > > > > > > This is on RHEL 7.2, idm 4.2 btw > > > > On Fri, May 27, 2016 at 7:22 PM, Prasun Gera < > prasun.gera at gmail.com > > > > >> > wrote: > > > > It looks like that issue was fixed and the OCSP and CRL > uris in the > > certs are now http. So I'm not sure why java is complaining. > > > > On Fri, May 27, 2016 at 7:03 PM, Prasun Gera < > prasun.gera at gmail.com > > > > >> > wrote: > > > > I've set up a couple of dell idrac card's ssl certs > signed by > > ipa CA. I've also added the ipa CA to java's trusted > CAs. 
> > However, when you try to launch the idrac java console, > it will > > still show an error that the site is untrusted. Upon > clicking on > > "more information", the message says that although the > cert is > > signed by the CA, it cannot verify the revocation > status. I > > found this page > > http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs , > > which explains potential problems with this since the > main ipa > > server itself is also using an ssl cert signed by the > ipa CA. So > > the client cannot verify the revocation if it can't > reach the > > CA. Is there any solution to this ? Anyone tried this > with idrac > > cards ? > > > > > > > > > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Tue May 31 06:48:17 2016 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 31 May 2016 08:48:17 +0200 Subject: [Freeipa-users] Centos 7.2 ipa-backup failure In-Reply-To: <574C7108.5010004@kenbass.com> References: <574B0BC5.2080705@kenbass.com> <084c5c67-cb9b-314c-8325-4cd7ff7d2b25@redhat.com> <574C7108.5010004@kenbass.com> Message-ID: <4f493959-802c-91d6-8ac1-a012f95ab439@redhat.com> On 05/30/2016 06:57 PM, Ken Bass wrote: > On 05/30/2016 10:32 AM, Martin Kosek wrote: >> On 05/29/2016 05:33 PM, Ken Bass wrote: >>> Today I tried my very first ipa-backup attempt. The command reported 'The >>> ipa-backup command was successful' >>> >>> YET I saw: >>> >>> /usr/sbin/db2ldif: line 157: 22567 Segmentation fault /usr/sbin/ns-slapd >>> db2ldif -D /etc/dirsrv/slapd-DOMAIN-NET -n userRoot -a "/var/l >>> ib/dirsrv/slapd-DOMAIN-NET/ldif/DOMAIN-NET-userRoot.ldif" -r >>> >>> I am running Centos 7.2. After googling, I did find - >>> https://fedorahosted.org/freeipa/ticket/5571 >>> https://fedorahosted.org/389/ticket/48388 >>> >>> How am I supposed to backup this box? 
I want to run the backup-script nightly >>> to generate the tarball so I can use another script to back it up along with >>> other stuff. It is a small system with no replication. >>> >>> As a Centos 7.2 user am I just out of luck since it appears the various bugs I >>> am encountering with this software are not being fixed except in newer versions >>> of freeipa and sssd which are not available >>> via the standard repos? >> Hello Ken, >> >> I am sorry to hear about your trouble. The standard way for people with a RHEL >> subscription is to request a RHEL fix from support, but if you do not have it, >> you would need to deal with it another way. > Correct, I do not have a RHEL subscription. However my justification for using > Centos 7.2, rather than Fedora, > was that I would be using a production quality product. The same as the 'big > guys' so to speak. Right. > So when I am running into > a bunch of issues it makes me wonder how this stuff got through Q&A in the > first place. You obviously must be hitting some scenario or have a configuration environment that was not tested. Filing a RHEL Bug should help also to ensure that this scenario is tested. >> As this is a DS issue (linked from FreeIPA ticket), you can try raising >> awareness in RHEL-7 product of the 389-ds-base and ask for backport of this >> issue to RHEL-7.2.x stream. > > I don't think it is solely a DS issue. The ipa-backup script is reporting > the command successful when something internal is segfaulting. > That would seem like someone is not checking a return code in the ipa-backup > script. At least the ipa-backup script should be reporting a failure since I > assume the backup is incomplete. That *is* a good point and is worth filing an upstream ticket https://fedorahosted.org/freeipa/newticket If you can also help FreeIPA with a code contribution, it would help the project immensely as there are lots of tickets... 
>> Alternatively, projects may have own CentOS repos >> where they can publish builds of upcoming releases, like FreeIPA has: >> >> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ > > I had thought about using that, but it warns it is not for production, and with > the number of issues I have encountered in the production > version, I worry that the copr version would be even worse, and that if there > are any issues the response will just be don't use it for production. It is true that these packages are provided as builds of FreeIPA upstream project, with "community support", i.e. this mailing list and voluntary based help. RHEL is officially QE'd and supported, so the base CentOS packages should be more stable, yes - though with lower amount of updates, given the QE and support related processes. It is a trade-off as usual. > Do you know how stable the software being fed to the copr is? While perhaps > overkill, I am only using this for 2 boxes with 2 users -- mainly for the 2FA > component. I am not doing anything > fancy like replication, etc. I had replaced some custom radius server code and > openldap stuff with freeIPA since it helped with enrolling tokens via freeOTP > and such. The freeIPA is better > integrated into sssd than my custom solution (though I had to install sssd from > copr due to basic bugs in the sudo 2FA code). It is hard to quantify stability, so I would go with "more stable than git builds as it goes through Upstream QE test suite, less stable than RHEL bits - that are production ready". 
Martin

From mkosek at redhat.com  Tue May 31 06:53:05 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 31 May 2016 08:53:05 +0200
Subject: [Freeipa-users] OCSP and CRL in certs for java firefox plugin
In-Reply-To:
References: <57490019.8000504@redhat.com> <7543eeee-105c-89ca-543a-d43b37b0b9c9@redhat.com>
Message-ID:

On 05/30/2016 10:53 PM, Prasun Gera wrote:
>> To summarize, your options seem to be:
>> * Create ipa-ca DNS record in your primary domain
>> * Update the main default certificate profile (present in FreeIPA 4.2+)
>> * Migrate whole FreeIPA deployment to other DNS primary you would control
>> (pqr.xyz.com) - which is a lot of work but may unblock you in future if you
>> want to start the mentioned AD trusts.
>>
>> Martin
>
> Thanks Martin for the suggestions. In the short term, updating the external will
> probably not work. Eventually, migration to a domain that I can control will be
> a better idea, but that will involve a lot more work. Is there any documentation
> on doing the migration ? My deployment is actually fairly simple right now. We
> just use it internally for our small lab, mostly as a replacement for NIS. No AD
> or windows machines. Hence, I didn't bother with a lot of complex dns stuff to
> begin with. I guess, the only thing we need to preserve is usernames, groups and
> passwords in the migration.

If you use only users, groups and passwords, the migration may actually not be
that painful as you can migrate with "ipa migrate-ds" command as advised in
http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
and then enrolling your clients with the new FreeIPA realm. We have a RFE for a
more complete migration tracked https://fedorahosted.org/freeipa/ticket/3656
that was being worked on as a thesis.

> Regarding your second point, how do I go about updating the cert profile ? Is
> there any documentation ? If this is not a standard feature, do you think I
> should open an RFE ?
Certificate Profiles is a standard feature in FreeIPA 4.2+. Profile edit is not
that straightforward, but if you download current one for the profile, you
should be able to figure out what line to edit (and then you just upload the
profile again).

> Also, I'm surprised that nothing broke yet despite the OCSP/CRL stuff not
> working ever. Isn't this important security-wise? Yet, browsers don't seem to
> complain by default for https certs once the CA is trusted. Only the java plugin
> brought this to my attention.

Yeah, browsers generally do not care about CRL/OCSP unless explicitly enabled. I
know that at least Firefox has a setting to always check for certificate
validity.

> On Fri, May 27, 2016 at 10:19 PM, Rob Crittenden wrote:
>
>> Prasun Gera wrote:
>>
>>> I've identified the problem. The uris seem to be incorrect. This looks
>>> like some substitution gone wrong. Instead of using the actual ipa
>>> server's address, it points to a generic placeholder type text
>>> (ipa-ca.domain.com). Relevant part of the certificate:
>>
>> A generic name is used in case the server that issued the cert goes away.
>> Create an entry in DNS for this generic name and things should work as
>> expected.
>>
>> rob
>>
>>>             Authority Information Access:
>>>                 OCSP - URI:http://ipa-ca.domain.com/ca/ocsp
>>>
>>>             X509v3 Key Usage: critical
>>>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>>>             X509v3 Extended Key Usage:
>>>                 TLS Web Server Authentication, TLS Web Client Authentication
>>>             X509v3 CRL Distribution Points:
>>>
>>>                 Full Name:
>>>                   URI:http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin
>>>
>>> This is on RHEL 7.2, idm 4.2 btw
>>>
>>> On Fri, May 27, 2016 at 7:22 PM, Prasun Gera wrote:
>>>
>>>> It looks like that issue was fixed and the OCSP and CRL uris in the
>>>> certs are now http. So I'm not sure why java is complaining.
>>>> On Fri, May 27, 2016 at 7:03 PM, Prasun Gera wrote:
>>>>
>>>>> I've set up a couple of dell idrac card's ssl certs signed by
>>>>> ipa CA. I've also added the ipa CA to java's trusted CAs.
>>>>> However, when you try to launch the idrac java console, it will
>>>>> still show an error that the site is untrusted. Upon clicking on
>>>>> "more information", the message says that although the cert is
>>>>> signed by the CA, it cannot verify the revocation status. I
>>>>> found this page
>>>>> http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs ,
>>>>> which explains potential problems with this since the main ipa
>>>>> server itself is also using an ssl cert signed by the ipa CA. So
>>>>> the client cannot verify the revocation if it can't reach the
>>>>> CA. Is there any solution to this ? Anyone tried this with idrac
>>>>> cards ?

From tba at statsbiblioteket.dk  Tue May 31 09:19:12 2016
From: tba at statsbiblioteket.dk (Tony Brian Albers)
Date: Tue, 31 May 2016 09:19:12 +0000
Subject: [Freeipa-users] Sudo ALL rule
Message-ID: <1464686352.12900.8.camel@statsbiblioteket.dk>

Hi guys,

I'm implementing FreeIPA to authenticate users on a small HPC cluster
here. For a few of these I need a sudo rule that in essence does the
same as the standard ALL(ALL) rule. How do I implement that in FreeIPA?

I've found some links/guides on the net, but they don't seem appropriate
for our version, 4.2.0

Any help is appreciated.

/tony

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

From brian at interlinx.bc.ca  Tue May 31 10:50:05 2016
From: brian at interlinx.bc.ca (Brian J. Murrell)
Date: Tue, 31 May 2016 06:50:05 -0400
Subject: [Freeipa-users] dynamic dns working for forward zone but not reverse zone
In-Reply-To: <47f694d2-4351-3c3c-fa13-f63da234c689@redhat.com>
References: <1464355620.30702.235.camel@interlinx.bc.ca> <47f694d2-4351-3c3c-fa13-f63da234c689@redhat.com>
Message-ID: <1464691805.30702.372.camel@interlinx.bc.ca>

On Mon, 2016-05-30 at 13:43 +0200, Petr Spacek wrote:
>
> Can you query the SOA record from the reverse zone, please?
>
> $ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA

Ahhh. That's the problem. The subnet is 10.8.0.0/24 so the query should be for
0.8.10.in-addr.arpa.

Sometimes it just takes a fresh set of eyes to stop seeing what we want to see
and see what's really there. Thanks for being those eyes for me.

Cheers,
b.

From pbrezina at redhat.com  Tue May 31 12:37:37 2016
From: pbrezina at redhat.com (Pavel Březina)
Date: Tue, 31 May 2016 14:37:37 +0200
Subject: [Freeipa-users] Sudo ALL rule
In-Reply-To: <1464686352.12900.8.camel@statsbiblioteket.dk>
References: <1464686352.12900.8.camel@statsbiblioteket.dk>
Message-ID: <574D8591.20804@redhat.com>

On 05/31/2016 11:19 AM, Tony Brian Albers wrote:
> Hi guys,
>
> I'm implementing FreeIPA to authenticate users on a small HPC cluster
> here. For a few of these I need a sudo rule that in essence does the
> same as the standard ALL(ALL) rule. How do I implement that in FreeIPA?
>
> I've found some links/guides on the net, but they don't seem appropriate
> for our version, 4.2.0
>
> Any help is appreciated.
>
> /tony

Hi, the IPA alternative to keyword all is category "all".
The following command should do what you want:

$ ipa sudorule-add allow-all --usercat=all --hostcat=all --cmdcat=all

From rcritten at redhat.com  Tue May 31 15:06:09 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 31 May 2016 11:06:09 -0400
Subject: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
In-Reply-To: <27123231.2vVFdNkPoa@techz>
References: <27123231.2vVFdNkPoa@techz>
Message-ID: <574DA861.9000702@redhat.com>

Günther J. Niederwimmer wrote:
> Hello
> I found any Help for the IPA Certificate but I found no way to import the IPA
> CA ?
> I like to create a webserver with a owncloud virtualhost and other..
>
> But it is for me not possible to create the /etc/httpd/alias correct ?
>
> I found this in IPC DOCS
>
> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>
> but with this command line I have an Error /etc/ipa/ca.crt have wrong format ?
>
> Have any a link with a working example

Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled clients
so the documentation is written from that perspective. You can grab a copy from
any enrolled system, including an IPA Master.

Otherwise the command looks ok assuming you were sitting in /etc/httpd/alias
when the command was executed (-d .).

rob

From rcritten at redhat.com  Tue May 31 15:10:13 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 31 May 2016 11:10:13 -0400
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To:
References: <57486A9E.2050909@redhat.com>
Message-ID: <574DA955.2030004@redhat.com>

Kay Zhou Y wrote:
> Hi Rob,
>
> Thanks for your reply.
>
> And about your suggestion, actually I have done it. but it just renewed the
> two 389-ds certs and Apache certs.
> Since the ipaCert and subsystem certs are expired at 20140624, so I must roll
> back time before it. then begin to renew, but after I done this:
>
> "Let's force renewal on all of the certificates:
> # for line in `getcert list | grep Request | cut -d "'" -f2`; do getcert resubmit -i $line; done
> ..."
>
> According to the wiki (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal),
> the CA subsystem certificates will be renewed. But it did not.

Ok, what state are the certificates in? When you go back in time are you
restarting the pki-cad service before attempting to do the renewal?

> Finally after I finish all action mentioned in the wiki page, I still can't
> renew ipaCert and other four CA subsystem certificates.
> And the two 389-ds and apache certs will still expire after the date 20160623
> (expire date of ipaCert 20140624 + two years).
>
> If there is any other guide or doc about the ipaCert and CA subsystem
> certificates?

Not really for IPA 2.x

rob

> Thanks a lot for your support!
>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, May 27, 2016 11:41 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi,
>>
>> This is Kay.
>>
>> I am not sure if the email address is correct, and I really
>> appreciate if there is any help for my issue. it's baffling for few
>> days, and the expire date is coming soon..
>>
>> There is a IPA 2.2 environment, and three "Server-Cert" (two 389-ds and
>> the Apache certs) will be expired at 2016-06-05 22:03:17 UTC.
>>
>> Two years ago, these certs were renewed by other guys according to
>> this
>> document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> and it was successful then the certificates has been renewed until 20160605.
>>
>> But recently I want to renew it again since the expire date is coming.
>> Then I follow the above guide, however things not go well.
> The problem looks to be because the IPA RA cert (ipaCert) isn't matching what
> dogtag expects. See the wiki page starting at
>
> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>
> You'll want to be sure that description correctly matches the certificate in
> the Apache database and confirm that the usercertificate value in LDAP matches
> the cert being presented.
>
> rob
>
>> As below, it's the 8 certs which certmonger are tracking:
>>
>> root at ecnshlx3039-test2(SH):~ #getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20120704140859':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>         track: yes
>>         auto-renew: yes
>> Request ID '20120704140922':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20120704141150':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140605220249':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=IPA RA,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:50 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075219':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=CA Audit,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:42 UTC
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075220':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-OCSPSigning
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075221':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=CA Subsystem,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075222':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> Follow all the steps in the guide, the result is just first three
>> certificates are renewed to 20160622 if I set system time to
>> 20140623 (which the four CA subsystem certs and CA cert are valid).
>>
>> But other five are not renewed at all (the four CA subsystem certs and
>> CA cert). there is no error information during these steps.
>>
>> I google a lot but still found nothing could resolve it. and then I
>> found there was a similar thread:
>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>
>> But unfortunately the solution is not available for my issue either.
>>
>> Since I am not familiar with Freeipa, so it bothers me so much.
>>
>> Any help will be really appreciated. Thanks in advance!
>>
>> Thanks,
>>
>> BR//Kay

From michael.rainey.ctr at nrlssc.navy.mil  Tue May 31 15:36:52 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Tue, 31 May 2016 10:36:52 -0500
Subject: [Freeipa-users] FreeIPA4.2: Recovering from an IPA master server failure
Message-ID:

Greetings community,

I've run into an interesting problem which may be old hat to all of you. I was
working to bring down my IPA master server and did it improperly.
It was a rookie mistake, but I'm willing to view it as an exercise in recovering
from a massive system failure. The original master server is gone with no way of
recovering and I have managed to replace the server by promoting one of my
replicas, but I find myself in a situation where I cannot remove the original
master server from the LDAP directory. It is still seen as a master server and
the webUI will not let me delete the system from directory server. Is there a
process somewhere that will walk me through demoting the old server so I can
delete it from the directory and officially promote its replacement? For
reference, I followed the steps located at this link.

Centos 7.2 / freeIPA 4.2

Your help is greatly appreciated.

-- 
Michael Rainey

From wdh at dds.nl  Tue May 31 15:41:17 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Tue, 31 May 2016 17:41:17 +0200
Subject: [Freeipa-users] dns location based discovery
In-Reply-To: <745f6efb-e27a-ec4b-b7dd-b48a7b23b2ba@redhat.com>
References: <7ea56741-a81c-3db9-8988-36ae3ed05ddd@dds.nl> <20160530152233.GT6640@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160530155415.GC18297@hendrix> <330ebb09-ce59-77a0-65f6-6a1a917ff663@dds.nl> <745f6efb-e27a-ec4b-b7dd-b48a7b23b2ba@redhat.com>
Message-ID: <031afa1e-e640-68c2-d198-ec2902577f13@dds.nl>

An HTML attachment was scrubbed...
URL:
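Editor's added example for the ipa-backup thread above (Ken's point that the script reports success while a component segfaults): a nightly wrapper in POSIX sh that inspects every step's exit status, reports signal deaths, and discards a tarball it cannot read. This is illustrative code written here, not ipa-backup's or FreeIPA's; the function names are hypothetical and it assumes only tar and mktemp are available.

```shell
#!/bin/sh
# Added example, not ipa-backup's code: a nightly backup wrapper that only
# reports success when every step exited 0 and the tarball is readable.
# The thread's complaint is a script printing success while a component
# segfaulted; that happens when exit statuses are never inspected.

# run_step NAME CMD... -> runs CMD and returns its exit status. A status
# above 128 means the process died from signal (status - 128), e.g.
# 139 = 128 + SIGSEGV(11); such deaths are reported instead of ignored.
run_step() {
    name=$1; shift
    "$@"
    rc=$?
    if [ "$rc" -gt 128 ]; then
        echo "$name: killed by signal $((rc - 128)) (exit status $rc)" >&2
    elif [ "$rc" -ne 0 ]; then
        echo "$name: failed with exit status $rc" >&2
    fi
    return "$rc"
}

# verify_tarball FILE -> 0 only if FILE exists, is non-empty and tar can
# list it; a truncated archive left by a crashed step fails here.
verify_tarball() {
    [ -s "$1" ] || { echo "verify_tarball: $1 missing or empty" >&2; return 1; }
    tar -tf "$1" >/dev/null 2>&1 ||
        { echo "verify_tarball: $1 is not a readable tar archive" >&2; return 1; }
}

# nightly_backup SRC_DIR OUT_TAR -> archives SRC_DIR; on any failure the
# partial output is removed so a bad tarball never looks like a good backup.
nightly_backup() {
    src=$1; out=$2
    if run_step "archive" tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")" &&
       run_step "verify" verify_tarball "$out"; then
        echo "backup of $src written to $out"
        return 0
    fi
    rm -f "$out"
    echo "backup of $src FAILED; $out removed" >&2
    return 1
}

# Demo on constructed data in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/src" && echo "sample data" > "$demo/src/file"
nightly_backup "$demo/src" "$demo/good.tar"
# A step that dies by SIGSEGV is reported as such, not swallowed.
run_step "crashing-step" sh -c 'kill -SEGV $$'
echo "crashing step exited with status $?"
rm -rf "$demo"
```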
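Editor's added example for the reverse-zone thread above (Petr Spacek and Brian Murrell), where the SOA query named 0.10.8.in-addr.arpa for the 10.8.0.0/24 subnet instead of 0.8.10.in-addr.arpa: a small POSIX sh helper that derives the in-addr.arpa zone from the CIDR and checks a hand-typed name against it. This is not code from the list or from FreeIPA; the function names are hypothetical and only octet-aligned prefixes (/8, /16, /24) are handled.

```shell
#!/bin/sh
# Added example (not from the list thread): build the in-addr.arpa zone name
# for an IPv4 subnet before querying its SOA, so the octet order cannot be
# mixed up. The thread queried 0.10.8.in-addr.arpa for 10.8.0.0/24; the
# correct zone reverses the network octets: 0.8.10.in-addr.arpa.

# reverse_zone CIDR -> prints the reverse zone (with trailing dot) for a
# /8, /16 or /24 network. Prefixes off an octet boundary return 1, because
# such zones follow the RFC 2317 classless delegation scheme instead.
reverse_zone() {
    net=${1%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=24   # no prefix given: assume /24 (assumption)
    case "$net" in
        *.*.*.*) ;;
        *) echo "reverse_zone: '$net' is not a dotted-quad address" >&2; return 1 ;;
    esac
    o1=${net%%.*}; rest=${net#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    case "$plen" in
        8)  echo "$o1.in-addr.arpa." ;;
        16) echo "$o2.$o1.in-addr.arpa." ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa." ;;
        *)  echo "reverse_zone: /$plen is not on an octet boundary" >&2; return 1 ;;
    esac
}

# check_zone_name CIDR NAME -> 0 when NAME (with or without trailing dot) is
# the reverse zone for CIDR; use it to sanity-check a hand-typed zone name.
check_zone_name() {
    want=$(reverse_zone "$1") || return 2
    [ "${2%.}." = "$want" ]
}

# soa_query SERVER CIDR -> prints the dig command line for the zone's SOA
soa_query() {
    zone=$(reverse_zone "$2") || return 1
    echo "dig @$1 $zone SOA"
}

# Demo with the thread's values: the mistaken name is rejected and the
# correct query line is printed.
check_zone_name 10.8.0.0/24 0.10.8.in-addr.arpa. ||
    echo "0.10.8.in-addr.arpa. is not the reverse zone for 10.8.0.0/24"
soa_query 10.75.22.247 10.8.0.0/24
```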