[Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

Sean Hogan schogan at us.ibm.com
Thu Nov 17 20:19:44 UTC 2016


Hi Guys..

Sorry to bug you again. So it looks like the SELinux packages are not
backported to 7.1, as I only have selinux-policy-3.13.1-23.el7_1.21.noarch as an
option.

Setting the contexts manually on /etc/ipa/nssdb:

Original:
[root@server2 ipa]# ls -dZ nssdb
drwxr-xr-x. root root system_u:object_r:etc_t:s0       nssdb

Set to:
[root@server2 ipa]# semanage fcontext -a -t cert_t "/etc/ipa/nssdb(/.*)?"
[root@server2 ~]# restorecon -FvvR /etc/ipa/nssdb/

Check for change:
[root@server2 ~]# ls -dZ /etc/ipa/nssdb
drwxr-xr-x. root root system_u:object_r:cert_t:s0      /etc/ipa/nssdb

I did this and re-enrolled the box again, but there is still no host cert
showing in IPA. However, I do get a result now from getcert list, as seen
below. The install log still shows certmonger failed:
2016-11-17T20:05:05Z ERROR certmonger request for host certificate failed.

getcert list
Number of certificates and requests being tracked: 1.
Request ID '20161117153721':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

Not seeing any more SELinux issues either:

[root@server2 sudofix]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
<no matches>



Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: schogan at us.ibm.com | Tel 919 486 1397
From:	Rob Crittenden <rcritten at redhat.com>
To:	Sean Hogan/Durham/IBM at IBMUS
Cc:	freeipa-users at redhat.com, Jakub Hrozek <jhrozek at redhat.com>, Martin Babinsky <mbabinsk at redhat.com>
Date:	11/17/2016 09:14 AM
Subject:	Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server



Sean Hogan wrote:
> Hi Robert,
>
> No, I did not cut it off. There was no reason listed; that was the
> last line about the issue.
>
> I did find this to be my issue, however:
> https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat
> guys see if they can pull the new selinux policy packages, as I do not
> see them available right now for my boxes.
>
> [root@server2 log]# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
> ----
> type=USER_AVC msg=audit(11/17/2016 10:35:04.074:2502) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
> ----
> type=PATH msg=audit(11/17/2016 10:37:21.803:2543) : item=0 name=/etc/ipa/nssdb inode=16807676 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.803:2543) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7fbc870da950 a1=W_OK|R_OK a2=0x4000 a3=0xfffffffffffff8e8 items=1 ppid=1 pid=2875 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write } for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
> ----
> type=PATH msg=audit(11/17/2016 10:37:21.866:2544) : item=0 name=/etc/ipa/nssdb/cert8.db inode=16807680 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 objtype=NORMAL
> type=SYSCALL msg=audit(11/17/2016 10:37:21.866:2544) : arch=x86_64 syscall=open success=yes exit=11 a0=0x7fbc8712a080 a1=O_RDWR a2=0x180 a3=0x0 items=1 ppid=2875 pid=2918 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
> type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write } for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

Good catch, that seems like the issue.

> [root@server2 log]# rpm -qf /etc/ipa/nssdb
> ipa-python-4.1.0-18.el7_1.4.x86_64

IIRC it is just ghosted, all files should be owned by something.

> Encryption types: thanks for the command, good to know, but I hate seeing
> the arcfour and des options, as I know DISA will not like that.

No DES, Triple DES. You can always remove them if you want, just be
aware of interoperability.

rob

>
> [root@ipa1 ~]# ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local krbSupportedEncSaltTypes
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local> with scope baseObject
> # filter: (objectclass=*)
> # requesting: krbSupportedEncSaltTypes
> #
>
> # IPA.LOCAL, kerberos, ipa.local
> dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
> krbSupportedEncSaltTypes: aes256-cts:normal
> krbSupportedEncSaltTypes: aes256-cts:special
> krbSupportedEncSaltTypes: aes128-cts:normal
> krbSupportedEncSaltTypes: aes128-cts:special
> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
> krbSupportedEncSaltTypes: des3-hmac-sha1:special
> krbSupportedEncSaltTypes: arcfour-hmac:normal
> krbSupportedEncSaltTypes: arcfour-hmac:special
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
>
>
> Sean Hogan
>
>
> From: Rob Crittenden <rcritten at redhat.com>
> To: Sean Hogan/Durham/IBM at IBMUS, Jakub Hrozek <jhrozek at redhat.com>
> Cc: freeipa-users at redhat.com, Martin Babinsky <mbabinsk at redhat.com>
> Date: 11/17/2016 07:59 AM
> Subject: Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server
>
> ------------------------------------------------------------------------
>
>
>
> Sean Hogan wrote:
>> Hi Jakub,
>>
>> I ended up re-enrolling the box and it is behaving as expected, except I
>> am not getting a host cert. Robert indicated that the auto host cert is no
>> longer available with RHEL 7, but to use the --request-cert option on enroll
>> to get a host cert if I wanted one. I did so and get this in the install log:
>>
>>
>> 2016-11-16T22:00:53Z DEBUG Starting external process
>> 2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
>> 2016-11-16T22:00:53Z DEBUG Process finished, return code=0
>> 2016-11-16T22:00:53Z DEBUG stdout=active
>>
>> 2016-11-16T22:00:53Z DEBUG stderr=
>> 2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed
>
> Did you cut off the reason reported for the request failing?
>
>> Maybe this is an issue with a RHEL 7 (4.x) client hitting a RHEL 6 (3.x)
>> IPA server?
>
> You could look in the server logs for details.
>
>> As for crypto on RHEL 6 IPA, I have this (if this is what you are looking
>> for). However, this is a modified version, as it took me a while to get this
>> list to pass Tenable scans by modding the dse files.
>> [root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`
>
> These are the TLS settings for LDAP, not the Kerberos encryption types
> supported. You instead want to run:
>
> $ ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes
>
> rob
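
An added triage helper, not from the thread and not part of FreeIPA or certmonger, that scripts the two checks walked through above: it scans ausearch -i style audit records for certmonger_t denials against objects still carrying the generic etc_t label (the mislabelled /etc/ipa/nssdb symptom) and prints the semanage/restorecon relabel the thread applied, and it flags the legacy enc:salt types in ldapsearch output of krbSupportedEncSaltTypes. The audit and LDAP samples are constructed to match the shape of what is quoted in the thread (plus one unrelated sshd denial the filter must ignore); the function names and the path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or certmonger). Function names and
# sample data are assumptions; the samples are constructed to match the shape of
# the audit records and ldapsearch output quoted in the thread.

# Constructed audit records: the two certmonger denials from the thread plus an
# unrelated sshd denial that the filter must ignore.
SAMPLE_AVC='type=AVC msg=audit(11/17/2016 10:37:21.803:2543) : avc: denied { write } for pid=2875 comm=certmonger name=nssdb dev="dm-0" ino=16807676 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(11/17/2016 10:37:21.866:2544) : avc: denied { write } for pid=2918 comm=certmonger name=cert8.db dev="dm-0" ino=16807680 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(11/17/2016 10:40:00.000:2600) : avc: denied { read } for pid=3001 comm=sshd name=shadow dev="dm-0" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Constructed ldapsearch output for krbSupportedEncSaltTypes (the thread's
# realm values, trimmed to the attribute lines).
SAMPLE_LDAP='dn: cn=IPA.LOCAL,cn=kerberos,dc=ipa,dc=local
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special'

# Value of " KEY=VALUE" in one audit record (surrounding quotes stripped);
# prints nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Type component (user:role:TYPE:level) of an SELinux context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read audit records on stdin and print "comm name tclass tcontext" for every
# denial in which certmonger_t was refused access to an object still labelled
# with the generic etc_t type, which is the mislabelled /etc/ipa/nssdb symptom
# in the thread. Denials from other domains or on other types are ignored.
certmonger_etc_denials() {
    while IFS= read -r rec; do
        case "$rec" in *"avc:  denied"*|*"avc: denied"*) ;; *) continue ;; esac
        [ "$(ctx_type "$(avc_field "$rec" scontext)")" = certmonger_t ] || continue
        [ "$(ctx_type "$(avc_field "$rec" tcontext)")" = etc_t ] || continue
        printf '%s %s %s %s\n' "$(avc_field "$rec" comm)" "$(avc_field "$rec" name)" \
            "$(avc_field "$rec" tclass)" "$(avc_field "$rec" tcontext)"
    done
}

count_certmonger_etc_denials() {
    certmonger_etc_denials | wc -l | tr -d ' '
}

# Print (do not run) the relabel the thread applied, for the tree given as $1.
# The policy lets certmonger_t manage cert_t files, which is why the thread's
# AVCs stopped after the relabel. restorecon -F resets the whole context, not
# just the type, which matters for the unconfined_u-labelled cert8.db above.
relabel_commands() {
    printf 'semanage fcontext -a -t cert_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -FvvR %s/\n' "$1"
}

# Print the enc:salt types in ldapsearch output (stdin) that are legacy:
# single DES, triple DES and RC4 (arcfour). AES entries are left alone.
legacy_enctypes() {
    sed -n 's/^krbSupportedEncSaltTypes: //p' | grep -E '^(des-|des3-|arcfour-)' || true
}

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_AVC" | certmonger_etc_denials
[ "$(printf '%s\n' "$SAMPLE_AVC" | count_certmonger_etc_denials)" -gt 0 ] && relabel_commands /etc/ipa/nssdb
printf '%s\n' "$SAMPLE_LDAP" | legacy_enctypes
```

On a real client, feed the first filter with ausearch -m avc -i -ts recent and the second with the ldapsearch against the realm container shown above; the relabel commands are printed rather than executed so the check can run without root. Note that the filter keys on the target type being etc_t, so it will not report a tree already relabelled to cert_t, which is how to confirm the fix took.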