[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

Sean Hogan schogan at us.ibm.com
Thu Nov 17 16:04:50 UTC 2016


Hi Robert,

No, I did not cut it off... there was no reason listed... that was the last
line about the issue.

I did find this to be my issue, however:
https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat guys
see if they can pull the new selinux policy packages, as I do not see them
available right now for my boxes.

[root at server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root
auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received
setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root
hostname=? addr=? terminal=?'
----
type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0
name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64
syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK a2=0x4000
a3=0xfffffffffffff8e8 items=1 ppid=1 pid=2875 auid=unset uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=certmonger exe=/usr/sbin/certmonger
subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc:  denied  { write }
for  pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
----
type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0
name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644
ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0
objtype=NORMAL
type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64
syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180
a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=certmonger exe=/usr/sbin/certmonger
subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc:  denied  { write }
for  pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
scontext=system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

[root at server2 log]# rpm -qf /etc/ipa/nssdb
ipa-python-4.1.0-18.el7_1.4.x86_64



Encryption types... thanks for the command... good to know, but I hate seeing
the arcfour and des options as I know DISA will not like that.

[root at ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local> with scope baseObject
# filter: (objectclass=*)
# requesting: krbSupportedEncSaltTypes
#

# IPA.LOCAL, kerberos, ipa.local
dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1




Sean Hogan





From:	Rob Crittenden <rcritten at redhat.com>
To:	Sean Hogan/Durham/IBM at IBMUS, Jakub Hrozek <jhrozek at redhat.com>
Cc:	freeipa-users at redhat.com, Martin Babinsky <mbabinsk at redhat.com>
Date:	11/17/2016 07:59 AM
Subject:	Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server



Sean Hogan wrote:
> Hi Jakub,
>
> I ended up re-enrolling the box and it is behaving as expected except I
> am not getting a host cert. Robert indicated auto host cert no longer
> avail with rhel 7 but using the --request-cert option on enroll to get
> a host cert if I wanted one. I did so and get this in the install log
>
>
> *2016-11-16T22:00:53Z DEBUG Starting external process*
> *2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active'
> 'certmonger.service'*
> *2016-11-16T22:00:53Z DEBUG Process finished, return code=0*
> *2016-11-16T22:00:53Z DEBUG stdout=active*
>
> *2016-11-16T22:00:53Z DEBUG stderr=*
> *2016-11-16T22:00:53Z ERROR certmonger request for host certificate
failed*

Did you cut off the reason reported for the request failing?

> Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x)
> IPA server?

You could look in the server logs for details.

> As for crypto on RHEL 6 IPA I have (if this is what you looking for).
> However this is modified version as it took me a while to get this list
> to pass tenable scans by modding the dse files.
> [root at ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

These are the TLS settings for LDAP, not the Kerberos encryption types
supported. You instead want to run:

$ ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes

rob
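
Two checks that follow from this thread, as an added example and not code from the thread or from FreeIPA: one parses wrapped `ausearch -i` output into the certmonger_t -> etc_t denials Sean pasted, and the other flags the deprecated enctypes in the krbSupportedEncSaltTypes answer Rob asked for. Both sample inputs below are constructed to match the shape of the output quoted above.

```python
import re

# Constructed sample modelled on the ausearch -i output quoted in the thread:
# records are separated by "----" and lines are wrapped as they were in the mail.
SAMPLE_AUSEARCH = """\
----
type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc:  denied  { write }
for  pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676
scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir
----
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc:  denied  { write }
for  pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680
scontext=system_u:system_r:certmonger_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}\s+for\s.*?comm=(?P<comm>\S+).*?"
    r"name=(?P<name>\S+).*?scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+)"
    r".*?tclass=(?P<tclass>\S+)")

def parse_avc_denials(text):
    # Join each record's wrapped lines first, then pull out the process, the
    # target object, the denied permissions and the source/target SELinux types.
    denials = []
    for record in text.split("----"):
        joined = " ".join(record.split())
        for m in AVC_RE.finditer(joined):
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["stype"] = d["sctx"].split(":")[2]   # e.g. certmonger_t
            d["ttype"] = d["tctx"].split(":")[2]   # e.g. etc_t (the mislabel)
            denials.append(d)
    return denials

# Constructed LDIF excerpt in the shape of the krbSupportedEncSaltTypes query.
SAMPLE_LDIF = """\
dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
"""

def weak_enc_salt_types(ldif):
    # Flag DES (RFC 6649), 3DES and RC4/arcfour (RFC 8429) enc:salt pairs.
    weak = []
    for line in ldif.splitlines():
        if line.startswith("krbSupportedEncSaltTypes:"):
            pair = line.split(":", 1)[1].strip()
            if pair.split(":")[0].startswith(("des", "arcfour", "rc4")):
                weak.append(pair)
    return weak
```

Feed `parse_avc_denials` the saved `ausearch -i` output and `weak_enc_salt_types` the LDIF from the ldapsearch command to get a machine-checkable list of both the policy denials and the enctypes a scanner will object to.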


