From yamakasi.014 at gmail.com Sat Oct 1 15:04:21 2016
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 1 Oct 2016 17:04:21 +0200
Subject: [Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user
Message-ID:

Hi guys,

I have installed successfully an external CA Certificate for https/LDAP but now I get this on my ipa-commands:

ipa domainlevel-get

ipa: ERROR: cert validation failed for "CN=*.mysubdomain.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

What can cause this?

I'm on FreeIPA, version: 4.4.1

I hope we can sort this out.

Thanks,

Matt


From jrichard at placeiq.com Sat Oct 1 17:23:04 2016
From: jrichard at placeiq.com (Jim Richard)
Date: Sat, 1 Oct 2016 13:23:04 -0400
Subject: [Freeipa-users] Replica created with expired certs
In-Reply-To: <57EE27F6.3080904@redhat.com>
References: <5EE38BB7-ED9B-4001-8F64-DB7CD2319C02@placeiq.com> <57EBAD23.4090604@redhat.com> <17A0F251-F5DF-447C-AB64-C053E83369D0@placeiq.com> <57ED04DF.2040707@redhat.com> <0B1B6EC8-C4DF-4BFB-9157-51A0814DB73C@placeiq.com> <57EE27F6.3080904@redhat.com>
Message-ID: <4C187B6F-AC57-43ED-8732-574B00036852@placeiq.com>

Hi Rob:

First I wanted to thank you for all of your valuable input/tips. As you well know, everything about certs, certmonger, dogtag and FreeIPA can get very complicated - there's no easy answer, so many things can go wrong :)

But, your answers to my questions got me thinking, gave me some clues, pointed me in the right direction. I wanted to take the time to specifically thank you because these concepts have mystified me for quite a while, our FreeIPA system has been running for more than a year with everything regarding certs kinda wacky and with me just praying that that fact didn't crash everything and make the most important function for us (ssh, sssd, authentication, sso) stop working.
With your help I have certainly not become an expert but have gone from pretty much clueless to having somewhat of a clue :) That's progress!!

My issue with the CA certs themselves is solved thanks to you pointing out the issue with creating replicas in 3.0 which has been fixed in 3.3 - the issue that can be solved by manually exporting a new cacert.p12 file and boom, new replicas created with expired certs issue solved.

And then there was the issue of "sec error legacy database" which would manifest itself in various forms and can be caused by many things - it is temporarily solved by restarting httpd but then just comes right back.

Based on your input I started looking at the certs/certmonger/getcert list - on all my nodes/hosts and noticed that many of them had bogus certs with principal names pointed at hosts that no longer existed. No other way to describe them other than WTF!!

My theory now is that all the nodes calling in to the CA with all those bogus certs were just overloading the CA and so after restarting httpd, it would temporarily clear up until all the nodes started calling in to the CA again - or something like that.

Anyways, Ansible to the rescue... I exported a list of hosts from my IPA system, that became my Ansible inventory file. Now, throw together a quick playbook to look at every host, identify the bogus cert or certs and tell certmonger to stop tracking them. The simple Ansible playbook follows here.

Run that against all hosts and bingo!!! - my httpd logs on the CA are no longer getting spammed with bogus cert requests, "sec error legacy database" errors are not happening, etc, etc.

In short, my FreeIPA CA situation is now, I hope and pray, fairly stable.

So HUGE shout out to you Rob!!!
---
- hosts: ipa-hosts
  gather_facts: False

  tasks:

  # `ipa-getcert list -r` shows only outstanding requests (those not yet in
  # MONITORING state); the request ID sits between the single quotes of the
  # "Request ID '...'" line, which is what the gawk field split pulls out.
  - name: get request id
    shell: ipa-getcert list -r | gawk -F\' '/Request/ {print $2}'
    register: my_id

  #- debug: var=my_id

  # stop tracking each stuck request so the client stops retrying it
  # against the CA; stdout_lines is empty on hosts with nothing to clean
  - name: kill bad certs
    shell: ipa-getcert stop-tracking -i {{ item }}
    with_items: "{{ my_id.stdout_lines }}"

Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905

> On Sep 30, 2016, at 4:53 AM, Rob Crittenden wrote:
>
> Jim Richard wrote:
>> Can I and how?
>>
>> delete all certs for all hosts
>>
>> I mean, we only use FreeIPA for user login/sssd
>>
>> That said, do we even need those certs?
>
> There is no simple answer, really.
>
> Yes, you can delete all certs for all hosts (not recommended as some of those are for IPA services). I doubt it would do anything positive and if the certificate is tracked by certmonger on the client it would eventually renew.
>
> Do you need the certs? Only you would know that, but chances are the vast majority aren't being used.
>
> In 3.0 when a client is registered a host certificate is obtained for it. This certificate was never used and in 4.something it isn't requested at all unless an option is passed to ipa-client-install.
>
> rob
>
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905
>> PlaceIQ: Location Data Accuracy
>>
>>> On Sep 29, 2016, at 8:53 PM, Jim Richard wrote:
>>>
>>> another interesting thing, my httpd/error_logs are constantly getting spammed with: (I removed the stuff between the single quotes)
>>>
>>> Notice those names don't match, should they?
>>>
>>> Me thinks not since those 'principal=' items are ALMOST all hosts that no longer exist in the FreeIPA system. A rare few do exist.
>>>
>>> So, that's weird :)
>>>
>>> [Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq.net at PLACEIQ.NET: cert_request(u'...', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq.net at PLACEIQ.NET', add=True): CertificateOperationError
>>>
>>> [Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq.net at PLACEIQ.NET: cert_request(u'...', principal=u'host/017.prod07.nym1.placeiq.net at PLACEIQ.NET', add=True): CertificateOperationError
>>>
>>> [Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq.net at PLACEIQ.NET: cert_request(u'...', principal=u'host/025.prod07.nym1.placeiq.net at PLACEIQ.NET', add=True): CertificateOperationError
>>>
>>> [Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq.net at PLACEIQ.NET: cert_request(u'...', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq.net at PLACEIQ.NET', add=True): CertificateOperationError
>>>
>>> Jim Richard
>>> SYSTEM ADMINISTRATOR III
>>> (646) 338-8905
>>> PlaceIQ: Location Data Accuracy
>>>
>>>> On Sep 29, 2016, at 8:11 AM, Rob Crittenden wrote:
>>>>
>>>> Natxo Asenjo wrote:
>>>>> hi Jim,
>>>>>
>>>>> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote:
>>>>>
>>>>>     Thanks Rob, that worked.
>>>>>
>>>>>     Still on the subject of certs, any idea how to solve this error:
>>>>>
>>>>>     Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
>>>>>
>>>>>     I see that in the gui when querying hosts as well as from cli when I ipa-show or ipa-find
>>>>>
>>>>> I have had this too, and we did not find a solution (search my recent posts on the archives).
>>>>> As a workaround I have created replicas and decommissioned the older replicas.
>>>>
>>>> On the one hand I'm glad this fixed it for you. On the other it is a rather unsatisfying answer. Unfortunately NSS doesn't always provide the most context with its error messages. This error is usually seen when one tries to open a non-existent database, which in this case is a very strange thing, especially since it goes from working to non-working in the same apache process over a few minutes.
>>>>
>>>> I'm not sure how I'd troubleshoot this if it were easily reproducible. I suspect we'd need to figure out which database cannot be found (most likely /etc/httpd/alias) and go from there. An strace is a brute-force way to see the file open but finding the right process to attach to is a bit of an art.
>>>>
>>>> rob
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project


From jrichard at placeiq.com Sat Oct 1 19:36:23 2016
From: jrichard at placeiq.com (Jim Richard)
Date: Sat, 1 Oct 2016 15:36:23 -0400
Subject: [Freeipa-users] Certificate format error reported by GUI
In-Reply-To: <45626024-0cbb-88be-6adc-63dd47bb3d4b@redhat.com>
References: <14E35142-15BB-4108-BFC9-A7BB84CB60CF@placeiq.com> <1e2b525b-3aff-636f-ff84-e781299ce86f@redhat.com> <45626024-0cbb-88be-6adc-63dd47bb3d4b@redhat.com>
Message-ID: <77AD2B1C-AD70-4B60-8BA6-4D1FDD76A4E9@placeiq.com>

Hi Pavel:

Yes, my httpd logs were flooded with cert errors from hosts trying to renew bogus certs.

How 100 or so out of 1000 hosts ended up with certs that were not valid is unknown at this time but using Ansible I cleaned all those up and it looks like I'm in good shape now.
Here's the playbook I used to find certs that were problematic and tell certmonger to stop tracking them:

---
- hosts: ipa-hosts
  gather_facts: False

  tasks:

  # `ipa-getcert list -r` shows only outstanding requests (those not yet in
  # MONITORING state); the gawk field split on the single quote extracts the
  # ID from the "Request ID '...'" line.
  - name: get request id
    shell: ipa-getcert list -r | gawk -F\' '/Request/ {print $2}'
    register: my_id

  #- debug: var=my_id

  # stop tracking each stuck request; stdout_lines is empty on clean hosts
  - name: kill bad certs
    shell: ipa-getcert stop-tracking -i {{ item }}
    with_items: "{{ my_id.stdout_lines }}"

Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905

> On Sep 30, 2016, at 3:42 AM, Pavel Vomacka wrote:
>
> Ah, ok, does /var/log/httpd/error_log contain any error after looking at hosts using GUI? And could you please send output of ipactl status after the error occurs?
>
> On 09/30/2016 02:40 AM, Jim Richard wrote:
>> Hi Paul, 3.0.0 on Centos 6.8
>>
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905
>>
>>> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka wrote:
>>>
>>> Hello,
>>>
>>> which version of FreeIPA do you use?
>>> On 09/28/2016 12:42 AM, Jim Richard wrote:
>>>> When I try to look at hosts under the hosts tab. ipactl restart or just restarting httpd seems to clear it up for a short period.
>>>>
>>>> Three replicas in the environment, it only happens when I look at hosts using the GUI at one of the three replicas.
>>>>
>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
>>>>
>>>> Jim Richard
>>>> SYSTEM ADMINISTRATOR III
>>>> (646) 338-8905
>>>
>>> --
>>> Pavel^3 Vomacka
>
> --
> Pavel^3 Vomacka


From yamakasi.014 at gmail.com Sun Oct 2 08:16:37 2016
From: yamakasi.014 at gmail.com (Matt .)
Date: Sun, 2 Oct 2016 10:16:37 +0200
Subject: [Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user
In-Reply-To:
References:
Message-ID:

Hi,

No-one has any idea here?

My Root Cert is installed OK.
# certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
COMODOExternalCARoot                                         C,C,C
COMODORSADomainValidationSecureServerCA                      C,C,C
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
COMODORSAAddTrustCA                                          C,C,C

I hope this helps.

Cheers,

Matt

2016-10-01 17:04 GMT+02:00 Matt . :
> Hi guys,
>
> I have installed successfully an external CA Certificate for https/LDAP but now I get this on my ipa-commands:
>
> ipa domainlevel-get
>
> ipa: ERROR: cert validation failed for "CN=*.mysubdomain.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>
> What can cause this?
>
> I'm on FreeIPA, version: 4.4.1
>
> I hope we can sort this out.
>
> Thanks,
>
> Matt


From pvoborni at redhat.com Mon Oct 3 08:48:45 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 3 Oct 2016 10:48:45 +0200
Subject: [Freeipa-users] Certificate format error reported by GUI
In-Reply-To: <77AD2B1C-AD70-4B60-8BA6-4D1FDD76A4E9@placeiq.com>
References: <14E35142-15BB-4108-BFC9-A7BB84CB60CF@placeiq.com> <1e2b525b-3aff-636f-ff84-e781299ce86f@redhat.com> <45626024-0cbb-88be-6adc-63dd47bb3d4b@redhat.com> <77AD2B1C-AD70-4B60-8BA6-4D1FDD76A4E9@placeiq.com>
Message-ID: <8b7b43a7-32e6-bd9d-01a3-088567b465d2@redhat.com>

Hi Jim,

I'm glad that the ansible way helped you.

By any chance, do you have the old httpd error_log at hand? I think that IPA on RHEL 6 might suffer from an issue that under certain conditions (unknown) some cert request might put the NSS database into an incorrect state which then causes IPA framework failures for all cert operations.

Do you see in error_log a similar sequence to the one described at: https://www.redhat.com/archives/freeipa-users/2016-September/msg00250.html

Namely:

1.
one cert_request causes:

[Thu Sep 15 13:08:23 2016] [error] ipa: DEBUG: response: NetworkError: cannot connect to 'https://xx.xxx.xxx.xx:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

And then all following cert ops end with:

cert_show(u'15'): NetworkError
[Thu Sep 15 13:08:26 2016] [error] ipa: DEBUG: response: NetworkError: cannot connect to 'https://xx.xxx.xxx.xxl:443/ca/agent/ca/displayBySerial': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

On 10/01/2016 09:36 PM, Jim Richard wrote:
> Hi Pavel:
>
> Yes, my httpd logs were flooded with cert errors from hosts trying to renew bogus certs.
>
> How 100 or so out of 1000 hosts ended up with certs that were not valid is unknown at this time but using Ansible I cleaned all those up and it looks like I'm in good shape now.
>
> Here's the playbook I used to find certs that were problematic and tell certmonger to stop tracking them:
>
> ---
> - hosts: ipa-hosts
>   gather_facts: False
>
>   tasks:
>
>   - name: get request id
>     shell: ipa-getcert list -r |gawk -F\' '/Request/ {print $2}'
>     register: my_id
>
>   #- debug: var=my_id
>
>   - name: kill bad certs
>     shell: ipa-getcert stop-tracking -i {{ item }}
>     with_items: "{{ my_id.stdout_lines }}"
>
> Jim Richard
> SYSTEM ADMINISTRATOR III
> (646) 338-8905
> PlaceIQ: Location Data Accuracy
>
>> On Sep 30, 2016, at 3:42 AM, Pavel Vomacka wrote:
>>
>> Ah, ok, does /var/log/httpd/error_log contain any error after looking at hosts using GUI? And could you please send output of ipactl status after the error occurs?
>>
>> On 09/30/2016 02:40 AM, Jim Richard wrote:
>>> Hi Paul, 3.0.0 on Centos 6.8
>>>
>>> Jim Richard
>>> SYSTEM ADMINISTRATOR III
>>> (646) 338-8905
>>> PlaceIQ: Location Data Accuracy
>>>
>>>> On Sep 29, 2016, at 11:58 AM, Pavel Vomacka wrote:
>>>>
>>>> Hello,
>>>>
>>>> which version of FreeIPA do you use?
>>>>
>>>> On 09/28/2016 12:42 AM, Jim Richard wrote:
>>>>> When I try to look at hosts under the hosts tab. ipactl restart or just restarting httpd seems to clear it up for a short period.
>>>>>
>>>>> Three replicas in the environment, it only happens when I look at hosts using the GUI at one of the three replicas.
>>>>>
>>>>> Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
>>>>>
>>>>> Jim Richard
>>>>> SYSTEM ADMINISTRATOR III
>>>>> (646) 338-8905
>>>>> PlaceIQ: Location Data Accuracy
>>>>
>>>> --
>>>> Pavel^3 Vomacka
>>
>> --
>> Pavel^3 Vomacka

--
Petr Vobornik


From tbordaz at redhat.com Mon Oct 3 12:02:40 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 3 Oct 2016 14:02:40 +0200
Subject: [Freeipa-users] cleanallruv - no replica's :(
In-Reply-To:
References:
Message-ID: <57F248E0.2000108@redhat.com>

On 09/30/2016 10:41 PM, Matt Wells wrote:
> Hey all I hoped anyone may be able to assist. I had 2 dead replicas and used cleanallruv.pl as they refused to leave otherwise.
>
> `/usr/sbin/cleanallruv.pl -v -D "cn=directory manager" -w - -b 'dc=mosaic451,dc=com' -r 17`
>
> 17 being the bad guy. Well it ran `woohoo` but deleted all of my replicas. The state it's in now is I can make changes on Box1 (the one I ran it on) and they replicate to Box2 but never come back.
> If I delete it on Box2 it never gets to Box1 however Box2 says he has that happy replication agreement.
> So it's almost a split brain scenario.
> I hoped someone may be able to assist.
> Can I just re-cut the replication agreement from Box2 and run it on Box1; he's a full grown IPA so if I did that wouldn't I need to --uninstall him?
>
> What do you guys think?
>

Hi Matt,

It is not clear to me what you mean with 'deleted all of my replicas'. Do you mean that after cleanallruv completed, the RUV does not contain any element?

If replication works B1 -> B2 and fails B2 -> B1 would it be possible to get samples of DS access logs showing that.

Also it would be useful to have some RUV dumps on both B1 and B2 after the updates:

ldapsearch -xLLL -D "cn=directory manager" -W -b \
  '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

regards
thierry


From rcritten at redhat.com Mon Oct 3 15:32:27 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 3 Oct 2016 11:32:27 -0400
Subject: [Freeipa-users] another certmonger question
In-Reply-To:
References: <57EA5B17.8000307@redhat.com> <57ECF80E.6010406@redhat.com> <57EE2623.3010303@redhat.com>
Message-ID: <57F27A0B.2090802@redhat.com>

Natxo Asenjo wrote:
>
> On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden wrote:
>
>> Natxo Asenjo wrote:
>>
>>> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden wrote:
>>>
>>>> Natxo Asenjo wrote:
>>>>
>>>>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:
>>>>>
>>>>>> It's hard to say, it may in fact not be a problem.
>>>>>>
>>>>>> It is really a matter of what service the certificate(s) are related to. I'd look at the serial numbers and then correlate those to the issued certificates.
>>>>>>
>>>>>> I'd also do a service-find on the hostname to see if any services have certificates issued and with what serial numbers.
>>>>>
>>>>> I agree, it could be that. But just for testing I have created a vm, joined it to the domain and resubmitted the certificate.
>>>>>
>>>>> Now there are two valid host certificates with the same subject:
>>>>>
>>>>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>>>>> ----------------------
>>>>> 2 certificates matched
>>>>> ----------------------
>>>>>   Serial number (hex): 0x3FFE0002
>>>>>   Serial number: 1073610754
>>>>>   Status: VALID
>>>>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>>>>
>>>>>   Serial number (hex): 0x3FFE0003
>>>>>   Serial number: 1073610755
>>>>>   Status: VALID
>>>>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>> ----------------------------
>>>>>
>>>>> So certmonger in this centos 6.8 32bit host is renewing but not having the old certificate revoked.
>>>>
>>>> I'd check the Apache log to find the cert_request call to see if you can see if there are any issues raised. It should be doing a cert_revoke at the same time.
>>>>
>>>> Can you show how this certificate is being tracked?
>>>
>>> sure:
>>>
>>> $ sudo getcert list
>>> Number of certificates and requests being tracked: 1.
>>> Request ID '20160929100945':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>>>         subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>>         expires: 2018-09-30 10:13:17 UTC
>>>         principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> now, let's resubmit:
>>>
>>> $ sudo ipa-getcert resubmit -i 20160929100945
>>> Resubmitting "20160929100945" to "IPA".
>>> [jose.admin at throwaway ~]$ sudo getcert list
>>> Number of certificates and requests being tracked: 1.
>>> Request ID '20160929100945':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>>>         subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>>         expires: 2018-09-30 20:41:28 UTC
>>>         principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> so it has been successfully renewed.
>>>
>>> In the access_log of the kdc I see this:
>>>
>>> 172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
>>> 172.20.6.81 - host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929
>>>
>>> and in the error_log:
>>>
>>> [Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL: cert_request(u'[...]
>>> DQYJKoZIhvcNAQELBQADggEBAD674/oGYlQTQDSvwf0muYoxBsj1dc6gnArw0JJpGVCNMv/J3FdgOLcOhxzZcOfZiQr4NdYoV+/6mISOhknMa4ErJhqSAWbUA+w3+lL3CHfdDtNueUjZRbPZezcC0rhAlnXBT7iakjuhE56WkZz7AihEU8RAvnZfSRi1mhehf3wFRYKWuzK9AW1DTY/uGMmHXiFtvINpfAJ3yL66xPwTj4087nz9w4YUqNyCX+hYL+7idCJeoMjDyCqYQpjFkdfZhRuNd+rrKWTgYvKN3w/5+ItefDCYy8py91V2kXS7BrsYjd+2YHtQ2AbjgIW2xpTr/+PetToZyL50oWCpduT5t+M=', principal=u'host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL', add=True, version=u'2.51'): SUCCESS
>>>
>>> and now I have 3 valid certificates:
>>>
>>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>>> ----------------------
>>> 3 certificates matched
>>> ----------------------
>>>   Serial number (hex): 0xFF9000D
>>>   Serial number: 267976717
>>>   Status: VALID
>>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>>
>>>   Serial number (hex): 0x3FFE0002
>>>   Serial number: 1073610754
>>>   Status: VALID
>>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>>
>>>   Serial number (hex): 0x3FFE0003
>>>   Serial number: 1073610755
>>>   Status: VALID
>>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>> ----------------------------
>>> Number of entries returned 3
>>> ----------------------------
>>
>> Ok, let me start by saying that this is not a bug in either certmonger or dogtag. IPA is supposed to do the revocation in the cert_request command.
>>
>> The steps IPA _should_ be taking are:
>>
>> 1. Figure out if we are doing a certificate for a host or a service.
>> 2. See if the requester is allowed to manage this entry
>> 3. Look at the entry to see if it has a usercertificate attribute. If so revoke that serial number, then clear the usercertificate value in the host or service entry (via service_mod or host_mod)
>> 4. Request a new certificate
>> 5. Update IPA with the new value
>>
>> Does a certificate appear in ipa host-show throwaway.unix.iriszorg.nl, and which certificate serial number?
> > > $ ipa host-show throwaway > Host name: throwaway.unix.iriszorg.nl > Certificate: > 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! GA1UEAwwVQ 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, > > MIIE0DCCA7igAwIBAgIEP/4AAjANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MTAwOTUwWhcNMTgwOTMwMTAwOTUwWjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBw! 
GA1UEAwwVQ 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, > > MIIE0DCCA7igAwIBAgIEP/4AAzANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKExBVTklYLklSSVNaT1JHLk5MMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTYwOTI5MTAxMzE3WhcNMTgwOTMwMTAxMzE3WjBAMRkwFwYDVQQKDBBVTklYLklSSVNaT1JHLk5MMSMwIQYDVQQDDBp0aHJvd2F3YXkudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiMGTtXYPmlfXaRiuv76XCxarVRYfLo8z074H8a/FojQmgBEGuFHowojUS/4NXavm6Q01YePn7+Qpu1b1cjZcxn2kgFLAbdIbib2zeBBXd0ZCOVEJxT4yBeIPFG1HLZV3N3V9n3F0HW3Efdmdl9x5Oiw3Dgmndub9W08KFYl43orrvUUtELMmQjUqsL4sd8Zu/JO06KkHk723xGQ3hCHTWv+umE++30aH7+ZOUeeYY/36yx6oceyC/Z8+9FCjCkkMTK1NfnD/ykutQIBOolRh/ErlEO7APXfTindZcMUuhTqnbFpHreHfia6PVrk1XUK9AWolqkcHkH/Dq5RsvOODcCAwEAAaOCAdUwggHRMB8GA1UdIwQYMBaAFKOX5IouuM8+6jPyvJPWI96phDZoMEIGCCsGAQUFBwEBBDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL2lwYS1jYS51bml4LmlyaXN6b3JnLm5sL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB7BgNVHR8EdDByMHCgOKA2hjRodHRwOi8vaXBhLWNhLnVuaXguaXJpc3pvcmcubmwvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBw! GA1UEAwwVQ 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 > Principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL > > Password: False > Keytab: True > Managed by: throwaway.unix.iriszorg.nl > > Subject: CN=throwaway.unix.iriszorg.nl > ,O=UNIX.IRISZORG.NL > > Serial Number: 267976717 > Serial Number (hex): 0xFF9000D > Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL > > Not Before: Thu Sep 29 20:41:28 2016 UTC > Not After: Sun Sep 30 20:41:28 2018 UTC > Fingerprint (MD5): 52:a1:06:a1:39:27:bc:ed:dd:45:f5:36:32:11:99:c1 > Fingerprint (SHA1): > 81:d4:01:5a:26:83:9c:c4:fb:76:fb:c3:29:cd:32:c1:8a:4c:eb:45 > SSH public key fingerprint: > 61:66:4D:D7:E6:83:B3:31:BB:50:C3:28:11:79:FD:42 (ssh-rsa), > > 71:80:40:26:50:64:CD:FE:9A:FB:8D:DA:55:56:18:95 (ssh-dss) > > > so it shows the three certificates but the serial is 267976717 Sadly I don't have much useful information for you. This is what I found. 
usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really operates on the "first" value returned (I didn't look at more recent versions). In this case it is the 267976717 cert. The other certs shown without details are for the other serial numbers that cert-find is reporting.

I can't see a way that this first usercertificate value isn't revoked and removed upon renewal so I can't quite figure out how you got into this state (and so easily as I understand it). I wasn't able to reproduce it myself. Do you have any idea how wide-spread this is in your infrastructure?

I can see that once in this state that any "extra" certs would just be stuck there, never to be revoked.

rob


From richard.harmonson at gmail.com Tue Oct 4 04:25:33 2016
From: richard.harmonson at gmail.com (Richard Harmonson)
Date: Mon, 3 Oct 2016 21:25:33 -0700
Subject: [Freeipa-users] DNS ceases on both Master & Replica after several days
Message-ID:

After successful installation and use of DNS with forwarding first on a Master and Replica, several days pass then it stops. Using 'ipactl status' shows named service stopped. Using 'ipactl restart' services, DNS is running but stops again several days later. Rinse and repeat.

All other services show running with using 'ipactl status.' Interesting, both the Master and Replica fail. It is never just one.

Suggestions on where to begin looking? and how?
From natxo.asenjo at gmail.com Tue Oct 4 06:21:04 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 4 Oct 2016 08:21:04 +0200
Subject: [Freeipa-users] another certmonger question
In-Reply-To: <57F27A0B.2090802@redhat.com>
References: <57EA5B17.8000307@redhat.com> <57ECF80E.6010406@redhat.com> <57EE2623.3010303@redhat.com> <57F27A0B.2090802@redhat.com>
Message-ID:

hi,

On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden wrote:
>
> usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really operates on the "first" value returned (I didn't look at more recent versions). In this case it is the 267976717 cert. The other certs shown without details are for the other serial numbers that cert-find is reporting
>
> I can't see a way that this first usercertificate value isn't revoked and removed upon renewal so I can't quite figure out how you got into this state (and so easily as I understand it). I wasn't able to reproduce it myself. Do you have any idea how wide-spread this is in your infrastructure?
>
> I can see that once in this state that any "extra" certs would just be stuck there, never to be revoked.
>

This is happening all over the place. I guess I will have to script this: retrieve the usercertificate attribute of the host computers, get their 'not before/not after' and serial number values, and revoke the oldest valid ones in case there is more than one valid one. This should not be very hard.

I need to monitor the certmonger status as well, a nagios plugin should do the trick.

--
Groeten,
natxo
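The clean-up Natxo describes above (per host, keep the newest valid certificate and revoke the rest), written out as an added example in Python. This is not code from the thread, from Natxo or from FreeIPA: it parses records in the shape of `ipa cert-show`/`ipa cert-find` output (the sample records below are constructed; the subjects and serials follow the thread, the Not Before/Not After values are assumptions) and prints the `ipa cert-revoke` commands instead of calling the API itself. The one thing worth seeing in code is the ordering rule: with several CA replicas each issuing from its own serial range, the newest certificate is not the highest serial (in the thread 0xFF9000D is newer than 0x3FFE0003), so the keep/revoke decision has to be made on Not After, never on serial number.

```python
"""Decide which duplicate host certificates to revoke (keep newest per subject).

Added example, not code from the freeipa-users thread or from FreeIPA.
Input records mimic `ipa cert-show` / `ipa cert-find` output as printed by
IPA 3.x; the sample below is constructed (dates are assumptions).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: what `ipa cert-show <serial>` would print for each serial
# that `ipa cert-find --subject=throwaway.unix.iriszorg.nl` reported, plus one
# unrelated host with a single certificate.  Only the serials are from the thread.
SAMPLE_CERT_SHOW_OUTPUT = """\
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
  Not Before: Thu Sep 29 10:09:50 2016 UTC
  Not After: Sun Sep 30 10:09:50 2018 UTC
  Serial number: 1073610754
  Serial number (hex): 0x3FFE0002
  Status: VALID

  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
  Not Before: Thu Sep 29 10:13:17 2016 UTC
  Not After: Sun Sep 30 10:13:17 2018 UTC
  Serial number: 1073610755
  Serial number (hex): 0x3FFE0003
  Status: VALID

  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
  Not Before: Thu Sep 29 20:41:28 2016 UTC
  Not After: Sun Sep 30 20:41:28 2018 UTC
  Serial number: 267976717
  Serial number (hex): 0xFF9000D
  Status: VALID

  Subject: CN=otherhost.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
  Not Before: Mon Jan 04 08:00:00 2016 UTC
  Not After: Wed Jan 03 08:00:00 2018 UTC
  Serial number: 13
  Serial number (hex): 0xD
  Status: VALID
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"   # the timestamp style IPA prints
REASON_SUPERSEDED = 4                   # RFC 5280 CRLReason: superseded
THREAD_DATE = datetime(2016, 10, 4, tzinfo=timezone.utc)


def parse_cert_records(text):
    """Split 'Key: value' blocks separated by blank lines into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def to_cert(record):
    """Normalise one record: integer serial, timezone-aware validity dates."""
    def utc(s):
        return datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)
    return {"subject": record["Subject"],
            "serial": int(record["Serial number"]),
            "not_before": utc(record["Not Before"]),
            "not_after": utc(record["Not After"]),
            "status": record.get("Status", "UNKNOWN")}


def plan_revocations(certs, now=THREAD_DATE):
    """Return (subject, serial) pairs to revoke: every VALID, unexpired cert of a
    subject except the one with the latest Not After.  Ordering is by validity
    dates on purpose: serial numbers are not monotonic across CA clones."""
    by_subject = defaultdict(list)
    for c in certs:
        if c["status"] == "VALID" and c["not_after"] > now:
            by_subject[c["subject"]].append(c)
    plan = []
    for subject, group in by_subject.items():
        group.sort(key=lambda c: (c["not_after"], c["not_before"], c["serial"]))
        plan.extend((subject, stale["serial"]) for stale in group[:-1])
    return plan


def revoke_commands(plan):
    """The `ipa cert-revoke` invocations for the plan (reason 4 = superseded)."""
    return ["ipa cert-revoke %d --revocation-reason=%d" % (serial, REASON_SUPERSEDED)
            for _subject, serial in plan]


if __name__ == "__main__":
    certs = [to_cert(r) for r in parse_cert_records(SAMPLE_CERT_SHOW_OUTPUT)]
    for cmd in revoke_commands(plan_revocations(certs)):
        print(cmd)
```

Before running the printed commands, check that the serial being kept is the one `ipa host-show` reports as the host's current certificate; `ipa cert-revoke` only talks to the CA, so the stale usercertificate values left in the host entry still have to be removed separately.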
From mbabinsk at redhat.com Tue Oct 4 07:12:26 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 4 Oct 2016 09:12:26 +0200
Subject: [Freeipa-users] DNS ceases on both Master & Replica after several days
In-Reply-To:
References:
Message-ID: <650a4643-f9af-037f-f949-30f5d3e06664@redhat.com>

On 10/04/2016 06:25 AM, Richard Harmonson wrote:
> After successful installation and use of DNS with forwarding first on a Master and Replica, several days pass then it stops. Using 'ipactl status' shows named service stopped. Using 'ipactl restart' services, DNS is running but stops again several days later. Rinse and repeat.
>
> All other services show running with using 'ipactl status.' Interesting, both the Master and Replica fail. It is never just one.
>
> Suggestions on where to begin looking? and how?
>

There should be some information in the journal log. Try to issue `journalctl -u named-pkcs11.service` and look into the output for errors.

--
Martin^3 Babinsky


From ftweedal at redhat.com Tue Oct 4 09:14:47 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 4 Oct 2016 19:14:47 +1000
Subject: [Freeipa-users] FreeIPA as CA for your own internal webservices
In-Reply-To:
References:
Message-ID: <20161004091447.GM20504@dhcp-40-8.bne.redhat.com>

On Fri, Sep 30, 2016 at 09:17:35AM +0200, Matt . wrote:
> Hi Guys,
>
> I'm wondering how it's possible to use FreeIPA as your own CA for apache vhosts and such.
>
> I need too many certificates for subdomains (wildcards) that it's undoable and I would like to use my FreeIPA installs for this.
>
> I installed the root certificate on windows from my IPA install and that works, FreeIPA itself is now trusted. But how to do this for other webservices no matter what software I use?
>
You'll have to add the IPA CA certificate to all trust stores used by the programs that talk to services that present a certificate issued by FreeIPA.
Adding the CA cert to the shared "system" trust store is sufficient for many programs. Some programs (including most browsers) bundle their own trust store or have trusted certs configured some other way.

If you run into difficulty with a specific system or program let us know and we can try to help :)

Cheers,
Fraser

> I hope someone can give me direction here.
>
> Thanks!
>
> Matt
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From desantis at mail.usf.edu Tue Oct 4 15:14:57 2016
From: desantis at mail.usf.edu (John Desantis)
Date: Tue, 4 Oct 2016 11:14:57 -0400
Subject: [Freeipa-users] Question about removed replica
Message-ID:

Hello all,

Like a case of herpes, I'm back!

Anyways, I was hoping some lingering questions could be answered regarding some visible entries via ldapsearch, which manifest a removed replica's hostname [1].

Running the ipa-replica-manage and ipa-csreplica-manage commands do not show the host in question any longer, but when I run a few directory searches on each replica using the commands below:

# ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica
# ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement

I'm able to see the old host on the master, but not on the replicas. See below.
# master, replica id 4:
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
nsDS5ReplicaBindDN: krbprincipalname=ldap/oldhost.dom.dom.dom at DOM.DOM.DOM,cn=services,cn=accounts,dc=dom,dc=dom,dc=dom

ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost
nsds50ruv: {replica 24 ldap://oldhost.dom.dom.dom:389} 5447f252000000180000 5447f861000000180000
nsruvReplicaLastModified: {replica 24 ldap://oldhost.dom.dom.dom:389} 00000000
nsds50ruv: {replica 24 ldap://oldhost.dom.dom.dom:389} 5447f252000000180000 5447f56b000200180000
nsruvReplicaLastModified: {replica 24 ldap://oldhost.dom.dom.dom:389} 00000000

It's listed twice due to the other hosts in the topology.

# replica id 22
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost

# replica id 21
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost

The other two replicas no longer have the reference to the old host after the CLEANALLRUV and CLEANRUV tasks performed by ldapmodify. I then read via [2] that the dse.ldif could be manually edited to remove references, but I'm not sure if that should be done if the general opinion is that the old references aren't going to cause a problem.

Based upon the information above, is having a reference to the old host via the ldapsearch outputs above going to be a problem?
If the entry shouldn't be there, should the ldapmodify be performed against the "cn=meTomaster.dom.dom.dom,cn=replica,cn=dc\3Ddom\2Cdc\3Ddom\2Cdc\3Ddom,cn=mapping tree,cn=config" bases?

For reference, these are the commands I ran to get to state [1]:

# master
ldapmodify -x -W -h localhost -D "cn=directory manager" <

References: <57EA5B17.8000307@redhat.com> <57ECF80E.6010406@redhat.com> <57EE2623.3010303@redhat.com> <57F27A0B.2090802@redhat.com>
Message-ID: <57F401D2.1030808@redhat.com>

Natxo Asenjo wrote:
> hi,
>
> On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden wrote:
>
>     usercertificate is a multi-valued LDAP attribute but IPA 3.0 only
>     really operates on the "first" value returned (I didn't look at more
>     recent versions). In this case it is the 267976717 cert. The other
>     certs shown without details are for the other serial numbers that
>     cert-find is reporting
>
>     I can't see a way that this first usercertificate value isn't
>     revoked and removed upon renewal so I can't quite figure out how you
>     got into this state (and so easily as I understand it). I wasn't
>     able to reproduce it myself. Do you have any idea how wide-spread
>     this is in your infrastructure?
>
>     I can see that once in this state that any "extra" certs would just
>     be stuck there, never to be revoked.
>
> This is happening all over the place.
>
> I guess I will have to script this: retrieve the usercertificate
> attribute of the host computers, get their 'not before/not after' and
> serial number values, and revoke the oldest valid ones in case there is
> more than one valid one. This should not be very hard.
>
> I need to monitor the certmonger status as well, a nagios plugin should
> do the trick.
>

You may want to open a bug against RHEL 6 on this as well.
rob

From mareynol at redhat.com Tue Oct 4 22:54:11 2016
From: mareynol at redhat.com (Mark Reynolds)
Date: Tue, 4 Oct 2016 18:54:11 -0400
Subject: [Freeipa-users] cleanallruv - no replica's :(
In-Reply-To:
References:
Message-ID: <4d5ffb64-2694-78bb-6568-498bb3c0c83b@redhat.com>

On 09/30/2016 04:41 PM, Matt Wells wrote:
> Hey all I hoped anyone may be able to assist. I had 2 dead replicas
> and used the cleanallruv.pl as they refused to leave otherwise.
> ` /usr/sbin/cleanallruv.pl -v -D "cn=directory manager" -w - -b 'dc=mosaic451,dc=com' -r 17 `
> 17 being the bad guy. Well it ran `woohoo` but deleted all of my
> replicas. The state it's in now is I can make changes on Box1 (the
> one I ran it on) and they replicate to Box2 but never come back.
> If I delete it on Box2 it never gets to Box1 however Box2 says he
> has that happy replication agreement.
> So it's almost a split brain scenario. I hoped someone may be able to
> assist.

You need to look at the Directory Servers errors log to tell what is going wrong with replication. Can you post some errors log output from each box?

/var/log/dirsrv/slapd-INSTANCE/errors

Thanks,
Mark

> Can I just re-cut the replication agreement from Box2 and run it on
> Box1; he's a full grown IPA so if I did that wouldn't I need to
> --uninstall him?
>
> What do you guys think?
>
From ftweedal at redhat.com Wed Oct 5 00:20:08 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 5 Oct 2016 10:20:08 +1000
Subject: [Freeipa-users] certificate list problems using web ui after upgrading to FreeIPA 4.2.0-15
In-Reply-To: <01cafbc4-68a6-bcb7-bcec-4716b2ce068a@carcano.ch>
References: <01cafbc4-68a6-bcb7-bcec-4716b2ce068a@carcano.ch>
Message-ID: <20161005002008.GQ20504@dhcp-40-8.bne.redhat.com>

On Thu, Sep 29, 2016 at 11:13:22PM +0200, Marco Antonio Carcano wrote:
> Hi all,
>
> I've just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7
> (7.2.1511) and I'm no more able to list certificates using the web ui
>
> when I go on "Authentication", "Certificates" and chose "Certificates" I
> got the following error
>
> Certificate operation cannot be completed: Unable to communicate with CMS
> (Internal Server Error)
>
> and tomcat logs contain the following exception:
>
> Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Allocate exception for servlet Resteasy
> java.lang.ClassNotFoundException: com.netscape.ca.CertificateAuthorityApplication
>     at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
>     at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>     at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>
> So it complains it cannot find class
> com.netscape.ca.CertificateAuthorityApplication - that's right
>
> The funny thing is that command line works like a charm
>
> ipa caacl-find
> ----------------
> 1 CA ACL matched
> ----------------
>   ACL name: hosts_services_caIPAserviceCert
>   Enabled: TRUE
>   Host category: all
>   Service category: all
>   Profiles: caIPAserviceCert
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> ipa cert-show
>   Serial number: 1
>   Certificate:
>   MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtJVEM0
>   VS5MT0NBTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5
>   ...
>   iI2rFqRTA+AF3xpqYBtOP+WwcBaue+OZ/GEsPOiyvcV1ZX6FWcKsmBf/Tt7A9
>   Subject: CN=Certificate Authority,O=ME.LOCAL
>   Issuer: CN=Certificate Authority,O=ME.LOCAL
>   Not Before: Tue Dec 02 08:05:42 2014 UTC
>   Not After: Sat Dec 02 08:05:42 2034 UTC
>   Fingerprint (MD5): 59:4c:bb:dc:6a:e2:ff:17:6c:34:3e:f4:7e:fa:69:2e
>   Fingerprint (SHA1): 74:c1:b3:a1:a1:25:5c:02:e8:ef:c5:30:14:fd:f0:58:79:6d:60:33
>   Serial number (hex): 0x1
>   Serial number: 1
>
> By the way, the weird thing is that before migrating I added a replica node
> (so a fresh installation of FreeIPA 4.2.0-15) and the replica works
> perfectly, without this problem
>
> It seems to be a problem somehow related to the upgrade process
>
> How can I manage? Any suggestion? By the way, does anybody know which JAR
> contains com.netscape.ca.CertificateAuthorityApplication? I suppose it was
> /usr/share/java/pki/pki-ca.jar, but it contains only CertificateAuthority
> class:
>
> jar tf /usr/share/java/pki/pki-ca.jar |grep "CertificateAuthority"
> com/netscape/ca/CertificateAuthority.class
>
> Thanks
>
> Marco
>

As you guessed, something went awry during the upgrade process - specifically: the following upgrade scriptlet was not executed for some reason:

/usr/share/pki/server/upgrade/10.1.99/04-ReplaceRESTEasyApplicationClass

Perhaps it was not the only one. Run `pki-server-upgrade' manually, as root, and see if that fixes it.
If not, let us spend some time off-list examining the state of your PKI deployment and what needs to be done to fix it up.

Cheers,
Fraser

From richard.harmonson at gmail.com Wed Oct 5 01:10:40 2016
From: richard.harmonson at gmail.com (Richard Harmonson)
Date: Tue, 4 Oct 2016 18:10:40 -0700
Subject: [Freeipa-users] DNS ceases on both Master & Replica after several days
Message-ID:

>
> On 10/04/2016 06:25 AM, Richard Harmonson wrote:
> > After successful installation and use of DNS with forwarding first on a
> > Master and Replica, several days pass then it stops. Using 'ipactl
> > status' shows named service stopped. Using 'ipactl restart' services,
> > DNS is running but stops again several days later. Rinse and repeat.
> >
> > All other services show running with using 'ipactl status.' Interesting,
> > both the Master and Replica fail. It is never just one.
> >
> > Suggestions on where to begin looking? and how?
> >
> >
> There should be some information in the journal log. Try to issue
> `journalctl -u named-pkcs11.service` and look into the output for errors.
>
> --
> Martin^3 Babinsky
>

Very helpful, Martin. Thank you.

I found several of the following in the journal. I believe they fall within a time period that is consistent with my observations.

Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: configuring command channel from '/etc/rndc.key'
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: configuring command channel from '/etc/rndc.key'
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: reloading configuration succeeded
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: reloading zones succeeded
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: zt.c:186: REQUIRE(ztp != ((void *)0) && *ztp == ((void *)0)) failed, back trace
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #0 0x5576112a8110 in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #1 0x7fde02d93c4a in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #2 0x7fde0316ff22 in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #3 0x7fddfb1462ba in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #4 0x7fddfb1464b0 in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #5 0x7fddfb146604 in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #6 0x7fde02db690c in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #7 0x7fde00ee25ca in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #8 0x7fddfff5cf6d in ??
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: exiting (due to assertion failure)
Oct 02 03:21:02 ds1.mydomain.net systemd[1]: Reloaded Berkeley Internet Name Domai
Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: exiting (due to assertion failure)

From mbasti at redhat.com Wed Oct 5 06:59:40 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 5 Oct 2016 08:59:40 +0200
Subject: [Freeipa-users] DNS ceases on both Master & Replica after several days
In-Reply-To:
References:
Message-ID: <4763acf7-c86b-c09d-641b-44000e4cb02a@redhat.com>

On 05.10.2016 03:10, Richard Harmonson wrote:
>
> On 10/04/2016 06:25 AM, Richard Harmonson wrote:
> > After successful installation and use of DNS with forwarding
> first on a
> > Master and Replica, several days pass then it stops. Using 'ipactl
> > status' shows named service stopped. Using 'ipactl restart'
> services,
> > DNS is running but stops again several days later. Rinse and repeat.
> >
> > All other services show running with using 'ipactl status.'
> Interesting,
> > both the Master and Replica fail. It is never just one.
> >
> > Suggestions on where to begin looking? and how?
> >
> >
> There should be some information in the journal log. Try to issue
> `journalctl -u named-pkcs11.service` and look into the output for
> errors.
>
> --
> Martin^3 Babinsky
>
>
> Very helpful, Martin. Thank you.
>
> I found several of the following in the journal. I believe they fall within
> a time period that is consistent with my observations.
>
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: configuring command channel from '/etc/rndc.key'
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: configuring command channel from '/etc/rndc.key'
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: reloading configuration succeeded
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: reloading zones succeeded
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: zt.c:186: REQUIRE(ztp != ((void *)0) && *ztp == ((void *)0)) failed, back trace
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #0 0x5576112a8110 in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #1 0x7fde02d93c4a in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #2 0x7fde0316ff22 in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #3 0x7fddfb1462ba in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #4 0x7fddfb1464b0 in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #5 0x7fddfb146604 in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #6 0x7fde02db690c in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #7 0x7fde00ee25ca in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #8 0x7fddfff5cf6d in ??
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: exiting (due to assertion failure)
> Oct 02 03:21:02 ds1.mydomain.net systemd[1]: Reloaded Berkeley Internet Name Domai
> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: exiting (due to assertion failure)
>
>

Hello,

what is your IPA version?

Do you have coredump? We need backtrace
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Debugging/Coredump

Martin^2
From pspacek at redhat.com Wed Oct 5 08:07:02 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 5 Oct 2016 10:07:02 +0200
Subject: [Freeipa-users] DNS ceases on both Master & Replica after several days
In-Reply-To: <4763acf7-c86b-c09d-641b-44000e4cb02a@redhat.com>
References: <4763acf7-c86b-c09d-641b-44000e4cb02a@redhat.com>
Message-ID: <76d24cb4-07bb-f344-d026-bd7d0e276c6c@redhat.com>

On 5.10.2016 08:59, Martin Basti wrote:
>
>
> On 05.10.2016 03:10, Richard Harmonson wrote:
>>
>> On 10/04/2016 06:25 AM, Richard Harmonson wrote:
>> > After successful installation and use of DNS with forwarding
>> first on a
>> > Master and Replica, several days pass then it stops. Using 'ipactl
>> > status' shows named service stopped. Using 'ipactl restart'
>> services,
>> > DNS is running but stops again several days later. Rinse and repeat.
>> >
>> > All other services show running with using 'ipactl status.'
>> Interesting,
>> > both the Master and Replica fail. It is never just one.
>> >
>> > Suggestions on where to begin looking? and how?
>> >
>> >
>>
>> There should be some information in the journal log. Try to issue
>> `journalctl -u named-pkcs11.service` and look into the output for
>> errors.
>>
>> --
>> Martin^3 Babinsky
>>
>>
>> Very helpful, Martin. Thank you.
>>
>> I found several of the following in the journal. I believe they fall within a
>> time period that is consistent with my observations.
>>
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: configuring command channel from '/etc/rndc.key'
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: configuring command channel from '/etc/rndc.key'
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: reloading configuration succeeded
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: reloading zones succeeded
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: zt.c:186: REQUIRE(ztp != ((void *)0) && *ztp == ((void *)0)) failed, back trace
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #0 0x5576112a8110 in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #1 0x7fde02d93c4a in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #2 0x7fde0316ff22 in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #3 0x7fddfb1462ba in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #4 0x7fddfb1464b0 in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #5 0x7fddfb146604 in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #6 0x7fde02db690c in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #7 0x7fde00ee25ca in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: #8 0x7fddfff5cf6d in ??
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: exiting (due to assertion failure)
>> Oct 02 03:21:02 ds1.mydomain.net systemd[1]: Reloaded Berkeley Internet Name Domai
>> Oct 02 03:21:02 ds1.mydomain.net named-pkcs11[3300]: exiting (due to assertion failure)
>>
>>
>>
>>
>
> Hello,
>
> what is your IPA version?
>
> Do you have coredump? We need backtrace
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Debugging/Coredump

In short, this is likely fixed in bind-dyndb-ldap 10.1. Please upgrade.
https://bugzilla.redhat.com/show_bug.cgi?id=1362162#c6

--
Petr^2 Spacek

From deepak_dimri at hotmail.com Wed Oct 5 09:16:15 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Wed, 5 Oct 2016 09:16:15 +0000
Subject: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud
Message-ID:

Hi All,

I want to understand if there are any best practices wrt FreeIPA Server deployment in Public vis a vis Private cloud. Let's assume a case that most IPA Clients are hosted in private clouds at multiple data centers or across AWS VPCs. In this situation hosting of freeIPA in the public cloud I reckon would be an easier approach (clients can connect over the internet). The other option would be to host FreeIPA Server in private cloud, which would be more secure, but then you need to make changes in your network/FW settings across private clouds.

Are there any major security concerns if FreeIPA is deployed in public cloud? Any examples of freeIPA running in public cloud in production?

Many Thanks,
Deepak

From desantis at mail.usf.edu Wed Oct 5 13:07:42 2016
From: desantis at mail.usf.edu (John Desantis)
Date: Wed, 5 Oct 2016 09:07:42 -0400
Subject: [Freeipa-users] Question about removed replica, take two
Message-ID:

Hello all (again),

I think my reference to a disease prevented my message from being delivered, despite seeing it posted on the list archive. I apologize in advance for the additional "noise".

Anyways, I was hoping some lingering questions could be answered regarding some visible entries via ldapsearch, which manifest a removed replica's hostname [1].
Running the ipa-replica-manage and ipa-csreplica-manage commands do not show the host in question any longer, but when I run a few directory searches on each replica using the commands below:

# ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica
# ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement

I'm able to see the old host on the master, but not on the replicas. See below.

# master, replica id 4:
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
nsDS5ReplicaBindDN: krbprincipalname=ldap/oldhost.dom.dom.dom at DOM.DOM.DOM,cn=services,cn=accounts,dc=dom,dc=dom,dc=dom

ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost
nsds50ruv: {replica 24 ldap://oldhost.dom.dom.dom:389} 5447f252000000180000 5447f861000000180000
nsruvReplicaLastModified: {replica 24 ldap://oldhost.dom.dom.dom:389} 00000000
nsds50ruv: {replica 24 ldap://oldhost.dom.dom.dom:389} 5447f252000000180000 5447f56b000200180000
nsruvReplicaLastModified: {replica 24 ldap://oldhost.dom.dom.dom:389} 00000000

It's listed twice due to the other hosts in the topology.

# replica id 22
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost

# replica id 21
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost

The other two replicas no longer have the reference to the old host after the CLEANALLRUV and CLEANRUV tasks performed by ldapmodify. I then read via [2] that the dse.ldif could be manually edited to remove references, but I'm not sure if that should be done if the general opinion is that the old references aren't going to cause a problem.

Based upon the information above, is having a reference to the old host via the ldapsearch outputs above going to be a problem? If the entry shouldn't be there, should the ldapmodify be performed against the "cn=meTomaster.dom.dom.dom,cn=replica,cn=dc\3Ddom\2Cdc\3Ddom\2Cdc\3Ddom,cn=mapping tree,cn=config" bases?

For reference, these are the commands I ran to get to state [1]:

# master
ldapmodify -x -W -h localhost -D "cn=directory manager" <

Hi folks,

Working on a hairy multiple AD Forest integration issue in AWS and would appreciate a sanity check - I've been wrong so many times about IPA setup and navigating transitive AD trusts so many times I figured it was time to ask questions first before falling on my face again, heh.

After reading the documentation we ended up getting a new domain name to run our IPA server on -- seemed easier than creating and delegating a subdomain off of the primary AD server.
This is what we have:

AD Forest #1: company-test.org
AD Forest #2: company-aws.org
IPA Server : company-ipa.org

The IPA server at company-ipa.org has successfully created 1-way trusts to the AD servers for company-test.org and company-aws.org

I'm at the point now where I'm ready to try installing IPA clients and have a simple sanity check question:

##
Can I launch a server in AWS with a hostname of "test.company-aws.org" yet bind it to my IPA server at "ipa.company-ipa.org" so it can manage users etc. ?
##

I was thinking of a command like:

# ipa-client-install \
  --domain company-aws.org \
  --server ipa.company-ipa.org \
  --realm COMPANY-AWS.ORG

Would appreciate a quick sanity check on if this is possible or supported. The ipa-client-install command is failing ("cant verify that server is an IPA server ...") but I'm not sure if it's because I've got a config / DNS / port problem or if I'm (once again) trying to do something stupid with IPA ...

Regards,
Chris

From abokovoy at redhat.com Wed Oct 5 14:13:54 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Oct 2016 17:13:54 +0300
Subject: [Freeipa-users] Novice question: can client hostname be in a different DNS domain than the IPA service?
In-Reply-To: <57F50802.3030501@sonsorol.org>
References: <57F50802.3030501@sonsorol.org>
Message-ID: <20161005141354.iys2t7oj4dkih2st@redhat.com>

On ke, 05 loka 2016, Chris Dagdigian wrote:
>
>Hi folks,
>
>Working on a hairy multiple AD Forest integration issue in AWS and
>would appreciate a sanity check - I've been wrong so many times about
>IPA setup and navigating transitive AD trusts so many times I figured
>it was time to ask questions first before falling on my face again,
>heh.
>
>After reading the documentation we ended up getting a new domain name
>to run our IPA server on -- seemed easier than creating and delegating
>a subdomain off of the primary AD server.
>
>This is what we have:
>
>AD Forest #1: company-test.org
>AD Forest #2: company-aws.org
>IPA Server : company-ipa.org
>
>The IPA server at company-ipa.org has successfully created 1-way
>trusts to the AD servers for company-test.org and company-aws.org
>
>I'm at the point now where I'm ready to try installing IPA clients and
>have a simple sanity check question:
>
>##
>Can I launch a server in AWS with a hostname of "test.company-aws.org"
>yet bind it to my IPA server at "ipa.company-ipa.org" so it can manage
>users etc. ?
>##
>
>I was thinking of a command like:
>
># ipa-client-install \
>  --domain company-aws.org \
>  --server ipa.company-ipa.org \
>  --realm COMPANY-AWS.ORG
>
>Would appreciate a quick sanity check on if this is possible or
>supported. The ipa-client-install command is failing ("cant verify
>that server is an IPA server ...") but I'm not sure if it's because
>I've got a config / DNS / port problem or if I'm (once again) trying
>to do something stupid with IPA ...

You need to read this:
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
to understand all limitations and problems.

This is technical description.

For higher level, see
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

--
/ Alexander Bokovoy

From dag at sonsorol.org Wed Oct 5 14:36:21 2016
From: dag at sonsorol.org (Chris Dagdigian)
Date: Wed, 05 Oct 2016 10:36:21 -0400
Subject: [Freeipa-users] Novice question: can client hostname be in a different DNS domain than the IPA service?
In-Reply-To: <20161005141354.iys2t7oj4dkih2st@redhat.com>
References: <57F50802.3030501@sonsorol.org> <20161005141354.iys2t7oj4dkih2st@redhat.com>
Message-ID: <57F50FE5.3000707@sonsorol.org>

Alexander Bokovoy wrote:
> You need to read this:
> http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
> to understand all limitations and problems.
>
> This is technical description.
> For higher level, see
> http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

Thank you very much! Greatly appreciate the fast and useful responses on this list -- the archive has been a huge help along with the RedHat IDM documentation.

My primary use case is SSH login for users with credentials coming from multiple AD Forests so it looks like I'm going down the path of "Option 3 - Use Indirect Integration with IdM" as referenced in the http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/ blog posting -- seems like we lose quite a bit of Kerberos SSO features but for now I'm OK with that.

This is Free-IPA at the moment but will be migrated to RHEL-IDM if successful.

Regards,
Chris

From lkrispen at redhat.com Wed Oct 5 14:43:12 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 05 Oct 2016 16:43:12 +0200
Subject: [Freeipa-users] Question about removed replica, take two
In-Reply-To:
References:
Message-ID: <57F51180.9040703@redhat.com>

Hi,

the RUV in the replication agreement is maintained to control changelog trimming, no changes should be deleted from the changelog which have not been seen by all consumers. Since not always a connection for a replication agreement can be established, eg if the consumer is down, this information is made persistent and kept in the replication agreement.

So, if you have references to removed servers in the agreement this should do no harm since the changes have already been removed from the changelog during cleanallruv.

The only scenario a problem could arise is if you reinstall a replica on one of the removed with a new replica ID, then you could end up with two replica ids with the same url and get the attrlist_replace errors.
The removal of the replica id from the replication agreement RUV is noe handled by cleanallruv (upstream ticket #48414), but you can edit the dse.ldif and remove them manually Regards, Ludwig On 10/05/2016 03:07 PM, John Desantis wrote: > Hello all (again), > > I think my reference to a disease prevented my message from being > delivered, despite seeing it posted on the list archive. I apologize > in advance for the additional "noise". > > Anyways, I was hoping some lingering questions could be answered > regarding some visible entries via ldapsearch, which manifest a > removed replica's hostname [1]. > > Running the ipa-replica-manage and ipa-csreplica-manage commands do > not show the host in question any longer, but when I run a few > directory searches on each replica using the commands below: > > # ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory > manager" -b "cn=config" objectclass=nsds5replica > # ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory > manager" -b "cn=config" objectclass=nsds5replicationagreement > > I'm able to see the old host on the master, but not on the replicas. See below. 
>
> # master, replica id 4:
> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
> nsDS5ReplicaBindDN: krbprincipalname=ldap/oldhost.dom.dom.dom@DOM.DOM.DOM,cn=services,cn=accounts,dc=dom,dc=dom,dc=dom
>
> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost
> nsds50ruv: {replica 24 ldap://oldhost.dom.dom.dom:389} 5447f252000000180000 5447f861000000180000
> nsruvReplicaLastModified: {replica 24 ldap://oldhost.dom.dom.dom:389} 00000000
> nsds50ruv: {replica 24 ldap://oldhost.dom.dom.dom:389} 5447f252000000180000 5447f56b000200180000
> nsruvReplicaLastModified: {replica 24 ldap://oldhost.dom.dom.dom:389} 00000000
>
> It's listed twice due to the other hosts in the topology.
>
> # replica id 22
> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost
>
> # replica id 21
> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost
>
> The other two replicas no longer have the reference to the old host
> after the CLEANALLRUV and CLEANRUV tasks performed by ldapmodify. I
> then read via [2] that the dse.ldif could be manually edited to remove
> references, but I'm not sure if that should be done if the general
> opinion is that the old references aren't going to cause a problem.
> Based upon the information above, is having a reference to the old
> host via the ldapsearch outputs above going to be a problem?
> If the
> entry shouldn't be there, should the ldapmodify be performed against
> the "cn=meTomaster.dom.dom.dom,cn=replica,cn=dc\3Ddom\2Cdc\3Ddom\2Cdc\3Ddom,cn=mapping tree,cn=config" bases?
>
> For reference, these are the commands I ran to get to state [1]:
>
> # master
> ldapmodify -x -W -h localhost -D "cn=directory manager" <<EOF
> dn: cn=replica,cn=dc\3Ddom\2Cdc\3Ddom\2Cdc\3Ddom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task: CLEANALLRUV24
> EOF
>
> ldapmodify -a -x -W -h localhost -D "cn=directory manager" <<EOF
> dn: cn=abort 24,cn=abort cleanallruv,cn=tasks,cn=config
> objectclass: extensibleObject
> cn: abort 24
> replica-base-dn: dc=dom,dc=dom,dc=dom
> replica-id: 24
> EOF
>
> ldapmodify -h localhost -p 389 -x -W -D "cn=directory manager" <<EOF
> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> replica-base-dn: dc=dom,dc=dom,dc=dom
> replica-id: 97
> cn: clean 97
> EOF
>
> # single host which hung on CLEANALLRUV
> ldapmodify -a -x -W -h localhost -D "cn=directory manager" <<EOF
> dn: cn=replica,cn=dc\3Ddom\2Cdc\3Ddom\2Cdc\3Ddom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task: CLEANRUV24
> EOF
>
>
> [1] https://www.redhat.com/archives/freeipa-users/2016-August/msg00331.html
> [2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00382.html
>
> Thanks!
> John DeSantis
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From desantis at mail.usf.edu Wed Oct 5 18:34:09 2016
From: desantis at mail.usf.edu (John Desantis)
Date: Wed, 5 Oct 2016 14:34:09 -0400
Subject: [Freeipa-users] Question about removed replica, take two
In-Reply-To: <57F51180.9040703@redhat.com>
References: <57F51180.9040703@redhat.com>
Message-ID:

Ludwig,

Thank you!
John DeSantis

2016-10-05 10:43 GMT-04:00 Ludwig Krispenz:
> Hi,
>
> the RUV in the replication agreement is maintained to control changelog
> trimming; no changes should be deleted from the changelog which have not
> been seen by all consumers. Since a connection for a replication
> agreement cannot always be established, e.g. if the consumer is down, this information
> is made persistent and kept in the replication agreement.
> So, if you have references to removed servers in the agreement this should
> do no harm, since the changes have already been removed from the changelog
> during cleanallruv.
> The only scenario where a problem could arise is if you reinstall a replica on one
> of the removed servers with a new replica ID; then you could end up with two replica
> IDs with the same URL and get the attrlist_replace errors.
>
> The removal of the replica id from the replication agreement RUV is now
> handled by cleanallruv (upstream ticket #48414), but you can edit the
> dse.ldif and remove them manually.
>
> Regards,
> Ludwig
>
>
> On 10/05/2016 03:07 PM, John Desantis wrote:
>>
>> Hello all (again),
>>
>> I think my reference to a disease prevented my message from being
>> delivered, despite seeing it posted on the list archive. I apologize
>> in advance for the additional "noise".
>>
>> Anyways, I was hoping some lingering questions could be answered
>> regarding some visible entries via ldapsearch, which manifest a
>> removed replica's hostname [1].
>>
>> Running the ipa-replica-manage and ipa-csreplica-manage commands do
>> not show the host in question any longer, but when I run a few
>> directory searches on each replica using the commands below:
>>
>> # ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica
>> # ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement
>>
>> I'm able to see the old host on the master, but not on the replicas. See
>> below.
>>
>> # master, replica id 4:
>> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
>> nsDS5ReplicaBindDN: krbprincipalname=ldap/oldhost.dom.dom.dom@DOM.DOM.DOM,cn=services,cn=accounts,dc=dom,dc=dom,dc=dom
>>
>> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost
>> nsds50ruv: {replica 24 ldap://oldhost.dom.dom.dom:389} 5447f252000000180000 5447f861000000180000
>> nsruvReplicaLastModified: {replica 24 ldap://oldhost.dom.dom.dom:389} 00000000
>> nsds50ruv: {replica 24 ldap://oldhost.dom.dom.dom:389} 5447f252000000180000 5447f56b000200180000
>> nsruvReplicaLastModified: {replica 24 ldap://oldhost.dom.dom.dom:389} 00000000
>>
>> It's listed twice due to the other hosts in the topology.
>>
>> # replica id 22
>> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
>> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost
>>
>> # replica id 21
>> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replica|grep oldhost
>> ldapsearch -Y GSSAPI -o ldif-wrap=no -h localhost -D "cn=directory manager" -b "cn=config" objectclass=nsds5replicationagreement|grep oldhost
>>
>> The other two replicas no longer have the reference to the old host
>> after the CLEANALLRUV and CLEANRUV tasks performed by ldapmodify. I
>> then read via [2] that the dse.ldif could be manually edited to remove
>> references, but I'm not sure if that should be done if the general
>> opinion is that the old references aren't going to cause a problem.
>> Based upon the information above, is having a reference to the old
>> host via the ldapsearch outputs above going to be a problem? If the
>> entry shouldn't be there, should the ldapmodify be performed against
>> the "cn=meTomaster.dom.dom.dom,cn=replica,cn=dc\3Ddom\2Cdc\3Ddom\2Cdc\3Ddom,cn=mapping tree,cn=config" bases?
>>
>> For reference, these are the commands I ran to get to state [1]:
>>
>> # master
>> ldapmodify -x -W -h localhost -D "cn=directory manager" <<EOF
>> dn: cn=replica,cn=dc\3Ddom\2Cdc\3Ddom\2Cdc\3Ddom,cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5task
>> nsds5task: CLEANALLRUV24
>> EOF
>>
>> ldapmodify -a -x -W -h localhost -D "cn=directory manager" <<EOF
>> dn: cn=abort 24,cn=abort cleanallruv,cn=tasks,cn=config
>> objectclass: extensibleObject
>> cn: abort 24
>> replica-base-dn: dc=dom,dc=dom,dc=dom
>> replica-id: 24
>> EOF
>>
>> ldapmodify -h localhost -p 389 -x -W -D "cn=directory manager" <<EOF
>> dn: cn=clean 97,cn=cleanallruv,cn=tasks,cn=config
>> changetype: add
>> objectclass: top
>> objectclass: extensibleObject
>> replica-base-dn: dc=dom,dc=dom,dc=dom
>> replica-id: 97
>> cn: clean 97
>> EOF
>>
>> # single host which hung on CLEANALLRUV
>> ldapmodify -a -x -W -h localhost -D "cn=directory manager" <<EOF
>> dn: cn=replica,cn=dc\3Ddom\2Cdc\3Ddom\2Cdc\3Ddom,cn=mapping tree,cn=config
>> changetype: modify
>> replace: nsds5task
>> nsds5task: CLEANRUV24
>> EOF
>>
>>
>> [1] https://www.redhat.com/archives/freeipa-users/2016-August/msg00331.html
>> [2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00382.html
>>
>> Thanks!
>> John DeSantis
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From dag at sonsorol.org Wed Oct 5 18:46:21 2016
From: dag at sonsorol.org (Chris Dagdigian)
Date: Wed, 05 Oct 2016 14:46:21 -0400
Subject: [Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
Message-ID: <57F54A7D.20201@sonsorol.org>

Hello again,

Following up on an earlier query about configuring IPA clients that are in different DNS domains than the IPA server domain & realm.

This is our setup:

AD Servers & IPA:
------------------------
AD Forest #1: company-test.org
AD Forest #2: company-aws.org
IPA Server : company-ipa.org

I don't really need Kerberos or Kerberized SSO -- I really just want to get SSH logins via passwords working before moving on to SSH keys - my understanding of the way I'm configuring things basically breaks Kerberos but should allow other user and authentication services to work.

Client Machine:
------------------
Hostname: client.company-aws.org

I was able to configure a client in the domain 'company-aws.org' by abusing the ipa-client-install command:

  $ client.company-aws.org> # ipa-client-install --server ipa.company-ipa.org --domain company-ipa.com

Barring the usual warnings about losing autodiscover based failover, the above command actually worked and took me pretty far. I can launch an AWS host and give it the standard "company-aws.org" hostname but still bind it explicitly to an IPA server running in a different DNS domain and realm.
The nice thing is that it appears that everything but SSH w/ passwords is working on the client machine with the different DNS domain name:

  # id user@company-test.org              works
  # id user@company-aws.org               works
  # id                                    works
  # getent passwd user@company-test.org   works
  # getent passwd user@company-aws.org    works
  # getent passwd                         works
  # su - user@company-test.org            works
  # su - user@company-aws.org             works
  # su -                                  works

What fails are things like:

  $ ssh localhost -l user@company-aws.org

The client sees a standard "Permission Denied, please try again" error.

On the client host I mainly see this in /var/log/messages:

  client.company-aws.org: [sssd[krb5_child[2311]]]: Cannot find KDC for realm "COMPANY-AWS.ORG"

I'm hesitant to make significant changes for fear of breaking the fact that my client can actually resolve users and passwords! I'm incredibly happy to even have the basic identities being recognized.

The problem with configuring SSH for password logins seems like it could be somewhere in krb5.conf, ssh_config, sshd_config, sssd.conf or even down in the PAM configuration, and I'm not really sure where to start troubleshooting "just SSH" when everything else seems to be working OK.

Any tips, tricks or URLs for configuring the local SSH client on IPA clients would be appreciated. I suspect I'm a victim of either a dumb mistake or something that needs a manual tweak after doing an IPA client install where the client hostname is different from the IPA domain and realm.
Can provide config files and logs but did not want to spam a huge message in case there was a simple set of things I should be looking at.

-Chris

From abokovoy at redhat.com Wed Oct 5 18:53:24 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Oct 2016 21:53:24 +0300
Subject: [Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
In-Reply-To: <57F54A7D.20201@sonsorol.org>
References: <57F54A7D.20201@sonsorol.org>
Message-ID: <20161005185324.adpsrm44gbebkhu2@redhat.com>

On Wed, 05 Oct 2016, Chris Dagdigian wrote:
>Hello again,
>
>Following up on an earlier query about configuring IPA clients that are
>in different DNS domains than the IPA server domain & realm
>
>This is our setup:
>
>AD Servers & IPA:
>------------------------
>AD Forest #1: company-test.org
>AD Forest #2: company-aws.org
>IPA Server : company-ipa.org
>
>I don't really need Kerberos or Kerberized SSO -- I really just want
>to get SSH logins via passwords working before moving on to SSH keys -
>my understanding of the way I'm configuring things basically breaks
>Kerberos but should allow other user and authentication services to
>work.
>
>Client Machine:
>------------------
>Hostname: client.company-aws.org
>
>I was able to configure a client in the domain 'company-aws.org' by
>abusing the ipa-client-install command:
>
>$ client.company-aws.org> # ipa-client-install --server
>ipa.company-ipa.org --domain company-ipa.com
>
>Barring the usual warnings about losing autodiscover based failover
>the above command actually worked and took me pretty far. I can launch
>an AWS host and give it the standard "company-aws.org" hostname but
>still bind it explicitly to an IPA server running in a different DNS
>domain and realm.
>
>The nice thing is that it appears that everything but SSH w/ passwords
>is working on the client machine with the different DNS domain name
>
>  # id user@company-test.org              works
>  # id user@company-aws.org               works
>  # id                                    works
>  # getent passwd user@company-test.org   works
>  # getent passwd user@company-aws.org    works
>  # getent passwd                         works
>  # su - user@company-test.org            works
>  # su - user@company-aws.org             works
>  # su -                                  works
>
>
>What fails are things like:
>
>  $ ssh localhost -l user@company-aws.org
>
>The client sees a standard "Permission Denied, please try again" error
>
>On the client host I mainly see this in /var/log/messages:
>
>  client.company-aws.org: [sssd[krb5_child[2311]]]: Cannot find KDC for realm "COMPANY-AWS.ORG"
>
>I'm hesitant to make significant changes for fear of breaking the fact
>that my client can actually resolve users and passwords! I'm
>incredibly happy to even have the basic identities being recognized.

As http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain explains, you need to have proper mapping of domains to realms and have proper definitions for those realms.

We don't see your krb5.conf, so if it deviates from what the wiki describes, you need to be explicit in your details.

-- 
/ Alexander Bokovoy

From dag at sonsorol.org Wed Oct 5 19:14:14 2016
From: dag at sonsorol.org (Chris Dagdigian)
Date: Wed, 05 Oct 2016 15:14:14 -0400
Subject: [Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
In-Reply-To: <20161005185324.adpsrm44gbebkhu2@redhat.com>
References: <57F54A7D.20201@sonsorol.org> <20161005185324.adpsrm44gbebkhu2@redhat.com>
Message-ID: <57F55106.2040702@sonsorol.org>

Alexander Bokovoy wrote:
> As
> http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
> explains, you need to have proper mapping of domains to realms and have
> proper definitions for those realms.
>
> We don't see your krb5.conf, so if it deviates from what the wiki
> describes, you need to be explicit in your details.

Much appreciated. Here is the krb5.conf file -- I commented out the Include line for /var/lib/sss/pubconf/krb5.include.d/ and brought that data into the /etc/krb5.conf file so I only had a single file and set of settings to look at:

Regards,
Chris

#File modified by ipa-client-install
#includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = COMPANY-IDM.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  COMPANY-IDM.ORG = {
    kdc = usaeilidmp001.COMPANY-IDM.org:88
    master_kdc = usaeilidmp001.COMPANY-IDM.org:88
    admin_server = usaeilidmp001.COMPANY-IDM.org:749
    default_domain = COMPANY-IDM.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .COMPANY-IDM.org = COMPANY-IDM.ORG
  COMPANY-IDM.org = COMPANY-IDM.ORG
  .company-aws.org = COMPANY-IDM.ORG
  company-aws.org = COMPANY-IDM.ORG
  .company-test.org = COMPANY-IDM.ORG
  company-test.org = COMPANY-IDM.ORG

[capaths]
  company-aws.org = {
    COMPANY-IDM.ORG = company-aws.org
  }
  COMPANY-IDM.ORG = {
    company-aws.org = company-aws.org
  }
  company-test.org = {
    COMPANY-IDM.ORG = company-test.org
  }
  COMPANY-IDM.ORG = {
    company-test.org = company-test.org
  }

From abokovoy at redhat.com Wed Oct 5 19:30:32 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 5 Oct 2016 22:30:32 +0300
Subject: [Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
In-Reply-To: <57F55106.2040702@sonsorol.org>
References: <57F54A7D.20201@sonsorol.org> <20161005185324.adpsrm44gbebkhu2@redhat.com> <57F55106.2040702@sonsorol.org>
Message-ID: <20161005193032.rbefrokoynm56zoy@redhat.com>

On Wed, 05 Oct 2016, Chris Dagdigian wrote:
>
>Alexander Bokovoy wrote:
>>As http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
>>explains, you need to have proper mapping of domains to realms and have
>>proper definitions for those realms.
>>
>>We don't see your krb5.conf, so if it deviates from what the wiki
>>describes, you need to be explicit in your details.
>Much appreciated. Here is the krb5.conf file -- I commented out the
>Include line for /var/lib/sss/pubconf/krb5.include.d/ and brought that
>data into the /etc/krb5.conf file so I only had a single file and set
>of settings to look at:

You don't have an explicit definition for the AD realms and you don't allow Kerberos to discover either the realms or their KDCs via DNS SRV records.

The latter happened because you have used the --server option when configuring the client -- the man page for ipa-client-install has a section explaining discovery and the influence of options on it.

That's your problem. It also reveals that your reading of the wiki was cursory, but that's another problem. :)

-- 
/ Alexander Bokovoy

From dag at sonsorol.org Wed Oct 5 20:12:51 2016
From: dag at sonsorol.org (Chris Dagdigian)
Date: Wed, 05 Oct 2016 16:12:51 -0400
Subject: [Freeipa-users] Debugging SSH password-based authentication when IPA client is in a different DNS domain
In-Reply-To: <20161005193032.rbefrokoynm56zoy@redhat.com>
References: <57F54A7D.20201@sonsorol.org> <20161005185324.adpsrm44gbebkhu2@redhat.com> <57F55106.2040702@sonsorol.org> <20161005193032.rbefrokoynm56zoy@redhat.com>
Message-ID: <57F55EC3.7050706@sonsorol.org>

Alexander Bokovoy wrote:
> you don't have an explicit definition for the AD realms and you don't allow
> Kerberos to discover either the realms or their KDCs via DNS SRV records.
>
> The latter happened because you have used the --server option when
> configuring the client -- the man page for ipa-client-install has a section
> explaining discovery and the influence of options on it.
>
> That's your problem. It also reveals that your reading of the wiki was
> cursory, but that's another problem.
> :)
>
>

Huge thanks to Alexander Bokovoy for his patient guidance. Following up to close out this thread with a solution that worked for our multi AD forest setup where the client DNS name is different from the IDM/IPA domain/realm.

There were 2 changes needed to /etc/krb5.conf to get password login via SSH working along with everything else ...

Change #1 was simplifying the [domain_realm] settings down to a very tightly scoped config that would allow additional things to be auto discovered via DNS.

Change #2 was setting "dns_lookup_realm = true" and "dns_lookup_kdc = true" in [libdefaults] -- this was the main thing I missed because the wiki page at http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain displays example config with these values already set to true. These settings were actually false in my client's krb5.conf file due to the way I ran the ipa-client-install command. It was my mistake to not carefully compare the full file contents.

So wrapping it all up, this is the /etc/krb5.conf file that enabled password logins via SSH - the other change in the file below is I commented out the includedir file and put those settings into the /etc/krb5.conf file so I could have everything in one place for troubleshooting.
To recap our setup, we have 2 AD Forests and an IDM/IPA server running on its own domain name rather than a subdomain.

AD Servers & IPA:
------------------------
AD Forest #1: company-test.org
AD Forest #2: company-aws.org
IPA Server : company-ipa.org (successful 1-way trusts to company-test.org and company-aws.org)

IPA Client:
Client test hostname: client.company-aws.org

-Chris

####-----------------
#File modified by ipa-client-install
#includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = COMPANY-IDM.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  COMPANY-IDM.ORG = {
    kdc = usaeilidmp001.COMPANY-IDM.org:88
    master_kdc = usaeilidmp001.COMPANY-IDM.org:88
    admin_server = usaeilidmp001.COMPANY-IDM.org:749
    default_domain = COMPANY-IDM.org
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  client.company-aws.org = COMPANY-IDM.ORG

[capaths]
  company-aws.org = {
    COMPANY-IDM.ORG = company-aws.org
  }
  COMPANY-IDM.ORG = {
    company-aws.org = company-aws.org
  }
  company-test.org = {
    COMPANY-IDM.ORG = company-test.org
  }
  COMPANY-IDM.ORG = {
    company-test.org = company-test.org
  }

From pspacek at redhat.com Thu Oct 6 07:33:44 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 6 Oct 2016 09:33:44 +0200
Subject: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud
In-Reply-To:
References:
Message-ID: <84841c8a-8a01-b50b-9d26-b52ec6c3d06e@redhat.com>

On 5.10.2016 11:16, Deepak Dimri wrote:
> Hi All,
>
> I want to understand if there are any best practices wrt FreeIPA Server deployment in Public vis a vis Private cloud. Lets assume a case that most IPA Clients are hosted in private clouds at multiple data centers or across AWS VPCs. In this situation hosting of freeIPA in the public cloud I reckon would be an easier approach (clients can connect over the internet).
> The other option would be to host FreeIPA Server in private cloud, which would be more secure, but then you need to make changes in your network/FW settings across private clouds. Are there any major security concerns if FreeIPA is deployed in public cloud?

Properly configured FreeIPA can run on the public Internet. I would recommend you to read thread https://www.redhat.com/archives/freeipa-users/2014-April/msg00246.html .

> Any examples of freeIPA running in public cloud in production?

Here you go:
https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

-- 
Petr^2 Spacek

From deepak_dimri at hotmail.com Thu Oct 6 12:54:29 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Thu, 6 Oct 2016 12:54:29 +0000
Subject: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud
In-Reply-To: <84841c8a-8a01-b50b-9d26-b52ec6c3d06e@redhat.com>
References: , <84841c8a-8a01-b50b-9d26-b52ec6c3d06e@redhat.com>
Message-ID:

Awesome.. Thanks Petr

I will see if I can get some more pointers on it, and it's great to see the case study. Already loving FreeIPA with such wonderful support from you all!

regards,
Deepak

________________________________
From: freeipa-users-bounces at redhat.com on behalf of Petr Spacek
Sent: Thursday, October 6, 2016 3:33 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud

On 5.10.2016 11:16, Deepak Dimri wrote:
> Hi All,
>
> I want to understand if there are any best practices wrt FreeIPA Server deployment in Public vis a vis Private cloud. Lets assume a case that most IPA Clients are hosted in private clouds at multiple data centers or across AWS VPCs. In this situation hosting of freeIPA in the public cloud I reckon would be an easier approach (clients can connect over the internet).
> The other option would be to host FreeIPA Server in private cloud, which would be more secure, but then you need to make changes in your network/FW settings across private clouds. Are there any major security concerns if FreeIPA is deployed in public cloud?

Properly configured FreeIPA can run on the public Internet. I would recommend you to read thread https://www.redhat.com/archives/freeipa-users/2014-April/msg00246.html .

> Any examples of freeIPA running in public cloud in production?

Here you go:
https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

-- 
Petr^2 Spacek

From alessandro.demaria at gmail.com Thu Oct 6 14:48:10 2016
From: alessandro.demaria at gmail.com (Alessandro De Maria)
Date: Thu, 6 Oct 2016 15:48:10 +0100
Subject: [Freeipa-users] Error looking up public keys
Message-ID:

Hello,

We are moving some of our servers to use 16.04 and for all new installs I have noticed that I am unable to fetch the ssh_authorized keys from the server.

  /usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzzzzzz.com ademaria
  (Thu Oct 6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main] (0x0020): sss_ssh_get_ent() failed (14): Bad address
  Error looking up public keys

This only happens on Ubuntu 16.04. We have a number of 12.04 that work perfectly.
The configuration seems ok or at least matches the one on 12.04.

I increased the debug level on sssd and sss_ssh and this is the output I get:

  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x67b890][18]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x67b890][18]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x67b890][18]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain [prod.zzzzzzz]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [ademaria][prod.zzzzzzz]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'ademaria' matched without domain, user is ademaria
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): using default domain [prod.zzzzzzz]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [ademaria] from [prod.zzzzzzz]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40b850:1:ademaria@prod.zzzzzzz]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [prod.zzzzzzz][0x1][BE_REQ_USER][1][name=ademaria]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0x658390
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40b850:1:ademaria@prod.zzzzzzz]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0x658390
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x65a7b0
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_user_pubkeys_search_next] (0x0400): Requesting SSH user public keys for [ademaria@prod.zzzzzzz]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x666a00
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x666ac0
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Running timer event 0x666a00 "ltdb_callback"
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 0x666ac0 "ltdb_timeout"
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ldb] (0x4000): Ending timer event 0x666a00 "ltdb_callback"
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000): Mssing element, nothing to do.
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x4000): Mssing element, nothing to do.
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040): NSS_InitContext failed [-8015].
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error, killing connection!
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [client_destructor] (0x2000): Terminated client [0x67b890][18]
  (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40b850:1:ademaria@prod.zzzzzzz]
  (Thu Oct 6 15:42:10 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x6566b0
  (Thu Oct 6 15:42:10 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
  (Thu Oct 6 15:42:10 2016) [sssd[ssh]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
  (Thu Oct 6 15:42:10 2016) [sssd[ssh]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
  (Thu Oct 6 15:42:20 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): dbus conn: 0x6566b0
  (Thu Oct 6 15:42:20 2016) [sssd[ssh]] [sbus_dispatch] (0x4000): Dispatching.
  (Thu Oct 6 15:42:20 2016) [sssd[ssh]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
  (Thu Oct 6 15:42:20 2016) [sssd[ssh]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

Could you help me understand what is the issue with it?

Regards
Alessandro

-- 
Alessandro De Maria
alessandro.demaria at gmail.com

From sbose at redhat.com Thu Oct 6 16:06:35 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 6 Oct 2016 18:06:35 +0200
Subject: [Freeipa-users] Error looking up public keys
In-Reply-To:
References:
Message-ID: <20161006160635.GD1843@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
> Hello,
>
> We are moving some of our servers to use 16.04 and for all new installs I
> have noticed that I am unable to fetch the ssh_authorized keys from the
> server.
>
> /usr/bin/sss_ssh_authorizedkeys --debug 10 -d prod.zzzzzzz.com ademaria
> (Thu Oct 6 11:29:59:823635 2016) [/usr/bin/sss_ssh_authorizedkeys] [main]
> (0x0020): sss_ssh_get_ent() failed (14): Bad address
> Error looking up public keys
>
> This only happens on Ubuntu 16.04. We have a number of 12.04 that work
> perfectly.
>
> The configuration seems ok or at least matches the one on 12.04.
> I increased the debug level on sssd and sss_ssh and this is the output I get

...
> (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0040): NSS_InitContext failed [-8015].
> (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
> (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
> (Thu Oct 6 15:42:01 2016) [sssd[ssh]] [ssh_cmd_done] (0x0020): Fatal error, killing connection!

...

Newer versions of SSSD can derive ssh keys from valid X.509 certificates stored in the LDAP entry of the user. Unfortunately it looks like your build of SSSD needs a fix for https://fedorahosted.org/sssd/ticket/2977. Please open a ticket for your distribution to include the patch for this issue which is linked at the end of the ticket.

As a workaround you can set 'ldap_user_certificate = noSuchAttribute' in the [domain/...] section of sssd.conf. This should prevent SSSD from reading the certificate stored in the user entry. After changing sssd.conf you should invalidate the cache by calling 'sss_cache -E' and restart SSSD.

HTH

bye,
Sumit

> Could you help me understand what is the issue with it?
>
> Regards
> Alessandro
>
> --
> Alessandro De Maria
> alessandro.demaria at gmail.com
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From a.stepanenko at gw.spb.ru Thu Oct 6 16:23:32 2016
From: a.stepanenko at gw.spb.ru (Степаненко Алексей)
Date: Thu, 6 Oct 2016 19:23:32 +0300
Subject: [Freeipa-users] FreeIPA and Samba
Message-ID: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru>

Hello.

I've read the topic about FreeIPA and SAMBA
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

If I understand clearly, samba's client must be present in FreeIPA AD.
Unfortunately, it does not work for me. I can't join some work desktops to AD.
Is it possible to make Samba auth through LDAP IPA? Samba has ldap support:

        ldap admin dn
        ldap group suffix
        ldap idmap suffix
        ldap machine suffix
        ldap passwd sync
        ldap suffix
        ldap user suffix

Does it work with IPA?

Thanks.

--
With best regards.

From loris at lgs.com.ve Thu Oct 6 17:31:26 2016
From: loris at lgs.com.ve (Loris Santamaria)
Date: Thu, 06 Oct 2016 13:31:26 -0400
Subject: [Freeipa-users] FreeIPA and Samba
In-Reply-To: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru>
References: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru>
Message-ID: <1475775086.2849.3.camel@lgs.com.ve>

The document you are linking to explains how to configure a samba file server in a freeipa domain, which is one of many ways you can configure and use a samba server.

What do you want to achieve with samba, and what is your current setup?

On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:
> Hello.
>
> I've read the topic about FreeIPA and SAMBA
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> If I understand clearly, samba's client must be present in FreeIPA AD.
> Unfortunately, it does not work for me. I can't join some work desktops
> to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
> ldap support
>
>         ldap admin dn
>         ldap group suffix
>         ldap idmap suffix
>         ldap machine suffix
>         ldap passwd sync
>         ldap suffix
>         ldap user suffix
>
> Does it work with IPA?
>
> Thanks.
> --

--
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.   http://www.lgs.com.ve
Tel: 0286 952.06.87   Cel: 0414 095.00.10   sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford

From michael.rainey.ctr at nrlssc.navy.mil Thu Oct 6 17:44:54 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Thu, 6 Oct 2016 12:44:54 -0500
Subject: [Freeipa-users] Question about an error in the logs.
Message-ID:

Hello,

I've been reviewing an error log for IPA located in /var/log/dirsrv//error. I've noticed there is an error that keeps repeating.

[06/Oct/2016:09:56:03 -0500] attrlist_replace - attr_replace (nsslapd-referral, ldap://kodiak.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:03 -0500] attrlist_replace - attr_replace (nsslapd-referral, ldap://voge.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:03 -0500] attrlist_replace - attr_replace (nsslapd-referral, ldap://voge.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:03 -0500] attrlist_replace - attr_replace (nsslapd-referral, ldap://voge.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:06 -0500] attrlist_replace - attr_replace (nsslapd-referral, ldap://fitch.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:06 -0500] attrlist_replace - attr_replace (nsslapd-referral, ldap://fitch.:389/o%3Dipaca) failed.
[06/Oct/2016:09:56:06 -0500] attrlist_replace - attr_replace (nsslapd-referral, ldap://fitch.:389/o%3Dipaca) failed.

I was wondering if this is a sign of a larger problem. All of my replicas continue to be updated as changes are made and users are able to log into their systems. Everything seems to be fine.

Sincerely,

Scientific Linux 7.2 64-bit
1.13.0-40.el7_2.12

--
Michael Rainey
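The sssd.conf workaround Sumit gives in the "Error looking up public keys" thread above (set ldap_user_certificate = noSuchAttribute in each [domain/...] section, then run sss_cache -E and restart SSSD) is easy to get wrong by hand on hosts that carry several domain sections, and the cert lookup keeps failing if the key lands in the wrong section. The program below is an added example, not code from the thread or from the SSSD project; the sssd.conf contents, domain name and server name in it are constructed placeholders. It rewrites every [domain/...] section so that the key is set exactly once, replacing an existing value in place and appending the key where it is missing, and leaves all other sections and comments untouched.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample sssd.conf (not taken from the thread); the domain
// and server names are placeholders.
const sampleConf = `[sssd]
services = nss, pam, ssh
domains = prod.example.test

[domain/prod.example.test]
id_provider = ipa
ipa_server = _srv_, id1.prod.example.test
# the attribute SSSD reads certificates from; the workaround overrides it
ldap_user_certificate = userCertificate;binary

[ssh]
debug_level = 9
`

const certKey = "ldap_user_certificate"
const workaroundLine = certKey + " = noSuchAttribute"

// addWorkaround returns conf with "ldap_user_certificate = noSuchAttribute"
// set in every [domain/...] section: an existing setting is replaced in
// place, a missing one is appended at the end of the section (before the
// blank lines that separate it from the next section). Other sections,
// comments and line order are left untouched.
func addWorkaround(conf string) string {
	lines := strings.Split(conf, "\n")
	out := make([]string, 0, len(lines)+4)
	inDomain, done := false, false

	// closeSection appends the workaround to the domain section that just
	// ended if that section did not already contain the key.
	closeSection := func() {
		if !inDomain || done {
			return
		}
		i := len(out)
		for i > 0 && strings.TrimSpace(out[i-1]) == "" {
			i--
		}
		tail := append([]string{workaroundLine}, out[i:]...)
		out = append(out[:i], tail...)
	}

	for _, l := range lines {
		t := strings.TrimSpace(l)
		if strings.HasPrefix(t, "[") && strings.HasSuffix(t, "]") {
			closeSection()
			inDomain = strings.HasPrefix(t, "[domain/")
			done = false
			out = append(out, l)
			continue
		}
		if inDomain && !strings.HasPrefix(t, "#") && !strings.HasPrefix(t, ";") {
			kv := strings.SplitN(t, "=", 2)
			if len(kv) == 2 && strings.TrimSpace(kv[0]) == certKey {
				out = append(out, workaroundLine) // replace in place
				done = true
				continue
			}
		}
		out = append(out, l)
	}
	closeSection()
	return strings.Join(out, "\n")
}

// domainSections lists the [domain/...] section names in conf, which is
// useful for confirming that every IPA domain on the host was covered.
func domainSections(conf string) []string {
	var names []string
	for _, l := range strings.Split(conf, "\n") {
		t := strings.TrimSpace(l)
		if strings.HasPrefix(t, "[domain/") && strings.HasSuffix(t, "]") {
			names = append(names, strings.TrimSuffix(strings.TrimPrefix(t, "[domain/"), "]"))
		}
	}
	return names
}

func main() {
	fmt.Println("domains:", domainSections(sampleConf))
	fmt.Print(addWorkaround(sampleConf))
}
```

Writing the result back to /etc/sssd/sssd.conf does not touch the cache, so the sss_cache -E and service restart steps from the thread are still needed afterwards; the program only produces the edited file.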
From a.stepanenko at gw.spb.ru Thu Oct 6 20:51:09 2016
From: a.stepanenko at gw.spb.ru (Степаненко Алексей)
Date: Thu, 6 Oct 2016 23:51:09 +0300
Subject: [Freeipa-users] FreeIPA and Samba
In-Reply-To: <1475775086.2849.3.camel@lgs.com.ve>
References: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru> <1475775086.2849.3.camel@lgs.com.ve>
Message-ID:

Thank you for your reply.

I've got a Samba server for a company; accounts are created by hand. Clients are different windows or linux desktops. I want to install FreeIPA and have one area for managing accounts (SMB, SSH access for other servers).

Now I am preparing a clean samba installation for testing. It would be great to use FreeIPA as the authorization server for samba. I was looking for information about samba + freeIPA, but I found only this document. Maybe I am missing obvious things.

06.10.2016 20:31, Loris Santamaria wrote:
> The document you are linking to explains how to configure a samba file
> server in a freeipa domain, which is one of many ways you can configure
> and use a samba server.
>
> What do you want to achieve with samba, and what is your current setup?

--
With best regards,
Степаненко Алексей
Website: http//gw.spb.ru
Tel.: +7 (812) 409-00-90

From alessandro.demaria at gmail.com Thu Oct 6 20:55:30 2016
From: alessandro.demaria at gmail.com (Alessandro De Maria)
Date: Thu, 6 Oct 2016 21:55:30 +0100
Subject: [Freeipa-users] Error looking up public keys
In-Reply-To: <20161006160635.GD1843@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <20161006160635.GD1843@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID:

The workaround worked thank you!

On 6 Oct 2016 5:09 pm, "Sumit Bose" wrote:
> On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote:
> Newer versions of SSSD can derive ssh keys from valid X.509 certificates
> stored in the LDAP entry of the user. Unfortunately it looks like
> your build of SSSD needs a fix for
> https://fedorahosted.org/sssd/ticket/2977. Please open a ticket for your
> distribution to include the patch for this issue which is linked at the
> end of the ticket.
>
> As a workaround you can set 'ldap_user_certificate = noSuchAttribute' in
> the [domain/...] section of sssd.conf. This should prevent SSSD from
> reading the certificate stored in the user entry. After changing
> sssd.conf you should invalidate the cache by calling 'sss_cache -E' and
> restart SSSD.
>
> HTH
>
> bye,
> Sumit

From sbose at redhat.com Fri Oct 7 07:20:23 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 7 Oct 2016 09:20:23 +0200
Subject: [Freeipa-users] Error looking up public keys
In-Reply-To:
References: <20161006160635.GD1843@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20161007072023.GF1843@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Oct 06, 2016 at 09:55:30PM +0100, Alessandro De Maria wrote:
> The workaround worked thank you!

Great, glad I could help.

bye,
Sumit

From alessandro.demaria at gmail.com Fri Oct 7 10:34:30 2016
From: alessandro.demaria at gmail.com (Alessandro De Maria)
Date: Fri, 7 Oct 2016 11:34:30 +0100
Subject: [Freeipa-users] IP SAN in certificates
Message-ID:

Hello,

I am running the following command to create a certificate for etcd

ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt", "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zzzzzz", "-D", "dock07.prod.zzzz", "-A", "10.0.1.67", "-K", "etcd/dock07.prod.zzzz"

ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Subject alt name type IP Address is forbidden).

I believe FreeIPA does not currently support IPs as the SAN of a certificate.

Is this still the case? Is there a workaround?

Regards
Alessandro

--
Alessandro De Maria
alessandro.demaria at gmail.com
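The CA's refusal in the request above ("Subject alt name type IP Address is forbidden") only surfaces after the request has been submitted and certmonger has given up on it. The program below is an added example, not code from the thread or from FreeIPA. It shows how a PKCS#10 request with DNS and IP subject alternative names is built and how to inspect a request for IP-address SANs before it is handed to ipa-getcert, so the rejected request is caught on the client side; the host name and address in it are constructed placeholders. The inspection also verifies the request's self-signature, so a truncated or tampered CSR is reported as an error rather than as "no IP SANs".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
)

// buildCSR creates a PKCS#10 request (DER) for cn with the given DNS and
// IP subject alternative names, signed with a freshly generated P-256 key.
// The key is discarded here because only the request is of interest.
func buildCSR(cn string, dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: cn},
		DNSNames:    dnsNames,
		IPAddresses: ips,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// ipSANs parses a DER request, checks its self-signature and returns the
// IP-address SANs it carries as strings. A non-empty result means the
// FreeIPA CA from the thread will refuse the request ("Subject alt name
// type IP Address is forbidden"), so this is worth running before the
// request is submitted.
func ipSANs(der []byte) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature: %w", err)
	}
	var out []string
	for _, ip := range csr.IPAddresses {
		out = append(out, ip.String())
	}
	return out, nil
}

func main() {
	// Constructed placeholder host and address, not the ones from the thread.
	host := "etcd01.example.test"
	withIP, err := buildCSR(host, []string{host}, []net.IP{net.ParseIP("192.0.2.10")})
	if err != nil {
		panic(err)
	}
	dnsOnly, err := buildCSR(host, []string{host}, nil)
	if err != nil {
		panic(err)
	}
	for name, der := range map[string][]byte{"with IP SAN": withIP, "DNS only": dnsOnly} {
		ips, err := ipSANs(der)
		if err != nil {
			panic(err)
		}
		if len(ips) > 0 {
			fmt.Printf("%s: would be refused by the IPA CA, IP SANs %v\n", name, ips)
		} else {
			fmt.Printf("%s: no IP SANs, safe to submit\n", name)
		}
	}
}
```

Dropping the -A option from the ipa-getcert call in the thread gives the DNS-only shape checked here; the same inspection can be run on an existing request file by reading its DER bytes (or PEM-decoding it first) and passing them to ipSANs.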
From rcritten at redhat.com Fri Oct 7 13:30:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 7 Oct 2016 09:30:35 -0400
Subject: [Freeipa-users] IP SAN in certificates
Message-ID: <57F7A37B.4070005@redhat.com>

Alessandro De Maria wrote:
> Hello,
>
> I am running the following command to create a certificate for etcd
>
> ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt",
> "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zzzzzz", "-D",
> "dock07.prod.zzzz", "-A", "10.0.1.67", "-K", "etcd/dock07.prod.zzzz"
>
> ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our
> request, giving up: 2100 (RPC failed at server. Insufficient
> access: Subject alt name type IP Address is forbidden).
>
> I believe FreeIPA does not currently support IPs as the SAN of a
> certificate.
>
> Is this still the case? Is there a workaround?

Still the case (and not likely to change AFAIK) and the only workaround is in code.

rob

From jan.karasek at elostech.cz Fri Oct 7 13:38:19 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Fri, 7 Oct 2016 15:38:19 +0200 (CEST)
Subject: [Freeipa-users] IPA - AD trust - LDAP signing
Message-ID: <2044824344.403190.1475847499736.JavaMail.zimbra@elostech.cz>

Hi all,

I am having trouble with the IPA-AD trust. We have a scenario where on the AD side the LDAP signing policy is on - this is company standard and cannot be changed. Is there any chance to let IPA use LDAP signing on the IPA side? I guess IPA uses SASL LDAP bind but without signing.

What I am not understanding now is that IPA is still able to obtain info from AD LDAP although the DC servers keep complaining about unsigned LDAP connections - event 2889.

https://support.microsoft.com/en-us/kb/935834
https://technet.microsoft.com/en-us/library/dd941849(v=ws.10).aspx

Thanks for help.

Jan Karásek
From fdinoto at gmail.com Fri Oct 7 19:14:17 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Fri, 7 Oct 2016 12:14:17 -0700
Subject: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
Message-ID:

I'm trying to interpret these log messages. It seems like server ipa03 has no principal for the DNS service and is not able to replicate LDAP to the other 3 IPA servers. If that is correct:

1. Is "DNS" the service principal it should be using?
2. How do I correct this?
   (what concerns me is that ipa03 is the server I designated as the server where administrative changes are made in case manual replication is needed)

Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to the LDAP server was lost
Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example.com at EXAMPLE.COM)
Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl will reconnect in 60 seconds
Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to the LDAP server was lost
Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example.com at EXAMPLE.COM)
Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl will reconnect in 60 seconds
Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to the LDAP server was lost
Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example.com at EXAMPLE.COM)
Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl will reconnect in 60 seconds

From matt.wells at mosaic451.com Fri Oct 7 20:03:27 2016
From: matt.wells at mosaic451.com (Matt Wells)
Date: Fri, 07 Oct 2016 20:03:27 +0000
Subject: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
Message-ID:

That's correct. Apparently it's unable to use the Kerberos credential to utilize that service associated with the server.
Have you examined the keytab itself? Read it in and see what's inside of it.

On Fri, Oct 7, 2016, 12:20 Fil Di Noto wrote:
> I'm trying to interpret these log messages. It seems like server ipa03
> has no principal for the DNS service and is not able to replicate LDAP
> to the other 3 IPA servers. If that is correct:
>
> 1. Is "DNS" the service principal it should be using?
> 2. How do I correct this?
>    (what concerns me is that ipa03 is the server I designated as
>    the server where administrative changes are made in case manual
>    replication is needed)
>
> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to the LDAP server was lost
> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example.com at EXAMPLE.COM)
> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl will reconnect in 60 seconds
> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to the LDAP server was lost
> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example.com at EXAMPLE.COM)
> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl will reconnect in 60 seconds
> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to the LDAP server was lost
> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example.com at EXAMPLE.COM)
> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl will reconnect in 60 seconds

--
Matt Wells
Chief Systems Architect
RHCA II, RHCVA - #110-000-353
(702) 808-0424
matt.wells at mosaic451.com
Las Vegas | Phoenix | Portland Mosaic451.com

CONFIDENTIALITY NOTICE: This transmittal is a confidential communication or may otherwise be privileged. If you are not the intended recipient, you are hereby notified that you have received this transmittal in error and that any review, dissemination, distribution or copying of this transmittal is strictly prohibited. If you have received this communication in error, please notify this office, and immediately delete this message and all its attachments, if any.

From fdinoto at gmail.com Fri Oct 7 20:24:40 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Fri, 7 Oct 2016 13:24:40 -0700
Subject: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
Message-ID:

klist /etc/named.keytab
klist: Bad format in credentials cache

It's actually like this on all the servers, and I assume it is only showing up in the logs for the 1 server because that is the server where we make changes and it is trying to push changes out to the rest.

If it were any other server than an IPA server I would just manually ipa-getkeytab, but since it's also a KDC I'm having doubts about how to proceed. What do you think Matt?

On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells wrote:
> That's correct.
> Apparently it's unable to use the Kerberos credential to
> utilize that service associated with the server.
> Have you examined the keytab itself? Read it in and see what's inside of
> it.

From fdinoto at gmail.com Fri Oct 7 21:05:59 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Fri, 7 Oct 2016 14:05:59 -0700
Subject: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
Message-ID:

I forgot to add the -k in the klist command. Actually the keytab looks correct. I noticed the file permissions were 0400 named:named but all other service keytabs I see are 0600. I thought that might be an issue so I tried changing the permissions to 0600 on all the servers but it hasn't changed the result.

Any clue on whether those permissions (0400) are correct? I know folks like to do named like that with chroots and such but that seems wrong to me.

On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto wrote:
> klist /etc/named.keytab
> klist: Bad format in credentials cache
>
> It's actually like this on all the servers, and I assume it is only
> showing up in the logs for the 1 server because that is the server
> where we make changes and it is trying to push changes out to the
> rest.
>
> If it were any other server than an IPA server I would just manually
> ipa-getkeytab, but since it's also a KDC I'm having doubts about how
> to proceed. What do you think Matt?

From fdinoto at gmail.com Fri Oct 7 21:45:44 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Fri, 7 Oct 2016 14:45:44 -0700
Subject: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
Message-ID:

Found it. Nothing to do with keytabs or their permissions. It was settings in named.conf (sasl_user) which had the wrong server name.

On Fri, Oct 7, 2016 at 2:05 PM, Fil Di Noto wrote:
> I forgot to add the -k in the klist command. Actually the keytab looks
> correct. I noticed the file permissions were 0400 named:named but all
> other service keytabs I see are 0600. I thought that might be an issue
> so I tried changing the permissions to 0600 on all the servers but it
> hasn't changed the result.
> > Any clue on whether those permissions (0400) are correct? I know folks > like to do named like that with chroots and such but that seems wrong > to me. > > On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto wrote: >> klist /etc/named.keytab >> klist: Bad format in credentials cache >> >> It's actually like this on all the servers, and I assume it is only >> showing up in the logs for the 1 server because that is the server >> where we make changes and it is trying to push changes out to the >> rest. >> >> If it were any other server than an IPA server I would just manually >> ipa-getkeytab, but since it's also a KDC I'm having doubts about how >> to proceed. What do you think Matt? >> >> On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells wrote: >>> That's correct. Apparently it's on able to use the Kerberos credential to >>> utilize that service associated with the server. >>> Have you examined the key tab itself? Read it in and see what's inside of >>> it. >>> >>> >>> On Fri, Oct 7, 2016, 12:20 Fil Di Noto wrote: >>>> >>>> I'm trying to interpret these log messages. It seems like server ipa03 >>>> has no principal for the DNS service and is not able to replicate LDAP >>>> to the other 3 IPA servers. If that is correct: >>>> >>>> 1. Is "DNS" the service principal it should be using? >>>> 2. How do I correct this? 
>>>> (what concerns me is that ipa03 is the server I designated as >>>> the server where administrative changes are made in case manual >>>> replication is needed) >>>> >>>> >>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to >>>> the LDAP server was lost >>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get >>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and >>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for >>>> DNS/ipa03.example.com at EXAMPLE.COM) >>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl >>>> will reconnect in 60 seconds >>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to >>>> the LDAP server was lost >>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get >>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and >>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for >>>> DNS/ipa03.example.com at EXAMPLE.COM) >>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl >>>> will reconnect in 60 seconds >>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to >>>> the LDAP server was lost >>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get >>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and >>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for >>>> DNS/ipa03.example.com at EXAMPLE.COM) >>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl >>>> will reconnect in 60 seconds >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>> >>> -- >>> Matt Wells >>> Chief Systems Architect >>> RHCA II, RHCVA - #110-000-353 >>> (702) 808-0424 >>> matt.wells at mosaic451.com >>> Las Vegas | Phoenix | Portland Mosaic451.com >>> 
From mc at carcano.ch Sat Oct 8 13:00:11 2016
From: mc at carcano.ch (Marco Antonio Carcano)
Date: Sat, 8 Oct 2016 15:00:11 +0200
Subject: [Freeipa-users] certificate list problems using web ui after upgrading to FreeIPA 4.2.0-15 SOLVED
In-Reply-To: <20161005002008.GQ20504@dhcp-40-8.bne.redhat.com>
References: <01cafbc4-68a6-bcb7-bcec-4716b2ce068a@carcano.ch> <20161005002008.GQ20504@dhcp-40-8.bne.redhat.com>
Message-ID:

Thank you Fraser, it is solved - despite the error about replacing Jettison with Jackson

pki-server-upgrade
Upgrading from version 10.1.99 to 10.2.0:
1. Move web application context file (Yes/No) [Y]: Y
2. Replace Jettison with Jackson (Yes/No) [Y]: Y
ERROR: Failed upgrading pki-tomcat instance.
Continue (Yes/No) [Y]? Y
3. Added RESTEasy client (Yes/No) [Y]: Y
4. Replace RESTEasy application class (Yes/No) [Y]: Y
5. Remove config path from web.xml (Yes/No) [Y]: Y
Upgrading from version 10.2.0 to 10.2.1:
1. Add TLS Range Support (Yes/No) [Y]: Y
Upgrading from version 10.2.1 to 10.2.2:
1. Add TLS Range Support (Yes/No) [Y]: Y
Upgrading from version 10.2.2 to 10.2.3:
1. Move Web application deployment locations (Yes/No) [Y]: Y
2. Enabled Web application auto deploy (Yes/No) [Y]: Y
3. Remove dependency on Jackson 2 (Yes/No) [Y]: Y
Upgrading from version 10.2.3 to 10.2.4:
1. Fix instance work folder ownership (Yes/No) [Y]: Y
2. Fix bindPWPrompt for internalDB (Yes/No) [Y]: Y
Upgrading from version 10.2.4 to 10.2.5:
1. Add missing OCSP Get Servlet Mapping to upgraded Dogtag 9 instances (Yes/No) [Y]: Y
2. Fix nuxwdog listener class (Yes/No) [Y]: Y
Upgrading from version 10.2.5 to 10.2.5:
1. Add new KRA audit events (Yes/No) [Y]: Y
pki-tomcat instance:
Configuration version: 10.1.99
Last completed scriptlet: 1
pki-tomcat/ca subsystem:
Configuration version: 10.2.5
Upgrade incomplete.

On 05/10/16 02:20, Fraser Tweedale wrote:
> On Thu, Sep 29, 2016 at 11:13:22PM +0200, Marco Antonio Carcano wrote:
>> Hi all,
>>
>> I've just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7 (7.2.1511) and I'm no longer able to list certificates using the web ui
>>
>> when I go on "Authentication", "Certificates" and choose "Certificates" I get the following error
>>
>> Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
>>
>> and tomcat logs contain the following exception:
>>
>> Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke
>> SEVERE: Allocate exception for servlet Resteasy
>> java.lang.ClassNotFoundException: com.netscape.ca.CertificateAuthorityApplication
>> at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
>> at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:606)
>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>> at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>> at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40
>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>> at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> So it complains it cannot find class com.netscape.ca.CertificateAuthorityApplication - that's right
>>
>> The funny thing is that command line works like a charm
>>
>> ipa caacl-find
>> ----------------
>> 1 CA ACL matched
>> ----------------
>> ACL name: hosts_services_caIPAserviceCert
>> Enabled: TRUE
>> Host category: all
>> Service category: all
>> Profiles: caIPAserviceCert
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>> ipa cert-show
>> Serial number: 1
>> Certificate:
>> MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtJVEM0
>> VS5MT0NBTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5
>> ...
>> iI2rFqRTA+AF3xpqYBtOP+WwcBaue+OZ/GEsPOiyvcV1ZX6FWcKsmBf/T
>> t7A9
>> Subject: CN=Certificate Authority,O=ME.LOCAL
>> Issuer: CN=Certificate Authority,O=ME.LOCAL
>> Not Before: Tue Dec 02 08:05:42 2014 UTC
>> Not After: Sat Dec 02 08:05:42 2034 UTC
>> Fingerprint (MD5): 59:4c:bb:dc:6a:e2:ff:17:6c:34:3e:f4:7e:fa:69:2e
>> Fingerprint (SHA1): 74:c1:b3:a1:a1:25:5c:02:e8:ef:c5:30:14:fd:f0:58:79:6d:60:33
>> Serial number (hex): 0x1
>> Serial number: 1
>>
>> By the way, the weird thing is that before migrating I added a replica node (so a fresh installation of FreeIPA 4.2.0-15) and the replica works perfectly, without this problem
>>
>> It seems to be a problem somehow related to the upgrade process
>>
>> How can I manage? Any suggestion? By the way, does anybody know which JAR contains com.netscape.ca.CertificateAuthorityApplication? I suppose it was /usr/share/java/pki/pki-ca.jar, but it contains only the CertificateAuthority class:
>>
>> jar tf /usr/share/java/pki/pki-ca.jar |grep "CertificateAuthority"
>> com/netscape/ca/CertificateAuthority.class
>>
>> Thanks
>>
>> Marco
>>
> As you guess, something went awry during the upgrade process - specifically: the following upgrade scriptlet was not executed for some reason:
>
> /usr/share/pki/server/upgrade/10.1.99/04-ReplaceRESTEasyApplicationClass
>
> Perhaps it was not the only one.
>
> Run `pki-server-upgrade' manually, as root, and see if that fixes it. If not, let us spend some time off-list examining the state of your PKI deployment and what needs to be done to fix it up.
>
> Cheers,
> Fraser

From amostech at gmail.com Sun Oct 9 00:47:02 2016
From: amostech at gmail.com (Arthur Morales Sampaio)
Date: Sun, 09 Oct 2016 00:47:02 +0000
Subject: [Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.
Message-ID:

Good morning, my name is Arthur and I am working on the integration of FreeIPA and NFSv4 mounting for home directory sharing for authenticated users.

This is the first time I am doing this so the problem could be simple. It's been already a week that I have been struggling with this and I don't know where else to ask for help. I have read pretty much everything that is to be read online regarding Freeipa integration.

Here is my scenario:
- FreeIPA server 4.2.0 - Centos7
- FreeNAS (NFSv4 server) 10 - FreeBSD (bundled with FreeNAS)
- Client Ubuntu 16.04. Installed IPA client using ipa-client-install and imported LDAP credentials. Kerberos login is working properly, I can log into the machines using IPA users. But can't mount NFS4 using sec=krb5 option.

I have a functional FreeIPA server with Kerberos authentication working properly. But I can't get NFSv4 authenticated to work in freeipa-clients.

Following is the error that I am getting:

I know that this might not be enough detail for me to get help for this problem.
But the thing is that I don't know how to enable more verbosity for this.

The desired behavior would be to create mounts for home directories of users and enable kerberos security to mount them. Meaning that I need only the owners to be able to mount them.

This is something that is very confusing for me. Wouldn't I be required to somehow pass to the mount command the username or any credentials of the kerberos user just so the NFS server would know *WHO* is trying to mount the directory?

I really exhausted my resources in trying to fix this issue.

Does FreeIPA work with NFSv4?

I sincerely appreciate your help on this one.

Best regards,
Arthur

From alan at instinctualsoftware.com Sun Oct 9 01:05:23 2016
From: alan at instinctualsoftware.com (Alan Latteri)
Date: Sat, 8 Oct 2016 18:05:23 -0700
Subject: [Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.
In-Reply-To:
References:
Message-ID: <0053AB8D-5EB8-4FFA-9947-3216D0D92354@instinctualsoftware.com>

I think your problem is FreeNAS and not IPA itself. In FreeNAS 10 they will have built in IPA functionality.

> On Oct 8, 2016, at 5:47 PM, Arthur Morales Sampaio wrote:
>
> Good morning, my name is Arthur and I am working on the integration of FreeIPA and NFSv4 mounting for home directory sharing for authenticated users.
>
> This is the first time I am doing this so the problem could be simple. It's been already a week that I have been struggling with this and I don't know where else to ask for help. I have read pretty much everything that is to be read online regarding Freeipa integration.
>
> Here is my scenario:
> - FreeIPA server 4.2.0 - Centos7
> - FreeNAS (NFSv4 server) 10 - FreeBSD (bundled with FreeNAS)
> - Client Ubuntu 16.04. Installed IPA client using ipa-client-install and imported LDAP credentials. Kerberos login is working properly, I can log into the machines using IPA users. But can't mount NFS4 using sec=krb5 option.
>
> I have a functional FreeIPA server with Kerberos authentication working properly. But I can't get NFSv4 authenticated to work in freeipa-clients.
>
> Following is the error that I am getting:
>
> I know that this might not be enough detail for me to get help for this problem. But the thing is that I don't know how to enable more verbosity for this.
>
> The desired behavior would be to create mounts for home directories of users and enable kerberos security to mount them. Meaning that I need only the owners to be able to mount them.
>
> This is something that is very confusing for me. Wouldn't I be required to somehow pass to the mount command the username or any credentials of the kerberos user just so the NFS server would know WHO is trying to mount the directory?
>
> I really exhausted my resources in trying to fix this issue.
>
> Does FreeIPA work with NFSv4?
>
> I sincerely appreciate your help on this one.
>
> Best regards,
> Arthur

From amostech at gmail.com Sun Oct 9 14:57:51 2016
From: amostech at gmail.com (Arthur Morales Sampaio)
Date: Sun, 09 Oct 2016 14:57:51 +0000
Subject: [Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.
In-Reply-To: <0053AB8D-5EB8-4FFA-9947-3216D0D92354@instinctualsoftware.com>
References: <0053AB8D-5EB8-4FFA-9947-3216D0D92354@instinctualsoftware.com>
Message-ID:

Alan, thank you very much for your prompt answer, I didn't completely understand your point. So basically FreeNAS would be incompatible with FreeIPA? If that is the case, my alternative would be to set up another NFS server? Did you by any chance get this working before?

The reason why I am asking you this is just because I have followed so many guides already and I even tried a separate Ubuntu NFS server which also didn't work. If this approach of using FreeIPA + NFSv4 works is there any recommended scenario that would lead to a working solution between them?

Thank you very much.
Arthur.

On Sat, Oct 8, 2016 at 6:05 PM Alan Latteri wrote:
> I think your problem is FreeNAS and not IPA itself. In FreeNAS 10 they will have built in IPA functionality.
>
> On Oct 8, 2016, at 5:47 PM, Arthur Morales Sampaio wrote:
>
> Good morning, my name is Arthur and I am working on the integration of FreeIPA and NFSv4 mounting for home directory sharing for authenticated users.
>
> This is the first time I am doing this so the problem could be simple. It's been already a week that I have been struggling with this and I don't know where else to ask for help. I have read pretty much everything that is to be read online regarding Freeipa integration.
>
> Here is my scenario:
> - FreeIPA server 4.2.0 - Centos7
> - FreeNAS (NFSv4 server) 10 - FreeBSD (bundled with FreeNAS)
> - Client Ubuntu 16.04. Installed IPA client using ipa-client-install and imported LDAP credentials. Kerberos login is working properly, I can log into the machines using IPA users. But can't mount NFS4 using sec=krb5 option.
>
> I have a functional FreeIPA server with Kerberos authentication working properly. But I can't get NFSv4 authenticated to work in freeipa-clients.
>
> Following is the error that I am getting:
>
> I know that this might not be enough detail for me to get help for this problem. But the thing is that I don't know how to enable more verbosity for this.
>
> The desired behavior would be to create mounts for home directories of users and enable kerberos security to mount them. Meaning that I need only the owners to be able to mount them.
>
> This is something that is very confusing for me. Wouldn't I be required to somehow pass to the mount command the username or any credentials of the kerberos user just so the NFS server would know *WHO* is trying to mount the directory?
>
> I really exhausted my resources in trying to fix this issue.
>
> Does FreeIPA work with NFSv4?
>
> I sincerely appreciate your help on this one.
>
> Best regards,
> Arthur

From harenberg at physik.uni-wuppertal.de Sun Oct 9 14:56:46 2016
From: harenberg at physik.uni-wuppertal.de (Torsten Harenberg)
Date: Sun, 9 Oct 2016 16:56:46 +0200
Subject: [Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.
In-Reply-To:
References:
Message-ID: <5d1be255-1863-d6bc-8886-55ce544bff49@physik.uni-wuppertal.de>

Hi Arthur,

we also could not get Ubuntu 16.04 to run with our Kerberized NFS Server. Ubuntu 14.04 runs without problems. Maybe you can try that?

You could have been hit by:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1604396

The advice to upgrade the kernel did unfortunately not help for us (as you can see in my comments).

Best regards,

Torsten

--
Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de
Bergische Universitaet
FB C - Physik             Tel.: +49 (0)202 439-3521
Gaussstr. 20              Fax : +49 (0)202 439-2811
42097 Wuppertal
Of course it runs NetBSD  http://www.netbsd.org

From ftweedal at redhat.com Sun Oct 9 23:59:26 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 10 Oct 2016 09:59:26 +1000
Subject: [Freeipa-users] IP SAN in certificates
In-Reply-To: <57F7A37B.4070005@redhat.com>
References: <57F7A37B.4070005@redhat.com>
Message-ID: <20161009235926.GN20504@dhcp-40-8.bne.redhat.com>

On Fri, Oct 07, 2016 at 09:30:35AM -0400, Rob Crittenden wrote:
> Alessandro De Maria wrote:
> > Hello,
> >
> > I am running the following command to create a certificate for etcd
> >
> > ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt", "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zzzzzz", "-D", "dock07.prod.zzzz", "-A", "10.0.1.67", "-K", "etcd/dock07.prod.zzzz"
> >
> > ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Subject alt name type IP Address is forbidden).
> >
> > I believe FreeIPA does not currently support IPs as the SAN of a certificate.
> >
> > Is this still the case? Is there a workaround?
>
> Still the case (and not likely to change AFAIK) and the only workaround is in code.
>
There have occasionally been discussions about this. It might be possible in the future, if we implement an extensible cert request authorisation mechanism. Won't happen anytime soon, though.
> rob
>

From a.stepanenko at gw.spb.ru Mon Oct 10 20:35:20 2016
From: a.stepanenko at gw.spb.ru (Степаненко Алексей)
Date: Mon, 10 Oct 2016 23:35:20 +0300
Subject: [Freeipa-users] FreeIPA and Samba
In-Reply-To:
References: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru> <1475775086.2849.3.camel@lgs.com.ve>
Message-ID:

I read again the topic http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
It works exactly as I wanted

ipa-adtrust-install created the following configuration:
$ net conf list
[global]
	workgroup = WORKGROUP
	netbios name = SMB
	realm = GW.SPB.RU
	kerberos method = dedicated keytab
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	create krb5 conf = no
	security = user
	domain master = yes
	domain logons = yes
	log level = 1
	max log size = 100000
	log file = /var/log/samba/log.%m
	passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
	disable spoolss = yes
	ldapsam:trusted = yes
	ldap ssl = off
	ldap suffix = dc=gw,dc=spb,dc=ru
	ldap user suffix = cn=users,cn=accounts
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	rpc_server:epmapper = external
	rpc_server:lsarpc = external
	rpc_server:lsass = external
	rpc_server:lsasd = external
	rpc_server:samr = external
	rpc_server:netlogon = external
	rpc_server:tcpip = yes
	rpc_daemon:epmd = fork
	rpc_daemon:lsasd = fork

But I don't understand why it wasn't put into smb.conf directly.

The second problem is 'passdb backend'. I didn't find any documentation about this module. An attempt to replace the file socket with a net connection failed. And I had to make LDAP replication. It was easy, but "ipa-replica-prepare" installed the whole IPA server (tomcat, java, ldap), not only the ldap-server. I need to continue to read documentation. However the problem was solved.

On 06.10.2016 23:51, Степаненко Алексей wrote:
> Thank you for your reply.
>
> I've got a Samba server for a company, accounts are created by hand. Clients are different windows or linux desktops.
>
> I want to install FreeIPA and have one area for managing accounts (SMB, SSH-access for other servers). Now, I prepare a clean samba installation for testing. It would be great to use FreeIPA as authorization server for samba.
>
> I was looking for information about samba + freeIPA, but I found only this document. Maybe I miss obvious things.
>
> On 06.10.2016 20:31, Loris Santamaria wrote:
>> The document you are linking to explains how to configure a samba file server in a freeipa domain, which is one of many ways you can configure and use a samba server.
>>
>> What do you want to achieve with samba, and what is your current setup?
>>
>> On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:
>>> Hello.
>>>
>>> I've read the topic about FreeIPA and SAMBA
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>> If I understand clearly, samba's client must be present in FreeIPA AD. Unfortunately, it does not work for me. I can't join some work desktops to AD. Is it possible to make Samba auth through LDAP IPA? Samba has ldap support
>>>
>>> ldap admin dn
>>> ldap group suffix
>>> ldap idmap suffix
>>> ldap machine suffix
>>> ldap passwd sync
>>> ldap suffix
>>> ldap user suffix
>>>
>>> Does it work with IPA?
>>>
>>> Thanks.
>>>

From jpopowitch at cappex.com Mon Oct 10 21:30:49 2016
From: jpopowitch at cappex.com (John Popowitch)
Date: Mon, 10 Oct 2016 21:30:49 +0000
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
Message-ID: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net>

Hello FreeIPA community.

I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.

I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command."

But when I run ipa-server-upgrade I get an error:

ipa: ERROR: Upgrade failed with This entry already exists

When I run it in debug mode the last action before the error is:

ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile

It appears that several of the other managed permissions are processed successfully.

When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions.

I'm not familiar with FreeIPA so any help would be greatly appreciated.

Thanks in advance.

-John

From alan at instinctualsoftware.com Mon Oct 10 21:35:02 2016
From: alan at instinctualsoftware.com (Alan Latteri)
Date: Mon, 10 Oct 2016 14:35:02 -0700
Subject: [Freeipa-users] FreeIPA and Samba
In-Reply-To:
References: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru> <1475775086.2849.3.camel@lgs.com.ve>
Message-ID:

Nice, I think that page may also solve my problem. Going to try it soon.

> On Oct 10, 2016, at 1:35 PM, Степаненко Алексей wrote:
>
> I read again the topic http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
> It works exactly as I wanted
>
> ipa-adtrust-install created the following configuration:
> $ net conf list
> [global]
> workgroup = WORKGROUP
> netbios name = SMB
> realm = GW.SPB.RU
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> create krb5 conf = no
> security = user
> domain master = yes
> domain logons = yes
> log level = 1
> max log size = 100000
> log file = /var/log/samba/log.%m
> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
> disable spoolss = yes
> ldapsam:trusted = yes
> ldap ssl = off
> ldap suffix = dc=gw,dc=spb,dc=ru
> ldap user suffix = cn=users,cn=accounts
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
>
> But I don't understand why it wasn't put into smb.conf directly.
>
> The second problem is 'passdb backend'. I didn't find any documentation about this module. An attempt to replace the file socket with a net connection failed. And I had to make LDAP replication. It was easy, but "ipa-replica-prepare" installed the whole IPA server (tomcat, java, ldap), not only the ldap-server. I need to continue to read documentation. However the problem was solved.
>
> On 06.10.2016 23:51, Степаненко Алексей wrote:
>> Thank you for your reply.
>>
>> I've got a Samba server for a company, accounts are created by hand. Clients are different windows or linux desktops.
>>
>> I want to install FreeIPA and have one area for managing accounts (SMB, SSH-access for other servers). Now, I prepare a clean samba installation for testing. It would be great to use FreeIPA as authorization server for samba.
>>
>> I was looking for information about samba + freeIPA, but I found only this document. Maybe I miss obvious things.
>>
>> On 06.10.2016 20:31, Loris Santamaria wrote:
>>> The document you are linking to explains how to configure a samba file server in a freeipa domain, which is one of many ways you can configure and use a samba server.
>>>
>>> What do you want to achieve with samba, and what is your current setup?
>>>
>>> On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:
>>>> Hello.
>>>>
>>>> I've read the topic about FreeIPA and SAMBA
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>> If I understand clearly, samba's client must be present in FreeIPA AD. Unfortunately, it does not work for me. I can't join some work desktops to AD. Is it possible to make Samba auth through LDAP IPA? Samba has ldap support
>>>>
>>>> ldap admin dn
>>>> ldap group suffix
>>>> ldap idmap suffix
>>>> ldap machine suffix
>>>> ldap passwd sync
>>>> ldap suffix
>>>> ldap user suffix
>>>>
>>>> Does it work with IPA?
>>>>
>>>> Thanks.
>>>>
>>
>

From fdinoto at gmail.com Tue Oct 11 01:48:23 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Mon, 10 Oct 2016 18:48:23 -0700
Subject: [Freeipa-users] Replication attrlist_replace nsslapd-referral failed
Message-ID:

After an IPA server is re-initialized it immediately begins failing incremental updates. I checked the kerberos logs and things appear to be ok there, I can manually test LDAP from all servers against all other servers.

There is a DS5ReplicaBindDN entry in "dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for an IPA server that no longer exists.
But all living IPA servers have an entry for all other living servers. There is the correct number of cn=master, and cn=ca, and the caRenewalMaster is set on the correct master. "ipa-replica-manage del --force --clean " does not remove the entry.

There were some RUV from the old servers also and I cleaned them. The man page says if a clean is run on the wrong ID then the server should be re-initialized, so I just did that on purpose and re-initialized one of the servers and that has cleared the NSMMReplicationPlugin error (so far) but I am still getting the attrlist_replace error.

I'm getting no indication of kerberos problems. Could it be the NSACLPlugin? It precedes the other error every time but that is probably just regular startup procedure, and having an ACL for something that doesn't exist doesn't feel like a fatal error to me. I didn't do the KRA install.

[root at ipa05 slapd-example-com]# tail -f errors
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
[10/Oct/2016:23:27:57 +0000] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa07.example.com" (ipa07:389): CSN 57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
[10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
[10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.

From datakid at gmail.com Tue Oct 11 03:06:54 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Tue, 11 Oct 2016 14:06:54 +1100
Subject: [Freeipa-users] sssd 1.14.1, HBAC still not working?
Message-ID:

Hola,

I've set up a test domain that's as much as possible the same as the prod domain, and successfully got a one way trust against the AD: CentOS 7.2, ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3

On that test domain I believe I have HBAC working successfully.

Once I could show that it was working successfully on the test domain we updated all the clients in the prod domain to sssd 1.14.1-3, updated the IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.

And it doesn't work? Two users could login, but none of the others could, and the sudo rules weren't applied in so much as the one user that could login but shouldn't have had sudo, did.

I tried stopping sssd/clearing cache/start sssd/waiting; and stopping sssd/deleting /var/lib/sss/db/* /start sssd/waiting.

Neither of those worked, so I enabled allow all again.

Now I have a bunch of log files to look through, but no clear indication of what might have gone wrong from a quick read.

I can see in the logs where one person is ok'd by HBAC for sshd and another two are denied - when they should have all been ok'd. And I can infer that the reasoning is that HBAC has declared person2 + person3 to not be in a group they most definitely are in from the error messages. But there is no indication of why sssd hasn't properly picked up that person2 is in the correct group?

I guess the question is, where do I start fixing this? Which logs should I be reading?
What can I compare between the two set ups (dev and prod) that might give me insight, given that they are largely set up identically?

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From datakid at gmail.com Tue Oct 11 04:28:55 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Tue, 11 Oct 2016 15:28:55 +1100
Subject: [Freeipa-users] sssd 1.14.1, HBAC still not working?
In-Reply-To:
References:
Message-ID:

After further testing, I've discovered that the dev system wasn't working as well as I thought it was: HBAC and sshd don't seem to be playing well together on one server, but fine on the other?

ie, I can run the same commands from both ipa-server and ipa-client:

ipa hbactest --user=user1 --host=ipa-server.unixdev.petermac.org.au --service=sshd
ipa hbactest --user=user1 --host=ipa-client.unixdev.petermac.org.au --service=sshd

and every response is:

to the ipa-client
--------------------
Access granted: True
--------------------
Matched rules: Admin Users (w sudo)
Matched rules: Users

to the ipa-server
--------------------
Access granted: True
--------------------
Matched rules: Cluster Admin Users (sudo)
Not matched rules: Cluster Users

but when I try to login to the ipa-server, I get an instance disconnect? I can login happily to the ipa-client no problems.

Is there a special rule about sshd and the ipa-server?

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 11 October 2016 at 14:06, Lachlan Musicman wrote:
> Hola,
>
> I've set up a test domain that's as much as possible the same as the prod domain, and successfully got a one way trust against the AD: CentOS 7.2, ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3
>
> On that test domain I believe I have HBAC working successfully.
>
> Once I could show that it was working successfully on the test domain we updated all the clients in the prod domain to sssd 1.14.1-3, updated the IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.
>
> And it doesn't work? Two users could login, but none of the others could, and the sudo rules weren't applied in so much as the one user that could login but shouldn't have had sudo, did.
>
> I tried stopping sssd/clearing cache/start sssd/waiting; and stopping sssd/deleting /var/lib/sss/db/* /start sssd/waiting.
>
> Neither of those worked, so I enabled allow all again.
>
> Now I have a bunch of log files to look through, but no clear indication of what might have gone wrong from a quick read.
>
> I can see in the logs where one person is ok'd by HBAC for sshd and another two are denied - when they should have all been ok'd. And I can infer that the reasoning is that HBAC has declared person2 + person3 to not be in a group they most definitely are in from the error messages. But there is no indication of why sssd hasn't properly picked up that person2 is in the correct group?
>
> I guess the question is, where do I start fixing this? Which logs should I be reading?
>
> What can I compare between the two set ups (dev and prod) that might give me insight, given that they are largely set up identically?
>
> Cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it this way."
>
> - Grace Hopper
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Tue Oct 11 06:52:57 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 11 Oct 2016 08:52:57 +0200
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net>
Message-ID: <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com>

On 10.10.2016 23:30, John Popowitch wrote:
>
> Hello FreeIPA community.
>
> I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.
>
> I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command."
>
> But when I run ipa-server-upgrade I get an error:
>
> ipa: ERROR: Upgrade failed with This entry already exists
>
> When I run it in debug mode the last action before the error is:
>
> ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile
>
> It appears that several of the other managed permissions are processed successfully.
>
> When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions.
>
> I'm not familiar with FreeIPA so any help would be greatly appreciated.
>
> Thanks in advance.
>
> -John
>
>

Hello,

can you post the related part of ipaupgrade.log here?

Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lkrispen at redhat.com Tue Oct 11 07:06:42 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 11 Oct 2016 09:06:42 +0200
Subject: [Freeipa-users] Replication attrlist_replace nsslapd-referral failed
In-Reply-To:
References:
Message-ID: <57FC8F82.5000105@redhat.com>

Hi,

you don't specify the version you are using: If it is 389-ds-base-1.3.4.0-33.el7_2.x86_64 the following may apply:

>>> we have identified an issue with this version, it includes a fix for 389-ds ticket #48766, which was incomplete and resolved shortly after the release of this version (it is missing the latest patch for #49766 and for #48954). You can try to go back to 1.3.4.0-32 or if you have support get a hotfix from our support. <<<

Sorry for this,

On 10/11/2016 03:48 AM, Fil Di Noto wrote:
> After an IPA server is re-initialized it immediately begins failing incremental updates. I checked the kerberos logs and things appear to be ok there, I can manually test LDAP from all servers against all other servers.
>
> There is an DS5ReplicaBindDN entry in "dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for an IPA server that no longer exists. But all IPA living servers have an entry for all other living servers.
> There is the correct number of cn=master, and cn=ca, and the caRenewalMaster is set on the correct master.
>
> "ipa-replica-manage del --force --clean " does not remove the entry.
>
> There were some RUV from the old servers also and I cleaned them. The man page says if a clean is run on the wrong ID then the server should be re-initialized, so I just did that on purpose and re-initialized the one of the servers and that has cleared the NSMMReplicationPlugin error (so far) but I am still getting the attrlist_replace error.
>
> I'm getting no indication of kerberos problems. Could it be the NSACLPlugin? It precedes the other error every time but that is probably just regular startup procedure, and having an ACL for something that doesn't exist doesn't feel like a fatal error to me. I didn't do the KRA install.
>
> [root at ipa05 slapd-example-com]# tail -f errors
> [10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +0000] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa07.example.com" (ipa07:389): CSN 57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
> [10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From jhrozek at redhat.com Tue Oct 11 08:03:33 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 11 Oct 2016 10:03:33 +0200
Subject: [Freeipa-users] sssd 1.14.1, HBAC still not working?
In-Reply-To:
References:
Message-ID: <20161011080333.3rkhhocjitsz6hqt@hendrix>

On Tue, Oct 11, 2016 at 03:28:55PM +1100, Lachlan Musicman wrote:
> After further testing, I've discovered that the dev system wasn't working as well as I thought it was: HBAC and sshd don't seem to be playing well together on one server, but fine on the other?
>
> ie, I can run the same commands from both ipa-server and ipa-client:
>
> ipa hbactest --user=user1 --host=ipa-server.unixdev.petermac.org.au --service=sshd
> ipa hbactest --user=user1 --host=ipa-client.unixdev.petermac.org.au --service=sshd
>
> and every response is:
>
> to the ipa-client
> --------------------
> Access granted: True
> --------------------
> Matched rules: Admin Users (w sudo)
> Matched rules: Users
>
> to the ipa-server
> --------------------
> Access granted: True
> --------------------
> Matched rules: Cluster Admin Users (sudo)
> Not matched rules: Cluster Users
>
> but when I try to login to the ipa-server, I get an instance disconnect? I can login happily to the ipa-client no problems.
>
> Is there a special rule about sshd and the ipa-server?

No, there shouldn't be.

Can you generate sssd logs on the instance that is acting up and send them to me? It's best to run date and expire the cache before the test as well:

sss_cache -E; date; ssh user at host; date

so that we can cross-check the logs knowing the time of the test.

If you don't mind I'd like to share the logs with other SSSD developers because I think I already tried to look into this issue and couldn't find the root cause in the past, so maybe others will spot something.
From jpopowitch at cappex.com Tue Oct 11 13:53:42 2016
From: jpopowitch at cappex.com (John Popowitch)
Date: Tue, 11 Oct 2016 13:53:42 +0000
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com>
Message-ID: <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net>

2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile
2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392
2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists
2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute
    anonymous_read_aci)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry
    self.conn.add_s(str(entry.dn), attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists
2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server
2016-10-10T19:51:38Z DEBUG Starting external process
2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at AWS-CAPPEX-COM.service'
2016-10-10T19:51:40Z DEBUG Process finished, return code=0
2016-10-10T19:51:40Z DEBUG stdout=
2016-10-10T19:51:40Z DEBUG stderr=
2016-10-10T19:51:40Z DEBUG duration: 1 seconds
2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG duration: 0 seconds
2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-10T19:51:40Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    raise admintool.ScriptError(str(e))
2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1)
2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1)

From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Tuesday, October 11, 2016 1:53 AM
To: John Popowitch; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

On 10.10.2016 23:30, John Popowitch wrote:

Hello FreeIPA community.

I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.

I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command."

But when I run ipa-server-upgrade I get an error:

ipa: ERROR: Upgrade failed with This entry already exists

When I run it in debug mode the last action before the error is:

ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile

It appears that several of the other managed permissions are processed successfully.

When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions.

I'm not familiar with FreeIPA so any help would be greatly appreciated.

Thanks in advance.

-John

Hello,

can you post the related part of ipaupgrade.log here?

Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From mbasti at redhat.com Tue Oct 11 14:47:17 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 11 Oct 2016 16:47:17 +0200 Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors In-Reply-To: <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> Message-ID: <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> That's weird because the code is checking if a permission exists before it tries to add a new one Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade? On 11.10.2016 15:53, John Popowitch wrote: > > 2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify > Certificate Profile > > 2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392 > > 2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists > > 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", > line 306, in __upgrade > > self.modified = (ld.update(self.files) or self.modified) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 905, in update > > self._run_updates(all_updates) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 877, in _run_updates > > self._run_update_plugin(update['plugin']) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", > line 852, in _run_update_plugin > > restart_ds, updates = self.api.Updater[plugin_name]() > > File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line > 1400, in __call__ > > return self.execute(**options) > > File > 
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", > line 433, in execute > > anonymous_read_aci) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", > line 529, in update_permission > > ldap.add_entry(entry) > > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line > 1428, in add_entry > > self.conn.add_s(str(entry.dn), attrs.items()) > > File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ > > self.gen.throw(type, value, traceback) > > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line > 938, in error_handler > > raise errors.DuplicateEntry() > > DuplicateEntry: This entry already exists > > 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 418, in start_creation > > run_step(full_msg, method) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line > 408, in run_step > > method() > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", > line 314, in __upgrade > > raise RuntimeError(e) > > RuntimeError: This entry already exists > > 2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already > exists > > 2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server > > 2016-10-10T19:51:38Z DEBUG Starting external process > > 2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' > 'dirsrv at AWS-CAPPEX-COM.service' > > 2016-10-10T19:51:40Z DEBUG Process finished, return code=0 > > 2016-10-10T19:51:40Z DEBUG stdout= > > 2016-10-10T19:51:40Z DEBUG stderr= > > 2016-10-10T19:51:40Z DEBUG duration: 1 seconds > > 2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration > > 2016-10-10T19:51:40Z DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-10-10T19:51:40Z DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > > 
2016-10-10T19:51:40Z DEBUG Saving StateFile to > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-10-10T19:51:40Z DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-10-10T19:51:40Z DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-10-10T19:51:40Z DEBUG Saving StateFile to > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-10-10T19:51:40Z DEBUG Loading StateFile from > '/var/lib/ipa/sysrestore/sysrestore.state' > > 2016-10-10T19:51:40Z DEBUG duration: 0 seconds > > 2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > > 2016-10-10T19:51:40Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, > in execute > > return_value = self.run() > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 50, in run > > raise admintool.ScriptError(str(e)) > > 2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, > exception: ScriptError: ('IPA upgrade failed.', 1) > > 2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1) > > *From:*Martin Basti [mailto:mbasti at redhat.com] > *Sent:* Tuesday, October 11, 2016 1:53 AM > *To:* John Popowitch; freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me > to run ipa-server-upgrade, but has errors > > On 10.10.2016 23:30, John Popowitch wrote: > > Hello FreeIPA community. > > I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2. > > I had to reboot one of the servers and now IPA won't run saying, > "Upgrade required: please run ipa-server-upgrade command." 
> > But when I run ipa-server-upgrade I get an error: > > ipa: ERROR: Upgrade failed with This entry already exists > > When I run it in debug mode the last action before the error is: > > ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: > DEBUG: Updating managed permission: System: Modify Certificate Profile > > It appears that several of the other managed permissions are > processed successfully. > > When I look in the UI on one of the other servers it appears that > this permission exists under IPA Server -> Role Based Access > Control -> Permissions. > > I'm not familiar with FreeIPA so any help would be greatly > appreciated. > > Thanks in advance. > > -John > > > > > Hello, > > can you post the related part of ipaupgrade.log here? > > Martin > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jpopowitch at cappex.com Tue Oct 11 15:21:59 2016 From: jpopowitch at cappex.com (John Popowitch) Date: Tue, 11 Oct 2016 15:21:59 +0000 Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors In-Reply-To: <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> Message-ID: <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> I agree that is weird. Several of the other managed permissions are updated successfully and they are very similar. Yes, I can try to remove the permission manually. Is there any risk in corrupting or breaking the system? This is, I believe, one of three IPA servers in a multi-master replication. And we run our production website (basically our company) off of these servers. 
Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP? From: Martin Basti [mailto:mbasti at redhat.com] Sent: Tuesday, October 11, 2016 9:47 AM To: John Popowitch; freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors That's weird because the code is checking if a permission exists before it tries to add a new one Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade? On 11.10.2016 15:53, John Popowitch wrote: 2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile 2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392 2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade self.modified = (ld.update(self.files) or self.modified) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update self._run_updates(all_updates) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates self._run_update_plugin(update['plugin']) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin restart_ds, updates = self.api.Updater[plugin_name]() File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__ return self.execute(**options) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute anonymous_read_aci) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission ldap.add_entry(entry) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry 
self.conn.add_s(str(entry.dn), attrs.items()) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler raise errors.DuplicateEntry() DuplicateEntry: This entry already exists 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade raise RuntimeError(e) RuntimeError: This entry already exists 2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists 2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server 2016-10-10T19:51:38Z DEBUG Starting external process 2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at AWS-CAPPEX-COM.service' 2016-10-10T19:51:40Z DEBUG Process finished, return code=0 2016-10-10T19:51:40Z DEBUG stdout= 2016-10-10T19:51:40Z DEBUG stderr= 2016-10-10T19:51:40Z DEBUG duration: 1 seconds 2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2016-10-10T19:51:40Z DEBUG duration: 0 seconds 2016-10-10T19:51:40Z 
ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2016-10-10T19:51:40Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run raise admintool.ScriptError(str(e)) 2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1) 2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1) From: Martin Basti [mailto:mbasti at redhat.com] Sent: Tuesday, October 11, 2016 1:53 AM To: John Popowitch; freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors On 10.10.2016 23:30, John Popowitch wrote: Hello FreeIPA community. I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2. I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command." But when I run ipa-server-upgrade I get an error: ipa: ERROR: Upgrade failed with This entry already exists When I run it in debug mode the last action before the error is: ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile It appears that several of the other managed permissions are processed successfully. When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions. I'm not familiar with FreeIPA so any help would be greatly appreciated. Thanks in advance. -John Hello, can you post the related part of ipaupgrade.log here? Martin -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From mbasti at redhat.com Tue Oct 11 15:38:22 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 11 Oct 2016 17:38:22 +0200
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net>
Message-ID: <2f167792-c27d-884a-49b6-546194251ccb@redhat.com>

On 11.10.2016 17:21, John Popowitch wrote:
>
> I agree that is weird.
>
> Several of the other managed permissions are updated successfully and they are very similar.
>
> Yes, I can try to remove the permission manually.
>
> Is there any risk in corrupting or breaking the system?
> This is, I believe, one of three IPA servers in a multi-master replication.
>
> And we run our production website (basically our company) off of these servers.
>
> Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP?
>

Upgrade will re-create permission.

You have to do it directly using LDAP as Directory Manager.

Also please check in cn=certprofiles,cn=ca,$SUFFIX if you have this ACI there:

aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)

This may also cause an issue, so if removing the permission itself did not help (or the permission does not exist) you may need to remove this ACI.

Martin

> *From:*Martin Basti [mailto:mbasti at redhat.com]
> *Sent:* Tuesday, October 11, 2016 9:47 AM
> *To:* John Popowitch; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>
> That's weird because the code is checking if a permission exists before it tries to add a new one
>
> Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade?
From jpopowitch at cappex.com Tue Oct 11 15:48:57 2016
From: jpopowitch at cappex.com (John Popowitch)
Date: Tue, 11 Oct 2016 15:48:57 +0000
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <2f167792-c27d-884a-49b6-546194251ccb@redhat.com>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com>
Message-ID: <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net>

Thanks, Martin.

But I'm afraid you've gone beyond my level of LDAP knowledge.

How would I check for that ACI?

-John

From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Tuesday, October 11, 2016 10:38 AM
To: John Popowitch; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

On 11.10.2016 17:21, John Popowitch wrote:

I agree that is weird.

Several of the other managed permissions are updated successfully and they are very similar.

Yes, I can try to remove the permission manually.

Is there any risk in corrupting or breaking the system? This is, I believe, one of three IPA servers in a multi-master replication.

And we run our production website (basically our company) off of these servers.

Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP?

Upgrade will re-create the permission.

You have to do it directly using LDAP as Directory Manager.

Also please check in cn=certprofiles,cn=ca,$SUFFIX if you have this ACI there:

aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)

This may also cause an issue, so if removing the permission itself did not help (or the permission does not exist) you may need to remove this ACI.

Martin

From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Tuesday, October 11, 2016 9:47 AM
To: John Popowitch; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

That's weird because the code is checking if a permission exists before it tries to add a new one.

Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade?
On 11.10.2016 15:53, John Popowitch wrote:

2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile
2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392
2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists
2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute
    anonymous_read_aci)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry
    self.conn.add_s(str(entry.dn), attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists
2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server
2016-10-10T19:51:38Z DEBUG Starting external process
2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv@AWS-CAPPEX-COM.service'
2016-10-10T19:51:40Z DEBUG Process finished, return code=0
2016-10-10T19:51:40Z DEBUG stdout=
2016-10-10T19:51:40Z DEBUG stderr=
2016-10-10T19:51:40Z DEBUG duration: 1 seconds
2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG duration: 0 seconds
2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-10T19:51:40Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    raise admintool.ScriptError(str(e))
2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1)
2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1)

From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Tuesday, October 11, 2016 1:53 AM
To: John Popowitch; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

On 10.10.2016 23:30, John Popowitch wrote:

Hello FreeIPA community.

I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.

I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command."

But when I run ipa-server-upgrade I get an error:

ipa: ERROR: Upgrade failed with This entry already exists

When I run it in debug mode the last action before the error is:

ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile

It appears that several of the other managed permissions are processed successfully.

When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions.

I'm not familiar with FreeIPA so any help would be greatly appreciated.

Thanks in advance.

-John

Hello,

can you post the related part of ipaupgrade.log here?

Martin
From ianh at brownpapertickets.com Tue Oct 11 16:13:29 2016
From: ianh at brownpapertickets.com (Ian Harding)
Date: Tue, 11 Oct 2016 09:13:29 -0700
Subject: [Freeipa-users] Different Database Generation ID
Message-ID: <4d75f35b-4f1d-9d3e-4afd-98fde30e72c8@brownpapertickets.com>

I have this error in the log of my FreeIPA server freeipa-sea.bpt.rocks:

[11/Oct/2016:09:04:39 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-seattlenfs.bpt.rocks-pki-tomcat" (seattlenfs:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.

So I did this:

ipa-replica-manage re-initialize --from freeipa-sea.bpt.rocks

on seattlenfs. But the error continues.

I think I know why. freeipa-sea had a meltdown and I had to rebuild it, and established it as a replica of seattlenfs. Unfortunately, I think seattlenfs was a replica of the original freeipa-sea.

It seems like a bad idea to reinitialize themselves from each other, and in fact it's warned against here:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Troubleshooting_Replication_Related_Problems.html

"... Also, M2 should not initialize M1 back."

But in looking at my bash history I have indeed done that as well.

Is there any way out of this mess?

These two servers actually DO replicate, most of the time. They stop for no reason and restarting the ipa services on freeipa-sea does get them started again.

--
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com

From mbasti at redhat.com Tue Oct 11 16:18:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 11 Oct 2016 18:18:21 +0200
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net>
Message-ID: <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com>

Here you have an example:

kinit admin
ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc=' -s base aci

On 11.10.2016 17:48, John Popowitch wrote:
> Thanks, Martin.
>
> But I'm afraid you've gone beyond my level of LDAP knowledge.
>
> How would I check for that ACI?
>
> -John
>
> *From:*Martin Basti [mailto:mbasti at redhat.com]
> *Sent:* Tuesday, October 11, 2016 10:38 AM
> *To:* John Popowitch; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>
> On 11.10.2016 17:21, John Popowitch wrote:
>
> I agree that is weird.
>
> Several of the other managed permissions are updated successfully and they are very similar.
>
> Yes, I can try to remove the permission manually.
>
> Is there any risk in corrupting or breaking the system? This is, I believe, one of three IPA servers in a multi-master replication.
>
> And we run our production website (basically our company) off of these servers.
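Martin's advice in this thread (search cn=certprofiles,cn=ca,$SUFFIX for an ACI bound to the 'System: Modify Certificate Profile' permission, and remove the stale value if it is there) can be checked with a little tooling rather than by eye. The following is an added example, not FreeIPA's code and not from Martin's mail: it parses ACI values in the shape ldapsearch returns them, picks out those whose groupdn is the managed permission's DN under cn=pbac, and emits the LDIF modify record that would delete exactly that one value. SAMPLE_ACI is the ACI quoted in the thread (with its Red Hat lab suffix); OTHER_ACI, the entry DN and all function and variable names are constructed for the example.

```python
"""Find 389-ds ACIs bound to a FreeIPA managed permission (added example).

Not FreeIPA code. SAMPLE_ACI is the value quoted in the thread; the rest
is constructed sample data for an offline run.
"""
import re

# The ACI Martin asked John to look for, as ldapsearch prints it once the
# LDIF line folding is undone. The suffix is a Red Hat lab one from the mail.
SAMPLE_ACI = (
    '(targetattr = "cn || description || ipacertprofilestoreissued")'
    '(targetfilter = "(objectclass=ipacertprofile)")'
    '(version 3.0;acl "permission:System: Modify Certificate Profile";'
    'allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,'
    'cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,'
    'dc=brq,dc=redhat,dc=com";)'
)

# Constructed second ACI on the same entry, so the filter has a value it
# must leave alone (binds userdn, not a permission group).
OTHER_ACI = (
    '(targetattr = "cn || description")'
    '(targetfilter = "(objectclass=ipacertprofile)")'
    '(version 3.0;acl "permission:System: Read Certificate Profiles";'
    'allow (read, search, compare) userdn = "ldap:///all";)'
)

ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]*)"')
TARGETATTR_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)')
ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)')


def parse_aci(aci):
    """Extract the fields an admin reviews: acl name, bound group DN
    (None when the ACI binds userdn instead), target attributes, rights."""
    name = ACL_NAME_RE.search(aci)
    groupdn = GROUPDN_RE.search(aci)
    targetattr = TARGETATTR_RE.search(aci)
    rights = ALLOW_RE.search(aci)
    attrs = targetattr.group(1).split("||") if targetattr else []
    granted = rights.group(1).split(",") if rights else []
    return {
        "name": name.group(1) if name else None,
        "groupdn": groupdn.group(1) if groupdn else None,
        "targetattr": [a.strip() for a in attrs],
        "rights": [r.strip() for r in granted],
    }


def permission_dn(name, suffix):
    """DN FreeIPA gives a managed permission under cn=pbac."""
    return "cn=%s,cn=permissions,cn=pbac,%s" % (name, suffix)


def acis_bound_to_permission(acis, name, suffix):
    """Return the ACI values whose groupdn is the given managed permission.

    DNs compare case-insensitively; internal spaces are kept because the
    permission name itself contains them.
    """
    wanted = permission_dn(name, suffix).lower()
    return [a for a in acis if (parse_aci(a)["groupdn"] or "").lower() == wanted]


def ldif_delete_aci(entry_dn, aci):
    """LDIF modify record removing one aci value by value, which leaves any
    other ACIs on the entry untouched (unlike replacing the attribute)."""
    return "dn: %s\nchangetype: modify\ndelete: aci\naci: %s\n" % (entry_dn, aci)


if __name__ == "__main__":
    suffix = "dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
    entry = "cn=certprofiles,cn=ca," + suffix
    stale = acis_bound_to_permission([SAMPLE_ACI, OTHER_ACI],
                                     "System: Modify Certificate Profile", suffix)
    for value in stale:
        print(parse_aci(value))
        print(ldif_delete_aci(entry, value))
```

In practice the input list comes from the authenticated search Martin shows (kinit admin, then ldapsearch -Y GSSAPI against the certprofiles entry requesting aci), and the generated LDIF is something to read before handing it to ldapmodify bound as Directory Manager; the upgrade recreates the permission and its ACI afterwards, as Martin notes. One caveat worth keeping in mind when reading John's later result: an entry that shows no aci values to one bind does not prove the values are absent, since the server returns only what that bind is allowed to read, so the check should be made with the same authenticated identity the example uses.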
From cbennett at ftdi.com Tue Oct 11 17:36:09 2016
From: cbennett at ftdi.com (Bennett, Chip)
Date: Tue, 11 Oct 2016 17:36:09 +0000
Subject: [Freeipa-users] Password Complexity Requirements Seems Insufficient
Message-ID: <198A481E432CAD48801198FBEB67C7AF0D794710@USDGPEMSPMBX01.FTDCORP.NET>

I just joined this list, so if this question has been asked before (and I'll bet it has), I apologize in advance. A google search was unrevealing, so I'm asking here: we're running FreeIPA Version 3.0.0 on CentOS 6.6.

It looks like the password complexity requirements are limited to setting the number of character classes to require, i.e. setting it to "2" would require your new password to be any two of the character classes. What if you wanted new passwords to meet specific class requirements, i.e. a mix of UC, LC, and numbers? It looks like you would use a value of "3" to accomplish this, but that would also allow UC, LC, and special, or LC, numbers, and special, but you don't want to allow those: how would you specify that?

Also, what if you had a requirement for more than one of the character classes, i.e. you want to require two UC characters or two special characters?

Thanks in advance for the help,

Chip Bennett

From bpk678 at gmail.com Tue Oct 11 18:41:19 2016
From: bpk678 at gmail.com (Brendan Kearney)
Date: Tue, 11 Oct 2016 14:41:19 -0400
Subject: [Freeipa-users] bind-dyndb-ldap issues
Message-ID: <9aa5d2d2-67da-a198-171f-2d3c758eaeae@gmail.com>

I am using bind-dyndb-ldap on Fedora 24 without FreeIPA, and continue to have my logs swamped with errors about "check failed" from settings.c and fwd.c. I am completely up to date with every package, so the latest versions of everything are installed.
[settings.c : 420: setting_update_from_ldap_entry] check failed: ignore
[settings.c : 436: setting_update_from_ldap_entry] check failed: ignore
[fwd.c : 378: fwd_setting_isexplicit] check failed: not found

I have two boxes running a named instance each, in a "master/master" config. Each has the zone data configured per below. The uri refers to the local IP of each server.

dynamic-db "bpk2.com" {
    library "ldap.so";
    arg "uri ldap://192.168.88.1/";
    arg "base cn=dns,ou=Daemons,dc=bpk2,dc=com";
    arg "auth_method simple";
    arg "bind_dn cn=dnsUser,dc=bpk2,dc=com";
    arg "password dnsPass";
    arg "fake_mname server1.bpk2.com.";
    arg "dyn_update yes";
    arg "connections 2";
    arg "verbose_checks yes";
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

My dns container is defined in openldap as such:

dn: cn=dns,ou=Daemons,dc=bpk2,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject

Where and how can I find the source of my issue? These issues are causing performance issues on the rest of my network. Because of these errors, ldap throws errors about deferred operations for binding, too many executing, and pending operations. Additionally, recursion also seems to be impacted. This is noticed most when streaming content. Buffering, stuttering and pixelation are seen in the video streams. It could be the swamping of logs killing I/O or the actual recursion, but 100% the video issues are related. The log events match up exactly with the buffering.

I had this issue with bind-dyndb-ldap and Fedora 20 up until I recently upgraded. I went from F20 to F24, and put things on nice new SSDs, instead of spinning disks. The problem followed the upgrade.

Are there configuration items I am missing? Are there tweaks I can do to improve something? How do I get rid of these errors, so dns performance (or the log swamping) is not affecting the rest of my network?
Thank you,
Brendan

From jpopowitch at cappex.com Tue Oct 11 19:27:33 2016
From: jpopowitch at cappex.com (John Popowitch)
Date: Tue, 11 Oct 2016 19:27:33 +0000
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com>
Message-ID: <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net>

It doesn't look like there are any entries.

# ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s base aci
# extended LDIF
#
# LDAPv3
# base with scope baseObject
# filter: (objectclass=*)
# requesting: aci
#

# certprofiles, ca, aws.cappex.com
dn: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So how would one remove the 'Modify Certificate Profile' managed permission from LDAP?

From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Tuesday, October 11, 2016 11:18 AM
To: John Popowitch; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

Here you have an example:

kinit admin
ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc=' -s base aci

On 11.10.2016 17:48, John Popowitch wrote:

Thanks, Martin.

But I'm afraid you've gone beyond my level of LDAP knowledge.

How would I check for that ACI?
-John From: Martin Basti [mailto:mbasti at redhat.com] Sent: Tuesday, October 11, 2016 10:38 AM To: John Popowitch; freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors On 11.10.2016 17:21, John Popowitch wrote: I agree that is weird. Several of the other managed permissions are updated successfully and they are very similar. Yes, I can try to remove the permission manually. Is there any risk in corrupting or breaking the system? This is, I believe, one of three IPA servers in a multi-master replication. And we run our production website (basically our company) off of these servers. Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP? Upgrade will re-create permission. You have to directly using LDAP as Directory Manager Also please check in: cn=certprofiles,cn=ca,$SUFFIX if you have this ACI there aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfil ter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Mod ify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify C ertificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab ,dc=eng,dc=brq,dc=redhat,dc=com";) This may also cause an issue, so if removing of permission itself did not help (or permission does not exist) you may need to remove this ACI Martin From: Martin Basti [mailto:mbasti at redhat.com] Sent: Tuesday, October 11, 2016 9:47 AM To: John Popowitch; freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors That's weird because the code is checking if a permission exists before it tries to add a new one Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade? 
On 11.10.2016 15:53, John Popowitch wrote:

2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile
2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392
2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists
2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute
    anonymous_read_aci)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry
    self.conn.add_s(str(entry.dn), attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists
2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server
2016-10-10T19:51:38Z DEBUG Starting external process
2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at AWS-CAPPEX-COM.service'
2016-10-10T19:51:40Z DEBUG Process finished, return code=0
2016-10-10T19:51:40Z DEBUG stdout=
2016-10-10T19:51:40Z DEBUG stderr=
2016-10-10T19:51:40Z DEBUG duration: 1 seconds
2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-10-10T19:51:40Z DEBUG duration: 0 seconds
2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-10T19:51:40Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    raise admintool.ScriptError(str(e))

2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1)
2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1)

From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Tuesday, October 11, 2016 1:53 AM
To: John Popowitch; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

On 10.10.2016 23:30, John Popowitch wrote:
Hello FreeIPA community.
I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.
I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command."
But when I run ipa-server-upgrade I get an error:
ipa: ERROR: Upgrade failed with This entry already exists
When I run it in debug mode the last action before the error is:
ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile
It appears that several of the other managed permissions are processed successfully.
When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions.
I'm not familiar with FreeIPA so any help would be greatly appreciated.
Thanks in advance.
-John

Hello,

can you post the related part of ipaupgrade.log here?

Martin
-------------- next part --------------
An HTML attachment was scrubbed...
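The traceback above fails inside update_managed_permissions, the upgrade step that keeps each "System: ..." permission entry under cn=permissions,cn=pbac,$SUFFIX in step with the aci value that grants it on the container the permission targets. The follow-ups in this thread ask for exactly that comparison by hand: search the permission entry, search the aci on cn=certprofiles,cn=ca,$SUFFIX, and do both with a real bind, because ldapsearch -x without -D is an anonymous bind and IPA does not expose aci values to it. The script below is an added example written for this page, not FreeIPA code and not something a poster ran: it parses the LDIF returned by the two searches and reports orphaned ACIs, permissions without an ACI, and ACIs whose acl name and groupdn disagree. The suffix dc=example,dc=com, the ipapermlocation filter on the permission search, and the two LDIF samples are constructed assumptions; the sample ACI mirrors the one Martin posted.

```python
"""Cross-check FreeIPA managed permissions against the ACIs that grant them.

Added example for this thread, not FreeIPA's own code.  Feed it the LDIF
from the two searches below (suffix dc=example,dc=com and the
ipapermlocation filter are assumptions; the embedded sample LDIF is
constructed).  Bind as admin via GSSAPI or as Directory Manager: with an
anonymous 'ldapsearch -x' the aci attribute comes back empty and every
permission is reported as missing its ACI.

    kinit admin
    ldapsearch -Y GSSAPI -b 'cn=permissions,cn=pbac,dc=example,dc=com' \\
      '(ipapermlocation=cn=certprofiles,cn=ca,dc=example,dc=com)' cn ipapermlocation
    ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=example,dc=com' -s base aci
"""
import re

# FreeIPA names a permission's ACI 'permission:<name>' and delegates it to
# the permission entry's DN through the groupdn bind rule.
_ACL_NAME = re.compile(r'acl\s+"permission:([^"]+)"')
_GROUPDN = re.compile(r'groupdn\s*=\s*"ldap:///cn=([^,]+),cn=permissions,cn=pbac,', re.I)


def parse_ldif(ldif):
    """Parse LDIF text into a list of {attr: [values]} dicts, one per entry.

    Folded continuation lines (a leading single space, as ldapsearch prints
    long aci values) are rejoined first.  Base64 ('attr::') values are kept
    undecoded; the attributes checked here are never base64 in practice.
    """
    entries, current = [], {}
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def permission_names(perm_ldif, location):
    """cn of every permission entry whose ipapermlocation is `location`."""
    return {
        e["cn"][0]
        for e in parse_ldif(perm_ldif)
        if "cn" in e
        and location.lower() in (v.lower() for v in e.get("ipapermlocation", []))
    }


def permission_acis(target_ldif):
    """Map acl-clause permission name -> cn named in the groupdn, per ACI."""
    found = {}
    for entry in parse_ldif(target_ldif):
        for aci in entry.get("aci", []):
            name, group = _ACL_NAME.search(aci), _GROUPDN.search(aci)
            if name and group:
                found[name.group(1)] = group.group(1)
    return found


def cross_check(perm_ldif, target_ldif, location):
    """Return where permission entries and target ACIs disagree.

    orphan_acis:   ACI present on the target, no permission entry behind it
    missing_acis:  permission entry present, no ACI granting it
    name_mismatch: ACI whose acl name and groupdn name different permissions
    """
    perms = permission_names(perm_ldif, location)
    acis = permission_acis(target_ldif)
    return {
        "orphan_acis": sorted(n for n in acis if n not in perms),
        "missing_acis": sorted(p for p in perms if p not in acis),
        "name_mismatch": sorted(n for n, g in acis.items() if n != g),
    }


TARGET = "cn=certprofiles,cn=ca,dc=example,dc=com"

# Constructed sample: two permission entries, and a target container with one
# ACI matching a permission and one ACI whose permission entry is gone.
PERMISSIONS_LDIF = """\
dn: cn=System: Read Certificate Profiles,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Read Certificate Profiles
ipapermlocation: cn=certprofiles,cn=ca,dc=example,dc=com

dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=example,dc=com
cn: System: Modify Certificate Profile
ipapermlocation: cn=certprofiles,cn=ca,dc=example,dc=com
"""

CERTPROFILES_LDIF = """\
dn: cn=certprofiles,cn=ca,dc=example,dc=com
aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfil
 ter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Mod
 ify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify C
 ertificate Profile,cn=permissions,cn=pbac,dc=example,dc=com";)
aci: (target = "ldap:///cn=*,cn=certprofiles,cn=ca,dc=example,dc=com")(version
  3.0;acl "permission:System: Delete Certificate Profile";allow (delete) group
 dn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=
 example,dc=com";)
"""

if __name__ == "__main__":
    for kind, names in cross_check(PERMISSIONS_LDIF, CERTPROFILES_LDIF, TARGET).items():
        print(kind, names)
```

Run against live output, a name in orphan_acis is an aci value to remove with ldapmodify as Directory Manager (changetype: modify, delete: aci, then the exact value), and a name in missing_acis is what the upgrade will try to add again; Martin's advice in the thread is to remove the stale permission entry as Directory Manager and let ipa-server-upgrade re-create it. An empty aci list when you know the container has ACIs is the anonymous-bind symptom Alexander describes, not a clean result.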
URL: From abokovoy at redhat.com Tue Oct 11 19:44:09 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 11 Oct 2016 22:44:09 +0300 Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors In-Reply-To: <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> Message-ID: <20161011194409.466mqip5224rontc@redhat.com> On ti, 11 loka 2016, John Popowitch wrote: >It doesn't look like there are any entries. > ># ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s base aci 'ldapsearch -x' is 'use simple authentication instead of SASL' -- given that you didn't specify any identity for simple authentication, you are running an anonymous search. Martin asked you to 'kinit' as administrator and then use SASL GSSAPI. ACIs only available for retrieval to administrators. It is not a surprise that anonymous access does not see them. It would be good if you would have followed the example: >Here you have example > >kinit admin > >ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc=' -s base aci > >On 11.10.2016 17:48, John Popowitch wrote: >Thanks, Martin. >But I'm afraid you've gone beyond my level of LDAP knowledge. >How would I check for that ACI? 
>-John > >From: Martin Basti [mailto:mbasti at redhat.com] >Sent: Tuesday, October 11, 2016 10:38 AM >To: John Popowitch; freeipa-users at redhat.com >Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors > > > > >On 11.10.2016 17:21, John Popowitch wrote: >I agree that is weird. >Several of the other managed permissions are updated successfully and they are very similar. >Yes, I can try to remove the permission manually. >Is there any risk in corrupting or breaking the system? >This is, I believe, one of three IPA servers in a multi-master replication. >And we run our production website (basically our company) off of these servers. >Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP? > >Upgrade will re-create permission. > >You have to directly using LDAP as Directory Manager > >Also please check in: cn=certprofiles,cn=ca,$SUFFIX > >if you have this ACI there > >aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfil > ter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Mod > ify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify C > ertificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab > ,dc=eng,dc=brq,dc=redhat,dc=com";) > >This may also cause an issue, so if removing of permission itself did not help (or permission does not exist) you may need to remove this ACI > >Martin > > > > >From: Martin Basti [mailto:mbasti at redhat.com] >Sent: Tuesday, October 11, 2016 9:47 AM >To: John Popowitch; freeipa-users at redhat.com >Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors > > >That's weird because the code is checking if a permission exists before it tries to add a new one > >Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade? 
> > > >On 11.10.2016 15:53, John Popowitch wrote: >2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile >2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392 >2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists >2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade > self.modified = (ld.update(self.files) or self.modified) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update > self._run_updates(all_updates) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates > self._run_update_plugin(update['plugin']) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin > restart_ds, updates = self.api.Updater[plugin_name]() > File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__ > return self.execute(**options) > File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute > anonymous_read_aci) > File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission > ldap.add_entry(entry) > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry > self.conn.add_s(str(entry.dn), attrs.items()) > File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ > self.gen.throw(type, value, traceback) > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler > raise errors.DuplicateEntry() >DuplicateEntry: This entry already exists > >2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation > run_step(full_msg, method) > File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step > method() > File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade > raise RuntimeError(e) >RuntimeError: This entry already exists > >2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists >2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server >2016-10-10T19:51:38Z DEBUG Starting external process >2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at AWS-CAPPEX-COM.service' >2016-10-10T19:51:40Z DEBUG Process finished, return code=0 >2016-10-10T19:51:40Z DEBUG stdout= >2016-10-10T19:51:40Z DEBUG stderr= >2016-10-10T19:51:40Z DEBUG duration: 1 seconds >2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG duration: 0 seconds >2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 
>2016-10-10T19:51:40Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute > return_value = self.run() > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run > raise admintool.ScriptError(str(e)) > >2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1) >2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1) > > > >From: Martin Basti [mailto:mbasti at redhat.com] >Sent: Tuesday, October 11, 2016 1:53 AM >To: John Popowitch; freeipa-users at redhat.com >Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors > > > > >On 10.10.2016 23:30, John Popowitch wrote: >Hello FreeIPA community. >I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2. >I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command." >But when I run ipa-server-upgrade I get an error: >ipa: ERROR: Upgrade failed with This entry already exists >When I run it in debug mode the last action before the error is: >ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile >It appears that several of the other managed permissions are processed successfully. >When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions. >I'm not familiar with FreeIPA so any help would be greatly appreciated. >Thanks in advance. >-John > > > > > > > >Hello, > >can you post the related part of ipaupgrade.log here? 
> >Martin > > > >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project -- / Alexander Bokovoy From jpopowitch at cappex.com Tue Oct 11 20:01:47 2016 From: jpopowitch at cappex.com (John Popowitch) Date: Tue, 11 Oct 2016 20:01:47 +0000 Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors In-Reply-To: <20161011194409.466mqip5224rontc@redhat.com> References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> <20161011194409.466mqip5224rontc@redhat.com> Message-ID: <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net> Ah, yes, thank you, Alexander. I agree it would help if I followed the example better. It would also help if I understood the example so a little description of what each command does would be very helpful. It looks like that ACI record does exist. Now how would I remove these LDAP records? -----Original Message----- From: Alexander Bokovoy [mailto:abokovoy at redhat.com] Sent: Tuesday, October 11, 2016 2:44 PM To: John Popowitch Cc: Martin Basti; freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors On ti, 11 loka 2016, John Popowitch wrote: >It doesn't look like there are any entries. 
> ># ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s >base aci 'ldapsearch -x' is 'use simple authentication instead of SASL' -- given that you didn't specify any identity for simple authentication, you are running an anonymous search. Martin asked you to 'kinit' as administrator and then use SASL GSSAPI. ACIs only available for retrieval to administrators. It is not a surprise that anonymous access does not see them. It would be good if you would have followed the example: >Here you have example > >kinit admin > >ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc=' >-s base aci > >On 11.10.2016 17:48, John Popowitch wrote: >Thanks, Martin. >But I'm afraid you've gone beyond my level of LDAP knowledge. >How would I check for that ACI? >-John > >From: Martin Basti [mailto:mbasti at redhat.com] >Sent: Tuesday, October 11, 2016 10:38 AM >To: John Popowitch; >freeipa-users at redhat.com >Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to >run ipa-server-upgrade, but has errors > > > > >On 11.10.2016 17:21, John Popowitch wrote: >I agree that is weird. >Several of the other managed permissions are updated successfully and they are very similar. >Yes, I can try to remove the permission manually. >Is there any risk in corrupting or breaking the system? >This is, I believe, one of three IPA servers in a multi-master replication. >And we run our production website (basically our company) off of these servers. >Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP? > >Upgrade will re-create permission. 
> >You have to directly using LDAP as Directory Manager > >Also please check in: cn=certprofiles,cn=ca,$SUFFIX > >if you have this ACI there > >aci: (targetattr = "cn || description || >ipacertprofilestoreissued")(targetfil > ter = "(objectclass=ipacertprofile)")(version 3.0;acl >"permission:System: Mod ify Certificate Profile";allow (write) groupdn >= "ldap:///cn=System: Modify C ertificate >Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab > ,dc=eng,dc=brq,dc=redhat,dc=com";) > >This may also cause an issue, so if removing of permission itself did >not help (or permission does not exist) you may need to remove this ACI > >Martin > > > > >From: Martin Basti [mailto:mbasti at redhat.com] >Sent: Tuesday, October 11, 2016 9:47 AM >To: John Popowitch; >freeipa-users at redhat.com >Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to >run ipa-server-upgrade, but has errors > > >That's weird because the code is checking if a permission exists before >it tries to add a new one > >Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade? 
> > > >On 11.10.2016 15:53, John Popowitch wrote: >2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify >Certificate Profile 2016-10-10T19:51:38Z DEBUG Destroyed connection >context.ldap2_82077392 2016-10-10T19:51:38Z ERROR Upgrade failed with >This entry already exists 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade > self.modified = (ld.update(self.files) or self.modified) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update > self._run_updates(all_updates) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates > self._run_update_plugin(update['plugin']) > File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin > restart_ds, updates = self.api.Updater[plugin_name]() > File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__ > return self.execute(**options) > File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute > anonymous_read_aci) > File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission > ldap.add_entry(entry) > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry > self.conn.add_s(str(entry.dn), attrs.items()) > File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ > self.gen.throw(type, value, traceback) > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler > raise errors.DuplicateEntry() >DuplicateEntry: This entry already exists > >2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation > run_step(full_msg, method) > File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step > method() > File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade > raise RuntimeError(e) >RuntimeError: This entry already exists > >2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists >2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server >2016-10-10T19:51:38Z DEBUG Starting external process >2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at AWS-CAPPEX-COM.service' >2016-10-10T19:51:40Z DEBUG Process finished, return code=0 >2016-10-10T19:51:40Z DEBUG stdout= 2016-10-10T19:51:40Z DEBUG stderr= >2016-10-10T19:51:40Z DEBUG duration: 1 seconds >2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >2016-10-10T19:51:40Z DEBUG duration: 0 seconds >2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 
>2016-10-10T19:51:40Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute > return_value = self.run() > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run > raise admintool.ScriptError(str(e)) > >2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, >exception: ScriptError: ('IPA upgrade failed.', 1) 2016-10-10T19:51:40Z >ERROR ('IPA upgrade failed.', 1) > > > >From: Martin Basti [mailto:mbasti at redhat.com] >Sent: Tuesday, October 11, 2016 1:53 AM >To: John Popowitch; >freeipa-users at redhat.com >Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to >run ipa-server-upgrade, but has errors > > > > >On 10.10.2016 23:30, John Popowitch wrote: >Hello FreeIPA community. >I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2. >I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command." >But when I run ipa-server-upgrade I get an error: >ipa: ERROR: Upgrade failed with This entry already exists When I run it >in debug mode the last action before the error is: >ipa.ipaserver.install.plugins.update_managed_permissions.update_managed >_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile It appears that several of the other managed permissions are processed successfully. >When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions. >I'm not familiar with FreeIPA so any help would be greatly appreciated. >Thanks in advance. >-John > > > > > > > >Hello, > >can you post the related part of ipaupgrade.log here? 
> >Martin
> >
> >--
> >Manage your subscription for the Freeipa-users mailing list:
> >https://www.redhat.com/mailman/listinfo/freeipa-users
> >Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy

From fdinoto at gmail.com Tue Oct 11 20:26:39 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Tue, 11 Oct 2016 13:26:39 -0700
Subject: [Freeipa-users] Replication attrlist_replace nsslapd-referral failed
In-Reply-To:
References:
Message-ID:

Things have been working better (so far) after taking some steps I read here:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00257.html

On Mon, Oct 10, 2016 at 6:48 PM, Fil Di Noto wrote:
> After an IPA server is re-initialized it immediately begins failing incremental updates. I checked the kerberos logs and things appear to be ok there, I can manually test LDAP from all servers against all other servers.
>
> There is a DS5ReplicaBindDN entry in "dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" for an IPA server that no longer exists. But all IPA living servers have an entry for all other living servers.
> There is the correct number of cn=master, and cn=ca, and the caRenewalMaster is set on the correct master.
>
> "ipa-replica-manage del --force --clean " does not remove the entry.
>
> There were some RUV from the old servers also and I cleaned them. The man page says if a clean is run on the wrong ID then the server should be re-initialized, so I just did that on purpose and re-initialized one of the servers and that has cleared the NSMMReplicationPlugin error (so far) but I am still getting the attrlist_replace error.
>
> I'm getting no indication of kerberos problems. Could it be the NSACLPlugin? It precedes the other error every time but that is probably just regular startup procedure, and having an ACL for something that doesn't exist doesn't feel like a fatal error to me. I didn't do the KRA install.
>
> [root at ipa05 slapd-example-com]# tail -f errors
> [10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist
> [10/Oct/2016:23:27:57 +0000] agmt="cn=meToipa07.example.com" (ipa07:389) - Can't locate CSN 57fc2e7f000a000d0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=meToipa07.example.com" (ipa07:389): CSN 57fc2e7f000a000d0000 not found, we aren't as up to date, or we purged
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Data required to update replica has been purged. The replica must be reinitialized.
> [10/Oct/2016:23:27:57 +0000] NSMMReplicationPlugin - agmt="cn=meToipa07.example.com" (ipa07:389): Incremental update failed and requires administrator action
> [10/Oct/2016:23:29:09 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa07.example.com:389/o%3Dipaca) failed.

From tyrell at jentink.net Tue Oct 11 22:35:57 2016
From: tyrell at jentink.net (Tyrell Jentink)
Date: Tue, 11 Oct 2016 15:35:57 -0700
Subject: [Freeipa-users] IPA Client Install problems
Message-ID:

First off... new to the list, thank you in advance for your assistance!

My server is Fedora 24 Server, running in a VirtualBox virtual machine. I have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories, and dnf says it's up to date. FreeIPA has a trust set up with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to be working...

The first client I connected was a Raspberry Pi running Pidora.
This client appears to have connected fine, and appears to be working (I guess I haven't tried logging in as an ActiveDirectory user; But it's certainly NOT having any DNS issues, as other clients are; See below...) Then I tried connecting a second client, a system running Fedora 24 with FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to plan... Here's the output of ipa-client-install: > Discovery was successful! > Client hostname: trainmaster.ipa.rxrhouse.net > Realm: IPA.RXRHOUSE.NET > DNS Domain: ipa.rxrhouse.net > IPA Server: ipa-pdc.ipa.rxrhouse.net > BaseDN: dc=ipa,dc=rxrhouse,dc=net > Continue to configure the system with these values? [no]: yes > Synchronizing time with KDC... > Attempting to sync time using ntpd. Will timeout after 15 seconds > Attempting to sync time using ntpd. Will timeout after 15 seconds > Unable to sync time with NTP server, assuming the time is in sync. Please > check > > that 123 UDP port is opened. > User authorized to enroll computers: admin > Password for admin at IPA.RXRHOUSE.NET: > Successfully retrieved CA cert > Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET > Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET > Valid From: Thu Sep 08 17:27:47 2016 UTC > Valid Until: Mon Sep 08 17:27:47 2036 UTC > Enrolled in IPA realm IPA.RXRHOUSE.NET > Created /etc/ipa/default.conf > New SSSD config will be created > Configured sudoers in /etc/nsswitch.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET > trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json > Forwarding 'ping' to json server ' > https://ipa-pdc.ipa.rxrhouse.net/ipa/json' > Forwarding 'ca_is_enabled' to json server ' > https://ipa-pdc.ipa.rxrhouse.net/ipa/json' > Systemwide CA database updated. > Failed to update DNS records. > Missing reverse record(s) for address(es): 10.42.0.100. 
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub > Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub > Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub > Forwarding 'host_mod' to json server ' > https://ipa-pdc.ipa.rxrhouse.net/ipa/json' > Could not update DNS SSHFP records. > SSSD enabled > Configured /etc/openldap/ldap.conf > NTP enabled > Configured /etc/ssh/ssh_config > Configured /etc/ssh/sshd_config > Configuring ipa.rxrhouse.net as NIS domain. > Client configuration complete. Of concern, the installer failed to update DNS records, resulting in a missing reverse record, and eventually failing to update the DNS SSHFP records. Looking in the Web UI for FreeIPA server, I see that the client is registered, but it doesn't have any SSH keys , and as expected, doesn't have a reverse zone... But the Raspberry Pi DOES. Just to be fully sure something was wrong... I tried connecting with a clean install of Fedora 24 running in a virtual machine, and had the same issue. I've googled around, and can't find anyone having any similar issues... And I didn't accidentally stumble across anything interesting while exploring logs... But I honestly don't know where to look. TO BE CLEAR, things appear to work just fine from freeipa-client version 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the latest versions from Fedora 24 on x86_64 hardware... Where should I look first? Thank you for any assistance... -- Tyrell Jentink -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue Oct 11 22:52:27 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 11 Oct 2016 18:52:27 -0400 Subject: [Freeipa-users] IPA Client Install problems In-Reply-To: References: Message-ID: <57FD6D2B.5040308@redhat.com> Tyrell Jentink wrote: > First off... new to the list, thank you in advance for your assistance! > > My server is Fedora 24 Server, running in a VirtualBox virtual machine. 
> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard > repositories, and dnf says it's up to date. FreeIPA has a trust set up > with an Windows Server 2012r2 ActiveDirectory server, and it APPEARS to > be working... > > The first client I connected was a Raspberry Pi running Pidora. This > client appears to have connected fine, and appears to be working (I > guess I haven't tried logging in as an ActiveDirectory user; But it's > certainly NOT having any DNS issues, as other clients are; See below...) > > Then I tried connecting a second client, a system running Fedora 24 with > FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to > plan... Here's the output of ipa-client-install: > > Discovery was successful! > Client hostname: trainmaster.ipa.rxrhouse.net > > Realm: IPA.RXRHOUSE.NET > DNS Domain: ipa.rxrhouse.net > IPA Server: ipa-pdc.ipa.rxrhouse.net > BaseDN: dc=ipa,dc=rxrhouse,dc=net > Continue to configure the system with these values? [no]: yes > Synchronizing time with KDC... > Attempting to sync time using ntpd. Will timeout after 15 seconds > Attempting to sync time using ntpd. Will timeout after 15 seconds > Unable to sync time with NTP server, assuming the time is in sync. > Please check > > that 123 UDP port is opened. 
> User authorized to enroll computers: admin > Password for admin at IPA.RXRHOUSE.NET : > Successfully retrieved CA cert > Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET > > Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET > > Valid From: Thu Sep 08 17:27:47 2016 UTC > Valid Until: Mon Sep 08 17:27:47 2036 UTC > Enrolled in IPA realm IPA.RXRHOUSE.NET > Created /etc/ipa/default.conf > New SSSD config will be created > Configured sudoers in /etc/nsswitch.conf > Configured /etc/sssd/sssd.conf > Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET > > trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json > Forwarding 'ping' to json server > 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json' > Forwarding 'ca_is_enabled' to json server > 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json' > Systemwide CA database updated. > Failed to update DNS records. > Missing reverse record(s) for address(es): 10.42.0.100. > Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub > Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub > Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub > Forwarding 'host_mod' to json server > 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json' > Could not update DNS SSHFP records. > SSSD enabled > Configured /etc/openldap/ldap.conf > NTP enabled > Configured /etc/ssh/ssh_config > Configured /etc/ssh/sshd_config > Configuring ipa.rxrhouse.net as NIS domain. > Client configuration complete. > > > Of concern, the installer failed to update DNS records, resulting in a > missing reverse record, and eventually failing to update the DNS SSHFP > records. Looking in the Web UI for FreeIPA server, I see that the > client is registered, but it doesn't have any SSH keys , and as > expected, doesn't have a reverse zone... But the Raspberry Pi DOES. > > Just to be fully sure something was wrong... I tried connecting with a > clean install of Fedora 24 running in a virtual machine, and had the > same issue. 
> I've googled around, and can't find anyone having any
> similar issues... And I didn't accidentally stumble across anything
> interesting while exploring logs... But I honestly don't know where to
> look.
>
> TO BE CLEAR, things appear to work just fine from freeipa-client version
> 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the
> latest versions from Fedora 24 on x86_64 hardware...
>
> Where should I look first? Thank you for any assistance...

Look in /var/log/ipaclient-install.log for debug logging of the install.

rob

From alan at instinctualsoftware.com Wed Oct 12 00:43:21 2016
From: alan at instinctualsoftware.com (Alan Latteri)
Date: Tue, 11 Oct 2016 17:43:21 -0700
Subject: [Freeipa-users] FreeIPA and Samba
In-Reply-To:
References: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru> <1475775086.2849.3.camel@lgs.com.ve>
Message-ID:

I am trying to get this to work, but our Samba server is not the same machine as our IPA server, and these instructions seem to assume that. Any ideas? All I need is the 1 windows machine in our network to be able to access our linux based server, using the same user/pass as that of our IPA authenticated linux machines.

> On Oct 10, 2016, at 1:35 PM, Aleksey Stepanenko wrote:
>
> I read again the topic http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
> It works exactly as I wanted
>
> ipa-adtrust-install created next configuration:
> $ net conf list
> [global]
>         workgroup = WORKGROUP
>         netbios name = SMB
>         realm = GW.SPB.RU
>         kerberos method = dedicated keytab
>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>         create krb5 conf = no
>         security = user
>         domain master = yes
>         domain logons = yes
>         log level = 1
>         max log size = 100000
>         log file = /var/log/samba/log.%m
>         passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
>         disable spoolss = yes
>         ldapsam:trusted = yes
>         ldap ssl = off
>         ldap suffix = dc=gw,dc=spb,dc=ru
>         ldap user suffix = cn=users,cn=accounts
>         ldap group suffix = cn=groups,cn=accounts
>         ldap machine suffix = cn=computers,cn=accounts
>         rpc_server:epmapper = external
>         rpc_server:lsarpc = external
>         rpc_server:lsass = external
>         rpc_server:lsasd = external
>         rpc_server:samr = external
>         rpc_server:netlogon = external
>         rpc_server:tcpip = yes
>         rpc_daemon:epmd = fork
>         rpc_daemon:lsasd = fork
>
> But I don't understand why it wasn't put to smb.conf directly.
>
> The second problem is 'passdb backend'. I didn't find any documentation about this module. An attempt to replace a file socket on net connection failed. And I had to make LDAP replication. It was easy, but "ipa-replica-prepare" installed whole IPA server (tomcat, java, ldap), not only ldap-server. I need to continue to read documentation. However the problem was solved.
>
> 06.10.2016 23:51, Aleksey Stepanenko wrote:
>> Thank you for your reply.
>>
>> I've got Samba server for a company, accounts are created by hand. Clients are different windows or linux desktops.
>>
>> I want to install FreeIPA and have one area for managing accounts (SMB, SSH-access for others servers). Now, I prepare clean samba installation for testing. It would be great to use FreeIPA as authorization server for samba.
>>
>> I was looking for information about samba + freeIPA, but I found only this document. Maybe, I miss obvious things.
>>
>>
>> 06.10.2016 20:31, Loris Santamaria wrote:
>>> The document you are linking to explains how to configure a samba file
>>> server in a freeipa domain, which is one of many ways you can configure
>>> and use a samba server.
>>>
>>> What do you want to achieve with samba, and what is your current setup?
>>>
>>>
>>> On Thu, 2016-10-06 at 19:23 +0300, Aleksey Stepanenko wrote:
>>>> Hello.
>>>>
>>>> I've read the topic about FreeIPA and SAMBA
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>> If I understand clearly, samba's client must be present in
>>>> FreeIPA AD.
>>>> Unfortunately, it does not work for me. I can't join some work
>>>> desktops
>>>> to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
>>>> ldap support
>>>>
>>>> ldap admin dn
>>>> ldap group suffix
>>>> ldap idmap suffix
>>>> ldap machine suffix
>>>> ldap passwd sync
>>>> ldap suffix
>>>> ldap user suffix
>>>>
>>>> Does it work with IPA?
>>>>
>>>> Thanks.
>>>>
>>
>>
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From tyrell at jentink.net Wed Oct 12 01:24:41 2016
From: tyrell at jentink.net (Tyrell Jentink)
Date: Tue, 11 Oct 2016 18:24:41 -0700
Subject: [Freeipa-users] IPA Client Install problems
In-Reply-To: <57FD6D2B.5040308@redhat.com>
References: <57FD6D2B.5040308@redhat.com>
Message-ID:

Thank you, Rob.
For reference, my full log can be found here: http://pastebin.com/6VLaQjYw

But I would postulate that the interesting bit is this:

> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> trainmaster.ipa.rxrhouse.net. 0 ANY A
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815 1476223815 3 NOERROR 683
>   YIICpwYJKoZIhvcSAQICAQBuggKWMIICkqADAgEFoQMCAQ6iBwMFACAA
>   AACjggGIYYIBhDCCAYCgAwIBBaESGxBJUEEuUlhSSE9VU0UuTkVUoiow
>   KKADAgEBoSEwHxsDRE5TGxhpcGEtcGRjLmlwYS5yeHJob3VzZS5uZXSj
>   ggE3MIIBM6ADAgESoQMCAQKiggElBIIBIeFubKS/x0aKfc7u/f9Z5Ro8
>   pZZ4RkIlwOWAAuiSxJNmoaIhYgYNitn2pkAII+eKtdialtAI/1418exm
>   sM7zahCj0MWpBIYQZB4tsN9JZMaKF7SK5TlewH9mZitjd+hbQ5iwjklV
>   8P6OOMsIRIytywnd8eD/988GQz3C5CfBU1pQM5Bkox4vSRawZJRUy0xx
>   C8H4nOOPsJZd9AozsaAZSR4EeA05IbW+gxxIeXjShPDwRF6fs4sNxZUt
>   FEkdujVZOaM4M4olLadzScsXDi2pO/8WqjJdDwMfLD95+CHSiFMSyJqy
>   nwem6dzJTJvyLTq4fKO+ajmUHw5tV30Pg7w9krEiFSTuFkCmKW1a2GQo
>   5Lm3VQF34cnYTA+5K8yEwLiTqX+kgfAwge2gAwIBEqKB5QSB4u9m77de
>   VD1pQ+DUyBKaC2jOgD/uUWAyfNNojNAtKAMGbHzDWSRASe1Xd+RNgwIa
>   QdT2PC6kHbJMz9jaJu/0fxC9JmPp6Qe6p8CGaQ6IvPGm4838TlGdGhuS
>   YpUwVAEqvl85S23+yT3Qo/O8Qffhi4i/WDdiBHGGDrKF4CCZXJrr/F+L Pd8oabRE81h+
>   4Tu7KBTApBwWYFYQSct7Q9ZrFiUuQzbpc2ZjXaVLi3ai uvH2NLWvLwxt8Z8PYRHgTrEYb/QfEluP2qfbo6XuO4UHoF7rN8d28bnw
>   bhUsEYaVs1r8Pxk= 0
>
>
> 2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18681
> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;trainmaster.ipa.rxrhouse.net. IN SOA
>
> ;; AUTHORITY SECTION:
> ipa.rxrhouse.net. 60 IN SOA ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
>
> ;; ADDITIONAL SECTION:
> ipa-pdc.ipa.rxrhouse.net. 353 IN A 10.42.0.11
>
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ANSWER SECTION:
> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678 1466728078 3 NOERROR 101
>   YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw
>   MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
>   AwIBAaELMAkbB2FkLXBkYyQ= 0
>
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Message stream modified.
>
> 2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-11T22:10:15Z ERROR Failed to update DNS records.

This isn't the first time I've seen this "Unspecified GSS failure [...] Message stream modified" error, and I suspect it to be the root of my problem... But my google-foo is not strong with this one... I'm not sure how to proceed.

On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden wrote:
> Tyrell Jentink wrote:
>
>> First off... new to the list, thank you in advance for your assistance!
>>
>> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
>> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
>> repositories, and dnf says it's up to date.
>> FreeIPA has a trust set up
>> with a Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
>> be working...
>>
>> The first client I connected was a Raspberry Pi running Pidora. This
>> client appears to have connected fine, and appears to be working (I
>> guess I haven't tried logging in as an ActiveDirectory user; But it's
>> certainly NOT having any DNS issues, as other clients are; See below...)
>>
>> Then I tried connecting a second client, a system running Fedora 24 with
>> FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
>> plan... Here's the output of ipa-client-install:
>>
>> Discovery was successful!
>> Client hostname: trainmaster.ipa.rxrhouse.net
>> Realm: IPA.RXRHOUSE.NET
>> DNS Domain: ipa.rxrhouse.net
>> IPA Server: ipa-pdc.ipa.rxrhouse.net
>> BaseDN: dc=ipa,dc=rxrhouse,dc=net
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> Attempting to sync time using ntpd. Will timeout after 15 seconds
>> Attempting to sync time using ntpd. Will timeout after 15 seconds
>> Unable to sync time with NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.
>> User authorized to enroll computers: admin
>> Password for admin@IPA.RXRHOUSE.NET:
>> Successfully retrieved CA cert
>>     Subject:     CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>>     Issuer:      CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>>     Valid From:  Thu Sep 08 17:27:47 2016 UTC
>>     Valid Until: Mon Sep 08 17:27:47 2036 UTC
>> Enrolled in IPA realm IPA.RXRHOUSE.NET
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
>> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
>> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Systemwide CA database updated.
>> Failed to update DNS records.
>> Missing reverse record(s) for address(es): 10.42.0.100.
>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>> Could not update DNS SSHFP records.
>> SSSD enabled
>> Configured /etc/openldap/ldap.conf
>> NTP enabled
>> Configured /etc/ssh/ssh_config
>> Configured /etc/ssh/sshd_config
>> Configuring ipa.rxrhouse.net as NIS domain.
>> Client configuration complete.
>>
>>
>> Of concern, the installer failed to update DNS records, resulting in a
>> missing reverse record, and eventually failing to update the DNS SSHFP
>> records. Looking in the Web UI for FreeIPA server, I see that the
>> client is registered, but it doesn't have any SSH keys, and as
>> expected, doesn't have a reverse zone... But the Raspberry Pi DOES.
>>
>> Just to be fully sure something was wrong... I tried connecting with a
>> clean install of Fedora 24 running in a virtual machine, and had the
>> same issue.
>> I've googled around, and can't find anyone having any
>> similar issues... And I didn't accidentally stumble across anything
>> interesting while exploring logs... But I honestly don't know where to
>> look.
>>
>> TO BE CLEAR, things appear to work just fine from freeipa-client version
>> 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the
>> latest versions from Fedora 24 on x86_64 hardware...
>>
>> Where should I look first? Thank you for any assistance...
>>
>
> Look in /var/log/ipaclient-install.log for debug logging of the install.
>
> rob
>

From loris at lgs.com.ve Wed Oct 12 01:47:51 2016
From: loris at lgs.com.ve (Loris Santamaria)
Date: Tue, 11 Oct 2016 21:47:51 -0400
Subject: [Freeipa-users] FreeIPA and Samba
In-Reply-To:
References: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru> <1475775086.2849.3.camel@lgs.com.ve>
Message-ID: <1476236871.2776.15.camel@lgs.com.ve>

If you just need to join a handful of windows machines to a freeIPA domain, try with these instructions:

https://www.redhat.com/archives/freeipa-users/2013-September/msg00226.html

Best regards

On Tue, 2016-10-11 at 17:43 -0700, Alan Latteri wrote:
> I am trying to get this to work, but our Samba server is not the same machine as our IPA server, and these instructions seem to assume that. Any ideas? All I need is the 1 windows machine in our network to be able to access our linux based server, using the same user/pass as that of our IPA authenticated linux machines.
>
>> On Oct 10, 2016, at 1:35 PM, Aleksey Stepanenko wrote:
>>
>> I read again the topic http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
>>
>> It works exactly as I wanted. ipa-adtrust-install created next configuration:
>>
>> $ net conf list
>> [global]
>>         workgroup = WORKGROUP
>>         netbios name = SMB
>>         realm = GW.SPB.RU
>>         kerberos method = dedicated keytab
>>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>>         create krb5 conf = no
>>         security = user
>>         domain master = yes
>>         domain logons = yes
>>         log level = 1
>>         max log size = 100000
>>         log file = /var/log/samba/log.%m
>>         passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
>>         disable spoolss = yes
>>         ldapsam:trusted = yes
>>         ldap ssl = off
>>         ldap suffix = dc=gw,dc=spb,dc=ru
>>         ldap user suffix = cn=users,cn=accounts
>>         ldap group suffix = cn=groups,cn=accounts
>>         ldap machine suffix = cn=computers,cn=accounts
>>         rpc_server:epmapper = external
>>         rpc_server:lsarpc = external
>>         rpc_server:lsass = external
>>         rpc_server:lsasd = external
>>         rpc_server:samr = external
>>         rpc_server:netlogon = external
>>         rpc_server:tcpip = yes
>>         rpc_daemon:epmd = fork
>>         rpc_daemon:lsasd = fork
>>
>> But I don't understand why it wasn't put to smb.conf directly.
>>
>> The second problem is 'passdb backend'. I didn't find any documentation about this module. An attempt to replace a file socket on net connection failed. And I had to make LDAP replication. It was easy, but "ipa-replica-prepare" installed whole IPA server (tomcat, java, ldap), not only ldap-server. I need to continue to read documentation. However the problem was solved.
>>
>> 06.10.2016 23:51, Aleksey Stepanenko wrote:
>>> Thank you for your reply.
>>>
>>> I've got Samba server for a company, accounts are created by hand. Clients are different windows or linux desktops.
>>>
>>> I want to install FreeIPA and have one area for managing accounts (SMB, SSH-access for others servers). Now, I prepare clean samba installation for testing. It would be great to use FreeIPA as authorization server for samba.
>>>
>>> I was looking for information about samba + freeIPA, but I found only this document. Maybe, I miss obvious things.
>>>
>>>
>>> 06.10.2016 20:31, Loris Santamaria wrote:
>>>> The document you are linking to explains how to configure a samba file
>>>> server in a freeipa domain, which is one of many ways you can configure
>>>> and use a samba server.
>>>>
>>>> What do you want to achieve with samba, and what is your current setup?
>>>>
>>>>
>>>> On Thu, 2016-10-06 at 19:23 +0300, Aleksey Stepanenko wrote:
>>>>> Hello.
>>>>>
>>>>> I've read the topic about FreeIPA and SAMBA
>>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>
>>>>> If I understand clearly, samba's client must be present in
>>>>> FreeIPA AD.
>>>>> Unfortunately, it does not work for me. I can't join some work
>>>>> desktops
>>>>> to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
>>>>> ldap support
>>>>>
>>>>> ldap admin dn
>>>>> ldap group suffix
>>>>> ldap idmap suffix
>>>>> ldap machine suffix
>>>>> ldap passwd sync
>>>>> ldap suffix
>>>>> ldap user suffix
>>>>>
>>>>> Does it work with IPA?
>>>>>
>>>>> Thanks.
>>>>>
>>>
>>
>

--
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford

From rns at unimelb.edu.au Wed Oct 12 04:23:51 2016
From: rns at unimelb.edu.au (Robert Sturrock)
Date: Wed, 12 Oct 2016 15:23:51 +1100
Subject: [Freeipa-users] External (AD) groups and sudo/hbac in IPA 4.2
Message-ID:

Hi All.

We're attempting to setup an IPA (4.2) service on RHEL7.2 to provide better connectivity to our (large) organisational AD service for Linux clients.
We have setup IPA and configured a suitable AD trust (with SID POSIX mapping) in the hope that users will be able to access IPA resources (hosts, storage) using existing AD credentials and groups. This is working fine - we can login to Linux hosts using AD credentials and see the AD groups.

However, it would appear that in order to use AD group membership as the basis for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an equivalent IPA (POSIX) group? Is this correct?

I can see that it's possible to define 'external' *users* (not groups) in some cases, but this function appears to be deprecated.

We have large numbers of groups in our AD (~50k), so obviously that's a lot of mapping!

Regards,

Robert.

From datakid at gmail.com Wed Oct 12 04:56:26 2016
From: datakid at gmail.com (Lachlan Musicman)
Date: Wed, 12 Oct 2016 15:56:26 +1100
Subject: [Freeipa-users] External (AD) groups and sudo/hbac in IPA 4.2
In-Reply-To:
References:
Message-ID:

On 12 October 2016 at 15:23, Robert Sturrock wrote:
> Hi All.
>
> We're attempting to setup an IPA (4.2) service on RHEL7.2 to provide
> better connectivity to our (large) organisational AD service for Linux
> clients.
>
> We have setup IPA and configured a suitable AD trust (with SID POSIX
> mapping) in the hope that users will be able to access IPA resources
> (hosts, storage) using existing AD credentials and groups. This is working
> fine - we can login to Linux hosts using AD credentials and see the AD
> groups.
>
> However, it would appear that in order to use AD group membership as the
> basis for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an
> equivalent IPA (POSIX) group? Is this correct?
>
> I can see that it's possible to define 'external' *users* (not groups) in
> some cases, but this function appears to be deprecated.
>
> We have large numbers of groups in our AD (~50k), so obviously that's a
> lot of mapping!
>

Hi Rob,

It should work with groups no problems. We found a few issues with sssd <1.14. To get the up to date sssd for the hosts, the best bet is the COPR repos https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/

As for groups working with HBAC, it should work no problems. Yes to mapping though. Here is the process:

1. Create an external group for your AD users/groups
2. Add AD group name to that external group (this AD group's existence will be confirmed by IPA->AD trust or command will fail)
3. Create POSIX group
4. Add group created in step 1 to group created in step 3

And here are some example commands to do that, as we executed them here, in the same order:

ipa group-add --desc="petermac.org.au external map" ad_users_external --external
ipa group-add-member ad_external --external 'PMCI\Bioinf-Cluster'
ipa group-add --desc="petermac.org.au AD users" ad_users
ipa group-add-member ad_users --groups ad_users_external

Let me know how you go

L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

From abokovoy at redhat.com Wed Oct 12 05:35:43 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 12 Oct 2016 08:35:43 +0300
Subject: [Freeipa-users] External (AD) groups and sudo/hbac in IPA 4.2
In-Reply-To:
References:
Message-ID: <20161012053543.erier5bvjnz533tw@redhat.com>

On Wed, 12 Oct 2016, Robert Sturrock wrote:
>Hi All.
>
>We're attempting to setup an IPA (4.2) service on RHEL7.2 to provide
>better connectivity to our (large) organisational AD service for Linux
>clients.
>
>We have setup IPA and configured a suitable AD trust (with SID POSIX
>mapping) in the hope that users will be able to access IPA resources
>(hosts, storage) using existing AD credentials and groups. This is
>working fine - we can login to Linux hosts using AD credentials and see
>the AD groups.
>
>However, it would appear that in order to use AD group membership as
>the basis for Linux HBAC or sudo, we need to firstly _map_ the AD
>groups to an equivalent IPA (POSIX) group? Is this correct?
In HBAC and SUDO rules you need to make sure two things are in place:

- on the host level the identities which are subject to the rules are
  available in POSIX namespace
- on the LDAP server level the identities which are subject to the rules
  are real LDAP objects in IPA LDAP server. This is how LDAP schema is built.

AD users and groups do not exist in IPA LDAP server, thus they need to be somehow presented there. This is an important technical limitation, an alternative to which is inherent integrity inconsistency. We don't want to have inconsistent data relationships.

'External' groups are a means to solve this, thanks to the nested group support in IPA LDAP. On the host level SSSD translates these 'external' group members to POSIX identities and since POSIX group namespace is flat, this works well.

>
>I can see that it's possible to define 'external' *users* (not groups)
>in some cases, but this function appears to be deprecated.
You don't need to map groups only, the mechanism we built allows you to specify any resolvable (by SSSD on IPA master) SID of an object from Active Directory. This means that specifying

ipa group-add-member my_external_group --external 'AD\ShinyUser'

is going to work in the same way as

ipa group-add-member my_external_group --external 'AD\Shiny Members'

-- as long as SIDs for 'AD\ShinyUser' and 'AD\Shiny Members' objects are resolvable by SSSD on the IPA master in question, you can add them as members of the 'my_external_group'. Your 'my_external_group' can have a mixture of members and SSSD will do a resolution of those when performing HBAC rules checks.

This all works because POSIX namespace has no nested groups, so any nested group membership that leads 'AD\ShinyUser' to be a member of a POSIX group will result in 'AD\ShinyUser' being treated as a member of the POSIX group in question.

Where did you find a sign or statement that mapping 'external' users is a deprecated feature?

>We have large numbers of groups in our AD (~50k), so obviously that's a
>lot of mapping!
Do you really need to have all ~50K groups mapped to assign access controls on the Linux side? While those ~50K on the AD side may make sense for AD access, we found out that in many cases access patterns on the Linux side are quite different to the group distribution on AD side so people end up creating a different group distribution, thus making the use of 'external' groups a feature rather than a limitation.

--
/ Alexander Bokovoy

From rakesh.rajasekharan at gmail.com Wed Oct 12 05:56:22 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Wed, 12 Oct 2016 11:26:22 +0530
Subject: [Freeipa-users] Server unwilling to perform error
Message-ID:

Hi There,

I am running Freeipa version 4.2.0.

I have been noticing that frequently I get this error "ipa: ERROR: Server is unwilling to perform: Entry permanently locked." when I try to run any ipa commands like ipa user-find or user-status.

Finally I see that my admin account has been locked and I need to unlock it manually.

I don't see anything in the krb5kdc.log. Are there any other specific logs that can give me pointers as to what could be going wrong, as I see this almost daily?

Thanks,
Rakesh
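Lachlan's four-step procedure (external group, AD members, POSIX group, nesting) and Alexander's point that any SID resolvable over the trust can be an external member are wrapped below into one idempotent helper. This is an added example, not code from the thread or from the FreeIPA project: the group names, description and the 'PMCI\Bioinf-Cluster' member are the ones from Lachlan's commands (using the external group name consistently in steps 1, 2 and 4), while IPA_CMD and DRY_RUN are this script's own variables, not ipa options, and are assumptions of the example. Re-running the helper is safe because a group-add is skipped whenever `ipa group-show` already finds the group; a member whose SID the IPA master cannot resolve still makes `ipa group-add-member --external` fail, which is the behaviour Lachlan describes.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: the four-step
# AD group -> external group -> POSIX group mapping as an idempotent helper.
# IPA_CMD and DRY_RUN are this script's own knobs (assumptions), not ipa options.
IPA_CMD="${IPA_CMD:-ipa}"   # ipa CLI; a valid admin Kerberos ticket is needed for a real run
DRY_RUN="${DRY_RUN:-0}"     # 1 = print the ipa commands instead of executing them

# run_ipa: execute one ipa command, or print it verbatim in dry-run mode.
run_ipa() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s' "$IPA_CMD"
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    else
        "$IPA_CMD" "$@"
    fi
}

# group_exists NAME: succeed if the IPA group is already there, so a re-run
# does not fail on "group already exists". In dry-run mode every group is
# treated as missing so that the full command sequence is shown.
group_exists() {
    [ "$DRY_RUN" = "1" ] && return 1
    "$IPA_CMD" group-show "$1" >/dev/null 2>&1
}

# map_ad_group EXT_GROUP POSIX_GROUP DESCRIPTION 'DOMAIN\Object'...
# Steps follow Lachlan's message: 1) external (non-POSIX) group, 2) add each
# AD object by name (the IPA master resolves its SID over the trust, or the
# command fails), 3) POSIX group, 4) nest the external group inside the POSIX
# group so HBAC and sudo rules can reference it.
map_ad_group() {
    ext="$1"; posix="$2"; desc="$3"; shift 3
    group_exists "$ext"   || run_ipa group-add --desc="$desc external map" "$ext" --external
    for member in "$@"; do
        run_ipa group-add-member "$ext" --external "$member"
    done
    group_exists "$posix" || run_ipa group-add --desc="$desc AD users" "$posix"
    run_ipa group-add-member "$posix" --groups "$ext"
}

# Usage, with the names from the thread (run with DRY_RUN=1 first to review):
#   map_ad_group ad_users_external ad_users 'petermac.org.au' 'PMCI\Bioinf-Cluster'
```

Any number of AD users or groups can be passed after the description, which is Alexander's point that an external group may hold a mixture of members; each one is still resolved on the IPA master, so a typo in a domain or group name fails at step 2 rather than silently producing an empty mapping.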
From pspacek at redhat.com Wed Oct 12 06:35:48 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 12 Oct 2016 08:35:48 +0200
Subject: [Freeipa-users] bind-dyndb-ldap issues
In-Reply-To: <9aa5d2d2-67da-a198-171f-2d3c758eaeae@gmail.com>
References: <9aa5d2d2-67da-a198-171f-2d3c758eaeae@gmail.com>
Message-ID:

Hello,

these are debug messages and are harmless. Apparently you have verbose/debug messages enabled in named.conf:

arg "verbose_checks yes";

If you want to get rid of these messages, just remove the line.

What version of bind-dyndb-ldap are you using? Sufficiently new versions should use SyncRepl to pull all data from LDAP to memory (on start) so the read performance should be nearly identical as with plain BIND. Of course, writes/DNS updates will generate load on your LDAP server so the server needs to handle the load.

Petr^2 Spacek

On 11.10.2016 20:41, Brendan Kearney wrote:
> i am using bind-dyndb-ldap on fedora 24 without FreeIPA, and continue to have
> my logs swamped with errors about "check failed" from settings.c and fwd.c. i
> am completely up to date with every package, so the latest versions of
> everything are installed.
>
> [settings.c : 420: setting_update_from_ldap_entry] check failed: ignore
> [settings.c : 436: setting_update_from_ldap_entry] check failed: ignore
> [fwd.c : 378: fwd_setting_isexplicit] check failed: not found
>
> i have two boxes running a named instance each, in a "master/master" config.
> each has the zone data configured per below. the uri refers to the local ip
> of each server.
>
> dynamic-db "bpk2.com" {
>     library "ldap.so";
>     arg "uri ldap://192.168.88.1/";
>     arg "base cn=dns,ou=Daemons,dc=bpk2,dc=com";
>     arg "auth_method simple";
>     arg "bind_dn cn=dnsUser,dc=bpk2,dc=com";
>     arg "password dnsPass";
>
>     arg "fake_mname server1.bpk2.com.";
>     arg "dyn_update yes";
>     arg "connections 2";
>     arg "verbose_checks yes";
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>
> my dns container is defined in openldap as such:
>
> dn: cn=dns,ou=Daemons,dc=bpk2,dc=com
> cn: dns
> idnspersistentsearch: FALSE
> idnszonerefresh: 30
> objectclass: top
> objectclass: nsContainer
> objectclass: idnsConfigObject
>
> where and how can i find the source of my issue? these issues are causing
> performance issues on the rest of my network. because of these errors, ldap
> throws errors about deferred operations for binding, too many executing, and
> pending operations. additionally, recursion also seems to be impacted. this
> is noticed most when streaming content. buffering, stuttering and pixelation
> are seen in the video streams. it could be the swamping of logs killing I/O
> or the actual recursion, but 100% the video issues are related. the log
> events match up exactly with the buffering.
>
> i had this issue with bind-dyndb-ldap and fedora 20 up until i recently
> upgraded. i went from F20 to F24, and put things on nice new SSDs, instead of
> spinning disks. the problem followed the upgrade. are there configuration
> items i am missing? are there tweaks i can do to improve something? how do i
> get rid of these errors, so dns performance (or the log swamping) is not
> affecting the rest of my network?
>
> thank you,
>
> brendan

From a.stepanenko at gw.spb.ru Wed Oct 12 08:22:52 2016
From: a.stepanenko at gw.spb.ru (Aleksey Stepanenko)
Date: Wed, 12 Oct 2016 11:22:52 +0300
Subject: [Freeipa-users] FreeIPA and Samba
In-Reply-To:
References: <7c64a862-ebbe-deab-8aeb-db3d115e5aa2@gw.spb.ru> <1475775086.2849.3.camel@lgs.com.ve>
Message-ID:

My Samba server and IPA server are different machines too. I made LDAP replication IPA-SAMBA ( https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=6 ). Unfortunately, it makes full replication (not only ldap-server), but it works. My Windows machines are not joined to a domain.
12.10.2016 03:43, Alan Latteri wrote:
> I am trying to get this to work, but our Samba server is not the same
> machine as our IPA server, and these instructions seem to assume that.
> Any ideas? All I need is the 1 windows machine in our network to be
> able to access our linux based server, using the same user/pass as
> that of our IPA authenticated linux machines.
>
>
>> On Oct 10, 2016, at 1:35 PM, Aleksey Stepanenko wrote:
>>
>> I read again the topic
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
>> It works exactly as I wanted
>>
>> ipa-adtrust-install created next configuration:
>>
>> $ net conf list
>> [global]
>>         workgroup = WORKGROUP
>>         netbios name = SMB
>>         realm = GW.SPB.RU
>>         kerberos method = dedicated keytab
>>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>>         create krb5 conf = no
>>         security = user
>>         domain master = yes
>>         domain logons = yes
>>         log level = 1
>>         max log size = 100000
>>         log file = /var/log/samba/log.%m
>>         passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
>>         disable spoolss = yes
>>         ldapsam:trusted = yes
>>         ldap ssl = off
>>         ldap suffix = dc=gw,dc=spb,dc=ru
>>         ldap user suffix = cn=users,cn=accounts
>>         ldap group suffix = cn=groups,cn=accounts
>>         ldap machine suffix = cn=computers,cn=accounts
>>         rpc_server:epmapper = external
>>         rpc_server:lsarpc = external
>>         rpc_server:lsass = external
>>         rpc_server:lsasd = external
>>         rpc_server:samr = external
>>         rpc_server:netlogon = external
>>         rpc_server:tcpip = yes
>>         rpc_daemon:epmd = fork
>>         rpc_daemon:lsasd = fork
>>
>> But I don't understand why it wasn't put to smb.conf directly.
>>
>> The second problem is 'passdb backend'. I didn't find any
>> documentation about this module. An attempt to replace a file socket
>> with a net connection failed. And I had to make LDAP replication. It
>> was easy, but "ipa-replica-prepare" installed the whole IPA server
>> (tomcat, java, ldap), not only ldap-server. I need to continue to
>> read documentation. However the problem was solved.
>>
>> 06.10.2016 23:51, Aleksey Stepanenko wrote:
>>> Thank you for your reply.
>>>
>>> I've got a Samba server for a company, accounts are created by hand.
>>> Clients are different windows or linux desktops.
>>>
>>> I want to install FreeIPA and have one area for managing accounts
>>> (SMB, SSH-access for other servers). Now, I prepare a clean samba
>>> installation for testing. It would be great to use FreeIPA as
>>> authorization server for samba.
>>>
>>> I was looking for information about samba + freeIPA, but I found
>>> only this document. Maybe, I miss obvious things.
>>>
>>>
>>> 06.10.2016 20:31, Loris Santamaria wrote:
>>>> The document you are linking to explains how to configure a samba file
>>>> server in a freeipa domain, which is one of many ways you can
>>>> configure and use a samba server.
>>>>
>>>> What do you want to achieve with samba, and what is your current
>>>> setup?
>>>>
>>>>
>>>> On Thu, 06-10-2016 at 19:23 +0300, Aleksey Stepanenko wrote:
>>>>> Hello.
>>>>>
>>>>> I've read the topic about FreeIPA and SAMBA
>>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>
>>>>> If I understand clearly, samba's client must be present in
>>>>> FreeIPA AD. Unfortunately, it does not work for me. I can't join some work
>>>>> desktops to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
>>>>> ldap support
>>>>>
>>>>> ldap admin dn
>>>>> ldap group suffix
>>>>> ldap idmap suffix
>>>>> ldap machine suffix
>>>>> ldap passwd sync
>>>>> ldap suffix
>>>>> ldap user suffix
>>>>>
>>>>> Does it work with IPA?
>>>>>
>>>>> Thanks.
>>>>>
>>>
>>>
>>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

--
Regards,
Aleksey Stepanenko, head of the IT department
??? "?????? ??? ?????"
site: http//gw.spb.ru
tel.: +7 (812) 409-00-90

From mbasti at redhat.com Wed Oct 12 10:45:41 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 12 Oct 2016 12:45:41 +0200
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> <20161011194409.466mqip5224rontc@redhat.com> <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net>
Message-ID: <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com>

On 11.10.2016 22:01, John Popowitch wrote:
> Ah, yes, thank you, Alexander.
> I agree it would help if I followed the example better.
> It would also help if I understood the example so a little description of what each command does would be very helpful.

Sorry, we don't have time to explain everything here. `man ldapsearch` is your friend

> It looks like that ACI record does exist.
> Now how would I remove these LDAP records?

I dug deeper into the code, and actually this error is not caused by ACIs, because it does not even get there. I think that this may be caused by a replication conflict on the permission entry, which causes IPA not to see it while DS refuses to add it there.

Can you please check as Directory Manager if there are any replication conflicts using this command?

ldapsearch -D 'cn=directory manager' -W -b 'dc=aws,dc=cappex,dc=com' "nsds5ReplConflict=*" \* nsds5ReplConflict

Please check if there is a replication conflict on entry 'System: Modify Certificate Profile'

More info about replication conflicts:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

>
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: Tuesday, October 11, 2016 2:44 PM
> To: John Popowitch
> Cc: Martin Basti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>
> On ti, 11 loka 2016, John Popowitch wrote:
>> It doesn't look like there are any entries.
>>
>> # ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s base aci
> 'ldapsearch -x' is 'use simple authentication instead of SASL' -- given that you didn't specify any identity for simple authentication, you are running an anonymous search. Martin asked you to 'kinit' as administrator and then use SASL GSSAPI.
>
> ACIs are only available for retrieval to administrators. It is not a surprise that anonymous access does not see them.
>
> It would be good if you had followed the example:
>> Here you have an example
>>
>> kinit admin
>>
>> ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc=' -s base aci
>>
>> On 11.10.2016 17:48, John Popowitch wrote:
>> Thanks, Martin.
>> But I'm afraid you've gone beyond my level of LDAP knowledge.
>> How would I check for that ACI?
>> -John
>>
>> From: Martin Basti [mailto:mbasti at redhat.com]
>> Sent: Tuesday, October 11, 2016 10:38 AM
>> To: John Popowitch; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>>
>> On 11.10.2016 17:21, John Popowitch wrote:
>> I agree that is weird.
>> Several of the other managed permissions are updated successfully and they are very similar.
>> Yes, I can try to remove the permission manually.
>> Is there any risk in corrupting or breaking the system?
>> This is, I believe, one of three IPA servers in a multi-master replication.
>> And we run our production website (basically our company) off of these servers.
>> Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP?
>>
>> Upgrade will re-create the permission.
>>
>> You have to do it directly using LDAP as Directory Manager
>>
>> Also please check in: cn=certprofiles,cn=ca,$SUFFIX
>>
>> if you have this ACI there
>>
>> aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
>>
>> This may also cause an issue, so if removing the permission itself did
>> not help (or the permission does not exist) you may need to remove this ACI
>>
>> Martin
>>
>>
>> From: Martin Basti [mailto:mbasti at redhat.com]
>> Sent: Tuesday, October 11, 2016 9:47 AM
>> To: John Popowitch; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>>
>> That's weird because the code is checking if a permission exists before
>> it tries to add a new one
>>
>> Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade?
>>
>>
>> On 11.10.2016 15:53, John Popowitch wrote:
>> 2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile
>> 2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392
>> 2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists
>> 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade
>>     self.modified = (ld.update(self.files) or self.modified)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update
>>     self._run_updates(all_updates)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates
>>     self._run_update_plugin(update['plugin'])
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin
>>     restart_ds, updates = self.api.Updater[plugin_name]()
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__
>>     return self.execute(**options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute
>>     anonymous_read_aci)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission
>>     ldap.add_entry(entry)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry
>>     self.conn.add_s(str(entry.dn), attrs.items())
>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>     self.gen.throw(type, value, traceback)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler
>>     raise errors.DuplicateEntry()
>> DuplicateEntry: This entry already exists
>>
>> 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade
>>     raise RuntimeError(e)
>> RuntimeError: This entry already exists
>>
>> 2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists
>> 2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server
>> 2016-10-10T19:51:38Z DEBUG Starting external process
>> 2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv@AWS-CAPPEX-COM.service'
>> 2016-10-10T19:51:40Z DEBUG Process finished, return code=0
>> 2016-10-10T19:51:40Z DEBUG stdout=
>> 2016-10-10T19:51:40Z DEBUG stderr=
>> 2016-10-10T19:51:40Z DEBUG duration: 1 seconds
>> 2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration
>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-10-10T19:51:40Z DEBUG duration: 0 seconds
>> 2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2016-10-10T19:51:40Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
>>     raise admintool.ScriptError(str(e))
>>
>> 2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1)
>> 2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1)
>>
>>
>> From: Martin Basti [mailto:mbasti at redhat.com]
>> Sent: Tuesday, October 11, 2016 1:53 AM
>> To: John Popowitch; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>>
>> On 10.10.2016 23:30, John Popowitch wrote:
>> Hello FreeIPA community.
>> I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.
>> I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command."
>> But when I run ipa-server-upgrade I get an error:
>> ipa: ERROR: Upgrade failed with This entry already exists
>> When I run it in debug mode the last action before the error is:
>> ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile
>> It appears that several of the other managed permissions are processed successfully.
>> When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions.
>> I'm not familiar with FreeIPA so any help would be greatly appreciated.
>> Thanks in advance.
>> -John
>>
>>
>> Hello,
>>
>> can you post the related part of ipaupgrade.log here?
>>
>> Martin
>>
>

From lkrispen at redhat.com Wed Oct 12 13:48:00 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 12 Oct 2016 15:48:00 +0200
Subject: [Freeipa-users] Different Database Generation ID
In-Reply-To: <4d75f35b-4f1d-9d3e-4afd-98fde30e72c8@brownpapertickets.com>
References: <4d75f35b-4f1d-9d3e-4afd-98fde30e72c8@brownpapertickets.com>
Message-ID: <57FE3F10.2000303@redhat.com>

Hi,

you get the "different database generation" if one side is built from scratch or reimported from a plain ldif without replication state information. Replication will only work if both sides have the same data origin.

About initializing back and forth, it depends on your topology if it can become a problem. If a replica is reinitialized its changelog is recreated (the old one will no longer match), and if you do it again in the other direction you remove the changelog there as well - and then you can miss changes not yet replicated to other replicas and you can run into the "csn not found" problems.

I looked up one of your previous posts about which version of 389-ds you are using, and it looks like you have one we know has some issues, as stated several times on this list :-(

About your observation that replication is stopping and working again after restarting, this can be a problem of the replication agreement going into fatal state instead of retrying. Restarting the server overcomes this, but you could achieve it by disabling the agreement.

Ludwig

On 10/11/2016 06:13 PM, Ian Harding wrote:
> I have this error in the log of my FreeIPA server freeipa-sea.bpt.rocks:
>
> [11/Oct/2016:09:04:39 -0700] NSMMReplicationPlugin -
> agmt="cn=masterAgreement1-seattlenfs.bpt.rocks-pki-tomcat"
> (seattlenfs:389): The remote replica has a different database generation
> ID than the local database. You may have to reinitialize the remote
> replica, or the local replica.
>
> So I did this:
>
> ipa-replica-manage re-initialize --from freeipa-sea.bpt.rocks
>
> on seattlenfs
>
> But the error continues.
>
> I think I know why. freeipa-sea had a meltdown and I had to rebuild it,
> and established it as a replica of seattlenfs. Unfortunately, I think
> seattlenfs was a replica of the original freeipa-sea.
>
> It seems like a bad idea to reinitialize themselves from each other, and
> in fact it's warned against here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Troubleshooting_Replication_Related_Problems.html
>
> "... Also, M2 should not initialize M1 back."
>
> But in looking at my bash history I have indeed done that as well.
>
> Is there any way out of this mess? These two servers actually DO
> replicate, most of the time. They stop for no reason and restarting the
> ipa services on freeipa-sea does get them started again.
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From fdinoto at gmail.com Wed Oct 12 14:09:04 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Wed, 12 Oct 2016 07:09:04 -0700
Subject: [Freeipa-users] Replica has no RUV
Message-ID:

What do you do if a replica has no RUV? It may have been deleted. I've tried disconnecting/connecting it to the other replicas to see if it would re-build it but it doesn't. Re-initializing it doesn't seem to fix it either.

From karl.forner at gmail.com Wed Oct 12 17:06:59 2016
From: karl.forner at gmail.com (Karl Forner)
Date: Wed, 12 Oct 2016 19:06:59 +0200
Subject: [Freeipa-users] network ports requirements for a replica
Message-ID:

Hello,

A very simple question, but I could not find the answer. I'd like to set up a replica on another network than my master. Is it possible to set up the replication using only https, or must other ports be available?

Thanks,
Karl

From abokovoy at redhat.com Wed Oct 12 17:25:15 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 12 Oct 2016 20:25:15 +0300
Subject: [Freeipa-users] network ports requirements for a replica
In-Reply-To:
References:
Message-ID: <20161012172515.s4smyln2ozkxlf7x@redhat.com>

On ke, 12 loka 2016, Karl Forner wrote:
>Hello,
>
>A very simple question, but I could not find the answer. I'd like to setup
>a replica on another network than my master. Is it possible to setup the
>replication using only https, or other ports must be available ?

This is all documented, did you read the guide?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prepping-replica.html
----
The replica requires additional ports to be open

In addition to the standard IdM server port requirements described in Section 2.1.4, "Port Requirements", make sure the following port requirements are complied with as well:

During the replica setup process, keep the TCP port 22 open. This port is required in order to use SSH to connect to the master server.

If one of the servers is running Red Hat Enterprise Linux 6 and has a CA installed, keep also TCP port 7389 open during and after the replica configuration. In a purely Red Hat Enterprise Linux 7 environment, port 7389 is not required.
----
Section 2.1.4: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports

--
/ Alexander Bokovoy

From deepak_dimri at hotmail.com Wed Oct 12 17:34:15 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Wed, 12 Oct 2016 17:34:15 +0000
Subject: [Freeipa-users] FreeIPA Server installation on unbuntu 14.0
Message-ID:

Hi All,

I am trying to install freeIPA server on ubuntu 14.0 but i am getting Error "Unable to locate package freeipa-server". Below is what i am trying:

apt-get install freeipa-server -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package freeipa-server

apt-get install freeipa-client -y works just fine..

i have tried enabling the universe repository in /etc/apt/sources.list and ran apt-get update but no luck either, still getting Unable to locate package freeipa-server.

How can i install ipa server on ubuntu?

Thanks,
Deepak

From jruybal at owneriq.com Wed Oct 12 17:39:13 2016
From: jruybal at owneriq.com (Joshua Ruybal)
Date: Wed, 12 Oct 2016 10:39:13 -0700
Subject: [Freeipa-users] 3rd Party http certs breaking Apache
Message-ID:

Hi,

I'm trying to add 3rd party certs for the webgui and ldap as documented here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I'm able to add the CA cert.

Then add the chained cert and key via the ipa-server-certinstall tool. However when I try to restart httpd, it fails and I get the following error in the logs.

[Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init: (ipa-test.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598] NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error: -8102 Certificate key usage inadequate for attempted operation.
[Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

I've looked into the key, but everything seems to work as expected.

Has anyone seen this before?

Environment:
IPA VERSION: 4.2.0, API_VERSION: 2.156
CentOS 7.2

Thanks,
--Josh

From abokovoy at redhat.com Wed Oct 12 17:40:39 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 12 Oct 2016 20:40:39 +0300
Subject: [Freeipa-users] FreeIPA Server installation on unbuntu 14.0
In-Reply-To:
References:
Message-ID: <20161012174039.irbx4ojxekojs4n7@redhat.com>

On ke, 12 loka 2016, Deepak Dimri wrote:
>Hi All,
>
>I am trying to install freeIPA server on ubuntu 14.0 but i am getting Error "Unable to locate package freeipa-server" below is what i am trying:
>
>apt-get install freeipa-server -y
>Reading package lists... Done
>Building dependency tree
>Reading state information... Done
>E: Unable to locate package freeipa-server
>
>apt-get install freeipa-client -y works just fine..
>
>i have tried enabling universe repository in /etc/apt/sources.list and ran apt-get update but no luck either still getting Unable to locate package freeipa-server.
>
>How can i install ipa server on ubuntu?
Use newer Ubuntu.

--
/ Alexander Bokovoy

From rcritten at redhat.com Wed Oct 12 17:57:16 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Oct 2016 13:57:16 -0400
Subject: [Freeipa-users] 3rd Party http certs breaking Apache
In-Reply-To:
References:
Message-ID: <57FE797C.1000604@redhat.com>

Joshua Ruybal wrote:
> Hi,
>
> I'm trying to add 3rd party certs for the webgui and ldap as documented
> here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> I'm able to add the CA cert.
>
> Then add the chained cert and key via ipa-server-certinstall tool.
> However when I try to restart httpd, it fails and I get the following
> error in the logs.
>
>
> [Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
> (ipa-test.example.com:443) You
> configured HTTP(80) on the standard HTTPS(443) port!
> [Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
> -8102 Certificate key usage inadequate for attempted operation.
> [Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
> certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
> so the server can start until the problem can be resolved.
>
>
> I've looked into the key, but everything seems to work as expected.
>
> Has anyone seen this before?
>
> Environment:
> IPA VERSION: 4.2.0, API_VERSION: 2.156
> CentOS 7.2

You set NSSNickname to Signing-Cert? What is the nickname of the cert you imported?

# certutil -L -d /etc/httpd/alias

rob

From jruybal at owneriq.com Wed Oct 12 18:42:54 2016
From: jruybal at owneriq.com (Joshua Ruybal)
Date: Wed, 12 Oct 2016 11:42:54 -0700
Subject: [Freeipa-users] 3rd Party http certs breaking Apache
In-Reply-To: <57FE797C.1000604@redhat.com>
References: <57FE797C.1000604@redhat.com>
Message-ID:

Can confirm nss.conf has NSSNickname set to Signing-Cert.

I set the nickname of the Root CA issuing the 3rd party Certs to "LetsEncrypt_X1"

On Wed, Oct 12, 2016 at 10:57 AM, Rob Crittenden wrote:

> Joshua Ruybal wrote:
>
>> Hi,
>>
>> I'm trying to add 3rd party certs for the webgui and ldap as documented
>> here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> I'm able to add the CA cert.
>>
>> Then add the chained cert and key via ipa-server-certinstall tool.
>> However when I try to restart httpd, it fails and I get the following
>> error in the logs.
>>
>>
>> [Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
>> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
>> (ipa-test.example.com:443) You
>> configured HTTP(80) on the standard HTTPS(443) port!
>> [Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
>> NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
>> -8102 Certificate key usage inadequate for attempted operation.
>> [Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
>> certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
>> so the server can start until the problem can be resolved.
>>
>>
>> I've looked into the key, but everything seems to work as expected.
>>
>> Has anyone seen this before?
>>
>> Environment:
>> IPA VERSION: 4.2.0, API_VERSION: 2.156
>> CentOS 7.2
>>
>
> You set NSSNickname to Signing-Cert? What is the nickname of the cert you
> imported?
>
> # certutil -L -d /etc/httpd/alias
>
> rob
>
>

--
Joshua Ruybal | Systems Engineer
o: (866) 870-2295 x823
c: (206) 724-4549
e: jruybal at owneriq.com

From jpopowitch at cappex.com Wed Oct 12 19:30:11 2016
From: jpopowitch at cappex.com (John Popowitch)
Date: Wed, 12 Oct 2016 19:30:11 +0000
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> <20161011194409.466mqip5224rontc@redhat.com> <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net> <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com>
Message-ID: <8A55E6003C19B34498C07A259B643BA90108635B@mbx032-e1-va-6.exch032.serverpod.net>

I ran the following on each of my three servers:

kinit admin
ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "nsds5ReplConflict=*" \* nsds5ReplConflict

There are 49, 57, 49 entries returned by that query on the respective server.
Here is the one related to 'System: Modify Certificate Profile' from the first server:

# CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws.cappex.com
dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete Certificate Profile+nsuniqueid=c93bf27c-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Import Certificate Profile+nsuniqueid=c93bf280-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
objectClass: groupofnames
objectClass: top
objectClass: nestedgroup
cn: CA Administrator
description: CA Administrator
nsds5ReplConflict: namingConflict cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com

Here are the related entries from the second server:

# CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws.cappex.com
dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete Certificate Profile+nsuniqueid=c93bf27c-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Import Certificate Profile+nsuniqueid=c93bf280-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
objectClass: groupofnames
objectClass: top
objectClass: nestedgroup
cn: CA Administrator
description: CA Administrator
nsds5ReplConflict: namingConflict cn=ca administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com

# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com

And from the third server:

# CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws.cappex.com
dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Delete Certificate Profile+nsuniqueid=c93bf27c-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Import Certificate Profile+nsuniqueid=c93bf280-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
memberOf: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
objectClass: groupofnames
objectClass: top
objectClass: nestedgroup
cn: CA Administrator
description: CA Administrator
nsds5ReplConflict: namingConflict cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com

Thank you for sending a link with more info on replication conflicts. I'm reading it now.

-John

-----Original Message-----
From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Wednesday, October 12, 2016 5:46 AM
To: John Popowitch; Alexander Bokovoy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

On 11.10.2016 22:01, John Popowitch wrote:
> Ah, yes, thank you, Alexander.
> I agree it would help if I followed the example better.
> It would also help if I understood the example so a little description of what each command does would be very helpful.

Sorry, we don't have time to explain everything here.
`man ldapsearch` is your friend

> It looks like that ACI record does exist.
> Now how would I remove these LDAP records?

I dug deeper into the code, and actually this error is not caused by ACIs, because it does not even get there. I think that this may be caused by a replication conflict on the permission entry, which causes IPA not to see it while DS refuses to add it there.

Can you please check as Directory Manager if there are any replication conflicts using this command?

    ldapsearch -D 'cn=directory manager' -W -b 'dc=aws,dc=cappex,dc=com' "nsds5ReplConflict=*" \* nsds5ReplConflict

Please check if there is a replication conflict on the entry 'System: Modify Certificate Profile'.

More info about replication conflicts:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: Tuesday, October 11, 2016 2:44 PM
> To: John Popowitch
> Cc: Martin Basti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>
> On ti, 11 loka 2016, John Popowitch wrote:
>> It doesn't look like there are any entries.
>>
>> # ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s base aci
>
> 'ldapsearch -x' is 'use simple authentication instead of SASL' -- given that you didn't specify any identity for simple authentication, you are running an anonymous search. Martin asked you to 'kinit' as administrator and then use SASL GSSAPI.
>
> ACIs are only available for retrieval to administrators. It is not a surprise that anonymous access does not see them.
>
> It would be good if you had followed the example:
>> Here you have an example
>>
>> kinit admin
>>
>> ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc=' -s base aci
>>
>> On 11.10.2016 17:48, John Popowitch wrote:
>> Thanks, Martin.
>> But I'm afraid you've gone beyond my level of LDAP knowledge. >> How would I check for that ACI? >> -John >> >> From: Martin Basti [mailto:mbasti at redhat.com] >> Sent: Tuesday, October 11, 2016 10:38 AM >> To: John Popowitch; >> freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to >> run ipa-server-upgrade, but has errors >> >> >> >> >> On 11.10.2016 17:21, John Popowitch wrote: >> I agree that is weird. >> Several of the other managed permissions are updated successfully and they are very similar. >> Yes, I can try to remove the permission manually. >> Is there any risk in corrupting or breaking the system? >> This is, I believe, one of three IPA servers in a multi-master replication. >> And we run our production website (basically our company) off of these servers. >> Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP? >> >> Upgrade will re-create permission. >> >> You have to directly using LDAP as Directory Manager >> >> Also please check in: cn=certprofiles,cn=ca,$SUFFIX >> >> if you have this ACI there >> >> aci: (targetattr = "cn || description || >> ipacertprofilestoreissued")(targetfil >> ter = "(objectclass=ipacertprofile)")(version 3.0;acl >> "permission:System: Mod ify Certificate Profile";allow (write) groupdn >> = "ldap:///cn=System: Modify C ertificate >> Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab >> ,dc=eng,dc=brq,dc=redhat,dc=com";) >> >> This may also cause an issue, so if removing of permission itself did >> not help (or permission does not exist) you may need to remove this ACI >> >> Martin >> >> >> >> >> From: Martin Basti [mailto:mbasti at redhat.com] >> Sent: Tuesday, October 11, 2016 9:47 AM >> To: John Popowitch; >> freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to >> run ipa-server-upgrade, but has errors >> >> >> That's weird because the code is 
checking if a permission exists before >> it tries to add a new one >> >> Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade? >> >> >> >> On 11.10.2016 15:53, John Popowitch wrote: >> 2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify >> Certificate Profile 2016-10-10T19:51:38Z DEBUG Destroyed connection >> context.ldap2_82077392 2016-10-10T19:51:38Z ERROR Upgrade failed with >> This entry already exists 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade >> self.modified = (ld.update(self.files) or self.modified) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update >> self._run_updates(all_updates) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates >> self._run_update_plugin(update['plugin']) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin >> restart_ds, updates = self.api.Updater[plugin_name]() >> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__ >> return self.execute(**options) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute >> anonymous_read_aci) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission >> ldap.add_entry(entry) >> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry >> self.conn.add_s(str(entry.dn), attrs.items()) >> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ >> self.gen.throw(type, value, traceback) >> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler >> raise errors.DuplicateEntry() >> DuplicateEntry: This entry already exists >> >> 
2016-10-10T19:51:38Z DEBUG Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step >> method() >> File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade >> raise RuntimeError(e) >> RuntimeError: This entry already exists >> >> 2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists >> 2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server >> 2016-10-10T19:51:38Z DEBUG Starting external process >> 2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at AWS-CAPPEX-COM.service' >> 2016-10-10T19:51:40Z DEBUG Process finished, return code=0 >> 2016-10-10T19:51:40Z DEBUG stdout= 2016-10-10T19:51:40Z DEBUG stderr= >> 2016-10-10T19:51:40Z DEBUG duration: 1 seconds >> 2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration >> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >> 2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >> 2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' >> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' >> 2016-10-10T19:51:40Z DEBUG duration: 0 seconds >> 2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 
>> 2016-10-10T19:51:40Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute >> return_value = self.run() >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run >> raise admintool.ScriptError(str(e)) >> >> 2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, >> exception: ScriptError: ('IPA upgrade failed.', 1) 2016-10-10T19:51:40Z >> ERROR ('IPA upgrade failed.', 1) >> >> >> >> From: Martin Basti [mailto:mbasti at redhat.com] >> Sent: Tuesday, October 11, 2016 1:53 AM >> To: John Popowitch; >> freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to >> run ipa-server-upgrade, but has errors >> >> >> >> >> On 10.10.2016 23:30, John Popowitch wrote: >> Hello FreeIPA community. >> I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2. >> I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command." >> But when I run ipa-server-upgrade I get an error: >> ipa: ERROR: Upgrade failed with This entry already exists When I run it >> in debug mode the last action before the error is: >> ipa.ipaserver.install.plugins.update_managed_permissions.update_managed >> _permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile It appears that several of the other managed permissions are processed successfully. >> When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions. >> I'm not familiar with FreeIPA so any help would be greatly appreciated. >> Thanks in advance. >> -John >> >> >> >> >> >> >> >> Hello, >> >> can you post the related part of ipaupgrade.log here? 
>>
>> Martin
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

From flo at redhat.com Wed Oct 12 20:17:48 2016
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Wed, 12 Oct 2016 22:17:48 +0200
Subject: [Freeipa-users] Password Complexity Requirements Seems Insufficient
In-Reply-To: <198A481E432CAD48801198FBEB67C7AF0D794710@USDGPEMSPMBX01.FTDCORP.NET>
References: <198A481E432CAD48801198FBEB67C7AF0D794710@USDGPEMSPMBX01.FTDCORP.NET>
Message-ID: <9ef96d38-3358-f56a-f025-d95dd168a854@redhat.com>

On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> I just joined this list, so if this question has been asked before (and
> I'll bet it has), I apologize in advance.
>
> A google search was unrevealing, so I'm asking here: we're running
> FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password
> complexity requirements are limited to setting the number of character
> classes to require, i.e. setting it to "2" would require your new
> password to be any two of the character classes.
>
> What if you wanted new passwords to meet specific class requirements,
> i.e. a mix of UC, LC, and numbers. It looks like you would use a value
> of "3" to accomplish this, but that would also allow UC, LC, and
> special, or LC, numbers, and special, but you don't want to allow
> those: how would you specify that?
>
Hi,

as far as I know, it is only possible to specify the number of different character classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes the following:
---
Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 22.1, "Password Policy Settings". This is part of setting the complexity requirements.
---

hope this clarifies,
Flo

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui

>
> Also, what if you had a requirement for more than one of the character
> classes, i.e. you want to require two UC characters or two special
> characters?
>
> Thanks in advance for the help,
>
> Chip Bennett
>
> This message is solely for the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution is prohibited.

From cbennett at ftdi.com Wed Oct 12 20:21:26 2016
From: cbennett at ftdi.com (Bennett, Chip)
Date: Wed, 12 Oct 2016 20:21:26 +0000
Subject: [Freeipa-users] Password Complexity Requirements Seems Insufficient
In-Reply-To: <9ef96d38-3358-f56a-f025-d95dd168a854@redhat.com>
References: <198A481E432CAD48801198FBEB67C7AF0D794710@USDGPEMSPMBX01.FTDCORP.NET> <9ef96d38-3358-f56a-f025-d95dd168a854@redhat.com>
Message-ID: <198A481E432CAD48801198FBEB67C7AF0D796A67@USDGPEMSPMBX01.FTDCORP.NET>

Flo,

Thanks for getting back to me. I had seen this in the documentation. I was just hoping that I was missing something. I guess I'm just surprised that a product designed to manage authentication wouldn't have a way to be more specific in the complexity requirements.

Thanks again!
Chip -----Original Message----- From: Florence Blanc-Renaud [mailto:flo at redhat.com] Sent: Wednesday, October 12, 2016 3:18 PM To: Bennett, Chip ; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient On 10/11/2016 07:36 PM, Bennett, Chip wrote: > I just joined this list, so if this question has been asked before > (and I'll bet it has), I apologize in advance. > > > > A google search was unrevealing, so I'm asking here: we're running > FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password > complexity requirements are limited to setting the number of character > classes to require, i.e. setting it to "2" would require your new > password to be any two of the character classes. > > > > What if you wanted new passwords to meet specific class requirements, > i.e. a mix of UL, LC, and numbers. It looks like you would use a > value of "3" to accomplish this, but that would also allow UC, LC, and > special, or LC, numbers, and special, but you don't want to allow the > those: how would you specify that? > Hi, as far as I know, it is only possible to specify the number of different character classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes the following: --- Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 22.1, "Password Policy Settings". This is part of setting the complexity requirements. 
--- hope this clarifies, Flo [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui > > > Also, what if you had a requirement for more than one of the character > classes, i.e. you want to require two UC characters or two special > characters? > > > > Thanks in advance for the help, > > Chip Bennett > > > > > This message is solely for the intended recipient(s) and may contain > confidential and privileged information. Any unauthorized review, use, > disclosure or distribution is prohibited. > > This message is solely for the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. From Lachlan.Simpson at petermac.org Wed Oct 12 22:24:53 2016 From: Lachlan.Simpson at petermac.org (Simpson Lachlan) Date: Wed, 12 Oct 2016 22:24:53 +0000 Subject: [Freeipa-users] Password Complexity Requirements Seems Insufficient In-Reply-To: <198A481E432CAD48801198FBEB67C7AF0D796A67@USDGPEMSPMBX01.FTDCORP.NET> References: <198A481E432CAD48801198FBEB67C7AF0D794710@USDGPEMSPMBX01.FTDCORP.NET> <9ef96d38-3358-f56a-f025-d95dd168a854@redhat.com> <198A481E432CAD48801198FBEB67C7AF0D796A67@USDGPEMSPMBX01.FTDCORP.NET> Message-ID: <0137003026EBE54FBEC540C5600C03C43B4628@PAPR-EXMBX1.petermac.org.au> > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > bounces at redhat.com] On Behalf Of Bennett, Chip > Sent: Thursday, 13 October 2016 7:21 AM > To: Florence Blanc-Renaud; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems > Insufficient > > Flo, > > Thanks for getting back to me. I had seen this in the documentation. I was just > hoping that I was missing something. 
I guess I'm just surprised that a product > designed to manage authentication wouldn't have a way to be more specific in the > complexity requirements. I don't know. Those type of complexity requirements are multifaceted, complex and somewhat arbitrary. Given that each then requires regex, I'm quite happy that the devs focus on getting other aspects of FreeIPA to work over password complexity. As xkcd noted a couple of years ago, password length is better for security than anything else. Complex arrangements of different character classes is neither human or UX friendly nor where contemporary security theory is focused - try 2FA, public/private keys, etc. While I understand that large organisations have policy that often drags well behind contemporary theory, I don't think it's fair to expect software to also allow for that. Cheers L. > > Thanks again! > Chip > > -----Original Message----- > From: Florence Blanc-Renaud [mailto:flo at redhat.com] > Sent: Wednesday, October 12, 2016 3:18 PM > To: Bennett, Chip ; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems > Insufficient > > On 10/11/2016 07:36 PM, Bennett, Chip wrote: > > I just joined this list, so if this question has been asked before > > (and I'll bet it has), I apologize in advance. > > > > > > > > A google search was unrevealing, so I'm asking here: we're running > > FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password > > complexity requirements are limited to setting the number of character > > classes to require, i.e. setting it to "2" would require your new > > password to be any two of the character classes. > > > > > > > > What if you wanted new passwords to meet specific class requirements, > > i.e. a mix of UL, LC, and numbers. 
It looks like you would use a > > value of "3" to accomplish this, but that would also allow UC, LC, and > > special, or LC, numbers, and special, but you don't want to allow the > > those: how would you specify that? > > > Hi, > > as far as I know, it is only possible to specify the number of different character > classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes > the following: > --- > Character classes sets the number of different categories of character that must be > used in the password. This does not set which classes must be used; it sets the > number of different (unspecified) classes which must be used in a password. For > example, a character class can be a number, special character, or capital; the > complete list of categories is in Table 22.1, "Password Policy Settings". This is part > of setting the complexity requirements. > --- > > hope this clarifies, > Flo > > [1] > https://access.redhat.com/documentation/en- > US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_ > Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.ht > ml#creating-group-policy-ui > > > > > > > > Also, what if you had a requirement for more than one of the character > > classes, i.e. you want to require two UC characters or two special > > characters? > > > > > > > > Thanks in advance for the help, > > > > Chip Bennett > > > > > > > > > > This message is solely for the intended recipient(s) and may contain > > confidential and privileged information. Any unauthorized review, use, > > disclosure or distribution is prohibited. > > > > > > > This message is solely for the intended recipient(s) and may contain confidential > and privileged information. > Any unauthorized review, use, disclosure or distribution is prohibited. 
This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.

From bpk678 at gmail.com Wed Oct 12 23:42:12 2016
From: bpk678 at gmail.com (Brendan Kearney)
Date: Wed, 12 Oct 2016 19:42:12 -0400
Subject: [Freeipa-users] bind-dyndb-ldap issues
In-Reply-To:
References: <9aa5d2d2-67da-a198-171f-2d3c758eaeae@gmail.com>
Message-ID: <9fa6a73f-b3a7-f73c-2147-18c4653ba567@gmail.com>

On 10/12/2016 02:35 AM, Petr Spacek wrote:
> Hello,
>
> these are debug messages and are harmless. Apparently you have verbose/debug
> messages enabled in named.conf:
>
> arg "verbose_checks yes";
>
> If you want to get rid of these messages, just remove the line.
>
> What version of bind-dyndb-ldap are you using?
>
> Sufficiently new versions should use SyncRepl to pull all data from LDAP to
> memory (on start) so the read performance should be nearly identical as with
> plain BIND.
>
> Of course, writes/DNS updates will generate load on your LDAP server so the
> server needs to handle the load.
>
> Petr^2 Spacek
>
> On 11.10.2016 20:41, Brendan Kearney wrote:
>> i am using bind-dyndb-ldap on fedora 24 without FreeIPA, and continue to have
>> my logs swamped with errors about "check failed" from settings.c and fwd.c. i
>> am completely up to date with every package, so the latest versions of
>> everything are installed.
>>
>> [settings.c : 420: setting_update_from_ldap_entry] check failed: ignore
>> [settings.c : 436: setting_update_from_ldap_entry] check failed: ignore
>> [fwd.c : 378: fwd_setting_isexplicit] check failed: not found
>>
>> i have two boxes running a named instance each, in a "master/master" config.
>> each has the zone data configured per below. the uri refers to the local ip
>> of each server.
>>
>> dynamic-db "bpk2.com" {
>>     library "ldap.so";
>>     arg "uri ldap://192.168.88.1/";
>>     arg "base cn=dns,ou=Daemons,dc=bpk2,dc=com";
>>     arg "auth_method simple";
>>     arg "bind_dn cn=dnsUser,dc=bpk2,dc=com";
>>     arg "password dnsPass";
>>
>>     arg "fake_mname server1.bpk2.com.";
>>     arg "dyn_update yes";
>>     arg "connections 2";
>>     arg "verbose_checks yes";
>> };
>>
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>>
>> include "/etc/named.rfc1912.zones";
>>
>> my dns container is defined in openldap as such:
>>
>> dn: cn=dns,ou=Daemons,dc=bpk2,dc=com
>> cn: dns
>> idnspersistentsearch: FALSE
>> idnszonerefresh: 30
>> objectclass: top
>> objectclass: nsContainer
>> objectclass: idnsConfigObject
>>
>> where and how can i find the source of my issue? these issues are causing
>> performance issues on the rest of my network. because of these errors, ldap
>> throws errors about deferred operations for binding, too many executing, and
>> pending operations. additionally, recursion also seems to be impacted. this
>> is noticed most when streaming content. buffering, stuttering and pixelation
>> are seen in the video streams. it could be the swamping of logs killing I/O
>> or the actual recursion, but 100% the video issues are related. the log
>> events match up exactly with the buffering.
>>
>> i had this issue with bind-dyndb-ldap and fedora 20 up until i recently
>> upgraded. i went from F20 to F24, and put things on nice new SSDs, instead of
>> spinning disks. the problem followed the upgrade. are there configuration
>> items i am missing? are there tweaks i can do to improve something? how do i
>> get rid of these errors, so dns performance (or the log swamping) is not
>> affecting the rest of my network?
>>
>> thank you,
>>
>> brendan

i am running 10.1.1 on F24. why or how would those error logs be related to LDAP seeing an influx of updates, that wind up causing LDAP operations to queue up and require pended transactions, etc? are there tweaks and tuning options i should have in my LDAP to manage this?

thanks,

brendan

From listeranon at gmail.com Wed Oct 12 23:53:11 2016
From: listeranon at gmail.com (Anon Lister)
Date: Wed, 12 Oct 2016 19:53:11 -0400
Subject: [Freeipa-users] Password Complexity Requirements Seems Insufficient
In-Reply-To: <0137003026EBE54FBEC540C5600C03C43B4628@PAPR-EXMBX1.petermac.org.au>
References: <198A481E432CAD48801198FBEB67C7AF0D794710@USDGPEMSPMBX01.FTDCORP.NET> <9ef96d38-3358-f56a-f025-d95dd168a854@redhat.com> <198A481E432CAD48801198FBEB67C7AF0D796A67@USDGPEMSPMBX01.FTDCORP.NET> <0137003026EBE54FBEC540C5600C03C43B4628@PAPR-EXMBX1.petermac.org.au>
Message-ID:

Unfortunately, policy and regulation often lag behind current theory by several decades. For what it's worth, I'd second being able to set more complicated policies as a useful feature.
On Oct 12, 2016 6:38 PM, "Simpson Lachlan" wrote: > > -----Original Message----- > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- > > bounces at redhat.com] On Behalf Of Bennett, Chip > > Sent: Thursday, 13 October 2016 7:21 AM > > To: Florence Blanc-Renaud; freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems > > Insufficient > > > > Flo, > > > > Thanks for getting back to me. I had seen this in the documentation. > I was just > > hoping that I was missing something. I guess I'm just surprised that a > product > > designed to manage authentication wouldn't have a way to be more > specific in the > > complexity requirements. > > > I don't know. Those type of complexity requirements are multifaceted, > complex and somewhat arbitrary. Given that each then requires regex, I'm > quite happy that the devs focus on getting other aspects of FreeIPA to work > over password complexity. > > As xkcd noted a couple of years ago, password length is better for > security than anything else. > > Complex arrangements of different character classes is neither human or UX > friendly nor where contemporary security theory is focused - try 2FA, > public/private keys, etc. While I understand that large organisations have > policy that often drags well behind contemporary theory, I don't think it's > fair to expect software to also allow for that. > > Cheers > L. > > > > > > > > > > Thanks again! > > Chip > > > > -----Original Message----- > > From: Florence Blanc-Renaud [mailto:flo at redhat.com] > > Sent: Wednesday, October 12, 2016 3:18 PM > > To: Bennett, Chip ; freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems > > Insufficient > > > > On 10/11/2016 07:36 PM, Bennett, Chip wrote: > > > I just joined this list, so if this question has been asked before > > > (and I'll bet it has), I apologize in advance. 
> > > > > > > > > > > > A google search was unrevealing, so I'm asking here: we're running > > > FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password > > > complexity requirements are limited to setting the number of character > > > classes to require, i.e. setting it to "2" would require your new > > > password to be any two of the character classes. > > > > > > > > > > > > What if you wanted new passwords to meet specific class requirements, > > > i.e. a mix of UL, LC, and numbers. It looks like you would use a > > > value of "3" to accomplish this, but that would also allow UC, LC, and > > > special, or LC, numbers, and special, but you don't want to allow the > > > those: how would you specify that? > > > > > Hi, > > > > as far as I know, it is only possible to specify the number of different > character > > classes. The doc chapter "Creating Password Policies in the Web UI" [1] > describes > > the following: > > --- > > Character classes sets the number of different categories of character > that must be > > used in the password. This does not set which classes must be used; it > sets the > > number of different (unspecified) classes which must be used in a > password. For > > example, a character class can be a number, special character, or > capital; the > > complete list of categories is in Table 22.1, "Password Policy > Settings". This is part > > of setting the complexity requirements. > > --- > > > > hope this clarifies, > > Flo > > > > [1] > > https://access.redhat.com/documentation/en- > > US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_ > Authentication_and_ > > Policy_Guide/Setting_Different_Password_Policies_ > for_Different_User_Groups.ht > > ml#creating-group-policy-ui > > > > > > > > > > > > > Also, what if you had a requirement for more than one of the character > > > classes, i.e. you want to require two UC characters or two special > > > characters? 
> > > > > > > > > > > > Thanks in advance for the help, > > > > > > Chip Bennett > > > > > > > > > > > > > > > This message is solely for the intended recipient(s) and may contain > > > confidential and privileged information. Any unauthorized review, use, > > > disclosure or distribution is prohibited. > > > > > > > > > > > > This message is solely for the intended recipient(s) and may contain > confidential > > and privileged information. > > Any unauthorized review, use, disclosure or distribution is prohibited. > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > This email (including any attachments or links) may contain > confidential and/or legally privileged information and is > intended only to be read or used by the addressee. If you > are not the intended addressee, any use, distribution, > disclosure or copying of this email is strictly > prohibited. > Confidentiality and legal privilege attached to this email > (including any attachments) are not waived or lost by > reason of its mistaken delivery to you. > If you have received this email in error, please delete it > and notify us immediately by telephone or email. Peter > MacCallum Cancer Centre provides no guarantee that this > transmission is free of virus or that it has not been > intercepted or altered and will not be liable for any delay > in its receipt. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... 
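The documentation Flo quotes says the "character classes" setting counts how many distinct classes a password uses, not which ones, which is why the rule Chip wants (upper case, lower case and digits all present, or two characters of one class) cannot be expressed with it. The script below is an added example written for this archive; it is not code from the thread, from FreeIPA or from 389-ds. It implements both readings side by side and runs them over constructed sample passwords so the difference is visible. The class boundaries (ASCII upper, lower, digit, punctuation) are an assumption for illustration and may not match the server's own classification exactly. The last sample, a long lower-case passphrase of the kind Lachlan's xkcd reference points at, fails both rules, which shows the gap between class-counting policy and length-based policy the thread is arguing about.

```python
"""Two readings of a 'character classes' password rule, side by side.

Added example for this thread; not FreeIPA or 389-ds code. The class
boundaries below are an assumption for illustration.
"""
import string

# Assumed character classes (constructed for this example).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def class_counts(password):
    """Count how many characters of each class the password contains."""
    return {name: sum(ch in chars for ch in password) for name, chars in CLASSES.items()}


def meets_class_count(password, min_classes):
    """FreeIPA's rule as documented: at least `min_classes` distinct classes,
    without saying which ones."""
    used = [name for name, n in class_counts(password).items() if n > 0]
    return len(used) >= min_classes


def meets_required_classes(password, required, min_per_class=1):
    """The rule Chip asked for: every class named in `required` must be present,
    each at least `min_per_class` times (e.g. two upper-case letters)."""
    counts = class_counts(password)
    return all(counts[name] >= min_per_class for name in required)


def compare(password, min_classes=3, required=("upper", "lower", "digit")):
    """Evaluate one password under both readings and report which classes it uses."""
    return {
        "classes_used": sorted(n for n, c in class_counts(password).items() if c > 0),
        "count_rule": meets_class_count(password, min_classes),
        "specific_rule": meets_required_classes(password, required),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("Passw0rd", "passw0rd!", "PASSWORD1", "correct horse battery staple"):
        print(f"{pw!r:35} {compare(pw)}")
```

`passw0rd!` passes the documented count rule (lower, digit and special are three classes) but fails the specific rule because it has no upper-case letter; that is exactly the case Chip describes. Enforcing "two UC characters" is `meets_required_classes(pw, ("upper",), min_per_class=2)`, which the count-based setting cannot express either.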
URL: From ezajko at root.ba Thu Oct 13 02:32:22 2016 From: ezajko at root.ba (Ernedin Zajko) Date: Thu, 13 Oct 2016 04:32:22 +0200 Subject: [Freeipa-users] Password Complexity Requirements Seems Insufficient In-Reply-To: References: <198A481E432CAD48801198FBEB67C7AF0D794710@USDGPEMSPMBX01.FTDCORP.NET> <9ef96d38-3358-f56a-f025-d95dd168a854@redhat.com> <198A481E432CAD48801198FBEB67C7AF0D796A67@USDGPEMSPMBX01.FTDCORP.NET> <0137003026EBE54FBEC540C5600C03C43B4628@PAPR-EXMBX1.petermac.org.au> Message-ID: Hi Anton, maybe you can "talk" directly to ds: http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html regards, --- Ernedin ZAJKO ezajko at root.ba > 340282366920938463463374607431768211456 On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister wrote: > Unfortunately, policy and regulation often lag behind current theory by > several decades. For what it's worth, I'd second being able to set more > complicated policies as a useful feature. > > > On Oct 12, 2016 6:38 PM, "Simpson Lachlan" > wrote: >> >> > -----Original Message----- >> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users- >> > bounces at redhat.com] On Behalf Of Bennett, Chip >> > Sent: Thursday, 13 October 2016 7:21 AM >> > To: Florence Blanc-Renaud; freeipa-users at redhat.com >> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems >> > Insufficient >> > >> > Flo, >> > >> > Thanks for getting back to me. I had seen this in the documentation. >> > I was just >> > hoping that I was missing something. I guess I'm just surprised that a >> > product >> > designed to manage authentication wouldn't have a way to be more >> > specific in the >> > complexity requirements. >> >> >> I don't know. Those type of complexity requirements are multifaceted, >> complex and somewhat arbitrary. Given that each then requires regex, I'm >> quite happy that the devs focus on getting other aspects of FreeIPA to work >> over password complexity. 
>>
>> As xkcd noted a couple of years ago, password length is better for
>> security than anything else.
>>
>> Complex arrangements of different character classes are neither human- nor UX-
>> friendly, nor where contemporary security theory is focused - try 2FA,
>> public/private keys, etc. While I understand that large organisations have
>> policy that often drags well behind contemporary theory, I don't think it's
>> fair to expect software to also allow for that.
>>
>> Cheers
>> L.
>>
>> > Thanks again!
>> > Chip
>> >
>> > -----Original Message-----
>> > From: Florence Blanc-Renaud [mailto:flo at redhat.com]
>> > Sent: Wednesday, October 12, 2016 3:18 PM
>> > To: Bennett, Chip ; freeipa-users at redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
>> >
>> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
>> > > I just joined this list, so if this question has been asked before
>> > > (and I'll bet it has), I apologize in advance.
>> > >
>> > > A google search was unrevealing, so I'm asking here: we're running
>> > > FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password
>> > > complexity requirements are limited to setting the number of character
>> > > classes to require, i.e. setting it to "2" would require your new
>> > > password to be any two of the character classes.
>> > >
>> > > What if you wanted new passwords to meet specific class requirements,
>> > > i.e. a mix of UC, LC, and numbers. It looks like you would use a
>> > > value of "3" to accomplish this, but that would also allow UC, LC, and
>> > > special, or LC, numbers, and special, but you don't want to allow
>> > > those: how would you specify that?
>> > >
>> > Hi,
>> >
>> > as far as I know, it is only possible to specify the number of different
>> > character classes.
>> > The doc chapter "Creating Password Policies in the Web UI" [1] describes
>> > the following:
>> > ---
>> > Character classes sets the number of different categories of character
>> > that must be used in the password. This does not set which classes must
>> > be used; it sets the number of different (unspecified) classes which must
>> > be used in a password. For example, a character class can be a number,
>> > special character, or capital; the complete list of categories is in
>> > Table 22.1, "Password Policy Settings". This is part of setting the
>> > complexity requirements.
>> > ---
>> >
>> > hope this clarifies,
>> > Flo
>> >
>> > [1]
>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui
>> >
>> > > Also, what if you had a requirement for more than one of the character
>> > > classes, i.e. you want to require two UC characters or two special
>> > > characters?
>> > >
>> > > Thanks in advance for the help,
>> > >
>> > > Chip Bennett
From mbasti at redhat.com Thu Oct 13 07:12:28 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 13 Oct 2016 09:12:28 +0200
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <8A55E6003C19B34498C07A259B643BA90108635B@mbx032-e1-va-6.exch032.serverpod.net>

Oh you are lucky to have ~150 replication conflicts :)

How did you get those? Did you run upgrade in parallel or did you have some network issues?

You have to manually fix all replication conflicts and then re-run ipa-server-upgrade

Please follow the guide I posted previously, sorry :(

Martin

On 12.10.2016 21:30, John Popowitch wrote:
> I ran the following on each of my three servers:
> kinit admin
> ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "nsds5ReplConflict=*" \* nsds5ReplConflict
> There are 49, 57, 49 entries returned by that query on the respective server.
> Here is the one related to 'System: Modify Certificate Profile' from the first server:
>
> # CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws
>  .cappex.com
> dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=priv
>  ileges,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47
>  ,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294
>  e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b49
>  2895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294
>  e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Delete Certificate Profile+nsuniqueid=c93bf27c-a32311e5-b
>  492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Import Certificate Profile+nsuniqueid=c93bf280-a32311e5-b
>  492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b
>  492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> objectClass: groupofnames
> objectClass: top
> objectClass: nestedgroup
> cn: CA Administrator
> description: CA Administrator
> nsds5ReplConflict: namingConflict cn=CA Administrator,cn=privileges,cn=pbac,dc
>  =aws,dc=cappex,dc=com
>
>
> Here are the related entries from the second server:
>
> # CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws
>  .cappex.com
> dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=priv
>  ileges,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47
>  ,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294
>  e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b49
>  2895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294
>  e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Delete Certificate Profile+nsuniqueid=c93bf27c-a32311e5-b
>  492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Import Certificate Profile+nsuniqueid=c93bf280-a32311e5-b
>  492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b
>  492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> objectClass: groupofnames
> objectClass: top
> objectClass: nestedgroup
> cn: CA Administrator
> description: CA Administrator
> nsds5ReplConflict: namingConflict cn=ca administrator,cn=privileges,cn=pbac,dc
>  =aws,dc=cappex,dc=com
>
> # System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
>  missions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
>  f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
>  privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
> nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=per
>  missions,cn=pbac,dc=aws,dc=cappex,dc=com
>
>
> And from the third server:
>
> # CA Administrator + c93bf230-a32311e5-b492895f-f9294e47, privileges, pbac, aws
>  .cappex.com
> dn: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=priv
>  ileges,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Add CA ACL+nsuniqueid=c93bf269-a32311e5-b492895f-f9294e47
>  ,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Delete CA ACL+nsuniqueid=c93bf26d-a32311e5-b492895f-f9294
>  e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Manage CA ACL Membership+nsuniqueid=c93bf271-a32311e5-b49
>  2895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Modify CA ACL+nsuniqueid=c93bf275-a32311e5-b492895f-f9294
>  e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Delete Certificate Profile+nsuniqueid=c93bf27c-a32311e5-b
>  492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Import Certificate Profile+nsuniqueid=c93bf280-a32311e5-b
>  492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> memberOf: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,
>  dc=cappex,dc=com
> objectClass: groupofnames
> objectClass: top
> objectClass: nestedgroup
> cn: CA Administrator
> description: CA Administrator
> nsds5ReplConflict: namingConflict cn=CA Administrator,cn=privileges,cn=pbac,dc
>  =aws,dc=cappex,dc=com
>
>
> Thank you for sending a link with more info on replication conflicts.
> I'm reading it now.
> -John
>
> -----Original Message-----
> From: Martin Basti [mailto:mbasti at redhat.com]
> Sent: Wednesday, October 12, 2016 5:46 AM
> To: John Popowitch; Alexander Bokovoy
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>
> On 11.10.2016 22:01, John Popowitch wrote:
>> Ah, yes, thank you, Alexander.
>> I agree it would help if I followed the example better.
>> It would also help if I understood the example so a little description of what each command does would be very helpful.
> Sorry, we don't have time to explain everything here. `man ldapsearch` is your friend
>
>> It looks like that ACI record does exist.
>> Now how would I remove these LDAP records?
> I dug deeper into the code, and actually this error is not caused by ACIs,
> because it even does not get there. I think that this may be caused by a
> replication conflict on the permission entry, so that IPA doesn't see
> it but DS refuses to add it there.
>
> Can you please check as Directory Manager if there are any replication
> conflicts using this command?
> ldapsearch -D 'cn=directory manager' -W -b 'dc=aws,dc=cappex,dc=com' "nsds5ReplConflict=*" \* nsds5ReplConflict
>
> Please check if there is a replication conflict on entry 'System: Modify
> Certificate Profile'
>
> More info about replication conflicts:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: Tuesday, October 11, 2016 2:44 PM
>> To: John Popowitch
>> Cc: Martin Basti; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>>
>> On ti, 11 loka 2016, John Popowitch wrote:
>>> It doesn't look like there are any entries.
>>>
>>> # ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s base aci
>> 'ldapsearch -x' is 'use simple authentication instead of SASL' -- given that you didn't specify any identity for simple authentication, you are running an anonymous search. Martin asked you to 'kinit' as administrator and then use SASL GSSAPI.
>>
>> ACIs are only available for retrieval to administrators. It is not a surprise that anonymous access does not see them.
>>
>> It would be good if you would have followed the example:
>>> Here you have example
>>>
>>> kinit admin
>>>
>>> ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc=' -s base aci
>>>
>>> On 11.10.2016 17:48, John Popowitch wrote:
>>> Thanks, Martin.
>>> But I'm afraid you've gone beyond my level of LDAP knowledge.
>>> How would I check for that ACI?
>>> -John
>>>
>>> From: Martin Basti [mailto:mbasti at redhat.com]
>>> Sent: Tuesday, October 11, 2016 10:38 AM
>>> To: John Popowitch; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>>>
>>> On 11.10.2016 17:21, John Popowitch wrote:
>>> I agree that is weird.
>>> Several of the other managed permissions are updated successfully and they are very similar.
>>> Yes, I can try to remove the permission manually.
>>> Is there any risk in corrupting or breaking the system?
>>> This is, I believe, one of three IPA servers in a multi-master replication.
>>> And we run our production website (basically our company) off of these servers.
>>> Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP?
>>>
>>> Upgrade will re-create the permission.
>>>
>>> You have to do it directly using LDAP as Directory Manager
>>>
>>> Also please check in: cn=certprofiles,cn=ca,$SUFFIX
>>>
>>> if you have this ACI there
>>>
>>> aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)
>>>
>>> This may also cause an issue, so if removing the permission itself did
>>> not help (or the permission does not exist) you may need to remove this ACI
>>>
>>> Martin
>>>
>>> From: Martin Basti [mailto:mbasti at redhat.com]
>>> Sent: Tuesday, October 11, 2016 9:47 AM
>>> To: John Popowitch; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>>>
>>> That's weird because the code is checking if a permission exists before
>>> it tries to add a new one
>>>
>>> Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade?
>>>
>>> On 11.10.2016 15:53, John Popowitch wrote:
>>> 2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile
>>> 2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392
>>> 2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists
>>> 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 306, in __upgrade
>>>     self.modified = (ld.update(self.files) or self.modified)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 905, in update
>>>     self._run_updates(all_updates)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 877, in _run_updates
>>>     self._run_update_plugin(update['plugin'])
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 852, in _run_update_plugin
>>>     restart_ds, updates = self.api.Updater[plugin_name]()
>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1400, in __call__
>>>     return self.execute(**options)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 433, in execute
>>>     anonymous_read_aci)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py", line 529, in update_permission
>>>     ldap.add_entry(entry)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1428, in add_entry
>>>     self.conn.add_s(str(entry.dn), attrs.items())
>>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>     self.gen.throw(type, value, traceback)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 938, in error_handler
>>>     raise errors.DuplicateEntry()
>>> DuplicateEntry: This entry already exists
>>>
>>> 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 314, in __upgrade
>>>     raise RuntimeError(e)
>>> RuntimeError: This entry already exists
>>>
>>> 2016-10-10T19:51:38Z DEBUG [error] RuntimeError: This entry already exists
>>> 2016-10-10T19:51:38Z DEBUG [cleanup]: stopping directory server
>>> 2016-10-10T19:51:38Z DEBUG Starting external process
>>> 2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv at AWS-CAPPEX-COM.service'
>>> 2016-10-10T19:51:40Z DEBUG Process finished, return code=0
>>> 2016-10-10T19:51:40Z DEBUG stdout=
>>> 2016-10-10T19:51:40Z DEBUG stderr=
>>> 2016-10-10T19:51:40Z DEBUG duration: 1 seconds
>>> 2016-10-10T19:51:40Z DEBUG [cleanup]: restoring configuration
>>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2016-10-10T19:51:40Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2016-10-10T19:51:40Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>>> 2016-10-10T19:51:40Z DEBUG duration: 0 seconds
>>> 2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>> 2016-10-10T19:51:40Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
>>>     raise admintool.ScriptError(str(e))
>>>
>>> 2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1)
>>> 2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1)
>>>
>>> From: Martin Basti [mailto:mbasti at redhat.com]
>>> Sent: Tuesday, October 11, 2016 1:53 AM
>>> To: John Popowitch; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
>>>
>>> On 10.10.2016 23:30, John Popowitch wrote:
>>> Hello FreeIPA community.
>>> I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2.
>>> I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command."
>>> But when I run ipa-server-upgrade I get an error:
>>> ipa: ERROR: Upgrade failed with This entry already exists
>>> When I run it in debug mode the last action before the error is:
>>> ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions: DEBUG: Updating managed permission: System: Modify Certificate Profile
>>> It appears that several of the other managed permissions are processed successfully.
>>> When I look in the UI on one of the other servers it appears that this permission exists under IPA Server -> Role Based Access Control -> Permissions.
>>> I'm not familiar with FreeIPA so any help would be greatly appreciated.
>>> Thanks in advance.
>>> -John
>>>
>>> Hello,
>>>
>>> can you post the related part of ipaupgrade.log here?
>>>
>>> Martin

From pspacek at redhat.com Thu Oct 13 07:25:31 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 13 Oct 2016 09:25:31 +0200
Subject: [Freeipa-users] bind-dyndb-ldap issues
In-Reply-To: <9fa6a73f-b3a7-f73c-2147-18c4653ba567@gmail.com>
Message-ID: <9d385550-5626-ce05-3bcc-0785e6c14349@redhat.com>

On 13.10.2016 01:42, Brendan Kearney wrote:
> On 10/12/2016 02:35 AM, Petr Spacek wrote:
>> Hello,
>>
>> these are debug messages and are harmless. Apparently you have verbose/debug
>> messages enabled in named.conf:
>>
>> arg "verbose_checks yes";
>>
>> If you want to get rid of these messages, just remove the line.
>>
>> What version of bind-dyndb-ldap are you using?
>>
>> Sufficiently new versions should use SyncRepl to pull all data from LDAP to
>> memory (on start) so the read performance should be nearly identical as with
>> plain BIND.
>>
>> Of course, writes/DNS updates will generate load on your LDAP server so the
>> server needs to handle the load.
>>
>> Petr^2 Spacek
>>
>> On 11.10.2016 20:41, Brendan Kearney wrote:
>>> i am using bind-dyndb-ldap on fedora 24 without FreeIPA, and continue to have
>>> my logs swamped with errors about "check failed" from settings.c and fwd.c. i
>>> am completely up to date with every package, so the latest versions of
>>> everything are installed.
>>>
>>> [settings.c : 420: setting_update_from_ldap_entry] check failed: ignore
>>> [settings.c : 436: setting_update_from_ldap_entry] check failed: ignore
>>> [fwd.c : 378: fwd_setting_isexplicit] check failed: not found
>>>
>>> i have two boxes running a named instance each, in a "master/master" config.
>>> each has the zone data configured per below. the uri refers to the local ip
>>> of each server.
>>>
>>> dynamic-db "bpk2.com" {
>>>     library "ldap.so";
>>>     arg "uri ldap://192.168.88.1/";
>>>     arg "base cn=dns,ou=Daemons,dc=bpk2,dc=com";
>>>     arg "auth_method simple";
>>>     arg "bind_dn cn=dnsUser,dc=bpk2,dc=com";
>>>     arg "password dnsPass";
>>>
>>>     arg "fake_mname server1.bpk2.com.";
>>>     arg "dyn_update yes";
>>>     arg "connections 2";
>>>     arg "verbose_checks yes";
>>> };
>>>
>>> zone "." IN {
>>>     type hint;
>>>     file "named.ca";
>>> };
>>>
>>> include "/etc/named.rfc1912.zones";
>>>
>>> my dns container is defined in openldap as such:
>>>
>>> dn: cn=dns,ou=Daemons,dc=bpk2,dc=com
>>> cn: dns
>>> idnspersistentsearch: FALSE
>>> idnszonerefresh: 30
>>> objectclass: top
>>> objectclass: nsContainer
>>> objectclass: idnsConfigObject
>>>
>>> where and how can i find the source of my issue? these issues are causing
>>> performance issues on the rest of my network. because of these errors, ldap
>>> throws errors about deferred operations for binding, too many executing, and
>>> pending operations. additionally, recursion also seems to be impacted. this
>>> is noticed most when streaming content. buffering, stuttering and pixelation
>>> are seen in the video streams. it could be the swamping of logs killing I/O
>>> or the actual recursion, but 100% the video issues are related. the log
>>> events match up exactly with the buffering.
>>>
>>> i had this issue with bind-dyndb-ldap and fedora 20 up until i recently
>>> upgraded. i went from F20 to F24, and put things on nice new SSDs, instead of
>>> spinning disks. the problem followed the upgrade. are there configuration
>>> items i am missing? are there tweaks i can do to improve something? how do i
>>> get rid of these errors, so dns performance (or the log swamping) is not
>>> affecting the rest of my network?
>>>
>>> thank you,
>>>
>>> brendan
>
> i am running 10.1.1 on F24.
>
> why or how would those error logs be related to LDAP seeing an influx of
> updates,

Again, these are just debug logs. Do not get confused by the word 'failed'
here, it just means that the return code from a function is not ISC_R_SUCCESS.
In some cases it is expected and does not imply an error condition. (You can
mentally replace the word 'failed' with the string 'debug: function returned '.)

These two cases are just fine:
- ISC_R_IGNORE from the setting_update_from_ldap_entry function means that
  there was no update to the particular setting in the LDAP entry - the plugin
  processed the change notification from the LDAP server and found nothing new.
- ISC_R_NOTFOUND from fwd_setting_isexplicit is most likely fine as well, it
  is an internal function which determines if a zone has explicitly configured
  forwarding. It is not :-)

> that wind up causing LDAP operations to queue up and require pended
> transactions, etc?

Again, these are not errors and certainly do not indicate anything bad.
Disable the debug logs if you do not want to see it, but in any case, these
are part of normal operation.

> are there tweaks and tuning options i should have in my
> LDAP to manage this?

If you see a performance problem, you need to dig deeper. Bind-dyndb-ldap is
most likely not a root cause because it does "nothing" from a performance
perspective :-)

I would inspect disk I/O on the LDAP and DNS servers to see if the I/O
subsystem is saturated (or not). The DNS server is keeping its transaction
logs on disk so a big number of updates might generate a lot of synchronous
I/O. LDAP is even worse from this perspective.

If you have a lot of DNS updates and beefy servers, you might increase the
"connections" parameter in named.conf. It will use more LDAP connections and
parallelize updates to different zones, which might or might not help in your
case.

I hope this description helps to understand the situation.
--
Petr^2 Spacek

From deepak_dimri at hotmail.com Thu Oct 13 08:15:21 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Thu, 13 Oct 2016 08:15:21 +0000
Subject: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0
In-Reply-To: <20161012174039.irbx4ojxekojs4n7@redhat.com>

Hi Alexander,

I have tried it on ubuntu 16.04 as well but no luck either. Getting the same error:

sudo apt-get install freeipa-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package freeipa-server

any other ideas? I don't find any good response to this issue either..

Thanks Much,
Deepak

________________________________
From: Alexander Bokovoy
Sent: Wednesday, October 12, 2016 1:40 PM
To: Deepak Dimri
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0

On ke, 12 loka 2016, Deepak Dimri wrote:
>Hi All,
>
>I am trying to install freeIPA server on ubuntu 14.0 but i am getting Error "Unable to locate package freeipa-server" below is what i am trying:
>
>apt-get install freeipa-server -y
>Reading package lists... Done
>Building dependency tree
>Reading state information... Done
>E: Unable to locate package freeipa-server
>
>apt-get install freeipa-client -y works just fine..
>
>i have tried enabling universe repository in /etc/apt/sources.list and ran apt-get update but no luck either still getting Unable to locate package freeipa-server.
>
>How can i install ipa server on ubuntu?
Use newer Ubuntu.

--
/ Alexander Bokovoy
From abokovoy at redhat.com Thu Oct 13 09:06:53 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 13 Oct 2016 12:06:53 +0300
Subject: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0
Message-ID: <20161013090653.ppqcjc3rdcbl6pf5@redhat.com>

On to, 13 loka 2016, Deepak Dimri wrote:
>
>Hi Alexander,
>
>I have tried it on ubuntu 16.04 as well but no luck either. Getting the same error:
>
>sudo apt-get install freeipa-server
>Reading package lists... Done
>Building dependency tree
>Reading state information... Done
>E: Unable to locate package freeipa-server
>
>any other ideas? I don't find any good response to this issue either..
Check your repos. It is definitely part of Ubuntu 16.04:
https://launchpad.net/ubuntu/xenial/+source/freeipa

See also https://www.redhat.com/archives/freeipa-users/2016-May/msg00255.html
(and search for mailing list archives before asking questions again)

--
/ Alexander Bokovoy

From jpopowitch at cappex.com Thu Oct 13 13:50:21 2016
From: jpopowitch at cappex.com (John Popowitch)
Date: Thu, 13 Oct 2016 13:50:21 +0000
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
Message-ID: <8A55E6003C19B34498C07A259B643BA90108671B@mbx032-e1-va-6.exch032.serverpod.net>

Yeah, so very lucky. I have no idea how this happened.
As I said before I inherited these servers so I don't really know what was done to get them to this state.
I'm guessing most if not all of the conflicts are naming conflicts for standard entries which were set up on all three servers.

Please help me to understand what this upgrade does.
What does ipa-server-upgrade do?
Each server has IPA RPMs for v4.2.0. Does this command upgrade RPMs?
Does it need to be run on each server?

Thanks for your help.
-John

-----Original Message-----
From: Martin Basti [mailto:mbasti at redhat.com]
Sent: Thursday, October 13, 2016 2:12 AM
To: John Popowitch; Alexander Bokovoy
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

Oh you are lucky to have ~150 replication conflicts :)

How did you get those? Did you run upgrade in parallel or did you have some network issues?
You have to manually fix all replication conflicts and the re-run ipa-server-upgrade Please follow guide I posted previously, sorry :( Martin From jpopowitch at cappex.com Thu Oct 13 13:54:17 2016 From: jpopowitch at cappex.com (John Popowitch) Date: Thu, 13 Oct 2016 13:54:17 +0000 Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> <20161011194409.466mqip5224rontc@redhat.com> <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net> <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com> <8A55E6003C19B34498C07A259B643BA90108635B@mbx032-e1-va-6.exch032.serverpod.net> Message-ID: <8A55E6003C19B34498C07A259B643BA901086787@mbx032-e1-va-6.exch032.serverpod.net> Also, it seems like most of these conflicts are nearly identical. Which leads me to believe I should delete the duplicates. The URL you shared seems to talk about renaming and keeping the conflicting records. Should I rename them or remove them? -----Original Message----- From: John Popowitch Sent: Thursday, October 13, 2016 8:50 AM To: 'Martin Basti'; Alexander Bokovoy Cc: freeipa-users at redhat.com Subject: RE: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors Yeah, so very lucky. I have no idea how this happened. 
As I said before I inherited these servers so I don't really know what was done to get them to this state. I'm guessing most if not all of the conflicts are naming conflicts for standard entries which were setup on all three servers. Please help me to understand what this upgrade does. What does ipa-server-upgrade do? Each server has IPA RPMs for v4.2.0. Does this command upgrade RPMs? Does it need to be run on each server? Thanks for your help. -John -----Original Message----- From: Martin Basti [mailto:mbasti at redhat.com] Sent: Thursday, October 13, 2016 2:12 AM To: John Popowitch; Alexander Bokovoy Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors Oh you are lucky to have ~150 replication conflicts :) How did you get those? Did you run upgrade in parallel or did you have some network issues? You have to manually fix all replication conflicts and the re-run ipa-server-upgrade Please follow guide I posted previously, sorry :( Martin From mbasti at redhat.com Thu Oct 13 14:27:59 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 13 Oct 2016 16:27:59 +0200 Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors In-Reply-To: <8A55E6003C19B34498C07A259B643BA90108671B@mbx032-e1-va-6.exch032.serverpod.net> References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> 
<20161011194409.466mqip5224rontc@redhat.com> <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net> <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com> <8A55E6003C19B34498C07A259B643BA90108635B@mbx032-e1-va-6.exch032.serverpod.net> <8A55E6003C19B34498C07A259B643BA90108671B@mbx032-e1-va-6.exch032.serverpod.net> Message-ID: <522b21ac-19af-e1eb-a7cc-fceb4e40313f@redhat.com> On 13.10.2016 15:50, John Popowitch wrote: > Yeah, so very lucky. > I have no idea how this happened. > As I said before I inherited these servers so I don't really know what was done to get them to this state. > I'm guessing most if not all of the conflicts are naming conflicts for standard entries which were setup on all three servers. > > Please help me to understand what this upgrade does. > What does ipa-server-upgrade do? It upgrades configuration of services and LDAP data to fit the current version installed from RPMs. > Each server has IPA RPMs for v4.2.0. > Does this command upgrade RPMs? No, ipa-server-upgrade is called from RPM upgrade process. First new RPMs are installed, then ipa-server-upgrade is executed. In your case ipa-server-upgrade failed so it should be rerun because there might be configs that needs upgrade. > Does it need to be run on each server? Yes, as I said it is part of RPM installation. ipa-server-upgrade is idempotent so it can be called multiple times. I recommend to execute it again to be sure. (first remove conflicts) > > Thanks for your help. > -John > > -----Original Message----- > From: Martin Basti [mailto:mbasti at redhat.com] > Sent: Thursday, October 13, 2016 2:12 AM > To: John Popowitch; Alexander Bokovoy > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors > > Oh you are lucky to have ~150 replication conflicts :) > > How did you get those? Did you run upgrade in parallel or did you have some network issues? 
> > > You have to manually fix all replication conflicts and the re-run > ipa-server-upgrade > > Please follow guide I posted previously, sorry :( > > > Martin > From rcritten at redhat.com Thu Oct 13 14:31:03 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 13 Oct 2016 10:31:03 -0400 Subject: [Freeipa-users] Password Complexity Requirements Seems Insufficient In-Reply-To: References: <198A481E432CAD48801198FBEB67C7AF0D794710@USDGPEMSPMBX01.FTDCORP.NET> <9ef96d38-3358-f56a-f025-d95dd168a854@redhat.com> <198A481E432CAD48801198FBEB67C7AF0D796A67@USDGPEMSPMBX01.FTDCORP.NET> <0137003026EBE54FBEC540C5600C03C43B4628@PAPR-EXMBX1.petermac.org.au> Message-ID: <57FF9AA7.8080500@redhat.com> Ernedin Zajko wrote: > Hi Anton, > > maybe you can "talk" directly to ds: > http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html > regards, That won't work. IPA re-implements password policy because it is baked into 389-ds and not plugable or extensible. There are some open tickets for enhancing IPA password policies but other features have taken precedence thus far: https://fedorahosted.org/freeipa/ticket/2445 https://fedorahosted.org/freeipa/ticket/5948 rob > > --- Ernedin ZAJKO > ezajko at root.ba > >> 340282366920938463463374607431768211456 > > > > On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister wrote: >> Unfortunately, policy and regulation often lag behind current theory by >> several decades. For what it's worth, I'd second being able to set more >> complicated policies as a useful feature. 
>>
>> On Oct 12, 2016 6:38 PM, "Simpson Lachlan" wrote:
>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Bennett, Chip
>>>> Sent: Thursday, 13 October 2016 7:21 AM
>>>> To: Florence Blanc-Renaud; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
>>>>
>>>> Flo,
>>>>
>>>> Thanks for getting back to me. I had seen this in the documentation. I was just hoping that I was missing something. I guess I'm just surprised that a product designed to manage authentication wouldn't have a way to be more specific in the complexity requirements.
>>>
>>> I don't know. Those types of complexity requirements are multifaceted, complex and somewhat arbitrary. Given that each then requires regex, I'm quite happy that the devs focus on getting other aspects of FreeIPA to work over password complexity.
>>>
>>> As xkcd noted a couple of years ago, password length is better for security than anything else.
>>>
>>> Complex arrangements of different character classes are neither human- nor UX-friendly, nor where contemporary security theory is focused - try 2FA, public/private keys, etc. While I understand that large organisations have policy that often drags well behind contemporary theory, I don't think it's fair to expect software to also allow for that.
>>>
>>> Cheers
>>> L.
>>>
>>>> Thanks again!
>>>> Chip
>>>>
>>>> -----Original Message-----
>>>> From: Florence Blanc-Renaud [mailto:flo at redhat.com]
>>>> Sent: Wednesday, October 12, 2016 3:18 PM
>>>> To: Bennett, Chip ; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
>>>>
>>>> On 10/11/2016 07:36 PM, Bennett, Chip wrote:
>>>>> I just joined this list, so if this question has been asked before (and I'll bet it has), I apologize in advance.
>>>>>
>>>>> A google search was unrevealing, so I'm asking here: we're running FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password complexity requirements are limited to setting the number of character classes to require, i.e. setting it to "2" would require your new password to be any two of the character classes.
>>>>>
>>>>> What if you wanted new passwords to meet specific class requirements, i.e. a mix of UC, LC, and numbers. It looks like you would use a value of "3" to accomplish this, but that would also allow UC, LC, and special, or LC, numbers, and special, but you don't want to allow those: how would you specify that?
>>>>>
>>>> Hi,
>>>>
>>>> as far as I know, it is only possible to specify the number of different character classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes the following:
>>>> ---
>>>> Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 22.1, "Password Policy Settings". This is part of setting the complexity requirements.
>>>> ---
>>>>
>>>> hope this clarifies,
>>>> Flo
>>>>
>>>> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui
>>>>
>>>>> Also, what if you had a requirement for more than one of the character classes, i.e. you want to require two UC characters or two special characters?
>>>>>
>>>>> Thanks in advance for the help,
>>>>>
>>>>> Chip Bennett
>>>>>
>>>>> This message is solely for the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>> This email (including any attachments or links) may contain confidential and/or legally privileged information and is intended only to be read or used by the addressee. If you are not the intended addressee, any use, distribution, disclosure or copying of this email is strictly prohibited. Confidentiality and legal privilege attached to this email (including any attachments) are not waived or lost by reason of its mistaken delivery to you. If you have received this email in error, please delete it and notify us immediately by telephone or email. Peter MacCallum Cancer Centre provides no guarantee that this transmission is free of virus or that it has not been intercepted or altered and will not be liable for any delay in its receipt.
>

From mbasti at redhat.com Thu Oct 13 14:36:26 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 13 Oct 2016 16:36:26 +0200
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <8A55E6003C19B34498C07A259B643BA901086787@mbx032-e1-va-6.exch032.serverpod.net>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> <20161011194409.466mqip5224rontc@redhat.com> <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net> <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com> <8A55E6003C19B34498C07A259B643BA90108635B@mbx032-e1-va-6.exch032.serverpod.net> <8A55E6003C19B34498C07A259B643BA901086787@mbx032-e1-va-6.exch032.serverpod.net>
Message-ID: <23df9603-1f89-5050-8e05-ceb3525049d7@redhat.com>

On 13.10.2016 15:54, John Popowitch wrote:
> Also, it seems like most of these conflicts are nearly identical.
> Which leads me to believe I should delete the duplicates.
> The URL you shared seems to talk about renaming and keeping the conflicting records.
> Should I rename them or remove them?

Make sure that there is exactly one right entry (from each set of conflicts); the best might be to rename one duplicated entry (DS will tell you if the entry already exists, as a worst case) and remove the other duplicates. Please note that memberOf attributes are generated dynamically, so you don't need to change them; they should be updated when you remove/update the DN of entries.

Martin

From jpopowitch at cappex.com Thu Oct 13 14:41:08 2016
From: jpopowitch at cappex.com (John Popowitch)
Date: Thu, 13 Oct 2016 14:41:08 +0000
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <23df9603-1f89-5050-8e05-ceb3525049d7@redhat.com>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> <20161011194409.466mqip5224rontc@redhat.com> <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net> <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com> <8A55E6003C19B34498C07A259B643BA90108635B@mbx032-e1-va-6.exch032.serverpod.net> <8A55E6003C19B34498C07A259B643BA901086787@mbx032-e1-va-6.exch032.serverpod.net> <23df9603-1f89-5050-8e05-ceb3525049d7@redhat.com>
Message-ID: <8A55E6003C19B34498C07A259B643BA901086811@mbx032-e1-va-6.exch032.serverpod.net>

Thanks so much for your help, Martin, and Alexander for keeping me honest.
I think I have enough to start working on resolving the replication conflicts.
I'm sure I'll have more questions, but this is definitely the right place to get them answered.

From jacquelin.charbonnel at univ-angers.fr Thu Oct 13 15:45:32 2016
From: jacquelin.charbonnel at univ-angers.fr (Jacquelin Charbonnel)
Date: Thu, 13 Oct 2016 17:45:32 +0200
Subject: [Freeipa-users] diskless workstations in an IPA domain
Message-ID: <7031a9b1-b0c6-5f9a-77e2-9c64d2b0769d@univ-angers.fr>

Hi everybody,

What is the best practice to enroll diskless Fedora24 workstations (under stateless Linux) into an IPA domain?
Each diskless workstation mounts its filesystem in RO mode from a single NFS share, with some specific directories (like /var/lib/sss) mapped RW in RAM.

Thank you for any help!
Jacquelin

--
Jacquelin Charbonnel - (+33)2 4173 5397
CNRS Mathrice/LAREMA - Campus universitaire d'Angers

From jbaird at follett.com Thu Oct 13 17:35:26 2016
From: jbaird at follett.com (Baird, Josh)
Date: Thu, 13 Oct 2016 17:35:26 +0000
Subject: [Freeipa-users] Naming conventions/practices for HBAC/sudo/etc

Hi all,

I realize that this will vary from instance to instance, but I'm curious how others are handling naming conventions for things like HBAC rules, sudo rules, etc.
Here is how I am handling things today:

* External groups have an 'external' prefix (eg, external_groupname)
* Hostgroups have a $group prefix (eg, groupX_webservers)
* sudo rules are classified by the group name (eg, EmailAdmins). This example sudo rule would allow members of the 'EmailAdmins' group access to run certain commands/command-groups on specific host-groups (eg, groupX_webservers).
* HBAC rules are classified by the group name (eg, allow_EmailAdmins). This example HBAC rule would allow members of the 'EmailAdmins' group access to certain host-groups (eg, groupX_webservers). When this group needs to access additional groups of servers, I just modify the existing HBAC rule and add the new group.

There are many different ways to handle this. I have thought about classifying HBAC rules by hostgroup instead of user group. In this case, I would have an HBAC rule named 'allow_Webservers' where I would specify individual user-groups that require access to the host(s).

My opinion on this is likely to change as our environment (and use cases) continues to expand.

What is working in your environment? What would you change if you could start over?

It would be great if this discussion could eventually lead to a 'best practices' document/wiki-page for naming conventions and practices.

Thanks,
Josh

From jhrozek at redhat.com Thu Oct 13 18:33:46 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 13 Oct 2016 20:33:46 +0200
Subject: [Freeipa-users] diskless workstations in an IPA domain
In-Reply-To: <7031a9b1-b0c6-5f9a-77e2-9c64d2b0769d@univ-angers.fr>
References: <7031a9b1-b0c6-5f9a-77e2-9c64d2b0769d@univ-angers.fr>
Message-ID: <20161013183346.lma47povg2tde6dw@hendrix>

On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote:
> Hi everybody,
>
> What is the best practice to enroll diskless Fedora24 workstations (under stateless Linux) into an IPA domain?
> Each diskless workstation mounts its filesystem in RO mode from a single NFS share, with some specific directories (like /var/lib/sss) mapped RW in RAM.

I can't speak for other components, but /var/lib/sss/ is the only directory sssd writes to (except tmpfiles, but I guess /tmp would also be a writable fs?)

From pvoborni at redhat.com Thu Oct 13 19:17:43 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 13 Oct 2016 21:17:43 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.4.2
Message-ID: <35f41ae2-9596-3b20-cf0c-35e5f34e1ad8@redhat.com>

The FreeIPA team would like to announce FreeIPA 4.4.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

This announcement is also available on http://www.freeipa.org/page/Releases/4.4.2

Fedora 25 update: https://bodhi.fedoraproject.org/updates/freeipa-4.4.2-1.fc25

== Highlights in 4.4.2 ==

=== Known Issues ===

* ipa-ca-install fails on replica when master is CA-less #6226
* ipa cert-find command doesn't return revocation reason in output, Web UI then cannot display proper state of a certificate #6269

=== Bug fixes ===

FreeIPA 4.4.2 is a stabilization release for the features delivered as a part of 4.4.0. There are more than 40 bug fixes, whose details can be seen in the list of resolved tickets below.

== Upgrading ==

Upgrade instructions are available on the upgrade page.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Resolved tickets ==

* 4802 Investigate & document if TLS 1.2 is properly supported
* 5557 Strict dependency of optional package pam_krb5
* 5644 dnsrecord-del incompatible with admintools < ver 3.2 and server >= ver 3.2
* 5725 failed ipa-server-install --uninstall returns exit code 0
* 5754 ipa-client-install man page has incorrect data on hostname
* 5755 test_0006_service_show in test_cert_plugin uses global variable wrong
* 5809 ipa-server-install fails when using external certificates that encapsulate RDN components in double quotes
* 5814 Change IP address validation errors to warnings [support for cloud environments]
* 5818 webui: "Restore" option is not available for a preserved user in detailed info
* 5822 Cannot create user with username exactly 255 charaters long
* 5855 method get_primary_key_from_dn does not work for netgroups properly
* 6057 adding two way non transitive(external) trust displays internal error on the console
* 6095 ipa command stuck forever on higher versioned client with lower versioned server
* 6155 [tracker] Failed to configure CA instance
* 6190 Regressions found by test: ipa.test_ipalib.test_parameters
* 6203 dnsrecord-add does not prompt for missing record parts internactively
* 6212 Pretty-print mismatches in tests
* 6216 webui: cert_revoke should use --cacn to set correct CA when revoking certificate
* 6221 Certificate revocation in service-del and host-del isn't aware of Sub CAs
* 6230 installer: external CA step 1 successful but reports ScriptError
* 6238 Unable to view certificates issued by Sub CA in Web UI
* 6256 [tracker] Revoke certificate on lightweight CA deletion
* 6257 Implement ca-enable/disable commands.
* 6260 cert-request: use better error message when CA is disabled
* 6273 Command autocompletion without installed server prints an error message
* 6279 CLI always sends default command version
* 6285 Tests: Regex errors in trust tests
* 6288 ipa-certupdate fails with "CA is not configured"
* 6294 TypeError in installer
* 6296 client-install with IPv6 address fails on link-local address (always)
* 6300 Remove the assertion of incorrect return code from replica_promotion tests
* 6301 Fix replica_promotion tests
* 6304 cert-find --certificate does not work for certificates not in LDAP
* 6306 Add cleanup to integration trust tests
* 6309 cert-request does not raise error when CSR does not match profile pattern
* 6312 Failing ldap backend test because service not found
* 6313 Failing test in test_ipalib/test_plugable
* 6322 Add krb5kdc restart to integration trust tests
* 6323 Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* 6326 Update host test with ipa-join
* 6327 regression in `ipa cert-revoke --help`
* 6328 ipa trust-fetch-domains throws internal error
* 6329 WinSync users who have First.Last casing creates users who can have their password set
* 6330 Invalid description for --hostname option in ipa-server-install man page
* 6333 Skipped test_ipalib/test_text::test_TestLang::test_test_lang in outoftree suite
* 6338 [Tests] Remove SSSD restart from integration tests
* 6341 Certificate UI on details page shows add button even if user doesn't have write right
* 6349 Tests: incomplete cleanup of CA plugin XMLRPC tests
* 6366 Extend CA ACL tests for test cases with CSR containing Subject Alt Name
* 6368 otpd doesn't properly handle closing of ldap connection
* 6373 test_util.test_assert_deepequal fails
* 6382 Test: disable test for wrong client domain in domain level 0
* 6385 ipa-server-install --external-ca fails with AttributeError
* 6390 python-dns 1.15.0 breaks FreeIPA
* 6391 make FreeIPA codebase ready for pylint in Fedora rawhide
* 5791 CA fails to start after doing ipa-ca-install --external-ca

== Detailed changelog since 4.4.1 ==

=== Christian Heimes (1) ===
* Use RSA-OAEP instead of RSA PKCS#1 v1.5

=== David Kupka (2) ===
* UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
* schema cache: Store and check info for pre-schema servers

=== Florence Blanc-Renaud (2) ===
* Fix regression introduced in ipa-certupdate
* Fix ipa-certupdate for CA-less installation

=== Fraser Tweedale (10) ===
* Add commentary about CA deletion to plugin doc
* spec: require Dogtag >= 10.3.5-6
* cert-request: raise error when request fails
* Make host/service cert revocation aware of lightweight CAs
* cert-request: raise CertificateOperationError if CA disabled
* Use Dogtag REST API for certificate requests
* Add HTTPRequestError class
* Allow Dogtag RestClient to perform requests without logging in
* Add ca-disable and ca-enable commands
* Track lightweight CAs on replica installation

=== Jan Cholasta (8) ===
* test_plugable: update the rest of test_init
* dns: re-introduce --raw in dnsrecord-del
* client: remove hard dependency on pam_krb5
* cert: fix cert-find --certificate when the cert is not in LDAP
* dns: fix crash in interactive mode against old servers
* dns: prompt for missing record parts in CLI
* dns: normalize record type read interactively in dnsrecord_add
* cli: use full name when executing a command

=== Lenka Doudova (11) ===
* Tests: Certificate revocation
* Tests: Remove invalid certplugin tests
* Tests: Remove usage of krb5 ccache from test_ipaserver/test_ldap
* Tests: Fix host attributes in ipa-join host test
* Tests: Update host test with ipa-join
* Tests: Add krb5kdc.service restart to integration trust tests
* Tests: Remove SSSD restart from integration tests
* Tests: Fix integration sudo tests setup and checks
* Tests: Fix failing ldap.backend test
* Tests: Add cleanup to integration trust tests
* Tests: Fix regex errors in integration trust tests

=== Martin Babinsky (13) ===
* disable warnings reported by pylint-1.6.4-1
* mod_nss: use more robust quoting of NSSNickname directive
* Move character escaping function to ipautil
* Make Continuous installer continuous only during execution phase
* use separate exception handlers for executors and validators
* ipa passwd: use correct normalizer for user principals
* trust-fetch-domains: contact forest DCs when fetching trust domain info
* netgroup: avoid extraneous LDAP search when retrieving primary key from DN
* ldapupdate: Use proper inheritance in BadSyntax exception
* raise ValidationError when deprecated param is passed to command
* Always fetch forest info from root DCs when establishing one-way trust
* factor out `populate_remote_domain` method into module-level function
* Always fetch forest info from root DCs when establishing two-way trust

=== Martin Basti (17) ===
* test_text: add test ipa.pot file for tests
* Test: dont use global variable for iteration in test_cert_plugin
* Use constant for user and group patterns
* Fix regexp patterns in parameters to not enforce length
* Add check for IP addresses into DNS installer
* Fix missing config.ips in promote_check
* Abstract procedures for IP address warnings
* Catch DNS exceptions during emptyzones named.conf upgrade
* Start named during configuration upgrade.
* Tests: extend DNS cmdline tests with lowercased record type
* Show warning when net/broadcast IP address is used in installer
* Allow multicast addresses in A/AAAA records
* Allow broadcast ip addresses
* Allow network ip addresses
* Fix parse errors with link-local addresses
* Fix ScriptError to always return string from __str__
* Set zanata project-version fo 4.4 branch

=== Milan Kubík (3) ===
* ipatests: Implement tests with CSRs requesting SAN
* ipatests: Fix name property on a service tracker
* ipatests: provide context manager for keytab usage in RPC tests

=== Nathaniel McCallum (1) ===
* Properly handle LDAP socket closures in ipa-otpd

=== Oleg Fayans (4) ===
* Test: disabled wrong client domain tests for domlevel 0
* Changed addressing to the client hosts to be replicas
* Several fixes in replica_promotion tests
* Removed incorrect check for returncode

=== Petr Spacek (1) ===
* Fix compatibility with python-dns 1.15.0

=== Pavel Vomacka (5) ===
* WebUI: hide buttons in certificate widget according to acl
* Add 'Restore' option to action dropdown menu
* WebUI add support for sub-CAs while revoking certificates
* WebUI: Fix showing certificates issued by sub-CA
* Add support for additional options taken from table facet

=== Stanislav Laznicka (5) ===
* Make installer quit more nicely on external CA installation
* Fix test_util.test_assert_deepequal test
* Pretty-print structures in assert_deepequal
* Remove update_from_dict() method
* Updated help/man information about hostname

=== Tomas Krizek (4) ===
* Keep NSS trust flags of existing certificates
* Update ipa-server-install man page for hostname
* Add help info about certificate revocation reasons
* Don't show error messages in bash completion

-- 
Petr Vobornik

From jpopowitch at cappex.com Thu Oct 13 20:23:36 2016
From: jpopowitch at cappex.com (John Popowitch)
Date: Thu, 13 Oct 2016 20:23:36 +0000
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <9c3ecf8d-e1cd-cab6-b46c-a7101a86debd@redhat.com> <8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> <20161011194409.466mqip5224rontc@redhat.com> <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net> <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com> <8A55E6003C19B34498C07A259B643BA90108635B@mbx032-e1-va-6.exch032.serverpod.net> <8A55E6003C19B34498C07A259B643BA901086787@mbx032-e1-va-6.exch032.serverpod.net> <23df9603-1f89-5050-8e05-ceb3525049d7@redhat.com>
Message-ID: <8A55E6003C19B34498C07A259B643BA901086B16@mbx032-e1-va-6.exch032.serverpod.net>

Ok, so I'm looking at fixing the conflicts for 'System: Modify Certificate Profile'.
I ran this on each server:

ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "cn=*Modify Certificate Profile*" \* nsds5ReplConflict

And now to make things interesting, this query has different results on each server.

Server #1:

# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com

Server #2:

# System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com

Server #3:

# System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Certificate Profile
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
ipaPermDefaultAttr: description
ipaPermDefaultAttr: ipacertprofilestoreissued
ipaPermDefaultAttr: cn
ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com

I realize that this is a horrible state of replication.
My question is, what happens if I modify or delete an entry on one server that doesn't exist on another?

Thanks.
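The ldapsearch output above is the raw material for deciding which copy of a conflicting entry is the one to keep. As an added example (not code from this thread or from FreeIPA), the script below parses that kind of output collected from several servers, using the two signs visible above (the `+nsuniqueid=...` component in the RDN and the `nsds5ReplConflict` attribute), and reports per entry which servers hold a valid copy, which hold only the conflict copy, and which valid entries still reference a conflict copy through `member` (the Server #3 situation). The sample input is constructed, with the suffix changed to `dc=example,dc=com` and most attributes trimmed.

```python
"""Locate 389-ds replication conflict entries in ldapsearch output.

Added example, not from the thread: unfold the LDIF ldapsearch prints on each
replica, flag entries with a +nsuniqueid=... RDN or an nsds5ReplConflict
attribute, and report per logical DN where valid and conflict copies live.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the three servers above (suffix changed to
# dc=example,dc=com, attributes trimmed); LDIF line folding kept on purpose.
SAMPLE = {
    "server1": """\
# System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, per
 missions, pbac, example.com
dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
 f-f9294e47,cn=permissions,cn=pbac,dc=example,dc=com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=example,dc=com
nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile,cn=per
 missions,cn=pbac,dc=example,dc=com
""",
    "server2": """\
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=example,dc=
 com
member: cn=CA Administrator,cn=privileges,cn=pbac,dc=example,dc=com

dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895
 f-f9294e47,cn=permissions,cn=pbac,dc=example,dc=com
nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=per
 missions,cn=pbac,dc=example,dc=com
""",
    "server3": """\
dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=example,dc=
 com
member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=
 privileges,cn=pbac,dc=example,dc=com
""",
}

CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

def parse_ldif(text):
    """Entries ({lowercased attr: [values]}) from ldapsearch output: folded
    lines (leading space) are joined and '#' comment lines dropped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:  # the sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(dict(current))
            current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    return entries

def is_conflict(entry):
    """The losing entry gets nsds5ReplConflict and a +nsuniqueid=... RDN."""
    return "nsds5replconflict" in entry or bool(CONFLICT_RDN.search(entry["dn"][0]))

def logical_dn(dn):
    """Drop the +nsuniqueid component and lowercase, so the valid and the
    conflict copy of one entry share a key (one server above lowercases it)."""
    return CONFLICT_RDN.sub("", dn).lower()

def conflict_report(outputs):
    """outputs: {server: ldapsearch text}.  Per logical DN: servers with a
    valid copy, servers with a conflict copy, and (server, member) pairs
    where a valid entry still references a conflict copy."""
    report = defaultdict(lambda: {"valid": [], "conflict": [], "dangling_members": []})
    for server, text in outputs.items():
        for entry in parse_ldif(text):
            key = logical_dn(entry["dn"][0])
            if is_conflict(entry):
                report[key]["conflict"].append(server)
                continue
            report[key]["valid"].append(server)
            for member in entry.get("member", []):
                if CONFLICT_RDN.search(member):
                    report[key]["dangling_members"].append((server, member))
    return dict(report)

def servers_without_valid(report, outputs):
    """Per conflicting logical DN, the servers holding no valid copy at all."""
    return {key: [s for s in outputs if s not in info["valid"]]
            for key, info in report.items() if info["conflict"]}
```

Feed `conflict_report()` a dict mapping each server name to the saved output of the ldapsearch command above; for the sample it reports a valid copy on server2 and server3, a conflict copy on server1 and server2, no valid copy at all on server1, and a valid entry on server3 whose `member` still points at the conflict copy of the privilege entry.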
-John

From mbasti at redhat.com Thu Oct 13 20:57:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 13 Oct 2016 22:57:48 +0200
Subject: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors
In-Reply-To: <8A55E6003C19B34498C07A259B643BA901086B16@mbx032-e1-va-6.exch032.serverpod.net>
References: <8A55E6003C19B34498C07A259B643BA901085418@mbx032-e1-va-6.exch032.serverpod.net> <1d480805-5cfd-6f8f-395d-f562e427fe08@redhat.com> <8A55E6003C19B34498C07A259B643BA901085932@mbx032-e1-va-6.exch032.serverpod.net> <2f167792-c27d-884a-49b6-546194251ccb@redhat.com> <8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net> <92ed5b0e-84d9-65c4-6364-afa578191448@redhat.com> <8A55E6003C19B34498C07A259B643BA901085A98@mbx032-e1-va-6.exch032.serverpod.net> <20161011194409.466mqip5224rontc@redhat.com> <8A55E6003C19B34498C07A259B643BA901085CF7@mbx032-e1-va-6.exch032.serverpod.net> <738ef5d0-be03-125e-2b19-3fd93ff359c7@redhat.com> <8A55E6003C19B34498C07A259B643BA90108635B@mbx032-e1-va-6.exch032.serverpod.net> <8A55E6003C19B34498C07A259B643BA901086787@mbx032-e1-va-6.exch032.serverpod.net> <23df9603-1f89-5050-8e05-ceb3525049d7@redhat.com> <8A55E6003C19B34498C07A259B643BA901086B16@mbx032-e1-va-6.exch032.serverpod.net>
Message-ID:

On 13.10.2016 22:23, John Popowitch wrote:
> Ok, so I'm looking at fixing the conflicts for 'System: Modify Certificate Profile'.
> I ran this on each server:
> ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "cn=*Modify Certificate Profile*" \* nsds5ReplConflict
>
> And now to make things interesting, this query has different results on each server.
>
> Server #1:
> # System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, permissions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
> nsds5ReplConflict: namingConflict cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
>
> Server #2:
> # System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> member: cn=CA Administrator,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
>
> # System: Modify Certificate Profile + c93bf284-a32311e5-b492895f-f9294e47, permissions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile+nsuniqueid=c93bf284-a32311e5-b492895f-f9294e47,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
> nsds5ReplConflict: namingConflict cn=system: modify certificate profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
>
> Server #3:
> # System: Modify Certificate Profile, permissions, pbac, aws.cappex.com
> dn: cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=aws,dc=cappex,dc=com
> member: cn=CA Administrator+nsuniqueid=c93bf230-a32311e5-b492895f-f9294e47,cn=privileges,cn=pbac,dc=aws,dc=cappex,dc=com
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermRight: write
> ipaPermBindRuleType: permission
> ipaPermissionType: V2
> ipaPermissionType: MANAGED
> ipaPermissionType: SYSTEM
> cn: System: Modify Certificate Profile
> objectClass: ipapermission
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermissionv2
> ipaPermDefaultAttr: description
> ipaPermDefaultAttr: ipacertprofilestoreissued
> ipaPermDefaultAttr: cn
> ipaPermLocation: cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com
>
> I realize that this is a horrible state of replication.
> My question is, what happens if I modify or delete an entry on one server that doesn't exist on another?
> Thanks.
> -John
>

You can remove them on all servers because it is replicated, so the correct one (which you choose) will be replicated everywhere. IIRC the conflicting entries are not replicated, they have just local validity, so you must remove those conflict marks (see the dirsrv docs I posted) and then it will be replicated.

Probably you can remove all System: permissions which have a replication conflict; ipa-server-upgrade will recreate those entries. However, you must fix the "privilege" entries manually (like CA Administrator).

Please fix all conflicts before running ipa-server-upgrade, otherwise it may fail randomly.

Martin

From jacquelin.charbonnel at univ-angers.fr Thu Oct 13 22:41:23 2016
From: jacquelin.charbonnel at univ-angers.fr (Jacquelin Charbonnel)
Date: Fri, 14 Oct 2016 00:41:23 +0200
Subject: [Freeipa-users] diskless workstations in an IPA domain
In-Reply-To: <20161013183346.lma47povg2tde6dw@hendrix>
References: <7031a9b1-b0c6-5f9a-77e2-9c64d2b0769d@univ-angers.fr> <20161013183346.lma47povg2tde6dw@hendrix>
Message-ID: <9b2c063d-4300-99f1-1f82-b1c504cf31d0@univ-angers.fr>

Thank you for this information. Yes, /tmp is writable.

My problem is: access is sometimes definitively refused for a random user who wants to log in to the diskless workstations.
But if this banned user tries to connect to the single machine which mounts the fs in rw mode, it works, and this immediately solves the problem on all the other stateless machines!? Strange...

On 13/10/2016 at 20:33, Jakub Hrozek wrote:
> On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote:
>> Hi everybody,
>>
>> What is the best practice to enroll diskless Fedora24 workstations (under
>> stateless Linux) into a IPA domain ?
>> Each diskless workstation mounts its filesystem in RO mode from a single
>> NFS share, with some specific directories (like /var/lib/sss) mapped RW in
>> RAM.
>
> I can't speak for other components, but /var/lib/sss/ is the only
> directory sssd writes to (except tmpfiles, but I guess /tmp would also
> be a writable fs?)
>

-- 
Jacquelin Charbonnel - (+33)2 4173 5397
CNRS Mathrice/LAREMA - Campus universitaire d'Angers

From jhrozek at redhat.com Fri Oct 14 07:38:20 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Oct 2016 09:38:20 +0200
Subject: [Freeipa-users] diskless workstations in an IPA domain
In-Reply-To: <9b2c063d-4300-99f1-1f82-b1c504cf31d0@univ-angers.fr>
References: <7031a9b1-b0c6-5f9a-77e2-9c64d2b0769d@univ-angers.fr> <20161013183346.lma47povg2tde6dw@hendrix> <9b2c063d-4300-99f1-1f82-b1c504cf31d0@univ-angers.fr>
Message-ID: <20161014073820.mlkidtgsaangjlnu@hendrix>

On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> Thank you for this information. Yes, /tmp is writable.
>
> My problem is: access is sometimes definitively refused for a random user
> who wants to log in to the diskless workstations.
> But if this banned user tries to connect to the single machine which mounts
> the fs in rw mode, it works, and this immediately solves the problem on all
> the other stateless machines!? Strange...

I'm sorry, but without some logs from journald or syslog or sssd, I don't know what to advise. I just know that at least in the past there were people running SSSD on diskless nodes, because we still have a rwtab file in the sssd tree and it contains just a single line:

dirs @sharedstatedir@/sss

(@sharedstatedir@ is an autoconf macro which normally expands to /var/lib.)

From sbose at redhat.com Fri Oct 14 07:44:11 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 14 Oct 2016 09:44:11 +0200
Subject: [Freeipa-users] diskless workstations in an IPA domain
In-Reply-To: <9b2c063d-4300-99f1-1f82-b1c504cf31d0@univ-angers.fr>
References: <7031a9b1-b0c6-5f9a-77e2-9c64d2b0769d@univ-angers.fr> <20161013183346.lma47povg2tde6dw@hendrix> <9b2c063d-4300-99f1-1f82-b1c504cf31d0@univ-angers.fr>
Message-ID: <20161014074411.GI4864@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> Thank you for this information. Yes, /tmp is writable.
>
> My problem is: access is sometimes definitively refused for a random user
> who wants to log in to the diskless workstations.
> But if this banned user tries to connect to the single machine which mounts
> the fs in rw mode, it works, and this immediately solves the problem on all
> the other stateless machines!? Strange...

Maybe it is the selinux_provider; IIRC at least in older versions it used to write some data somewhere below /etc/selinux/. You can easily test this by setting 'selinux_provider = none' in the domain section in sssd.conf.

HTH

bye,
Sumit

>
> On 13/10/2016 at 20:33, Jakub Hrozek wrote:
> > On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote:
> > > Hi everybody,
> > >
> > > What is the best practice to enroll diskless Fedora24 workstations (under
> > > stateless Linux) into a IPA domain ?
> > > Each diskless workstation mounts its filesystem in RO mode from a single
> > > NFS share, with some specific directories (like /var/lib/sss) mapped RW in
> > > RAM.
> >
> > I can't speak for other components, but /var/lib/sss/ is the only
> > directory sssd writes to (except tmpfiles, but I guess /tmp would also
> > be a writable fs?)
> >
>
> --
> Jacquelin Charbonnel - (+33)2 4173 5397
> CNRS Mathrice/LAREMA - Campus universitaire d'Angers
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From mkosek at redhat.com Fri Oct 14 07:58:11 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 14 Oct 2016 09:58:11 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.4.2
In-Reply-To: <35f41ae2-9596-3b20-cf0c-35e5f34e1ad8@redhat.com>
References: <35f41ae2-9596-3b20-cf0c-35e5f34e1ad8@redhat.com>
Message-ID:

On 10/13/2016 09:17 PM, Petr Vobornik wrote:
> The FreeIPA team would like to announce FreeIPA 4.4.2 release!
>
> It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
> for Fedora 24 will be available in the official COPR repository
> .
>
> This announcement is also available on
> http://www.freeipa.org/page/Releases/4.4.2
>
> Fedora 25 update:
> https://bodhi.fedoraproject.org/updates/freeipa-4.4.2-1.fc25

Please note that the FreeIPA Public demo was also upgraded to the version 4.4.2, if you want to try it out!
Demo location: https://ipa.demo1.freeipa.org/ipa/ui/

The selected new features that may be best exhibited in the FreeIPA Web UI:

* Improved Topology Management:
  - IPA Server -> Topology -> Graph
  - https://ipa.demo1.freeipa.org/ipa/ui/#/p/topology-graph

* Added Overview of IPA server roles:
  - IPA Server -> Topology -> Server Roles
  - https://ipa.demo1.freeipa.org/ipa/ui/#/e/server_role/search
  - You can click on a role
  - You can also see roles of a server:
    - https://ipa.demo1.freeipa.org/ipa/ui/#/e/server/details/ipa.demo1.freeipa.org

* Added DNS Location Mechanism:
  - IPA Server -> Topology -> IPA Locations
  - You can add a location
  - In the location details, you can add the servers to it (you can only test the UI, as changing the location of an IPA server requires a DNS server restart)

* Added support for Sub-CAs
  - Open Authentication -> Certificate Authorities
  - Add a new CA Authority, with a subject like "CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG"
  - Set an ACL for the authority in "CA ACLs" so that Admin can use this CA
  - Generate a new certificate:
    - Open for example a test Service
    - Click Options -> New Certificate
    - Follow the steps (and use the new Sub-CA). I typed these options to get the CSR:
      - cd /tmp/
      - mkdir test
      - cd test/
      - certutil -N -d .
      - certutil -R -d . -a -g 2048 -s 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 'ipa.demo1.freeipa.org'
    - Paste the CSR blob to FreeIPA, it should pass
    - It will show that the Issuer is "CN = Certificate Authority,O = VPN,O = DEMO1.FREEIPA.ORG", i.e. our new Sub-CA

Enjoy!
Martin

From jhrozek at redhat.com Fri Oct 14 08:02:20 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Oct 2016 10:02:20 +0200
Subject: [Freeipa-users] diskless workstations in an IPA domain
In-Reply-To: <20161014074411.GI4864@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <7031a9b1-b0c6-5f9a-77e2-9c64d2b0769d@univ-angers.fr> <20161013183346.lma47povg2tde6dw@hendrix> <9b2c063d-4300-99f1-1f82-b1c504cf31d0@univ-angers.fr> <20161014074411.GI4864@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20161014080220.niriyjmrhvu3xqil@hendrix>

On Fri, Oct 14, 2016 at 09:44:11AM +0200, Sumit Bose wrote:
> On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> > Thank you for this information. Yes, /tmp is writable.
> >
> > My problem is: access is sometimes definitively refused for a random user
> > who wants to log in to the diskless workstations.
> > But if this banned user tries to connect to the single machine which mounts
> > the fs in rw mode, it works, and this immediately solves the problem on all
> > the other stateless machines!? Strange...
>
> Maybe it is the selinux_provider; IIRC at least in older versions it used
> to write some data somewhere below /etc/selinux/. You can easily test
> this by setting 'selinux_provider = none' in the domain section in
> sssd.conf.

Aah, that's probably it. We no longer write to the directory directly, but we call libsemanage functions that do.

From coy.hile at coyhile.com Fri Oct 14 13:29:47 2016
From: coy.hile at coyhile.com (Coy Hile)
Date: Fri, 14 Oct 2016 13:29:47 +0000
Subject: [Freeipa-users] Announcing FreeIPA 4.4.2
Message-ID: <20161014132947.Horde.4NfsuN0bgi5bFzQStD0NQ1i@webmail-new.coyhile.com>

Will there be builds in a COPR for RHEL/CentOS 7?

Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone

-------- Original message --------
From: Martin Kosek
Date: 10/14/16 3:58 AM (GMT-05:00)
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Announcing FreeIPA 4.4.2

> On 10/13/2016 09:17 PM, Petr Vobornik wrote:
>> The FreeIPA team would like to announce FreeIPA 4.4.2 release!
>>
>> It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
>> for Fedora 24 will be available in the official COPR repository
>> .
>>
>> This announcement is also available on
>> http://www.freeipa.org/page/Releases/4.4.2
>>
>> Fedora 25 update:
>> https://bodhi.fedoraproject.org/updates/freeipa-4.4.2-1.fc25
>
> Please note that the FreeIPA Public demo was also upgraded to the version
> 4.4.2, if you want to try it out!
>
> Demo location: https://ipa.demo1.freeipa.org/ipa/ui/
>
> The selected new features that may be best exhibited in the FreeIPA Web UI:
>
> * Improved Topology Management:
>   - IPA Server -> Topology -> Graph
>   - https://ipa.demo1.freeipa.org/ipa/ui/#/p/topology-graph
>
> * Added Overview of IPA server roles:
>   - IPA Server -> Topology -> Server Roles
>   - https://ipa.demo1.freeipa.org/ipa/ui/#/e/server_role/search
>   - You can click on a role
>   - You can also see roles of a server:
>     - https://ipa.demo1.freeipa.org/ipa/ui/#/e/server/details/ipa.demo1.freeipa.org
>
> * Added DNS Location Mechanism:
>   - IPA Server -> Topology -> IPA Locations
>   - You can add a location
>   - In the location details, you can add the servers to it (you can only test
>     UI as changing a location of IPA server requires DNS server restart)
>
> * Added support for Sub-CAs
>   - Open Authentication -> Certificate Authorities
>   - Add new CA Authority, with subject like "CN=Certificate
>     Authority,O=VPN,O=DEMO1.FREEIPA.ORG"
>   - Set ACL for authority in "CA ACLs" so that Admin can use this CA
>   - Generate new certificate:
>     - Open for example a test Service
>     - Click Options -> New Certificate
>     - Follow the steps (and use the new Sub-CA). I typed these options to get
>       the CSR:
>       - cd /tmp/
>       - mkdir test
>       - cd test/
>       - certutil -N -d .
>       - certutil -R -d . -a -g 2048 -s
>         'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8
>         'ipa.demo1.freeipa.org'
>     - Paste the CSR blob to FreeIPA, it should pass
>     - It will show that Issuer is "CN = Certificate Authority,O = VPN,O =
>       DEMO1.FREEIPA.ORG", i.e. our new Sub-CA
>
> Enjoy!
> Martin
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From michael at sykosoft.com Fri Oct 14 14:17:53 2016
From: michael at sykosoft.com (Michael S. Moody)
Date: Fri, 14 Oct 2016 10:17:53 -0400
Subject: [Freeipa-users] Hourly messages in error log
Message-ID:

We're seeing the following messages in the error log:

[11/Oct/2016:16:23:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed.
[11/Oct/2016:16:23:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed.
[11/Oct/2016:16:23:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed.
[11/Oct/2016:16:23:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed.
[11/Oct/2016:16:23:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed.
[11/Oct/2016:16:23:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed.
[11/Oct/2016:16:38:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed.
[11/Oct/2016:16:38:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:38:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:38:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:38:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:38:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:53:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:53:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:53:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:53:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:53:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:16:53:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:00:00 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:00:00 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. 
[11/Oct/2016:17:00:00 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:00:03 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:00:03 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:00:03 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:08:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:08:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:08:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:08:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:08:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:08:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:23:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:23:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:23:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. 
[11/Oct/2016:17:23:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:23:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:23:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:38:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:38:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:38:30 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:38:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:38:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:38:31 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap:// ipa1.eu-west-1.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:53:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:53:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. [11/Oct/2016:17:53:29 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.west-2.production.example.com:389/o%3Dipaca) failed. 
I'm wondering if it is at all related to this:

[michael.moody@ipa1 ~]$ ldapsearch -ZZ -h ipa1.west-2.production.example.com -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
Enter LDAP Password:
nsDS5ReplicaId: 96
nsds50ruv: {replicageneration} 56941682000000600000
nsds50ruv: {replica 96 ldap://ipa1.west-2.production.example.com:389} 5694168b
nsds50ruv: {replica 76 ldap://ipa1.eu-west-1.production.example.com:389} 57d8a
nsds50ruv: {replica 81 ldap://ipa1.eu-west-1.production.example.com:389} 57d33
nsds50ruv: {replica 86 ldap://ipa2.west-2.production.example.com:389} 5696e792
nsds50ruv: {replica 91 ldap://ipa2.west-2.production.example.com:389} 56941bab
nsds50ruv: {replica 97 ldap://ipa2.west-2.production.example.com:389} 569416ae

[michael.moody@ipa1 ~]$ ldapsearch -ZZ -h ipa2.west-2.production.example.com -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
Enter LDAP Password:
nsDS5ReplicaId: 86
nsds50ruv: {replicageneration} 56941682000000600000
nsds50ruv: {replica 86 ldap://ipa2.west-2.production.example.com:389} 5696e792
nsds50ruv: {replica 96 ldap://ipa1.west-2.production.example.com:389} 5694168b
nsds50ruv: {replica 91 ldap://ipa2.west-2.production.example.com:389} 56941bab
nsds50ruv: {replica 97 ldap://ipa2.west-2.production.example.com:389} 569416ae
nsds50ruv: {replica 81 ldap://ipa1.eu-west-1.production.example.com:389} 57d33
nsds50ruv: {replica 76 ldap://ipa1.eu-west-1.production.example.com:389} 57d8a

[michael.moody@ipa1 ~]$ ldapsearch -ZZ -h ipa1.eu-west-1.production.example.com -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
Enter LDAP Password:
nsDS5ReplicaId: 76
nsds50ruv: {replicageneration} 56941682000000600000
nsds50ruv: {replica 76 ldap://ipa1.eu-west-1.production.example.com:389} 57d8a
nsds50ruv: {replica 96 ldap://ipa1.west-2.production.example.com:389} 5694168b
nsds50ruv: {replica 81 ldap://ipa1.eu-west-1.production.example.com:389} 57d33
nsds50ruv: {replica 86 ldap://ipa2.west-2.production.example.com:389} 5696e792
nsds50ruv: {replica 91 ldap://ipa2.west-2.production.example.com:389} 56941bab
nsds50ruv: {replica 97 ldap://ipa2.west-2.production.example.com:389} 569416ae

Any pointers would be greatly appreciated.

Thanks,
Michael

From deepak_dimri at hotmail.com Fri Oct 14 16:58:52 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Fri, 14 Oct 2016 16:58:52 +0000
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
Message-ID:

Hi All,

I am trying to configure replication between two FreeIPA CentOS 7 servers. As per the document I need the same FreeIPA version running on both machines, which I have, and then run ipa-replica-prepare on the master and simply run ipa-replica-install on the replica server along with the replica file. But I am unable to get past the below error message:

[root@ip-172-31-23-230 ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client is already configured on this system.
Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.

What should I be doing to get around this error?
The error looks misleading, as I am trying to install a replica and not an IPA client.

Thanks,
Deepak

From lslebodn at redhat.com Fri Oct 14 19:36:36 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 14 Oct 2016 21:36:36 +0200
Subject: [Freeipa-users] 2FA using FreeIPA
In-Reply-To:
References: <20160916084326.GA10405@10.4.128.1>
Message-ID: <20161014193635.GA5384@10.4.128.1>

On (21/09/16 08:49), Deepak Dimri wrote:
> hi LS,
> I am using IPA Server - VERSION: 4.2.0, API_VERSION: 2.156
> sssd version on my IPA server: 1.13.0
> sssd version on my IPA client (ubuntu): 1.11.8
> I have a new "testhip2user" created in IPA Server with 2FA enabled. My /etc/ssh/sshd_config has this entry

Could you try with a newer version of sssd on the client (ubuntu 16.04)?
It is possible that libkrb5 (MIT) is too old and does not support OTP.

LS

From lslebodn at redhat.com Fri Oct 14 19:46:10 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 14 Oct 2016 21:46:10 +0200
Subject: [Freeipa-users] sss / nsswitch
In-Reply-To:
References: <20160913070354.GE32073@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160913083917.GF32073@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160913130716.GL6703@10.4.128.1> <20160923082710.GA10982@10.4.128.1>
Message-ID: <20161014194609.GB5384@10.4.128.1>

On (23/09/16 10:31), Rob Verduijn wrote:
> 2016-09-23 10:27 GMT+02:00 Lukas Slebodnik:
>
>> On (13/09/16 16:18), Rob Verduijn wrote:
>>> 2016-09-13 15:07 GMT+02:00 Lukas Slebodnik:
>>>
>>>> On (13/09/16 10:39), Sumit Bose wrote:
>>>>> On Tue, Sep 13, 2016 at 10:13:12AM +0200, Rob Verduijn wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Thanks, that did it.
>>>>>>
>>>>>> Is there a less painful way to be notified of these changes?
>>>>>>
>>>>>> My nfs configuration gets broken much more than I like because of changes like these.
>>>>>> I know fedora is supposed to be the testing ground for unstable software, but I would really like to hear a heads up more often.
>>>>>
>>>>> The change was mentioned in the upstream release notes of SSSD-1.14.1
>>>>> https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 but of course I
>>>>> cannot be expected to read all upstream release notes before running 'dnf update'.
>>>>>
>>>>> The change was necessary because before the plugin was in the sssd-common package and this caused some nfs dependencies to be pulled in even on systems where nfs is not needed at all. Since neither SSSD nor nfs-idmap strictly require the plugin, the new package is not automatically installed during update.
>>>>
>>>> Sorry for the trouble. We can add weak dependency info to sssd-common on sssd-nfs-idmap and it might be installed by default.
>>>> IIRC dnf does not inform about suggested packages; but recommends might work. Feel free to file a BZ.
>>>>
>>>> The reason why it is in a separate package is the "container world".
>>>> You need to have the package sssd-nfs-idmap installed on the host, but sssd can be running in a container.
>>>>
>>>> LS
>>>
>>> I probably should've noticed that the version number went from 1.13.x to 1.14.x which usually is something noteworthy.
>>> I'll just add the release notes from sssd to my list of must reads when there is an update.
>>
>> The package sssd-nfs-idmap should be installed with sssd-1.14.1-3
>> It needn't be due to weak dependencies. But recommended packages are installed by default with dnf.
>>
>> rpm -q --recommends sssd-common-1.14.1-3
>> libsss_autofs(x86-64) = 1.14.1-3.fc24
>> libsss_sudo = 1.14.1-3.fc24
>> sssd-nfs-idmap = 1.14.1-3.fc24
>>
>> LS
>
> Does this also apply when you run dnf update?

[root@38f0074bee78 /]# rpm -q sssd
sssd-1.13.4-3.fc24.x86_64
[root@38f0074bee78 /]# ls -l /usr/lib64/libnfsidmap/sss.so
-rwxr-xr-x. 1 root root 32232 May 13 09:42 /usr/lib64/libnfsidmap/sss.so
[root@38f0074bee78 /]# dnf update sssd
Last metadata expiration check: 0:13:13 ago on Fri Oct 14 19:28:24 2016.
Dependencies resolved.
================================================================================
 Package              Arch    Version          Repository  Size
================================================================================
Installing:
 adcli                x86_64  0.8.0-2.fc24     fedora      93 k
 http-parser          x86_64  2.7.1-2.fc24     updates     34 k
 jansson              x86_64  2.9-1.fc24       updates     40 k
 sssd-nfs-idmap       x86_64  1.14.1-3.fc24    updates     69 k
Upgrading:
 libini_config        x86_64  1.3.0-29.fc24    updates     66 k
 libipa_hbac          x86_64  1.14.1-3.fc24    updates     76 k
 libsss_idmap         x86_64  1.14.1-3.fc24    updates     80 k
 python3-sssdconfig   noarch  1.14.1-3.fc24    updates    102 k
 sssd                 x86_64  1.14.1-3.fc24    updates     68 k
 sssd-ad              x86_64  1.14.1-3.fc24    updates    188 k
 sssd-client          x86_64  1.14.1-3.fc24    updates    132 k
 sssd-common          x86_64  1.14.1-3.fc24    updates    1.2 M
 sssd-common-pac      x86_64  1.14.1-3.fc24    updates    113 k
 sssd-ipa             x86_64  1.14.1-3.fc24    updates    260 k
 sssd-krb5            x86_64  1.14.1-3.fc24    updates    107 k
 sssd-krb5-common     x86_64  1.14.1-3.fc24    updates    135 k
 sssd-ldap            x86_64  1.14.1-3.fc24    updates    174 k
 sssd-proxy           x86_64  1.14.1-3.fc24    updates    102 k

Transaction Summary
================================================================================
Install  4 Packages
Upgrade 14 Packages

Total download size: 3.0 M
Is this ok [y/N]: N
Operation aborted.

[root@38f0074bee78 /]# dnf update --best --setopt=install_weak_deps=false sssd
Last metadata expiration check: 0:15:34 ago on Fri Oct 14 19:28:24 2016.
Dependencies resolved.
================================================================================
 Package              Arch    Version          Repository  Size
================================================================================
Installing:
 http-parser          x86_64  2.7.1-2.fc24     updates     34 k
 jansson              x86_64  2.9-1.fc24       updates     40 k
Upgrading:
 libini_config        x86_64  1.3.0-29.fc24    updates     66 k
 libipa_hbac          x86_64  1.14.1-3.fc24    updates     76 k
 libsss_idmap         x86_64  1.14.1-3.fc24    updates     80 k
 python3-sssdconfig   noarch  1.14.1-3.fc24    updates    102 k
 sssd                 x86_64  1.14.1-3.fc24    updates     68 k
 sssd-ad              x86_64  1.14.1-3.fc24    updates    188 k
 sssd-client          x86_64  1.14.1-3.fc24    updates    132 k
 sssd-common          x86_64  1.14.1-3.fc24    updates    1.2 M
 sssd-common-pac      x86_64  1.14.1-3.fc24    updates    113 k
 sssd-ipa             x86_64  1.14.1-3.fc24    updates    260 k
 sssd-krb5            x86_64  1.14.1-3.fc24    updates    107 k
 sssd-krb5-common     x86_64  1.14.1-3.fc24    updates    135 k
 sssd-ldap            x86_64  1.14.1-3.fc24    updates    174 k
 sssd-proxy           x86_64  1.14.1-3.fc24    updates    102 k

Transaction Summary
================================================================================
Install  2 Packages
Upgrade 14 Packages

Total download size: 2.8 M
Is this ok [y/N]: N
Operation aborted.

And you might see that weak dependencies are not installed without "--best" either.

[root@38f0074bee78 /]# dnf update --setopt=install_weak_deps=false sssd
Last metadata expiration check: 0:16:54 ago on Fri Oct 14 19:28:24 2016.
Dependencies resolved.
================================================================================
 Package              Arch    Version          Repository  Size
================================================================================
Installing:
 http-parser          x86_64  2.7.1-2.fc24     updates     34 k
 jansson              x86_64  2.9-1.fc24       updates     40 k
Upgrading:
 libini_config        x86_64  1.3.0-29.fc24    updates     66 k
 libipa_hbac          x86_64  1.14.1-3.fc24    updates     76 k
 libsss_idmap         x86_64  1.14.1-3.fc24    updates     80 k
 python3-sssdconfig   noarch  1.14.1-3.fc24    updates    102 k
 sssd                 x86_64  1.14.1-3.fc24    updates     68 k
 sssd-ad              x86_64  1.14.1-3.fc24    updates    188 k
 sssd-client          x86_64  1.14.1-3.fc24    updates    132 k
 sssd-common          x86_64  1.14.1-3.fc24    updates    1.2 M
 sssd-common-pac      x86_64  1.14.1-3.fc24    updates    113 k
 sssd-ipa             x86_64  1.14.1-3.fc24    updates    260 k
 sssd-krb5            x86_64  1.14.1-3.fc24    updates    107 k
 sssd-krb5-common     x86_64  1.14.1-3.fc24    updates    135 k
 sssd-ldap            x86_64  1.14.1-3.fc24    updates    174 k
 sssd-proxy           x86_64  1.14.1-3.fc24    updates    102 k
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 adcli                x86_64  0.8.0-2.fc24     fedora      93 k
 sssd-nfs-idmap       x86_64  1.14.1-3.fc24    updates     69 k

Transaction Summary
================================================================================
Install  2 Packages
Upgrade 14 Packages
Skip     2 Packages

Total download size: 2.8 M
Is this ok [y/N]: N
Operation aborted.

LS

From mbasti at redhat.com Sat Oct 15 08:54:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Sat, 15 Oct 2016 10:54:56 +0200
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
In-Reply-To:
References:
Message-ID:

On 14.10.2016 18:58, Deepak Dimri wrote:
> Hi All,
>
> I am trying to configure replication between two FreeIPA CentOS 7 servers. As per the document I need the same FreeIPA version running on both machines, which I have, and then run ipa-replica-prepare on the master and simply run ipa-replica-install on the replica server along with the replica file.
> But I am unable to get past the below error message:
>
> [root@ip-172-31-23-230 ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
> ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client is already configured on this system.
> Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.
>
> What should I be doing to get around this error? The error looks misleading, as I am trying to install a replica and not an IPA client.
>
> Thanks,
> Deepak

Hi,

have you tried ipa-client-install --uninstall?

A replica cannot be installed on a system where the client is already installed (with domain level 0, your case).

Martin

From deepak_dimri at hotmail.com Sat Oct 15 10:41:30 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Sat, 15 Oct 2016 10:41:30 +0000
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
In-Reply-To:
References:
Message-ID:

Thanks Martin for the reply.

When I try 'ipa-client-install --uninstall' I get the message below:

ipa-client-install --uninstall
IPA client is configured as a part of IPA server on this system.
Refer to ipa-server-install for uninstallation.

How can I raise the domain level to 1 in v4? I tried

ipa domainlevel-set 1

but I am getting: ipa: ERROR: unknown command 'domainlevel-set'

Thanks again for your help on this.

Best Regards,
Deepak

From tjaalton at ubuntu.com Sat Oct 15 19:39:41 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Sat, 15 Oct 2016 22:39:41 +0300
Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1
In-Reply-To: <83h98dpftq.fsf@echidna.jochen.org>
References: <57192380.4090400@ubuntu.com> <83h98dpftq.fsf@echidna.jochen.org>
Message-ID:

On 15.10.2016 22:33, Jochen Hein wrote:
> Timo Aaltonen writes:
>
>> Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
>
> Thanks for your work on packaging FreeIPA for Ubuntu (and Debian). I've just updated my laptop to Ubuntu 16.10, and now the freeipa packages are "orphaned", because these packages seem to be missing from yakkety. Is there a reason for this? I didn't see a bug report for it.
>
> I guess for an already enrolled client an actual package for sssd and kerberos will be ok, but freeipa for new clients would be fine.
>
> BTW, most of my servers run Debian - freeipa packages would be most welcome.
> Right now I use older packages to enroll Debian hosts.

Looks like it was due to a misunderstanding.. it got removed from Debian first (because new uploads were getting blocked due to minified javascript not being actual source), then added back and synced to yakkety, but again removed from there for the same reason it got removed from Debian.. I'll check if it can be added back.

-- 
t

From jochen at jochen.org Sat Oct 15 19:33:53 2016
From: jochen at jochen.org (Jochen Hein)
Date: Sat, 15 Oct 2016 21:33:53 +0200
Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1
In-Reply-To: <57192380.4090400@ubuntu.com> (Timo Aaltonen's message of "Thu, 21 Apr 2016 22:01:20 +0300")
References: <57192380.4090400@ubuntu.com>
Message-ID: <83h98dpftq.fsf@echidna.jochen.org>

Timo Aaltonen writes:

> Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!

Thanks for your work on packaging FreeIPA for Ubuntu (and Debian). I've just updated my laptop to Ubuntu 16.10, and now the freeipa packages are "orphaned", because these packages seem to be missing from yakkety. Is there a reason for this? I didn't see a bug report for it.

I guess for an already enrolled client an actual package for sssd and kerberos will be ok, but freeipa for new clients would be fine.

BTW, most of my servers run Debian - freeipa packages would be most welcome. Right now I use older packages to enroll Debian hosts.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.

From jochen at jochen.org Sun Oct 16 05:00:39 2016
From: jochen at jochen.org (Jochen Hein)
Date: Sun, 16 Oct 2016 07:00:39 +0200
Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1
In-Reply-To: (Timo Aaltonen's message of "Sat, 15 Oct 2016 22:39:41 +0300")
References: <57192380.4090400@ubuntu.com> <83h98dpftq.fsf@echidna.jochen.org>
Message-ID: <83d1j0q45k.fsf@echidna.jochen.org>

Timo Aaltonen writes:

> On 15.10.2016 22:33, Jochen Hein wrote:
>> Timo Aaltonen writes:
>>
>>> Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
>>
>> Thanks for your work on packaging FreeIPA for Ubuntu (and Debian). I've just updated my laptop to Ubuntu 16.10, and now the freeipa packages are "orphaned", because these packages seem to be missing from yakkety. Is there a reason for this? I didn't see a bug report for it.
>
> Looks like it was due to a misunderstanding.. it got removed from Debian first (because new uploads were getting blocked due to minified javascript not being actual source), then added back and synced to yakkety, but again removed from there for the same reason it got removed from Debian..

That's what I've feared.

> I'll check if it can be added back.

Thanks for looking into it.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.

From gjn at gjn.priv.at Sun Oct 16 10:22:52 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sun, 16 Oct 2016 12:22:52 +0200
Subject: [Freeipa-users] Best and Secure Way for a System Account
Message-ID: <12955976.8G96f2fpOL@techz>

Hello,

IPA 4.3.1

I have a big problem with my LDAP read user (ldapbind). I would like to install dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin for this, but now I can't read this attribute :-(.
Is this the actual way to implement a System Account?

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

https://www.freeipa.org/page/HowTo/LDAP#System_Accounts

The IPA docs have no time stamp, so I cannot find out whether this is current or old :-(.

Thanks for an answer,
-- 
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer

From zhenglei at kylinos.cn Mon Oct 17 00:44:13 2016
From: zhenglei at kylinos.cn (郑磊)
Date: Mon, 17 Oct 2016 08:44:13 +0800
Subject: [Freeipa-users] help
Message-ID:

Hello everyone,

I'm using FreeIPA, and am testing and researching its functions. At the same time, I have done a Chinese translation of the web interface and also added my own function module to the web interface. However, I don't know how to interact with the community about these changes; please help me. Thank you very much!

From mbabinsk at redhat.com Mon Oct 17 05:29:15 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 17 Oct 2016 07:29:15 +0200
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
In-Reply-To:
References:
Message-ID: <22363f8f-60da-030d-6656-cc9f32d42713@redhat.com>

On 10/15/2016 12:41 PM, Deepak Dimri wrote:
> Thanks Martin for the reply.
>
> When I try 'ipa-client-install --uninstall' I get the message below:
>
> ipa-client-install --uninstall
> IPA client is configured as a part of IPA server on this system.
> Refer to ipa-server-install for uninstallation.
>
> How can I raise the domain level to 1 in v4? I tried
>
> ipa *domainlevel-set* 1
>
> but I am getting: ipa: ERROR: unknown command 'domainlevel-set'
>
> Thanks again for your help on this.
> Best Regards,
> Deepak

Hi Deepak,

IIRC CentOS 7 has FreeIPA 4.2.0-15, which does not support replica promotion and domain levels other than 0.

The error from ipa-replica-install probably comes from leftovers of a previous client enrollment. Just run `ipa-client-install --uninstall -U` and then re-run the replica installation as usual.

-- 
Martin^3 Babinsky

From mbabinsk at redhat.com Mon Oct 17 05:35:26 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 17 Oct 2016 07:35:26 +0200
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To: <12955976.8G96f2fpOL@techz>
References: <12955976.8G96f2fpOL@techz>
Message-ID:

On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> IPA 4.3.1
>
> I have a big problem with my LDAP read user (ldapbind). I would like to install dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin for this, but now I can't read this attribute :-(.
>
> Is this the actual way to implement a System Account?
>
> # ldapmodify -x -D 'cn=Directory Manager' -W
> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: system
> userPassword: secret123
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
>
> ^D
>
> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>
> The IPA docs have no time stamp, so I cannot find out whether this is current or old :-(.
>
> Thanks for an answer,

Hi Günther,

that LDIF looks ok to me. Do not forget that you must set up the correct ACIs in order for the system account to see the 'mailAlternateAddress' attribute.

-- 
Martin^3 Babinsky

From dkupka at redhat.com Mon Oct 17 05:39:24 2016
From: dkupka at redhat.com (David Kupka)
Date: Mon, 17 Oct 2016 07:39:24 +0200
Subject: [Freeipa-users] help
In-Reply-To:
References:
Message-ID:

On 17/10/16 02:44, 郑磊 wrote:
> Hello everyone,
> I'm using FreeIPA, and am testing and researching its functions. At the same time, I have done a Chinese translation of the web interface and also added my own function module to the web interface. However, I don't know how to interact with the community about these changes; please help me. Thank you very much!
Hello!

Do you have a problem with developing your own module? Ask on freeipa-devel at redhat.com

Is your module complete, do you think that it will be useful for a lot of FreeIPA users and want it in upstream? Create a pull request on GitHub (https://github.com/freeipa/freeipa).

Do you want to contribute the translations? Submit them via Zanata (https://fedora.zanata.org/project/view/freeipa).

HTH,
-- 
David Kupka

From mbabinsk at redhat.com Mon Oct 17 05:46:59 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 17 Oct 2016 07:46:59 +0200
Subject: [Freeipa-users] help
In-Reply-To:
References:
Message-ID:

On 10/17/2016 02:44 AM, 郑磊 wrote:
> Hello everyone,
> I'm using FreeIPA, and am testing and researching its functions. At the same time, I have done a Chinese translation of the web interface and also added my own function module to the web interface. However, I don't know how to interact with the community about these changes; please help me. Thank you very much!

That depends on what you are trying to achieve.

If you wish to contribute your translations to the upstream, you may have a look at our Zanata project page: https://fedora.zanata.org/project/view/freeipa/

We periodically push our message strings there so the community can translate them. We then pull the changes into the upstream repo. You may wish to read http://zanata.org/help/ for more information about this workflow.

If you would like to contribute your code to the upstream, make sure you read our Contribution guide: http://www.freeipa.org/page/Contribute

Otherwise feel free to ask questions on this list, we will try our best to help you out.

-- 
Martin^3 Babinsky

From zhenglei at kylinos.cn Mon Oct 17 06:09:05 2016
From: zhenglei at kylinos.cn (郑磊)
Date: Mon, 17 Oct 2016 14:09:05 +0800
Subject: [Freeipa-users] help
In-Reply-To:
References:
Message-ID:

I have set up the FreeIPA environment and added the translation and the log module. Some screenshots are as follows:

The log module mainly records the operations performed on the FreeIPA server. My question is whether this is of any use to the community or to FreeIPA users. If it is useful, I don't know how to submit it to the community and interact with somebody.

------------------
郑磊
Phone: 18684703229
Email: zhenglei at kylinos.cn

From mkosek at redhat.com Mon Oct 17 07:12:33 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 17 Oct 2016 09:12:33 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.4.2
In-Reply-To: <20161014132947.Horde.4NfsuN0bgi5bFzQStD0NQ1i@webmail-new.coyhile.com>
References: <20161014132947.Horde.4NfsuN0bgi5bFzQStD0NQ1i@webmail-new.coyhile.com>
Message-ID:

On 10/14/2016 03:29 PM, Coy Hile wrote:
> Will there be builds in a COPR for rhel/centos 7?
I would recommend waiting on RHEL-7.3, which should be released soon enough. RHEL-7.3 contains an IdM/FreeIPA version that is very close to upstream version 4.4.2.

Martin

From karl.forner at gmail.com Mon Oct 17 08:27:55 2016
From: karl.forner at gmail.com (Karl Forner)
Date: Mon, 17 Oct 2016 10:27:55 +0200
Subject: [Freeipa-users] network ports requirements for a replica
In-Reply-To: <20161012172515.s4smyln2ozkxlf7x@redhat.com>
References: <20161012172515.s4smyln2ozkxlf7x@redhat.com>
Message-ID:

Thanks Alexander, unfortunately I could only find outdated documentation.
I just realized that my question is not precise enough.

Suppose I have a master running in its LAN, with all required ports open.
Now I want to set up a replica running in docker in an AWS EC2 instance.

From your answer, I understand that during the replica setup process, all I need (because I do not use RHEL) is an ssh port between the master and the replica.

What about the after-setup replica synchronization? Does it also only use ssh?

Regards,
Karl

On Wed, Oct 12, 2016 at 7:25 PM, Alexander Bokovoy wrote:
> On ke, 12 loka 2016, Karl Forner wrote:
>
>> Hello,
>>
>> A very simple question, but I could not find the answer. I'd like to set up a replica on another network than my master. Is it possible to set up the replication using only https, or must other ports be available?
>>
> This is all documented, did you read the guide?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prepping-replica.html
>
> ----
> The replica requires additional ports to be open
> In addition to the standard IdM server port requirements described in Section 2.1.4, "Port Requirements", make sure the following port requirements are complied with as well:
>
> During the replica setup process, keep the TCP port 22 open. This port is required in order to use SSH to connect to the master server.
> If one of the servers is running Red Hat Enterprise Linux 6 and has a CA installed, keep also TCP port 7389 open during and after the replica configuration. In a purely Red Hat Enterprise Linux 7 environment, port 7389 is not required.
> ----
>
> Section 2.1.4:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports
>
> -- 
> / Alexander Bokovoy

From abokovoy at redhat.com Mon Oct 17 08:33:07 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Oct 2016 11:33:07 +0300
Subject: [Freeipa-users] network ports requirements for a replica
In-Reply-To:
References: <20161012172515.s4smyln2ozkxlf7x@redhat.com>
Message-ID: <20161017083307.rnnsmpmu3irg5dxh@redhat.com>

On ma, 17 loka 2016, Karl Forner wrote:
> Thanks Alexander, unfortunately I could only find outdated documentation.
> I just realized that my question is not precise enough.
The documentation I linked is the up-to-date one.

> Suppose I have a master running in its LAN, with all required ports open.
> Now I want to set up a replica running in docker in an AWS EC2 instance.
It does not matter.

> From your answer, I understand that during the replica setup process,
> all I need (because I do not use RHEL) is an ssh port between the master
> and the replica.
You did not read carefully what I quoted. The SSH port is in addition to the ports required to be open for a normal IPA master. Just follow the documentation.

> What about the after-setup replica synchronization?
> Does it also only use ssh?
No, it does not. Please read the documentation, it has all the details, really.

-- 
/ Alexander Bokovoy

From karl.forner at gmail.com Mon Oct 17 08:46:08 2016
From: karl.forner at gmail.com (Karl Forner)
Date: Mon, 17 Oct 2016 10:46:08 +0200
Subject: [Freeipa-users] network ports requirements for a replica
In-Reply-To: <20161017083307.rnnsmpmu3irg5dxh@redhat.com>
References: <20161012172515.s4smyln2ozkxlf7x@redhat.com> <20161017083307.rnnsmpmu3irg5dxh@redhat.com>
Message-ID:

On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy wrote:
> On ma, 17 loka 2016, Karl Forner wrote:
>
>> Thanks Alexander, unfortunately I could only find outdated documentation.
>> I just realized that my question is not precise enough.
>>
> The documentation I linked is the up-to-date one.

Yes I know. I was explaining...

>> From your answer, I understand that during the replica setup process,
>> all I need (because I do not use RHEL) is an ssh port between the master
>> and the replica.
>>
> You did not read carefully what I quoted. The SSH port is in addition to the
> ports required to be open for a normal IPA master.

I did read. I wrote "between the master and the replica". Each server has its own set of open ports in its own network, used by its clients. What I want to know is what ports are used by the replication process, i.e. what ports must I open on my firewall to enable the replication. Maybe all the ports are used for that purpose, but this is not, unless I am mistaken, clearly stated in the documentation. In that case, this may be a security problem, opening that many ports in the firewall.

Thanks for your patience.
Karl
From lslebodn at redhat.com Mon Oct 17 09:58:29 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 17 Oct 2016 11:58:29 +0200
Subject: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0
In-Reply-To:
References: <20161012174039.irbx4ojxekojs4n7@redhat.com>
Message-ID: <20161017095828.GC26018@10.4.128.1>

On (13/10/16 08:15), Deepak Dimri wrote:
>
>Hi Alexander,
>
>I have tried it on ubuntu 16.04 as well but no luck either. Getting the same error:
>
>sudo apt-get install freeipa-server
>Reading package lists... Done
>Building dependency tree
>Reading state information... Done
>E: Unable to locate package freeipa-server
>
>any other ideas? I don't find any good response to this issue either..
>
freeipa-server is only in xenial (16.04 + universe)
http://packages.ubuntu.com/xenial/freeipa-server

LS

From b.candler at pobox.com Mon Oct 17 10:03:31 2016
From: b.candler at pobox.com (Brian Candler)
Date: Mon, 17 Oct 2016 11:03:31 +0100
Subject: [Freeipa-users] FreeIPA as domain controller?
Message-ID:

Sorry if this is a frequently asked question, but it's not easy to find a simple answer.

* Can I use FreeIPA (v4) as a domain controller for Windows machines to join?

* If not, what's the recommended free/open solution? Would it be to set up a Samba4 domain controller, and then set up cross-realm trust between FreeIPA and Samba4?

(That is: assuming I want central AAA for both Linux boxes and Windows boxes)

Things I found:

* http://www.freeipa.org/page/About

... but it only mentions FreeIPA v2 and v3

* https://sambaxp.org/archive_data/SambaXP2016-SLIDES/thu/track2/sambaxp2016-thu-track2-Alexander_Bokovoy-Andreas_Schneider-SambaAndFreeIPAAnUpdateOnActiveDirectoryIntegration.pdf

... report on work-in-progress. It does say:

"FreeIPA Domain Controller is unlike Samba AD - Windows cannot be joined to FreeIPA". But it's not clear if this is an eventual goal, or whether it's likely to remain this way.

I guess keeping a lot of MS-specific nonsense out of FreeIPA is a good thing :-)

Thanks,

Brian.

From abokovoy at redhat.com Mon Oct 17 10:12:00 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Oct 2016 13:12:00 +0300
Subject: [Freeipa-users] network ports requirements for a replica
In-Reply-To:
References: <20161012172515.s4smyln2ozkxlf7x@redhat.com> <20161017083307.rnnsmpmu3irg5dxh@redhat.com>
Message-ID: <20161017101200.ah522tvpvdonnc46@redhat.com>

On ma, 17 loka 2016, Karl Forner wrote:
>On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy wrote:
>
>> On ma, 17 loka 2016, Karl Forner wrote:
>>
>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>> I just realized that my question is not precise enough.
>>>
>> The documentation I linked is the up-to-date one.
>>
>
>Yes I know. I was explaining...
>
>>> From your answer, I understand that during the replica setup process,
>>> all I need (because I do not use RHEL) is an SSH port between the master
>>> and the replica.
>>>
>> You did not read carefully what I quoted. The SSH port is in addition to the
>> ports required to be open for a normal IPA master.
>>
>
>I did read. I wrote "between the master and the replica". Each server has
>its own set of open ports in its own network, used by its clients.
An IPA replica is a client of the IPA master, there isn't much difference,
except where Kerberos tickets are obtained from, as each master/replica
hosts its own KDC with exactly the same keys, so they are able to 'short cut' it
here. However, the rest stands.

>What I want to know is what ports are used by the replication process, i.e.
>what ports must I open on my firewall to enable the replication.
Exactly the same ports as specified in the documentation.

>Maybe all the ports are used for that purpose, but this is not, unless
>mistaken, clearly stated in the documentation.
You are mistaken and the mistake most likely comes from your idea that
somehow IPA master/replica are different from other IPA clients. They
are not, they are IPA clients themselves. Replication exchange is built
on the LDAP protocol.

>In that case, this may be a security problem opening that many ports in the
>firewall.
Nothing prevents you from organizing a proper VPN or other types of
tunneling between the networks.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Mon Oct 17 10:14:10 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Oct 2016 13:14:10 +0300
Subject: [Freeipa-users] FreeIPA as domain controller?
In-Reply-To:
References:
Message-ID: <20161017101410.776yd3eqqahwk6ua@redhat.com>

On ma, 17 loka 2016, Brian Candler wrote:
>Sorry if this is a frequently asked question, but it's not easy to
>find a simple answer.
>
>* Can I use FreeIPA (v4) as a domain controller for Windows machines
>to join?
No.

>* If not, what's the recommended free/open solution? Would it be to
>set up a Samba4 domain controller, and then set up cross-realm trust
>between FreeIPA and Samba4?
Yes. We are not yet at the point where you could use IPA-hosted identities
to log in to Windows machines joined to AD, though, regardless of which AD
implementation it is.

>(That is: assuming I want central AAA for both Linux boxes and Windows
>boxes)
>
>Things I found:
>
>* http://www.freeipa.org/page/About
>
>... but it only mentions FreeIPA v2 and v3
>
>* https://sambaxp.org/archive_data/SambaXP2016-SLIDES/thu/track2/sambaxp2016-thu-track2-Alexander_Bokovoy-Andreas_Schneider-SambaAndFreeIPAAnUpdateOnActiveDirectoryIntegration.pdf
>
>... report on work-in-progress. It does say:
>
>"FreeIPA Domain Controller is unlike Samba AD - Windows cannot be
>joined to FreeIPA". But it's not clear if this is an eventual goal,
>or whether it's likely to remain this way.
The eventual goal is to allow IPA-hosted identities to be used to log in to
Windows machines joined to Samba AD.

--
/ Alexander Bokovoy

From karl.forner at gmail.com Mon Oct 17 10:58:46 2016
From: karl.forner at gmail.com (Karl Forner)
Date: Mon, 17 Oct 2016 12:58:46 +0200
Subject: [Freeipa-users] network ports requirements for a replica
In-Reply-To: <20161017101200.ah522tvpvdonnc46@redhat.com>
References: <20161012172515.s4smyln2ozkxlf7x@redhat.com> <20161017083307.rnnsmpmu3irg5dxh@redhat.com> <20161017101200.ah522tvpvdonnc46@redhat.com>
Message-ID:

Thank you! This is at last crystal clear for me!
Thank you also for the VPN/tunneling suggestion, I'll look into it.

On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy wrote:
> On ma, 17 loka 2016, Karl Forner wrote:
>
>> On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy wrote:
>>
>>> On ma, 17 loka 2016, Karl Forner wrote:
>>>
>>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>>> I just realized that my question is not precise enough.
>>>>
>>> The documentation I linked is the up-to-date one.
>>>
>> Yes I know. I was explaining...
>>
>>>> From your answer, I understand that during the replica setup process,
>>>> all I need (because I do not use RHEL) is an SSH port between the master
>>>> and the replica.
>>>>
>>> You did not read carefully what I quoted. The SSH port is in addition to the
>>> ports required to be open for a normal IPA master.
>>>
>> I did read. I wrote "between the master and the replica". Each server has
>> its own set of open ports in its own network, used by its clients.
>>
> An IPA replica is a client of the IPA master, there isn't much difference,
> except where Kerberos tickets are obtained from, as each master/replica
> hosts its own KDC with exactly the same keys, so they are able to 'short cut' it
> here. However, the rest stands.
>
>> What I want to know is what ports are used by the replication process, i.e.
>> what ports must I open on my firewall to enable the replication.
>>
> Exactly the same ports as specified in the documentation.
>
>> Maybe all the ports are used for that purpose, but this is not, unless
>> mistaken, clearly stated in the documentation.
>>
> You are mistaken and the mistake most likely comes from your idea that
> somehow IPA master/replica are different from other IPA clients. They
> are not, they are IPA clients themselves. Replication exchange is built
> on the LDAP protocol.
>
>> In that case, this may be a security problem opening that many ports in the
>> firewall.
>>
> Nothing prevents you from organizing a proper VPN or other types of
> tunneling between the networks.
>
> --
> / Alexander Bokovoy
>

From jan.karasek at elostech.cz Mon Oct 17 11:27:40 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Mon, 17 Oct 2016 13:27:40 +0200 (CEST)
Subject: [Freeipa-users] Unable to resolve AD users from IPA client
In-Reply-To:
References:
Message-ID: <1754985103.903268.1476703660969.JavaMail.zimbra@elostech.cz>

Hi,

please can you help me with troubleshooting IPA clients in an IPA - AD trust scenario? We have two IPA servers and a couple of clients running on RHEL 6 and 7. IPA is running on RHEL 7.2.
AD servers are in domains example.cz, cen.example.cz. Test users sit in cen.example.cz. IPA is a subdomain of AD - vs.example.cz.
Trust is set as a one-way trust. User's POSIX attributes are stored in AD.
ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: CEN.EXAMPLE.CZ
  First Posix ID of the range: 98800000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
  Range type: Active Directory trust range with POSIX attributes

  Range name: EXAMPLE.CZ_id_range
  First Posix ID of the range: 68800000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
  Range type: Active Directory trust range with POSIX attributes

  Range name: VS.EXAMPLE.CZ_id_range
  First Posix ID of the range: 930000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------

I have no problem resolving AD users from both IPA servers:

IPA Server:
root#:id tst99654@cen.example.cz
uid=20019(tst99654@cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct

but from IPA client:
root#:id tst99654@cen.example.cz
id: tst99654@cen.example.cz: no such user

==> sssd_vs.example.cz.log <==
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)

All IPA clients have the same result - No such user. On the other hand Kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as the IPA servers.

On the IPA server, I can see that it is able to find the test user in AD. The log is captured during the IPA client request for id:

(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz].
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user
...

I can provide the full log from the IPA server, but it's quite long. Could you point me to what else I could try?

Thank you.

Jan

From sbose at redhat.com Mon Oct 17 11:49:23 2016
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 17 Oct 2016 13:49:23 +0200
Subject: [Freeipa-users] Unable to resolve AD users from IPA client
In-Reply-To: <1754985103.903268.1476703660969.JavaMail.zimbra@elostech.cz>
References: <1754985103.903268.1476703660969.JavaMail.zimbra@elostech.cz>
Message-ID: <20161017114923.GA9339@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in an IPA - AD trust scenario? We have two IPA servers and a couple of clients running on RHEL 6 and 7. IPA is running on RHEL 7.2.
> AD servers are in domains example.cz, cen.example.cz. Test users sit in cen.example.cz. IPA is a subdomain of AD - vs.example.cz.
> Trust is set as a one-way trust.
> User's POSIX attributes are stored in AD.
>
> ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: CEN.EXAMPLE.CZ
>   First Posix ID of the range: 98800000
>   Number of IDs in the range: 200000
>   Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
>   Range type: Active Directory trust range with POSIX attributes
>
>   Range name: EXAMPLE.CZ_id_range
>   First Posix ID of the range: 68800000
>   Number of IDs in the range: 200000
>   Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
>   Range type: Active Directory trust range with POSIX attributes
>
>   Range name: VS.EXAMPLE.CZ_id_range
>   First Posix ID of the range: 930000000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> I have no problem resolving AD users from both IPA servers:
>
> IPA Server:
> root#:id tst99654@cen.example.cz
> uid=20019(tst99654@cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct

Can you send your sssd.conf from the server? I wonder why the AD groups
are returned with a short name 'csunix' while the user is returned with
the full name (tst99654@cen.example.cz).

bye,
Sumit

>
> but from IPA client:
> root#:id tst99654@cen.example.cz
> id: tst99654@cen.example.cz: no such user
>
> ==> sssd_vs.example.cz.log <==
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
> All IPA clients have the same result - No such user. On the other hand Kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as the IPA servers.
>
> On the IPA server, I can see that it is able to find the test user in AD. The log is captured during the IPA client request for id:
>
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user
> ...
>
> I can provide the full log from the IPA server, but it's quite long. Could you point me to what else I could try?
>
> Thank you.
>
> Jan
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Mon Oct 17 11:51:41 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 17 Oct 2016 13:51:41 +0200
Subject: [Freeipa-users] Unable to resolve AD users from IPA client
In-Reply-To: <1754985103.903268.1476703660969.JavaMail.zimbra@elostech.cz>
References: <1754985103.903268.1476703660969.JavaMail.zimbra@elostech.cz>
Message-ID: <20161017115141.ug26fx7rhhaijrgj@hendrix>

On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in an IPA - AD trust scenario? We have two IPA servers and a couple of clients running on RHEL 6 and 7. IPA is running on RHEL 7.2.
> AD servers are in domains example.cz, cen.example.cz. Test users sit in cen.example.cz. IPA is a subdomain of AD - vs.example.cz.
> Trust is set as a one-way trust. User's POSIX attributes are stored in AD.
>
> ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: CEN.EXAMPLE.CZ
>   First Posix ID of the range: 98800000
>   Number of IDs in the range: 200000
>   Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
>   Range type: Active Directory trust range with POSIX attributes
>
>   Range name: EXAMPLE.CZ_id_range
>   First Posix ID of the range: 68800000
>   Number of IDs in the range: 200000
>   Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
>   Range type: Active Directory trust range with POSIX attributes
>
>   Range name: VS.EXAMPLE.CZ_id_range
>   First Posix ID of the range: 930000000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> I have no problem resolving AD users from both IPA servers:
>
> IPA Server:
> root#:id tst99654@cen.example.cz
> uid=20019(tst99654@cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct
>
> but from IPA client:
> root#:id tst99654@cen.example.cz
> id: tst99654@cen.example.cz: no such user
>
> ==> sssd_vs.example.cz.log <==
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
> All IPA clients have the same result - No such user. On the other hand Kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as the IPA servers.
>
> On the IPA server, I can see that it is able to find the test user in AD. The log is captured during the IPA client request for id:
>
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user
> ...
>
> I can provide the full log from the IPA server, but it's quite long. Could you point me to what else I could try?

The most typical cause is that the IPA client cannot resolve all the POSIX
information from the server. Check if all the groups are resolvable by ID:

getent group 5001
getent group 930000008

Alternatively, tail /var/log/sssd/sssd_nss.log on the IPA *server* and
watch if all requests that come from the DS UID (typically the dirsrv
user, see getent passwd dirsrv) are resolvable on the server.

From gjn at gjn.priv.at Mon Oct 17 12:25:31 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Mon, 17 Oct 2016 14:25:31 +0200
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To:
References: <12955976.8G96f2fpOL@techz>
Message-ID: <3469566.I6xoSU5hl8@techz>

Hello Martin and List

Thanks for the answer and help.

I mean my big problem is to understand the way to configure an ACI :-(.

I can't find any example or docs to configure this correctly :-(.
I mean this is a problem for the professional league in FreeIPA, and I am not a professional :-(..

I do this for all LDAP-configured apps:

ipa group-add systemers --nonposix   # group

ipa pwpolicy-add systemers --maxlife=20000 --minclasses=3 --priority=0   # forever-passwords

ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos="" --shell=/usr/sbin/nologin --email="" --random   # user

This user (ldapbind) is only in group systemers.

But now I have to create for this user an ACI to read the uid, passwd, mail, mailAlternateAddress...

mailAlternateAddress is in "objectClass mailrecipient"

I mean I must have an ACI like
access to attribute= ............

Does anyone have a hint or link to understand this problem?

Thanks for an answer and help,

On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote:
> On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > IPA 4.3.1
> >
> > I have a big problem with my LDAP read user (ldapbind). I'd like to install
> > dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin
> > for this, but now I can't read this attribute :-(.
> >
> > Is this the actual way to implement a System Account?
> >
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> >
> > ^D
> >
> > https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >
> > The IPA docs have no time stamp to find out whether this is current or old :-(.
> >
> > Thanks for an answer,
>
> Hi Gunther,
>
> that LDIF looks ok to me.
>
> Do not forget that you must set up the correct ACIs in order for the
> system account to see the 'mailAlternateAddress' attribute.

--
Kind regards / best regards,

Günther J.
Niederwimmer

From mbabinsk at redhat.com Mon Oct 17 12:41:01 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 17 Oct 2016 14:41:01 +0200
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To: <3469566.I6xoSU5hl8@techz>
References: <12955976.8G96f2fpOL@techz> <3469566.I6xoSU5hl8@techz>
Message-ID:

On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> Hello Martin and List
>
> Thanks for the answer and help.
>
> I mean my big problem is to understand the way to configure an ACI :-(.
>
> I can't find any example or docs to configure this correctly :-(.
>
> I mean this is a problem for the professional league in FreeIPA, and I am not a
> professional :-(..
>
> I do this for all LDAP-configured apps:
>
> ipa group-add systemers --nonposix #group
>
> ipa pwpolicy-add systemers --maxlife=20000 --minclasses=3 --priority=0
> #forever-passwords
>
> ipa user-add ldapbind --first=ldapbind --last=systemer --homedir=/ --gecos=""
> --shell=/usr/sbin/nologin --email="" --random #user
>
> This user (ldapbind) is only in group systemers.
>
> But now I have to create for this user an ACI to read the uid,
> passwd, mail, mailAlternateAddress...
>
> mailAlternateAddress is in "objectClass mailrecipient"
>
> I mean I must have an ACI like
> access to attribute= ............
>
> Does anyone have a hint or link to understand this problem?
>
> Thanks for an answer and help,
>
>
> On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote:
>> On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> IPA 4.3.1
>>>
>>> I have a big problem with my LDAP read user (ldapbind). I'd like to install
>>> dovecot with IPA, but I must have "mailAlternateAddress". I found a plugin
>>> for this, but now I can't read this attribute :-(.
>>>
>>> Is this the actual way to implement a System Account?
>>>
>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>>> changetype: add
>>> objectclass: account
>>> objectclass: simplesecurityobject
>>> uid: system
>>> userPassword: secret123
>>> passwordExpirationTime: 20380119031407Z
>>> nsIdleTimeout: 0
>>>
>>> ^D
>>>
>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>>>
>>> The IPA docs have no time stamp to find out whether this is current or old :-(.
>>>
>>> Thanks for an answer,
>>
>> Hi Gunther,
>>
>> that LDIF looks ok to me.
>>
>> Do not forget that you must set up the correct ACIs in order for the
>> system account to see the 'mailAlternateAddress' attribute.
>

See the following document for a step-by-step guide on how to write ACIs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

To allow the system account read access to your custom attributes, you can use LDIF like this (untested, hopefully I got it right from the top of my head):

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")(version 3.0; acl "Allow system account to read mail address"; allow(read, search, compare) userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

Save it to a file and then call

ldapmodify -x -D 'cn=Directory Manager' -W -f aci.ldif

to add this ACI to the cn=users subtree. The ACI then applies to all entries in the subtree.

--
Martin^3 Babinsky

From b.candler at pobox.com Mon Oct 17 13:56:04 2016
From: b.candler at pobox.com (Brian Candler)
Date: Mon, 17 Oct 2016 14:56:04 +0100
Subject: [Freeipa-users] FreeIPA as domain controller?
In-Reply-To: <20161017101410.776yd3eqqahwk6ua@redhat.com>
References: <20161017101410.776yd3eqqahwk6ua@redhat.com>
Message-ID: <3546af31-1dcb-910f-b7f0-cfb2cedd7237@pobox.com>

On 17/10/2016 11:14, Alexander Bokovoy wrote:
> We are not yet at the point you could use IPA-hosted identities to login
> to Windows machines joined to AD, though, regardless which AD
> implementation it is.
>
That's very helpful, thank you. So basically it means that for the time being, our admins will need two identities (one in each realm) and there is not much benefit in setting up cross-realm trust.

Would there be any benefit the other way round - creating identities in S4 and using them to login to FreeIPA-joined *nix boxes? I guess the problem then is where posix attributes like uid and gid come from.

Regards,

Brian.

From abokovoy at redhat.com Mon Oct 17 14:06:09 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Oct 2016 17:06:09 +0300
Subject: [Freeipa-users] FreeIPA as domain controller?
In-Reply-To: <3546af31-1dcb-910f-b7f0-cfb2cedd7237@pobox.com>
References: <20161017101410.776yd3eqqahwk6ua@redhat.com> <3546af31-1dcb-910f-b7f0-cfb2cedd7237@pobox.com>
Message-ID: <20161017140609.bkzaneja3oukmrtg@redhat.com>

On Mon, 17 Oct 2016, Brian Candler wrote:
>On 17/10/2016 11:14, Alexander Bokovoy wrote:
>>We are not yet at the point you could use IPA-hosted identities to login
>>to Windows machines joined to AD, though, regardless which AD
>>implementation it is.
>>
>That's very helpful, thank you. So basically it means that for the
>time being, our admins will need two identities (one in each realm)
>and there is not much benefit in setting up cross-realm trust.
>
>Would there be any benefit the other way round - creating identities
>in S4 and using them to login to FreeIPA-joined *nix boxes? I guess
>the problem then is where posix attributes like uid and gid come from.

This works for Samba AD > 4.4.
The code in Samba that supports forest trust is a bit new (and was written at Red Hat's request), so depending on what version you are using your experience will vary.

IPA supports different methods for mapping IDs, including algorithmic ones. We default to an algorithmic ID range if existing POSIX IDs aren't found.

See the ID MAPPING section in the sssd-ad man page for details. You don't need to configure anything in SSSD, though, because it is done automatically based on the ID ranges in IPA.

--
/ Alexander Bokovoy

From b.candler at pobox.com Mon Oct 17 14:13:50 2016
From: b.candler at pobox.com (Brian Candler)
Date: Mon, 17 Oct 2016 15:13:50 +0100
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To:
References:
Message-ID: <33a12325-e07d-c6f9-18c0-21b9253fddf6@pobox.com>

On 17/10/2016 14:56, freeipa-users-request at redhat.com wrote:
> But now I have to create for this user an ACI to read the uid,
> passwd, mail, mailAlternateAddress...
>
> mailAlternateAddress is in "objectClass mailrecipient"
>
> I mean I must have an ACI like
> access to attribute= ............
>
> Does anyone have a hint or link to understand this problem?

I found this guide very helpful, specifically for allowing access to an NT password hash attribute for doing wireless authentication.

http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html

They are doing it the correct way here: by creating a service principal for the RADIUS server, which it uses to get a Kerberos ticket and authenticate itself to the directory. But you could also use similar steps to apply those permissions to a regular user.

And the related guide if you're interested:

http://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html

Regards,

Brian.

From b.candler at pobox.com Mon Oct 17 14:23:57 2016
From: b.candler at pobox.com (Brian Candler)
Date: Mon, 17 Oct 2016 15:23:57 +0100
Subject: [Freeipa-users] FreeIPA as domain controller?
In-Reply-To: <20161017140609.bkzaneja3oukmrtg@redhat.com>
References: <20161017101410.776yd3eqqahwk6ua@redhat.com> <3546af31-1dcb-910f-b7f0-cfb2cedd7237@pobox.com> <20161017140609.bkzaneja3oukmrtg@redhat.com>
Message-ID: <00bad80b-85d7-5f2b-444c-b1e5d87d9bbc@pobox.com>

On 17/10/2016 15:06, Alexander Bokovoy wrote:
>> Would there be any benefit the other way round - creating identities
>> in S4 and using them to login to FreeIPA-joined *nix boxes? I guess
>> the problem then is where posix attributes like uid and gid come from.
> This works for Samba AD > 4.4. The code in Samba that supports forest
> trust is a bit new (and was written at Red Hat's request) so depending
> on what version you are using your experience will vary.
>
> IPA supports different methods for mapping IDs, including algorithmic
> ones. We default to an algorithmic ID range if existing POSIX IDs aren't
> found.
>
> See the ID MAPPING section in the sssd-ad man page for details. You don't need
> to configure anything in SSSD, though, because it is done automatically
> based on the ID ranges in IPA.

OK, but let me just see if I can clarify. Given the following scenario:

SAMBA . . . . . . FREEIPA
  |                  |
 USER              SERVER

The server isn't joined directly to the Samba domain, but the manpage for sssd-ad says "This provider requires that the machine be joined to the AD domain".

So is it true that:

1. The server is not configured to use sssd-ad? Does it automatically use this module if, because of trust relationships, a user from the Samba domain logs into it? Would it need configuration, or does it pick up everything it needs from the DNS?

2. If I create the posix uids/gids as extra attributes in the Samba domain, the algorithmic ID mapping isn't required?

Thanks,

Brian.
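Going back to the "Best and Secure Way for a System Account" thread above (Martin Babinsky's ACI LDIF and Brian Candler's pointers): the following is an added example, not code from the list, from FreeIPA or from 389 Directory Server. It parses the one ACI shape used in that LDIF and decides whether a given bind DN gets a given right on an attribute of an entry, so you can see why the ACI lets the system account read mailAlternateAddress on mailrecipient entries and nothing else. The regular expression is an assumption of the example and covers only the keywords in that LDIF (targetattr, one equality targetfilter, allow(...) rights, one userdn bind rule); the entries, bind DNs and the probes in access_report are constructed for the example.

```python
"""Evaluate a 389-DS style ACI against a bind DN and a directory entry.

Added illustration for the ACI thread; not FreeIPA or 389-DS code.  It
understands only the keywords used in the LDIF posted there and works on
constructed in-memory entries, so it runs without a directory server.
"""
import re

# Grammar of the one ACI shape handled here.  Assumption of this example:
# real 389-DS ACIs accept many more keywords (targattrfilters, groupdn,
# ip, timeofday, deny rules, ...) which this deliberately rejects.
_ACI_RE = re.compile(
    r'^\s*\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)\s*'
    r'(?:\(targetfilter\s*=\s*"\((?P<filter_attr>[^=()]+)=(?P<filter_value>[^)]*)\)"\)\s*)?'
    r'\(version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\s*;\s*\)\s*$',
    re.IGNORECASE,
)


def normalize_dn(dn):
    """Lower-case a DN and strip blanks around the RDN separators.

    Escaped commas inside attribute values are not handled; none of the
    DNs in the thread contain them.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_aci(aci):
    """Split the ACI string into its target, rights and bind-rule parts."""
    match = _ACI_RE.match(aci)
    if match is None:
        raise ValueError("ACI syntax not handled by this example: %r" % aci)
    targetfilter = None
    if match.group("filter_attr"):
        targetfilter = (match.group("filter_attr").strip().lower(),
                        match.group("filter_value").strip().lower())
    return {
        "name": match.group("name"),
        # targetattr may list several attributes separated by "||"
        "targetattr": [a.strip().lower() for a in match.group("targetattr").split("||")],
        "targetfilter": targetfilter,
        "rights": {r.strip().lower() for r in match.group("rights").split(",") if r.strip()},
        "userdn": normalize_dn(match.group("userdn")),
    }


def is_allowed(aci, bind_dn, entry, attr, right):
    """Return True if this one ACI grants `right` on `attr` of `entry`.

    389-DS denies everything not explicitly allowed and ORs all allow ACIs
    that apply, so False only means *this* ACI does not grant the access.
    """
    rule = parse_aci(aci) if isinstance(aci, str) else aci
    if right.lower() not in rule["rights"]:
        return False
    if normalize_dn(bind_dn) != rule["userdn"]:
        return False
    if "*" not in rule["targetattr"] and attr.lower() not in rule["targetattr"]:
        return False
    if rule["targetfilter"] is None:
        return True
    filter_attr, filter_value = rule["targetfilter"]
    # attribute names and objectClass values are case-insensitive in LDAP
    matching = [vals for name, vals in entry.items() if name.lower() == filter_attr]
    return any(str(v).lower() == filter_value for vals in matching for v in vals)


# The ACI from Martin Babinsky's LDIF and the system account it names.
SAMPLE_ACI = (
    '(targetattr="mailAlternateAddress")'
    '(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; '
    'allow(read, search, compare) '
    'userdn = "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)'
)
SYSTEM_ACCOUNT_DN = "uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com"

# Constructed sample entries (attribute name -> list of values); not data
# from any real directory.
MAIL_USER = {
    "objectClass": ["person", "posixAccount", "mailrecipient"],
    "uid": ["alice"],
    "mail": ["alice@example.com"],
    "mailAlternateAddress": ["alice.smith@example.com"],
    "userPassword": ["{SSHA}constructed-placeholder"],
}
PLAIN_USER = {
    "objectClass": ["person", "posixAccount"],
    "uid": ["bob"],
    "mail": ["bob@example.com"],
    "userPassword": ["{SSHA}constructed-placeholder"],
}


def access_report(aci, bind_dn):
    """Map each (user, attribute, right) probe to the ACI's decision."""
    probes = [
        ("alice", MAIL_USER, "mailAlternateAddress", "read"),
        ("alice", MAIL_USER, "mailAlternateAddress", "write"),
        ("alice", MAIL_USER, "userPassword", "read"),
        ("bob", PLAIN_USER, "mailAlternateAddress", "read"),
    ]
    return {(who, attr, right): is_allowed(aci, bind_dn, entry, attr, right)
            for who, entry, attr, right in probes}


if __name__ == "__main__":
    for probe, decision in sorted(access_report(SAMPLE_ACI, SYSTEM_ACCOUNT_DN).items()):
        print("%-45s %s" % (probe, "allowed" if decision else "not granted by this ACI"))
```

On a real server the effective rights are the union of every allow ACI that applies, so the way to confirm the LDIF did what you meant is to bind as the system account with ldapsearch and request mailAlternateAddress on a mailrecipient entry and on a plain user entry.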
From abokovoy at redhat.com Mon Oct 17 14:52:26 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 17 Oct 2016 17:52:26 +0300
Subject: [Freeipa-users] FreeIPA as domain controller?
In-Reply-To: <00bad80b-85d7-5f2b-444c-b1e5d87d9bbc@pobox.com>
References: <20161017101410.776yd3eqqahwk6ua@redhat.com> <3546af31-1dcb-910f-b7f0-cfb2cedd7237@pobox.com> <20161017140609.bkzaneja3oukmrtg@redhat.com> <00bad80b-85d7-5f2b-444c-b1e5d87d9bbc@pobox.com>
Message-ID: <20161017145226.ex7htijbefj2qvnv@redhat.com>

On Mon, 17 Oct 2016, Brian Candler wrote:
>On 17/10/2016 15:06, Alexander Bokovoy wrote:
>>>Would there be any benefit the other way round - creating
>>>identities in S4 and using them to login to FreeIPA-joined *nix
>>>boxes? I guess the problem then is where posix attributes like uid
>>>and gid come from.
>>This works for Samba AD > 4.4. The code in Samba that supports forest
>>trust is a bit new (and was written at Red Hat's request) so depending
>>on what version you are using your experience will vary.
>>
>>IPA supports different methods for mapping IDs, including algorithmic
>>ones. We default to an algorithmic ID range if existing POSIX IDs aren't
>>found.
>>
>>See the ID MAPPING section in the sssd-ad man page for details. You don't need
>>to configure anything in SSSD, though, because it is done automatically
>>based on the ID ranges in IPA.
>
>OK, but let me just see if I can clarify. Given the following scenario:
>
>SAMBA . . . . . . FREEIPA
>  |                  |
> USER              SERVER
>
>The server isn't joined directly to the Samba domain, but the manpage
>for sssd-ad says "This provider requires that the machine be joined to
>the AD domain".
>
>So is it true that:
>
>1. The server is not configured to use sssd-ad? Does it automatically
>use this module if, because of trust relationships, a user from the
>Samba domain logs into it? Would it need configuration, or does it
>pick up everything it needs from the DNS?
In the case of an IPA client, SSSD is configured to use SSSD's 'ipa' provider. The provider is more complex than sssd-ldap or sssd-ad; it derives a lot of its own configuration from the content of the IPA LDAP server. In the case of a trust to AD, it dynamically derives configurations of 'subdomains' for the IPA domain. These subdomains are driven by an 'sssd-ad'-like provider.

To cut it short, the same ID MAPPING mechanism is in use if the ID range in IPA corresponding to the AD domain discovered via forest trust is set to 'Active Directory domain range'. See 'ipa help idrange' for more details.

When you establish trust between AD and IPA, the ranges for AD domains are created automatically. There is code that attempts to look up in AD and understand whether POSIX attributes are stored there. In such a case the ID range for the AD domains would be set to 'Active Directory domain range with POSIX attributes'.

>
>2. If I create the posix uids/gids as extra attributes in the Samba
>domain, the algorithmic ID mapping isn't required?

If you set the ID range for the corresponding AD domain in IPA to be 'ipa-ad-trust-posix' and make sure all users that need to log on to IPA have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for RHEL7.

--
/ Alexander Bokovoy

From jruybal at owneriq.com Mon Oct 17 18:32:31 2016
From: jruybal at owneriq.com (Joshua Ruybal)
Date: Mon, 17 Oct 2016 11:32:31 -0700
Subject: [Freeipa-users] Problems after install 3rd Party Certs
Message-ID:

Hi,

We've recently tried to change our https web certs for our IPA servers following the instructions listed here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

The web GUI is successfully using https now; however, we are having several other problems.

Enrollment now fails for new hosts, and we're unable to install replicas.

Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
Any advice on this?

ipa-server 3.0.0
CentOS 6.7

Thanks,

--Josh

From jruybal at owneriq.com Mon Oct 17 18:36:27 2016
From: jruybal at owneriq.com (Joshua Ruybal)
Date: Mon, 17 Oct 2016 11:36:27 -0700
Subject: [Freeipa-users] Problems after install 3rd Party Certs
In-Reply-To:
References:
Message-ID:

Forgot to add. After some digging I saw the CA needed to be added to the NSS DBs. I've added the CA cert to:

[root at ipa02 ipa02]# certutil -A -d /etc/pki/nssdb -n 'NewCA' -t CT,C,C -a -i fullchain.pem
[root at ipa02 ipa02]# certutil -A -d /etc/httpd/alias -n 'NewCA' -t CT,C,C -a -i fullchain.pem

On Mon, Oct 17, 2016 at 11:32 AM, Joshua Ruybal wrote:
> Hi,
>
> We've recently tried to change our https web certs for our IPA servers
> following the instructions listed here:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> The web GUI is successfully using https now; however, we are having several
> other problems.
>
> Enrollment now fails for new hosts, and we're unable to install replicas.
>
> Specifically we're seeing this error: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.
>
> Any advice on this?
>
> ipa-server 3.0.0
> CentOS 6.7
>
> Thanks,
>
> --Josh
>

--
Joshua Ruybal | Systems Engineer
o: (866) 870-2295 x823
c: (206) 724-4549
e: jruybal at owneriq.com
From tjaalton at ubuntu.com Mon Oct 17 22:12:59 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Tue, 18 Oct 2016 01:12:59 +0300
Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1
In-Reply-To: <83d1j0q45k.fsf@echidna.jochen.org>
References: <57192380.4090400@ubuntu.com> <83h98dpftq.fsf@echidna.jochen.org> <83d1j0q45k.fsf@echidna.jochen.org>
Message-ID:

On 16.10.2016 08:00, Jochen Hein wrote:
> Timo Aaltonen writes:
>
>> On 15.10.2016 22:33, Jochen Hein wrote:
>>> Timo Aaltonen writes:
>>>
>>>> Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
>>>
>>> Thanks for your work on packaging FreeIPA for Ubuntu (and Debian). I've
>>> just updated my laptop to Ubuntu 16.10, and now the freeipa packages are
>>> "orphaned", because these packages seem to be missing from yakkety. Is
>>> there a reason for this? I didn't see a bug report for it.
>>
>> Looks like it was due to a misunderstanding.. it got removed from Debian
>> first (because of new uploads getting blocked due to minified javascript
>> not being actual source), then added back and synced to yakkety, but
>> again removed from there for the same reason it got removed from Debian..
>
> That's what I've feared.
>
>> I'll check if it can be added back.
>
> Thanks for looking into it.

The dropped binaries are back; you can find them in yakkety-updates.

--
t

From yamakasi.014 at gmail.com Mon Oct 17 22:30:43 2016
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 18 Oct 2016 00:30:43 +0200
Subject: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.
Message-ID:

Hi Guys,

I'm having a failure on my upgrade to 4.4.2-1 on Fedora 24.

I already checked some info and:

ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

gives me TU instead of MII as expected.

Any further suggestions?
Thanks,

Matt


2016-10-17T22:19:10Z DEBUG Starting external process
2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
2016-10-17T22:19:10Z DEBUG Process finished, return code=255
2016-10-17T22:19:10Z DEBUG stdout=
2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-17T22:19:11Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1867, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1770, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 996, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in load_certificate
    return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin

016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

From jochen at jochen.org Tue Oct 18 04:11:24 2016
From: jochen at jochen.org (Jochen Hein)
Date: Tue, 18 Oct 2016 06:11:24 +0200
Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1
In-Reply-To: (Timo Aaltonen's message of "Tue, 18 Oct 2016 01:12:59 +0300")
References: <57192380.4090400@ubuntu.com> <83h98dpftq.fsf@echidna.jochen.org> <83d1j0q45k.fsf@echidna.jochen.org>
Message-ID: <834m4apa8j.fsf@echidna.jochen.org>

Timo Aaltonen writes:

> On 16.10.2016 08:00, Jochen Hein wrote:
>> Timo Aaltonen writes:
>>
>>> On 15.10.2016 22:33, Jochen Hein wrote:
>>>> Timo Aaltonen writes:
>>>
>>> Looks like it was due to a misunderstanding.. it got removed from Debian
>>> first (because of new uploads getting blocked due to minified javascript
>>> not being actual source), then added back and synced to yakkety, but
>>> again removed from there for the same reason it got removed from Debian..
>
> The dropped binaries are back, you can find them from yakkety-updates.

Thanks!

Jochen

--
The only problem with troubleshooting is that the trouble shoots back.

From zhenglei at kylinos.cn Tue Oct 18 05:45:05 2016
From: zhenglei at kylinos.cn (郑磊)
Date: Tue, 18 Oct 2016 13:45:05 +0800
Subject: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.
In-Reply-To:
References:
Message-ID:

Maybe you should specify the specific $SUFFIX according to your environment.

------------------
郑磊
Phone: 18684703229
Email: zhenglei at kylinos.cn

------------------ Original ------------------
From: "Matt .";
Date: Tue, Oct 18, 2016 06:30 AM
To: "freeipa-users at redhat.com";
Subject: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.
Hi Guys,

I'm having a failure on my upgrade to 4.4.2-1 on Fedora 24.

I already checked some info and:

ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

gives me TU instead of MII as expected.

Any further suggestions?

Thanks,

Matt


2016-10-17T22:19:10Z DEBUG Starting external process
2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
2016-10-17T22:19:10Z DEBUG Process finished, return code=255
2016-10-17T22:19:10Z DEBUG stdout=
2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-17T22:19:11Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1867, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1770, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 996, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in load_certificate
    return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin

016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
security library failure.
2016-10-17T22:19:11Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From mbabinsk at redhat.com Tue Oct 18 05:49:07 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 18 Oct 2016 07:49:07 +0200
Subject: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.
In-Reply-To:
References:
Message-ID:

On 10/18/2016 12:30 AM, Matt . wrote:
> Hi Guys,
>
> I'm having a failure on my upgrade to 4.4.2-1 on Fedora 24.
>
> I already checked some info and:
>
> ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> gives me TU instead of MII as expected.
>
> Any further suggestions?
>
> Thanks,
>
> Matt
>
>
> 2016-10-17T22:19:10Z DEBUG Starting external process
> 2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
> 2016-10-17T22:19:10Z DEBUG Process finished, return code=255
> 2016-10-17T22:19:10Z DEBUG stdout=
> 2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> 2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2016-10-17T22:19:11Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
> in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1867, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1770, in upgrade_configuration
>     certificate_renewal_update(ca, ds, http),
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1027, in certificate_renewal_update
>     ds.start_tracking_certificates(serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
> line 996, in start_tracking_certificates
>     'restart_dirsrv %s' % serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 307, in track_server_cert
>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
> load_certificate
>     return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>
>
> 016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
> exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
> security library failure.
> 2016-10-17T22:19:11Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> 2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
>

Hmmm strange,

looks like your DS certificate got lost or has some strange nickname in your directory server's NSS database.

Is this a CA-less install, externally signed CA or 'self-signed' CA? Master or replica?

--
Martin^3 Babinsky

From yamakasi.014 at gmail.com Tue Oct 18 08:06:06 2016
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 18 Oct 2016 10:06:06 +0200
Subject: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.
In-Reply-To:
References:
Message-ID:

Hi Martin,

Indeed strange, as another master where I did the upgrade went fine.

It is/was a master with CA and an externally signed CA, which was perfectly synced to the other master.

I finally uninstalled the ipa server and did a new replica install on it with DNS and CA, and all went smooth and fine.

I also had some weird DNS error and bind didn't want to start anymore because of expecting a ; I thought this had something to do with a forwarder, which it wasn't.

For now I'm good, but do you want extra info?

Thanks,

Matt

2016-10-18 7:49 GMT+02:00 Martin Babinsky :
> On 10/18/2016 12:30 AM, Matt . wrote:
>>
>> Hi Guys,
>>
>> I'm having a failure on my upgrade to 4.4.2-1 on Fedora 24.
>>
>> I already checked some info and:
>>
>> ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> gives me TU instead of MII as expected.
>>
>> Any further suggestions?
>>
>> Thanks,
>>
>> Matt
>>
>>
>> 2016-10-17T22:19:10Z DEBUG Starting external process
>> 2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
>> 2016-10-17T22:19:10Z DEBUG Process finished, return code=255
>> 2016-10-17T22:19:10Z DEBUG stdout=
>> 2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> 2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2016-10-17T22:19:11Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
>> in execute
>>     return_value = self.run()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>     server.upgrade()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1867, in upgrade
>>     upgrade_configuration()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1770, in upgrade_configuration
>>     certificate_renewal_update(ca, ds, http),
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1027, in certificate_renewal_update
>>     ds.start_tracking_certificates(serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 996, in start_tracking_certificates
>>     'restart_dirsrv %s' % serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 307, in track_server_cert
>>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
>> load_certificate
>>     return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>>
>>
>> 016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
>> exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
>> security library failure.
>> 2016-10-17T22:19:11Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> 2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>
> Hmmm strange,
>
> looks like your DS certificate got lost or has some strange nickname in your
> directory server's NSS database.
>
> Is this CA-less install, externally signed CA or 'self-signed' CA? Master or
> replica?
>
> --
> Martin^3 Babinsky
>

From deepak_dimri at hotmail.com Tue Oct 18 11:52:52 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Tue, 18 Oct 2016 11:52:52 +0000
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
In-Reply-To: <22363f8f-60da-030d-6656-cc9f32d42713@redhat.com>
References: , <22363f8f-60da-030d-6656-cc9f32d42713@redhat.com>
Message-ID:

Thanks Martin, I had to run ipa-server-install --uninstall -U to get rid of the IPA client error message on the replica server and then re-run the ipa-replica-install script to run it ok. But it does not look clean through - as I understand we do need to run the ipa-server-install script (same as master) on the replica server, but that script by default installs the ipa client, which then causes the replica install to fail. Is there any way I can avoid IPA client installation on the replica?

Thanks,
Deepak

________________________________
From: Martin Babinsky
Sent: Monday, October 17, 2016 1:29 AM
To: Deepak Dimri; Martin Basti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

On 10/15/2016 12:41 PM, Deepak Dimri wrote:
> Thanks Martin for the reply.
>
> When I try 'ipa-client-install --uninstall' then I am getting the below
> message:
>
>
> ipa-client-install --uninstall
> IPA client is configured as a part of IPA server on this system.
> Refer to ipa-server-install for uninstallation.
>
>
> How can I raise the domain level to 1 in v4? I tried
>
> ipa *domainlevel-set* 1
>
> but I am getting ipa: ERROR: unknown command 'domainlevel-set'
>
> Thanks again for your help on this.
>
> Best Regards,
> Deepak
>
>

Hi Deepak,

IIRC CentOS 7 has FreeIPA 4.2.0-15, which does not support replica promotion and domain levels other than 0.
The error from ipa-replica-install comes probably from a leftovers of previous client enrollment. Just run `ipa-client-install --uninstall -U` and then re-run replica installation as usual. > ------------------------------------------------------------------------ > *From:* Martin Basti > *Sent:* Saturday, October 15, 2016 4:54 AM > *To:* Deepak Dimri; freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] Not able to pass through > ipa-replica-install on centos 7 > > > > > On 14.10.2016 18:58, Deepak Dimri wrote: >> >> Hi All, >> >> >> I am trying to configure replication between two FreeIPA centos 7 >> servers. As per the document i need same FreeIPA version running on >> both the machines, which i have, and run ipa-replica-prepare on the >> master and then simply run ipa-replica-install on the replica server >> along with replica file. But i am unable to get pass the below error >> message: >> >> >> [root at ip-172-31-23-230 ipa]# ipa-replica-install >> /var/lib/ipa/replica-info-replica.ipa.com.gpg >> >> ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client >> is already configured on this system. >> >> Please uninstall it first before configuring the replica, using >> 'ipa-client-install --uninstall'. >> >> >> What should i be doing to get around this error? the error looks >> missleading as i am trying to install replica and not ipa client >> >> >> Thanks, >> >> Deepak >> >> >> > Hi, > > have you tried ipa-client-install --uninstall? > > Replica cannot be installed on system where client is already installed > (with domain level 0, your case) > > Martin > > -- Martin^3 Babinsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From b.candler at pobox.com Tue Oct 18 12:35:40 2016 From: b.candler at pobox.com (Brian Candler) Date: Tue, 18 Oct 2016 13:35:40 +0100 Subject: [Freeipa-users] FreeIPA as domain controller? 
In-Reply-To: <20161017145226.ex7htijbefj2qvnv@redhat.com>
References: <20161017101410.776yd3eqqahwk6ua@redhat.com> <3546af31-1dcb-910f-b7f0-cfb2cedd7237@pobox.com> <20161017140609.bkzaneja3oukmrtg@redhat.com> <00bad80b-85d7-5f2b-444c-b1e5d87d9bbc@pobox.com> <20161017145226.ex7htijbefj2qvnv@redhat.com>
Message-ID: <5e7c77ac-70d0-2921-d431-0af9fe04b2f4@pobox.com>

On 17/10/2016 15:52, Alexander Bokovoy wrote:
> If you set the ID range for the corresponding AD domain in IPA to be 'ipa-ad-trust-posix' and make sure all users that need to log on to IPA have POSIX attributes, then it should work.
>
> I think most of this is described in the Windows Integration Guide for RHEL7.

Thank you.

Final question. Suppose I use just the ipa-client package with sssd-ad pointing to Samba4 (or even real Windows AD). Is that likely to be a satisfactory solution for managing the *nix boxes, or would I be better off with two separate domains?

For example, would I lose the features that FreeIPA gives me like host-based access controls, sudo controls, central storage of ssh public keys?

Thanks,

Brian.

From mbasti at redhat.com Tue Oct 18 12:40:07 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 18 Oct 2016 14:40:07 +0200
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
In-Reply-To:
References: <22363f8f-60da-030d-6656-cc9f32d42713@redhat.com>
Message-ID: <5098a342-766d-c7d4-c4ab-a02411957c9c@redhat.com>

On 18.10.2016 13:52, Deepak Dimri wrote:
> Thanks Martin, I had to run ipa-server-install --uninstall -U to get rid of the IPA client error message on the replica server and then re-run the ipa-replica-install script to run it OK. But it does not look clean through - as I understand we do need to run the ipa-server-install script (same as master) on the replica server, but that script by default installs the IPA client, which then causes the replica install to fail. Is there any way I can avoid IPA client installation on the replica?
>

You need to run the ipa-replica-install installer, and the client is a required part of any server. Can you be more specific about what kind of errors you are getting? Logs?

Martin^2

> Thanks,
>
> Deepak
>
> [...]

From deepak_dimri at hotmail.com Tue Oct 18 14:59:34 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Tue, 18 Oct 2016 14:59:34 +0000
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
In-Reply-To: <5098a342-766d-c7d4-c4ab-a02411957c9c@redhat.com>
References: <22363f8f-60da-030d-6656-cc9f32d42713@redhat.com> , <5098a342-766d-c7d4-c4ab-a02411957c9c@redhat.com>
Message-ID:

Hi Martin, Before running ipa-replica-install do I need to run the ipa-server-install script on the replica?
I am installing the ipa-server-install script on the replica and then if I install ipa-replica-install without uninstalling the IPA server then I get the below errors:

[root at ip-172-31-23-230 ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client is already configured on this system.
Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.

when I try 'ipa-client-install --uninstall' then I am getting the below

ipa-client-install --uninstall
IPA client is configured as a part of IPA server on this system.
Refer to ipa-server-install for uninstallation

Thanks,
Deepak

________________________________
From: Martin Basti
Sent: Tuesday, October 18, 2016 8:40 AM
To: Deepak Dimri; Martin Babinsky; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

On 18.10.2016 13:52, Deepak Dimri wrote:
Thanks Martin, I had to run ipa-server-install --uninstall -U to get rid of the IPA client error message on the replica server and then re-run the ipa-replica-install script to run it OK. But it does not look clean through - as I understand we do need to run the ipa-server-install script (same as master) on the replica server, but that script by default installs the IPA client, which then causes the replica install to fail. Is there any way I can avoid IPA client installation on the replica?

You need to run the ipa-replica-install installer, and the client is a required part of any server. Can you be more specific about what kind of errors you are getting? Logs?

Martin^2

Thanks,
Deepak

[...]

From mbabinsk at redhat.com Tue Oct 18 15:02:21 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 18 Oct 2016 17:02:21 +0200
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
In-Reply-To:
References: <22363f8f-60da-030d-6656-cc9f32d42713@redhat.com> <5098a342-766d-c7d4-c4ab-a02411957c9c@redhat.com>
Message-ID:

On 10/18/2016 04:59 PM, Deepak Dimri wrote:
> Hi Martin, Before running ipa-replica-install do I need to run the ipa-server-install script on the replica?
>
> I am installing the ipa-server-install script on the replica and then if I install ipa-replica-install without uninstalling the IPA server then I get the below errors:
>

No, there should be neither an IPA server nor a client installed on the replica machine; there just needs to be *some* IPA master on some other machine to prepare a replica file.

Just run ipa-replica-install on the replica and make sure that *no* ipa-server-install/ipa-client-install were run before that.

>>> [root at ip-172-31-23-230 ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client is already configured on this system.
>>> Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.
>>>
>>> when I try 'ipa-client-install --uninstall' then I am getting the below
>>>
>>> ipa-client-install --uninstall
>>> IPA client is configured as a part of IPA server on this system.
>>> Refer to ipa-server-install for uninstallation
>>>
> Thanks,
>
> Deepak
>
> [...]

--
Martin^3 Babinsky

From mbasti at redhat.com Tue Oct 18 15:15:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 18 Oct 2016 17:15:56 +0200
Subject: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7
In-Reply-To:
References: <22363f8f-60da-030d-6656-cc9f32d42713@redhat.com> <5098a342-766d-c7d4-c4ab-a02411957c9c@redhat.com>
Message-ID: <8d6f80c0-508b-29a1-4520-8e1b83a9d74c@redhat.com>

On 18.10.2016 17:02, Martin Babinsky wrote:
> On 10/18/2016 04:59 PM, Deepak Dimri wrote:
>> Hi Martin, Before running ipa-replica-install do I need to run the ipa-server-install script on the replica?
>>
>> I am installing the ipa-server-install script on the replica and then if I install ipa-replica-install without uninstalling the IPA server then I get the below errors:
>>

Please read the docs. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#install-replica

> No, there should be neither an IPA server nor a client installed on the replica machine; there just needs to be *some* IPA master on some other machine to prepare a replica file.
>
> Just run ipa-replica-install on the replica and make sure that *no* ipa-server-install/ipa-client-install were run before that.
>
>>>> [root at ip-172-31-23-230 ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client is already configured on this system.
>>>> Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.
>>>>
>>>> when I try 'ipa-client-install --uninstall' then I am getting the below
>>>>
>>>> ipa-client-install --uninstall
>>>> IPA client is configured as a part of IPA server on this system.
>>>> Refer to ipa-server-install for uninstallation
>>>>
>> Thanks,
>>
>> Deepak
>>
>> [...]

From prashant at apigee.com Tue Oct 18 17:08:20 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 18 Oct 2016 22:38:20 +0530
Subject: [Freeipa-users] Lots of error messages in logs after upgrade
Message-ID:

Hi,

I'm seeing lots of error messages like this in the DS logs.

[18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
[18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.

We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have a total of 8 IPA servers with replication. Below are the steps I followed.

1. Install a new Centos server.
2. Replicated against a Fedora server with CA.
3. Moved the DNA ranges.
4. From the Centos master created replicas.

Is this related to the DS package version? We have 389-ds-base-1.3.4.0-33.el7_2.x86_64.

Thanks.
--Prashant

From abokovoy at redhat.com Tue Oct 18 17:26:27 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 18 Oct 2016 20:26:27 +0300
Subject: [Freeipa-users] FreeIPA as domain controller?
In-Reply-To: <5e7c77ac-70d0-2921-d431-0af9fe04b2f4@pobox.com>
References: <20161017101410.776yd3eqqahwk6ua@redhat.com> <3546af31-1dcb-910f-b7f0-cfb2cedd7237@pobox.com> <20161017140609.bkzaneja3oukmrtg@redhat.com> <00bad80b-85d7-5f2b-444c-b1e5d87d9bbc@pobox.com> <20161017145226.ex7htijbefj2qvnv@redhat.com> <5e7c77ac-70d0-2921-d431-0af9fe04b2f4@pobox.com>
Message-ID: <20161018172627.em4d7tkv2ltd4okb@redhat.com>

On Tue, 18 Oct 2016, Brian Candler wrote:
> On 17/10/2016 15:52, Alexander Bokovoy wrote:
>> If you set the ID range for the corresponding AD domain in IPA to be 'ipa-ad-trust-posix' and make sure all users that need to log on to IPA have POSIX attributes, then it should work.
>>
>> I think most of this is described in the Windows Integration Guide for RHEL7.
>
> Thank you.
>
> Final question. Suppose I use just the ipa-client package with sssd-ad pointing to Samba4 (or even real Windows AD). Is that likely to be a satisfactory solution for managing the *nix boxes, or would I be better off with two separate domains?

No, it is wrong to use this mode. If you made a Linux machine a client to IPA, it will be set up to use the 'ipa' provider in SSSD and that should support all needed functionality. You don't need to change anything in the configuration.

Remember, I pointed you to the sssd-ad manual page only to make sure you would read about ID mapping, because this is the place in the SSSD documentation which explains what happens there. I did not ask you to change the IPA client setup to use the 'ad' provider in SSSD.

>
> For example, would I lose the features that FreeIPA gives me like host-based access controls, sudo controls, central storage of ssh public keys?

Yes, you will lose all these features.

--
/ Alexander Bokovoy

From aebruno2 at buffalo.edu Tue Oct 18 18:52:58 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Tue, 18 Oct 2016 14:52:58 -0400
Subject: [Freeipa-users] replica DS failure deadlock
Message-ID: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu>

We had one of our replicas fail today with the following errors:

[18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000
[18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559)
[18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
[18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
[18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
[18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
[18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
[18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
[18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5)
[18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000

ns-slapd was hung so we restarted, and now it's stuck and won't come back up. It hangs here:

[18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
[18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
[18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943

Tried deleting the semaphore files and restarting, but no luck. Attached is a stack trace of the stuck ns-slapd process.
Here are the versions we're running:

ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64

FWIW, we were experimenting with the new life-cycle management features, specifically "preserved" users, and deleted the user "janedoe" when this happened. From the errors above it looks like this host failed to replicate the change? Not sure if this is related or not.

Is it possible to recover the database?

Thanks in advance for any pointers.

--Andrew

-------------- next part --------------
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/sbin/ns-slapd...Reading symbols from /usr/lib/debug/usr/sbin/ns-slapd.debug...done.
done.
Attaching to program: /usr/sbin/ns-slapd, process 39086
Reading symbols from /usr/lib64/dirsrv/libslapd.so.0...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/libslapd.so.0.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/dirsrv/libslapd.so.0
Reading symbols from /usr/lib64/dirsrv/libnunc-stans.so.0...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/libnunc-stans.so.0.0.0.debug...done.
done.
Loaded symbols for /usr/lib64/dirsrv/libnunc-stans.so.0
Reading symbols from /lib64/libkrb5.so.3...Reading symbols from /lib64/libkrb5.so.3...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libkrb5.so.3
Reading symbols from /lib64/libk5crypto.so.3...Reading symbols from /lib64/libk5crypto.so.3...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libk5crypto.so.3
Reading symbols from /lib64/libcom_err.so.2...Reading symbols from /lib64/libcom_err.so.2...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /lib64/libpcre.so.1...Reading symbols from /lib64/libpcre.so.1...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libpcre.so.1
Reading symbols from /lib64/libldap_r-2.4.so.2...Reading symbols from /lib64/libldap_r-2.4.so.2...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libldap_r-2.4.so.2
Reading symbols from /lib64/liblber-2.4.so.2...Reading symbols from /lib64/liblber-2.4.so.2...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/liblber-2.4.so.2
Reading symbols from /lib64/libssl3.so...Reading symbols from /lib64/libssl3.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libssl3.so
Reading symbols from /lib64/libnss3.so...Reading symbols from /lib64/libnss3.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss3.so
Reading symbols from /lib64/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /lib64/libplc4.so...Reading symbols from /lib64/libplc4.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libplc4.so
Reading symbols from /lib64/libplds4.so...Reading symbols from /lib64/libplds4.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libplds4.so
Reading symbols from /lib64/libnspr4.so...Reading symbols from /lib64/libnspr4.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libnspr4.so
Reading symbols from /lib64/libsasl2.so.3...Reading symbols from /lib64/libsasl2.so.3...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libsasl2.so.3
Reading symbols from /lib64/libsvrcore.so.0...Reading symbols from /lib64/libsvrcore.so.0...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libsvrcore.so.0
Reading symbols from /lib64/libpthread.so.0...(no debugging symbols found)...done.
[New LWP 39091]
[New LWP 39090]
[New LWP 39089]
[New LWP 39088]
[New LWP 39087]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/libevent-2.0.so.5...Reading symbols from /lib64/libevent-2.0.so.5...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libevent-2.0.so.5
Reading symbols from /lib64/libtevent.so.0...Reading symbols from /lib64/libtevent.so.0...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libtevent.so.0
Reading symbols from /lib64/libtalloc.so.2...Reading symbols from /lib64/libtalloc.so.2...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libtalloc.so.2
Reading symbols from /lib64/libkrb5support.so.0...Reading symbols from /lib64/libkrb5support.so.0...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...Reading symbols from /lib64/libkeyutils.so.1...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libkeyutils.so.1 Reading symbols from /lib64/libresolv.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/libresolv.so.2 Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done. Loaded symbols for /lib64/ld-linux-x86-64.so.2 Reading symbols from /lib64/libsmime3.so...Reading symbols from /lib64/libsmime3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsmime3.so Reading symbols from /lib64/libnssutil3.so...Reading symbols from /lib64/libnssutil3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libnssutil3.so Reading symbols from /lib64/libz.so.1...Reading symbols from /lib64/libz.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libz.so.1 Reading symbols from /lib64/librt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/librt.so.1 Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/libcrypt.so.1 Reading symbols from /lib64/libselinux.so.1...Reading symbols from /lib64/libselinux.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libselinux.so.1 Reading symbols from /lib64/libfreebl3.so...Reading symbols from /lib64/libfreebl3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libfreebl3.so Reading symbols from /lib64/liblzma.so.5...Reading symbols from /lib64/liblzma.so.5...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/liblzma.so.5 Reading symbols from /lib64/libnss_files.so.2...(no debugging symbols found)...done. 
Loaded symbols for /lib64/libnss_files.so.2 Reading symbols from /usr/lib64/dirsrv/plugins/libsyntax-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libsyntax-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libsyntax-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libbitwise-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libbitwise-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libbitwise-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libcollation-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libcollation-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libcollation-plugin.so Reading symbols from /lib64/libicui18n.so.50...Reading symbols from /lib64/libicui18n.so.50...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libicui18n.so.50 Reading symbols from /lib64/libicuuc.so.50...Reading symbols from /lib64/libicuuc.so.50...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libicuuc.so.50 Reading symbols from /lib64/libicudata.so.50...Reading symbols from /lib64/libicudata.so.50...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libicudata.so.50 Reading symbols from /lib64/libstdc++.so.6...(no debugging symbols found)...done. Loaded symbols for /lib64/libstdc++.so.6 Reading symbols from /lib64/libm.so.6...(no debugging symbols found)...done. Loaded symbols for /lib64/libm.so.6 Reading symbols from /lib64/libgcc_s.so.1...(no debugging symbols found)...done. Loaded symbols for /lib64/libgcc_s.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libpbe-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpbe-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libpbe-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so Reading symbols from /usr/lib64/sasl2/libanonymous.so...Reading symbols from /usr/lib64/sasl2/libanonymous.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/sasl2/libanonymous.so Reading symbols from /usr/lib64/sasl2/libplain.so...Reading symbols from /usr/lib64/sasl2/libplain.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/sasl2/libplain.so Reading symbols from /usr/lib64/sasl2/libcrammd5.so...Reading symbols from /usr/lib64/sasl2/libcrammd5.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/sasl2/libcrammd5.so Reading symbols from /usr/lib64/sasl2/libdigestmd5.so...Reading symbols from /usr/lib64/sasl2/libdigestmd5.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/sasl2/libdigestmd5.so Reading symbols from /lib64/libcrypto.so.10...Reading symbols from /lib64/libcrypto.so.10...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libcrypto.so.10 Reading symbols from /usr/lib64/sasl2/libsasldb.so...Reading symbols from /usr/lib64/sasl2/libsasldb.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/sasl2/libsasldb.so Reading symbols from /lib64/libdb-5.3.so...Reading symbols from /lib64/libdb-5.3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. 
Loaded symbols for /lib64/libdb-5.3.so Reading symbols from /usr/lib64/sasl2/libgssapiv2.so...Reading symbols from /usr/lib64/sasl2/libgssapiv2.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/sasl2/libgssapiv2.so Reading symbols from /lib64/libgssapi_krb5.so.2...Reading symbols from /lib64/libgssapi_krb5.so.2...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libgssapi_krb5.so.2 Reading symbols from /usr/lib64/sasl2/liblogin.so...Reading symbols from /usr/lib64/sasl2/liblogin.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/sasl2/liblogin.so Reading symbols from /usr/lib64/dirsrv/plugins/libattr-unique-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libattr-unique-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libattr-unique-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libacctpolicy-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libacctpolicy-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libacctpolicy-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libacctusability-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libacctusability-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libacctusability-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libacl-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libacl-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libacl-plugin.so Reading symbols from /usr/lib64/dirsrv/libns-dshttpd.so.0...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/libns-dshttpd.so.0.0.0.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/libns-dshttpd.so.0 Reading symbols from /usr/lib64/dirsrv/plugins/libautomember-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libautomember-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libautomember-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libchainingdb-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libchainingdb-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libchainingdb-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libcos-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libcos-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libcos-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libcontentsync-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libcontentsync-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libderef-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libderef-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libderef-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libdna-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libdna-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libdna-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libhttp-client-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libhttp-client-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libhttp-client-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_dns.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_dns.so...(no debugging symbols found)...done. (no debugging symbols found)...done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_dns.so Reading symbols from /lib64/libkrad.so.0...Reading symbols from /lib64/libkrad.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libkrad.so.0 Reading symbols from /lib64/libverto.so.1...Reading symbols from /lib64/libverto.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libverto.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libipa_lockout.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_lockout.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_lockout.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_modrdn.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_modrdn.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_modrdn.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_counter.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_counter.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_otp_counter.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_otp_lasttoken.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_range_check.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_range_check.so...(no debugging symbols found)...done. (no debugging symbols found)...done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_range_check.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_sidgen.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_sidgen.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_sidgen.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_uuid.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_uuid.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_uuid.so Reading symbols from /lib64/libuuid.so.1...Reading symbols from /lib64/libuuid.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libuuid.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libipa_repl_version.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_repl_version.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_repl_version.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_winsync.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_winsync.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_winsync.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_enrollment_extop.so Reading symbols from /usr/lib64/dirsrv/plugins/libipa_extdom_extop.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_extdom_extop.so...(no debugging symbols found)...done. (no debugging symbols found)...done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_extdom_extop.so Reading symbols from /lib64/libsss_nss_idmap.so.0...Reading symbols from /lib64/libsss_nss_idmap.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsss_nss_idmap.so.0 Reading symbols from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so...Reading symbols from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so Reading symbols from /usr/lib64/dirsrv/plugins/libback-ldbm.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libback-ldbm.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libback-ldbm.so Reading symbols from /usr/lib64/dirsrv/plugins/libreplication-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libreplication-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libreplication-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/liblinkedattrs-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libmanagedentries-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libmemberof-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libmemberof-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libmemberof-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/libpam-passthru-plugin.so Reading symbols from /lib64/libpam.so.0...Reading symbols from /lib64/libpam.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libpam.so.0 Reading symbols from /lib64/libaudit.so.1...Reading symbols from /lib64/libaudit.so.1...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libaudit.so.1 Reading symbols from /usr/lib64/dirsrv/plugins/libpassthru-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libpassthru-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libpassthru-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libposix-winsync-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libreferint-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libreferint-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libreferint-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libretrocl-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libretrocl-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libretrocl-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libroles-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libroles-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libroles-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/librootdn-access-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/librootdn-access-plugin.so.debug...done. done. 
Loaded symbols for /usr/lib64/dirsrv/plugins/librootdn-access-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/schemacompat-plugin.so...Reading symbols from /usr/lib64/dirsrv/plugins/schemacompat-plugin.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /usr/lib64/dirsrv/plugins/schemacompat-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libschemareload-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libschemareload-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libschemareload-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libstatechange-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libstatechange-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libstatechange-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libusn-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libusn-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libusn-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libviews-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libviews-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libviews-plugin.so Reading symbols from /usr/lib64/dirsrv/plugins/libwhoami-plugin.so...Reading symbols from /usr/lib/debug/usr/lib64/dirsrv/plugins/libwhoami-plugin.so.debug...done. done. Loaded symbols for /usr/lib64/dirsrv/plugins/libwhoami-plugin.so Reading symbols from /lib64/libsoftokn3.so...Reading symbols from /lib64/libsoftokn3.so...(no debugging symbols found)...done. (no debugging symbols found)...done. Loaded symbols for /lib64/libsoftokn3.so Reading symbols from /lib64/libsqlite3.so.0...Reading symbols from /lib64/libsqlite3.so.0...(no debugging symbols found)...done. (no debugging symbols found)...done. 
Loaded symbols for /lib64/libsqlite3.so.0
Reading symbols from /lib64/libfreeblpriv3.so...Reading symbols from /lib64/libfreeblpriv3.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libfreeblpriv3.so
Reading symbols from /lib64/libnssdbm3.so...Reading symbols from /lib64/libnssdbm3.so...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libnssdbm3.so
Reading symbols from /lib64/libnss_sss.so.2...Reading symbols from /lib64/libnss_sss.so.2...(no debugging symbols found)...done.
(no debugging symbols found)...done.
Loaded symbols for /lib64/libnss_sss.so.2
0x00007f4e9361dcdc in calloc () from /lib64/libc.so.6

Thread 6 (Thread 0x7f4ceb2b8700 (LWP 39087)):
#0  0x00007f4e9368b413 in select () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f4e95e170e9 in DS_Sleep (ticks=ticks@entry=100) at ldap/servers/slapd/util.c:1035
        mSecs = 
        tm = {tv_sec = 0, tv_usec = 34108}
#2  0x00007f4e89057907 in deadlock_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4466
        rval = 
        priv = 0x7f4e97db1cd0
        li = 
        interval = 
#3  0x00007f4e93fc596b in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#4  0x00007f4e93966dc5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x00007f4e93693ced in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 5 (Thread 0x7f4ceaab7700 (LWP 39088)):
#0  0x00007f4e9368b413 in select () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f4e95e170e9 in DS_Sleep (ticks=ticks@entry=250) at ldap/servers/slapd/util.c:1035
        mSecs = 
        tm = {tv_sec = 0, tv_usec = 134463}
#2  0x00007f4e8905ba26 in checkpoint_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4675
        time_of_last_checkpoint_completion = 1476816038
        interval = 
        rval = 
        priv = 
        li = 
        debug_checkpointing = 0
        checkpoint_interval = 
        home_dir = 
        list = 0x0
        listp = 
        penv = 0x7f4e97f4f980
        time_of_last_comapctdb_completion = 1476815918
        compactdb_interval = 2592000
        txn = {back_txn_txn = 0x0}
#3  0x00007f4e93fc596b in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#4  0x00007f4e93966dc5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x00007f4e93693ced in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 4 (Thread 0x7f4cea2b6700 (LWP 39089)):
#0  0x00007f4e9368b413 in select () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f4e95e170e9 in DS_Sleep (ticks=ticks@entry=250) at ldap/servers/slapd/util.c:1035
        mSecs = 
        tm = {tv_sec = 0, tv_usec = 195021}
#2  0x00007f4e89057b7f in trickle_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:4892
        interval = 250
        rval = 
        priv = 0x7f4e97db1cd0
        li = 
        debug_checkpointing = 0
#3  0x00007f4e93fc596b in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#4  0x00007f4e93966dc5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x00007f4e93693ced in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 3 (Thread 0x7f4ce9ab5700 (LWP 39090)):
#0  0x00007f4e9368b413 in select () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f4e95e170e9 in DS_Sleep (ticks=) at ldap/servers/slapd/util.c:1035
        mSecs = 
        tm = {tv_sec = 0, tv_usec = 610220}
#2  0x00007f4e890aa784 in perfctrs_wait (milliseconds=milliseconds@entry=1000, priv=, db_env=) at ldap/servers/slapd/back-ldbm/perfctrs.c:100
        interval = 
#3  0x00007f4e89052707 in perf_threadmain (param=) at ldap/servers/slapd/back-ldbm/dblayer.c:3966
        priv = 0x7f4e97db1cd0
        li = 
#4  0x00007f4e93fc596b in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#5  0x00007f4e93966dc5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#6  0x00007f4e93693ced in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 2 (Thread 0x7f4ce90ab700 (LWP 39091)):
#0  0x00007f4e9396a6d5 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x00007f4e93fc01f0 in PR_WaitCondVar () from /lib64/libnspr4.so
No symbol table info available.
#2  0x00007f4e95e06198 in slapi_wait_condvar (cvar=0x7f4e984057b0, timeout=timeout@entry=0x0) at ldap/servers/slapd/slapi2nspr.c:150
        prit = 
#3  0x00007f4e8bd8a62e in cos_cache_wait_on_change (arg=) at ldap/servers/plugins/cos/cos_cache.c:407
No locals.
#4  0x00007f4e93fc596b in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#5  0x00007f4e93966dc5 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#6  0x00007f4e93693ced in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 1 (Thread 0x7f4e9627c840 (LWP 39086)):
#0  0x00007f4e9361dcdc in calloc () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f4e95d94741 in slapi_ch_calloc (nelem=nelem@entry=1, size=size@entry=40) at ldap/servers/slapd/ch_malloc.c:188
        newmem = 
#2  0x00007f4e95dd4562 in slapi_mods_init (smods=smods@entry=0x7ffff65986b0, initCount=initCount@entry=4) at ldap/servers/slapd/modutil.c:81
No locals.
#3  0x00007f4e88dacc2b in _cl5ReadMods (mods=mods@entry=0x7ffff65989b0, buff=buff@entry=0x7ffff65987d0) at ldap/servers/plugins/replication/cl5_api.c:2603
        pos = 0x7f4e9839d095 "\202krbLastSuccessfulAuth"
        i = 
        mod_count = 4
        smods = {mods = 0x0, num_elements = 5, num_mods = 0, iterator = 0, free_mods = 1}
        smod = {mod = 0x7f4e983d9e80, num_elements = -1923590184, num_values = 32590, iterator = -161904528, free_mod = 0}
#4  0x00007f4e88daeba5 in cl5DBData2Entry (data=, len=, entry=entry@entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342
        rc = 
        version = 
        pos = 0x7f4e9839d091 ""
        strCSN = 0x0
        op = 0x7ffff6598980
        add_mods = 0x7f4e983a5e80
        rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
        s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377"
#5  0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry@entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291
        rc = 0
        it = 0x7f4e983a5e80
        key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
        data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
#6  0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306
        iterator = 0x7f4e983a5e80
        file = 0x7f4e983e1fc0
        rid = 
        rc = 
        entry = {op = 0x7ffff6598980, time = 1454218823}
        op = {operation_type = 8, target_address = {udn = 0x0, uniqueid = 0x7f4e98395840 "79be6cad-34d111e5-b870d574-de3f6355", sdn = 0x7f4e983beed0}, csn = 0x7f4e98388400, request_controls = 0x0, p = {p_add = {target_entry = 0x0, parentuniqueid = 0x0}, p_bind = {bind_method = 0, bind_creds = 0x0, bind_saslmechanism = 0x0, bind_ret_saslcreds = 0x0}, p_compare = {compare_ava = {ava_type = 0x0, ava_value = {bv_len = 0, bv_val = 0x0}, ava_private = 0x0}}, p_modify = {modify_mods = 0x0}, p_modrdn = {modrdn_newrdn = 0x0, modrdn_deloldrdn = 0, modrdn_newsuperior_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, modrdn_mods = 0x0}, p_search = {search_scope = 0, search_deref = 0, search_sizelimit = 0, search_timelimit = 0, search_filter = 0x0, search_strfilter = 0x0, search_attrs = 0x0, search_attrsonly = 0, search_is_and = 0, search_gerattrs = 0x0}, p_abandon = {abandon_targetmsgid = 0}, p_extended = {exop_oid = 0x0, exop_value = 0x0}}}
#7  _cl5ReadRUV (replGen=replGen@entry=0x7f4e97f567e0 "55a95591000000040000", obj=obj@entry=0x7f4e983d7bc0, purge=purge@entry=1) at ldap/servers/plugins/replication/cl5_api.c:4153
        rc = 
        csnStr = "000000de", '0'
        key = {data = 0x7ffff65989f0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 0}
        data = {data = 0x0, size = 0, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
        vals = 0x0
        file = 
        pos = 
        agmt_name = 0x7f4e88e104d3 ""
#8  0x00007f4e88daff99 in _cl5DBOpenFileByReplicaName (replName=replName@entry=0x7f4e9837bcf0 "986efe12-71b811e5-9d33a516-e778e883", replGen=0x7f4e97f567e0 "55a95591000000040000", obj=obj@entry=0x0, checkDups=checkDups@entry=0) at ldap/servers/plugins/replication/cl5_api.c:6041
        rc = 
        tmpObj = 0x7f4e983d7bc0
        file = 0x7f4e983e1fc0
        file_name = 0x7f4e983a6610 ""
#9  0x00007f4e88db0f65 in _cl5DBOpenFile (obj=0x0, checkDups=0, replica=0x7f4e983d7e60) at ldap/servers/plugins/replication/cl5_api.c:5988
        rc = 
        replName = 0x7f4e9837bcf0 "986efe12-71b811e5-9d33a516-e778e883"
        replGen = 0x7f4e97f567e0 "55a95591000000040000"
        r = 0x7f4e983f76b0
#10 _cl5DBOpen () at ldap/servers/plugins/replication/cl5_api.c:2068
        dir = 0x7f4e983ddd20
        entry = 0x7f4e983ddd20
        rc = 
        replica = 0x7f4e983d7e60
        count = 1
#11 0x00007f4e88db13f6 in _cl5Open (dir=dir@entry=0x7f4e98404b70 "/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb", config=config@entry=0x7ffff6599ce8, openMode=openMode@entry=CL5_OPEN_NORMAL) at ldap/servers/plugins/replication/cl5_api.c:1911
        rc = 
#12 0x00007f4e88db1600 in cl5Open (dir=0x7f4e98404b70 "/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb", config=config@entry=0x7ffff6599ce8) at ldap/servers/plugins/replication/cl5_api.c:484
        rc = 
#13 0x00007f4e88db81f6 in changelog5_init () at ldap/servers/plugins/replication/cl5_init.c:51
        rc = 0
        config = {dir = 0x7f4e98404b70 "/var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb", maxAge = 0x7f4e97f593b0 "-1", maxEntries = 0, dbconfig = {pageSize = 0, fileMode = 0, maxConcurrentWrites = 2, encryptionAlgorithm = 0x0, symmetricKey = 0x0}, symmetricKey = 0x0, compactInterval = 2592000, trimInterval = 300}
#14 0x00007f4e88dce0dc in multimaster_start (pb=0x7f4e97f710d8) at ldap/servers/plugins/replication/repl5_init.c:761
        rc = 
        pb = 0x7f4e97f710d8
        rc = 
#15 0x00007f4e95de38b7 in plugin_call_func (list=0x7f4e97dc51e0, operation=operation@entry=212, pb=0x7f4e97f710d8, call_one=call_one@entry=1) at ldap/servers/slapd/plugin.c:1920
        n = 
        func = 0x7f4e88dcdf90
        rc = 
        return_value = 0
        count = 0
#16 0x00007f4e95de3fe8 in plugin_call_one (pb=, operation=212, list=) at ldap/servers/slapd/plugin.c:1870
No locals.
#17 plugin_dependency_startall (argc=argc@entry=7, argv=argv@entry=0x7ffff659aa98, errmsg=, operation=212) at ldap/servers/slapd/plugin.c:1679
        enabled = 
        satisfied = 1
        break_out = 0
        ret = 0
        pb = {pb_backend = 0x0, pb_conn = 0x0, pb_op = 0x0, pb_plugin = 0x0, pb_opreturn = 0, pb_object = 0x0, pb_destroy_fn = 0x0, pb_requestor_isroot = 0, pb_config_fname = 0x0, pb_config_lineno = 0, pb_config_argc = 0, pb_config_argv = 0x0, plugin_tracking = 0, pb_target_entry = 0x0, pb_existing_dn_entry = 0x0, pb_existing_uniqueid_entry = 0x0, pb_parent_entry = 0x0, pb_newparent_entry = 0x0, pb_pre_op_entry = 0x0, pb_post_op_entry = 0x0, pb_seq_type = 0, pb_seq_attrname = 0x0, pb_seq_val = 0x0, pb_dbverify_dbdir = 0x0, pb_ldif_file = 0x0, pb_removedupvals = 0, pb_db2index_attrs = 0x0, pb_ldif2db_noattrindexes = 0, pb_ldif_printkey = 0, pb_instance_name = 0x0, pb_task = 0x0, pb_task_flags = 0, pb_mr_filter_match_fn = 0x0, pb_mr_filter_index_fn = 0x0, pb_mr_filter_reset_fn = 0x0, pb_mr_index_fn = 0x0, pb_mr_oid = 0x0, pb_mr_type = 0x0, pb_mr_value = 0x0, pb_mr_values = 0x0, pb_mr_keys = 0x0, pb_mr_filter_reusable = 0, pb_mr_query_operator = 0, pb_mr_usage = 0, pb_pwd_storage_scheme_user_passwd = 0x0, pb_pwd_storage_scheme_db_passwd = 0x0, pb_managedsait = 0, pb_internal_op_result = 0, pb_plugin_internal_search_op_entries = 0x0, pb_plugin_internal_search_op_referrals = 0x0, pb_plugin_identity = 0x0, pb_plugin_config_area = 0x0, pb_parent_txn = 0x0, pb_txn = 0x0, pb_txn_ruv_mods_fn = 0x0, pb_dbsize = 0, pb_ldif_files = 0x0, pb_ldif_include = 0x0, pb_ldif_exclude = 0x0, pb_ldif_dump_replica = 0, pb_ldif_dump_uniqueid = 0, pb_ldif_generate_uniqueid = 0, pb_ldif_namespaceid = 0x0, pb_ldif_encrypt = 0, pb_operation_notes = 0, pb_slapd_argc = 7, pb_slapd_argv = 0x7ffff659aa98, pb_slapd_configdir = 0x0, pb_ctrls_arg = 0x0, pb_dse_dont_add_write = 0, pb_dse_add_merge = 0, pb_dse_dont_check_dups = 0, pb_dse_is_primary_file = 0, pb_schema_flags = 0, pb_result_code = 0, pb_result_text = 0x0,
From bretif at phosphore.eu Tue Oct 18 21:22:28 2016
From: bretif at phosphore.eu (Bertrand Rétif)
Date: Tue, 18 Oct 2016 23:22:28 +0200 (CEST)
Subject: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
In-Reply-To: <412207718.1295777.1476825250501.JavaMail.zimbra@phosphore.eu>
Message-ID: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu>

Hello,

I had an issue with pki-tomcat.
I had several certificates that were expired and pki-tomcat did not start anymore.
I set the date on the server before certificate expiration and then pki-tomcat starts properly.
Then I try to resubmit the certificate, but I get the error below:
"Profile caServerCert Not Found"

Do you have any idea how I could fix this issue?

Please find below the output of the commands:

# getcert resubmit -i 20160108170324

# getcert list -i 20160108170324
Number of certificates and requests being tracked: 7.
Request ID '20160108170324':
	status: MONITORING
	ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=A.SKINFRA.EU
	subject: CN=IPA RA,O=A.SKINFRA.EU
	expires: 2016-06-28 15:25:11 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes

Thanks in advance for your help.
Bertrand

From schogan at us.ibm.com Tue Oct 18 22:55:52 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 18 Oct 2016 15:55:52 -0700
Subject: [Freeipa-users] DNS question on named.ca
Message-ID:

Hi all,

I have a DNS question on how/why my IPA DNS servers are trying to hit the root DNS internet servers. My IPA servers are in private networks only serving DNS for the private domains they manage, but recently the network team indicated they see my IPA IPs trying to hit the outside world. After obtaining the logs I noticed they are trying to hit the internet root DNS servers.
I then tracked down named.ca on the IPAs, which correlates to the IPs the network team is showing. I then found named.conf references named.ca for hints.

This is where I imagine it is coming from in named.conf:

zone "." IN {
	type hint;
	file "named.ca";
};

Question is, how can I stop my IPA DNS servers from trying to hit the internet root DNS servers? I was thinking of commenting out named.ca in named.conf but imagine bad things happening. I guess I could also make a new file for named.ca and reference it in named.conf... then scp it to the other IPAs, but I have no idea as to the syntax (giving it a shot at the bottom of the email) or if it can be empty. Any help is appreciated.

IPA clients' resolv.conf are set for the search domain and the nameserver IPs of the IPA servers.

Versions:
ipa-server-3.0.0-50.el6.1.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64

Commands used for server install:
ipa-server-install --setup-dns

Attempt at correct syntax if I need a file with info in it... file named, say, fakenamed.ca.
If my IPA servers are named DNS1 10.10.10.1/2001:7fd::1 and DNS2 10.10.10.2/2001:503:c27::2:30, would this work, or is it not even needed?

; OPERATED BY ME
;
.        3600000   NS     DNS1.
DNS1.    3600000   A      10.10.10.1
DNS1.    3600000   AAAA   2001:7fd::1
;
; OPERATED BY ME
;
.        3600000   NS     DNS2.
DNS2.    3600000   A      10.10.10.2
DNS2.    3600000   AAAA   2001:503:c27::2:30

Sean Hogan

From mbabinsk at redhat.com Wed Oct 19 06:45:49 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 19 Oct 2016 08:45:49 +0200
Subject: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
In-Reply-To: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu>
References: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu>
Message-ID:

On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> Hello,
>
> I had an issue with pki-tomcat.
> I had several certificates that were expired and pki-tomcat did not start
> anymore.
>
> I set the date on the server before certificate expiration and then
> pki-tomcat starts properly.
> Then I try to resubmit the certificate, but I get the error below:
> "Profile caServerCert Not Found"
>
> Do you have any idea how I could fix this issue?
>
> Please find below the output of the commands:
>
>
> # getcert resubmit -i 20160108170324
>
> # getcert list -i 20160108170324
> Number of certificates and requests being tracked: 7.
> Request ID '20160108170324':
> status: MONITORING
> ca-error: Server at
> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> Profile caServerCert Not Found
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> subject: CN=IPA RA,O=A.SKINFRA.EU
> expires: 2016-06-28 15:25:11 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
>
>
> Thanks in advance for your help.
> Bertrand
>

Hi Bertrand,

what version of FreeIPA and Dogtag are you running?
Also perform the following search on the IPA master and post the result:

"""
ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
"""

--
Martin^3 Babinsky

From pspacek at redhat.com Wed Oct 19 07:30:40 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 19 Oct 2016 09:30:40 +0200
Subject: [Freeipa-users] DNS question on named.ca
In-Reply-To:
References:
Message-ID: <37b1bed4-761b-c726-9866-d69516a6fd0f@redhat.com>

On 19.10.2016 00:55, Sean Hogan wrote:
>
> Hi all,
>
> I have a DNS question on how/why my IPA DNS servers are trying to hit
> the root DNS internet servers. My IPA servers are in private networks only
> serving DNS for the private domains they manage but recently the network
> team indicated they see my IPA IPs trying to hit the outside world. After
> obtaining the logs I noticed they are trying to hit the internet root DNS
> servers. I then tracked down named.ca on the IPAs which correlates to the
> IPs the network team is showing. I then found named.conf references
> named.ca for hints.
>
> This is where I imagine it is coming from in named.conf
>
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
>
> Question is how can I stop my IPA DNS servers from trying to hit the
> internet root DNS servers?

The answer depends on your environment.

If you are on an isolated network and *have your own DNS root domain*, you have a couple of options:

a) specify only the IP addresses of your root servers in the named.ca file (recommended)
b) use global forwarding with policy "only" to forward to some other DNS server which is properly configured
c) add the root zone to IPA and configure *other* servers with root hints or forwarders (just create a zone named '.' and add appropriate delegations to sub-zones as usual)

If your requirement is to have IPA DNS servers which do not reply to anything else except the DNS zones they are authoritative for, set the allow-recursion policy to "none;".
In that case BIND will not run recursive resolution and thus will not try to contact the root servers. It needs to be set in /etc/named.conf; IPA does not support this setting. Beware, the IPA installer may rewrite named.conf when you run ipa-dns-install or similar. In that case just edit it again.

For all the gory details please see
https://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html

I hope it helps.

Petr^2 Spacek

> I was thinking commenting out named.ca in
> named.conf but imagine bad things happening.
> I guess I could also make a new file for named.ca and reference it in
> named.conf...then scp it to the other ipas but no idea as to the syntax
> (giving it a shot at bottom of email) or if it can be empty. Any help is
> appreciated.
>
>
> IPA clients resolv.conf are set for search domain and the nameserver IPs of
> the IPA servers.
>
> Versions:
> ipa-server-3.0.0-50.el6.1.x86_64
> bind-9.8.2-0.47.rc1.el6.x86_64
>
> Commands used for server install:
> ipa-server-install --setup-dns
>
>
>
> Attempt at correct syntax if I need a file with info in it..file named say
> fakenamed.ca
> If my IPA servers are named DNS1 10.10.10.1/2001:7fd::1 and DNS2
> 10.10.10.2/2001:503:c27::2:30 would this work or not even need?
>
> ; OPERATED BY ME
> ;
> .        3600000   NS     DNS1.
> DNS1.    3600000   A      10.10.10.1
> DNS1.    3600000   AAAA   2001:7fd::1
> ;
> ; OPERATED BY ME
> ;
> .        3600000   NS     DNS2.
> DNS2.    3600000   A      10.10.10.2
> DNS2.    3600000   AAAA   2001:503:c27::2:30
>
>
>
> Sean Hogan

From prashant at apigee.com Wed Oct 19 07:39:53 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 19 Oct 2016 13:09:53 +0530
Subject: [Freeipa-users] Lots of error messages in logs after upgrade
In-Reply-To:
References:
Message-ID:

Some more info.

This is happening on one of the hosts for which the replica-info file was generated but for some reason the replica installation failed. So I went ahead and deleted and created the replica file again, and this time the installation went through fine.
Should this cause logs like this? These messages are seen every 5 mins.

On 18 October 2016 at 22:38, Prashant Bapat wrote:
> Hi,
>
> I'm seeing lots of error messages like this in the DS logs.
>
> [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>
> We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have a total of 8
> IPA servers with replication. Below are the steps I followed.
>
> 1. Install a new Centos server.
> 2. Replicated against a Fedora server with CA.
> 3. Moved the DNA ranges.
> 4. From the Centos master created replicas.
>
> Is this related to the DS package version? We have 389-ds-base-1.3.4.0-33.el7_2.x86_64.
>
> Thanks.
> --Prashant

From lkrispen at redhat.com Wed Oct 19 08:13:26 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 19 Oct 2016 10:13:26 +0200
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu>
Message-ID: <58072B26.4090203@redhat.com>

On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> We had one of our replicas fail today with the following errors:
>
>
> [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000
> [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559)
> [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
> [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
> [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
> [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
> [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
> [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5)
> [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000
>
>
> ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
> hangs up here:
>
> [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
>
>
> Tried deleting the semaphore files and restarting but no luck. Attached
> is a stacktrace of the stuck ns-slapd process.
>
> Here's the versions we're running:
>
> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> 389-ds-base-1.3.4.0-33.el7_2.x86_64
>
> FWIW, we were experimenting with the new life-cycle management features,
> specifically "preserved" users, and deleted the user "janedoe" when this
> happened. From the errors above it looks like this host failed to
> replicate the change? Not sure if this is related or not.
>
> Is it possible to recover the database? Thanks in advance for any pointers.

From the stack trace the process is not hanging, it is trying to recover. After a crash/kill the changelog does not contain a RUV and it is reconstructed by reading all records in the changelog; if this is large it can take some time.

If you look at that part of the stack repeatedly,

#4  0x00007f4e88daeba5 in cl5DBData2Entry (data=<optimized out>, len=<optimized out>, entry=entry@entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342
        rc = <optimized out>
        version = <optimized out>
        pos = 0x7f4e9839d091 ""
        strCSN = 0x0
        op = 0x7ffff6598980
        add_mods = 0x7f4e983a5e80
        rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
        s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377"
#5  0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry@entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291
        rc = 0
        it = 0x7f4e983a5e80
        key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
        data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
#6  0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306

you should see some progress in which entry is handled.

>
> --Andrew
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From lkrispen at redhat.com Wed Oct 19 08:14:45 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 19 Oct 2016 10:14:45 +0200
Subject: [Freeipa-users] Lots of error messages in logs after upgrade
In-Reply-To:
References:
Message-ID: <58072B75.1070804@redhat.com>

On 10/19/2016 09:39 AM, Prashant Bapat wrote:
> Some more info.
>
> This is happening on one of the hosts for which replica-info file was
> generated but for some reason the replica installation failed. So I
> went ahead and deleted and created the replica file again and this
> time installation went thru fine. Should this cause logs like this ?

You now have two replica IDs with the same URL; you need to do a cleanruv, as discussed frequently on this list.

>
> These messages are seen every 5 mins.
>
> On 18 October 2016 at 22:38, Prashant Bapat wrote:
>
>     Hi,
>
>     I'm seeing lots of error messages like this in the DS logs.
>
>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>
>     We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have
>     total 8 IPA servers with replication. Below are the steps I followed.
>
>     1. Install a new Centos server.
>     2. Replicated against a Fedora server with CA.
>     3. Moved the DNA ranges.
>     4. From the Centos master created replicas.
>
>     Is this related to the DS package version ? We
>     have 389-ds-base-1.3.4.0-33.el7_2.x86_64.
>
>     Thanks.
>     --Prashant
>
>
>
>

From pspacek at redhat.com Wed Oct 19 08:44:44 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 19 Oct 2016 10:44:44 +0200
Subject: [Freeipa-users] Lots of error messages in logs after upgrade
In-Reply-To: <58072B75.1070804@redhat.com>
References: <58072B75.1070804@redhat.com>
Message-ID: <870010b6-0832-b2fa-27d5-d9122592635c@redhat.com>

On 19.10.2016 10:14, Ludwig Krispenz wrote:
>
> On 10/19/2016 09:39 AM, Prashant Bapat wrote:
>> Some more info.
>>
>> This is happening on one of the hosts for which replica-info file was
>> generated but for some reason the replica installation failed. So I went
>> ahead and deleted and created the replica file again and this time
>> installation went thru fine. Should this cause logs like this ?
> you now have two replicaids with the same url, you need to do a cleanruv as
> discussed frequently on this list

For reference, it is described here:
http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records

Petr^2 Spacek

>>
>> These messages are seen every 5 mins.
>>
>> On 18 October 2016 at 22:38, Prashant Bapat wrote:
>>
>>     Hi,
>>
>>     I'm seeing lots of error messages like this in the DS logs.
>>
>>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
>>
>>     We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have
>>     total 8 IPA servers with replication.
>>     Below are the steps I followed.
>>
>>     1. Install a new Centos server.
>>     2. Replicated against a Fedora server with CA.
>>     3. Moved the DNA ranges.
>>     4. From the Centos master created replicas.
>>
>>     Is this related to the DS package version ? We
>>     have 389-ds-base-1.3.4.0-33.el7_2.x86_64.
>>
>>     Thanks.
>>     --Prashant
>>
>>
>>
>>
>
>

--
Petr^2 Spacek

From prashant at apigee.com Wed Oct 19 09:11:23 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 19 Oct 2016 14:41:23 +0530
Subject: [Freeipa-users] Lots of error messages in logs after upgrade
In-Reply-To: <870010b6-0832-b2fa-27d5-d9122592635c@redhat.com>
References: <58072B75.1070804@redhat.com> <870010b6-0832-b2fa-27d5-d9122592635c@redhat.com>
Message-ID:

Thanks. This error did not include ipaca, which is what is discussed a lot on this list, so I was not sure. There was indeed a dangling reference to an old replica. Removed now. ipa-replica-manage clean-ruv did the trick.

On 19 October 2016 at 14:14, Petr Spacek wrote:
> On 19.10.2016 10:14, Ludwig Krispenz wrote:
> >
> > On 10/19/2016 09:39 AM, Prashant Bapat wrote:
> >> Some more info.
> >>
> >> This is happening on one of the hosts for which replica-info file was
> >> generated but for some reason the replica installation failed. So I went
> >> ahead and deleted and created the replica file again and this time
> >> installation went thru fine. Should this cause logs like this ?
> > you now have two replicaids with the same url, you need to do a cleanruv as
> > discussed frequently on this list
>
> For reference, it is described here:
> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records
>
> Petr^2 Spacek
>
> >>
> >> These messages are seen every 5 mins.
> >>
> >> On 18 October 2016 at 22:38, Prashant Bapat wrote:
> >>
> >>     Hi,
> >>
> >>     I'm seeing lots of error messages like this in the DS logs.
> >>
> >>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>     [18/Oct/2016:17:00:37 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>     [18/Oct/2016:17:00:46 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa-primary.example.net:389/dc%3Dexample%2Cdc%3Dnet) failed.
> >>
> >>     We moved from 4.1.4 (FC21) to 4.2.0 (Centos7.2) recently. We have
> >>     total 8 IPA servers with replication. Below are the steps I followed.
> >>
> >>     1. Install a new Centos server.
> >>     2. Replicated against a Fedora server with CA.
> >>     3. Moved the DNA ranges.
> >>     4. From the Centos master created replicas.
> >>
> >>     Is this related to the DS package version ? We
> >>     have 389-ds-base-1.3.4.0-33.el7_2.x86_64.
> >>
> >>     Thanks.
> >>     --Prashant
> >>
> >>
> >>
> >>
> >
> >
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jamesaharrisonuk at yahoo.co.uk Wed Oct 19 09:35:39 2016
From: jamesaharrisonuk at yahoo.co.uk (James Harrison)
Date: Wed, 19 Oct 2016 09:35:39 +0000 (UTC)
Subject: [Freeipa-users] Promote CA-less replica
References: <1456562096.6248871.1476869739681.ref@mail.yahoo.com>
Message-ID: <1456562096.6248871.1476869739681@mail.yahoo.com>

Hi,
We're using FreeIPA on Ubuntu Xenial. We lost the Master server.

I have some questions:
1. Does DNS replicate among other replicas if we change/add DNS records? If not, can this behaviour be changed?
2. How do we promote a replica to become a master? We have not configured our servers to become a CA. Our CA is Comodo and we have configured FreeIPA to use a certificate, key and interim certificates from Comodo, using the options:

--http_pkcs12=....
--http_pin=....
--dirsrv_pkcs12=...
--dirsrv_pin=....

Hope someone can help. Quite urgent.

Regards,
James Harrison

From david.dejaeghere at gmail.com Wed Oct 19 09:42:36 2016
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Wed, 19 Oct 2016 11:42:36 +0200
Subject: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch
Message-ID:

Hello,

When installing FreeIPA we used the CA from our Windows servers. This one recently expired and we created a new one. It seems that the new root CA has another subject name, and this seems to be an issue when we want to install new certs on our FreeIPA hosts.
ipa-cacert-manage install certnew.pem -n mycert -t C,,
Installing CA certificate, please wait
Failed to install the certificate: subject public key info mismatch

After validating, the subjects are indeed different. How can we replace the required certs for dirsrv and http when the CA is not installable?

Kind Regards,
David

From mbabinsk at redhat.com Wed Oct 19 10:01:08 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 19 Oct 2016 12:01:08 +0200
Subject: [Freeipa-users] Promote CA-less replica
In-Reply-To: <1456562096.6248871.1476869739681@mail.yahoo.com>
References: <1456562096.6248871.1476869739681.ref@mail.yahoo.com> <1456562096.6248871.1476869739681@mail.yahoo.com>
Message-ID: <92007abf-5463-d876-581e-f08d9af2d430@redhat.com>

On 10/19/2016 11:35 AM, James Harrison wrote:
Hi James,
> Hi,
> We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
>
> I have some questions:
> 1. Does DNS replicate among other replicas if we change/add DNS records?
> If not, can this behaviour be changed?
IPA-integrated DNS stores records in the replicated LDAP subtree so any added/removed DNS record will replicate to other IPA DNS servers.
> 2. How do we promote a replica to become a master? We have not
> configured our servers to become a CA. Our CA is Comodo and we have
> configured FreeIPA to use a certificate, key and interim certificates
> from Comodo, using the options:
>
> --http_pkcs12=....
> --http_pin=....
> --dirsrv_pkcs12=...
> --dirsrv_pin=....
>
> Hope someone can help. Quite urgent.
>
The terms FreeIPA master/replica are quite arbitrary as all replicas are equal peers and can be considered masters.
The only notion of 'master' is when you use a Dogtag CA (then one of the CA replicas is designated a renewal master and does renew certificates in the topology, and one is the CRL master generating certificate revocation lists) and/or DNSSEC (then one of the DNS replicas is designated a key master generating zone signing keys and the other DNS replicas pull these keys).

As you are using CA-less replicas there should be no loss in the fact that the one designated 'master' is down (unless it was e.g. the only DNS server). As long as the others have valid CA and server certs they should be working just fine. You can just install a new replica in place of the master by generating a replica file on another replica and supplying the required certificates through options.

> Regards,
> James Harrison
>
>

--
Martin^3 Babinsky

From jan.karasek at elostech.cz Wed Oct 19 10:08:01 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Wed, 19 Oct 2016 12:08:01 +0200 (CEST)
Subject: [Freeipa-users] Unable to resolve AD users from IPA
In-Reply-To:
References:
Message-ID: <2109087965.1005584.1476871681286.JavaMail.zimbra@elostech.cz>

Hi,
thank you for help.
This is my sssd.conf from the server:

[domain/vs.example.cz]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.cz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = tidmipa02.vs.example.cz
chpass_provider = ipa
ipa_server = tidmipa02.vs.example.cz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.cz

[nss]
debug_level = 7
memcache_timeout = 600
homedir_substring = /home

[pam]
debug_level = 7

[sudo]
debug_level = 7

[autofs]
debug_level = 7

[ssh]
debug_level = 7

[pac]
debug_level = 7

[ifp]
debug_level = 7

I can resolve all groups from client:

SERVER:
id tst99654 at cen.example.cz
uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)

CLIENT:
getent group 5001
csunix:x:5001:
getent group 930000008
final_test_group:*:930000008:
getent group final_test_group at vs.example.cz
final_test_group:*:930000008:
getent group csunix at cen.example.cz
No reply - can't resolve that group from client.

More detailed log from client:

==> sssd_vs.example.cz.log <==
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f9e77a81430
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=tst99654))]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_print_server] (0x2000): Searching 10.88.14.63 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 20 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 20 timeout 60 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a92e60], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 20 finished (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=tst99654))]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 21 timeout 6 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a75b80], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a75b80], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 21 finished (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [add_v1_user_data] (0x4000): BER tag is [48] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Found new sequence. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [objectSIDString]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [userPrincipalName]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [adUserAccountControl]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalDN]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalMemberOf]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalMemberOf]. ... (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry ... 
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 22 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 22 timeout 6 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a8cf50], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a8cf50], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 22 finished (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Success) (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[(nil)], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! This is nss log on server during id request from client: (Mon Oct 17 12:26:05 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [tst99654 at cen.example.cz]. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'tst99654 at cen.example.cz' matched expression for domain 'cen.example.cz', user is tst99654 (Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [tst99654] from [cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [tst99654 at cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:tst99654 at cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [cen.example.cz][4097][1][name=tst99654] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:tst99654 at cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. 
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:3:tst99654 at cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [cen.example.cz][4099][1][name=tst99654] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:3:tst99654 at cen.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success) (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [tst99654 at cen.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): Initgroups for [tst99654 at cen.example.cz] completed (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:3:tst99654 at cen.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [930000008]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [930000008 at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [930000008 at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [930000008] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [csunix at vs.example.cz]. 
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix at vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4097][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:1:csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [csunix at vs.example.cz]. 
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix at vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrnam_search] (0x0100): Requesting info for [csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:2:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4098][1][name=csunix]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:2:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:2:csunix at vs.example.cz]

Also I found out that in AD there are multiple objects with gidNumber=5001:

ldapsearch .... (&(gidNumber=5001)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0)))) > /tmp/csunix_dump
cat /tmp/csunix_dump

dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_0
...
gidNumber: 5001

dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_1
....
gidNumber: 5001

dn: CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_2
...
gidNumber: 5001

dn: CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_3
...
gidNumber: 5001

dn: CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_4
...
gidNumber: 5001

dn: CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_5
...
gidNumber: 5001

dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix
...
gidNumber: 5001

and in the logs on the server (both nss and sssd, grep by csunix) it looks like it has a problem with that 'multiple' object:

(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_primary_name] (0x0400): Processing object csunix_0 at cen.example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_group] (0x0400): Processing group csunix_0 at cen.example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_check_ad_group_type] (0x0400): Filtering AD group [csunix_0 at cen.example.cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_group] (0x0400): Storing info for group csunix_0 at cen.example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sysdb_store_group] (0x1000): Group csunix_0 at cen.example.cz does not exist. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_primary_name] (0x0400): Processing object csunix_0 at example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_grpmem] (0x0400): Processing group csunix_0 at example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_grpmem] (0x0040): Failed to save members of group csunix_0 at example.cz (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [csunix at vs.example.cz]. 
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix at vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4097][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=csunix)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=vs,dc=example,dc=cz]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:1:csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [csunix at vs.example.cz]. 
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix at vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrnam_search] (0x0100): Requesting info for [csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:2:csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4098][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:2:csunix at vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=csunix)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=vs,dc=example,dc=cz]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:2:csunix at vs.example.cz] I dont know why there is that 'multiobject' in AD, will have to ask Windows team. Can this be the reason, why clients are not able to resolve users ? OR Can be the reason that it asking for csunix at vs.example.cz ? Sorry for the long post. 
Thank you,
Jan

From: "freeipa-users-request"
To: freeipa-users at redhat.com
Sent: Monday, October 17, 2016 3:56:08 PM
Subject: Freeipa-users Digest, Vol 99, Issue 46

Today's Topics:

1. Re: Unable to resolve AD users from IPA client (Sumit Bose)
2. Re: Unable to resolve AD users from IPA client (Jakub Hrozek)
3. Re: Best and Secure Way for a System Account (Günther J. Niederwimmer)
4. Re: Best and Secure Way for a System Account (Martin Babinsky)
5. Re: FreeIPA as domain controller? (Brian Candler)

----------------------------------------------------------------------

Message: 1
Date: Mon, 17 Oct 2016 13:49:23 +0200
From: Sumit Bose
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA client
Message-ID: <20161017114923.GA9339 at p.Speedport_W_724V_Typ_A_05011603_00_009>
Content-Type: text/plain; charset=iso-8859-1

On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in an IPA - AD trust scenario? We have two IPA servers and a couple of clients running on RHEL 6 and 7. IPA is running on RHEL 7.2.
> AD servers are in domains example.cz, cen.example.cz. Test users sit in cen.example.cz. IPA is a subdomain of AD - vs.example.cz.
> Trust is set as one-way trust. Users' POSIX attributes are stored in AD.
>
> ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
> Range name: CEN.EXAMPLE.CZ
> First Posix ID of the range: 98800000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: EXAMPLE.CZ_id_range
> First Posix ID of the range: 68800000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: VS.EXAMPLE.CZ_id_range
> First Posix ID of the range: 930000000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> I have no problem resolving AD users from both IPA servers:
>
> IPA Server:
> root#:id tst99654 at cen.example.cz
> uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct

Can you send your sssd.conf from the server? I wonder why the AD groups are returned with a short name 'csunix' while the user is returned with the full name (tst99654 at cen.example.cz).
bye, Sumit > > but from IPA client: > root#:id tst99654 at cen.example.cz > id: tst99654 at cen.example.cz: no such user > > ==> sssd_vs.example.cz.log <== > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654] > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) > > All IPA clients have the same result - No such user. 
On the other hand kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as IPA servers. > > > On IPA server, I can see that it is able to find test user in AD. Log is captured during IPA client request for id: > > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz]. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [objectGUID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz]. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user > ... > > > I can provide full log from IPA server, but its quite long. Could you point me what else I could try ? > > Thank you . 
>
> Jan
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

------------------------------

Message: 2
Date: Mon, 17 Oct 2016 13:51:41 +0200
From: Jakub Hrozek
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA client
Message-ID: <20161017115141.ug26fx7rhhaijrgj at hendrix>
Content-Type: text/plain; charset=iso-8859-1

On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in IPA - AD trust scenario? We have two IPA servers and a couple of clients running on RHEL 6 and 7. IPA is running on RHEL 7.2.
> AD servers are in domains example.cz, cen.example.cz. Test users sit in cen.example.cz. IPA is subdomain of AD - vs.example.cz.
> Trust is set as one-way trust. User's POSIX attributes are stored in AD.
>
> ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
> Range name: CEN.EXAMPLE.CZ
> First Posix ID of the range: 98800000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: EXAMPLE.CZ_id_range
> First Posix ID of the range: 68800000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: VS.EXAMPLE.CZ_id_range
> First Posix ID of the range: 930000000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> I have no problem to resolve AD users from both IPA servers:
>
> IPA Server:
> root#:id tst99654 at cen.example.cz
> uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct
>
> but from IPA client:
> root#:id tst99654 at cen.example.cz
> id: tst99654 at cen.example.cz: no such user
>
> ==> sssd_vs.example.cz.log <==
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
> All IPA clients have the same result - No such user. On the other hand kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as IPA servers.
>
>
> On IPA server, I can see that it is able to find test user in AD. Log is captured during IPA client request for id:
>
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user
> ...
>
>
> I can provide full log from IPA server, but it's quite long. Could you point me what else I could try?

The most typical cause is that the IPA client cannot resolve all the POSIX information from the server.
Check if all the groups are resolvable by ID:
getent group 5001
getent group 930000008

Alternatively, tail /var/log/sssd/sssd_nss.log on the IPA *server* and watch if all requests that come from the DS UID (typically the dirsrv user, see getent passwd dirsrv) are resolvable on the server.

From sbose at redhat.com Wed Oct 19 10:28:31 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 19 Oct 2016 12:28:31 +0200
Subject: [Freeipa-users] Unable to resolve AD users from IPA
In-Reply-To: <2109087965.1005584.1476871681286.JavaMail.zimbra@elostech.cz>
References: <2109087965.1005584.1476871681286.JavaMail.zimbra@elostech.cz>
Message-ID: <20161019102831.GC9339@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote:
> Hi,
>
> thank you for help.
>
> This is my sssd.conf from server:
>
> [domain/vs.example.cz]
> debug_level = 7
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = vs.example.cz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = tidmipa02.vs.example.cz
> chpass_provider = ipa
> ipa_server = tidmipa02.vs.example.cz
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = vs.example.cz
> [nss]
> debug_level = 7
> memcache_timeout = 600
> homedir_substring = /home
>
> [pam]
> debug_level = 7
> [sudo]
> debug_level = 7
> [autofs]
> debug_level = 7
> [ssh]
> debug_level = 7
> [pac]
> debug_level = 7
> [ifp]
> debug_level = 7
>
>
> I can resolve all groups from client:
>
> SERVER: id tst99654 at cen.example.cz
> uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)
>
> CLIENT:
> getent group 5001
> csunix:x:5001:
>
> getent group 930000008
> final_test_group:*:930000008:
>
> getent group final_test_group at vs.example.cz
> final_test_group:*:930000008:
>
> getent group csunix at cen.example.cz
> No reply - can't resolve that group from client.
>
> ...
>
> Also I found out that in AD there are multiple objects with gidNumber=5001

This might be the issue; each gidNumber (and each uidNumber as well) should be unique in the whole environment. Please check with the AD administrators why it was done this way and if it can be changed.

HTH

bye,
Sumit

>
> ldapsearch .... (&(gidNumber=5001)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0)))) > /tmp/csunix_dump
> cat /tmp/csunix_dump
> dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> cn: csunix_0
> ...
> gidNumber: 5001
>
> dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> cn: csunix_1
> ....
> gidNumber: 5001
>
> dn: CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> cn: csunix_2
> ...
> gidNumber: 5001
>
> dn: CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> cn: csunix_3
> ...
> gidNumber: 5001
>
> dn: CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> cn: csunix_4
> ...
> gidNumber: 5001
>
> dn: CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> cn: csunix_5
> ...
> gidNumber: 5001
>
> dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> cn: csunix
> ...
> gidNumber: 5001
>

From jamesaharrisonuk at yahoo.co.uk Wed Oct 19 11:29:40 2016
From: jamesaharrisonuk at yahoo.co.uk (James Harrison)
Date: Wed, 19 Oct 2016 11:29:40 +0000 (UTC)
Subject: [Freeipa-users] Promote CA-less replica
In-Reply-To: <92007abf-5463-d876-581e-f08d9af2d430@redhat.com>
References: <1456562096.6248871.1476869739681.ref@mail.yahoo.com> <1456562096.6248871.1476869739681@mail.yahoo.com> <92007abf-5463-d876-581e-f08d9af2d430@redhat.com>
Message-ID: <559060450.2565340.1476876580834@mail.yahoo.com>

Hi,
Martin thanks for your quick response. Based on your comments, I have further questions.

>> equal peers and can be considered masters

1. Is there any urgency for us to recreate a "master" server to perform any "master" type functions? How do we re-attach "replicas" to this new "master"?

>> As long as the others have valid CA and server certs

2. This is the install script we are using on the "replicas"

ipa-replica-install \
    --setup-dns --ssh-trust-dns --no-dnssec-validation \
    -p xxxxxxxxx \
    --admin-password=xxxxxxx \
    --ip-address=replica_ip \
    --no-forwarders \
    -U --mkhomedir --log-file=freeipa_log_file $1

3. The $1 is the cert generated from the "master". If there's no distinction between a "master" and a "replica" in a CA-less environment, can a "replica" run the ipa-replica-prepare script once ipa-replica-install has been successfully run?

Thank you for any help.
Best regards,
James Harrison

From: Martin Babinsky
To: freeipa-users at redhat.com
Sent: Wednesday, 19 October 2016, 11:01
Subject: Re: [Freeipa-users] Promote CA-less replica

On 10/19/2016 11:35 AM, James Harrison wrote:

Hi James,

> Hi,
> We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
>
> I have some questions:
> 1. Does DNS replicate among other replicas if we change/add DNS records?
> If not can this behaviour be changed?
IPA-integrated DNS stores records in the replicated LDAP subtree so any added/removed DNS record will replicate to other IPA DNS servers.

> 2. How do we promote a replica to become a master? We have not
> configured our servers to become a CA. Our CA is Comodo and we have
> configured FreeIPA to use a certificate, key and interim certificates
> from Comodo, using the options:
>
> --http_pkcs12=....
> --http_pin=....
> --dirsrv_pkcs12=...
> --dirsrv_pin=....
>
> Hope someone can help. Quite urgent.
>

The terms FreeIPA master/replica are quite arbitrary as all replicas are equal peers and can be considered masters. The only notion of 'master' is when you use a Dogtag CA (then one of the CA replicas is designated a renewal master and does renew certificates in the topology and one is CRL master generating certificate revocation lists) and/or DNSSec (then one of the DNS replicas is designated a key master generating zone signing keys and other DNS replicas pull these keys).

As you are using CA-less replicas then there should be no loss in the fact that the one designated 'master' is down (unless it was e.g. the only DNS server). As long as the others have valid CA and server certs they should be working just fine.

You can just install a new replica in place of the master by generating a replica file on another replica and supplying the required certificates through options.

> Regards,
> James Harrison
>
>

--
Martin^3 Babinsky

From bretif at phosphore.eu Wed Oct 19 12:09:54 2016
From: bretif at phosphore.eu (Bertrand Rétif)
Date: Wed, 19 Oct 2016 14:09:54 +0200 (CEST)
Subject: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
In-Reply-To:
References: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu>
Message-ID: <1101487784.1356614.1476878994121.JavaMail.zimbra@phosphore.eu>

> From: "Martin Babinsky"
> To: freeipa-users at redhat.com
> Sent: Wednesday 19 October 2016 08:45:49
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > Hello,
> >
> > I had an issue with pki-tomcat.
> > I had several certificates that were expired and pki-tomcat did not start
> > anymore.
> >
> > I set the date on the server before certificate expiration and then
> > pki-tomcat starts properly.
> > Then I try to resubmit the certificate, but I get below error:
> > "Profile caServerCert Not Found"
> >
> > Do you have any idea how I could fix this issue.
> >
> > Please find below output of commands:
> >
> >
> > # getcert resubmit -i 20160108170324
> >
> > # getcert list -i 20160108170324
> > Number of certificates and requests being tracked: 7.
> > Request ID '20160108170324':
> > status: MONITORING
> > ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
> > stuck: no
> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > subject: CN=IPA RA,O=A.SKINFRA.EU
> > expires: 2016-06-28 15:25:11 UTC
> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> >
> >
> > Thanks in advance for your help.
> > Bertrand
> >
> >
> >
> >

> Hi Bertrand,

> what version of FreeIPA and Dogtag are you running?

> Also perform the following search on the IPA master and post the result:

> """
> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> """

Hi Martin,

Thanks for your reply.

Here is version:
- FreeIPA 4.2.0
- Centos 7.2

I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
I replaced below entry
"subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
by
"subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"

and then launched the "ipa-server-upgrade" command.
I found this solution in this post: http://osdir.com/ml/freeipa-users/2016-03/msg00280.html

Then I was able to renew my certificate.

However I rebooted my server too and pki-tomcat does not start and gives a new error in /var/log/pki/pki-tomcat/ca/debug

[19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

java.lang.Exception: SystemCertsVerification: system certs verification failure
    at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
    at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
    at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
    at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
    at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
    at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
[19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()

I am currently stuck here.
Thanks a lot for your help.

Bertrand

From rcritten at redhat.com Wed Oct 19 13:28:39 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Oct 2016 09:28:39 -0400
Subject: [Freeipa-users] Promote CA-less replica
In-Reply-To: <559060450.2565340.1476876580834@mail.yahoo.com>
References: <1456562096.6248871.1476869739681.ref@mail.yahoo.com> <1456562096.6248871.1476869739681@mail.yahoo.com> <92007abf-5463-d876-581e-f08d9af2d430@redhat.com> <559060450.2565340.1476876580834@mail.yahoo.com>
Message-ID: <58077507.6020901@redhat.com>

James Harrison wrote:
> Hi,
> Martin thanks for your quick response. Based on your comments, I have
> further questions.
>
> >> equal peers and can be considered masters
>
> 1. Is there any urgency for us to recreate a "master" server to perform
> any "master" type functions? How do we re-attach "replicas" to this new
> "master"?

Like he said, all IPA servers are equal (some are just more equal than others). If you truly have a CA-less system the only thing that distinguishes one master from another is the presence of the DNS service. From below it looks like you install DNS on all which makes them all masters.
You can manage the replication topology using ipa-replica-manage.

>
> >> As long as the others have valid CA and server certs
> 2. This is the install script we are using on the "replicas"
>
> ipa-replica-install \
>     --setup-dns --ssh-trust-dns --no-dnssec-validation \
>     -p xxxxxxxxx \
>     --admin-password=xxxxxxx \
>     --ip-address=replica_ip \
>     --no-forwarders \
>     -U --mkhomedir --log-file=freeipa_log_file $1
>
> 3. The $1 is the cert generated from the "master". If there's no
> distinction between a "master" and a "replica" in a CA-less environment,
> can a "replica" run the ipa-replica-prepare script once
> ipa-replica-install has been successfully run?

I think you mean $1 is the replica file generated from some master. Seeing how you generate that would tell us whether you are truly in a CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to ipa-replica-prepare).

To answer your question, yes. In a CA-less environment any master can generate a prepare file.

You can add/remove connections using ipa-replica-manage. The initial connection is between the master that generated the prepare file and the host it was installed on.

rob

>
> Thank you for any help.
> Best regards,
> James Harrison
>
> ------------------------------------------------------------------------
> *From:* Martin Babinsky
> *To:* freeipa-users at redhat.com
> *Sent:* Wednesday, 19 October 2016, 11:01
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> On 10/19/2016 11:35 AM, James Harrison wrote:
>
> Hi James,
>
> > Hi,
> > We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
> >
> > I have some questions:
> > 1. Does DNS replicate among other replicas if we change/add DNS records?
> > If not can this behaviour be changed?
> IPA-integrated DNS stores records in the replicated LDAP subtree so any
> added/removed DNS record will replicate to other IPA DNS servers.
>
> > 2. How do we promote a replica to become a master? We have not
> > configured our servers to become a CA. Our CA is Comodo and we have
> > configured FreeIPA to use a certificate, key and interim certificates
> > from Comodo, using the options:
> >
> > --http_pkcs12=....
> > --http_pin=....
> > --dirsrv_pkcs12=...
> > --dirsrv_pin=....
> >
> > Hope someone can help. Quite urgent.
> >
> The terms FreeIPA master/replica are quite arbitrary as all replicas are
> equal peers and can be considered masters. The only notion of 'master'
> is when you use a Dogtag CA (then one of the CA replicas is designated a
> renewal master and does renew certificates in the topology and one is
> CRL master generating certificate revocation lists) and/or DNSSec (then
> one of the DNS replicas is designated a key master generating zone signing
> keys and other DNS replicas pull these keys).
>
> As you are using CA-less replicas then there should be no loss in the
> fact that the one designated 'master' is down (unless it was e.g. the
> only DNS server). As long as the others have valid CA and server certs
> they should be working just fine.
>
> You can just install a new replica in place of the master by generating
> a replica file on another replica and supplying the required certificates
> through options.
>
> > Regards,
> > James Harrison
> >
> >
>
> --
> Martin^3 Babinsky
>
>

From rcritten at redhat.com Wed Oct 19 13:30:14 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 19 Oct 2016 09:30:14 -0400
Subject: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
In-Reply-To: <1101487784.1356614.1476878994121.JavaMail.zimbra@phosphore.eu>
References: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu> <1101487784.1356614.1476878994121.JavaMail.zimbra@phosphore.eu>
Message-ID: <58077566.8010401@redhat.com>

Bertrand Rétif wrote:
>> From: "Martin Babinsky"
>> To: freeipa-users at redhat.com
>> Sent: Wednesday 19 October 2016 08:45:49
>> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
>> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
>>> Hello,
>>>
>>> I had an issue with pki-tomcat.
>>> I had several certificates that were expired and pki-tomcat did not start
>>> anymore.
>>>
>>> I set the date on the server before certificate expiration and then
>>> pki-tomcat starts properly.
>>> Then I try to resubmit the certificate, but I get below error:
>>> "Profile caServerCert Not Found"
>>>
>>> Do you have any idea how I could fix this issue.
>>>
>>> Please find below output of commands:
>>>
>>>
>>> # getcert resubmit -i 20160108170324
>>>
>>> # getcert list -i 20160108170324
>>> Number of certificates and requests being tracked: 7.
>>> Request ID '20160108170324':
>>> status: MONITORING
>>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
>>> subject: CN=IPA RA,O=A.SKINFRA.EU
>>> expires: 2016-06-28 15:25:11 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>>
>>> Thanks in advance for your help.
>>> Bertrand
>>>
>>>
>>>
>>>
>
>> Hi Bertrand,
>
>> what version of FreeIPA and Dogtag are you running?
>
>> Also perform the following search on the IPA master and post the result:
>
>> """
>> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
>> """
>
> Hi Martin,
>
> Thanks for your reply.
>
> Here is version:
> - FreeIPA 4.2.0
> - Centos 7.2
>
> I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> I replaced below entry
> "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> by
> "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
>
> and then launched the "ipa-server-upgrade" command.
> I found this solution in this post: http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
>
> Then I was able to renew my certificate.
> > However I reboot my server to and pki-tomcat do not start and provide with a new erreor in /var/log/pki/pki-tomcat/ca/debug > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ > System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification > > java.lang.Exception: SystemCertsVerification: system certs verification failure > at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198) > at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861) > at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797) > at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > at javax.servlet.GenericServlet.init(GenericServlet.java:158) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > at java.security.AccessController.doPrivileged(Native Method) > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:745) > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details) > 
> [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
>
> I am currently stuck here.
> Thanks a lot for your help.

I'm guessing at least one of the CA subsystem certificates is still expired. Look at the "getcert list" output to see if there are any expired certificates.

rob

> Bertrand

From jan.karasek at elostech.cz Wed Oct 19 13:32:11 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Wed, 19 Oct 2016 15:32:11 +0200 (CEST)
Subject: [Freeipa-users] Unable to resolve AD users from IPA
In-Reply-To:
References:
Message-ID: <356157303.1013839.1476883931913.JavaMail.zimbra@elostech.cz>

Ok, thank you. Wonder why it's a problem only on clients - IPA servers are quite ok with that.

Jan

----------------------------------------------------------------------

Message: 1
Date: Wed, 19 Oct 2016 12:28:31 +0200
From: Sumit Bose
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA
Message-ID: <20161019102831.GC9339 at p.Speedport_W_724V_Typ_A_05011603_00_009>
Content-Type: text/plain; charset=iso-8859-1

On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote:
> Hi,
>
> thank you for help.
>
> This is my sssd.conf from server:
>
> [domain/vs.example.cz]
> debug_level = 7
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = vs.example.cz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = tidmipa02.vs.example.cz
> chpass_provider = ipa
> ipa_server = tidmipa02.vs.example.cz
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = vs.example.cz
> [nss]
> debug_level = 7
> memcache_timeout = 600
> homedir_substring = /home
>
> [pam]
> debug_level = 7
> [sudo]
> debug_level = 7
> [autofs]
> debug_level = 7
> [ssh]
> debug_level = 7
> [pac]
> debug_level = 7
> [ifp]
> debug_level = 7
>
>
> I can resolve all groups from client:
>
> SERVER: id tst99654@cen.example.cz
> uid=20019(tst99654@cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)
>
> CLIENT:
> getent group 5001
> csunix:x:5001:
>
> getent group 930000008
> final_test_group:*:930000008:
>
> getent group final_test_group@vs.example.cz
> final_test_group:*:930000008:
>
> getent group csunix@cen.example.cz
> No reply - can't resolve that group from client.
>
> ...
>
> Also I found out that in AD there are multiple objects with gidNumber=5001

This might be the issue: each gidNumber (and each uidNumber as well) should be unique in the whole environment. Please check with the AD administrators why it was done this way and if it can be changed.

HTH

bye,
Sumit

From aebruno2 at buffalo.edu Wed Oct 19 13:48:54 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 19 Oct 2016 09:48:54 -0400
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <58072B26.4090203@redhat.com>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com>
Message-ID: <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu>

On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
>
> On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> > We had one of our replicas fail today with the following errors:
> >
> >
> > [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000
> > [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
> > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559)
> > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
> > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
> > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
> > [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
> > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
> > [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5)
> > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
> > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000
> >
> >
> > ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
> > hangs up here:
> >
> > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> > [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> > [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> >
> >
> > Tried deleting the semaphore files and restarting but no luck. Attached
> > is a stacktrace of the stuck ns-slapd process.
> >
> > Here are the versions we're running:
> >
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > 389-ds-base-1.3.4.0-33.el7_2.x86_64
> >
> > FWIW, we were experimenting with the new life-cycle management features,
> > specifically "preserved" users and deleted the user "janedoe" when this
> > happened. From the errors above it looks like this host failed to
> > replicate the change? Not sure if this is related or not.
> >
> > Is it possible to recover the database? Thanks in advance for any pointers.
> from the stack trace the process is not hanging, it is trying to recover.
> After a crash/kill the changelog does not contain a RUV and it is
> reconstructed by reading all records in the changelog; if this is large it
> can take some time.
> If you look at that part of the stack repeatedly,
>
> #4  0x00007f4e88daeba5 in cl5DBData2Entry (data=, len=, entry=entry@entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342
>         rc =
>         version =
>         pos = 0x7f4e9839d091 ""
>         strCSN = 0x0
>         op = 0x7ffff6598980
>         add_mods = 0x7f4e983a5e80
>         rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
>         s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377"
> #5  0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry@entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291
>         rc = 0
>         it = 0x7f4e983a5e80
>         key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
>         data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
> #6  0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306
>
>
> you should see some progress in which entry is handled
>

Ludwig, thanks very much for the help. As you pointed out, I just needed to let it finish.
ns-slapd eventually came back up once it finished reading the changelog. Still seeing some errors related to the NSMMReplicationPlugin failing to apply updates, and from the managed-entries-plugin. Can these safely be ignored or are they indicative of a more serious problem?

[19/Oct/2016:09:28:46 -0400] - Operation error fetching Null DN (e73b48a4-95ff11e6-8bc7a516-e778e883), error -30993.
[19/Oct/2016:09:28:46 -0400] - dn2entry_ext: Failed to get id for changenumber=30856335,cn=changelog from entryrdn index (-30993)
[19/Oct/2016:09:28:46 -0400] - Operation error fetching changenumber=30856335,cn=changelog (null), error -30993.
[19/Oct/2016:09:28:46 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856335, dn = changenumber=30856335,cn=changelog: Operations error.
[19/Oct/2016:09:28:46 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[19/Oct/2016:09:28:46 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=9 op=28)
[19/Oct/2016:09:28:54 -0400] - Operation error fetching Null DN (e73b48a7-95ff11e6-8bc7a516-e778e883), error -30993.
[19/Oct/2016:09:28:59 -0400] - dn2entry_ext: Failed to get id for changenumber=30856337,cn=changelog from entryrdn index (-30993)
[19/Oct/2016:09:29:17 -0400] - Operation error fetching changenumber=30856337,cn=changelog (null), error -30993.
[19/Oct/2016:09:29:17 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856337, dn = changenumber=30856337,cn=changelog: Operations error.
[19/Oct/2016:09:29:17 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[19/Oct/2016:09:29:17 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=15 op=5)
[19/Oct/2016:09:29:20 -0400] - Retry count exceeded in delete
[19/Oct/2016:09:29:20 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712389 (rc: 51)
[19/Oct/2016:09:29:28 -0400] - Operation error fetching Null DN (0afe8e82-960011e6-8bc7a516-e778e883), error -30993.
[19/Oct/2016:09:29:28 -0400] - dn2entry_ext: Failed to get id for changenumber=30856351,cn=changelog from entryrdn index (-30993)
[19/Oct/2016:09:29:28 -0400] - Operation error fetching changenumber=30856351,cn=changelog (null), error -30993.
[19/Oct/2016:09:29:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856351, dn = changenumber=30856351,cn=changelog: Operations error.
[19/Oct/2016:09:29:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[19/Oct/2016:09:29:28 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=25 op=5)
[19/Oct/2016:09:29:31 -0400] - Retry count exceeded in delete
[19/Oct/2016:09:29:31 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712865 (rc: 51)
[19/Oct/2016:09:29:39 -0400] - Operation error fetching Null DN (0afe8e90-960011e6-8bc7a516-e778e883), error -30993.
[19/Oct/2016:09:29:39 -0400] - dn2entry_ext: Failed to get id for changenumber=30856364,cn=changelog from entryrdn index (-30993)
[19/Oct/2016:09:29:39 -0400] - Operation error fetching changenumber=30856364,cn=changelog (null), error -30993.
[19/Oct/2016:09:29:39 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856364, dn = changenumber=30856364,cn=changelog: Operations error.
[19/Oct/2016:09:29:39 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[19/Oct/2016:09:29:39 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=35 op=5)
[19/Oct/2016:09:29:42 -0400] - Retry count exceeded in delete
[19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30713364 (rc: 51)
[19/Oct/2016:09:29:42 -0400] - Operation error fetching Null DN (0afe8ea0-960011e6-8bc7a516-e778e883), error -30993.
[19/Oct/2016:09:29:42 -0400] - dn2entry_ext: Failed to get id for changenumber=30856379,cn=changelog from entryrdn index (-30993)
[19/Oct/2016:09:29:42 -0400] - Operation error fetching changenumber=30856379,cn=changelog (null), error -30993.
[19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856379, dn = changenumber=30856379,cn=changelog: Operations error.
[19/Oct/2016:09:29:42 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
[19/Oct/2016:09:29:42 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=36 op=5)
[19/Oct/2016:09:29:50 -0400] - Operation error fetching Null DN (0afe8ea2-960011e6-8bc7a516-e778e883), error -30993.
[19/Oct/2016:09:29:50 -0400] - dn2entry_ext: Failed to get id for changenumber=30856380,cn=changelog from entryrdn index (-30993)
[19/Oct/2016:09:29:50 -0400] - Operation error fetching changenumber=30856380,cn=changelog (null), error -30993.
[19/Oct/2016:09:29:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856380, dn = changenumber=30856380,cn=changelog: Operations error.
[19/Oct/2016:09:29:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
...
[19/Oct/2016:09:30:06 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu".
[19/Oct/2016:09:30:06 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu".

From lkrispen at redhat.com Wed Oct 19 15:02:28 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 19 Oct 2016 17:02:28 +0200
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com> <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu>
Message-ID: <58078B04.2030408@redhat.com>

On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
>> On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
>>> We had one of our replicas fail today with the following errors:
>>> [...]
> Ludwig, thanks very much for the help. As you pointed out just needed to let it
> finish. ns-slapd eventually came back up once it finished reading the
> changelog. Still seeing some errors related to the NSMMReplicationPlugin failed
> to apply update and from the managed-entries-plugin. Can these safely be
> ignored or are they indicative of a more serious problem?
>
> [...]
> [19/Oct/2016:09:29:42 -0400] - Retry count exceeded in delete
> [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30713364 (rc: 51)
> [19/Oct/2016:09:29:42 -0400] - Operation error fetching Null DN (0afe8ea0-960011e6-8bc7a516-e778e883), error -30993.
> [19/Oct/2016:09:29:42 -0400] - dn2entry_ext: Failed to get id for changenumber=30856379,cn=changelog from entryrdn index (-30993)
> [19/Oct/2016:09:29:42 -0400] - Operation error fetching changenumber=30856379,cn=changelog (null), error -30993.
> [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856379, dn = changenumber=30856379,cn=changelog: Operations error.
> [19/Oct/2016:09:29:42 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> [19/Oct/2016:09:29:42 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=36 op=5)
> [19/Oct/2016:09:29:50 -0400] - Operation error fetching Null DN (0afe8ea2-960011e6-8bc7a516-e778e883), error -30993.
> [19/Oct/2016:09:29:50 -0400] - dn2entry_ext: Failed to get id for changenumber=30856380,cn=changelog from entryrdn index (-30993)
> [19/Oct/2016:09:29:50 -0400] - Operation error fetching changenumber=30856380,cn=changelog (null), error -30993.
> [19/Oct/2016:09:29:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856380, dn = changenumber=30856380,cn=changelog: Operations error.
> [19/Oct/2016:09:29:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]

This doesn't look good. There could be cancelled ops which would be repeated, but the failing repl op is always with the same csn: 5806acf7000000600000, so it seems incoming replication is stuck.
You could try to find out which entry is affected (grep for the csn in the access log and look at the operation) and what kind of modification it is, to check what could be going wrong.

> ...
> [19/Oct/2016:09:30:06 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu".
> [19/Oct/2016:09:30:06 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu".
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From beeth2006 at gmail.com Wed Oct 19 15:23:00 2016
From: beeth2006 at gmail.com (beeth beeth)
Date: Wed, 19 Oct 2016 11:23:00 -0400
Subject: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)
Message-ID:

I once asked about installing IPA servers with a certificate provided by a third party like Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html). Florence, Rob and Jakub from Redhat had been very helpful, and pointed out the solution at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca, about "Installing Without a CA", and it worked great!

Now another problem has come up: the Verisign (or any other) certificate will expire in a year or two. How can I smoothly renew the Verisign certificate on the primary and replica IPA servers a year from now? Or, if we decide to use another provider, say a Godaddy certificate, how can I replace the existing certificate on both IPA servers?
I found a relevant instruction at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal, but that's about the "Dogtag" CA certificate, not about the third-party certificate I am using in our upcoming production environment (running IPA 4.2 on RHEL7).

Please advise. Thank you!

Beeth

From lkrispen at redhat.com Wed Oct 19 15:41:37 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 19 Oct 2016 17:41:37 +0200
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <58078B04.2030408@redhat.com>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com> <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu> <58078B04.2030408@redhat.com>
Message-ID: <58079431.5070801@redhat.com>

On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:
>
> On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
>> On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
>>> On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
>>>> We had one of our replicas fail today with the following errors:
>>>>
>>>>
>>>> [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog >>>> program - _cl5WriteOperationTxn: retry (49) the transaction >>>> (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 >>>> DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) >>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog >>>> program - _cl5WriteOperationTxn: failed to write entry with csn >>>> (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: >>>> Locker killed to resolve a deadlock >>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - >>>> write_changelog_and_ruv: can't add a change for >>>> uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu >>>> (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to >>>> changelog csn 58065f74000500040000 >>>> [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN >>>> plugin returned error but did not set SLAPI_RESULT_CODE >>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - >>>> process_postop: Failed to apply update (58065f74000500040000) error >>>> (1). Aborting replication session(conn=1314106 op=1688559) >>>> [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified >>>> entry is NULL--updating cache just in case >>>> [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password >>>> Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS >>>> Templates found, which should be added before the CoS Definition. >>>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN >>>> (4a729f9a-955a11e6-aaffa516-e778e883), error -30993. >>>> [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for >>>> changenumber=30856302,cn=changelog from entryrdn index (-30993) >>>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching >>>> changenumber=30856302,cn=changelog (null), error -30993. 
>>>> [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error >>>> occured while adding change number 30856302, dn = >>>> changenumber=30856302,cn=changelog: Operations error. >>>> [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: >>>> operation failure [1] >>>> [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - >>>> process_postop: Failed to apply update (58065f9f000000600000) error >>>> (1). Aborting replication session(conn=1901274 op=5) >>>> [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD >>>> 1601, err=0 BDB0062 Successful return: 0 >>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog >>>> program - _cl5WriteOperationTxn: retry (49) the transaction >>>> (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 >>>> DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) >>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog >>>> program - _cl5WriteOperationTxn: failed to write entry with csn >>>> (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: >>>> Locker killed to resolve a deadlock >>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - >>>> write_changelog_and_ruv: can't add a change for >>>> uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu >>>> (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to >>>> changelog csn 58065f7c000a00040000 >>>> >>>> >>>> ns-slapd was hung so we restarted and now it's stuck and won't come >>>> back up. It >>>> hangs up here: >>>> >>>> [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password >>>> Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS >>>> Templates found, which should be added before the CoS Definition. 
>>>> [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog >>>> program - _cl5NewDBFile: PR_DeleteSemaphore: >>>> /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; >>>> NSPR error - -5943 >>>> [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog >>>> program - _cl5NewDBFile: PR_DeleteSemaphore: >>>> /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; >>>> NSPR error - -5943 >>>> >>>> >>>> Tried deleting the semaphore files and restarting but no luck. >>>> Attached >>>> is a stacktrace of the stuck ns-slapd process. >>>> >>>> Here are the versions we're running: >>>> >>>> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64 >>>> 389-ds-base-1.3.4.0-33.el7_2.x86_64 >>>> >>>> FWIW, we were experimenting with the new life-cycle management >>>> features, >>>> specifically "preserved" users and deleted the user "janedoe" when >>>> this >>>> happened. From the errors above looks like this host failed to >>>> replicate the change? Not sure if this is related or not. >>>> >>>> Is it possible to recover the database? Thanks in advance for any >>>> pointers. >>> From the stack trace the process is not hanging, it is trying to >>> recover. >>> After a crash/kill the changelog does not contain a RUV and it is >>> reconstructed by reading all records in the changelog; if this is >>> large it >>> can take some time.
>>> If you look at that part of the stack repeatedly, >>> >>> #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, >>> len=, entry=entry at entry=0x7ffff6598910) at >>> ldap/servers/plugins/replication/cl5_api.c:2342 >>> rc = >>> version = >>> pos = 0x7f4e9839d091 "" >>> strCSN = 0x0 >>> op = 0x7ffff6598980 >>> add_mods = 0x7f4e983a5e80 >>> rawDN = 0x7f4e98396e20 >>> "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" >>> s = >>> "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377" >>> #5 0x00007f4e88daf5d6 in _cl5GetNextEntry >>> (entry=entry at entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at >>> ldap/servers/plugins/replication/cl5_api.c:5291 >>> rc = 0 >>> it = 0x7f4e983a5e80 >>> key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, >>> app_data = 0x0, flags = 16} >>> data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = >>> 0, doff = 0, app_data = 0x0, flags = 16} >>> #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, >>> obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") >>> at ldap/servers/plugins/replication/cl5_api.c:4306 >>> >>> >>> you should see some progress in which entry is handled >>> >> Ludwig, thanks very much for the help. As you pointed out just needed >> to let it >> finish. ns-slapd eventually came back up once it finished reading the >> changelog. Still seeing some errors related to the >> NSMMReplicationPlugin failed >> to apply update and from the managed-entries-plugin. Can these safely be >> ignored or are they indicative of a more serious problem? >> >> [19/Oct/2016:09:28:46 -0400] - Operation error fetching Null DN >> (e73b48a4-95ff11e6-8bc7a516-e778e883), error -30993. >> [19/Oct/2016:09:28:46 -0400] - dn2entry_ext: Failed to get id for >> changenumber=30856335,cn=changelog from entryrdn index (-30993) >> [19/Oct/2016:09:28:46 -0400] - Operation error fetching >> changenumber=30856335,cn=changelog (null), error -30993. 
>> [19/Oct/2016:09:28:46 -0400] DSRetroclPlugin - replog: an error >> occured while adding change number 30856335, dn = >> changenumber=30856335,cn=changelog: Operations error. >> [19/Oct/2016:09:28:46 -0400] retrocl-plugin - retrocl_postob: >> operation failure [1] >> [19/Oct/2016:09:28:46 -0400] NSMMReplicationPlugin - process_postop: >> Failed to apply update (5806acf7000000600000) error (1). Aborting >> replication session(conn=9 op=28) >> [19/Oct/2016:09:28:54 -0400] - Operation error fetching Null DN >> (e73b48a7-95ff11e6-8bc7a516-e778e883), error -30993. >> [19/Oct/2016:09:28:59 -0400] - dn2entry_ext: Failed to get id for >> changenumber=30856337,cn=changelog from entryrdn index (-30993) >> [19/Oct/2016:09:29:17 -0400] - Operation error fetching >> changenumber=30856337,cn=changelog (null), error -30993. >> [19/Oct/2016:09:29:17 -0400] DSRetroclPlugin - replog: an error >> occured while adding change number 30856337, dn = >> changenumber=30856337,cn=changelog: Operations error. >> [19/Oct/2016:09:29:17 -0400] retrocl-plugin - retrocl_postob: >> operation failure [1] >> [19/Oct/2016:09:29:17 -0400] NSMMReplicationPlugin - process_postop: >> Failed to apply update (5806acf7000000600000) error (1). Aborting >> replication session(conn=15 op=5) >> [19/Oct/2016:09:29:20 -0400] - Retry count exceeded in delete >> [19/Oct/2016:09:29:20 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 30712389 (rc: 51) >> [19/Oct/2016:09:29:28 -0400] - Operation error fetching Null DN >> (0afe8e82-960011e6-8bc7a516-e778e883), error -30993. >> [19/Oct/2016:09:29:28 -0400] - dn2entry_ext: Failed to get id for >> changenumber=30856351,cn=changelog from entryrdn index (-30993) >> [19/Oct/2016:09:29:28 -0400] - Operation error fetching >> changenumber=30856351,cn=changelog (null), error -30993. 
>> [19/Oct/2016:09:29:28 -0400] DSRetroclPlugin - replog: an error >> occured while adding change number 30856351, dn = >> changenumber=30856351,cn=changelog: Operations error. >> [19/Oct/2016:09:29:28 -0400] retrocl-plugin - retrocl_postob: >> operation failure [1] >> [19/Oct/2016:09:29:28 -0400] NSMMReplicationPlugin - process_postop: >> Failed to apply update (5806acf7000000600000) error (1). Aborting >> replication session(conn=25 op=5) >> [19/Oct/2016:09:29:31 -0400] - Retry count exceeded in delete >> [19/Oct/2016:09:29:31 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 30712865 (rc: 51) >> [19/Oct/2016:09:29:39 -0400] - Operation error fetching Null DN >> (0afe8e90-960011e6-8bc7a516-e778e883), error -30993. >> [19/Oct/2016:09:29:39 -0400] - dn2entry_ext: Failed to get id for >> changenumber=30856364,cn=changelog from entryrdn index (-30993) >> [19/Oct/2016:09:29:39 -0400] - Operation error fetching >> changenumber=30856364,cn=changelog (null), error -30993. >> [19/Oct/2016:09:29:39 -0400] DSRetroclPlugin - replog: an error >> occured while adding change number 30856364, dn = >> changenumber=30856364,cn=changelog: Operations error. >> [19/Oct/2016:09:29:39 -0400] retrocl-plugin - retrocl_postob: >> operation failure [1] >> [19/Oct/2016:09:29:39 -0400] NSMMReplicationPlugin - process_postop: >> Failed to apply update (5806acf7000000600000) error (1). Aborting >> replication session(conn=35 op=5) >> [19/Oct/2016:09:29:42 -0400] - Retry count exceeded in delete >> [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - delete_changerecord: >> could not delete change record 30713364 (rc: 51) >> [19/Oct/2016:09:29:42 -0400] - Operation error fetching Null DN >> (0afe8ea0-960011e6-8bc7a516-e778e883), error -30993. 
>> [19/Oct/2016:09:29:42 -0400] - dn2entry_ext: Failed to get id for >> changenumber=30856379,cn=changelog from entryrdn index (-30993) >> [19/Oct/2016:09:29:42 -0400] - Operation error fetching >> changenumber=30856379,cn=changelog (null), error -30993. >> [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - replog: an error >> occured while adding change number 30856379, dn = >> changenumber=30856379,cn=changelog: Operations error. >> [19/Oct/2016:09:29:42 -0400] retrocl-plugin - retrocl_postob: >> operation failure [1] >> [19/Oct/2016:09:29:42 -0400] NSMMReplicationPlugin - process_postop: >> Failed to apply update (5806acf7000000600000) error (1). Aborting >> replication session(conn=36 op=5) >> [19/Oct/2016:09:29:50 -0400] - Operation error fetching Null DN >> (0afe8ea2-960011e6-8bc7a516-e778e883), error -30993. >> [19/Oct/2016:09:29:50 -0400] - dn2entry_ext: Failed to get id for >> changenumber=30856380,cn=changelog from entryrdn index (-30993) >> [19/Oct/2016:09:29:50 -0400] - Operation error fetching >> changenumber=30856380,cn=changelog (null), error -30993. >> [19/Oct/2016:09:29:50 -0400] DSRetroclPlugin - replog: an error >> occured while adding change number 30856380, dn = >> changenumber=30856380,cn=changelog: Operations error. >> [19/Oct/2016:09:29:50 -0400] retrocl-plugin - retrocl_postob: >> operation failure [1] > this doesn't look good. There could be cancelled ops which would be > repeated, but the failing repl op is always with the same csn: > 5806acf7000000600000 > so it seems incoming replication is stuck. > you could try to find out which entry is affected (grep for the csn in > the access log and look at the operation) and what kind of > modification it is to check what could be going wrong. The information about what the change with csn 5806acf7000000600000 is should be found in the changelog of the server with replica id 96. There is also the possibility that your retro changelog got corrupted.
Could you try to query the retrocl: ldapsearch ..... -b "cn=changelog" dn and, before rebuilding or reimporting the database, it would be worth trying to recreate the retro changelog. >> ... >> [19/Oct/2016:09:30:06 -0400] managed-entries-plugin - >> mep_mod_post_op: Unable to find config for origin entry >> "uid=janedoe,cn=deleted >> users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu". >> [19/Oct/2016:09:30:06 -0400] managed-entries-plugin - >> mep_mod_post_op: Unable to find config for origin entry >> "uid=janedoe,cn=deleted >> users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu". >> >> >> >> >> > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From bretif at phosphore.eu Wed Oct 19 13:42:07 2016 From: bretif at phosphore.eu (Bertrand Rétif) Date: Wed, 19 Oct 2016 15:42:07 +0200 (CEST) Subject: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue In-Reply-To: <58077566.8010401@redhat.com> References: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu> <1101487784.1356614.1476878994121.JavaMail.zimbra@phosphore.eu> <58077566.8010401@redhat.com> Message-ID: <719022987.1370764.1476884527122.JavaMail.zimbra@phosphore.eu> ----- Original Message ----- > From: "Rob Crittenden" > To: "Bertrand Rétif" , freeipa-users at redhat.com > Sent: Wednesday 19 October 2016 15:30:14 > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue > Bertrand Rétif wrote: > >> From: "Martin Babinsky" > >> To: freeipa-users at redhat.com > >> Sent: Wednesday 19 October 2016 08:45:49 > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat > >> issue > > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote: > >>> Hello, > >>> > >>> I had an issue with pki-tomcat.
> >>> I had several certificates that were expired and pki-tomcat did not start > >>> anymore. > >>> > >>> I set the date on the server to before certificate expiration and then > >>> pki-tomcat starts properly. > >>> Then I tried to resubmit the certificate, but I get the error below: > >>> "Profile caServerCert Not Found" > >>> > >>> Do you have any idea how I could fix this issue? > >>> > >>> Please find below the output of the commands: > >>> > >>> > >>> # getcert resubmit -i 20160108170324 > >>> > >>> # getcert list -i 20160108170324 > >>> Number of certificates and requests being tracked: 7. > >>> Request ID '20160108170324': > >>> status: MONITORING > >>> ca-error: Server at > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: > >>> Profile caServerCert Not Found > >>> stuck: no > >>> key pair storage: > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >>> certificate: > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >>> Certificate DB' > >>> CA: dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU > >>> subject: CN=IPA RA,O=A.SKINFRA.EU > >>> expires: 2016-06-28 15:25:11 UTC > >>> key usage: > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>> eku: id-kp-serverAuth,id-kp-clientAuth > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > >>> track: yes > >>> auto-renew: yes > >>> > >>> > >>> Thanks in advance for your help. > >>> Bertrand > >>> > >>> > >>> > >>> > > > >> Hi Bertrand, > > > >> what version of FreeIPA and Dogtag are you running? > > > >> Also perform the following search on the IPA master and post the result: > > > >> """ > >> ldapsearch -D "cn=Directory Manager" -W -b > >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)' > >> """ > > > > Hi Martin, > > > > Thanks for your reply.
> > > > Here are the versions: > > - FreeIPA 4.2.0 > > - CentOS 7.2 > > > > I have been able to fix the issue with "Profile caServerCert Not Found" by > > editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg > > I replaced the entry below > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem" > > with > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem" > > > > and then launched the "ipa-server-upgrade" command. > > I found this solution in this post: > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html > > > > Then I was able to renew my certificate. > > > > However, I rebooted my server and pki-tomcat does not start, and gives > > a new error in /var/log/pki/pki-tomcat/ca/debug > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: > > verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: > > create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ > > System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC > > certificate verification > > > > java.lang.Exception: SystemCertsVerification: system certs verification > > failure > > at > > com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198) > > at > > com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861) > > at > > com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797) > > at > > com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) > > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) > > at > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > at javax.servlet.GenericServlet.init(GenericServlet.java:158) > > at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:606) > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > at java.security.AccessController.doPrivileged(Native Method) > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > at > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > at > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > > at > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > > at > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > > at > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > > at > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > > at > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > at > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > at > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > at > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > at java.security.AccessController.doPrivileged(Native Method) > > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > at > > 
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > > at > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > at java.lang.Thread.run(Thread.java:745) > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: > > create() > > message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] > > self tests execution (see selftests.log for details) > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown() > > > > > > I am currently stuck here. > > Thanks a lot for your help. > I'm guessing at least one of the CA subsystem certificates is still > expired. Look at the "getcert list" output to see if there are any > expired certificates. > rob > > > > Bertrand > > > > Hello Rob, I checked on my 2 servers and no certificate is expired: [root@sdkipa03 ~]# getcert list | grep expire expires: 2018-06-22 22:02:26 UTC expires: 2018-06-22 22:02:47 UTC expires: 2034-07-09 15:24:34 UTC expires: 2016-10-30 13:35:29 UTC [root@sdkipa01 conf]# getcert list | grep expire expires: 2018-06-12 23:38:01 UTC expires: 2018-06-12 23:37:41 UTC expires: 2018-06-11 22:53:57 UTC expires: 2018-06-11 22:55:50 UTC expires: 2018-06-11 22:57:47 UTC expires: 2034-07-09 15:24:34 UTC expires: 2018-06-11 22:59:55 UTC I see that one certificate is in status: CA_UNREACHABLE, maybe I rebooted my server too soon... I continue to investigate. Thanks for your help. Bertrand
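Two checks that the participants above describe doing by hand, scripted as an added example (this is not FreeIPA, certmonger or 389-ds project code). In the replica thread, Ludwig says to grep the access log for the stuck csn and that 5806acf7000000600000 came from the server with replica id 96; 389-ds prints a CSN as 20 hex digits (8 of Unix time, 4 of sequence number, 4 of replica id, 4 of sub-sequence number), so that replica id can be read straight out of the value. In the pki-tomcat thread, Rob asks Bertrand to look at "getcert list" for expired certificates, and Bertrand's "grep expire" drops the status and ca-error fields that sit next to each expiry. The access-log excerpt and the getcert output below are constructed for the demo (placeholder suffix dc=example,dc=test, host ipa.example.test, fixed clock EXAMPLE_NOW); the request ids are modelled on the thread but are not real data.

```python
"""Two hand-checks from this thread, scripted: decode a 389-ds CSN and
triage 'getcert list'.  Added example, not FreeIPA/389-ds project code;
the sample access log and getcert output are constructed for the demo."""
import re
from datetime import datetime, timedelta, timezone

# A 389-ds CSN is 20 hex digits: 8 Unix-time, 4 seqnum, 4 replica id, 4 subseq.
CSN_RE = re.compile(r"[0-9a-fA-F]{20}")

def decode_csn(csn):
    """Split a CSN into its fields; replica_id is the master that originated it."""
    if not CSN_RE.fullmatch(csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    ts, seq, rid, sub = (int(csn[a:b], 16) for a, b in ((0, 8), (8, 12), (12, 16), (16, 20)))
    return {"time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "seqnum": seq, "replica_id": rid, "subseqnum": sub}

# Constructed access-log excerpt (dc=example,dc=test is a placeholder suffix).
# 389-ds puts 'csn=' on the RESULT line of a replicated op; the request line
# with the same conn/op pair says what the operation actually was.
SAMPLE_ACCESS_LOG = """\
[19/Oct/2016:09:28:46 -0400] conn=9 op=27 SRCH base="cn=changelog" scope=2 filter="(objectClass=*)" attrs="dn"
[19/Oct/2016:09:28:46 -0400] conn=9 op=27 RESULT err=0 tag=101 nentries=3 etime=0
[19/Oct/2016:09:28:46 -0400] conn=9 op=28 MODRDN dn="uid=janedoe,cn=users,cn=accounts,dc=example,dc=test" newrdn="uid=janedoe" newsuperior="cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=test"
[19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=109 nentries=0 etime=0 csn=5806acf7000000600000
"""
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (\S+)")

def find_operation_for_csn(log_text, csn):
    """Return the request line(s) whose RESULT line carries csn=<csn>."""
    pending, hits = {}, []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                      # connection open/close lines etc.
        conn, op, verb = m.groups()
        if verb == "RESULT":
            if "csn=%s" % csn in line:
                hits.append(pending.get((conn, op), line))
        else:
            pending[(conn, op)] = line    # remember the request for this conn/op
    return hits

# Constructed 'getcert list' output modelled on the thread: one request whose
# renewal failed and whose cert is already expired, one in CA_UNREACHABLE.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
    status: MONITORING
    ca-error: Server at "http://ipa.example.test:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2016-06-28 15:25:11 UTC
    track: yes
Request ID '20160108170410':
    status: CA_UNREACHABLE
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-10-30 13:35:29 UTC
    track: yes
"""
REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
EXAMPLE_NOW = datetime(2016, 10, 19, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def parse_getcert_list(text):
    """Map request id -> {field: value}; values may themselves contain ':'."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests

def triage_getcert(text, now=EXAMPLE_NOW, warn_days=30):
    """(request id, reason) for each request not in MONITORING, carrying a
    ca-error, already expired, or expiring within warn_days."""
    findings = []
    for rid, f in parse_getcert_list(text).items():
        if f.get("status") != "MONITORING":
            findings.append((rid, "status %s" % f.get("status")))
        if f.get("ca-error"):
            findings.append((rid, "ca-error: " + f["ca-error"]))
        if "expires" in f:
            when = datetime.strptime(f["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append((rid, "expired %s (%s)" % (f["expires"], f.get("subject", "?"))))
            elif when - now <= timedelta(days=warn_days):
                findings.append((rid, "expires within %d days: %s" % (warn_days, f["expires"])))
    return findings

if __name__ == "__main__":
    print(decode_csn("5806acf7000000600000"))   # replica_id 96, as Ludwig said
    for hit in find_operation_for_csn(SAMPLE_ACCESS_LOG, "5806acf7000000600000"):
        print(hit)
    for rid, reason in triage_getcert(SAMPLE_GETCERT):
        print(rid, reason)
```

On a real server, feed find_operation_for_csn the access log from the consumer that logs the "Failed to apply update" line, and pipe the real "getcert list" output into triage_getcert; the triage deliberately treats any status other than MONITORING as worth a look, since a CA_UNREACHABLE request that is also close to expiry is exactly the case Bertrand's grep hid.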
From flo at redhat.com Wed Oct 19 15:49:57 2016 From: flo at redhat.com (Florence Blanc-Renaud) Date: Wed, 19 Oct 2016 17:49:57 +0200 Subject: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica) In-Reply-To: References: Message-ID: On 10/19/2016 05:23 PM, beeth beeth wrote: > I once asked about installing IPA servers with a certificate provided by a > third party like > Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html > ). > Florence, Rob and Jakub from Redhat had been very helpful, and pointed > out the solution at > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca > , > about "Installing Without a CA", and it worked great! > > Now another problem has come up: the Verisign (or any other > certificate) will expire in a year or two; how can I smoothly renew the > Verisign certificate on the primary and replica IPA servers a year from > now? Or if we decide to use another provider, say a Godaddy certificate, > how can I replace the existing certificate on both IPA servers? I found > a relevant instruction at > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal > , > but that's about the "Dogtag" CA certificate, not about the third-party > certificate I am using in our upcoming production environment (running > IPA 4.2 on RHEL7). > Hi, if you plan to use another CA (for instance switch from Verisign to Godaddy), you will first need to install the new CA certificate with ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4 Manual CA Certificate Installation [1]. Then, if you want to change the HTTP and LDAP certificates for your server, you can use the ipa-server-certinstall utility [2].
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities Hope this helps, Flo. > Please advise. Thank you! > Beeth From aebruno2 at buffalo.edu Wed Oct 19 16:28:38 2016 From: aebruno2 at buffalo.edu (Andrew E. Bruno) Date: Wed, 19 Oct 2016 12:28:38 -0400 Subject: [Freeipa-users] replica DS failure deadlock In-Reply-To: <58079431.5070801@redhat.com> References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com> <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu> <58078B04.2030408@redhat.com> <58079431.5070801@redhat.com> Message-ID: <20161019162838.vlk465mkqxzuln2x@dead.ccr.buffalo.edu> On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: > > On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: > > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: > > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: > > > > > We had one of our replicas fail today with the following errors: > > > > > > > > > > > > > > > [18/Oct/2016:13:40:47 -0400] > > > > > agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" > > > > > (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in > > > > > the changelog (DB rc=-30988). If replication stops, the > > > > > consumer may need to be reinitialized. 
> > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - > > > > > changelog program - _cl5WriteOperationTxn: retry (49) the > > > > > transaction (csn=58065f74000500040000) failed (rc=-30993 > > > > > (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a > > > > > deadlock)) > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - > > > > > changelog program - _cl5WriteOperationTxn: failed to write > > > > > entry with csn (58065f74000500040000); db error - -30993 > > > > > BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a > > > > > deadlock > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - > > > > > write_changelog_and_ruv: can't add a change for > > > > > uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu > > > > > (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to > > > > > changelog csn 58065f74000500040000 > > > > > [18/Oct/2016:13:43:07 -0400] - > > > > > SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but > > > > > did not set SLAPI_RESULT_CODE > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - > > > > > process_postop: Failed to apply update > > > > > (58065f74000500040000) error (1). Aborting replication > > > > > session(conn=1314106 op=1688559) > > > > > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: > > > > > modified entry is NULL--updating cache just in case > > > > > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition > > > > > cn=Password > > > > > Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS > > > > > Templates found, which should be added before the CoS > > > > > Definition. > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null > > > > > DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993. 
> > > > > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get > > > > > id for changenumber=30856302,cn=changelog from entryrdn > > > > > index (-30993) > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching > > > > > changenumber=30856302,cn=changelog (null), error -30993. > > > > > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an > > > > > error occured while adding change number 30856302, dn = > > > > > changenumber=30856302,cn=changelog: Operations error. > > > > > [18/Oct/2016:13:43:20 -0400] retrocl-plugin - > > > > > retrocl_postob: operation failure [1] > > > > > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - > > > > > process_postop: Failed to apply update > > > > > (58065f9f000000600000) error (1). Aborting replication > > > > > session(conn=1901274 op=5) > > > > > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry > > > > > BAD 1601, err=0 BDB0062 Successful return: 0 > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - > > > > > changelog program - _cl5WriteOperationTxn: retry (49) the > > > > > transaction (csn=58065f7c000a00040000) failed (rc=-30993 > > > > > (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a > > > > > deadlock)) > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - > > > > > changelog program - _cl5WriteOperationTxn: failed to write > > > > > entry with csn (58065f7c000a00040000); db error - -30993 > > > > > BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a > > > > > deadlock > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - > > > > > write_changelog_and_ruv: can't add a change for > > > > > uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu > > > > > (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to > > > > > changelog csn 58065f7c000a00040000 > > > > > > > > > > > > > > > ns-slapd was hung so we restarted and now it's stuck and > > > > > won't come back up. 
It > > > > > hangs up here: > > > > > > > > > > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition > > > > > cn=Password > > > > > Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS > > > > > Templates found, which should be added before the CoS > > > > > Definition. > > > > > [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - > > > > > changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; > > > > > NSPR error - -5943 > > > > > [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - > > > > > changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; > > > > > NSPR error - -5943 > > > > > > > > > > > > > > > Tried deleting the semaphore files and restarting but no > > > > > luck. Attached > > > > > is a stacktrace of the stuck ns-slapd process. > > > > > > > > > > Here are the versions we're running: > > > > > > > > > > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64 > > > > > 389-ds-base-1.3.4.0-33.el7_2.x86_64 > > > > > > > > > > FWIW, we were experimenting with the new life-cycle > > > > > management features, > > > > > specifically "preserved" users and deleted the user > > > > > "janedoe" when this > > > > > happened. From the errors above looks like this host failed to > > > > > replicate the change? Not sure if this is related or not. > > > > > > > > > > Is it possible to recover the database? Thanks in advance > > > > > for any pointers. > > > > From the stack trace the process is not hanging, it is trying to > > > > recover. > > > > After a crash/kill the changelog does not contain a RUV and it is > > > > reconstructed by reading all records in the changelog; if this > > > > is large it > > > > can take some time.
> > > > If you look at that part of the stack repeatedly, > > > > > > > > #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, > > > > len=, entry=entry at entry=0x7ffff6598910) at > > > > ldap/servers/plugins/replication/cl5_api.c:2342 > > > > rc = > > > > version = > > > > pos = 0x7f4e9839d091 "" > > > > strCSN = 0x0 > > > > op = 0x7ffff6598980 > > > > add_mods = 0x7f4e983a5e80 > > > > rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" > > > > s = > > > > "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377" > > > > #5 0x00007f4e88daf5d6 in _cl5GetNextEntry > > > > (entry=entry at entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at > > > > ldap/servers/plugins/replication/cl5_api.c:5291 > > > > rc = 0 > > > > it = 0x7f4e983a5e80 > > > > key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff > > > > = 0, app_data = 0x0, flags = 16} > > > > data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, > > > > dlen = 0, doff = 0, app_data = 0x0, flags = 16} > > > > #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, > > > > obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 > > > > "\200\211Y\366\377\177") at > > > > ldap/servers/plugins/replication/cl5_api.c:4306 > > > > > > > > > > > > you should see some progress in which entry is handled > > > > > > > Ludwig, thanks very much for the help. As you pointed out just > > > needed to let it > > > finish. ns-slapd eventually came back up once it finished reading the > > > changelog. Still seeing some errors related to the > > > NSMMReplicationPlugin failed > > > to apply update and from the managed-entries-plugin. Can these safely be > > > ignored or are they indicative of a more serious problem? > > > > > > [19/Oct/2016:09:28:46 -0400] - Operation error fetching Null DN > > > (e73b48a4-95ff11e6-8bc7a516-e778e883), error -30993. 
> > > [19/Oct/2016:09:28:46 -0400] - dn2entry_ext: Failed to get id for > > > changenumber=30856335,cn=changelog from entryrdn index (-30993) > > > [19/Oct/2016:09:28:46 -0400] - Operation error fetching > > > changenumber=30856335,cn=changelog (null), error -30993. > > > [19/Oct/2016:09:28:46 -0400] DSRetroclPlugin - replog: an error > > > occured while adding change number 30856335, dn = > > > changenumber=30856335,cn=changelog: Operations error. > > > [19/Oct/2016:09:28:46 -0400] retrocl-plugin - retrocl_postob: > > > operation failure [1] > > > [19/Oct/2016:09:28:46 -0400] NSMMReplicationPlugin - process_postop: > > > Failed to apply update (5806acf7000000600000) error (1). Aborting > > > replication session(conn=9 op=28) > > > [19/Oct/2016:09:28:54 -0400] - Operation error fetching Null DN > > > (e73b48a7-95ff11e6-8bc7a516-e778e883), error -30993. > > > [19/Oct/2016:09:28:59 -0400] - dn2entry_ext: Failed to get id for > > > changenumber=30856337,cn=changelog from entryrdn index (-30993) > > > [19/Oct/2016:09:29:17 -0400] - Operation error fetching > > > changenumber=30856337,cn=changelog (null), error -30993. > > > [19/Oct/2016:09:29:17 -0400] DSRetroclPlugin - replog: an error > > > occured while adding change number 30856337, dn = > > > changenumber=30856337,cn=changelog: Operations error. > > > [19/Oct/2016:09:29:17 -0400] retrocl-plugin - retrocl_postob: > > > operation failure [1] > > > [19/Oct/2016:09:29:17 -0400] NSMMReplicationPlugin - process_postop: > > > Failed to apply update (5806acf7000000600000) error (1). Aborting > > > replication session(conn=15 op=5) > > > [19/Oct/2016:09:29:20 -0400] - Retry count exceeded in delete > > > [19/Oct/2016:09:29:20 -0400] DSRetroclPlugin - delete_changerecord: > > > could not delete change record 30712389 (rc: 51) > > > [19/Oct/2016:09:29:28 -0400] - Operation error fetching Null DN > > > (0afe8e82-960011e6-8bc7a516-e778e883), error -30993. 
> > > [19/Oct/2016:09:29:28 -0400] - dn2entry_ext: Failed to get id for > > > changenumber=30856351,cn=changelog from entryrdn index (-30993) > > > [19/Oct/2016:09:29:28 -0400] - Operation error fetching > > > changenumber=30856351,cn=changelog (null), error -30993. > > > [19/Oct/2016:09:29:28 -0400] DSRetroclPlugin - replog: an error > > > occured while adding change number 30856351, dn = > > > changenumber=30856351,cn=changelog: Operations error. > > > [19/Oct/2016:09:29:28 -0400] retrocl-plugin - retrocl_postob: > > > operation failure [1] > > > [19/Oct/2016:09:29:28 -0400] NSMMReplicationPlugin - process_postop: > > > Failed to apply update (5806acf7000000600000) error (1). Aborting > > > replication session(conn=25 op=5) > > > [19/Oct/2016:09:29:31 -0400] - Retry count exceeded in delete > > > [19/Oct/2016:09:29:31 -0400] DSRetroclPlugin - delete_changerecord: > > > could not delete change record 30712865 (rc: 51) > > > [19/Oct/2016:09:29:39 -0400] - Operation error fetching Null DN > > > (0afe8e90-960011e6-8bc7a516-e778e883), error -30993. > > > [19/Oct/2016:09:29:39 -0400] - dn2entry_ext: Failed to get id for > > > changenumber=30856364,cn=changelog from entryrdn index (-30993) > > > [19/Oct/2016:09:29:39 -0400] - Operation error fetching > > > changenumber=30856364,cn=changelog (null), error -30993. > > > [19/Oct/2016:09:29:39 -0400] DSRetroclPlugin - replog: an error > > > occured while adding change number 30856364, dn = > > > changenumber=30856364,cn=changelog: Operations error. > > > [19/Oct/2016:09:29:39 -0400] retrocl-plugin - retrocl_postob: > > > operation failure [1] > > > [19/Oct/2016:09:29:39 -0400] NSMMReplicationPlugin - process_postop: > > > Failed to apply update (5806acf7000000600000) error (1). 
Aborting > > > replication session(conn=35 op=5) > > > [19/Oct/2016:09:29:42 -0400] - Retry count exceeded in delete > > > [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - delete_changerecord: > > > could not delete change record 30713364 (rc: 51) > > > [19/Oct/2016:09:29:42 -0400] - Operation error fetching Null DN > > > (0afe8ea0-960011e6-8bc7a516-e778e883), error -30993. > > > [19/Oct/2016:09:29:42 -0400] - dn2entry_ext: Failed to get id for > > > changenumber=30856379,cn=changelog from entryrdn index (-30993) > > > [19/Oct/2016:09:29:42 -0400] - Operation error fetching > > > changenumber=30856379,cn=changelog (null), error -30993. > > > [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - replog: an error > > > occured while adding change number 30856379, dn = > > > changenumber=30856379,cn=changelog: Operations error. > > > [19/Oct/2016:09:29:42 -0400] retrocl-plugin - retrocl_postob: > > > operation failure [1] > > > [19/Oct/2016:09:29:42 -0400] NSMMReplicationPlugin - process_postop: > > > Failed to apply update (5806acf7000000600000) error (1). Aborting > > > replication session(conn=36 op=5) > > > [19/Oct/2016:09:29:50 -0400] - Operation error fetching Null DN > > > (0afe8ea2-960011e6-8bc7a516-e778e883), error -30993. > > > [19/Oct/2016:09:29:50 -0400] - dn2entry_ext: Failed to get id for > > > changenumber=30856380,cn=changelog from entryrdn index (-30993) > > > [19/Oct/2016:09:29:50 -0400] - Operation error fetching > > > changenumber=30856380,cn=changelog (null), error -30993. > > > [19/Oct/2016:09:29:50 -0400] DSRetroclPlugin - replog: an error > > > occured while adding change number 30856380, dn = > > > changenumber=30856380,cn=changelog: Operations error. > > > [19/Oct/2016:09:29:50 -0400] retrocl-plugin - retrocl_postob: > > > operation failure [1] > > this doesn't look good. There could be cancelled ops which would be > > repeated, but the failing repl op is always with the same csn: > > 5806acf7000000600000 > > so it seems incoming replication is stuck. 
> > you could try to find out which entry is affected (grep for the csn in
> > the access log and look at the operation) and what kind of modification
> > it is to check what could be going wrong.

Here's what was in the access logs for that csn:

access.20161018-113116:[19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=103 nentries=0 etime=3 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:29:17 -0400] conn=15 op=5 RESULT err=1 tag=103 nentries=0 etime=24 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:29:28 -0400] conn=25 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:29:39 -0400] conn=35 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:29:42 -0400] conn=36 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:29:50 -0400] conn=37 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:29:54 -0400] conn=44 op=5 RESULT err=1 tag=103 nentries=0 etime=1 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:29:58 -0400] conn=45 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:30:06 -0400] conn=46 op=5 RESULT err=1 tag=103 nentries=0 etime=4 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:30:12 -0400] conn=48 op=5 RESULT err=0 tag=103 nentries=0 etime=2 csn=5806acf7000000600000

Interestingly, right before the first op=28 was the modification of user janedoe; we were testing deleting/preserving this user:

[19/Oct/2016:09:28:43 -0400] conn=9 op=27 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[19/Oct/2016:09:28:43 -0400] conn=10 op=15 RESULT err=0 tag=103 nentries=0 etime=0 csn=58065f7c000300030000
[19/Oct/2016:09:28:43 -0400] conn=10 op=16 MODRDN dn="uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" newrdn="uid=janedoe" newsuperior="cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
[19/Oct/2016:09:28:43 -0400] conn=9 op=27 RESULT err=0 tag=103 nentries=0 etime=0 csn=5806a973000000600000
[19/Oct/2016:09:28:43 -0400] conn=9 op=28 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=103 nentries=0 etime=3 csn=5806acf7000000600000
[19/Oct/2016:09:28:46 -0400] conn=9 op=-1 fd=88 closed - B4

> the information of what is the change with csn 5806acf7000000600000, it
> should be found in the changelog of the server with the replicaid 96.

Where can I find/query the changelog?

> there is also the possibility that your retro changelog got corrupted. could
> you try to query the retrocl: ldapsearch ..... -b "cn=changelog" dn

Guessing the changelog is too big or I need to increase some limit?

ldapsearch -Y GSSAPI -b "cn=changelog" dn
# extended LDIF
#
# LDAPv3
# base <cn=changelog> with scope subtree
# filter: (objectclass=*)
# requesting: dn
#

# search result
search: 4
result: 11 Administrative limit exceeded

> and before rebuilding or reimporting the database it would be worth to try
> to recreate the retro changelog

I'm not seeing any more errors in the logs. Is there any way to verify if replication has caught up?

Thanks again for all the help.

From tbordaz at redhat.com Wed Oct 19 16:33:05 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 19 Oct 2016 18:33:05 +0200
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com> <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu>
Message-ID: <5807A041.8030507@redhat.com>

On 10/19/2016 03:48 PM, Andrew E.
Bruno wrote: > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: >> On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: >>> We had one of our replicas fail today with the following errors: >>> >>> >>> [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. >>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) >>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock >>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000 >>> [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE >>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559) >>> [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case >>> [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition. >>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993. 
>>> [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993) >>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993. >>> [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error. >>> [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1] >>> [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5) >>> [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 >>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) >>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock >>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000 >>> >>> >>> ns-slapd was hung so we restarted and now it's stuck and won't come back up. It >>> hangs up here: >>> >>> [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition. 
>>> [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
>>> [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
>>>
>>> Tried deleting the semaphore files and restarting but no luck. Attached
>>> is a stacktrace of the stuck ns-slapd process.
>>>
>>> Here are the versions we're running:
>>>
>>> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
>>> 389-ds-base-1.3.4.0-33.el7_2.x86_64
>>>
>>> FWIW, we were experimenting with the new life-cycle management features,
>>> specifically "preserved" users and deleted the user "janedoe" when this
>>> happened. From the errors above looks like this host failed to
>>> replicate the change? Not sure if this is related or not.
>>>
>>> Is it possible to recover the database? Thanks in advance for any pointers.
>> from the stack trace the process is not hanging, it is trying to recover.
>> After a crash/kill the changelog does not contain a RUV and it is
>> reconstructed by reading all records in the changelog, if this is large it
>> can take some time.
>> If you look at that part of the stack repeatedly,
>>
>> #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, len=, entry=entry@entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342
>>         rc =
>>         version =
>>         pos = 0x7f4e9839d091 ""
>>         strCSN = 0x0
>>         op = 0x7ffff6598980
>>         add_mods = 0x7f4e983a5e80
>>         rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
>>         s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377"
>> #5 0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry@entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291
>>         rc = 0
>>         it = 0x7f4e983a5e80
>>         key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
>>         data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
>> #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306
>>
>> you should see some progress in which entry is handled
>>
> Ludwig, thanks very much for the help. As you pointed out just needed to let it
> finish. ns-slapd eventually came back up once it finished reading the
> changelog. Still seeing some errors related to the NSMMReplicationPlugin failed
> to apply update and from the managed-entries-plugin. Can these safely be
> ignored or are they indicative of a more serious problem?

It is difficult to say the reason for the managed entries messages.
It says that the origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu" still has a managed entry ('mepManagedEntry') that is possibly something like 'cn=janedoe,cn=groups,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu'.
This looks like a bug because user 'janedoe', being a preserved user, should not have any reference to existing groups.

Could you dump the uid=janedoe entry:

ldapsearch -D "cn=directory manager" -w xxxx -b "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu" nscpentrywsi

If the link still exists, it looks like a bug but IMHO it should not create a security issue.

regards
thierry

> [19/Oct/2016:09:28:46 -0400] - Operation error fetching Null DN (e73b48a4-95ff11e6-8bc7a516-e778e883), error -30993.
> [19/Oct/2016:09:28:46 -0400] - dn2entry_ext: Failed to get id for changenumber=30856335,cn=changelog from entryrdn index (-30993)
> [19/Oct/2016:09:28:46 -0400] - Operation error fetching changenumber=30856335,cn=changelog (null), error -30993.
> [19/Oct/2016:09:28:46 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856335, dn = changenumber=30856335,cn=changelog: Operations error.
> [19/Oct/2016:09:28:46 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> [19/Oct/2016:09:28:46 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=9 op=28)
> [19/Oct/2016:09:28:54 -0400] - Operation error fetching Null DN (e73b48a7-95ff11e6-8bc7a516-e778e883), error -30993.
> [19/Oct/2016:09:28:59 -0400] - dn2entry_ext: Failed to get id for changenumber=30856337,cn=changelog from entryrdn index (-30993)
> [19/Oct/2016:09:29:17 -0400] - Operation error fetching changenumber=30856337,cn=changelog (null), error -30993.
> [19/Oct/2016:09:29:17 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856337, dn = changenumber=30856337,cn=changelog: Operations error.
> [19/Oct/2016:09:29:17 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> [19/Oct/2016:09:29:17 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1).
Aborting replication session(conn=15 op=5) > [19/Oct/2016:09:29:20 -0400] - Retry count exceeded in delete > [19/Oct/2016:09:29:20 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712389 (rc: 51) > [19/Oct/2016:09:29:28 -0400] - Operation error fetching Null DN (0afe8e82-960011e6-8bc7a516-e778e883), error -30993. > [19/Oct/2016:09:29:28 -0400] - dn2entry_ext: Failed to get id for changenumber=30856351,cn=changelog from entryrdn index (-30993) > [19/Oct/2016:09:29:28 -0400] - Operation error fetching changenumber=30856351,cn=changelog (null), error -30993. > [19/Oct/2016:09:29:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856351, dn = changenumber=30856351,cn=changelog: Operations error. > [19/Oct/2016:09:29:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > [19/Oct/2016:09:29:28 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=25 op=5) > [19/Oct/2016:09:29:31 -0400] - Retry count exceeded in delete > [19/Oct/2016:09:29:31 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712865 (rc: 51) > [19/Oct/2016:09:29:39 -0400] - Operation error fetching Null DN (0afe8e90-960011e6-8bc7a516-e778e883), error -30993. > [19/Oct/2016:09:29:39 -0400] - dn2entry_ext: Failed to get id for changenumber=30856364,cn=changelog from entryrdn index (-30993) > [19/Oct/2016:09:29:39 -0400] - Operation error fetching changenumber=30856364,cn=changelog (null), error -30993. > [19/Oct/2016:09:29:39 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856364, dn = changenumber=30856364,cn=changelog: Operations error. > [19/Oct/2016:09:29:39 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > [19/Oct/2016:09:29:39 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). 
Aborting replication session(conn=35 op=5) > [19/Oct/2016:09:29:42 -0400] - Retry count exceeded in delete > [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30713364 (rc: 51) > [19/Oct/2016:09:29:42 -0400] - Operation error fetching Null DN (0afe8ea0-960011e6-8bc7a516-e778e883), error -30993. > [19/Oct/2016:09:29:42 -0400] - dn2entry_ext: Failed to get id for changenumber=30856379,cn=changelog from entryrdn index (-30993) > [19/Oct/2016:09:29:42 -0400] - Operation error fetching changenumber=30856379,cn=changelog (null), error -30993. > [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856379, dn = changenumber=30856379,cn=changelog: Operations error. > [19/Oct/2016:09:29:42 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > [19/Oct/2016:09:29:42 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=36 op=5) > [19/Oct/2016:09:29:50 -0400] - Operation error fetching Null DN (0afe8ea2-960011e6-8bc7a516-e778e883), error -30993. > [19/Oct/2016:09:29:50 -0400] - dn2entry_ext: Failed to get id for changenumber=30856380,cn=changelog from entryrdn index (-30993) > [19/Oct/2016:09:29:50 -0400] - Operation error fetching changenumber=30856380,cn=changelog (null), error -30993. > [19/Oct/2016:09:29:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856380, dn = changenumber=30856380,cn=changelog: Operations error. > [19/Oct/2016:09:29:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > ... > [19/Oct/2016:09:30:06 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu". 
> [19/Oct/2016:09:30:06 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu".

From aebruno2 at buffalo.edu Wed Oct 19 16:54:44 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 19 Oct 2016 12:54:44 -0400
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <5807A041.8030507@redhat.com>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com> <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu> <5807A041.8030507@redhat.com>
Message-ID: <20161019165444.xwqgsi54az637vpd@dead.ccr.buffalo.edu>

On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote:
> On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> > > > We had one of our replicas fail today with the following errors:
> > > >
> > > > [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000 > > > > [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559) > > > > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case > > > > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition. > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993. > > > > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993) > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993. > > > > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error. 
> > > > [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > > > > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5) > > > > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000 > > > > > > > > > > > > ns-slapd was hung so we restarted and now it's stuck and won't come back up. It > > > > hangs up here: > > > > > > > > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition. 
> > > > [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> > > > [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> > > >
> > > > Tried deleting the semaphore files and restarting but no luck. Attached
> > > > is a stacktrace of the stuck ns-slapd process.
> > > >
> > > > Here are the versions we're running:
> > > >
> > > > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > > > 389-ds-base-1.3.4.0-33.el7_2.x86_64
> > > >
> > > > FWIW, we were experimenting with the new life-cycle management features,
> > > > specifically "preserved" users and deleted the user "janedoe" when this
> > > > happened. From the errors above looks like this host failed to
> > > > replicate the change? Not sure if this is related or not.
> > > >
> > > > Is it possible to recover the database? Thanks in advance for any pointers.
> > > from the stack trace the process is not hanging, it is trying to recover.
> > > After a crash/kill the changelog does not contain a RUV and it is
> > > reconstructed by reading all records in the changelog, if this is large it
> > > can take some time.
> > > If you look at that part of the stack repeatedly, > > > > > > #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, len=, entry=entry at entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342 > > > rc = > > > version = > > > pos = 0x7f4e9839d091 "" > > > strCSN = 0x0 > > > op = 0x7ffff6598980 > > > add_mods = 0x7f4e983a5e80 > > > rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" > > > s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377" > > > #5 0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry at entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291 > > > rc = 0 > > > it = 0x7f4e983a5e80 > > > key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16} > > > data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16} > > > #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306 > > > > > > > > > you should see some progress in which entry is handled > > > > > Ludwig, thanks very much for the help. As you pointed out just needed to let it > > finish. ns-slapd eventually came back up once it finished reading the > > changelog. Still seeing some errors related to the NSMMReplicationPlugin failed > > to apply update and from the managed-entries-plugin. Can these safely be > > ignored or are they indicative of a more serious problem? > > This is difficult to say the reason of managed entries messages. > It says that the origin entry "uid=janedoe,cn=deleted > users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu" > is still having a managed entry ('|mepManagedEntry') that is possibly > something like > '|cn=janedoe,cn=groups,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu". 
> This looks like a bug because user 'janedoe', being a preserved user,
> should not have any reference to existing groups.
>
> Could you dump the uid=janedoe entry:
> ldapsearch -D "cn=directory manager" -w xxxx -b "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu" nscpentrywsi

Here's the entry for janedoe:

ldapsearch -Y GSSAPI -b "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu" nscpentrywsi
# extended LDIF
#
# LDAPv3
# base <uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu> with scope subtree
# filter: (objectclass=*)
# requesting: nscpentrywsi
#

# janedoe, deleted users, accounts, provisioning, cbls.ccr.buffalo.edu
dn: uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,d
 c=buffalo,dc=edu

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

> If the link still exists, it looks like a bug but IMHO it should not
> create a security issue.
>
> regards
> thierry

From tbordaz at redhat.com Wed Oct 19 16:59:57 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 19 Oct 2016 18:59:57 +0200
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <20161019162838.vlk465mkqxzuln2x@dead.ccr.buffalo.edu>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com> <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu> <58078B04.2030408@redhat.com> <58079431.5070801@redhat.com> <20161019162838.vlk465mkqxzuln2x@dead.ccr.buffalo.edu>
Message-ID: <5807A68D.1030004@redhat.com>

On 10/19/2016 06:28 PM, Andrew E. Bruno wrote:
> On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote:
>> On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:
>>> On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
>>>> On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
>>>>> On 10/18/2016 08:52 PM, Andrew E.
Bruno wrote: >>>>>> We had one of our replicas fail today with the following errors: >>>>>> >>>>>> >>>>>> [18/Oct/2016:13:40:47 -0400] >>>>>> agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" >>>>>> (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in >>>>>> the changelog (DB rc=-30988). If replication stops, the >>>>>> consumer may need to be reinitialized. >>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - >>>>>> changelog program - _cl5WriteOperationTxn: retry (49) the >>>>>> transaction (csn=58065f74000500040000) failed (rc=-30993 >>>>>> (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a >>>>>> deadlock)) >>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - >>>>>> changelog program - _cl5WriteOperationTxn: failed to write >>>>>> entry with csn (58065f74000500040000); db error - -30993 >>>>>> BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a >>>>>> deadlock >>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - >>>>>> write_changelog_and_ruv: can't add a change for >>>>>> uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu >>>>>> (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to >>>>>> changelog csn 58065f74000500040000 >>>>>> [18/Oct/2016:13:43:07 -0400] - >>>>>> SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but >>>>>> did not set SLAPI_RESULT_CODE >>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - >>>>>> process_postop: Failed to apply update >>>>>> (58065f74000500040000) error (1). Aborting replication >>>>>> session(conn=1314106 op=1688559) >>>>>> [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: >>>>>> modified entry is NULL--updating cache just in case >>>>>> [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition >>>>>> cn=Password >>>>>> Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS >>>>>> Templates found, which should be added before the CoS >>>>>> Definition. 
>>>>>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null >>>>>> DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993. >>>>>> [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get >>>>>> id for changenumber=30856302,cn=changelog from entryrdn >>>>>> index (-30993) >>>>>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching >>>>>> changenumber=30856302,cn=changelog (null), error -30993. >>>>>> [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an >>>>>> error occured while adding change number 30856302, dn = >>>>>> changenumber=30856302,cn=changelog: Operations error. >>>>>> [18/Oct/2016:13:43:20 -0400] retrocl-plugin - >>>>>> retrocl_postob: operation failure [1] >>>>>> [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - >>>>>> process_postop: Failed to apply update >>>>>> (58065f9f000000600000) error (1). Aborting replication >>>>>> session(conn=1901274 op=5) >>>>>> [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry >>>>>> BAD 1601, err=0 BDB0062 Successful return: 0 >>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - >>>>>> changelog program - _cl5WriteOperationTxn: retry (49) the >>>>>> transaction (csn=58065f7c000a00040000) failed (rc=-30993 >>>>>> (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a >>>>>> deadlock)) >>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - >>>>>> changelog program - _cl5WriteOperationTxn: failed to write >>>>>> entry with csn (58065f7c000a00040000); db error - -30993 >>>>>> BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a >>>>>> deadlock >>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - >>>>>> write_changelog_and_ruv: can't add a change for >>>>>> uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu >>>>>> (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to >>>>>> changelog csn 58065f7c000a00040000 >>>>>> >>>>>> >>>>>> ns-slapd was hung so we restarted and now it's stuck and >>>>>> won't come back up. 
It >>>>>> hangs up here: >>>>>> >>>>>> [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition >>>>>> cn=Password >>>>>> Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS >>>>>> Templates found, which should be added before the CoS >>>>>> Definition. >>>>>> [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - >>>>>> changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; >>>>>> NSPR error - -5943 >>>>>> [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - >>>>>> changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; >>>>>> NSPR error - -5943 >>>>>> >>>>>> >>>>>> Tried deleting the semaphore files and restarting but no >>>>>> luck. Attached >>>>>> is a stacktrace of the stuck ns-slapd process. >>>>>> >>>>>> Here's the versions were running: >>>>>> >>>>>> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64 >>>>>> 389-ds-base-1.3.4.0-33.el7_2.x86_64 >>>>>> >>>>>> FWIW, we were experimenting with the new life-cycle >>>>>> management features, >>>>>> specifically "preserved" users and deleted the user >>>>>> "janedoe" when this >>>>>> happened. From the errors above looks like this host failed to >>>>>> replicate the change? Not sure if this is related or not. >>>>>> >>>>>> Is it possible to recover the database? Thanks in advance >>>>>> for any pointers. >>>>> from the stack trace the process is not hanging, it is trying to >>>>> recover. >>>>> After a crash/kill the changelog does not contai a RUV and it is >>>>> reconstructed by reading all records in the changelog, if this >>>>> is large it >>>>> can take some time. 
>>>>> If you look at that part of the stack repeatedly, >>>>> >>>>> #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, >>>>> len=, entry=entry at entry=0x7ffff6598910) at >>>>> ldap/servers/plugins/replication/cl5_api.c:2342 >>>>> rc = >>>>> version = >>>>> pos = 0x7f4e9839d091 "" >>>>> strCSN = 0x0 >>>>> op = 0x7ffff6598980 >>>>> add_mods = 0x7f4e983a5e80 >>>>> rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" >>>>> s = >>>>> "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377" >>>>> #5 0x00007f4e88daf5d6 in _cl5GetNextEntry >>>>> (entry=entry at entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at >>>>> ldap/servers/plugins/replication/cl5_api.c:5291 >>>>> rc = 0 >>>>> it = 0x7f4e983a5e80 >>>>> key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff >>>>> = 0, app_data = 0x0, flags = 16} >>>>> data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, >>>>> dlen = 0, doff = 0, app_data = 0x0, flags = 16} >>>>> #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, >>>>> obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 >>>>> "\200\211Y\366\377\177") at >>>>> ldap/servers/plugins/replication/cl5_api.c:4306 >>>>> >>>>> >>>>> you should see some progress in which entry is handled >>>>> >>>> Ludwig, thanks very much for the help. As you pointed out just >>>> needed to let it >>>> finish. ns-slapd eventually came back up once it finished reading the >>>> changelog. Still seeing some errors related to the >>>> NSMMReplicationPlugin failed >>>> to apply update and from the managed-entries-plugin. Can these safely be >>>> ignored or are they indicative of a more serious problem? >>>> >>>> [19/Oct/2016:09:28:46 -0400] - Operation error fetching Null DN >>>> (e73b48a4-95ff11e6-8bc7a516-e778e883), error -30993. 
>>>> [19/Oct/2016:09:28:46 -0400] - dn2entry_ext: Failed to get id for changenumber=30856335,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:28:46 -0400] - Operation error fetching changenumber=30856335,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:28:46 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856335, dn = changenumber=30856335,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:28:46 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:28:46 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=9 op=28)
>>>> [19/Oct/2016:09:28:54 -0400] - Operation error fetching Null DN (e73b48a7-95ff11e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:28:59 -0400] - dn2entry_ext: Failed to get id for changenumber=30856337,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:17 -0400] - Operation error fetching changenumber=30856337,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:17 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856337, dn = changenumber=30856337,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:17 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:29:17 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=15 op=5)
>>>> [19/Oct/2016:09:29:20 -0400] - Retry count exceeded in delete
>>>> [19/Oct/2016:09:29:20 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712389 (rc: 51)
>>>> [19/Oct/2016:09:29:28 -0400] - Operation error fetching Null DN (0afe8e82-960011e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:29:28 -0400] - dn2entry_ext: Failed to get id for changenumber=30856351,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:28 -0400] - Operation error fetching changenumber=30856351,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856351, dn = changenumber=30856351,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:29:28 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=25 op=5)
>>>> [19/Oct/2016:09:29:31 -0400] - Retry count exceeded in delete
>>>> [19/Oct/2016:09:29:31 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712865 (rc: 51)
>>>> [19/Oct/2016:09:29:39 -0400] - Operation error fetching Null DN (0afe8e90-960011e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:29:39 -0400] - dn2entry_ext: Failed to get id for changenumber=30856364,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:39 -0400] - Operation error fetching changenumber=30856364,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:39 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856364, dn = changenumber=30856364,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:39 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:29:39 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=35 op=5)
>>>> [19/Oct/2016:09:29:42 -0400] - Retry count exceeded in delete
>>>> [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30713364 (rc: 51)
>>>> [19/Oct/2016:09:29:42 -0400] - Operation error fetching Null DN (0afe8ea0-960011e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:29:42 -0400] - dn2entry_ext: Failed to get id for changenumber=30856379,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:42 -0400] - Operation error fetching changenumber=30856379,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856379, dn = changenumber=30856379,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:42 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:29:42 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=36 op=5)
>>>> [19/Oct/2016:09:29:50 -0400] - Operation error fetching Null DN (0afe8ea2-960011e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:29:50 -0400] - dn2entry_ext: Failed to get id for changenumber=30856380,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:50 -0400] - Operation error fetching changenumber=30856380,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856380, dn = changenumber=30856380,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>> this doesn't look good. There could be cancelled ops which would be
>>> repeated, but the failing repl op is always with the same csn:
>>> 5806acf7000000600000
>>> so it seems incoming replication is stuck.
>>> you could try to find out which entry is affected (grep for the csn in
>>> the access log and look at the operation) and what kind of modification
>>> it is to check what could be going wrong.
>
> Here's what was in the access logs for that csn:
>
> access.20161018-113116:[19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=103 nentries=0 etime=3 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:17 -0400] conn=15 op=5 RESULT err=1 tag=103 nentries=0 etime=24 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:28 -0400] conn=25 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:39 -0400] conn=35 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:42 -0400] conn=36 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:50 -0400] conn=37 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:54 -0400] conn=44 op=5 RESULT err=1 tag=103 nentries=0 etime=1 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:58 -0400] conn=45 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:30:06 -0400] conn=46 op=5 RESULT err=1 tag=103 nentries=0 etime=4 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:30:12 -0400] conn=48 op=5 RESULT err=0 tag=103 nentries=0 etime=2 csn=5806acf7000000600000
>
>
> Interestingly, right before the first op=28 was the modification of user
> janedoe; we were testing deleting/preserving this user:
>
> [19/Oct/2016:09:28:43 -0400] conn=9 op=27 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> [19/Oct/2016:09:28:43 -0400] conn=10 op=15 RESULT err=0 tag=103 nentries=0 etime=0 csn=58065f7c000300030000
> [19/Oct/2016:09:28:43 -0400] conn=10 op=16 MODRDN dn="uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" newrdn="uid=janedoe" newsuperior="cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
> [19/Oct/2016:09:28:43 -0400] conn=9 op=27 RESULT err=0 tag=103 nentries=0 etime=0 csn=5806a973000000600000
> [19/Oct/2016:09:28:43 -0400] conn=9 op=28 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> [19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=103 nentries=0 etime=3 csn=5806acf7000000600000
> [19/Oct/2016:09:28:46 -0400] conn=9 op=-1 fd=88 closed - B4

Note that the janedoe operation and the 5806acf7000000600000 operation were on different suffixes but share the retroCL.
According to

[19/Oct/2016:09:30:06 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu".

we may think that operation 'conn=10 op=16' completed (but likely failed) at 9:30:06 and only then was 5806acf7000000600000 successfully replicated.
There may be an interaction between both operations: 'janedoe' was going to fail but prevented the other updates from completing.

It would be interesting to get the full logs (access/errors) for 19/Oct/2016:09:28:43 -> 19/Oct/2016:09:30:20 and also the dump of the 'janedoe' entry.

>
>> the information about what the change with csn 5806acf7000000600000 is
>> should be found in the changelog of the server with the replicaid 96.
> Where can I find/query the changelog?

You may dump it with:

dbscan -f /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/xxx.db

>
>> there is also the possibility that your retro changelog got corrupted. Could
>> you try to query the retrocl: ldapsearch ..... -b "cn=changelog" dn
> Guessing the changelog is too big or I need to increase some limit?
>
> ldapsearch -Y GSSAPI -b "cn=changelog" dn
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: dn
> #
>
> # search result
> search: 4
> result: 11 Administrative limit exceeded

Can you do the same operation as 'cn=directory manager'?

>
>
>> and before rebuilding or reimporting the database it would be worth trying
>> to recreate the retro changelog
> I'm not seeing any more errors in the logs. Is there any way to verify if
> replication has caught up?
>
> Thanks again for all the help.
>
>

From tbordaz at redhat.com Wed Oct 19 17:05:14 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 19 Oct 2016 19:05:14 +0200
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <20161019165444.xwqgsi54az637vpd@dead.ccr.buffalo.edu>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu>
 <58072B26.4090203@redhat.com>
 <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu>
 <5807A041.8030507@redhat.com>
 <20161019165444.xwqgsi54az637vpd@dead.ccr.buffalo.edu>
Message-ID: <5807A7CA.4020708@redhat.com>

On 10/19/2016 06:54 PM, Andrew E. Bruno wrote:
> On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote:
>>
>> On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
>>> On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
>>>> On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
>>>>> We had one of our replicas fail today with the following errors:
>>>>>
>>>>>
>>>>> [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000
>>>>> [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559)
>>>>> [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
>>>>> [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
>>>>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
>>>>> [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
>>>>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
>>>>> [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
>>>>> [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>> [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5)
>>>>> [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000
>>>>>
>>>>>
>>>>> ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
>>>>> hangs up here:
>>>>>
>>>>> [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
>>>>> [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
>>>>> [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
>>>>>
>>>>>
>>>>> Tried deleting the semaphore files and restarting but no luck. Attached
>>>>> is a stacktrace of the stuck ns-slapd process.
>>>>>
>>>>> Here are the versions we're running:
>>>>>
>>>>> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
>>>>> 389-ds-base-1.3.4.0-33.el7_2.x86_64
>>>>>
>>>>> FWIW, we were experimenting with the new life-cycle management features,
>>>>> specifically "preserved" users and deleted the user "janedoe" when this
>>>>> happened. From the errors above it looks like this host failed to
>>>>> replicate the change? Not sure if this is related or not.
>>>>>
>>>>> Is it possible to recover the database? Thanks in advance for any pointers.
>>>> From the stack trace the process is not hanging, it is trying to recover.
>>>> After a crash/kill the changelog does not contain a RUV and it is
>>>> reconstructed by reading all records in the changelog; if this is large it
>>>> can take some time.
>>>> If you look at that part of the stack repeatedly,
>>>>
>>>> #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, len=, entry=entry at entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342
>>>> rc =
>>>> version =
>>>> pos = 0x7f4e9839d091 ""
>>>> strCSN = 0x0
>>>> op = 0x7ffff6598980
>>>> add_mods = 0x7f4e983a5e80
>>>> rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
>>>> s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377"
>>>> #5 0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry at entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291
>>>> rc = 0
>>>> it = 0x7f4e983a5e80
>>>> key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
>>>> data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
>>>> #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306
>>>>
>>>>
>>>> you should see some progress in which entry is handled
>>>>
>>> Ludwig, thanks very much for the help. As you pointed out, it just needed to let it
>>> finish. ns-slapd eventually came back up once it finished reading the
>>> changelog. Still seeing some errors related to the NSMMReplicationPlugin failed
>>> to apply update and from the managed-entries-plugin. Can these safely be
>>> ignored or are they indicative of a more serious problem?
>> It is difficult to say the reason for the managed entries messages.
>> It says that the origin entry "uid=janedoe,cn=deleted
>> users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
>> still has a managed entry ('mepManagedEntry') that is possibly
>> something like
>> 'cn=janedoe,cn=groups,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu'.
>>
>> This is looking like a bug because user 'janedoe' being a preserved user, it
>> should not have any reference to existing groups.
>>
>> Could you dump uid=janedoe entry:
>> ldapsearch -D "cn=directory manager" -w xxxx -b "uid=janedoe,cn=deleted
>> users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
>> nscpentrywsi
> Here's the entry for janedoe:
>
> ldapsearch -Y GSSAPI -b "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu" nscpentrywsi
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: nscpentrywsi
> #
>
> # janedoe, deleted users, accounts, provisioning, cbls.ccr.buffalo.edu
> dn: uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

nscpentrywsi is a specific attribute that dumps the entry. It is only available for 'cn=directory manager' but not for 'admin'.
If you do not know the 'cn=directory manager' password, then, as 'admin', do the same request without specifying any attributes:

ldapsearch -Y GSSAPI -LLL -s base -b "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu"

>
>
>> If the link still exists, it is looking like a bug but IMHO it should not
>> create a security issue.
>>
>> regards
>> thierry

From aebruno2 at buffalo.edu Wed Oct 19 17:25:36 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 19 Oct 2016 13:25:36 -0400
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <5807A7CA.4020708@redhat.com>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu>
 <58072B26.4090203@redhat.com>
 <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu>
 <5807A041.8030507@redhat.com>
 <20161019165444.xwqgsi54az637vpd@dead.ccr.buffalo.edu>
 <5807A7CA.4020708@redhat.com>
Message-ID: <20161019172536.geeva42ni76votis@dead.ccr.buffalo.edu>

On Wed, Oct 19, 2016 at 07:05:14PM +0200, thierry bordaz wrote:
>
>
> On 10/19/2016 06:54 PM, Andrew E. Bruno wrote:
> > On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote:
> > >
> > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> > > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> > > > > > We had one of our replicas fail today with the following errors:
> > > > > >
> > > > > >
> > > > > > [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000 > > > > > > [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559) > > > > > > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case > > > > > > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition. > > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993. > > > > > > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993) > > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993. > > > > > > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error. 
> > > > > > [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1] > > > > > > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5) > > > > > > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0 > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock)) > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000 > > > > > > > > > > > > > > > > > > ns-slapd was hung so we restarted and now it's stuck and won't come back up. It > > > > > > hangs up here: > > > > > > > > > > > > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition. 
> > > > > > [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943 > > > > > > [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943 > > > > > > > > > > > > > > > > > > Tried deleting the semaphore files and restarting but no luck. Attached > > > > > > is a stacktrace of the stuck ns-slapd process. > > > > > > > > > > > > Here's the versions were running: > > > > > > > > > > > > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64 > > > > > > 389-ds-base-1.3.4.0-33.el7_2.x86_64 > > > > > > > > > > > > FWIW, we were experimenting with the new life-cycle management features, > > > > > > specifically "preserved" users and deleted the user "janedoe" when this > > > > > > happened. From the errors above looks like this host failed to > > > > > > replicate the change? Not sure if this is related or not. > > > > > > > > > > > > Is it possible to recover the database? Thanks in advance for any pointers. > > > > > from the stack trace the process is not hanging, it is trying to recover. > > > > > After a crash/kill the changelog does not contai a RUV and it is > > > > > reconstructed by reading all records in the changelog, if this is large it > > > > > can take some time. 
> > > > > If you look at that part of the stack repeatedly, > > > > > > > > > > #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, len=, entry=entry at entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342 > > > > > rc = > > > > > version = > > > > > pos = 0x7f4e9839d091 "" > > > > > strCSN = 0x0 > > > > > op = 0x7ffff6598980 > > > > > add_mods = 0x7f4e983a5e80 > > > > > rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" > > > > > s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377" > > > > > #5 0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry at entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291 > > > > > rc = 0 > > > > > it = 0x7f4e983a5e80 > > > > > key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16} > > > > > data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16} > > > > > #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306 > > > > > > > > > > > > > > > you should see some progress in which entry is handled > > > > > > > > > Ludwig, thanks very much for the help. As you pointed out just needed to let it > > > > finish. ns-slapd eventually came back up once it finished reading the > > > > changelog. Still seeing some errors related to the NSMMReplicationPlugin failed > > > > to apply update and from the managed-entries-plugin. Can these safely be > > > > ignored or are they indicative of a more serious problem? > > > This is difficult to say the reason of managed entries messages. 
> > > It says that the origin entry "uid=janedoe,cn=deleted
> > > users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
> > > is still having a managed entry ('|mepManagedEntry') that is possibly
> > > something like
> > > '|cn=janedoe,cn=groups,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu".
> > >
> > > This is looking like a bug because user 'janedoe' being a preserved user, it
> > > should not have any reference to existing groups.
> > >
> > > Could you dump uid=janedoe entry:
> > > ldapsearch -D "cn=directory manager" -w xxxx -b "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu" nscpentrywsi
> nscpentrywsi is a specific attribute that dumps the entry. It is only
> available for 'cn=directory manager' but not for 'admin'.
> If you do not know the 'cn=directory manager' password, then being 'admin'
> do the same request without specifying any attributes

Sorry about that... here's the dump of janedoe entry using the directory manager:

ldapsearch -D "cn=directory manager" -W -b "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu" nscpentrywsi
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: nscpentrywsi
#

# janedoe, deleted users, accounts, provisioning, cbls.ccr.buffalo.edu
dn: uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu
nscpentrywsi: dn: uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu
nscpentrywsi: entryusn;adcsn-58077599000100060003;vucsn-58077599000100060003: 114339992
nscpentrywsi: modifyTimestamp;adcsn-58077599000100060002;vucsn-58077599000100060002: 20161019132917Z
nscpentrywsi: modifiersName;adcsn-58077599000100060001;vucsn-58077599000100060001: cn=IPA MODRDN,cn=plugins,cn=config
nscpentrywsi: krbPrincipalName;adcsn-58077599000100060000;vucsn-58077599000100060000: janedoe@CBLS.CCR.BUFFALO.EDU
nscpentrywsi: uid;vucsn-58065f7c000a00040001;mdcsn-58065f7c000a00040000: abhinavv
nscpentrywsi: nsAccountLock;adcsn-575f121e000600040000;vucsn-575f121e000600040000: TRUE
nscpentrywsi: entryid: 2585
nscpentrywsi: ipaUniqueID;vucsn-55a9d0ae000200040000: 4eea383c-2d02-11e5-9809-a0369f577818
nscpentrywsi: createTimestamp;vucsn-55a9d0ae000200040000: 20150718040603Z
nscpentrywsi: creatorsName;vucsn-55a9d0ae000200040000: uid=admin,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu
nscpentrywsi: givenName;vucsn-55a9d0ae000200040000: Jane
nscpentrywsi: mail;vucsn-55a9d0ae000200040000: janedoe
nscpentrywsi: homeDirectory;vucsn-55a9d0ae000200040000: /user/janedoe
nscpentrywsi: gecos;vucsn-55a9d0ae000200040000: Jane Doe
nscpentrywsi: gidNumber;vucsn-55a9d0ae000200040000: 573
nscpentrywsi: initials;vucsn-55a9d0ae000200040000: JD
nscpentrywsi: uidNumber;vucsn-55a9d0ae000200040000: 253568
nscpentrywsi: sn;vucsn-55a9d0ae000200040000: Vishnu
nscpentrywsi: loginShell;vucsn-55a9d0ae000200040000: /bin/bash
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: ipaobject
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: person
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: top
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: inetuser
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: posixaccount
nscpentrywsi: objectClass;vucsn-55a9d0ae000200040000: ipaSshGroupOfPubKeys
nscpentrywsi: cn;vucsn-55a9d0ae000200040000: Jane Doe
nscpentrywsi: displayName;vucsn-55a9d0ae000200040000: Jane Doe
nscpentrywsi: nsUniqueId: 4080421a-2d0211e5-ac0b8f7e-e0b1a377
nscpentrywsi: parentid: 8938
nscpentrywsi: memberOf;adcsn-58077599000000060000;vdcsn-58077599000000060000;deletedattribute;deleted:
nscpentrywsi: description;adcsn-55a9d0ae000500040000;vdcsn-55a9d0ae000500040000;deletedattribute;deleted:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

From aebruno2 at buffalo.edu Wed Oct 19 17:28:30 2016
From: aebruno2 at buffalo.edu (Andrew E. Bruno)
Date: Wed, 19 Oct 2016 13:28:30 -0400
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <5807A68D.1030004@redhat.com>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com> <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu> <58078B04.2030408@redhat.com> <58079431.5070801@redhat.com> <20161019162838.vlk465mkqxzuln2x@dead.ccr.buffalo.edu> <5807A68D.1030004@redhat.com>
Message-ID: <20161019172830.ngohwqfe7rbgbzyw@dead.ccr.buffalo.edu>

On Wed, Oct 19, 2016 at 06:59:57PM +0200, thierry bordaz wrote:
>
>
> On 10/19/2016 06:28 PM, Andrew E. Bruno wrote:
> > On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote:
> > > On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:
> > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
> > > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
> > > > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
> > > > > > > We had one of our replicas fail today with the following errors:
> > > > > > >
> > > > > > >
> > > > > > > [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000
> > > > > > > [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
> > > > > > > [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559)
> > > > > > > [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
> > > > > > > [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> > > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
> > > > > > > [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
> > > > > > > [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
> > > > > > > [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
> > > > > > > [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > > > > > > [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5)
> > > > > > > [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
> > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
> > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
> > > > > > > [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000
> > > > > > >
> > > > > > >
> > > > > > > ns-slapd was hung so we restarted and now it's stuck and won't come back up. It
> > > > > > > hangs up here:
> > > > > > >
> > > > > > > [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> > > > > > > [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> > > > > > > [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; NSPR error - -5943
> > > > > > >
> > > > > > >
> > > > > > > Tried deleting the semaphore files and restarting but no luck. Attached
> > > > > > > is a stacktrace of the stuck ns-slapd process.
> > > > > > >
> > > > > > > Here's the versions we're running:
> > > > > > >
> > > > > > > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > > > > > > 389-ds-base-1.3.4.0-33.el7_2.x86_64
> > > > > > >
> > > > > > > FWIW, we were experimenting with the new life-cycle management features,
> > > > > > > specifically "preserved" users and deleted the user "janedoe" when this
> > > > > > > happened. From the errors above it looks like this host failed to
> > > > > > > replicate the change? Not sure if this is related or not.
> > > > > > >
> > > > > > > Is it possible to recover the database? Thanks in advance for any pointers.
> > > > > > from the stack trace the process is not hanging, it is trying to
> > > > > > recover.
> > > > > > After a crash/kill the changelog does not contain a RUV and it is
> > > > > > reconstructed by reading all records in the changelog, if this
> > > > > > is large it
> > > > > > can take some time.
> > > > > > If you look at that part of the stack repeatedly,
> > > > > >
> > > > > > #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, len=, entry=entry@entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342
> > > > > >         rc =
> > > > > >         version =
> > > > > >         pos = 0x7f4e9839d091 ""
> > > > > >         strCSN = 0x0
> > > > > >         op = 0x7ffff6598980
> > > > > >         add_mods = 0x7f4e983a5e80
> > > > > >         rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
> > > > > >         s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377"
> > > > > > #5 0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry@entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291
> > > > > >         rc = 0
> > > > > >         it = 0x7f4e983a5e80
> > > > > >         key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
> > > > > >         data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
> > > > > > #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306
> > > > > >
> > > > > >
> > > > > > you should see some progress in which entry is handled
> > > > >
> > > > > Ludwig, thanks very much for the help. As you pointed out just
> > > > > needed to let it
> > > > > finish. ns-slapd eventually came back up once it finished reading the
> > > > > changelog. Still seeing some errors related to the
> > > > > NSMMReplicationPlugin failed
> > > > > to apply update and from the managed-entries-plugin. Can these safely be
> > > > > ignored or are they indicative of a more serious problem?
> > > > >
> > > > > [19/Oct/2016:09:28:46 -0400] - Operation error fetching Null DN (e73b48a4-95ff11e6-8bc7a516-e778e883), error -30993.
> > > > > [19/Oct/2016:09:28:46 -0400] - dn2entry_ext: Failed to get id for changenumber=30856335,cn=changelog from entryrdn index (-30993)
> > > > > [19/Oct/2016:09:28:46 -0400] - Operation error fetching changenumber=30856335,cn=changelog (null), error -30993.
> > > > > [19/Oct/2016:09:28:46 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856335, dn = changenumber=30856335,cn=changelog: Operations error.
> > > > > [19/Oct/2016:09:28:46 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > > > > [19/Oct/2016:09:28:46 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=9 op=28)
> > > > > [19/Oct/2016:09:28:54 -0400] - Operation error fetching Null DN (e73b48a7-95ff11e6-8bc7a516-e778e883), error -30993.
> > > > > [19/Oct/2016:09:28:59 -0400] - dn2entry_ext: Failed to get id for changenumber=30856337,cn=changelog from entryrdn index (-30993)
> > > > > [19/Oct/2016:09:29:17 -0400] - Operation error fetching changenumber=30856337,cn=changelog (null), error -30993.
> > > > > [19/Oct/2016:09:29:17 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856337, dn = changenumber=30856337,cn=changelog: Operations error.
> > > > > [19/Oct/2016:09:29:17 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > > > > [19/Oct/2016:09:29:17 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=15 op=5)
> > > > > [19/Oct/2016:09:29:20 -0400] - Retry count exceeded in delete
> > > > > [19/Oct/2016:09:29:20 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712389 (rc: 51)
> > > > > [19/Oct/2016:09:29:28 -0400] - Operation error fetching Null DN (0afe8e82-960011e6-8bc7a516-e778e883), error -30993.
> > > > > [19/Oct/2016:09:29:28 -0400] - dn2entry_ext: Failed to get id for changenumber=30856351,cn=changelog from entryrdn index (-30993)
> > > > > [19/Oct/2016:09:29:28 -0400] - Operation error fetching changenumber=30856351,cn=changelog (null), error -30993.
> > > > > [19/Oct/2016:09:29:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856351, dn = changenumber=30856351,cn=changelog: Operations error.
> > > > > [19/Oct/2016:09:29:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > > > > [19/Oct/2016:09:29:28 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=25 op=5)
> > > > > [19/Oct/2016:09:29:31 -0400] - Retry count exceeded in delete
> > > > > [19/Oct/2016:09:29:31 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712865 (rc: 51)
> > > > > [19/Oct/2016:09:29:39 -0400] - Operation error fetching Null DN (0afe8e90-960011e6-8bc7a516-e778e883), error -30993.
> > > > > [19/Oct/2016:09:29:39 -0400] - dn2entry_ext: Failed to get id for changenumber=30856364,cn=changelog from entryrdn index (-30993)
> > > > > [19/Oct/2016:09:29:39 -0400] - Operation error fetching changenumber=30856364,cn=changelog (null), error -30993.
> > > > > [19/Oct/2016:09:29:39 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856364, dn = changenumber=30856364,cn=changelog: Operations error.
> > > > > [19/Oct/2016:09:29:39 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > > > > [19/Oct/2016:09:29:39 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=35 op=5)
> > > > > [19/Oct/2016:09:29:42 -0400] - Retry count exceeded in delete
> > > > > [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30713364 (rc: 51)
> > > > > [19/Oct/2016:09:29:42 -0400] - Operation error fetching Null DN (0afe8ea0-960011e6-8bc7a516-e778e883), error -30993.
> > > > > [19/Oct/2016:09:29:42 -0400] - dn2entry_ext: Failed to get id for changenumber=30856379,cn=changelog from entryrdn index (-30993)
> > > > > [19/Oct/2016:09:29:42 -0400] - Operation error fetching changenumber=30856379,cn=changelog (null), error -30993.
> > > > > [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856379, dn = changenumber=30856379,cn=changelog: Operations error.
> > > > > [19/Oct/2016:09:29:42 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > > > > [19/Oct/2016:09:29:42 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=36 op=5)
> > > > > [19/Oct/2016:09:29:50 -0400] - Operation error fetching Null DN (0afe8ea2-960011e6-8bc7a516-e778e883), error -30993.
> > > > > [19/Oct/2016:09:29:50 -0400] - dn2entry_ext: Failed to get id for changenumber=30856380,cn=changelog from entryrdn index (-30993)
> > > > > [19/Oct/2016:09:29:50 -0400] - Operation error fetching changenumber=30856380,cn=changelog (null), error -30993.
> > > > > [19/Oct/2016:09:29:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856380, dn = changenumber=30856380,cn=changelog: Operations error.
> > > > > [19/Oct/2016:09:29:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
> > > > this doesn't look good. There could be cancelled ops which would be
> > > > repeated, but the failing repl op is always with the same csn:
> > > > 5806acf7000000600000
> > > > so it seems incoming replication is stuck.
> > > > you could try to find out which entry is affected (grep for the csn in
> > > > the access log and look at the operation) and what kind of modification
> > > > it is to check what could be going wrong.
> > > >
> > Here's what was in the access logs for that csn:
> >
> > access.20161018-113116:[19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=103 nentries=0 etime=3 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:29:17 -0400] conn=15 op=5 RESULT err=1 tag=103 nentries=0 etime=24 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:29:28 -0400] conn=25 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:29:39 -0400] conn=35 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:29:42 -0400] conn=36 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:29:50 -0400] conn=37 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:29:54 -0400] conn=44 op=5 RESULT err=1 tag=103 nentries=0 etime=1 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:29:58 -0400] conn=45 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:30:06 -0400] conn=46 op=5 RESULT err=1 tag=103 nentries=0 etime=4 csn=5806acf7000000600000
> > access.20161018-113116:[19/Oct/2016:09:30:12 -0400] conn=48 op=5 RESULT err=0 tag=103 nentries=0 etime=2 csn=5806acf7000000600000
> >
> >
> > Interestingly, right before the first op=28 was the modification of user
> > janedoe, we were testing deleting/preserving this user:
> >
> > [19/Oct/2016:09:28:43 -0400] conn=9 op=27 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> > [19/Oct/2016:09:28:43 -0400] conn=10 op=15 RESULT err=0 tag=103 nentries=0 etime=0 csn=58065f7c000300030000
> > [19/Oct/2016:09:28:43 -0400] conn=10 op=16 MODRDN dn="uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" newrdn="uid=janedoe" newsuperior="cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
> > [19/Oct/2016:09:28:43 -0400] conn=9 op=27 RESULT err=0 tag=103 nentries=0 etime=0 csn=5806a973000000600000
> > [19/Oct/2016:09:28:43 -0400] conn=9 op=28 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> > [19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=103 nentries=0 etime=3 csn=5806acf7000000600000
> > [19/Oct/2016:09:28:46 -0400] conn=9 op=-1 fd=88 closed - B4
> Note that the janedoe operation and the 5806acf7000000600000 operation were on
> different suffixes but are sharing the retroCL.
> According to
> > [19/Oct/2016:09:30:06 -0400] managed-entries-plugin - mep_mod_post_op: Unable to find config for origin entry "uid=janedoe,cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu".
> We may think that operation 'conn=10 op=16' completed (but likely failed) on 9:30:06 and only then 5806acf7000000600000
> was successfully replicated.
>
> There may be interaction between both operations, 'janedoe' that was to fail but preventing other updates to complete.
>
> It would be interesting to get full logs (access/errors): 19/Oct/2016:09:28:43 -> 19/Oct/2016:09:30:20
> and also the dump of 'janedoe' entry.

I'd be happy to provide more logs. Any chance I can send them off list?

> > > the information of what is the change with csn 5806acf7000000600000, it
> > > should be found in the changelog of the server with the replicaid 96.
> > Where can I find/query the changelog?
> You may dump it with: dbscan -f /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/xxx.db
> > > there is also the possibility that your retro changelog got corrupted. could
> > > you try to query the retrocl: ldapsearch ..... -b "cn=changelog" dn
> > Guessing the changelog is too big or I need to increase some limit?
> >
> > ldapsearch -Y GSSAPI -b "cn=changelog" dn
> > # extended LDIF
> > #
> > # LDAPv3
> > # base with scope subtree
> > # filter: (objectclass=*)
> > # requesting: dn
> > #
> >
> > # search result
> > search: 4
> > result: 11 Administrative limit exceeded
> Can you do the same operation being 'cn=directory manager' ?
> > > and before rebuilding or reimporting the database it would be worth to try
> > > to recreate the retro changelog
> > I'm not seeing any more errors in the logs. Is there any way to verify if
> > replication has caught up?
> >
> > Thanks again for all the help.
>
>

From bretif at phosphore.eu Wed Oct 19 18:18:10 2016
From: bretif at phosphore.eu (Bertrand Rétif)
Date: Wed, 19 Oct 2016 20:18:10 +0200 (CEST)
Subject: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
In-Reply-To: <719022987.1370764.1476884527122.JavaMail.zimbra@phosphore.eu>
References: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu> <1101487784.1356614.1476878994121.JavaMail.zimbra@phosphore.eu> <58077566.8010401@redhat.com> <719022987.1370764.1476884527122.JavaMail.zimbra@phosphore.eu>
Message-ID: <1467699597.1398215.1476901090793.JavaMail.zimbra@phosphore.eu>

> From: "Bertrand Rétif"
> To: freeipa-users at redhat.com
> Sent: Wednesday 19 October 2016 15:42:07
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> ----- Original Message -----
> > From: "Rob Crittenden"
> > To: "Bertrand Rétif" , freeipa-users at redhat.com
> > Sent: Wednesday 19 October 2016 15:30:14
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > Bertrand Rétif wrote:
> > > >> From: "Martin Babinsky"
> > > >> To: freeipa-users at redhat.com
> > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
pki-tomcat > > >> issue > > > > > > > >> On 10/18/2016 11:22 PM, Bertrand R?tif wrote: > > > >>> Hello, > > > >>> > > > >>> I had an issue with pki-tomcat. > > > >>> I had serveral certificate that was expired and pki-tomcat did not > > >>> start > > > >>> anymore. > > > >>> > > > >>> I set the dateon the server before certificate expiration and then > > > >>> pki-tomcat starts properly. > > > >>> Then I try to resubmit the certificate, but I get below error: > > > >>> "Profile caServerCert Not Found" > > > >>> > > > >>> Do you have any idea how I could fix this issue. > > > >>> > > > >>> Please find below output of commands: > > > >>> > > > >>> > > > >>> # getcert resubmit -i 20160108170324 > > > >>> > > > >>> # getcert list -i 20160108170324 > > > >>> Number of certificates and requests being tracked: 7. > > > >>> Request ID '20160108170324': > > > >>> status: MONITORING > > > >>> ca-error: Server at > > > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: > > > >>> Profile caServerCert Not Found > > > >>> stuck: no > > > >>> key pair storage: > > > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > >>> certificate: > > > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > >>> Certificate DB' > > > >>> CA: dogtag-ipa-ca-renew-agent > > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU > > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU > > > >>> expires: 2016-06-28 15:25:11 UTC > > > >>> key usage: > > > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > >>> eku: id-kp-serverAuth,id-kp-clientAuth > > > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre > > > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > > > >>> track: yes > > > >>> auto-renew: yes > > > >>> > > > >>> > > > >>> Thanksby advance for your help. 
> > > >>> Bertrand
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >
> > > >> Hi Bertrand,
> > > >
> > > >> what version of FreeIPA and Dogtag are you running?
> > > >
> > > >> Also perform the following search on the IPA master and post the result:
> > > >
> > > >> """
> > > >> ldapsearch -D "cn=Directory Manager" -W -b
> > > >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> > > >> """
> > > >
> > > > Hi Martin,
> > > >
> > > > Thanks for your reply.
> > > >
> > > > Here is version:
> > > > - FreeIPA 4.2.0
> > > > - Centos 7.2
> > > >
> > > > I have been able to fix the issue with "Profile caServerCert Not Found" by
> > > > editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > > > I replaced the entry below
> > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> > > > by
> > > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> > > >
> > > > and then launched the "ipa-server-upgrade" command
> > > > I found this solution in this post:
> > > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> > > >
> > > > Then I was able to renew my certificate.
> > > >
> > > > However I rebooted my server too and pki-tomcat does not start and gives
> > > > a new error in /var/log/pki/pki-tomcat/ca/debug
> > > >
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
> > > >
> > > > java.lang.Exception: SystemCertsVerification: system certs verification failure
> > > >         at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> > > >         at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> > > >         [...]
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
> > > >
> > > >
> > > > I am currently stuck here.
> > > > Thanks a lot for your help.
> > > I'm guessing at least one of the CA subsystem certificates are still
> > > expired. Look at the "getcert list" output to see if there are any
> > > expired certificates.
> > > rob
> > > >
> > > > Bertrand
> > > >
> > > >
> >
> Hello Rob,
> I checked on my 2 servers and no certificate is expired
> [root@sdkipa03 ~]# getcert list |grep expire
>         expires: 2018-06-22 22:02:26 UTC
>         expires: 2018-06-22 22:02:47 UTC
>         expires: 2034-07-09 15:24:34 UTC
>         expires: 2016-10-30 13:35:29 UTC
> [root@sdkipa01 conf]# getcert list |grep expire
>         expires: 2018-06-12 23:38:01 UTC
>         expires: 2018-06-12 23:37:41 UTC
>         expires: 2018-06-11 22:53:57 UTC
>         expires: 2018-06-11 22:55:50 UTC
>         expires: 2018-06-11 22:57:47 UTC
>         expires: 2034-07-09 15:24:34 UTC
>         expires: 2018-06-11 22:59:55 UTC
> I see that one certificate is in status: CA_UNREACHABLE, maybe I rebooted my
> server too soon...
> I continue to investigate
> Thanks for your help.
> Bertrand

I fixed my previous issue.
Now I have an issue with a server. This server can not start pki-tomcatd, I get this error in the debug file:
"Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"

After investigation I see that I do not have the "ipaCert" certificate in "/etc/httpd/alias", cf. the command below:

[root@sdkipa03 ~]# getcert list -d /etc/httpd/alias
Number of certificates and requests being tracked: 4.
Request ID '20141110133632':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=A.SKINFRA.EU
        subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
        expires: 2018-06-22 22:02:47 UTC
        principal name: HTTP/sdkipa03.skinfra.eu@A.SKINFRA.EU
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

How can I add the certificate to /etc/httpd/alias?

Thanks for your support.
Regards
Bertrand

From dag at sonsorol.org Wed Oct 19 19:18:14 2016
From: dag at sonsorol.org (Chris Dagdigian)
Date: Wed, 19 Oct 2016 15:18:14 -0400
Subject: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory
Message-ID: <5807C6F6.4070107@sonsorol.org>

Thanks to great tips and pointers from people on this list (h/t Alexander B) I was able to build an IPA master + replica setup that can recognize and allow logins from users coming from multiple disconnected AD Forests with 1-way trusts to the IPA servers

Sanitized view of our AWS footprint:

AD Servers & IPA:
------------------------
AD Forest #1: company-test.org
AD Forest #2: company-aws.org
AD Forest #3: company.org
IPA Domain/Realm: company-ipa.org (successful 1-way trusts to company-test.org and company-aws.org etc.)

With basic recognition of users and working SSH logins based on AD username and passwords I'm moving on to trying to use the far more interesting IPA/IDM features.
Using user accounts defined locally on the IPA server I'm having a blast uploading SSH keys and creating sudo rules and groups. So the natural next question is "can we do this for users who exist only in remote AD controllers?"

IPA is doing 100% of the UID/GID/Posix stuff management - we are only pulling usernames & groups from AD and checking passwords against the AD servers.

The basic question -- is it possible for me to get to "hybrid linux user management" nirvana whereby IPA/IDM manages everything about AD users except for their username and passwords?

Tried to find this in the official documentation but it dives instantly into deep topics about user data mapping, custom schemas and dealing with POSIX data served up by the AD controllers. Hard to figure out the boundary between what IPA can support with local user accounts vs what it can do when the users exist in remote AD forests.

Any URLs or documentation pointers would be appreciated

Regards,
Chris

From jbaird at follett.com Wed Oct 19 19:31:11 2016
From: jbaird at follett.com (Baird, Josh)
Date: Wed, 19 Oct 2016 19:31:11 +0000
Subject: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory
In-Reply-To: <5807C6F6.4070107@sonsorol.org>
References: <5807C6F6.4070107@sonsorol.org>

Hi,

If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.
There are examples of this in the IdM documentation, but the gist is:

* Create an 'external' group in IPA (eg, ipa group-add external_admins --external)
* Add your AD group as a member to the external group (eg, ipa group-add-member external_admins --external 'AD\groupname')
* Create a standard POSIX group in IPA (eg, ipa group-add admins)
* Add the external group as a member to the POSIX group (eg, ipa group-add-member admins --groups external_admins)

Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and the policies will apply to the AD users in the AD\groupname group.

Hope this helps.

Thanks,

Josh

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chris Dagdigian
Sent: Wednesday, October 19, 2016 3:18 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

Thanks to great tips and pointers from people on this list (h/t Alexander B) I was able to build an IPA master + replica setup that can recognize and allow logins from users coming from multiple disconnected AD Forests with 1-way trusts to the IPA servers

Sanitized view of our AWS footprint:

AD Servers & IPA:
------------------------
AD Forest #1: company-test.org
AD Forest #2: company-aws.org
AD Forest #3: company.org
IPA Domain/Realm: company-ipa.org (successful 1-way trusts to company-test.org and company-aws.org etc.)

With basic recognition of users and working SSH logins based on AD username and passwords I'm moving on to trying to use the far more interesting IPA/IDM features.

Using user accounts defined locally on the IPA server I'm having a blast uploading SSH keys and creating sudo rules and groups. So the natural next question is "can we do this for users who exist only in remote AD controllers?"
IPA is doing 100% of the UID/GID/Posix stuff management - we are only pulling usernames & groups from AD and checking passwords against the AD servers.

The basic question -- is it possible for me to get to "hybrid linux user management" nirvana whereby IPA/IDM manages everything about AD users except for their username and passwords?

Tried to find this in the official documentation but it dives instantly into deep topics about user data mapping, custom schemas and dealing with POSIX data served up by the AD controllers. Hard to figure out the boundary between what IPA can support with local user accounts vs what it can do when the users exist in remote AD forests.

Any URLs or documentation pointers would be appreciated

Regards,
Chris

From abokovoy at redhat.com Wed Oct 19 19:44:14 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 19 Oct 2016 22:44:14 +0300
Subject: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory
In-Reply-To: <5807C6F6.4070107@sonsorol.org>
References: <5807C6F6.4070107@sonsorol.org>
Message-ID: <20161019194414.3rigvmsusd7q4427@redhat.com>

On ke, 19 loka 2016, Chris Dagdigian wrote:
>Thanks to great tips and pointers from people on this list (h/t Alexander B) I was able to build an IPA master + replica setup that can recognize and allow logins from users coming from multiple disconnected AD Forests with 1-way trusts to the IPA servers
>
>Sanitized view of our AWS footprint:
>
>AD Servers & IPA:
>------------------------
>AD Forest #1: company-test.org
>AD Forest #2: company-aws.org
>AD Forest #3: company.org
>IPA Domain/Realm: company-ipa.org (successful 1-way trusts to company-test.org and company-aws.org etc.)
>
>With basic recognition of users and working SSH logins based on AD username and passwords I'm moving on to trying to use the far more interesting IPA/IDM features.
>
>Using user accounts defined locally on the IPA server I'm having a blast uploading SSH keys and creating sudo rules and groups. So the natural next question is "can we do this for users who exist only in remote AD controllers?"
Yes, you can, by using ID views and ID overrides. In FreeIPA < 4.4 you need admins to create and populate the overrides. You can see how it works in this video: https://www.youtube.com/watch?v=M_umNxB7rSM

Starting with FreeIPA 4.4 you only need to create override as IPA admin, users can populate it with the use of IPA command line interface while 'kinit' as AD user:

$ kinit admin
$ ipa idoverrideuser-add 'Default Trust View' user@ad.domain

then AD user can do:

$ kinit user@AD.DOMAIN
$ ipa idoverrideuser-mod 'Default Trust View' user@ad.domain \
    --sshpubkey="$(cat /path/to/my-ssh-key.pub)"

There are access controls in place which don't allow to change things like username (--login) or home directory in self-service. Practically, AD users can maintain their public SSH keys and (starting with FreeIPA 4.4) attach public certificates to their ID overrides.

>IPA is doing 100% of the UID/GID/Posix stuff management - we are only pulling usernames & groups from AD and checking passwords against the AD servers.
>
>The basic question -- is it possible for me to get to "hybrid linux user management" nirvana whereby IPA/IDM manages everything about AD users except for their username and passwords?
See above.

>Tried to find this in the official documentation but it dives instantly into deep topics about user data mapping, custom schemas and dealing with POSIX data served up by the AD controllers. Hard to figure out the boundary between what IPA can support with local user accounts vs what it can do when the users exist in remote AD forests.
>
>Any URLs or documentation pointers would be appreciated
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#managing-id-views-in-ad

ID Views are the thing you need to deal with. FreeIPA 4.4 adds support for 'self-service' for AD users in the command line. Versions before it require IPA admins to handle ID overrides. No Web UI support for the self-service yet.

FreeIPA 4.4 is what is available in RHEL 7.3 beta already.

--
/ Alexander Bokovoy

From dag at sonsorol.org Wed Oct 19 19:45:14 2016
From: dag at sonsorol.org (Chris Dagdigian)
Date: Wed, 19 Oct 2016 15:45:14 -0400
Subject: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory
References: <5807C6F6.4070107@sonsorol.org>
Message-ID: <5807CD4A.3030904@sonsorol.org>

Perfect thank you. I tend to get too wordy in my emails. You've described exactly what I'm going for.

Follow up question - Will a similar approach work for users (not groups) as well if there is a small collection of AD-defined people I want to hold and distribute SSH public keys for?

Happy to document our setup or write up a HowTO or intro guide for other novices if we are trying something that is not often done.

Regards,
Chris

Baird, Josh wrote:
> Hi,
>
> If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.
> There are examples of this in the IdM documentation, but the gist is:
>
> * Create an 'external' group in IPA (eg, ipa group-add external_admins --external)
> * Add your AD group as a member to the external group (eg, ipa group-add-member external_admins --external 'AD\groupname')
> * Create a standard POSIX group in IPA (eg, ipa group-add admins)
> * Add the external group as a member to the POSIX group (eg, ipa group-add-member admins --groups external_admins)
>
> Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and the policies will apply to the AD users in the AD\groupname group.
>
> Hope this helps.
>
> Thanks,
>
> Josh

From abokovoy at redhat.com Wed Oct 19 19:46:10 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 19 Oct 2016 22:46:10 +0300
Subject: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory
References: <5807C6F6.4070107@sonsorol.org>
Message-ID: <20161019194610.7x5aefmqimbcxlkl@redhat.com>

On ke, 19 loka 2016, Baird, Josh wrote:
>Hi,
>
>If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users. There are examples of this in the IdM documentation, but the gist is:
>
>* Create an 'external' group in IPA (eg, ipa group-add external_admins --external)
>* Add your AD group as a member to the external group (eg, ipa group-add-member external_admins --external 'AD\groupname')
>* Create a standard POSIX group in IPA (eg, ipa group-add admins)
>* Add the external group as a member to the POSIX group (eg, ipa group-add-member admins --groups external_admins)
>
>Now you can define policy (HBAC, sudo) based on the 'admins' POSIX group and the policies will apply to the AD users in the AD\groupname group.
Correct -- for HBAC and SUDO rules this is the right procedure.
See also discussions on this list in last couple months, this topic was discussed several times already.

For ID overrides (SSH public keys/homedir/etc) -- see my other email.

--
/ Alexander Bokovoy

From beeth2006 at gmail.com Thu Oct 20 03:05:31 2016
From: beeth2006 at gmail.com (beeth beeth)
Date: Wed, 19 Oct 2016 23:05:31 -0400
Subject: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

First of all, thanks for the quick response Florence!

I have a question about your suggested step [1] and [2]:
For [1], "ipa-cacert-manage install cert.pem". Which certificate is this? Is it the ChainBundle cert(root cert + intermediate cert)?
For [2], "ipa-server-certinstall -d /path/to/pkcs12.p12". Which certificate is this pkcs12.p12? Is it the Server cert?

Here's exactly what I ran initially to install the IPA server with the Verisign certs, by following your suggestion last time(at the Admin manual 2.3.6. Installing Without a CA), and it worked well:

# ipa-server-install --http-cert-file ServerCertificate.crt \
    --http-cert-file ipaserver1.encrypted.key --http-pin MYipakey \
    --dirsrv-cert-file ServerCertificate.crt \
    --dirsrv-cert-file ipaserver1.encrypted.key --dirsrv-pin MYipakey \
    --ca-cert-file ChainBundle2.crt

So, basically the installation requested 3 items: the server key(ipaserver1.encrypted.key), the server certificate from Verisign(ServerCertificate.crt), and the "root+intermediate" certs from Verisign(ChainBundle2.crt).
Now let's say such Verisign certificate expires, and I want to replace the certs from GoDaddy(another public cert provider), I assume a new set of certs, including the new key, the new server cert, and the new Chain cert(root+intermediate), total 3 items, will need to be included in the commands for the third party certificate replacement.
The steps [1] and [2] only show two inputs, so I am not sure what I have been missing.
Please advise the detail. Thanks again!
Beeth

On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud wrote:

> On 10/19/2016 05:23 PM, beeth beeth wrote:
>
>> I once asked about Install IPA servers with certificate provided by third-party like Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html). Florence, Rob and Jakub from Redhat had been very helpful, and pointed out the solution at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca, about "Installing Without a CA", and it worked great!
>>
>> Now it came up another problem, is that the Verisign(or any other certificate) will expire in a year or two, how can I smoothly renew the Verisign certificate on the primary and replica IPA servers a year from now? Or if we decide to use another provider, say Godaddy certificate, how can I replace the existing certificate on both IPA servers? I found a relevant instruction at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal, but that's about the "Dogtag" CA certificate, not about the third-party certificate I am using in our upcoming production environment(running IPA 4.2 on RHEL7).
>>
> Hi,
>
> if you plan to use another CA (for instance switch from Verisign to Godaddy), you will need first to install the new CA certificate with ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4 Manual CA Certificate Installation [1].
>
> Then, if you want to change the HTTP and LDAP certificates for your server, you can use the ipa-server-certinstall utility [2].
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install
>
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities
>
> Hope this helps,
> Flo.
>
>
>> Please advise. Thank you!
>> Beeth
>>
>

From rns at unimelb.edu.au Thu Oct 20 05:46:01 2016
From: rns at unimelb.edu.au (Robert Sturrock)
Date: Thu, 20 Oct 2016 16:46:01 +1100
Subject: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
Message-ID: <62D4B20C-4A0A-4F9C-A693-C0B61CFFAB38@unimelb.edu.au>

Hello,

We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with our University organisational AD. The AD forest contains *two* domains:

    EXAMPLE.AU (staff users)
    STUDENT.EXAMPLE.AU (student users)

The IPA domain that trusts these is called:

    IPA.EXAMPLE.AU

The basic configuration as described above works ok - we can login to IPA client hosts with user principals from either of the AD domains and we see correct group membership.

However, I would like to tune this configuration to drop the domain component of the user and group names. I tried to do this by adding these settings to the [sssd] section in sssd.conf on the client:

    default_domain_suffix = example.au
    full_name_format = %1$s

With this configuration, I can login as a staff domain user (example.au) successfully and I then see the short-name form of the groups:

    $ ssh -l rns@example.au ipa-client-rh7.ipa.example.au
    [rns@ipa-client-rh7 ~]$ groups
    rns domain users d-750g 511all [..etc..]
However, when I try logging in as a student domain user (student.example.au), I don't see any of the groups (there should be 8):

    $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
    [rnst@ipa-client-rh7 ~]$ groups
    rnst

Is this expected behaviour? Is there a possible client configuration that will support our AD forest setup or is this simply not possible?

Regards,
Robert.

Complete client sssd.conf:
---------------------------------
[domain/ipa.example.au]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.au
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rh7.ipa.example.au
chpass_provider = ipa
ipa_server = _srv_, matilda3.ipa.example.au
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s

[nss]
homedir_substring = /home
override_shell = /bin/bash

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

From flo at redhat.com Thu Oct 20 06:22:01 2016
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Thu, 20 Oct 2016 08:22:01 +0200
Subject: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

On 10/20/2016 05:05 AM, beeth beeth wrote:
> First of all, thanks for the quick response Florence!
>
> I have a question about your suggested step [1] and [2]:
> For [1], "ipa-cacert-manage install cert.pem". Which certificate is this? Is it the ChainBundle cert(root cert + intermediate cert)?
> For [2], "ipa-server-certinstall -d /path/to/pkcs12.p12". Which certificate is this pkcs12.p12? Is it the Server cert?
>
> Here's exactly what I ran initially to install the IPA server with the Verisign certs, by following your suggestion last time(at the Admin manual 2.3.6.
> Installing Without a CA), and it worked well:
>
> # ipa-server-install --http-cert-file ServerCertificate.crt \
>     --http-cert-file ipaserver1.encrypted.key --http-pin MYipakey \
>     --dirsrv-cert-file ServerCertificate.crt \
>     --dirsrv-cert-file ipaserver1.encrypted.key --dirsrv-pin MYipakey \
>     --ca-cert-file ChainBundle2.crt
>
> So, basically the installation requested 3 items: the server key(ipaserver1.encrypted.key), the server certificate from Verisign(ServerCertificate.crt), and the "root+intermediate" certs from Verisign(ChainBundle2.crt).
> Now let's say such Verisign certificate expires, and I want to replace the certs from GoDaddy(another public cert provider), I assume a new set of certs, including the new key, the new server cert, and the new Chain cert(root+intermediate), total 3 items, will need to be included in the commands for the third party certificate replacement.
> The steps [1] and [2] only show two inputs, so I am not sure what I have been missing.
>
Hi,

Sorry if I was not clear enough. The first step (ipa-cacert-manage install) aims at adding the CA certificate thus the root+intermediate certs should be provided.

The step with ipa-server-certinstall configures the Server Cert (-d if you want to replace the LDAP cert, -w for HTTP cert), meaning that the Server-Cert and key should be provided. The man page details all the supported formats, and it is possible to provide multiple files.

Hope this clarifies,
Flo.

> Please advise the detail. Thanks again!
> Beeth
>
>
> On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud wrote:
>
>     On 10/19/2016 05:23 PM, beeth beeth wrote:
>
>         I once asked about Install IPA servers with certificate provided by third-party like Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
>         Florence, Rob and Jakub from Redhat had been very helpful, and pointed out the solution at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca, about "Installing Without a CA", and it worked great!
>
>         Now it came up another problem, is that the Verisign(or any other certificate) will expire in a year or two, how can I smoothly renew the Verisign certificate on the primary and replica IPA servers a year from now? Or if we decide to use another provider, say Godaddy certificate, how can I replace the existing certificate on both IPA servers? I found a relevant instruction at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal, but that's about the "Dogtag" CA certificate, not about the third-party certificate I am using in our upcoming production environment(running IPA 4.2 on RHEL7).
>
>     Hi,
>
>     if you plan to use another CA (for instance switch from Verisign to Godaddy), you will need first to install the new CA certificate with ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4 Manual CA Certificate Installation [1].
>
>     Then, if you want to change the HTTP and LDAP certificates for your server, you can use the ipa-server-certinstall utility [2].
>
>     [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install
>
>     [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities
>
>     Hope this helps,
>     Flo.
>
>         Please advise. Thank you!
>         Beeth
>
>

From jhrozek at redhat.com Thu Oct 20 07:22:38 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 20 Oct 2016 09:22:38 +0200
Subject: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
In-Reply-To: <62D4B20C-4A0A-4F9C-A693-C0B61CFFAB38@unimelb.edu.au>
References: <62D4B20C-4A0A-4F9C-A693-C0B61CFFAB38@unimelb.edu.au>
Message-ID: <20161020072238.og3sjcjkbmwfpfjw@hendrix>

On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
>
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with our University organisational AD. The AD forest contains *two* domains:
>
>     EXAMPLE.AU (staff users)
>     STUDENT.EXAMPLE.AU (student users)
>
> The IPA domain that trusts these is called:
>
>     IPA.EXAMPLE.AU
>
> The basic configuration as described above works ok - we can login to IPA client hosts with user principals from either of the AD domains and we see correct group membership.
>
> However, I would like to tune this configuration to drop the domain component of the user and group names. I tried to do this by adding these settings to the [sssd] section in sssd.conf on the client:
>
>     default_domain_suffix = example.au
>     full_name_format = %1$s
>
> With this configuration, I can login as a staff domain user (example.au) successfully and I then see the short-name form of the groups:
>
>     $ ssh -l rns@example.au ipa-client-rh7.ipa.example.au
>     [rns@ipa-client-rh7 ~]$ groups
>     rns domain users d-750g 511all [..etc..]
>
> However, when I try logging in as a student domain user (student.example.au), I don't see any of the groups (there should be 8):
>
>     $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
>     [rnst@ipa-client-rh7 ~]$ groups
>     rnst
>
> Is this expected behaviour? Is there a possible client configuration that will support our AD forest setup or is this simply not possible?
What you did is quite correct, but unfortunately works only with RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

From lkrispen at redhat.com Thu Oct 20 07:38:52 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 20 Oct 2016 09:38:52 +0200
Subject: [Freeipa-users] replica DS failure deadlock
In-Reply-To: <20161019162838.vlk465mkqxzuln2x@dead.ccr.buffalo.edu>
References: <20161018185258.yslvh2amicerejae@dead.ccr.buffalo.edu> <58072B26.4090203@redhat.com> <20161019134854.t3xpjo35xjhfkzpd@dead.ccr.buffalo.edu> <58078B04.2030408@redhat.com> <58079431.5070801@redhat.com> <20161019162838.vlk465mkqxzuln2x@dead.ccr.buffalo.edu>
Message-ID: <5808748C.1080400@redhat.com>

On 10/19/2016 06:28 PM, Andrew E. Bruno wrote:
> On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote:
>> On 10/19/2016 05:02 PM, Ludwig Krispenz wrote:
>>> On 10/19/2016 03:48 PM, Andrew E. Bruno wrote:
>>>> On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote:
>>>>> On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:
>>>>>> We had one of our replicas fail today with the following errors:
>>>>>>
>>>>>>
>>>>>> [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef3000100030000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
>>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f74000500040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
>>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f74000500040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
>>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 939bca48-2ced11e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f74000500040000
>>>>>> [18/Oct/2016:13:43:07 -0400] - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
>>>>>> [18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559)
>>>>>> [18/Oct/2016:13:43:12 -0400] - cos_cache_change_notify: modified entry is NULL--updating cache just in case
>>>>>> [18/Oct/2016:13:43:12 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
>>>>>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching Null DN (4a729f9a-955a11e6-aaffa516-e778e883), error -30993.
>>>>>> [18/Oct/2016:13:43:20 -0400] - dn2entry_ext: Failed to get id for changenumber=30856302,cn=changelog from entryrdn index (-30993)
>>>>>> [18/Oct/2016:13:43:20 -0400] - Operation error fetching changenumber=30856302,cn=changelog (null), error -30993.
>>>>>> [18/Oct/2016:13:43:20 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856302, dn = changenumber=30856302,cn=changelog: Operations error.
>>>>>> [18/Oct/2016:13:43:20 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>>>> [18/Oct/2016:13:43:20 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f9f000000600000) error (1). Aborting replication session(conn=1901274 op=5)
>>>>>> [18/Oct/2016:13:43:24 -0400] - ldbm_back_seq deadlock retry BAD 1601, err=0 BDB0062 Successful return: 0
>>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=58065f7c000a00040000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
>>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (58065f7c000a00040000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
>>>>>> [18/Oct/2016:13:43:25 -0400] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu (uniqid: 4080421a-2d0211e5-ac0b8f7e-e0b1a377, optype: 64) to changelog csn 58065f7c000a00040000
>>>>>>
>>>>>>
>>>>>> ns-slapd was hung so we restarted and now it's stuck and won't come back up. It hangs up here:
>>>>>>
>>>>>> [18/Oct/2016:14:12:31 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
>>>>>> [18/Oct/2016:14:12:31 -0400] NSMMReplicationPlugin - >>>>>> changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/a32992ce-71b811e5-9d33a516-e778e883.sema; >>>>>> NSPR error - -5943 >>>>>> [18/Oct/2016:14:12:32 -0400] NSMMReplicationPlugin - >>>>>> changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/986efe12-71b811e5-9d33a516-e778e883.sema; >>>>>> NSPR error - -5943 >>>>>> >>>>>> >>>>>> Tried deleting the semaphore files and restarting but no >>>>>> luck. Attached >>>>>> is a stacktrace of the stuck ns-slapd process. >>>>>> >>>>>> Here's the versions were running: >>>>>> >>>>>> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64 >>>>>> 389-ds-base-1.3.4.0-33.el7_2.x86_64 >>>>>> >>>>>> FWIW, we were experimenting with the new life-cycle >>>>>> management features, >>>>>> specifically "preserved" users and deleted the user >>>>>> "janedoe" when this >>>>>> happened. From the errors above looks like this host failed to >>>>>> replicate the change? Not sure if this is related or not. >>>>>> >>>>>> Is it possible to recover the database? Thanks in advance >>>>>> for any pointers. >>>>> from the stack trace the process is not hanging, it is trying to >>>>> recover. >>>>> After a crash/kill the changelog does not contai a RUV and it is >>>>> reconstructed by reading all records in the changelog, if this >>>>> is large it >>>>> can take some time. 
>>>>> If you look at that part of the stack repeatedly,
>>>>>
>>>>> #4 0x00007f4e88daeba5 in cl5DBData2Entry (data=, len=, entry=entry at entry=0x7ffff6598910) at ldap/servers/plugins/replication/cl5_api.c:2342
>>>>>         rc =
>>>>>         version =
>>>>>         pos = 0x7f4e9839d091 ""
>>>>>         strCSN = 0x0
>>>>>         op = 0x7ffff6598980
>>>>>         add_mods = 0x7f4e983a5e80
>>>>>         rawDN = 0x7f4e98396e20 "fqdn=cpn-k08-29-02.cbls.ccr.buffalo.edu,cn=computers,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
>>>>>         s = "\300\037>\230N\177\000\000@\210Y\366\377\177\000\000@\210Y\366\377"
>>>>> #5 0x00007f4e88daf5d6 in _cl5GetNextEntry (entry=entry at entry=0x7ffff6598910, iterator=0x7f4e983a5e80) at ldap/servers/plugins/replication/cl5_api.c:5291
>>>>>         rc = 0
>>>>>         it = 0x7f4e983a5e80
>>>>>         key = {data = 0x0, size = 21, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
>>>>>         data = {data = 0x7f4e9839cff0, size = 335, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 16}
>>>>> #6 0x00007f4e88dafb34 in _cl5ConstructRUV (purge=1, obj=0x7f4e983e1fc0, replGen=0x7ffff6598910 "\200\211Y\366\377\177") at ldap/servers/plugins/replication/cl5_api.c:4306
>>>>>
>>>>> you should see some progress in which entry is handled
>>>>>
>>>> Ludwig, thanks very much for the help. As you pointed out, it just needed to let it finish. ns-slapd eventually came back up once it finished reading the changelog. Still seeing some errors related to the NSMMReplicationPlugin failed to apply update and from the managed-entries-plugin. Can these safely be ignored or are they indicative of a more serious problem?
>>>>
>>>> [19/Oct/2016:09:28:46 -0400] - Operation error fetching Null DN (e73b48a4-95ff11e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:28:46 -0400] - dn2entry_ext: Failed to get id for changenumber=30856335,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:28:46 -0400] - Operation error fetching changenumber=30856335,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:28:46 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856335, dn = changenumber=30856335,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:28:46 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:28:46 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=9 op=28)
>>>> [19/Oct/2016:09:28:54 -0400] - Operation error fetching Null DN (e73b48a7-95ff11e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:28:59 -0400] - dn2entry_ext: Failed to get id for changenumber=30856337,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:17 -0400] - Operation error fetching changenumber=30856337,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:17 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856337, dn = changenumber=30856337,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:17 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:29:17 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=15 op=5)
>>>> [19/Oct/2016:09:29:20 -0400] - Retry count exceeded in delete
>>>> [19/Oct/2016:09:29:20 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712389 (rc: 51)
>>>> [19/Oct/2016:09:29:28 -0400] - Operation error fetching Null DN (0afe8e82-960011e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:29:28 -0400] - dn2entry_ext: Failed to get id for changenumber=30856351,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:28 -0400] - Operation error fetching changenumber=30856351,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:28 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856351, dn = changenumber=30856351,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:28 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:29:28 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=25 op=5)
>>>> [19/Oct/2016:09:29:31 -0400] - Retry count exceeded in delete
>>>> [19/Oct/2016:09:29:31 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30712865 (rc: 51)
>>>> [19/Oct/2016:09:29:39 -0400] - Operation error fetching Null DN (0afe8e90-960011e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:29:39 -0400] - dn2entry_ext: Failed to get id for changenumber=30856364,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:39 -0400] - Operation error fetching changenumber=30856364,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:39 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856364, dn = changenumber=30856364,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:39 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:29:39 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=35 op=5)
>>>> [19/Oct/2016:09:29:42 -0400] - Retry count exceeded in delete
>>>> [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 30713364 (rc: 51)
>>>> [19/Oct/2016:09:29:42 -0400] - Operation error fetching Null DN (0afe8ea0-960011e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:29:42 -0400] - dn2entry_ext: Failed to get id for changenumber=30856379,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:42 -0400] - Operation error fetching changenumber=30856379,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:42 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856379, dn = changenumber=30856379,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:42 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>>> [19/Oct/2016:09:29:42 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=36 op=5)
>>>> [19/Oct/2016:09:29:50 -0400] - Operation error fetching Null DN (0afe8ea2-960011e6-8bc7a516-e778e883), error -30993.
>>>> [19/Oct/2016:09:29:50 -0400] - dn2entry_ext: Failed to get id for changenumber=30856380,cn=changelog from entryrdn index (-30993)
>>>> [19/Oct/2016:09:29:50 -0400] - Operation error fetching changenumber=30856380,cn=changelog (null), error -30993.
>>>> [19/Oct/2016:09:29:50 -0400] DSRetroclPlugin - replog: an error occured while adding change number 30856380, dn = changenumber=30856380,cn=changelog: Operations error.
>>>> [19/Oct/2016:09:29:50 -0400] retrocl-plugin - retrocl_postob: operation failure [1]
>>> this doesn't look good. There could be cancelled ops which would be repeated, but the failing repl op is always with the same csn: 5806acf7000000600000
>>> so it seems incoming replication is stuck.
>>> you could try to find out which entry is affected (grep for the csn in the access log and look at the operation) and what kind of modification it is to check what could be going wrong.
>
> Here's what was in the access logs for that csn:
>
> access.20161018-113116:[19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=103 nentries=0 etime=3 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:17 -0400] conn=15 op=5 RESULT err=1 tag=103 nentries=0 etime=24 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:28 -0400] conn=25 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:39 -0400] conn=35 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:42 -0400] conn=36 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:50 -0400] conn=37 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:54 -0400] conn=44 op=5 RESULT err=1 tag=103 nentries=0 etime=1 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:29:58 -0400] conn=45 op=5 RESULT err=1 tag=103 nentries=0 etime=0 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:30:06 -0400] conn=46 op=5 RESULT err=1 tag=103 nentries=0 etime=4 csn=5806acf7000000600000
> access.20161018-113116:[19/Oct/2016:09:30:12 -0400] conn=48 op=5 RESULT err=0 tag=103 nentries=0 etime=2 csn=5806acf7000000600000
>
>
> Interestingly, right before the first op=28 was the modification of user janedoe, we were testing deleting/preserving this user:
>
> [19/Oct/2016:09:28:43 -0400] conn=9 op=27 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> [19/Oct/2016:09:28:43 -0400] conn=10 op=15 RESULT err=0 tag=103 nentries=0 etime=0 csn=58065f7c000300030000
> [19/Oct/2016:09:28:43 -0400] conn=10 op=16 MODRDN dn="uid=janedoe,cn=users,cn=accounts,dc=cbls,dc=ccr,dc=buffalo,dc=edu" newrdn="uid=janedoe" newsuperior="cn=deleted users,cn=accounts,cn=provisioning,dc=cbls,dc=ccr,dc=buffalo,dc=edu"
> [19/Oct/2016:09:28:43 -0400] conn=9 op=27 RESULT err=0 tag=103 nentries=0 etime=0 csn=5806a973000000600000
> [19/Oct/2016:09:28:43 -0400] conn=9 op=28 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> [19/Oct/2016:09:28:46 -0400] conn=9 op=28 RESULT err=1 tag=103 nentries=0 etime=3 csn=5806acf7000000600000
> [19/Oct/2016:09:28:46 -0400] conn=9 op=-1 fd=88 closed - B4
>
>
>> the information of what is the change with csn 5806acf7000000600000, it should be found in the changelog of the server with the replicaid 96.
> Where can I find/query the changelog?
>
>> there is also the possibility that your retro changelog got corrupted. could you try to query the retrocl: ldapsearch ..... -b "cn=changelog" dn
> Guessing the changelog is too big or I need to increase some limit?
>
> ldapsearch -Y GSSAPI -b "cn=changelog" dn
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: dn
> #
>
> # search result
> search: 4
> result: 11 Administrative limit exceeded
>
>
>> and before rebuilding or reimporting the database it would be worth to try to recreate the retro changelog
> I'm not seeing any more errors in the logs. Is there any way to verify if replication has caught up?
from your logs:

access.20161018-113116:[19/Oct/2016:09:30:06 -0400] conn=46 op=5 RESULT err=1 tag=103 nentries=0 etime=4 csn=5806acf7000000600000
access.20161018-113116:[19/Oct/2016:09:30:12 -0400] conn=48 op=5 RESULT err=0 tag=103 nentries=0 etime=2 csn=5806acf7000000600000

it looks like the operation was finally successful. So there could have been a time where parallel updates to the ca and the domain suffix could be blocked on the retrocl and be aborted, but this is speculation.
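The csn Ludwig traces above (5806acf7000000600000) encodes its originating replica id, which is how he knows the change came from replica 96; the helper below decodes a 389-ds CSN, flags a csn that aborts session after session in the errors log, and compares two servers' nsds50ruv values (the RUV check Ludwig recommends in his reply). This is an added example, not code from 389-ds, FreeIPA or the thread; the log lines and RUV strings in it are constructed sample data, and the server URLs are invented.

```python
"""Decode 389-ds CSNs, spot a change that fails on every incoming replication
session, and compare the nsds50ruv values of two replicas.
Added example for this thread; sample data below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CSN:
    raw: str
    timestamp: int    # seconds, as issued by the originating server's CSN generator
    seqnum: int
    replica_id: int
    subseqnum: int


def parse_csn(csn: str) -> CSN:
    """A CSN is 20 hex digits: 8 timestamp, 4 sequence, 4 replica id, 4 subsequence."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return CSN(csn.lower(), int(csn[0:8], 16), int(csn[8:12], 16),
               int(csn[12:16], 16), int(csn[16:20], 16))


_FAIL_RE = re.compile(r"process_postop: Failed to apply update \(([0-9a-fA-F]{20})\)")


def stuck_csns(error_log_lines, threshold=3):
    """CSNs whose 'Failed to apply update' message repeats at least threshold times.
    The same csn aborting session after session is the pattern Ludwig points out:
    the supplier keeps resending one change that this consumer cannot apply."""
    counts = {}
    for line in error_log_lines:
        m = _FAIL_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return {csn: n for csn, n in counts.items() if n >= threshold}


# One nsds50ruv element: "{replica <rid> <url>} <mincsn> <maxcsn>"; the
# "{replicageneration} <id>" element carries no CSNs and is skipped.
_RUV_RE = re.compile(r"\{replica (\d+) (\S+)\}(?: ([0-9a-f]{20}))?(?: ([0-9a-f]{20}))?")


def parse_ruv(values):
    """Map replica id -> (url, mincsn, maxcsn); CSNs are None for an empty element."""
    ruv = {}
    for value in values:
        m = _RUV_RE.match(value.strip())
        if m:
            rid, url, mincsn, maxcsn = m.groups()
            ruv[int(rid)] = (url, mincsn, maxcsn)
    return ruv


def ruv_lag(local, remote):
    """Per replica id: (local maxcsn, remote maxcsn, seconds the remote lags).
    Lag is None when either side has no maxcsn for that replica id. The two RUVs
    will rarely be identical; what matters is that every maxcsn keeps moving
    forward on both servers between two samples."""
    report = {}
    for rid in sorted(set(local) | set(remote)):
        lmax = local.get(rid, (None, None, None))[2]
        rmax = remote.get(rid, (None, None, None))[2]
        lag = None
        if lmax and rmax:
            lag = parse_csn(lmax).timestamp - parse_csn(rmax).timestamp
        report[rid] = (lmax, rmax, lag)
    return report


# Constructed sample data; replica id 96 and the csn are the ones from the thread.
SAMPLE_ERRORS = [
    "[19/Oct/2016:09:28:46 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=9 op=28)",
    "[19/Oct/2016:09:29:17 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=15 op=5)",
    "[19/Oct/2016:09:29:28 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (5806acf7000000600000) error (1). Aborting replication session(conn=25 op=5)",
    "[18/Oct/2016:13:43:07 -0400] NSMMReplicationPlugin - process_postop: Failed to apply update (58065f74000500040000) error (1). Aborting replication session(conn=1314106 op=1688559)",
]
LOCAL_RUV = [
    "{replicageneration} 55a6f0d5000000040000",
    "{replica 4 ldap://ipa1.example.test:389} 55a6f0e0000000040000 5806acf7000000040000",
    "{replica 96 ldap://ipa2.example.test:389} 55a6f0e1000000600000 5806acf7000000600000",
]
REMOTE_RUV = [
    "{replicageneration} 55a6f0d5000000040000",
    "{replica 4 ldap://ipa1.example.test:389} 55a6f0e0000000040000 5806acf7000000040000",
    "{replica 96 ldap://ipa2.example.test:389} 55a6f0e1000000600000 5806a973000000600000",
    "{replica 7 ldap://ipa3.example.test:389}",   # replica that has not sent anything yet
]

if __name__ == "__main__":
    for csn, n in stuck_csns(SAMPLE_ERRORS).items():
        c = parse_csn(csn)
        print(f"csn {csn} failed {n} times; originated on replica id {c.replica_id}")
    for rid, (lmax, rmax, lag) in ruv_lag(parse_ruv(LOCAL_RUV), parse_ruv(REMOTE_RUV)).items():
        print(f"replica {rid}: local max {lmax} remote max {rmax} lag {lag}")
```

Feed it the real nsds50ruv values from the ldapsearch against cn=config on each server, taken twice a few minutes apart, and a replica whose maxcsn does not advance on the remote side is the one whose incoming replication is stuck.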
if you want to find out if replication is working you can look at the ruvs of the suffixes on both servers, since there is a lot of dynamics they will probably never be identical, but the maxcsn should move forward:

ldapsearch -o ldif-wrap=no -D "cn=directory manager" .... -b "cn=config" "objectclass=nsds5replica" nsds50ruv

or you do a simple repl test, do a "dummy" (eg replacing a description attr in an entry with the existing value) change on each suffix on each server and check if they are replicated
>
> Thanks again for all the help.
>
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From julliot at ljll.math.upmc.fr Thu Oct 20 09:43:01 2016
From: julliot at ljll.math.upmc.fr (Sébastien Julliot)
Date: Thu, 20 Oct 2016 11:43:01 +0200
Subject: [Freeipa-users] Setting "preserve" as default action when deleting in webUI
Message-ID: <5f607850-9623-254e-1609-02fd922117c0@ljll.math.upmc.fr>

Hi everyone,

In order to prevent administrators from making mistakes that could have silly consequences, I would like to set "preserve" as the default selected action in freeipa's webui. What do you think would be the best way to achieve this?

Thank you in advance,
Sebastien Julliot.

From deepak_dimri at hotmail.com Thu Oct 20 12:03:35 2016
From: deepak_dimri at hotmail.com (Deepak Dimri)
Date: Thu, 20 Oct 2016 12:03:35 +0000
Subject: [Freeipa-users] Getting Minimum SSF not met.
Message-ID:

Hi All,

I wanted to enable secure LDAP connection on freeIPA but alas after changing cn=config nsslapd-minssf from 0 to 128 i am getting below error:

ipactl restart
Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: Server is unwilling to perform: Minimum SSF not met.
Shutting down

When trying to put back the original nsslapd-minssf to "0" i am getting below error:

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: Minimum SSF not met.

I tried below configuration but still getting unwilling to perform (53) Minimum SSF not met Error.

dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 10
-
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on
-
replace: nsslapd-minssf-exclude-rootdse
nsslapd-minssf-exclude-rootdse: off

I am following the steps mentioned here: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/SecureConnections.html (Chapter 14. Configuring Secure Connections)

How can i get LDAPS working on my FreeIPA?

Many Thanks,
Deepak
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From david.klima at vig.cz Thu Oct 20 13:37:58 2016
From: david.klima at vig.cz (Klíma David)
Date: Thu, 20 Oct 2016 13:37:58 +0000
Subject: [Freeipa-users] FreeIPA JSON API does not work behind Load Balancer because Services4User
Message-ID:

Hi all,

I need advice or help with freeIPA implementation behind F5 bigip loadbalancer. My goal is to have all freeIPA services (including json/xml API) behind loadbalancer for freeIPA clients.
>> Because RHEL support told me IPA behind a loadbalancer is not supported, I was working from these articles (I recommend you read them and I thank the people who wrote them):

https://www.redhat.com/archives/freeipa-users/2015-March/msg00965.html
http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
https://ssimo.org/blog/id_019.html
https://access.redhat.com/solutions/547723
http://firstyear.id.au/blog/html/2015/12/11/Load_balanced_389_instance_with_freeipa_kerberos_domain..html
http://www.freeipa.org/page/V4/Keytab_Retrieval#Use_Case:_A_load_balancing_cluster_of_HTTP_server_that_allow_GSSAPI.2FKrb5_negotiation_.28TBD.29
https://www.freeipa.org/page/V4/Service_Constraint_Delegation
http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy

>> Now I have one pool with one freeIPA node (for easy debugging):

hostname: ipa-01.internal.services

>> And VIP hostname for clients:

hostname: hub.internal.services

                        hub.internal.services
                        +--------------+
                        |              |
 +--------+             |              |            ipa-01.internal.services
 |        |    TLS      | Loadbalancer |    TLS     +--------------+
 | Client +----->+      |              +----->+     |              |
 |        |             |              |            | freeIPA node |
 +--------+             |              |            |              |
                        +--------------+            +--------------+

>> After ipa-server-install .... first, I created a fake host to which I assign services. This is the fake host for the load balancer:

ipa host-add hub.internal.services --force --random
ipa host-allow-retrieve-keytab hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p host/hub.internal.services -k /etc/krb5.keytab \
  -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac

>> Second I created the LDAP service - because I need a keytab for ldap/hub.internal.services (after retrieval merged into /etc/dirsrv/ds.keytab):

ipa service-add --force ldap/hub.internal.services
ipa service-add-host ldap/hub.internal.services --hosts=ipa-01.internal.services
ipa service-allow-retrieve-keytab ldap/hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p ldap/hub.internal.services -k /etc/dirsrv/ds.keytab \
  -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
chown dirsrv:dirsrv /etc/dirsrv/ds.keytab

>> Next I created the HTTP service - I need a keytab for HTTP/hub.internal.services (after retrieval merged into /etc/httpd/conf/ipa.keytab):

ipa service-add --force HTTP/hub.internal.services
ipa service-add-host HTTP/hub.internal.services --hosts={ipa-01.internal.services,ipa-02.internal.services,ipa-03.internal.services}
ipa service-allow-retrieve-keytab HTTP/hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p HTTP/hub.internal.services -k /etc/httpd/conf/ipa.keytab \
  -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
chown apache:apache /etc/httpd/conf/ipa.keytab

>> Check keytabs:

klist -Kket /etc/krb5.keytab
klist -Kket /etc/dirsrv/ds.keytab
klist -Kket /etc/httpd/conf/ipa.keytab

All keytabs look like this:

Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp          Principal
---- ------------------ -------------------------------------------------------
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services at INTERNAL.SERVICES (aes256-cts-hmac-sha1-96) (0x0b8140ce7a7a521cbacecda8902e7c7a6b61fd21758997fb2f2721d9f2d3c8e5)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services at INTERNAL.SERVICES (aes128-cts-hmac-sha1-96) (0x4247b97e7b2b62a49094105b86740537)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services at INTERNAL.SERVICES (des3-cbc-sha1) (0x67851f1a16f8df45b30b1a89fe677ad03eaeae6ba2940e4a)
   3 13.5.2016 22:05:14 ldap/ipa-01.internal.services at INTERNAL.SERVICES (arcfour-hmac) (0xed6d8caba385fdd8b5775e2f17303fb6)
   1 13.5.2016 23:00:43 ldap/hub.internal.services at INTERNAL.SERVICES (aes256-cts-hmac-sha1-96) (0x439341b1848dc91f02f6b38f2e04446e9f7f8547d8251a708dce99d1526e961a)
   1 13.5.2016 23:00:43 ldap/hub.internal.services at INTERNAL.SERVICES (aes128-cts-hmac-sha1-96) (0x11e1c820db6b49bb9290c0c9e2888914)
   1 13.5.2016 23:00:43 ldap/hub.internal.services at INTERNAL.SERVICES (des3-cbc-sha1) (0xbad3cb89fbf132abbcad29bcfd79fb4532cedfe90bf1078f)
   1 13.5.2016 23:00:43 ldap/hub.internal.services at INTERNAL.SERVICES (arcfour-hmac) (0xb80563d1f60ac374ffb3888c95434371)

>> Next I add 'ignore_acceptor_hostname = true' to the /etc/krb5.conf file (because I need to ignore the acceptor hostname):

sed -i '/^\[libdefaults\]$/a\ ignore_acceptor_hostname = true' /etc/krb5.conf

>> The last step was to modify the rewrite rules in the /etc/httpd/conf.d/ipa-rewrite.conf file; I commented out all lines except these:

RewriteEngine on
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]

>> On the loadbalancer I created an iRule for replacing the Referer when a client sends a request to hub.internal.services and for replacing the cookie domain in the response from the IPA node:

when HTTP_REQUEST_SEND {
    clientside {
        # Strip the route domain from the IP
        scan [LB::server addr] {%[^%]} iponly
        # Look up the hostname for this IP in the data group named ipa-hostnames and replace the Referer
        HTTP::header replace Referer "https://[class match -value $iponly equals ipa-hostnames]/ipa/ui/"
        # Write the Referer to the log
        #log local0. "[HTTP::header Referer]"
    }
}
when HTTP_RESPONSE {
    set newdomain "hub.internal.services"
    foreach mycookie [HTTP::cookie names] {
        HTTP::cookie domain $mycookie $newdomain
    }
}

>> I do SSL offloading on the loadbalancer for LDAPS (636), LDAP over SSL (389 starttls extension) and HTTPS, so the SSL certificate CN matches every time. Certs on the LB are from the same authority as the certificates for the IPA nodes.

>> Now I am in a state where all services work fine (LDAP, HTTP web gui, NTP, DNS) with kerberos auth, but the freeIPA json or xml api does NOT.

david at dklima:~$ ldapsearch -H ldap://hub.internal.services -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at INTERNAL.SERVICES
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object

# numResponses: 1

>> I know why kerberos auth to ONLY the freeipa json api fails. It is because freeipa uses S4U2Proxy/Services4User and the client (ipa-client-install) does not send the TGT. So the freeipa backend cannot connect to 389DS with the user identity.

>> If I call the API through the loadbalancer:

>> My freeipa api testing command:

rm $COOKIEJAR -f
export KRB5CCNAME=FILE:/tmp/krb5cc_1000
export COOKIE=/tmp/cookie.ipa
export IPAHOSTNAME=hub.internal.services
curl -vc $COOKIE -b $COOKIE -k --negotiate -u : -X GET https://$IPAHOSTNAME/ipa/xml

Result:

faultCode 2100
faultString Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Matching credential not found)
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):

>> If I add the parameter '--delegation always' to the curl command the result is OK, the API is working:

curl --delegation always -vc $COOKIE -b $COOKIE -k --negotiate -u : -X GET https://$IPAHOSTNAME/ipa/xml

faultCode 905
faultString unknown command 'xml'

>> So I added the service constraint delegation:

[root at ipa-01 ~]# ipa servicedelegationrule-show ipa-http-delegation
  Delegation name: ipa-http-delegation
  Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets
  Member principals: HTTP/ipa-01.internal.services at INTERNAL.SERVICES, HTTP/hub.internal.services at INTERNAL.SERVICES

[root at ipa-01 ~]# ipa servicedelegationtarget-show ipa-ldap-delegation-targets
  Delegation name: ipa-ldap-delegation-targets
  Member principals: ldap/hub.internal.services at INTERNAL.SERVICES, HTTP/ipa-01.internal.services at INTERNAL.SERVICES, ldap/ipa-01.internal.services at INTERNAL.SERVICES

>> Now as you can see I am able to get a ticket for ldap/ipa-01.internal.services based on the ticket for HTTP/hub.internal.services:

[root at ipa-01 ~]# kinit -kt /etc/httpd/conf/ipa.keytab HTTP/hub.internal.services
[root at ipa-01 ~]# kvno -k /etc/httpd/conf/ipa.keytab -U admin -P HTTP/hub.internal.services ldap/ipa-01.internal.services
HTTP/hub.internal.services at INTERNAL.SERVICES: kvno = 1, keytab entry valid
ldap/ipa-01.internal.services at INTERNAL.SERVICES: kvno = 1, keytab entry valid

>> I monitored the KRB client cache on the IPA node and the difference when the connection failed:

>> This is a direct connection to the API - the cache is good, as you can see - based on HTTP/ipa-01.internal.services the IPA framework got ldap/ipa-01.internal.services:

[root at ipa-01 caches]# klist admin at INTERNAL.SERVICES-directipa
Ticket cache: FILE:admin at INTERNAL.SERVICES-directipa
Default principal: admin at INTERNAL.SERVICES

Valid starting       Expires              Service principal
27.9.2016 21:51:01   28.9.2016 21:50:47   HTTP/ipa-01.internal.services at INTERNAL.SERVICES
27.9.2016 19:21:16   28.9.2016 19:21:16   krbtgt/INTERNAL.SERVICES at INTERNAL.SERVICES for client HTTP/ipa-01.internal.services at INTERNAL.SERVICES
27.9.2016 21:51:02   28.9.2016 19:21:16   ldap/ipa-01.internal.services at INTERNAL.SERVICES

>> This is a connection to the API through the loadbalancer (hub.internal.services); the connection ended with an error, because the IPA framework does not know that it must use HTTP/hub.internal.services to get the ldap/ipa-01.internal.services ticket, or the client TGT (not sent in this case):

[root at ipa-01 caches]# klist admin at INTERNAL.SERVICES-throught-loadbalancer
Ticket cache: FILE:admin at INTERNAL.SERVICES-throught-loadbalancer
Default principal: admin at INTERNAL.SERVICES

Valid starting       Expires              Service principal
27.9.2016 21:54:00   28.9.2016 21:50:47   HTTP/hub.internal.services at INTERNAL.SERVICES
27.9.2016 19:21:16   28.9.2016 19:21:16   krbtgt/INTERNAL.SERVICES at INTERNAL.SERVICES for client HTTP/ipa-01.internal.services at INTERNAL.SERVICES

>> This is a connection to the API through the loadbalancer (hub.internal.services) with TGT delegation; the connection ended with success, because the IPA framework uses the TGT to obtain a ticket for ldap/ipa-01.internal.services:

[root at ipa-01 caches]# klist admin at INTERNAL.SERVICES-loadbalancer-delegace
Ticket cache: FILE:admin at INTERNAL.SERVICES-loadbalancer-delegace
Default principal: admin at INTERNAL.SERVICES

Valid starting       Expires              Service principal
27.9.2016 21:54:01   28.9.2016 21:50:47   krbtgt/INTERNAL.SERVICES at INTERNAL.SERVICES
27.9.2016 21:54:01   28.9.2016 21:50:47   ldap/ipa-01.internal.services at INTERNAL.SERVICES

>> So without delegating the TGT the ticket for ldap/ipa-01.internal.services is missing and the IPA framework returns this message: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Matching credential not found)

>> In the freeipa code the ipa node principal is hardcoded and I do not know where this part of the code is. Can you help me create a patch (or point me to the code I'm looking for) or find another solution, please? Or I think one solution is to force the client (in my case ipa-client-install) to send the TGT. But I do not want to send the TGT. I think the better solution is to create a patch for the freeipa server code. Delegation is already produced by ipa servicedelegationrule.

Thank you very much and sorry for my English.

David

From carlosla1987 at gmail.com Thu Oct 20 14:01:09 2016
From: carlosla1987 at gmail.com (Carlos Raúl Laguna)
Date: Thu, 20 Oct 2016 10:01:09 -0400
Subject: [Freeipa-users] IPA-AD Trust unable to resolve child domain
Message-ID:

Hello everyone,

Both servers are fresh installs, 2008r2 and Fedora 24 server with freeipa 4.3.2, as the documentation explains in http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA; however the server is unable to resolve any record from my child domain. I found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure if this version of IPA is affected by it. Is the procedure in the documentation still valid?

Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Thu Oct 20 14:10:36 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 20 Oct 2016 17:10:36 +0300
Subject: [Freeipa-users] IPA-AD Trust unable to resolve child domain
Message-ID: <20161020141036.cw6eq64xlebhhuz6@redhat.com>

On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>Hello everyone,
>
>Both server are fresh install 2008r2 and fedora 24 server freeipa 4.3.2 as
>documentation explain in
>http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>
>however the server is unable to resolve any record from my child domain, i
>found
>this bug https://fedorahosted.org/freeipa/ticket/6062, but not sure if this
>version of IPA is affected by it.
>
>The procedure in the documentation is still valid ?.
Given that you have literally provided no logs that would help to help you, let's start from that. Show what your problem is through the logs. What exact commands are failing? If you suspect DNS issues, show your named-pkcs11 logs.
--
/ Alexander Bokovoy

From harald.dunkel at aixigo.de Thu Oct 20 15:12:11 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Thu, 20 Oct 2016 17:12:11 +0200
Subject: [Freeipa-users] Replication error acquiring replica: unknown error
Message-ID:

Hi folks,

My second master shows me that it would push local changes to ipa1, but it doesn't:

[root at ipa2 ipa]# ipa-replica-manage list
ipa3.aixigo.de: master
ipa4.aixigo.de: master
ipa1.aixigo.de: master
ipa2.aixigo.de: master
[root at ipa2 ~]# ipa-replica-manage list `hostname`
ipa1.aixigo.de: replica
[root at ipa2 ~]# ipa-replica-manage list -v `hostname`
ipa1.aixigo.de: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 205 Replication error acquiring replica: unknown error - Incremental update connection error. Backing off, will retry update later.
  last update ended: 1970-01-01 00:00:00+00:00

The other ipa servers don't show an "unknown error". The log file doesn't tell, either, so I wonder what this problem is? FreeIPA is version 4.2.0-15.0.1 on Centos 7.2.

Every helpful comment is highly appreciated
Harri

From guillermo.fuentes at modernizingmedicine.com Thu Oct 20 15:43:37 2016
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes)
Date: Thu, 20 Oct 2016 11:43:37 -0400
Subject: [Freeipa-users] Getting Minimum SSF not met.
Message-ID:

Hi Deepak,

What you did was disable unsecure connections to the directory service. As such, use LDAPS to connect and enable unsecure connections again:

ldapmodify -D "cn=directory manager" -W -H ldaps://`hostname`
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: 0

If the directory service is stopped, you can edit the attribute in /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif and start the service.

Hope it helps,
Guillermo

GUILLERMO FUENTES
SENIOR SYSTEMS ADMINISTRATOR
T: 561-880-2998 x1337
E: guillermo.fuentes at modmed.com

On Thu, Oct 20, 2016 at 8:03 AM, Deepak Dimri wrote:
> Hi All,
>
> I wanted to enable secure LDAP connection on freeIPA but alas after
> changing cn=config
> nsslapd-minssf from 0 to 128 i am getting below error:
>
> ipactl restart
> Failed to read data from Directory Service: Unknown error when retrieving
> list of services from LDAP: Server is unwilling to perform: Minimum SSF not
> met.
> Shutting down
>
> When trying to put back the original nsslapd-minssf to "0" i am getting below
> error:
> modifying entry "cn=config"
> ldap_modify: Server is unwilling to perform (53)
> additional info: Minimum SSF not met.
>
> I tried below configuration but still getting unwilling to perform (53)
> Minimum SSF not met Error.
> > > dn: cn=config > > changetype: modify > > replace: nsslapd-minssf > > nsslapd-minssf: 10 > > - > > replace: nsslapd-allow-anonymous-access > > nsslapd-allow-anonymous-access: on > > - > > replace: nsslapd-minssf-exclude-rootdse > > nsslapd-minssf-exclude-rootdse: off > > > I am following the steps mentioned here: https://access.redhat.co > m/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Admi > nistration_Guide/SecureConnections.html > Chapter 14. Configuring Secure Connections - Red Hat Support > > access.redhat.com > By default, clients and users connect to the Red Hat Directory Server over > a standard connection. Standard connections do not use any encryption, so > information is ... > > > How can i get LDAPS working on my FreeIPA? > > > Many Thanks, > > Deepak > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From flo at redhat.com Thu Oct 20 16:45:21 2016 From: flo at redhat.com (Florence Blanc-Renaud) Date: Thu, 20 Oct 2016 18:45:21 +0200 Subject: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue In-Reply-To: <1467699597.1398215.1476901090793.JavaMail.zimbra@phosphore.eu> References: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu> <1101487784.1356614.1476878994121.JavaMail.zimbra@phosphore.eu> <58077566.8010401@redhat.com> <719022987.1370764.1476884527122.JavaMail.zimbra@phosphore.eu> <1467699597.1398215.1476901090793.JavaMail.zimbra@phosphore.eu> Message-ID: On 10/19/2016 08:18 PM, Bertrand R?tif wrote: > *De: *"Bertrand R?tif" > > *?: *freeipa-users at redhat.com > *Envoy?: *Mercredi 19 Octobre 2016 15:42:07 > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. 
> pki-tomcat issue > > > ------------------------------------------------------------------------ > > *De: *"Rob Crittenden" > *?: *"Bertrand R?tif" , > freeipa-users at redhat.com > *Envoy?: *Mercredi 19 Octobre 2016 15:30:14 > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > pki-tomcat issue > > Bertrand R?tif wrote: > >> De: "Martin Babinsky" > >> ?: freeipa-users at redhat.com > >> Envoy?: Mercredi 19 Octobre 2016 08:45:49 > >> Objet: Re: [Freeipa-users] Impossible to renew certificate. > pki-tomcat issue > > > >> On 10/18/2016 11:22 PM, Bertrand R?tif wrote: > >>> Hello, > >>> > >>> I had an issue with pki-tomcat. > >>> I had serveral certificate that was expired and pki-tomcat > did not start > >>> anymore. > >>> > >>> I set the dateon the server before certificate expiration > and then > >>> pki-tomcat starts properly. > >>> Then I try to resubmit the certificate, but I get below error: > >>> "Profile caServerCert Not Found" > >>> > >>> Do you have any idea how I could fix this issue. > >>> > >>> Please find below output of commands: > >>> > >>> > >>> # getcert resubmit -i 20160108170324 > >>> > >>> # getcert list -i 20160108170324 > >>> Number of certificates and requests being tracked: 7. 
> >>> Request ID '20160108170324': > >>> status: MONITORING > >>> ca-error: Server at > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" > replied: > >>> Profile caServerCert Not Found > >>> stuck: no > >>> key pair storage: > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >>> certificate: > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >>> Certificate DB' > >>> CA: dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU > >>> subject: CN=IPA RA,O=A.SKINFRA.EU > >>> expires: 2016-06-28 15:25:11 UTC > >>> key usage: > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>> eku: id-kp-serverAuth,id-kp-clientAuth > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > >>> track: yes > >>> auto-renew: yes > >>> > >>> > >>> Thanksby advance for your help. > >>> Bertrand > >>> > >>> > >>> > >>> > > > >> Hi Betrand, > > > >> what version of FreeIPA and Dogtag are you running? > > > >> Also perform the following search on the IPA master and post > the result: > > > >> """ > >> ldapsearch -D "cn=Directory Manager" -W -b > >> 'ou=certificateProfiles,ou=ca,o=ipaca' > '(objectClass=certProfile)' > >> """ > > > > Hi Martin, > > > > Thanks for your reply. > > > > Here is version: > > - FreeIPA 4.2.0 > > - Centos 7.2 > > > > I have been able to fix the issue with "Profile caServerCert > Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg > > I replace below entry > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem" > > by > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem" > > > > and then launch "ipa-server-upgrade" command > > I found this solution in this post: > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html > > > > Then I was able to renew my certificate. 
> > > > However I reboot my server to and pki-tomcat do not start and > provide with a new erreor in /var/log/pki/pki-tomcat/ca/debug > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: > verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > SignedAuditEventFactory: create() > message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ > > System$][Outcome=Success][CertNickName=auditSigningCert > cert-pki-ca] CIMC certificate verification > > > > java.lang.Exception: SystemCertsVerification: system certs > verification failure > > at > com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198) > > at > com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861) > > at > com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797) > > at > com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) > > at > com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) > > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > at javax.servlet.GenericServlet.init(GenericServlet.java:158) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:606) > > at > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > at > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > at java.security.AccessController.doPrivileged(Native Method) > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > > at > 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > > at > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > > at > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > > at > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > > at > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > at > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > at > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > at > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > at java.security.AccessController.doPrivileged(Native Method) > > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > at > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > > at > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > at java.lang.Thread.run(Thread.java:745) > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > SignedAuditEventFactory: create() > 
message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] > self tests execution (see selftests.log for details) > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > CMSEngine.shutdown() > > > > > > I am currently stuck here. > > Thanks a lot for your help. > > I'm guessing at least one of the CA subsystem certificates are > still > expired. Look at the "getcert list" output to see if there are any > expired certificates. > > rob > > > > > Bertrand > > > > > > Hello Rob, > > I check on my 2 servers and no certificate is expired > > [root at sdkipa03 ~]# getcert list |grep expire > expires: 2018-06-22 22:02:26 UTC > expires: 2018-06-22 22:02:47 UTC > expires: 2034-07-09 15:24:34 UTC > expires: 2016-10-30 13:35:29 UTC > > [root at sdkipa01 conf]# getcert list |grep expire > expires: 2018-06-12 23:38:01 UTC > expires: 2018-06-12 23:37:41 UTC > expires: 2018-06-11 22:53:57 UTC > expires: 2018-06-11 22:55:50 UTC > expires: 2018-06-11 22:57:47 UTC > expires: 2034-07-09 15:24:34 UTC > expires: 2018-06-11 22:59:55 UTC > > I see that one certificate is in status: CA_UNREACHABLE, maybe I > reboot to soon my server... > > I continue to investigate > > Thanks for your help. > Bertrand > > I fix my previous issue. > Now I have an issue with a server. > This server can not start pki-tomcatd, I get this error in debug file: > "Error netscape.ldap.LDAPExceptio n: IO Error creating JSS SSL Socket (-1)" > > After investigation i see that I do not have "ipaCert" certificat in > "/etc/httpd/alias" > cf below command: > > [root at sdkipa03 ~]# getcert list -d /etc/httpd/alias > Number of certificates and requests being tracked: 4. 
> Request ID '20141110133632': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=A.SKINFRA.EU > subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU > expires: 2018-06-22 22:02:47 UTC > principal name: HTTP/sdkipa03.skinfra.eu at A.SKINFRA.EU > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > > > How can I add the certificate to /etc/httpd/alias? > Hi, for the record, the command getcert list that you supplied shows the certificates in /etc/httpd/alias that are tracked by certmonger. If you want to display all the certificates contained in /etc/httpd/alias (whether tracked or not), then you may want to use certutil -L -d /etc/httpd/alias instead. If ipaCert is missing, you can export ipaCert certificate from another master, then import it to your server. On a master containing the cert: # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt Then copy the file /tmp/newRAcert.crt to your server and import the cert: # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u And finally you need to tell certmonger to monitor the cert using getcert start-tracking. Hope this helps, Flo. > Thanks fo ryour support. 
> Regards
> Bertrand

From carlosla1987 at gmail.com Thu Oct 20 18:05:49 2016
From: carlosla1987 at gmail.com (Carlos Raúl Laguna)
Date: Thu, 20 Oct 2016 14:05:49 -0400
Subject: [Freeipa-users] IPA-AD Trust unable to resolve child domain
In-Reply-To: <20161020141036.cw6eq64xlebhhuz6@redhat.com>
References: <20161020141036.cw6eq64xlebhhuz6@redhat.com>

Hi Alexander,

I do believe it is a DNS problem, the commands failing are

host -t srv _ldap._tcp.ad_domain
or
dig SRV _ldap._tcp.ad_domain

after checking the logs I see this error
"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"

so I disabled the dnssec validation on IPA and it works as expected, I will
setup dnssec on the windows side and enable dns validation once more on IPA
to see if I can get the same outcome.

Thanks for your answer

2016-10-20 10:10 GMT-04:00 Alexander Bokovoy:
> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hello everyone,
>>
>> Both servers are fresh installs, 2008r2 and fedora 24 server with freeipa 4.3.2, as
>> the documentation explains in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>>
>> however the server is unable to resolve any record from my child domain, i found
>> this bug https://fedorahosted.org/freeipa/ticket/6062, but not sure if this
>> version of IPA is affected by it.
>>
>> Is the procedure in the documentation still valid?
>>
> Given that you have literally provided no logs that would help to help
> you, let's start from it.
>
> Show what your problem is through the logs. What exact commands are
> failing? If you suspect DNS issues, show your named-pkcs11's logs.
>
> --
> / Alexander Bokovoy

From abokovoy at redhat.com Thu Oct 20 18:23:32 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 20 Oct 2016 21:23:32 +0300
Subject: [Freeipa-users] IPA-AD Trust unable to resolve child domain
References: <20161020141036.cw6eq64xlebhhuz6@redhat.com>
Message-ID: <20161020182332.fi55t5rwe3in3hjz@redhat.com>

On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
> Hi Alexander,
> I do believe it is a DNS problem, the commands failing are
>
> host -t srv _ldap._tcp.ad_domain
> or
> dig SRV _ldap._tcp.ad_domain
> after checking the logs I see this error
> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>
> so I disabled the dnssec validation on IPA and it works as expected, I will
> setup dnssec on the windows side and enable dns validation once more on IPA
> to see if I can get the same outcome.

When you use DNSSEC validation, your DNS infrastructure should all be
using DNSSEC. This does not depend on whether you are deploying trust to
AD or not.

In fact, when installing FreeIPA server, you have the option to disable
DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
option exists in ipa-dns-install.

--
/ Alexander Bokovoy

From carlosla1987 at gmail.com Thu Oct 20 21:18:15 2016
From: carlosla1987 at gmail.com (Carlos Raúl Laguna)
Date: Thu, 20 Oct 2016 17:18:15 -0400
Subject: [Freeipa-users] IPA-AD Trust unable to resolve child domain
In-Reply-To: <20161020182332.fi55t5rwe3in3hjz@redhat.com>
References: <20161020141036.cw6eq64xlebhhuz6@redhat.com> <20161020182332.fi55t5rwe3in3hjz@redhat.com>

Thanks for the clarification.
Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy:
> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem, the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> so I disabled the dnssec validation on IPA and it works as expected, I will
>> setup dnssec on the windows side and enable dns validation once more on IPA
>> to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have the option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy

From rns at unimelb.edu.au Fri Oct 21 05:07:16 2016
From: rns at unimelb.edu.au (Robert Sturrock)
Date: Fri, 21 Oct 2016 16:07:16 +1100
Subject: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
In-Reply-To: <62D4B20C-4A0A-4F9C-A693-C0B61CFFAB38@unimelb.edu.au>
References: <62D4B20C-4A0A-4F9C-A693-C0B61CFFAB38@unimelb.edu.au>
Message-ID: <2A9DFFFA-DB82-4EEF-BF52-B0108093253F@unimelb.edu.au>

> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> [...]
> > However, when I try logging in as a student domain user (student.example.au),
> > I don't see any of the groups (there should be 8):
> >
> > $ ssh -l rnst at student.example.au ipa-client-rh7.ipa.example.au
> > [rnst ipa-client-rh7 ~]$ groups
> > rnst
> >
> > Is this expected behaviour? Is there a possible client configuration that
> > will support our AD forest setup or is this simply not possible?
>
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

I tried the same configuration on FC24, which has sssd-1.14.1-3, but it
didn't work for the student domain either:

$ ssh -l rnst at STUDENT.EXAMPLE.AU ipa-client-fc24.ipa.example.au
-sh-4.3$ groups
rnst

Is the version shipping with RHEL7.3 likely to be different?

Regards,
Robert.

From jamesaharrisonuk at yahoo.co.uk Fri Oct 21 05:14:53 2016
From: jamesaharrisonuk at yahoo.co.uk (James Harrison)
Date: Fri, 21 Oct 2016 05:14:53 +0000 (UTC)
Subject: [Freeipa-users] Promote CA-less replica
In-Reply-To: <58077507.6020901@redhat.com>
References: <1456562096.6248871.1476869739681.ref@mail.yahoo.com> <1456562096.6248871.1476869739681@mail.yahoo.com> <92007abf-5463-d876-581e-f08d9af2d430@redhat.com> <559060450.2565340.1476876580834@mail.yahoo.com> <58077507.6020901@redhat.com>
Message-ID: <294043133.48648.1477026893124@mail.yahoo.com>

Hi,
Thanks again.

Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba
compilation choice stopping AD trusts from working (samba isn't using MIT
kerberos????). We're now using CentOS 7.2.

While we know the CentOS version will operate correctly, we only get to
use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for
CentOS?

Best regards
James Harrison

From: Rob Crittenden
To: James Harrison; Martin Babinsky; "freeipa-users at redhat.com"
Sent: Wednesday, 19 October 2016, 14:28
Subject: Re: [Freeipa-users] Promote CA-less replica

James Harrison wrote:
> Hi,
> Martin thanks for your quick response. Based on your comments I have
> further questions.
>
> >> equal peers and can be considered masters
>
> 1. Is there any urgency for us to recreate a "master" server to perform
> any "master" type functions? How do we re-attach "replicas" to this new
> "master"?

Like he said, all IPA servers are equal (some are just more equal than
others).

If you truly have a CA-less system then the only thing that distinguishes
one master from another is the presence of the DNS service. From below it
looks like you install DNS on all which makes them all masters.

You can manage the replication topology using ipa-replica-manage.

> >> As long as the others have valid CA and server certs
> 2. This is the install script we are using on the "replicas"
>
> ipa-replica-install \
>       --setup-dns --ssh-trust-dns --no-dnssec-validation \
>       -p xxxxxxxxx \
>       --admin-password=xxxxxxx \
>       --ip-address=replica_ip \
>       --no-forwarders \
>       -U --mkhomedir --log-file=freeipa_log_file $1
>
> 3. The $1 is the cert generated from the "master". If there's no
> distinction between a "master" and a "replica" in a CA-less environment,
> can a "replica" run the ipa-replica-prepare script once
> ipa-replica-install has been successfully run?

I think you mean $1 is the replica file generated from some master.
Seeing how you generate that would tell us whether you are truly in a
CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to
ipa-replica-prepare).

To answer your question, yes. In a CA-less environment any master can
generate a prepare file. You can add/remove connections using
ipa-replica-manage. The initial connection is between the master that
generated the prepare file and the host it was installed on.

rob

> Thank you for any help.
> Best regards,
> James Harrison
>
> ------------------------------------------------------------------------
> *From:* Martin Babinsky
> *To:* freeipa-users at redhat.com
> *Sent:* Wednesday, 19 October 2016, 11:01
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> On 10/19/2016 11:35 AM, James Harrison wrote:
>
> Hi James,
>
> > Hi,
> > We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
> >
> > I have some questions:
> > 1. Does DNS replicate among other replicas if we change/add DNS records?
> > If not can this behaviour be changed?
>
> IPA-integrated DNS stores records in the replicated LDAP subtree so any
> added/removed DNS record will replicate to other IPA DNS servers.
>
> > 2. How do we promote a replica to become a master? We have not
> > configured our servers to become a CA. Our CA is Comodo and we have
> > configured FreeIPA to use a certificate, key and interim certificates
> > from Comodo, using the options:
> >
> > --http_pkcs12=....
> > --http_pin=....
> > --dirsrv_pkcs12=...
> > --dirsrv_pin=....
> >
> > Hope someone can help. Quite urgent.
>
> The terms FreeIPA master/replica are quite arbitrary as all replicas are
> equal peers and can be considered masters. The only notion of 'master'
> is when you use a Dogtag CA (then one of the CA replicas is designated a
> renewal master and does renew certificates in the topology and one is
> CRL master generating certificate revocation lists) and/or DNSSec (then
> one of DNS replica is designated a key master generating zone signing
> keys and other DNS replicas pull these keys).
>
> As you are using CA-less replicas then there should be no loss in the
> fact that the one designated 'master' is down (unless it was e.g. the
> only DNS server). As long as the others have valid CA and server certs
> they should be working just fine.
>
> You can just install a new replica in place of the master by generating
> a replica file on another replica and supplying the required certificates
> through options.
>
> > Regards,
> > James Harrison
>
> --
> Martin^3 Babinsky
From jhrozek at redhat.com Fri Oct 21 06:26:19 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 21 Oct 2016 08:26:19 +0200
Subject: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
In-Reply-To: <2A9DFFFA-DB82-4EEF-BF52-B0108093253F@unimelb.edu.au>
References: <62D4B20C-4A0A-4F9C-A693-C0B61CFFAB38@unimelb.edu.au> <2A9DFFFA-DB82-4EEF-BF52-B0108093253F@unimelb.edu.au>
Message-ID: <20161021062619.kk3mmyrrss7rd6uq@hendrix>

On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote:
> > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> > [...]
> > > However, when I try logging in as a student domain user (student.example.au),
> > > I don't see any of the groups (there should be 8):
> > >
> > > $ ssh -l rnst at student.example.au ipa-client-rh7.ipa.example.au
> > > [rnst ipa-client-rh7 ~]$ groups
> > > rnst
> > >
> > > Is this expected behaviour? Is there a possible client configuration that
> > > will support our AD forest setup or is this simply not possible?
> >
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
>
> I tried the same configuration on FC24, which has sssd-1.14.1-3, but it didn't work for the student domain either:
>
> $ ssh -l rnst at STUDENT.EXAMPLE.AU ipa-client-fc24.ipa.example.au
> -sh-4.3$ groups
> rnst
>
> Is the version shipping with RHEL7.3 likely to be different?

No, it's pretty much the same. Can you take a look at the logs and
create a dump of the ldb cache, please? See:
https://fedorahosted.org/sssd/wiki/Troubleshooting

From gjn at gjn.priv.at Fri Oct 21 10:23:53 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 21 Oct 2016 12:23:53 +0200
Subject: [Freeipa-users] Question Time and DS
Message-ID: <4943074.aE0kAzHu6m@techz>

Hello,

CentOS 7

1. Is it possible to install the DS tools for installing / testing ACIs
(found in the Red Hat docs) without destroying the FreeIPA installation?

2. What is the best way to have a correct time in KVM clients (FreeIPA
server)? My way at the moment is "chrony"; with NTP I have the problem of
a too big time difference, and NTP can't correct this?

--
with kind regards / best regards,
Günther J. Niederwimmer

From gbatir at gmail.com Fri Oct 21 12:00:57 2016
From: gbatir at gmail.com (Gabriel Batir)
Date: Fri, 21 Oct 2016 15:00:57 +0300
Subject: [Freeipa-users] Replica or no replica

Hello

After I have lost the entire IPA infrastructure (due to admin error :( )
I have recreated one server that I had an ipa backup for and restored the
backup.

First problem I had were the replication agreements with the now missing
servers. I have used ipa-replica-manage del --force --clean for all the
replicas. It did not work without --force.

So now I have this:

ipa --version
VERSION: 4.3.1, API_VERSION: 2.164

root at de-fra-irx08-ldap01 ~# ipa-replica-manage list
de-fra-irx08-ldap01.ipa.XXXXXX: master

root at de-fra-irx08-ldap01 ~# ipa-replica-manage list-ruv
de-fra-irx08-ldap01.ipa.XXXXXX:389: 8

root at de-fra-irx08-ldap01 ~# ipa-csreplica-manage list
Directory Manager password:
de-fra-irx08-ldap01.ipa.XXXXXX: master

But I still get this in the error log:

NSMMReplicationPlugin - agmt="cn=masterAgreement1-ro-buh-nx02-ldap01.ipa.XXXXXX-pki-tomcat" (ro-buh-nx02-ldap01:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()

root at de-fra-irx08-ldap01 ~# ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config"
Enter LDAP Password:
dn: cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/ro-buh-nx02-ldap01.ipa.XXXXXX at IPA.BIGSTEP,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
nsDS5ReplicaBindDN: krbprincipalname=ldap/uk-rdg-evr01-ldap01.ipa.XXXXXX at IPA.XXXXXX,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
nsDS5ReplicaId: 8
nsDS5ReplicaName: b4848193-ef4611e5-8893afc8-cadb562e
nsDS5ReplicaRoot: dc=ipa,dc=XXXXXX
nsDS5ReplicaType: 3
nsState:: CAAAAAAAAAAU/glYAAAAAAAAAAAAAAAA2gQAAAAAAAAUAAAAAAAAAA==
nsds5ReplicaLegacyConsumer: off
nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ipa,dc=XXXXXX
nsds5replicabinddngroupcheckinterval: 60
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsds5ReplicaChangeCount: 550
nsds5replicareapactive: 0

root at de-fra-irx08-ldap01 ~# ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config"
Enter LDAP Password:
dn: cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
cn: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
description: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTJPRE5rWXpkaVpDMWtPRFZpTTJJeg0KT0MxaFpHVm1aall5TUMwMk9HSTFOakExTVFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTF1K2UyWFJybUwyL0ZWVTYrdmFDVw==}cJhPqOxvyGaExF/h3IO9UA==
nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.XXXXXX
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaTransportInfo: TLS
nsds50ruv: {replicageneration} 56efacec000000600000
nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 56efacf1000000600000 580711f2000000600000
nsds50ruv: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:389} 57163ff7000000510000 575fedb7000000510000
nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389} 56efbe5b000000560000 57179149000000560000
nsds50ruv: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:389} 56efb7c50000005b0000 56efb80a0012005b0000
nsds50ruv: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:389} 56efacf7000000610000 575ffeda000000610000
nsds50ruv: {replica 66} 575eb9f6000300420000 575eb9f6000300420000
nsds50ruv: {replica 71} 575eade7000e00470000 575eade7000e00470000
nsruvReplicaLastModified: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 00000000
nsruvReplicaLastModified: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:389} 00000000
nsruvReplicaLastModified: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389} 00000000
nsruvReplicaLastModified: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:389} 00000000
nsruvReplicaLastModified: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:389} 00000000
nsruvReplicaLastModified: {replica 66} 00000000
nsruvReplicaLastModified: {replica 71} 00000000
objectClass: top
objectClass: nsds5replicationagreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z

Is it safe to delete
cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config ?
Would this solve my problem?

Regards,
Gabriel Batir
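The nsds50ruv values in Gabriel's ldapsearch output above are the agreement's replica update vector (RUV): one element per replica id the server has ever seen, with the supplier's LDAP URL and the oldest and newest CSN it holds for that replica. A 389-ds CSN is 20 hex digits laid out as 8 digits of Unix time, 4 of sequence number, 4 of replica id and 4 of sub-sequence number, so the timestamp of the last change and the replica id can be read straight out of it; elements such as `{replica 66}` carry no URL at all, which is how a replica id with no known supplier host looks after hosts have been removed. The Python below is an added example (not FreeIPA or 389-ds code) that unfolds ldapsearch's LDIF output and decodes each RUV element; the sample input is a constructed excerpt of the posted entry with the same redacted hostnames, and the 76-column folding mirrors what ldapsearch printed above.

```python
"""Decode the nsds50ruv elements of a 389-ds replication agreement entry.

Added example; not code from FreeIPA or 389-ds. SAMPLE_LDIF is a constructed
excerpt modelled on the ldapsearch output quoted in the message above.
"""
import re
from datetime import datetime, timezone

# Constructed sample: LDIF as ldapsearch prints it, i.e. long values folded
# onto continuation lines that start with exactly one space (RFC 2849).
SAMPLE_LDIF = """\
dn: cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,c
 n=o\\3Dipaca,cn=mapping tree,cn=config
nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.XXXXXX
nsds50ruv: {replicageneration} 56efacec000000600000
nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 56efacf10000
 00600000 580711f2000000600000
nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389} 56efbe5b000
 000560000 57179149000000560000
nsds50ruv: {replica 66} 575eb9f6000300420000 575eb9f6000300420000
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't co
 ntact LDAP server
"""

# {replica <id> [<url>]} <min csn> <max csn>; the URL is optional.
RUV_RE = re.compile(
    r"\{replica (?P<rid>\d+)(?: (?P<url>[^}\s]+))?\} "
    r"(?P<min>[0-9a-f]{20}) (?P<max>[0-9a-f]{20})"
)


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading space) back onto their attribute line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_csn(csn):
    """Split a 389-ds CSN: 8 hex digits of Unix time, 4 seq, 4 replica id, 4 subseq."""
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(text):
    """Return one dict per nsds50ruv replica element, in order of appearance."""
    entries = []
    for line in unfold_ldif(text):
        if not line.lower().startswith("nsds50ruv:"):
            continue
        m = RUV_RE.search(line)
        if not m:
            continue  # the {replicageneration} element has no replica id
        rid = int(m.group("rid"))
        newest = decode_csn(m.group("max"))
        entries.append({
            "rid": rid,
            "url": m.group("url"),          # None when the element has no URL
            "min_csn": m.group("min"),
            "max_csn": m.group("max"),
            "last_change": newest["time"],
            "csn_rid_matches": newest["rid"] == rid,  # sanity check on the layout
        })
    return entries


def stale_replica_ids(entries):
    """Replica ids whose RUV element names no supplier URL."""
    return [e["rid"] for e in entries if e["url"] is None]


if __name__ == "__main__":
    ruv = parse_ruv(SAMPLE_LDIF)
    for e in ruv:
        where = e["url"] or "(no url)"
        print(f"replica {e['rid']:>3} {where:<45} last change {e['last_change']:%Y-%m-%d}")
    print("elements without a supplier URL:", stale_replica_ids(ruv))
```

Run against a full `ldapsearch -LLL` dump of the agreement entry, this lists which replica ids the server still carries and how recent their last known change is; whether an agreement or a RUV element should be cleaned is a separate decision that the replication tooling (`ipa-replica-manage list-ruv` and `clean-ruv`) is built for.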
From julliot at ljll.math.upmc.fr Fri Oct 21 12:13:05 2016
From: julliot at ljll.math.upmc.fr (Sébastien Julliot)
Date: Fri, 21 Oct 2016 14:13:05 +0200
Subject: [Freeipa-users] Setting "preserve" as default action when deleting in webUI

Hi everyone,

In order to prevent administrators from making mistakes that could have
silly consequences, I would like to set "preserve" as the default selected
action in freeipa's webui.

What do you think would be the best way to achieve this?

Thank you in advance,
Sebastien Julliot.

From varga.gabor at zalaszam.hu Fri Oct 21 12:28:29 2016
From: varga.gabor at zalaszam.hu (Gábor Varga)
Date: Fri, 21 Oct 2016 14:28:29 +0200
Subject: [Freeipa-users] questions regarding OTP tokens

Hello,

I have a couple of questions regarding the OTP tokens:

1. Can I limit the number of active tokens a regular user can have at a
given time? If yes, then how?

2. Can I forbid the regular user to generate OTP tokens? (they should only
have a token assigned by an administrator)

3. Other than editing the python class inside
/usr/lib/python2.7/dist-packages/ipalib/plugins/otptoken.pyc how can I set
the default algorithm for the newly generated OTP tokens? I would like to
disable SHA-1 and only enable at least SHA-256.

4. How can I set the default lifetime for a new OTP token other than the
beforementioned python class?

5. How can I prevent a regular user from modifying the properties of
his/her OTP token? (The validity period for example..)

Thanks!

--
Gábor VARGA
Systems Engineer
__________________________________________________
Zalaszám Informatika Kft.
8900 Zalaegerszeg, Mártírok útja 53.
Telefon: 36-92-502-500
Fax: 36-92-502-501
e-mail: varga.gabor at zalaszam.hu
web: www.zalaszam.hu
From gjn at gjn.priv.at Fri Oct 21 12:42:49 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 21 Oct 2016 14:42:49 +0200
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To:
References: <12955976.8G96f2fpOL@techz> <3469566.I6xoSU5hl8@techz>
Message-ID: <10051107.mcWgACcI78@techz>

Hello Martin and List,

Pardon me, but something is wrong with the ldif:

ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
Enter LDAP Password:
ldapmodify: invalid format (line 5) entry: "cn=users,cn=accounts,dc=4gjn,dc=com"

I have searched and read now for days, but this FreeIPA / LDAP problem is at too high a level for me :-(.

Please help again..

Thanks for an answer

On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> > Hello Martin and List
> >
> > Thanks for the answer and Help.
> >
> > I mean my big Problem is to understand the way to configure a ACI :-(.

# ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

> >>>
> >>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>
> >>> The IPA Docs have no time stamp to find out whether this is current or old :-(.
> >>>
> >>> Thanks for an answer,
> >>
> >> Hi Gunther,
> >>
> >> that LDIF looks ok to me.
> >>
> >> Do not forget that you must set up the correct ACIs in order for the
> >> system account to see the 'mailAlternaleAddress' attribute.
>
> See the following document for a step-by-step guide on how to write ACIs:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>
> To allow the system account read access to your custom attributes, you
> can use LDIF like this (untested, hopefully I got it right from the top
> of my head):
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
> )")(version 3.0; acl "Allow system account to read mail address";
> allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> """
>
> save it to file and then call
>
> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>
> to add this ACI to cn=users subtree. The ACI then applies to all entries
> in the subtree.

--
with kind regards / best regards,
Günther J. Niederwimmer

From peljasz at yahoo.co.uk Fri Oct 21 12:55:19 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 21 Oct 2016 13:55:19 +0100
Subject: [Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??
Message-ID: <2612b90b-12e8-1c0f-a217-d171fc50bc1f@yahoo.co.uk>

hi all

I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64)
I realize that to assume version differences cause it is a bit silly, but nothing changed except the update of boxB's IPA a day before the problem occurred.
Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so boxB == boxC IPA-wise) which does ssh in fine.
The other way around, boxB to boxA ssh works.
Logs are pretty quiet, I merely see:

error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1

and that I'm not sure appears at the time of the login attempt.
I do:
boxA$ ssh boxB
Connection closed by UNKNOWN

ps. boxA is not banned nor blocked by any tcp/ip means.
many! thanks for any help
L.

From sbose at redhat.com Fri Oct 21 13:11:23 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 21 Oct 2016 15:11:23 +0200
Subject: [Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??
In-Reply-To: <2612b90b-12e8-1c0f-a217-d171fc50bc1f@yahoo.co.uk>
References: <2612b90b-12e8-1c0f-a217-d171fc50bc1f@yahoo.co.uk>
Message-ID: <20161021131123.GD12052@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote:
> hi all
>
> I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
> (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64)
> I realize that to assume versions differences cause it is bit silly but
> nothing changed except update of boxB's IPA a day before the problem occur.
> Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so
> boxB == boxC IPA-wise) which does ssh in fine.
> Other way around, boxB to boxA ssh works.
> Logs are pretty quiet, I merely see:
>
> error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status
> 1
>
> and that I'm not sure appears at the time of login attempt.
> I do:
> boxA$ ssh boxB
> Connection closed by UNKNOWN
>
> ps. boxA is not banned nor block by any tcp/ip means.
>
> many! thanks for any help

Which version of SSSD is running? Do you have user certificates stored in IPA? In this case you might hit

https://bugzilla.redhat.com/show_bug.cgi?id=1372042
https://fedorahosted.org/sssd/ticket/2977

If there are no updates with a fix available you might want to set

ldap_user_certificate = noSuchSttribute

in the [domain/...] section of sssd.conf to tell SSSD to not read the certificates from the server. As an alternative you can add all CA certificates needed to validate the user certificates properly to /etc/pki/nssdb.

HTH

bye,
Sumit

> L.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From rmeggins at redhat.com Fri Oct 21 13:11:58 2016
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 21 Oct 2016 07:11:58 -0600
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To: <10051107.mcWgACcI78@techz>
References: <12955976.8G96f2fpOL@techz> <3469566.I6xoSU5hl8@techz> <10051107.mcWgACcI78@techz>
Message-ID: <65431654-9c89-fdbc-02b2-db064e8292f1@redhat.com>

On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> Hello Martin and List,
>
> Pardon me, but anything is wrong with the ldif i
>
> ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> Enter LDAP Password:
> ldapmodify: invalid format (line 5) entry:
> "cn=users,cn=accounts,dc=4gjn,dc=com"

dn: cn=users,cn=accounts,dc=4gjn,dc=com

>
> I have search and read now any Days, but this FreeIPA / LDAP Problem have a to
> high level for me :-(.
>
> Pleas help again..
>
> Thanks for a answer
>
> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
>> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
>>> Hello Martin and List
>>>
>>> Thanks for the answer and Help.
>>>
>>> I mean my big Problem is to understand the way to configure a ACI :-(.
> # ldapmodify -x -D 'cn=Directory Manager' -W
> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: system
> userPassword: secret123
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
>
> ^D
>
>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>>>>>
>>>>> The IPA Docs have no time stamp to found out, is this actual or old :-(.
>>>>>
>>>>> Thanks for a answer,
>>>> Hi Gunther,
>>>>
>>>> that LDIF look ok to me.
>>>>
>>>> Do not forget that you must set up the correct ACIs in order for the
>>>> system account to see the 'mailAlternaleAddress' attribute.
>> See the following document for a step-by-step guide on how to write ACIs:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>>
>> To allow the system account read access to your custom attributes, you
>> can use LDIF like this (untested, hopefully I got it right from the top
>> of my head):
>>
>> """
>> dn: cn=users,cn=accounts,dc=example,dc=com
>> changetype: modify
>> add: aci
>> aci:
>> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
>> )")(version 3.0; acl "Allow system account to read mail address";
>> allow(read,
>> search, compare) userdn =
>> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>> """
>> save it to file and then call
>>
>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>>
>> to add this ACI to cn=users subtree. The ACI then applies to all entries
>> in the subtree.

From b.candler at pobox.com Fri Oct 21 13:17:12 2016
From: b.candler at pobox.com (Brian Candler)
Date: Fri, 21 Oct 2016 14:17:12 +0100
Subject: [Freeipa-users] Do expired passwords remain usable indefinitely?
Message-ID:

Question: when a password expires, does it remain in a usable state in the database indefinitely?

For example, if someone comes along a year after their password has expired, can they still login once with that password?

This is actually what I want, but I just want to confirm there's not some sort of secondary threshold which means that an expired password is not usable X days after it has expired. Or, if there is such a secondary threshold, where I can find it.

The scenario is a RADIUS server for wifi which reads NTLM password hashes out of the database to authenticate - this continues to work after expiry.
However I want users to be able to do a self-reset later if and when they want to.

Thanks,

Brian.

From rcritten at redhat.com Fri Oct 21 13:17:30 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Oct 2016 09:17:30 -0400
Subject: [Freeipa-users] Replica or no replica
In-Reply-To:
References:
Message-ID: <580A156A.3030300@redhat.com>

Gabriel Batir wrote:
> Hello
>
> After I have lost the entire IPA infrastructure (due to admin error:( )
> I have recreated one server that I had a ipa backup for and restored the
> backup.
>
> First problem I had were the replication agreements with the now missing
> servers.
> I have used ipa-replica-manage del --force --clean for
> all the replicas. It did not work without --force.
>
> So now I have this:
>
> ipa --version
> VERSION: 4.3.1, API_VERSION: 2.164
>
> root at de-fra-irx08-ldap01 ~#ipa-replica-manage list
> de-fra-irx08-ldap01.ipa.XXXXXX: master
>
> root at de-fra-irx08-ldap01 ~# ipa-replica-manage list-ruv
> de-fra-irx08-ldap01.ipa.XXXXXX:389: 8
>
> root at de-fra-irx08-ldap01 ~# ipa-csreplica-manage list
> Directory Manager password:
>
> de-fra-irx08-ldap01.ipa.XXXXXX: master
>
> But I still get this in the error log:
> NSMMReplicationPlugin -
> agmt="cn=masterAgreement1-ro-buh-nx02-ldap01.ipa.XXXXXX-pki-tomcat"
> (ro-buh-nx02-ldap01:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ()
>
>
> root at de-fra-irx08-ldap01 ~# ldapsearch -D "cn=Directory Manager" -W
> -LLL -x -b "cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config"
> Enter LDAP Password:
> dn: cn=replica,cn=dc\3Dipa\2Cdc\3DXXXXXX,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDN: krbprincipalname=ldap/ro-buh-nx02-ldap01.ipa.XXXXXX at IPA.BIGSTEP,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
> nsDS5ReplicaBindDN: krbprincipalname=ldap/uk-rdg-evr01-ldap01.ipa.XXXXXX at IPA.
> XXXXXX,cn=services,cn=accounts,dc=ipa,dc=XXXXXX
> nsDS5ReplicaId: 8
> nsDS5ReplicaName: b4848193-ef4611e5-8893afc8-cadb562e
> nsDS5ReplicaRoot: dc=ipa,dc=XXXXXX
> nsDS5ReplicaType: 3
> nsState:: CAAAAAAAAAAU/glYAAAAAAAAAAAAAAAA2gQAAAAAAAAUAAAAAAAAAA==
> nsds5ReplicaLegacyConsumer: off
> nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ipa,dc=XXXXXX
> nsds5replicabinddngroupcheckinterval: 60
> objectClass: nsds5replica
> objectClass: top
> objectClass: extensibleobject
> nsds5ReplicaChangeCount: 550
> nsds5replicareapactive: 0
>
> root at de-fra-irx08-ldap01 ~# ldapsearch -D "cn=Directory Manager" -W
> -LLL -x -b "cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config"
> Enter LDAP Password:
> dn: cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> cn: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
> description: cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat
> nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,ou=csusers,cn=config
> nsDS5ReplicaBindMethod: Simple
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUTJPRE5rWXpkaVpDMWtPRFZpTTJJeg0KT0MxaFpHVm1aall5TUMwMk9HSTFOakExTVFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTF1K2UyWFJybUwyL0ZWVTYrdmFDVw==}cJhPqOxvyGaExF/h3IO9UA==
> nsDS5ReplicaHost: ro-buh-nx02-ldap01.ipa.XXXXXX
> nsDS5ReplicaPort: 389
> nsDS5ReplicaRoot: o=ipaca
> nsDS5ReplicaTransportInfo: TLS
> nsds50ruv: {replicageneration} 56efacec000000600000
> nsds50ruv: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 56efacf1000000600000 580711f2000000600000
> nsds50ruv: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:389} 57163ff7000000510000 575fedb7000000510000
> nsds50ruv: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389}
> 56efbe5b000000560000 57179149000000560000
> nsds50ruv: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:389} 56efb7c50000005b0000 56efb80a0012005b0000
> nsds50ruv: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:389} 56efacf7000000610000 575ffeda000000610000
> nsds50ruv: {replica 66} 575eb9f6000300420000 575eb9f6000300420000
> nsds50ruv: {replica 71} 575eade7000e00470000 575eade7000e00470000
> nsruvReplicaLastModified: {replica 96 ldap://ro-buh-nx02-ldap01.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 81 ldap://de-fra-irx08-ldap02.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 86 ldap://de-fra-irx08-ldap01.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 91 ldap://uk-rdg-evr01-ldap02.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 97 ldap://uk-rdg-evr01-ldap01.ipa.XXXXXX:389} 00000000
> nsruvReplicaLastModified: {replica 66} 00000000
> nsruvReplicaLastModified: {replica 71} 00000000
> objectClass: top
> objectClass: nsds5replicationagreement
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 19700101000000Z
> nsds5replicaLastUpdateEnd: 19700101000000Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 19700101000000Z
> nsds5replicaLastInitEnd: 19700101000000Z
>
>
> Is it safe to delete
> cn=cloneAgreement1-de-fra-irx08-ldap01.ipa.XXXXXX-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config ?
>
> Would this solve my problem?

Yes. It looks like a CA replication agreement. Given that, as stated, you have no other replicas it is safe to remove this.
rob

From rcritten at redhat.com Fri Oct 21 13:18:15 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 21 Oct 2016 09:18:15 -0400
Subject: [Freeipa-users] Promote CA-less replica
In-Reply-To: <294043133.48648.1477026893124@mail.yahoo.com>
References: <1456562096.6248871.1476869739681.ref@mail.yahoo.com> <1456562096.6248871.1476869739681@mail.yahoo.com> <92007abf-5463-d876-581e-f08d9af2d430@redhat.com> <559060450.2565340.1476876580834@mail.yahoo.com> <58077507.6020901@redhat.com> <294043133.48648.1477026893124@mail.yahoo.com>
Message-ID: <580A1597.8020000@redhat.com>

James Harrison wrote:
> Hi,
> Thanks again.
>
> Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba
> compilation choice stopping AD trusts from working (samba isn't using
> MIT kerberos????). We're now using CentOS 7.2.
>
> While we know the CentOS version will operate correctly, we only get to
> use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for
> CentOS?

Not until RHEL 7.3 is released and rebuilt for CentOS.

rob

>
> Best regards
> James Harrison
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* James Harrison ; Martin Babinsky ; "freeipa-users at redhat.com"
> *Sent:* Wednesday, 19 October 2016, 14:28
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> James Harrison wrote:
> > Hi,
> > Martin thanks for your quick response. Based on your comments. I have
> > further questions.
> >
> > >> equal peers and can be considered masters
> >
> > 1. If there any urgency for us to recreate a "master" server to perform
> > any "master" type functions? How do we re-attach "replicas" to this new
> > "master"?
>
> Like he said, all IPA servers are equal (some are just more equal than
> others). If you truly have a CA-less system the only thing that
> distinguishes one master from another is the presence of the DNS
> service. From below it looks like you install DNS on all which makes
> them all masters.
>
> You can manage the replication topology using ipa-replica-manage.
>
> >
> > >> As long as the others have valid CA and server certs
> > 2. This is the install script we are using on the "replicas"
> >
> > ipa-replica-install \
> >     --setup-dns --ssh-trust-dns --no-dnssec-validation \
> >     -p xxxxxxxxx \
> >     --admin-password=xxxxxxx \
> >     --ip-address=replica_ip \
> >     --no-forwarders \
> >     -U --mkhomedir --log-file=freeipa_log_file $1
> >
> > 3. The $1 is the cert generated from the "master". If there's no
> > distinction between a "master" and a "replica" in a CA-less environment,
> > can a "replica" run the ipa-replica-prepare script once
> > ipa-replica-install has been successfully run?
>
> I think you mean $1 is the replica file generated from some master.
> Seeing how you generate that would tell us whether you are truly in a
> CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to
> ipa-replica-prepare).
>
> To answer your question, yes. In a CA-less environment any master can
> generate a prepare file.
>
> You can add/remove connections using ipa-replica-manage. The initial
> connection is between the master that generated the prepare file and the
> host it was installed on.
>
> rob
>
> >
> > Thank you for any help.
> > Best regards,
> > James Harrison
> >
> > ------------------------------------------------------------------------
> > *From:* Martin Babinsky
> > *To:* freeipa-users at redhat.com
> > *Sent:* Wednesday, 19 October 2016, 11:01
> > *Subject:* Re: [Freeipa-users] Promote CA-less replica
> >
> > On 10/19/2016 11:35 AM, James Harrison wrote:
> >
> > Hi James,
> >
> > > Hi,
> > > We're using FreeIPA on Ubuntu Xenial. We lost the Master server.
> > >
> > > I have some questions:
> > > 1. Do DNS replicate among other replicas if we change/add DNS records?
> > > If not can this behaviour be changed?
> > IPA-integrated DNS stores records in the replicated LDAP subtree so any
> > added/removed DNS record will replicate to other IPA DNS servers.
> >
> > > 2. How do we promote a replica to become a master? We have not
> > > configured our servers to become a CA. Our CA is Comodo and we have
> > > configured FreeIPA to use a certificate, key and interim certificates
> > > from Comodo. using the options:
> > >
> > > --http_pkcs12=....
> > > --http_pin=....
> > > --dirsrv_pkcs12=...
> > > --dirsrv_pin=....
> > >
> > > Hope someone can help. Quite urgent.
> > >
> > The terms FreeIPA master/replica are quite arbitrary as all replicas are
> > equal peers and can be considered masters. The only notion of 'master'
> > is when you use a Dogtag CA (then one of the CA replicas is designated a
> > renewal master and does renew certificates in the topology and one is
> > CRL master generating certificate revocation lists) and/or DNSSec (then
> > one of DNS replica is designated a key master generating zone signing
> > keys and other DNS replicas pull these keys).
> >
> > As you are using CA-less replicas then there should be no loss in the
> > fact that the one designated 'master' is down (unless it was e.g. the
> > only DNS server). As long as the others have valid CA and server certs
> > they should be working just fine.
> >
> > You can just install a new replica in place of the master by generating
> > replica file on another replica and supplying the required certificates
> > through options.
> >
> > > Regards,
> > > James Harrison
> >
> > --
> > Martin^3 Babinsky
> >

From gjn at gjn.priv.at Fri Oct 21 14:05:42 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 21 Oct 2016 16:05:42 +0200
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To: <65431654-9c89-fdbc-02b2-db064e8292f1@redhat.com>
References: <12955976.8G96f2fpOL@techz> <10051107.mcWgACcI78@techz> <65431654-9c89-fdbc-02b2-db064e8292f1@redhat.com>
Message-ID: <6261846.Ngv5mNHpuK@techz>

Hello,

Thanks for the answer,

On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
> > Hello Martin and List,
> >
> > Pardon me, but anything is wrong with the ldif i
> >
> > ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
> > Enter LDAP Password:
> > ldapmodify: invalid format (line 5) entry:
> > "cn=users,cn=accounts,dc=4gjn,dc=com"
>
> dn: cn=users,cn=accounts,dc=4gjn,dc=com

this is in the ldif ?

"""
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version 3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
""

but what is wrong ?

> > I have search and read now any Days, but this FreeIPA / LDAP Problem have
> > a to high level for me :-(.
> >
> > Pleas help again..
> >
> > Thanks for a answer
> >
> > On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
> >> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
> >>> Hello Martin and List
> >>>
> >>> Thanks for the answer and Help.
> >>>
> >>> I mean my big Problem is to understand the way to configure a ACI :-(.
> >
> > # ldapmodify -x -D 'cn=Directory Manager' -W
> >
> > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: system
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> >
> > ^D
> >
> >>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
> >>>>>
> >>>>> The IPA Docs have no time stamp to found out, is this actual or old
> >>>>> :-(.
> >>>>>
> >>>>> Thanks for a answer,
> >>>>
> >>>> Hi Gunther,
> >>>>
> >>>> that LDIF look ok to me.
> >>>>
> >>>> Do not forget that you must set up the correct ACIs in order for the
> >>>> system account to see the 'mailAlternaleAddress' attribute.
> >>
> >> See the following document for a step-by-step guide on how to write ACIs:
> >>
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
> >>
> >> To allow the system account read access to your custom attributes, you
> >> can use LDIF like this (untested, hopefully I got it right from the top
> >> of my head):
> >>
> >> """
> >> dn: cn=users,cn=accounts,dc=example,dc=com
> >> changetype: modify
> >> add: aci
> >> aci:
> >> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
> >> )")(version 3.0; acl "Allow system account to read mail address";
> >> allow(read,
> >> search, compare) userdn =
> >> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> >> """
> >> save it to file and then call
> >>
> >> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
> >>
> >> to add this ACI to cn=users subtree. The ACI then applies to all entries
> >> in the subtree.

--
with kind regards / best regards,
Günther J. Niederwimmer

From rmeggins at redhat.com Fri Oct 21 14:12:11 2016
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 21 Oct 2016 08:12:11 -0600
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To: <6261846.Ngv5mNHpuK@techz>
References: <12955976.8G96f2fpOL@techz> <10051107.mcWgACcI78@techz> <65431654-9c89-fdbc-02b2-db064e8292f1@redhat.com> <6261846.Ngv5mNHpuK@techz>
Message-ID: <216e60eb-2ce8-8c24-97a0-3cd8a31f4872@redhat.com>

On 10/21/2016 08:05 AM, Günther J. Niederwimmer wrote:
> Hello,
>
> Thanks for the answer,
>
> On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
>> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
>>> Hello Martin and List,
>>>
>>> Pardon me, but anything is wrong with the ldif i
>>>
>>> ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
>>> Enter LDAP Password:
>>> ldapmodify: invalid format (line 5) entry:
>>> "cn=users,cn=accounts,dc=4gjn,dc=com"
>> dn: cn=users,cn=accounts,dc=4gjn,dc=com
> this is in the ldif ?
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> (version
> 3.0; acl "Allow system account to read mail address"; allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> ""
>
> but what is wrong ?

Sorry, I don't know, I thought it was complaining about the DN line format.

>>> I have search and read now any Days, but this FreeIPA / LDAP Problem have
>>> a to high level for me :-(.
>>>
>>> Pleas help again..
>>>
>>> Thanks for a answer
>>>
>>> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
>>>> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
>>>>> Hello Martin and List
>>>>>
>>>>> Thanks for the answer and Help.
>>>>>
>>>>> I mean my big Problem is to understand the way to configure a ACI :-(.
>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>>
>>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>>> changetype: add
>>> objectclass: account
>>> objectclass: simplesecurityobject
>>> uid: system
>>> userPassword: secret123
>>> passwordExpirationTime: 20380119031407Z
>>> nsIdleTimeout: 0
>>>
>>>
>>> ^D
>>>
>>>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>>>>>>>
>>>>>>> The IPA Docs have no time stamp to found out, is this actual or old
>>>>>>> :-(.
>>>>>>>
>>>>>>> Thanks for a answer,
>>>>>> Hi Gunther,
>>>>>>
>>>>>> that LDIF look ok to me.
>>>>>>
>>>>>> Do not forget that you must set up the correct ACIs in order for the
>>>>>> system account to see the 'mailAlternaleAddress' attribute.
>>>> See the following document for a step-by-step guide on how to write ACIs:
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>>>>
>>>> To allow the system account read access to your custom attributes, you
>>>> can use LDIF like this (untested, hopefully I got it right from the top
>>>> of my head):
>>>>
>>>> """
>>>> dn: cn=users,cn=accounts,dc=example,dc=com
>>>> changetype: modify
>>>> add: aci
>>>> aci:
>>>> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
>>>> )")(version 3.0; acl "Allow system account to read mail address";
>>>> allow(read,
>>>> search, compare) userdn =
>>>> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>>>> """
>>>> save it to file and then call
>>>>
>>>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>>>>
>>>> to add this ACI to cn=users subtree. The ACI then applies to all entries
>>>> in the subtree.
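The ldapmodify failure quoted above is the usual LDIF folding mistake: a value continued on the next physical line must start with exactly one space (RFC 2849), otherwise the parser reads the continuation as a new attribute line and rejects it. The Python script below is an added example, not code from the thread; it reproduces the error on the LDIF as pasted (line 5 is the first unprefixed continuation), then folds the same aci value correctly and parses it back. The 76-column width and the helper names are this example's own choices.

```python
"""LDIF value folding/unfolding check (added example, not from the thread).

Reproduces the ldapmodify "invalid format (line 5)" failure on the LDIF as
pasted in the thread, then folds the same aci value the way RFC 2849
requires (continuation lines start with one space) and parses it back.
"""
import base64
import re

# Constructed input: the thread's LDIF with the aci value wrapped across
# physical lines that do NOT start with a space.
BROKEN_LDIF = """\
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci:
(targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
(version 3.0; acl "Allow system account to read mail address"; allow(read,
search, compare) userdn =
"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
"""

# The aci value as one logical string (same content as above).
ACI_VALUE = (
    '(targetattr="mailAlternateAddress")'
    '(targetfilter="(objectClass=mailrecipient)")'
    '(version 3.0; acl "Allow system account to read mail address"; '
    'allow(read, search, compare) userdn = '
    '"ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)'
)

# attr: value | attr:: base64 | attr:< url   (RFC 2849 line forms)
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):(:|<)?\s?(.*)$")


class LdifFormatError(ValueError):
    """Raised with the physical line number, as ldapmodify reports it."""


def unfold(text):
    """Join RFC 2849 continuation lines (leading single space) onto the
    preceding logical line.  Returns [(first_physical_line_no, line)]."""
    logical = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and logical:
            no, prev = logical[-1]
            logical[-1] = (no, prev + raw[1:])   # drop exactly one space
        elif raw == "" or raw.startswith("#"):
            continue                              # separator or comment
        else:
            logical.append((lineno, raw))
    return logical


def parse_record(text):
    """Parse one LDIF record into {attr: [values]}; every logical line
    must look like 'attr: value', otherwise report the physical line."""
    record = {}
    for lineno, line in unfold(text):
        m = ATTR_LINE.match(line)
        if m is None:
            raise LdifFormatError("invalid format (line %d)" % lineno)
        attr, kind, value = m.group(1).lower(), m.group(2), m.group(3)
        if kind == ":":                           # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        record.setdefault(attr, []).append(value)
    return record


def format_error(text):
    """Return ldapmodify-style error text for `text`, or None if it parses."""
    try:
        parse_record(text)
    except LdifFormatError as err:
        return str(err)
    return None


def fold(attr, value, width=76):
    """Emit 'attr: value' wrapped at `width` columns; each continuation
    line starts with one space so the parser joins it back."""
    line = "%s: %s" % (attr, value)
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


# The same record, folded correctly: this is what ldapmodify accepts.
FIXED_LDIF = "\n".join([
    "dn: cn=users,cn=accounts,dc=example,dc=com",
    "changetype: modify",
    "add: aci",
    fold("aci", ACI_VALUE),
]) + "\n"
```

Running `format_error(BROKEN_LDIF)` yields "invalid format (line 5)", the same line ldapmodify names in the thread, while `FIXED_LDIF` parses back to the single aci value.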
From lkrispen at redhat.com Fri Oct 21 14:21:35 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 21 Oct 2016 16:21:35 +0200
Subject: [Freeipa-users] Best and Secure Way for a System Account
In-Reply-To: <6261846.Ngv5mNHpuK@techz>
References: <12955976.8G96f2fpOL@techz> <10051107.mcWgACcI78@techz> <65431654-9c89-fdbc-02b2-db064e8292f1@redhat.com> <6261846.Ngv5mNHpuK@techz>
Message-ID: <580A246F.6010207@redhat.com>

On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> Thanks for the answer,
>
> On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote:
>> On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote:
>>> Hello Martin and List,
>>>
>>> Pardon me, but anything is wrong with the ldif i
>>>
>>> ldapmodify -D 'cn=Directory Manager' -W -f alias.ldif
>>> Enter LDAP Password:
>>> ldapmodify: invalid format (line 5) entry:
>>> "cn=users,cn=accounts,dc=4gjn,dc=com"
>> dn: cn=users,cn=accounts,dc=4gjn,dc=com
> this is in the ldif ?
>
> """
> dn: cn=users,cn=accounts,dc=example,dc=com
> changetype: modify
> add: aci
> aci:
> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
> (version
> 3.0; acl "Allow system account to read mail address"; allow(read,
> search, compare) userdn =
> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
> ""
>
> but what is wrong ?

the value for the aci attribute spans multiple lines. In a ldif file a continuation line has to start with a space. Try

dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient)")
 (version 3.0; acl "Allow system account to read mail address"; allow(read,
 search, compare) userdn =
 "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)

>
>>> I have search and read now any Days, but this FreeIPA / LDAP Problem have
>>> a to high level for me :-(.
>>>
>>> Pleas help again..
>>>
>>> Thanks for a answer
>>>
>>> On Monday, 17 October 2016, 14:41:01, Martin Babinsky wrote:
>>>> On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote:
>>>>> Hello Martin and List
>>>>>
>>>>> Thanks for the answer and Help.
>>>>>
>>>>> I mean my big Problem is to understand the way to configure a ACI :-(.
>>> # ldapmodify -x -D 'cn=Directory Manager' -W
>>>
>>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
>>> changetype: add
>>> objectclass: account
>>> objectclass: simplesecurityobject
>>> uid: system
>>> userPassword: secret123
>>> passwordExpirationTime: 20380119031407Z
>>> nsIdleTimeout: 0
>>>
>>>
>>> ^D
>>>
>>>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>>>>>>>
>>>>>>> The IPA Docs have no time stamp to found out, is this actual or old
>>>>>>> :-(.
>>>>>>>
>>>>>>> Thanks for a answer,
>>>>>> Hi Gunther,
>>>>>>
>>>>>> that LDIF look ok to me.
>>>>>>
>>>>>> Do not forget that you must set up the correct ACIs in order for the
>>>>>> system account to see the 'mailAlternaleAddress' attribute.
>>>> See the following document for a step-by-step guide on how to write ACIs:
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html
>>>>
>>>> To allow the system account read access to your custom attributes, you
>>>> can use LDIF like this (untested, hopefully I got it right from the top
>>>> of my head):
>>>>
>>>> """
>>>> dn: cn=users,cn=accounts,dc=example,dc=com
>>>> changetype: modify
>>>> add: aci
>>>> aci:
>>>> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipient
>>>> )")(version 3.0; acl "Allow system account to read mail address";
>>>> allow(read,
>>>> search, compare) userdn =
>>>> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)
>>>> """
>>>> save it to file and then call
>>>>
>>>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif
>>>>
>>>> to add this ACI to cn=users subtree. The ACI then applies to all entries
>>>> in the subtree.

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HR B 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From jamesaharrisonuk at yahoo.co.uk Fri Oct 21 14:40:56 2016
From: jamesaharrisonuk at yahoo.co.uk (James Harrison)
Date: Fri, 21 Oct 2016 14:40:56 +0000 (UTC)
Subject: [Freeipa-users] Promote CA-less replica
In-Reply-To: <580A1597.8020000@redhat.com>
References: <1456562096.6248871.1476869739681.ref@mail.yahoo.com> <1456562096.6248871.1476869739681@mail.yahoo.com> <92007abf-5463-d876-581e-f08d9af2d430@redhat.com> <559060450.2565340.1476876580834@mail.yahoo.com> <58077507.6020901@redhat.com> <294043133.48648.1477026893124@mail.yahoo.com> <580A1597.8020000@redhat.com>
Message-ID: <793955614.903042.1477060856974@mail.yahoo.com>

Hello all,
That is really good to know. Thank you for helping me out with this.

James

From: Rob Crittenden
To: "jamesaharrisonuk at yahoo.co.uk" ; Martin Babinsky ; "freeipa-users at redhat.com"
Sent: Friday, 21 October 2016, 14:18
Subject: Re: [Freeipa-users] Promote CA-less replica

James Harrison wrote:
> Hi,
> Thanks again.
>
> Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba
> compilation choice stopping AD trusts from working (samba isn't using
> MIT kerberos????). We're now using CentOS 7.2.
>
> While we know the CentOS version will operate correctly, we only get to
> use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for
> CentOS?

Not until RHEL 7.3 is released and rebuilt for CentOS.

rob

>
> Best regards
> James Harrison
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* James Harrison ; Martin Babinsky ; "freeipa-users at redhat.com"
> *Sent:* Wednesday, 19 October 2016, 14:28
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> James Harrison wrote:
> > Hi,
> Martin thanks for your quick response. Based on your comments. I have >? > further questions. >? > >? >? >> equal peers and can be considered masters >? > >? > 1. If there any urgency for us to recreate a "master" server to perform >? > any "master" type functions? How do we re-attach "replicas" to this new >? > "master"? > > Like he said, all IPA servers are equal (some are just more equal than > others). If you truly have a CA-less system the the only thing that > distinguishes one master from another is the presence of the DNS > service. From below it looks like you install DNS on all which makes > them all masters. > > You can manage the replication topology using ipa-replica-manage. > >? > >? >? >> As long as the others have valid CA and server certs >? > 2. This is the install script we are using on the "replicas" >? > >? > ipa-replica-install \ >? >? ? ? --setup-dns --ssh-trust-dns --no-dnssec-validation \ >? >? ? ? -p xxxxxxxxx \ >? >? ? ? --admin-password=xxxxxxx \ >? >? ? ? --ip-address=replica_ip? \ >? >? ? ? --no-forwarders \ >? >? ? ? -U --mkhomedir --log-file=freeipa_log_file $1 >? > >? > 3. The $1 is the cert generated from the "master".? If theres no >? > distinction between a "master" and a "replica" in a CA-less environment, >? > can a "replica" run the ipa-replica-prepare script once >? > ipa-replica-install has been successfully run? > > I think you mean $1 is the replica file generated from some master. > Seeing how you generate that would tell us whether you are truly in a > CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to > ipa-replica-prepare). > > To answer your question, yes. In a CA-less environment any master can > generate a prepare file. > > You can add/remove connections using ipa-replica-manage. The initial > connection is between the master that generated the prepare file and the > host it was installed on. > > rob > > >? > >? > Thank you for any help. >? > Best regards, >? > James Harrison >? > >? 
> ------------------------------------------------------------------------ >? > *From:* Martin Babinsky > >? > *To:* freeipa-users at redhat.com >? > *Sent:* Wednesday, 19 October 2016, 11:01 >? > *Subject:* Re: [Freeipa-users] Promote CA-less replica >? > >? > On 10/19/2016 11:35 AM, James Harrison wrote: >? > >? > Hi James, >? > >? >? > Hi, >? >? > Were using FreeIPA on Ubuntu Xenial. We lost the Master server. >? >? > >? >? > I have some questions: >? >? > 1. Do DNS replicate among other replicas is we change/add DNS records? >? >? > If not can this behaviour be changed? >? > IPA-intergrated DNS stores records in the replicated LDAP subtree so any >? > added/removed DNS record will replicate to other IPA DNS servers. >? > >? >? > 2. How do we promote a replica to become a master? We have not >? >? > configured our servers to become a CA. Our CA is Comodo and we have >? >? > configured FreeIPA to use a certificate, key and interim certificates >? >? > from Comodo. using the options: >? >? > >? >? > --http_pkcs12=.... >? >? > --http_pin=.... >? >? > --dirsrv_pkcs12=... >? >? > --dirsrv_pin=.... >? >? > >? >? > Hope someone can help. Quite urgent. >? >? > >? > The terms FreeIPA master/replica are quite arbitrary as all replicas are >? > equal peers and can be considered masters. The only notion of 'master' >? > is when you use a Dogtag CA (then one of the CA replicas is designated a >? > renewal master and does renew certificates in the topology and one is >? > CRL master generating certificate revocation lists) and/or DNSSec (then >? > one of DNS replica is designated a key master generating zone signing >? > keys and other DNS replicas pull these keys). >? > >? > As you are using CA-less replicas then there should be no loss in the >? > fact that the one designated 'master' is down (unless it was e.g. the >? > only DNS server). As long as the others have valid CA and server certs >? > they should be working just fine. >? > >? > >? > >? 
> You can just install a new replica in place of the master by generating >? > replica file on another replicaa nd supplying the required certificates >? > through options. >? > >? > >? >? > Regards, >? >? > James Harrison >? > >? >? > >? >? > >? > >? > >? > -- >? > Martin^3 Babinsky >? > >? > -- >? > Manage your subscription for the Freeipa-users mailing list: >? > https://www.redhat.com/mailman/listinfo/freeipa-users >? > Go to http://freeipa.org > for more info on the project >? > >? > >? > >? > >? > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gjn at gjn.priv.at Fri Oct 21 19:05:23 2016 From: gjn at gjn.priv.at (=?ISO-8859-1?Q?G=FCnther_J=2E?= Niederwimmer) Date: Fri, 21 Oct 2016 21:05:23 +0200 Subject: [Freeipa-users] Best and Secure Way for a System Account In-Reply-To: <580A246F.6010207@redhat.com> References: <12955976.8G96f2fpOL@techz> <6261846.Ngv5mNHpuK@techz> <580A246F.6010207@redhat.com> Message-ID: <2460821.J4uA8bHZ9i@techz> Hello, many, many thanks, this was the Problem ;-) now I have a modifying entry "cn=users,cn=accounts,dc=example,dc=com" :-))) So now I hope I can configure my dovecot Server and the mailAlternatAddress was found! Thanks again. Am Freitag, 21. Oktober 2016, 16:21:35 schrieb Ludwig Krispenz: > On 10/21/2016 04:05 PM, G?nther J. Niederwimmer wrote: > > Hello, > > > > Thanks for the answer, > > > > Am Freitag, 21. Oktober 2016, 07:11:58 schrieb Rich Megginson: > >> On 10/21/2016 06:42 AM, G?nther J. 
Niederwimmer wrote: > >>> Hello Martin and List, > >>> > >>> Pardon me, but anything is wrong with the ldif i > > dn: cn=users,cn=accounts,dc=example,dc=com > > changetype: modify > > add: aci > > aci: > > (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipie > > nt)") (version > > 3.0; acl "Allow system account to read mail address"; allow(read, > > search, compare) userdn = > > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";) > > "" > > > > but what is wrong ? > > the value for the aci attribute spans multiple lines. In a ldif file a > continuation line has to start with a space. Try > > dn: cn=users,cn=accounts,dc=example,dc=com > changetype: modify > add: aci > aci: > (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailrecipien > t)") (version > 3.0; acl "Allow system account to read mail address"; allow(read, > search, compare) userdn = > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";) > > >>> I have search and read now any Days, but this FreeIPA / LDAP Problem > >>> have > >>> a to high level for me :-(. > >>> > >>> Pleas help again.. > >>> > >>> Thanks for a answer > >>> > >>> Am Montag, 17. Oktober 2016, 14:41:01 schrieb Martin Babinsky: > >>>> On 10/17/2016 02:25 PM, G?nther J. Niederwimmer wrote: > >>>>> Hello Martin and List > >>>>> > >>>>> Thanks for the answer and Help. > >>>>> > >>>>> I mean my big Problem is to understand the way to configure a ACI :-(. > >>> > >>> # ldapmodify -x -D 'cn=Directory Manager' -W > >>> > >>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com > >>> changetype: add > >>> objectclass: account > >>> objectclass: simplesecurityobject > >>> uid: system > >>> userPassword: secret123 > >>> passwordExpirationTime: 20380119031407Z > >>> nsIdleTimeout: 0 > >>> > >>> > >>> ^D > >>> > >>>>>>> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts > >>>>>>> > >>>>>>> The IPA Docs have no time stamp to found out, is this actual or old > >>>>>>> > >>>>>>> :-(. 
> >>>>>>> > >>>>>>> Thanks for a answer, > >>>>>> > >>>>>> Hi Gunther, > >>>>>> > >>>>>> that LDIF look ok to me. > >>>>>> > >>>>>> Do not forget that you must set up the correct ACIs in order for the > >>>>>> system account to see the 'mailAlternaleAddress' attribute. > >>>> > >>>> See the following document for a step-by-step guide on how to write > >>>> ACIs: > >>>> > >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/ > >>>> 10 > >>>> /ht > >>>> ml/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually. > >>>> h > >>>> tml > >>>> > >>>> To allow the system account read access to your custom attributes, you > >>>> can use LDIF like this (untested, hopefully I got it right from the top > >>>> of my head): > >>>> > >>>> """ > >>>> dn: cn=users,cn=accounts,dc=example,dc=com > >>>> changetype: modify > >>>> add: aci > >>>> aci: > >>>> (targetattr="mailAlternateAddress")(targetfilter="(objectClass=mailreci > >>>> pi > >>>> ent )")(version 3.0; acl "Allow system account to read mail address"; > >>>> allow(read, > >>>> search, compare) userdn = > >>>> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";) > >>>> """ > >>>> save it to file and then call > >>>> > >>>> ldapmodify -D 'cn=Directory Manager' -W -f aci.ldif > >>>> > >>>> to add this ACI to cn=users subtree. The ACI then applies to all > >>>> entries > >>>> in the subtree. -- mit freundlichen Gr??en / best regards, G?nther J. Niederwimmer From peljasz at yahoo.co.uk Fri Oct 21 19:39:43 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Fri, 21 Oct 2016 20:39:43 +0100 Subject: [Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ?? 
In-Reply-To: <20161021131123.GD12052@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <2612b90b-12e8-1c0f-a217-d171fc50bc1f@yahoo.co.uk> <20161021131123.GD12052@p.Speedport_W_724V_Typ_A_05011603_00_009>

On 21/10/16 14:11, Sumit Bose wrote:
> On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote:
>> hi all
>>
>> I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB
>> (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64)
>> I realize that assuming version differences cause it is a bit silly but
>> nothing changed except the update of boxB's IPA a day before the problem occurred.
>> Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so
>> boxB == boxC IPA-wise) which does ssh in fine.
>> The other way around, boxB to boxA ssh works.
>> Logs are pretty quiet, I merely see:
>>
>> error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
>>
>> and I'm not sure that appears at the time of the login attempt.
>> I do:
>> boxA$ ssh boxB
>> Connection closed by UNKNOWN
>>
>> ps. boxA is not banned nor blocked by any tcp/ip means.
>>
>> many! thanks for any help
> Which version of SSSD is running? Do you have user certificates stored
> in IPA? In this case you might hit

all three boxes run - sssd-1.13.0-40.el7_2.12.x86_64
but there is something weird going on with boxA ipa-server-4.2.0-15.sl7_2.19.x86_64 for a while
when IPA starts all seems ok but later, actually quite soon

$ ipa dnszone-find
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/

and I realize dirsrv "crashes" earlier

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)
NSMMReplicationPlugin - agmt="cn=meTodzien.private.xxxx.xxx.private.xxx.xx.xx" (dzien:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
NSMMReplicationPlugin - CleanAllRUV Task (rid 38): Replica not online (agmt="cn=meTodzien.private.xxxx.xxx.private.xxx.xx.xx" (dzien:389))
NSMMReplicationPlugin - CleanAllRUV Task (rid 38): Not all replicas online, retrying in 20 seconds...

which is that boxB ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
but I can query that boxB from boxA manually
$ ldapsearch -LLL -D "cn=directory manager" -b cn=config -p 389 -h boxB -W = results OK.

what's wrong with boxA?

> https://bugzilla.redhat.com/show_bug.cgi?id=1372042
> https://fedorahosted.org/sssd/ticket/2977
>
> If there are no updates with a fix available you might want to set
>
> ldap_user_certificate = noSuchSttribute
>
> in the [domain/...] section of sssd.conf to tell SSSD to not read the
> certificates from the server. As an alternative you can add all CA
> certificates needed to validate the user certificates properly to
> /etc/pki/nssdb.
>
> HTH
>
> bye,
> Sumit
>
>> L.

From gil at omnigroup.com Fri Oct 21 22:15:19 2016
From: gil at omnigroup.com (Gilbert Wilson)
Date: Fri, 21 Oct 2016 15:15:19 -0700
Subject: [Freeipa-users] Certmonger (or similar) for FreeBSD?
Message-ID: <20F48E91-A587-4A82-9775-6E56528E2D7E@omnigroup.com>

We have a lot of FreeBSD systems for which I would like to streamline certificate issuance and renewal. Ideally, we could leverage our FreeIPA system's CA to do this. But certmonger doesn't run on FreeBSD (or does it?). What other means have other people tried, or would you recommend investigating, to enable automated certificate issuance and renewal for FreeBSD FreeIPA clients?

Any pointers are appreciated!
Gil

From gjn at gjn.priv.at Sun Oct 23 13:01:31 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sun, 23 Oct 2016 15:01:31 +0200
Subject: [Freeipa-users] Replica Problem (Errors)
Message-ID: <5871092.HDg4xTobpa@techz>

Hello,

I have added on my ipa (Master) Server this user and ACI with an ldif file

ldapmodify -x -D 'cn=Directory Manager' -W
dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

^D

dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="mailAlternateAddress")
 (targetfilter="(objectClass=mailrecipient)")
 (version
 3.0; acl "Allow system account to read mail address"; allow(read,
 search, compare) userdn =
 "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";)

This ends with a
modifying entry "cn=users,cn=accounts,dc=example,dc=com"

but now I have on the changed master these 100... Errors

[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396504 (rc: 32)
[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396505 (rc: 32)
[23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396506 (rc: 32)
[23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep alive entry already exists
[23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:13:39:20 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -1 (Can't contact LDAP server)
[23/Oct/2016:13:39:23 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Replication bind with GSSAPI auth resumed
[23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:14:04:24 +0200] NSMMReplicationPlugin - replication keep alive entry already exists
[23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed.
[23/Oct/2016:14:30:23 +0200] NSMMReplicationPlugin - replication keep alive entry already exists

and on the replica (Master) these 1000.... Errors

[23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240846 (rc: 32)
[23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240847 (rc: 32)
[23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240848 (rc: 32)
[23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240849 (rc: 32)
[23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240850 (rc: 32)
[23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240851 (rc: 32)
[23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240852 (rc: 32)
[23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240853 (rc: 32)

What is wrong with my changes, or do I have to add my changes also on the Replicas?

Thanks for an answer,

--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer

From david.dejaeghere at gmail.com Sun Oct 23 16:03:03 2016
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Sun, 23 Oct 2016 18:03:03 +0200
Subject: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch

Does somebody have an idea how to replace our certificates when the new ROOT CA certificate has a different subject?
The UI is down because of this.

2016-10-19 11:42 GMT+02:00 David Dejaeghere :
> Hello,
>
> When installing FreeIPA we used the CA from our Windows servers.
> This one recently expired and we created a new one. It seems that the new
> root CA has another subject name and this seems to be an issue when we want
> to install new certs on our FreeIPA hosts.
>
> ipa-cacert-manage install certnew.pem -n mycert -t C,,
>
> Installing CA certificate, please wait
> Failed to install the certificate: subject public key info mismatch
>
> After validating, the subjects are indeed different.
>
> How can we replace the required certs for dirsrv and http when the CA is
> not installable?
>
> Kind Regards,
>
> David

From elwellj at vmcmail.com Sun Oct 23 17:22:16 2016
From: elwellj at vmcmail.com (Elwell, Jason)
Date: Sun, 23 Oct 2016 12:22:16 -0500
Subject: [Freeipa-users] PWM password self-service integration with FreeIPA

I posted this on the PWM boards, and figured I'd send this along here, too. I'm looking for feedback on this. Let me know if you find this accurate and/or valuable. Thanks!

PWM setup for FreeIPA
https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a

PwmConfiguration-template.xml
https://gist.github.com/PowerWagon/0e83a0c5b67316a6987944b76eb103bc

From fdinoto at gmail.com Mon Oct 24 03:37:15 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Sun, 23 Oct 2016 20:37:15 -0700
Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

Hello,

I would like to better understand why IPA requires SAN (subject alternative name) entries to have a backing host record. In order to sign a certificate with a SAN that corresponded to a user-friendly CNAME I had to add a host record (ipa host) for that DNS name (using the force option to create it without an A/AAAA record) as well as a service principal.

I'm sure I'm not alone when I say I don't like doing that because it means that a "Host" in FreeIPA is not a computer, it's a host record that may or may not be the only record that corresponds to a computer. It gets confusing.

I assume things are this way to ensure integrity at some level. But I can't picture it. What is the potential danger of simply bypassing the host/principal checks and just signing the certificate with whatever SAN field we like?

If this actually is a necessity and is not likely to change, I think it would be beneficial to administrators to be able to manage "Hosts" that correspond to CNAMEs (call them "Alias Hosts"?) separately from Hosts that are actually enrolled computers. They could be managed in a similar fashion to SUDO rules, like maybe:

Alias Hosts = a single name
Alias Host Groups = groups of names
Alias Host Maps = associate an Alias Host/Group with Hosts or Host Groups

I'm picturing Alias Hosts and Alias groups as a separate tab under Identity (and some corresponding "ipa aliashost-*" CLI) and an Alias Host Maps tab under policy.

From fdinoto at gmail.com Mon Oct 24 03:49:37 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Sun, 23 Oct 2016 20:49:37 -0700
Subject: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch

Hi,

Can you give an example of what's different between the two subjects?

On Sun, Oct 23, 2016 at 9:03 AM, David Dejaeghere <david.dejaeghere at gmail.com> wrote:
> Does somebody have an idea how to replace our certificates when the new
> ROOT CA certificate has a different subject?
> The UI is down because of this.
>
> 2016-10-19 11:42 GMT+02:00 David Dejaeghere :
>
>> Hello,
>>
>> When installing FreeIPA we used the CA from our Windows servers.
>> This one recently expired and we created a new one. It seems that the
>> new root CA has another subject name and this seems to be an issue when we
>> want to install new certs on our FreeIPA hosts.
>>
>> ipa-cacert-manage install certnew.pem -n mycert -t C,,
>>
>> Installing CA certificate, please wait
>> Failed to install the certificate: subject public key info mismatch
>>
>> After validating, the subjects are indeed different.
>>
>> How can we replace the required certs for dirsrv and http when the CA is
>> not installable?
>>
>> Kind Regards,
>>
>> David

From ftweedal at redhat.com Mon Oct 24 04:53:32 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 24 Oct 2016 14:53:32 +1000
Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?
Message-ID: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com>

On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote:
> Hello,
>
> I would like to better understand why IPA requires SAN (subject alternative
> name) entries to have a backing host record. In order to sign a certificate
> with a SAN that corresponded to a user-friendly CNAME I had to add a host
> record (ipa host) for that DNS name (using the force option to create it
> without an A/AAAA record) as well as a service principal.
>
> I'm sure I'm not alone when I say I don't like doing that because it means
> that a "Host" in FreeIPA is not a computer, it's a host record that may or
> may not be the only record that corresponds to a computer. It gets
> confusing.
>
> I assume things are this way to ensure integrity at some level. But I can't
> picture it. What is the potential danger of simply bypassing the
> host/principal checks and just signing the certificate with whatever SAN
> field we like?
>
In this specific case, it is because certmonger requests service
certificates with host credentials. Therefore it is not just human
administrators issuing certs. And we MUST validate SAN against
information in the directory (the only "source of truth" available
to the CA / IPA cert-request command). Otherwise you could put e.g.
`google.com' into SAN, and we would issue the cert, and that would
be Very Bad.

The problem is slightly exacerbated in that 99% of the time you
really want to issue service certs, but FreeIPA does not permit the
creation of a service entry without a corresponding host entry. So
you end up with spurious host entries that do not correspond to
actual hosts. I have previously asked about relaxing this
restriction. The idea was rejected (for reasons I don't remember).

> If this actually is a necessity and is not likely to change, I think it
> would be beneficial to administrators to be able to manage "Hosts" that
> correspond to CNAMEs (call them "Alias Hosts"?) separately from Hosts that
> are actually enrolled computers. They could be managed in a similar fashion
> to SUDO rules, like maybe:
>
> Alias Hosts = a single name
> Alias Host Groups = groups of names
> Alias Host Maps = associate an Alias Host/Group with Hosts or Host Groups
>
> I'm picturing Alias Hosts and Alias groups as a separate tab under Identity
> (and some corresponding "ipa aliashost-*" CLI) and an Alias Host Maps tab
> under policy.
>
Now that we have kerberos principal aliases, we might be able to
leverage that, perhaps even directly for service principals. Any
devs want to chime in on this idea?

Cheers,
Fraser

From abokovoy at redhat.com Mon Oct 24 07:24:24 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 24 Oct 2016 10:24:24 +0300
Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?
In-Reply-To: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com>
References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com>
Message-ID: <20161024072424.h6h5vjujop4xma6w@redhat.com>

On Mon, 24 Oct 2016, Fraser Tweedale wrote:
> On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote:
>> Hello,
>>
>> I would like to better understand why IPA requires SAN (subject alternative
>> name) entries to have a backing host record. In order to sign a certificate
>> with a SAN that corresponded to a user-friendly CNAME I had to add a host
>> record (ipa host) for that DNS name (using the force option to create it
>> without an A/AAAA record) as well as a service principal.
>>
>> I'm sure I'm not alone when I say I don't like doing that because it means
>> that a "Host" in FreeIPA is not a computer, it's a host record that may or
>> may not be the only record that corresponds to a computer. It gets
>> confusing.
>>
>> I assume things are this way to ensure integrity at some level. But I can't
>> picture it. What is the potential danger of simply bypassing the
>> host/principal checks and just signing the certificate with whatever SAN
>> field we like?
>>
> In this specific case, it is because certmonger requests service
> certificates with host credentials. Therefore it is not just human
> administrators issuing certs. And we MUST validate SAN against
> information in the directory (the only "source of truth" available
> to the CA / IPA cert-request command). Otherwise you could put e.g.
> `google.com' into SAN, and we would issue the cert, and that would
> be Very Bad.
>
> The problem is slightly exacerbated in that 99% of the time you
> really want to issue service certs, but FreeIPA does not permit the
> creation of a service entry without a corresponding host entry. So
> you end up with spurious host entries that do not correspond to
> actual hosts. I have previously asked about relaxing this
> restriction. The idea was rejected (for reasons I don't remember).
The host entries are not "spurious" as you call them. They are objects
that participate in the access control. Services always belong to hosts
and are managed by them. Whether there are DNS entries corresponding to
the controlling objects is irrelevant, their primary use is to be used
as something that could be defined as owning the service.
The fact that host object is also a service in itself (for host/) is an obvious optimization for Kerberos infrastructure As you know, on x.509 certificate level there are no differences between services running on the same host, so technically all Kerberos services could share the same certificate associated with the host that controls them. You could just keep the certificate in the host entry and be done with it. This, of course, has own issues -- mostly related to rotation of the certificates and access to the private keys from multiple applications -- but this has nothing to do with the way how IPA presents hosts in the database. -- / Alexander Bokovoy From fdinoto at gmail.com Mon Oct 24 07:30:10 2016 From: fdinoto at gmail.com (Fil Di Noto) Date: Mon, 24 Oct 2016 00:30:10 -0700 Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA? In-Reply-To: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> Message-ID: On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote: > On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote: >> Hello, >> >> >> >> I would like to better understand why IPA requires SAN (subject alternative >> name) entries to have a backing host record. In order to sign a certificate >> with a SAN that corresponded to a user friendly CNAME I had to add a host >> record (ipa host) for that DNS name (use force option to create without an >> A/AAAA record) as well as a service principle. >> >> >> >> I'm sure I'm not alone when I say I don't like doing that because it means >> that a "Host" in FreeIPA is not a computer, it's a host record that may or >> may not be the only record that corresponds to a computer. It gets >> confusing. >> >> >> >> I assume things are this way to ensure integrity at some level. But I can't >> picture it. 
What is the potential danger of simply bypassing the >> host/principal checks and just signing the certificate with whatever SAN >> field we like? >> > In this specific case, it is because certmonger requests service > certificates with host credentials. Therefore it is not just human > administrators issuing certs. And we MUST validate SAN against > information in the directory (the only "source of truth" available > to the CA / IPA cert-request command). Otherwise you could put e.g. > `google.com' into SAN, and we would issue the cert, and that would > be Very Bad. > In my case it's always human administrators issuing certs. I can see how validation is a great way to prevent a scenario like the one you described. But couldn't that be accommodated by tinkering with the roles/privileges so that you could impose the restriction on external, less-trusted applications but allow a trusted human administrator to bypass it? Admin group by default would be nice. It would be unfortunate if someone added a service account to the admin group, but I don't see that as justification for ruling it out. How many other poor security decisions has someone made already before they decided to add a service account to the domain admin group? To that I would say that degree of administrative negligence is not something that the project should design around. But, I don't work at RedHat and I don't have to take the support calls so my opinion means nothing. But if I'm an admin, enforcing the SAN restriction doesn't prevent me from doing anything I couldn't already do by creating a couple host records. It's just making things difficult for admins who ultimately are securely deploying a service. > The problem is slightly exacerbated in that 99% of the time you > really want to issue service certs, but FreeIPA does not permit the > creation of a service entry without a corresponding host entry. So > you end up with spurious host entries that do not correspond to > actual hosts. 
I have previously asked about relaxing this > restriction. The idea was rejected (for reasons I don't remember). To be fair, I don't think I ever read specifically that a Host in IPA was supposed to represent a single computer. But I imagine that the majority of people who are using it thought that was the case, at least at first. I don't think it would take much abstraction to maintain that logical representation for administrators. >> If this actually is a necessity and is not likely to change, I think it >> would be beneficial to administrators to be able to manage "Hosts" that >> correspond to CNAMEs (call them "Alias Hosts"? ) separately from Hosts that >> are actually enrolled computers. They could be managed in a similar fashion >> to SUDO rules, like maybe: >> >> >> >> Alias Hosts = a single name >> >> Alias Host Groups = groups of names >> >> Alias Host Maps = associate Alias Host/Group with Hosts or Host Groups >> >> >> >> I'm picturing Alias Hosts and Alias groups as a separate tab under Identity >> (and some corresponding "ipa aliashost-*" CLI) and Alias Host Maps tab >> under policy. >> > Now that we have kerberos principal aliases, we might be able to > leverage that, perhaps even directly for service principals. Any > devs want to chime in on this idea? > > Cheers, > Fraser From lkrispen at redhat.com Mon Oct 24 07:53:21 2016 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 24 Oct 2016 09:53:21 +0200 Subject: [Freeipa-users] Replica Problem (Errors) In-Reply-To: <5871092.HDg4xTobpa@techz> References: <5871092.HDg4xTobpa@techz> Message-ID: <580DBDF1.2000406@redhat.com> Hi, On 10/23/2016 03:01 PM, Günther J. 
Niederwimmer wrote: > Hello, > > I have added on my ipa (Master) Server this user and ACI with an ldif file > > ldapmodify -x -D 'cn=Directory Manager' -W > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com > changetype: add > objectclass: account > objectclass: simplesecurityobject > uid: system > userPassword: secret123 > passwordExpirationTime: 20380119031407Z > nsIdleTimeout: 0 > > ^D > > dn: cn=users,cn=accounts,dc=example,dc=com > changetype: modify > add: aci > aci: (targetattr="mailAlternateAddress") > (targetfilter="(objectClass=mailrecipient)") > (version > 3.0; acl "Allow system account to read mail address"; allow(read, > search, compare) userdn = > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";) > > This Ends with a > modifying entry "cn=users,cn=accounts,dc=example,dc=com" these changes are not related to the errors you report below (I would be really surprised) and you only need to apply them on one server, that's what replication is good for. There are a couple of different types of messages: - failed to delete changelog record: this is from retro changelog trimming, when miscalculation of the starting point for trimming starts with changenumber lower than what's in the retro changelog. In my experience this can happen after a crash/kill/reboot and should stop after some time - attrlist_replace errors: looks like you have recreated a replica on a machine and not cleaned the RUV, please see: http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records - keep-alive already exists: this is also an indication of a new replica, the keep alive entry was in the database, but the supplier tries to send it again, this should also disappear once some real changes from replica 4 are replicated > > but now I have on the changed master this 100... 
Errors > > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 396504 (rc: 32) > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 396505 (rc: 32) > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 396506 (rc: 32) > [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep alive > entry already exists > [23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:13:38:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:13:39:20 +0200] NSMMReplicationPlugin - > agmt="cn=meToipa1.example.com" (ipa1:389): Warning: Attempting to release > replica, but unable to receive endReplication extended operation response from > the replica. Error -1 (Can't contact LDAP server) > [23/Oct/2016:13:39:23 +0200] NSMMReplicationPlugin - > agmt="cn=meToipa1.example.com" (ipa1:389): Replication bind with GSSAPI auth > resumed > [23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:13:53:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:14:04:24 +0200] NSMMReplicationPlugin - replication keep alive > entry already exists > [23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. 
> [23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:14:08:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:14:23:57 +0200] attrlist_replace - attr_replace (nsslapd- > referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. > [23/Oct/2016:14:30:23 +0200] NSMMReplicationPlugin - replication keep alive > entry already exists > > > and on the replica (Master) this 1000....Errors > > [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 240846 (rc: 32) > [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 240847 (rc: 32) > [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 240848 (rc: 32) > [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 240849 (rc: 32) > [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 240850 (rc: 32) > [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 240851 (rc: 32) > [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 240852 (rc: 32) > [23/Oct/2016:13:42:51 +0200] DSRetroclPlugin - delete_changerecord: could not > delete change record 240853 (rc: 32) > > What is wrong with my changes, or have I to add my changes also on the > Replicas ? 
> > Thanks for an answer, > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From david.dejaeghere at gmail.com Mon Oct 24 08:10:49 2016 From: david.dejaeghere at gmail.com (David Dejaeghere) Date: Mon, 24 Oct 2016 10:10:49 +0200 Subject: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch In-Reply-To: References: Message-ID: These are both the subjects for the old and new root CA cert. Subject: "CN=tokio-PAPRIKA-CA,DC=tokio,DC=local" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: d5:51:19:a0:7e:2f:b6:4b:cb:71:42:cb:38:bc:50:0a: 18:16:58:07:11:c6:d3:ea:66:91:a8:52:02:54:93:28: 78:a1:89:36:7a:0f:1e:2a:35:8a:da:85:05:c4:fe:de: e8:6a:e8:fd:1b:89:44:8f:8c:62:d6:56:f7:9e:16:d5: fd:b4:44:65:71:4f:1a:7d:d6:28:2d:5e:ad:c9:da:60: 54:98:02:87:d9:43:62:ab:1b:93:c1:af:0b:b9:80:2e: 08:f0:65:46:bf:de:78:c5:d2:19:b8:07:52:d6:01:ab: d0:b2:7d:0a:7f:9f:fa:e8:8c:55:86:e0:d3:d5:ef:e7: ad:6a:12:a2:b8:75:be:93:c2:05:df:99:a9:d8:a2:cc: 7c:2b:49:d6:a3:65:0c:c8:ef:c3:a4:b6:f6:86:1d:c2: 56:56:1b:0d:70:7a:67:15:49:2f:b7:92:8e:2a:94:57: 53:26:ef:9a:af:89:fe:cb:1e:e7:ac:72:9a:cd:b4:22: b1:22:02:fd:95:23:e0:65:d0:36:e8:e1:88:2b:35:02: 99:1c:ee:84:10:80:84:a8:e5:61:04:6b:a3:6b:da:c5: 49:36:ef:f6:48:09:2c:0d:7c:b2:52:4f:a6:72:cc:e6: 30:b5:dd:a0:5b:0e:96:49:78:9d:1e:27:4e:02:40:a1 Exponent: 65537 (0x10001) Subject: DC=local, DC=tokio, CN=tokio-PAPRIKA-CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ae:32:35:fa:b5:f4:2d:b8:0c:c3:d9:b0:9f:a8: 5d:21:90:58:a9:79:79:7d:85:7e:f1:f2:36:9d:ef: 9f:8c:a8:3a:bf:57:5c:2e:6b:5d:2e:91:ba:c6:b7: b2:b1:dd:45:de:e6:d4:fe:01:f4:d2:bd:99:9f:9a: 71:1d:d4:e4:a7:cd:9e:f3:36:a7:a0:73:55:6b:04: 66:ab:c3:63:b3:41:06:ac:c8:c8:3a:4c:eb:83:78: 
6e:e8:b6:0f:94:fa:a8:7e:7d:89:44:d1:bd:be:14: df:0c:ce:4d:b4:e6:0a:e2:d7:84:95:4b:a1:3e:53: c9:04:3f:7b:de:1b:fd:7b:b5:b0:69:3b:f9:f2:b5: a7:fe:6d:9d:62:6e:9a:fc:1e:32:69:ad:4c:ae:e3: 61:dd:92:99:34:4b:bf:6b:02:88:18:88:a2:0f:ca: e8:6e:91:f0:e6:2e:4d:83:f6:05:7e:ed:f2:f1:3e: b2:36:3f:de:3f:db:93:73:5b:60:ee:8c:48:e0:c0: 4c:0e:6a:63:1a:16:af:9e:28:93:40:39:23:bf:d0: 77:9c:b7:80:d3:c3:42:d8:27:db:d7:4b:e5:3f:b4: d2:ad:57:c2:01:73:c8:45:26:f1:00:93:50:3e:cf: 7a:2d:25:d5:43:b6:a7:75:a1:ef:58:f9:c9:11:e8: 09:1d Exponent: 65537 (0x10001) 2016-10-24 5:49 GMT+02:00 Fil Di Noto : > Hi, > > Can you give an example of what's different between the two subjects? > > On Sun, Oct 23, 2016 at 9:03 AM, David Dejaeghere < > david.dejaeghere at gmail.com> wrote: > >> Does somebody have an idea how to replace our certificates when the new >> ROOT ca certificate has a different subject? >> The UI is down because of this. >> >> 2016-10-19 11:42 GMT+02:00 David Dejaeghere : >> >>> Hello, >>> >>> When installing FreeIPA we used the CA from our Windows servers. >>> This one recently expired and we created a new one. It seems that the >>> new root CA has another subject name and this seems to be an issue when we >>> want to install new certs on our FreeIPA hosts. >>> >>> ipa-cacert-manage install certnew.pem -n mycert -t C,, >>> >>> Installing CA certificate, please wait >>> Failed to install the certificate: subject public key info mismatch >>> >>> After validating the subjects are indeed different. >>> >>> How can we replace the required certs for dirsrv and http when the ca is >>> not installable? >>> >>> Kind Regards, >>> >>> David >>> >>> >>> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
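An added illustration for the thread above (example code; it is not FreeIPA's own code and not from David's mail). "Subject public key info" is the X.509 field (SubjectPublicKeyInfo) that carries the public key, so the question to settle is whether the two dumps hold the same key, not whether the subject DNs match. The two tools print the key differently: the first dump ("PKCS #1 RSA Encryption") omits the DER sign-padding byte, the second ("rsaEncryption") starts with 00, and the DN components come out in opposite order. The helper below normalizes both forms before comparing. The first two modulus lines of each CA are excerpts from the mail; the short c1:02:03:04 key is constructed to show the same key printed both ways.

```python
# Added example, not from the thread or from FreeIPA: compare RSA public keys
# as printed by two different tools (NSS certutil vs openssl x509 -text), so
# that formatting differences do not hide whether the key itself changed.
import hashlib
import re


def normalize_modulus(dump):
    """Turn a colon-separated hex dump (only the dump lines, no 'Modulus:'
    label) into plain lowercase hex. Whitespace and colons are dropped.
    openssl prints a leading 00 byte when the top bit of the modulus is set
    (DER INTEGER sign padding); NSS does not. A real RSA modulus never starts
    with a zero byte, so a single leading 00 is always padding and is removed."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", dump).lower()
    if hexstr.startswith("00") and len(hexstr) > 2:
        hexstr = hexstr[2:]
    return hexstr


def key_fingerprint(modulus_dump, exponent):
    """Short SHA-256 fingerprint over modulus || exponent, for eyeballing.
    exponent may be an int or a string such as '65537 (0x10001)'."""
    n = bytes.fromhex(normalize_modulus(modulus_dump))
    e = int(str(exponent).split()[0], 0).to_bytes(4, "big")
    return hashlib.sha256(n + e).hexdigest()[:16]


def same_public_key(mod_a, exp_a, mod_b, exp_b):
    """True when both dumps describe the same RSA public key."""
    return key_fingerprint(mod_a, exp_a) == key_fingerprint(mod_b, exp_b)


# Excerpts (first two lines only) of the two moduli posted in the thread.
OLD_CA_NSS = """d5:51:19:a0:7e:2f:b6:4b:cb:71:42:cb:38:bc:50:0a:
18:16:58:07:11:c6:d3:ea:66:91:a8:52:02:54:93:28:"""
NEW_CA_OPENSSL = """00:ae:32:35:fa:b5:f4:2d:b8:0c:c3:d9:b0:9f:a8:
    5d:21:90:58:a9:79:79:7d:85:7e:f1:f2:36:9d:ef:"""

# Constructed: one (toy-sized) key, printed NSS style and openssl style.
SAME_KEY_NSS = "c1:02:03:04"
SAME_KEY_OPENSSL = "00:c1:02:03:04"

if __name__ == "__main__":
    print("old vs new CA key identical:",
          same_public_key(OLD_CA_NSS, 65537, NEW_CA_OPENSSL, "65537 (0x10001)"))
    print("same key, two print styles:",
          same_public_key(SAME_KEY_NSS, 65537, SAME_KEY_OPENSSL, 65537))
```

Run on the thread's dumps the fingerprints differ, which is exactly the condition the install command reports: a certificate whose subject already exists in the store but whose key does not match. Rotating to a CA with the same subject DN but a freshly generated key therefore needs the old CA handled as a distinct trust anchor rather than overwritten in place.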
URL: From pvomacka at redhat.com Mon Oct 24 10:37:31 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 24 Oct 2016 12:37:31 +0200 Subject: [Freeipa-users] Setting "preserve" as default action when deleting in webUI In-Reply-To: <5f607850-9623-254e-1609-02fd922117c0@ljll.math.upmc.fr> References: <5f607850-9623-254e-1609-02fd922117c0@ljll.math.upmc.fr> Message-ID: <4b88fa7e-4df2-ba82-0591-94f8ac37ac59@redhat.com> Hello Sebastien, the safest way is to create a WebUI plugin which rewrites the definition of the radio button in the delete dialog. You can find the radio button code in user.js, line 989 (method IPA.user.create_active_user_del_dialog), where you need to set default_value to true. Several examples of plugins can be found here: https://pvoborni.fedorapeople.org/plugins/ . I recommend looking at employeenumber or association_search_fix. And here is documentation about plugins: https://pvoborni.fedorapeople.org/doc/#!/guide/Plugins On 10/20/2016 11:43 AM, Sébastien Julliot wrote: > Hi everyone, > > > In order to prevent administrators from making mistakes that could have > > silly consequences, I would like to set "preserve" as the default selected > > action in freeipa's webui. > > What do you think would be the best way to achieve this ? > > > Thank you in advance, > > Sebastien Julliot. > > > -- Pavel^3 Vomacka From gjn at gjn.priv.at Mon Oct 24 11:21:10 2016 From: gjn at gjn.priv.at (Günther J. Niederwimmer) Date: Mon, 24 Oct 2016 13:21:10 +0200 Subject: [Freeipa-users] Replica Problem (Errors) In-Reply-To: <580DBDF1.2000406@redhat.com> References: <5871092.HDg4xTobpa@techz> <580DBDF1.2000406@redhat.com> Message-ID: <3481914.stP7xGGlje@techz> Hello Ludwig, thanks for the answer, On Monday, 24 October 2016, 09:53:21 Ludwig Krispenz wrote: > On 10/23/2016 03:01 PM, Günther J. 
Niederwimmer wrote: > > I have added on my ipa (Master) Server this user and ACI with an ldif file > > > > ldapmodify -x -D 'cn=Directory Manager' -W > > dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com > > changetype: add > > objectclass: account > > objectclass: simplesecurityobject > > uid: system > > userPassword: secret123 > > passwordExpirationTime: 20380119031407Z > > nsIdleTimeout: 0 > > > > ^D > > > > dn: cn=users,cn=accounts,dc=example,dc=com > > changetype: modify > > add: aci > > aci: (targetattr="mailAlternateAddress") > > (targetfilter="(objectClass=mailrecipient)") > > > > (version > > 3.0; acl "Allow system account to read mail address"; allow(read, > > search, compare) userdn = > > "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";) > > > > This Ends with a > > modifying entry "cn=users,cn=accounts,dc=example,dc=com" > > these changes are not related to the errors you report below (I would be > really surprised) and you only need to apply them on one server, that's > what replication is good for. > > There are a couple of different types of messages: > - failed to delete changelog record: this is from retro changelog > trimming, when miscalculation of the starting point for trimming starts > with changenumber lower than what's in the retro changelog. > In my experience this can happen after a crash/kill/reboot and should > stop after some time OK, nothing to do ;-). > - attrlist_replace errors: looks like you have recreated a replica on a > machine and not cleaned the RUV, please see: > http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records I haven't added or removed a replica; these two servers have been running now, I mean, for over three months. The last thing I remember is that I added a 3rd-party certificate, but I didn't find so many errors before :-(. Is there a way for a "normal" user to check a FreeIPA installation, to find out whether the system is consistent? 
> - keep-alive already exists: this is also an indication of a new > replica, the keep alive entry was in the database, but the supplier > tries to send it again, this should also disappear once some real > changes from replica 4 are replicated > > > but now I have on the changed master this 100... Errors > > > > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could > > not delete change record 396504 (rc: 32) > > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could > > not delete change record 396505 (rc: 32) > > [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could > > not delete change record 396506 (rc: 32) > > [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep > > alive > > entry already exists > > > > and on the replica (Master) this 1000....Errors > > > > [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could > > not delete change record 240846 (rc: 32) > > What is wrong with my changes, or have I to add my changes also on the > > Replicas ? > > > > Thanks for an answer, -- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer From lkrispen at redhat.com Mon Oct 24 12:16:23 2016 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 24 Oct 2016 14:16:23 +0200 Subject: [Freeipa-users] Replica Problem (Errors) In-Reply-To: <3481914.stP7xGGlje@techz> References: <5871092.HDg4xTobpa@techz> <580DBDF1.2000406@redhat.com> <3481914.stP7xGGlje@techz> Message-ID: <580DFB97.3060602@redhat.com> On 10/24/2016 01:21 PM, Günther J. Niederwimmer wrote: > Hello Ludwig, > > thanks for the answer, > > > On Monday, 24 October 2016, 09:53:21 Ludwig Krispenz wrote: >> On 10/23/2016 03:01 PM, Günther J. 
Niederwimmer wrote: >>> I have added on my ipa (Master) Server this user and ACI with an ldif file >>> >>> ldapmodify -x -D 'cn=Directory Manager' -W >>> dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com >>> changetype: add >>> objectclass: account >>> objectclass: simplesecurityobject >>> uid: system >>> userPassword: secret123 >>> passwordExpirationTime: 20380119031407Z >>> nsIdleTimeout: 0 >>> >>> ^D >>> >>> dn: cn=users,cn=accounts,dc=example,dc=com >>> changetype: modify >>> add: aci >>> aci: (targetattr="mailAlternateAddress") >>> (targetfilter="(objectClass=mailrecipient)") >>> >>> (version >>> 3.0; acl "Allow system account to read mail address"; allow(read, >>> search, compare) userdn = >>> "ldap:///uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com";) >>> >>> This Ends with a >>> modifying entry "cn=users,cn=accounts,dc=example,dc=com" >> these changes are not related to the errors you report below (I would be >> really surprised) and you only need to apply them on one server, that's >> what replication is good for. >> >> There are a couple of different types of messages: >> - failed to delete changelog record: this is from retro changelog >> trimming, when miscalculation of the starting point for trimming starts >> with changenumber lower than what's in the retro changelog. >> In my experience this can happen after a crash/kill/reboot and should >> stop after some time > OK, nothing to do ;-). > >> - attrlist_replace errors: looks like you have recreated a replica on a >> machine and not cleaned the RUV, please see: >> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records > I haven't added or removed a replica; these two servers have been running now, I mean > for over three months. that is strange, could you perform step 1] and 2] of this recipe: https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html but add the option "-o ldif-wrap=no" to the ldapsearch to get the full ruv > > The last thing I remember is that I added a 3rd-party certificate, 
> > but I didn't find so many errors before :-(. > > Is there a way for a "normal" user to check a FreeIPA installation, to find out > whether the system is consistent? > >> - keep-alive already exists: this is also an indication of a new >> replica, the keep alive entry was in the database, but the supplier >> tries to send it again, this should also disappear once some real >> changes from replica 4 are replicated >> >>> but now I have on the changed master this 100... Errors >>> >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could >>> not delete change record 396504 (rc: 32) >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could >>> not delete change record 396505 (rc: 32) >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could >>> not delete change record 396506 (rc: 32) >>> [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep >>> alive >>> entry already exists >>> >>> and on the replica (Master) this 1000....Errors >>> >>> [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could >>> not delete change record 240846 (rc: 32) >>> What is wrong with my changes, or have I to add my changes also on the >>> Replicas ? >>> >>> Thanks for an answer, -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From dkupka at redhat.com Mon Oct 24 12:13:31 2016 From: dkupka at redhat.com (David Kupka) Date: Mon, 24 Oct 2016 14:13:31 +0200 Subject: [Freeipa-users] Do expired passwords remain usable indefinitely? In-Reply-To: References: Message-ID: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com> On 21/10/16 15:17, Brian Candler wrote: > Question: when a password expires, does it remain in a usable state in > the database indefinitely? 
For example, if someone comes along a year > after their password has expired, can they still login once with that > password? > > This is actually what I want, but I just want to confirm there's not > some sort of secondary threshold which means that an expired password is > not usable X days after it has expired. Or, if there is such a > secondary threshold, where I can find it. > > The scenario is a RADIUS server for wifi which reads NTLM password > hashes out of the database to authenticate - this continues to work > after expiry. However I want users to be able to do a self-reset later > if and when they want to. > > Thanks, > > Brian. > Hello Brian! AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP and do the validation locally. So FreeIPA has no way to say the password is expired. When the user tries to obtain a Kerberos ticket he will be forced to change the password and the NTLM hash will also be regenerated. -- David Kupka From dkupka at redhat.com Mon Oct 24 12:51:16 2016 From: dkupka at redhat.com (David Kupka) Date: Mon, 24 Oct 2016 14:51:16 +0200 Subject: [Freeipa-users] Certmonger (or similar) for FreeBSD? In-Reply-To: <20F48E91-A587-4A82-9775-6E56528E2D7E@omnigroup.com> References: <20F48E91-A587-4A82-9775-6E56528E2D7E@omnigroup.com> Message-ID: <552b65a2-5731-498a-1d61-7fe158695695@redhat.com> On 22/10/16 00:15, Gilbert Wilson wrote: > We have a lot of FreeBSD systems that I would like to streamline certificate issuance and renewal. Ideally, we could leverage our FreeIPA system's CA to do this. But, certmonger doesn't run on FreeBSD (or does it?). What other means have other people tried, or would you recommend investigating, to enable automated certificate issuance and renewal for FreeBSD FreeIPA clients? > > Any pointers are appreciated! > > Gil > Hello Gil! I have very limited experience with *BSD systems so the question may be completely off. 
Have you tried to install and run certmonger using FreeBSD's Linux Binary Compatibility [1]? Though I don't know what are the limitations or possible issues it could be a way. [1] http://www.freebsd.cz/doc/handbook/linuxemu.html -- David Kupka From william.muriithi at gmail.com Mon Oct 24 15:29:06 2016 From: william.muriithi at gmail.com (William Muriithi) Date: Mon, 24 Oct 2016 11:29:06 -0400 Subject: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains? Message-ID: Morning Jakub, >> However, I would like to tune this configuration to drop the domain >> component of the user and group names. I tried to do this by adding >> these settings to the [sssd] section in sssd.conf on the client: >> >> default_domain_suffix = example.au >> full_name_format = %1$s >> >> With this configuration, I can login as a staff domain user (example.au) >> successfully and I then see the short-name form of the groups: >> >> $ ssh -l rnst at student.example.au ipa-client-rh7.ipa.example.au >> [rnst at ipa-client-rh7 ~]$ groups >> rnst >> >> Is this expected behaviour? Is there a possible client configuration that >> will support our AD forest setup or is this simply not possible? > > What you did is quite correct, but unfortunately works only with > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry. Does one need sssd-1.14 on the IPA server only or is this required on all the IPA clients too? Regards, William From jhrozek at redhat.com Mon Oct 24 17:03:15 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 24 Oct 2016 19:03:15 +0200 Subject: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains? In-Reply-To: References: Message-ID: <20161024170315.jsacjaqhol3nhky2@hendrix> On Mon, Oct 24, 2016 at 11:29:06AM -0400, William Muriithi wrote: > Morning Jakub, > > >> However, I would like to tune this configuration to drop the domain > >> component of the user and group names. 
I tried to do this by adding > >> these settings to the [sssd] section in sssd.conf on the client: > >> > >> default_domain_suffix = example.au > >> full_name_format = %1$s > >> > >> With this configuration, I can login as a staff domain user (example.au) > >> successfully and I then see the short-name form of the groups: > >> > >> $ ssh -l rnst at student.example.au ipa-client-rh7.ipa.example.au > >> [rnst at ipa-client-rh7 ~]$ groups > >> rnst > >> > >> Is this expected behaviour? Is there a possible client configuration that > >> will support our AD forest setup or is this simply not possible? > > > > What you did is quite correct, but unfortunately works only with > > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry. > > Does one need sssd-1.14 on the IPA server only or is this required on > all the IPA clients too? I haven't tested since I was working in this area, but I believe the clients as well. From gil at omnigroup.com Mon Oct 24 17:26:10 2016 From: gil at omnigroup.com (Gilbert Wilson) Date: Mon, 24 Oct 2016 10:26:10 -0700 Subject: [Freeipa-users] Certmonger (or similar) for FreeBSD? In-Reply-To: <552b65a2-5731-498a-1d61-7fe158695695@redhat.com> References: <20F48E91-A587-4A82-9775-6E56528E2D7E@omnigroup.com> <552b65a2-5731-498a-1d61-7fe158695695@redhat.com> Message-ID: > On Oct 24, 2016, at 5:51 AM, David Kupka wrote: > > On 22/10/16 00:15, Gilbert Wilson wrote: >> We have a lot of FreeBSD systems that I would like to streamline certificate issuance and renewal. Ideally, we could leverage our FreeIPA system's CA to do this. But, certmonger doesn't run on FreeBSD (or does it?). What other means have other people tried, or would you recommend investigating, to enable automated certificate issuance and renewal for FreeBSD FreeIPA clients? >> >> Any pointers are appreciated! >> >> Gil >> > > Hello Gil! > > I have very limited experience with *BSD systems so the question may be completely off. 
> Have you tried to install and run certmonger using FreeBSD's Linux Binary Compatibility [1]? Though I don't know what are the limitations or possible issues it could be a way. > > [1] http://www.freebsd.cz/doc/handbook/linuxemu.html > > -- > David Kupka You know, I haven't ever tried LBC! I suppose it's worth a sacrificial virtual machine to see if it works. It also occurred to me that FreeIPA might have some sort of API given the web interface, and sure enough that made the Google-fu turn up more useful results. * https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ * https://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ * http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA There doesn't appear to be a manual for the API but those examples seem to "show the way". My initial thought is to create a script that uses kinit with a keytab to authenticate against FreeIPA and then create/renew permissible certificates for the system before they expire. This seems reasonable since the certificate creation/renewal is the scope of what I'm interested in doing. Do you see any reason not to do it this way or have any other alternative suggestions? Another way to think about it, perhaps, is what would you do on a Linux system if you didn't have access to the FreeIPA client or certmonger? Thanks for the pointer/reminder about LBC! Gil From prasun.gera at gmail.com Mon Oct 24 23:02:56 2016 From: prasun.gera at gmail.com (Prasun Gera) Date: Mon, 24 Oct 2016 19:02:56 -0400 Subject: [Freeipa-users] Do expired passwords remain usable indefinitely? In-Reply-To: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com> References: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com> Message-ID: I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. 
I'm not sure if this is related to the password's expiration or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts ? I don't remember setting it anywhere. On Mon, Oct 24, 2016 at 8:13 AM, David Kupka wrote: > On 21/10/16 15:17, Brian Candler wrote: > >> Question: when a password expires, does it remain in a usable state in >> the database indefinitely? For example, if someone comes along a year >> after their password has expired, can they still login once with that >> password? >> >> This is actually what I want, but I just want to confirm there's not >> some sort of secondary threshold which means that an expired password is >> not usable X days after it has expired. Or, if there is such a >> secondary threshold, where I can find it. >> >> The scenario is a RADIUS server for wifi which reads NTLM password >> hashes out of the database to authenticate - this continues to work >> after expiry. However I want users to be able to do a self-reset later >> if and when they want to. >> >> Thanks, >> >> Brian. >> >> > Hello Brian! > > AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP > and do the validation locally. So FreeIPA has no way to say the password is > expired. > When the user tries to obtain Kerberos ticket he will be forced to change > the password and NTLM hash will be also regenerated. > > -- > David Kupka > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Tue Oct 25 04:55:24 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 25 Oct 2016 14:55:24 +1000 Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA? 
In-Reply-To: References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> Message-ID: <20161025045524.GI3554@dhcp-40-8.bne.redhat.com> On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: > On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote: > > On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote: > >> Hello, > >> > >> > >> > >> I would like to better understand why IPA requires SAN (subject alternative > >> name) entries to have a backing host record. In order to sign a certificate > >> with a SAN that corresponded to a user-friendly CNAME I had to add a host > >> record (ipa host) for that DNS name (use force option to create without an > >> A/AAAA record) as well as a service principal. > >> > >> > >> > >> I'm sure I'm not alone when I say I don't like doing that because it means > >> that a "Host" in FreeIPA is not a computer, it's a host record that may or > >> may not be the only record that corresponds to a computer. It gets > >> confusing. > >> > >> > >> > >> I assume things are this way to ensure integrity at some level. But I can't > >> picture it. What is the potential danger of simply bypassing the > >> host/principal checks and just signing the certificate with whatever SAN > >> field we like? > >> > > In this specific case, it is because certmonger requests service > > certificates with host credentials. Therefore it is not just human > > administrators issuing certs. And we MUST validate SAN against > > information in the directory (the only "source of truth" available > > to the CA / IPA cert-request command). Otherwise you could put e.g. > > `google.com' into SAN, and we would issue the cert, and that would > > be Very Bad. > > > > In my case it's always human administrators issuing certs. I can see > how validation is a great way to prevent a scenario like the one you > described. 
But couldn't that be accommodated by tinkering with the > roles/privileges so that you could impose the restriction on external, > less-trusted applications but allow a trusted human administrator to > bypass it? > > Admin group by default would be nice. It would be unfortunate if > someone added a service account to the admin group, but I don't see > that as justification for ruling it out. How many other poor security > decisions has someone made already before they decided to add a > service account to the domain admin group? To that I would say that > degree of administrative negligence is not something that the project > should design around. But, I don't work at RedHat and I don't have to > take the support calls so my opinion means nothing. > > But if I'm an admin, enforcing the SAN restriction doesn't prevent me > from doing anything I couldn't already do by creating a couple host > records. It's just making things difficult for admins who ultimately > are securely deploying a service. > The question is not really one of privilege, but sanity. FreeIPA has to make sure that certs issued by it correspond to the CA's view of reality, i.e. what is in the FreeIPA directory, at the time the request is made. IMO to disable these checks for human users with a particular permission is a mistake waiting to happen. Yes, enforcing the restriction forces a human to put to created the needed objects before the cert request will be considered valid. Not a bad thing, IMO. All this said, I think there is a valid RFE in allowing Kerberos principal aliases to be consulted when validating a CSR. This would mean you do not have to create new objects, just add more principal names to the existing one. I filed a ticket: https://fedorahosted.org/freeipa/ticket/6432 Alexander, Simo, what do you think? 
> > The problem is slightly exacerbated in that 99% of the time you > > really want to issue service certs, but FreeIPA does not permit the > > creation of a service entry without a corresponding host entry. So > > you end up with spurious host entries that do not correspond to > > actual hosts. I have previously asked about relaxing this > > restriction. The idea was rejected (for reasons I don't remember). > > To be fair, I don't think I ever read specifically that a Host in IPA > was supposed to represent a single computer. But I imagine that the > majority of people who are using it thought that was the case, at > least at first. I don't think it would take much abstraction to > maintain that logical representation for administrators. > > >> If this actually is a necessity and is not likely to change, I think it > >> would be beneficial to administrators to be able to manage "Hosts" that > >> correspond to CNAMEs (call them "Alias Hosts"? ) separately from Hosts that > >> are actually enrolled computers. They could be managed in a similar fashion > >> to SUDO rules, like maybe: > >> > >> > >> > >> Alias Hosts = a single name > >> > >> Alias Host Groups = groups of names > >> > >> Alias Host Maps = associate Alias Host/Group with a Hosts or Host Groups > >> > >> > >> > >> I'm picturing Alias Hosts and Alias groups as a seperate tab under Identity > >> (and some corresponding "ipa aliashost-*" CLI) and Alias Host Maps tab > >> under policy. > >> > > Now that we have kerberos principal aliases, we might be able to > > leverage that, perhaps even directly for service principals. Any > > devs want to chime in on this idea? > > > > Cheers, > > Fraser From abokovoy at redhat.com Tue Oct 25 05:01:59 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 25 Oct 2016 08:01:59 +0300 Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA? 
In-Reply-To: <20161025045524.GI3554@dhcp-40-8.bne.redhat.com> References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> <20161025045524.GI3554@dhcp-40-8.bne.redhat.com> Message-ID: <20161025050159.i5brtkj5yuxgz636@redhat.com> On ti, 25 loka 2016, Fraser Tweedale wrote: >On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: >> On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote: >> > On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote: >> >> Hello, >> >> >> >> >> >> >> >> I would like to better understand why IPA requires SAN (subject alternative >> >> name) entries to have a backing host record. In order to sign a certificate >> >> with a SAN that corresponded to a user friendly CNAME I had to add a host >> >> record (ipa host) for that DNS name (use force option to create without an >> >> A/AAAA record) as well as a service principle. >> >> >> >> >> >> >> >> I'm sure I'm not alone when I say I don't like doing that because it means >> >> that a "Host" in FreeIPA is not a computer, it's a host record that may or >> >> may not be the only record that corresponds to a computer. It gets >> >> confusing. >> >> >> >> >> >> >> >> I assume things are this way to ensure integrity at some level. But I can't >> >> picture it. What is the potential danger of simply bypassing the >> >> host/principal checks and just signing the certificate with whatever SAN >> >> field we like? >> >> >> > In this specific case, it is because certmonger requests service >> > certificates with host credentials. Therefore it is not just human >> > administrators issuing certs. And we MUST validate SAN against >> > information in the directory (the only "source of truth" available >> > to the CA / IPA cert-request command). Otherwise you could put e.g. >> > `google.com' into SAN, and we would issue the cert, and that would >> > be Very Bad. >> > >> >> In my case it's always human administrators issuing certs. 
I can see >> how validation is a great way to prevent a scenario like the one you >> described. But couldn't that be accommodated by tinkering with the >> roles/privileges so that you could impose the restriction on external, >> less-trusted applications but allow a trusted human administrator to >> bypass it? >> >> Admin group by default would be nice. It would be unfortunate if >> someone added a service account to the admin group, but I don't see >> that as justification for ruling it out. How many other poor security >> decisions has someone made already before they decided to add a >> service account to the domain admin group? To that I would say that >> degree of administrative negligence is not something that the project >> should design around. But, I don't work at RedHat and I don't have to >> take the support calls so my opinion means nothing. >> >> But if I'm an admin, enforcing the SAN restriction doesn't prevent me >> from doing anything I couldn't already do by creating a couple host >> records. It's just making things difficult for admins who ultimately >> are securely deploying a service. >> >The question is not really one of privilege, but sanity. FreeIPA >has to make sure that certs issued by it correspond to the CA's view >of reality, i.e. what is in the FreeIPA directory, at the time the >request is made. IMO to disable these checks for human users with a >particular permission is a mistake waiting to happen. > >Yes, enforcing the restriction forces a human to put to created the >needed objects before the cert request will be considered valid. >Not a bad thing, IMO. > >All this said, I think there is a valid RFE in allowing Kerberos >principal aliases to be consulted when validating a CSR. This would >mean you do not have to create new objects, just add more principal >names to the existing one. I filed a ticket: > >https://fedorahosted.org/freeipa/ticket/6432 > >Alexander, Simo, what do you think? 
Certainly principal aliases should be checked if they were asked to be in SAN. The question is what type of the SAN extension should be considered for them in addition to Kerberos principal. The aliases are stored in their full format (alias at REALM), so either you need to do full match or consider dropping the realm for some types. This needs to be clarified before any implementation happens. -- / Alexander Bokovoy From ftweedal at redhat.com Tue Oct 25 05:48:34 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 25 Oct 2016 15:48:34 +1000 Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA? In-Reply-To: <20161025050159.i5brtkj5yuxgz636@redhat.com> References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> <20161025045524.GI3554@dhcp-40-8.bne.redhat.com> <20161025050159.i5brtkj5yuxgz636@redhat.com> Message-ID: <20161025054834.GJ3554@dhcp-40-8.bne.redhat.com> On Tue, Oct 25, 2016 at 08:01:59AM +0300, Alexander Bokovoy wrote: > On ti, 25 loka 2016, Fraser Tweedale wrote: > > On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: > > > On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote: > > > > On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote: > > > >> Hello, > > > >> > > > >> > > > >> > > > >> I would like to better understand why IPA requires SAN (subject alternative > > > >> name) entries to have a backing host record. In order to sign a certificate > > > >> with a SAN that corresponded to a user friendly CNAME I had to add a host > > > >> record (ipa host) for that DNS name (use force option to create without an > > > >> A/AAAA record) as well as a service principle. > > > >> > > > >> > > > >> > > > >> I'm sure I'm not alone when I say I don't like doing that because it means > > > >> that a "Host" in FreeIPA is not a computer, it's a host record that may or > > > >> may not be the only record that corresponds to a computer. It gets > > > >> confusing. 
> > > >> > > > >> > > > >> > > > >> I assume things are this way to ensure integrity at some level. But I can't > > > >> picture it. What is the potential danger of simply bypassing the > > > >> host/principal checks and just signing the certificate with whatever SAN > > > >> field we like? > > > >> > > > > In this specific case, it is because certmonger requests service > > > > certificates with host credentials. Therefore it is not just human > > > > administrators issuing certs. And we MUST validate SAN against > > > > information in the directory (the only "source of truth" available > > > > to the CA / IPA cert-request command). Otherwise you could put e.g. > > > > `google.com' into SAN, and we would issue the cert, and that would > > > > be Very Bad. > > > > > > > > > > In my case it's always human administrators issuing certs. I can see > > > how validation is a great way to prevent a scenario like the one you > > > described. But couldn't that be accommodated by tinkering with the > > > roles/privileges so that you could impose the restriction on external, > > > less-trusted applications but allow a trusted human administrator to > > > bypass it? > > > > > > Admin group by default would be nice. It would be unfortunate if > > > someone added a service account to the admin group, but I don't see > > > that as justification for ruling it out. How many other poor security > > > decisions has someone made already before they decided to add a > > > service account to the domain admin group? To that I would say that > > > degree of administrative negligence is not something that the project > > > should design around. But, I don't work at RedHat and I don't have to > > > take the support calls so my opinion means nothing. > > > > > > But if I'm an admin, enforcing the SAN restriction doesn't prevent me > > > from doing anything I couldn't already do by creating a couple host > > > records. 
> > > It's just making things difficult for admins who ultimately are securely deploying a service.
> > >
> > The question is not really one of privilege, but sanity. FreeIPA has to make sure that certs issued by it correspond to the CA's view of reality, i.e. what is in the FreeIPA directory, at the time the request is made. IMO to disable these checks for human users with a particular permission is a mistake waiting to happen.
> >
> > Yes, enforcing the restriction forces a human to create the needed objects before the cert request will be considered valid. Not a bad thing, IMO.
> >
> > All this said, I think there is a valid RFE in allowing Kerberos principal aliases to be consulted when validating a CSR. This would mean you do not have to create new objects, just add more principal names to the existing one. I filed a ticket:
> >
> > https://fedorahosted.org/freeipa/ticket/6432
> >
> > Alexander, Simo, what do you think?
> Certainly principal aliases should be checked if they were asked to be in SAN. The question is what type of the SAN extension should be considered for them in addition to Kerberos principal. The aliases are stored in their full format (alias@REALM), so either you need to do full match or consider dropping the realm for some types. This needs to be clarified before any implementation happens.
>
Right, UPN and KRB5PrincipalName can be checked as-is.

We should check dnsNames by affixing around the dnsName the same service type (e.g. `HTTP') and realm as the nominated principal, and looking for that in the aliases. e.g. for nominated principal `HTTP/web.example.com@EXAMPLE.COM', if there is a SAN dnsName `www.example.com', we look for `HTTP/www.example.com@EXAMPLE.COM' in its aliases.

Does this sound reasonable?

No other GeneralName types shall be checked against principal aliases, unless/until we support SRVName.
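The matching rule proposed in the message above, worked through as an added example; it is not part of this thread and not FreeIPA's own code. UPN and KRB5PrincipalName SAN values are compared to the principal's aliases as-is, each dnsName is wrapped in the nominated principal's service type and realm before the lookup, and every other GeneralName type is rejected. The DIRECTORY table, its alias entries and the helper names (split_principal, san_to_alias, validate_san) are constructed stand-ins for the directory lookup, not FreeIPA identifiers; the HTTP/web.example.com principal and www.example.com alias are the thread's own example names.

```python
"""Validate CSR SAN entries against a service principal and its aliases.

Added illustration (not FreeIPA code) of the rule discussed in the thread:
UPN / KRB5PrincipalName SAN values are matched against the aliases as-is,
a dnsName is wrapped in the nominated principal's service type and realm
before the lookup, and any other GeneralName type is rejected.  The
directory lookup is replaced by a constructed in-memory table.
"""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the directory: principal -> krbPrincipalName
# values (canonical name plus aliases).  Hypothetical sample data.
DIRECTORY: Dict[str, List[str]] = {
    "HTTP/web.example.com@EXAMPLE.COM": [
        "HTTP/web.example.com@EXAMPLE.COM",
        "HTTP/www.example.com@EXAMPLE.COM",
    ],
}

# SAN types whose value is itself a principal name and is matched as-is.
PRINCIPAL_SAN_TYPES = {"upn", "krb5principalname"}


def split_principal(principal: str) -> Tuple[str, str, str]:
    """Split 'service/host@REALM' into (service, host, realm); reject other shapes."""
    name, at, realm = principal.rpartition("@")
    if not at or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    service, slash, host = name.partition("/")
    if not slash or not service or not host:
        raise ValueError(f"principal is not in service/host form: {principal!r}")
    return service, host, realm


def san_to_alias(san_type: str, value: str, service: str, realm: str) -> Optional[str]:
    """Return the alias a SAN entry must match, or None if that type is never checked."""
    kind = san_type.lower()
    if kind in PRINCIPAL_SAN_TYPES:
        return value
    if kind == "dnsname":
        # Affix the nominated principal's service type and realm around the DNS name.
        return f"{service}/{value}@{realm}"
    return None  # iPAddress, rfc822Name, URI, SRVName, ...: not checked against aliases


def validate_san(nominated: str, san_entries, directory=DIRECTORY):
    """Decide whether every SAN entry is backed by the nominated principal.

    Returns (accept, verdicts): one verdict string per SAN entry.  Any entry
    that cannot be matched rejects the whole request, which is the
    conservative behaviour the thread argues for.
    """
    aliases = directory.get(nominated)
    if aliases is None:
        return False, [f"nominated principal {nominated} is not in the directory"]
    service, _host, realm = split_principal(nominated)
    known = set(aliases)
    accept = True
    verdicts = []
    for san_type, value in san_entries:
        wanted = san_to_alias(san_type, value, service, realm)
        if wanted is None:
            accept = False
            verdicts.append(f"{san_type}={value}: type not checked against aliases, reject")
        elif wanted in known:
            verdicts.append(f"{san_type}={value}: matches alias {wanted}")
        else:
            accept = False
            verdicts.append(f"{san_type}={value}: no alias {wanted}, reject")
    return accept, verdicts


if __name__ == "__main__":
    principal = "HTTP/web.example.com@EXAMPLE.COM"
    for csr_san in (
        [("dnsName", "web.example.com"), ("dnsName", "www.example.com")],
        [("dnsName", "google.com")],
        [("krb5PrincipalName", "HTTP/www.example.com@EXAMPLE.COM"), ("iPAddress", "192.0.2.10")],
    ):
        ok, why = validate_san(principal, csr_san)
        print("ACCEPT" if ok else "REJECT", "|", "; ".join(why))
```

The lookup is an exact string match on the stored alias, which is Alexander's "full match" option; dropping the realm for some SAN types would be a deliberate relaxation and is not done here.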
Cheers,
Fraser

From dkupka at redhat.com Tue Oct 25 05:50:05 2016
From: dkupka at redhat.com (David Kupka)
Date: Tue, 25 Oct 2016 07:50:05 +0200
Subject: [Freeipa-users] Certmonger (or similar) for FreeBSD?
In-Reply-To: References: <20F48E91-A587-4A82-9775-6E56528E2D7E@omnigroup.com> <552b65a2-5731-498a-1d61-7fe158695695@redhat.com>
Message-ID: <63a4bfd5-4d2d-fea0-9b55-7e342331317a@redhat.com>

On 24/10/16 19:26, Gilbert Wilson wrote:
>
>> On Oct 24, 2016, at 5:51 AM, David Kupka wrote:
>>
>> On 22/10/16 00:15, Gilbert Wilson wrote:
>>> We have a lot of FreeBSD systems that I would like to streamline certificate issuance and renewal. Ideally, we could leverage our FreeIPA system's CA to do this. But, certmonger doesn't run on FreeBSD (or does it?). What other means have other people tried, or would you recommend investigating, to enable automated certificate issuance and renewal for FreeBSD FreeIPA clients?
>>>
>>> Any pointers are appreciated!
>>>
>>> Gil
>>>
>>
>> Hello Gil!
>>
>> I've very limited experiences with *BSD systems so the question may be completely off.
>> Have you tried to install and run certmonger using FreeBSD's Linux Binary Compatibility [1]? Though I don't know what are the limitations or possible issues it could be a way.
>>
>> [1] http://www.freebsd.cz/doc/handbook/linuxemu.html
>>
>> --
>> David Kupka
>
>
> You know? I haven't ever tried LBC! I suppose it's worth a sacrificial virtual machine to see if it works. It also occurred to me that FreeIPA might have some sort of API given the web interface, and sure enough that made the Google-fu turn up more useful results.
>
> * https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
> * https://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> * http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA
>
> There doesn't appear to be a manual for the API but those examples seem to "show the way".
> My initial thought is to create a script that uses kinit with a keytab to authenticate against FreeIPA and then create/renew permissible certificates for the system before they expire. This seems reasonable since the certificate creation/renewal is the scope of what I'm interested in doing. Do you see any reason not to do it this way or have any other alternative suggestions? Another way to think about it, perhaps, is what would you do on a Linux system if you didn't have access to the FreeIPA client or certmonger?
>
> Thanks for the pointer/reminder about LBC!
>
> Gil
>
>

You're right, FreeIPA has JSON RPC API. It's used in WebUI and also in 'ipa' CLI. If you've FreeIPA server 4.2 and above there's API Browser in WebUI (IPA Server - API Browser). There you can find all commands and their parameters.

Just obligatory disclaimer, talking directly to the API is not officially supported. This means that the API can change in future versions.

Good luck!

--
David Kupka

From abokovoy at redhat.com Tue Oct 25 06:02:48 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 25 Oct 2016 09:02:48 +0300
Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?
In-Reply-To: <20161025054834.GJ3554@dhcp-40-8.bne.redhat.com> References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> <20161025045524.GI3554@dhcp-40-8.bne.redhat.com> <20161025050159.i5brtkj5yuxgz636@redhat.com> <20161025054834.GJ3554@dhcp-40-8.bne.redhat.com> Message-ID: <20161025060248.xeohsgr6yzffeut3@redhat.com> On ti, 25 loka 2016, Fraser Tweedale wrote: >On Tue, Oct 25, 2016 at 08:01:59AM +0300, Alexander Bokovoy wrote: >> On ti, 25 loka 2016, Fraser Tweedale wrote: >> > On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: >> > > On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote: >> > > > On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote: >> > > >> Hello, >> > > >> >> > > >> >> > > >> >> > > >> I would like to better understand why IPA requires SAN (subject alternative >> > > >> name) entries to have a backing host record. In order to sign a certificate >> > > >> with a SAN that corresponded to a user friendly CNAME I had to add a host >> > > >> record (ipa host) for that DNS name (use force option to create without an >> > > >> A/AAAA record) as well as a service principle. >> > > >> >> > > >> >> > > >> >> > > >> I'm sure I'm not alone when I say I don't like doing that because it means >> > > >> that a "Host" in FreeIPA is not a computer, it's a host record that may or >> > > >> may not be the only record that corresponds to a computer. It gets >> > > >> confusing. >> > > >> >> > > >> >> > > >> >> > > >> I assume things are this way to ensure integrity at some level. But I can't >> > > >> picture it. What is the potential danger of simply bypassing the >> > > >> host/principal checks and just signing the certificate with whatever SAN >> > > >> field we like? >> > > >> >> > > > In this specific case, it is because certmonger requests service >> > > > certificates with host credentials. Therefore it is not just human >> > > > administrators issuing certs. 
And we MUST validate SAN against >> > > > information in the directory (the only "source of truth" available >> > > > to the CA / IPA cert-request command). Otherwise you could put e.g. >> > > > `google.com' into SAN, and we would issue the cert, and that would >> > > > be Very Bad. >> > > > >> > > >> > > In my case it's always human administrators issuing certs. I can see >> > > how validation is a great way to prevent a scenario like the one you >> > > described. But couldn't that be accommodated by tinkering with the >> > > roles/privileges so that you could impose the restriction on external, >> > > less-trusted applications but allow a trusted human administrator to >> > > bypass it? >> > > >> > > Admin group by default would be nice. It would be unfortunate if >> > > someone added a service account to the admin group, but I don't see >> > > that as justification for ruling it out. How many other poor security >> > > decisions has someone made already before they decided to add a >> > > service account to the domain admin group? To that I would say that >> > > degree of administrative negligence is not something that the project >> > > should design around. But, I don't work at RedHat and I don't have to >> > > take the support calls so my opinion means nothing. >> > > >> > > But if I'm an admin, enforcing the SAN restriction doesn't prevent me >> > > from doing anything I couldn't already do by creating a couple host >> > > records. It's just making things difficult for admins who ultimately >> > > are securely deploying a service. >> > > >> > The question is not really one of privilege, but sanity. FreeIPA >> > has to make sure that certs issued by it correspond to the CA's view >> > of reality, i.e. what is in the FreeIPA directory, at the time the >> > request is made. IMO to disable these checks for human users with a >> > particular permission is a mistake waiting to happen. 
>> > >> > Yes, enforcing the restriction forces a human to put to created the >> > needed objects before the cert request will be considered valid. >> > Not a bad thing, IMO. >> > >> > All this said, I think there is a valid RFE in allowing Kerberos >> > principal aliases to be consulted when validating a CSR. This would >> > mean you do not have to create new objects, just add more principal >> > names to the existing one. I filed a ticket: >> > >> > https://fedorahosted.org/freeipa/ticket/6432 >> > >> > Alexander, Simo, what do you think? >> Certainly principal aliases should be checked if they were asked to be >> in SAN. The question is what type of the SAN extension should be >> considered for them in addition to Kerberos principal. The aliases are >> stored in their full format (alias at REALM), so either you need to do full >> match or consider dropping the realm for some types. This needs to be >> clarified before any implementation happens. >> >Right, UPN and KR5PrincipalName can be checked as-is. > >We should check dnsNames by affixing around the dnsName the same >service type (e.g. `HTTP') and realm as the nominated principal, and >looking for that in the aliases. e.g. for nominated principal >`HTTP/web.example.com at EXAMPLE.COM', if there is a SAN dnsName >`www.example.com', we look for `HTTP/www.example.com at EXAMPLE.COM' in >its aliases. > >Does this sound reasonable? > >No other GeneralName types shall be checked against principal >aliases, unless/until we support SRVName. Sounds reasonable for me, thanks. -- / Alexander Bokovoy From dkupka at redhat.com Tue Oct 25 07:29:34 2016 From: dkupka at redhat.com (David Kupka) Date: Tue, 25 Oct 2016 09:29:34 +0200 Subject: [Freeipa-users] Do expired passwords remain usable indefinitely? In-Reply-To: References: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com> Message-ID: On 25/10/16 01:02, Prasun Gera wrote: > I've seen some different behaviour. 
> I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts? I don't remember setting it anywhere.
>
> On Mon, Oct 24, 2016 at 8:13 AM, David Kupka wrote:
>
>> On 21/10/16 15:17, Brian Candler wrote:
>>
>>> Question: when a password expires, does it remain in a usable state in the database indefinitely? For example, if someone comes along a year after their password has expired, can they still login once with that password?
>>>
>>> This is actually what I want, but I just want to confirm there's not some sort of secondary threshold which means that an expired password is not usable X days after it has expired. Or, if there is such a secondary threshold, where I can find it.
>>>
>>> The scenario is a RADIUS server for wifi which reads NTLM password hashes out of the database to authenticate - this continues to work after expiry. However I want users to be able to do a self-reset later if and when they want to.
>>>
>>> Thanks,
>>>
>>> Brian.
>>>
>> Hello Brian!
>>
>> AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP and do the validation locally. So FreeIPA has no way to say the password is expired.
>> When the user tries to obtain Kerberos ticket he will be forced to change the password and NTLM hash will be also regenerated.
>>
>> --
>> David Kupka
>>
>
Hello Prasun!

If I understood Brian correctly he was asking about expiration of NTLM password hashes. In his case there is no checking for password or account expiration. It would need to be done in RADIUS server itself because RADIUS server just fetches the attributes from LDAP and does whatever it is programmed to do.

The situation that you're describing looks weird to me. When user's Kerberos Password expires kinit and WebUI force a password change on the next login attempt. I don't know how ssh client behaves. When user's Kerberos Principal ("account") expires neither WebUI nor kinit would allow login or password change. Administrator must prolong or remove the Kerberos Principal expiration.

By default Kerberos Password expiration is set according to the relevant password policy (global_policy by default) and Kerberos Principal expiration is not set.

--
David Kupka

From b.candler at pobox.com Tue Oct 25 07:54:37 2016
From: b.candler at pobox.com (Brian Candler)
Date: Tue, 25 Oct 2016 08:54:37 +0100
Subject: [Freeipa-users] Do expired passwords remain usable indefinitely?
In-Reply-To: References: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com>
Message-ID: <80c682d3-499d-3972-1420-cf7cc1f8e707@pobox.com>

On 25/10/2016 00:02, Prasun Gera wrote:
> I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts? I don't remember setting it anywhere.

By "account expiration" do you mean the "--principal-expiration" option to ipa user-xxx? Or is there another setting?
Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants

$ egrep '\b13\b' /usr/include/security/*pam*
/usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN 13
/usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /* User account has expired */
/usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */

This to me implies it's not looking at the krbPasswordExpiration attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for that instead.

For me, pam_sss seems to handle expiry correctly. For example if I reset an account password (which in turn causes it to expire immediately), and then someone logs in with their ssh private key, and subsequently does "sudo", sudo prompts them for the password, tells them it has expired, but gives them the opportunity to change it.

However it's not impossible that the PAM module has some buried logic, e.g. it refuses to use a password which expired more than X days ago. That was the reason for my original question. I guess I should try setting some expiry date way in the past.

The other thing is to look in the source code for pam_sss to see under which conditions it returns PAM_ACCT_EXPIRED. The answer is: when it gets ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn is when we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is "Client's entry in database has expired".

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html

But as has already been said - if the *principal* has expired you shouldn't be able to login with kinit at all.

Regards,

Brian.

From bahanw042014 at gmail.com Tue Oct 25 08:27:24 2016
From: bahanw042014 at gmail.com (bahan w)
Date: Tue, 25 Oct 2016 10:27:24 +0200
Subject: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired) Message-ID: Hello everyone ! I have an ipa server and an ipa client both in 3.0.0-47. In order to connect via SSH to the host of the ipa-client, I use root. When I'm connected to the ipa-client via ssh being root, I do a kinit of a user with a keytab : ### kinit -kt /etc/security/keytabs/.headless.keytab ### And sometimes, once I have the TGT, when I do just an ipa user-show, I got the following error : ### ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) ### When I check the ticket, it is not expired : ### # klist Ticket cache: FILE:/tmp/krb5cc_root_ Default principal: @ Valid starting Expires Service principal 10/25/16 10:00:44 10/26/16 10:00:44 krbtgt/@ ### Do you know from where it can come and how I can solve this error please ? Here is more information with the debug option : ### ipa -d user-show ### Result : ### ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'... 
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' ipa: DEBUG: importing plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:@
ipa: DEBUG: stdout=44063864

ipa: DEBUG: stderr=
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session=26a7252e4853374fc7439eae5926c584;'
ipa: INFO: trying https:///ipa/session/xml
ipa: DEBUG: Created connection context.xmlclient
ipa: DEBUG: raw: user_show(u'', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: DEBUG: user_show(u'', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
ipa: INFO: Forwarding 'user_show' to server u'https:///ipa/session/xml'
ipa: DEBUG: NSSConnection init
ipa: DEBUG: Connecting: 10.79.28.51:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
    Version: 3 (0x2)
    Serial Number: 10 (0xa)
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Issuer: CN=Certificate Authority,O=
    Validity:
        Not Before: Mon Nov 23 13:01:37 2015 UTC
        Not After: Thu Nov 23 13:01:37 2017 UTC
    Subject: CN=,O=
    Subject Public Key Info:
        Public Key Algorithm:
            Algorithm: PKCS #1 RSA Encryption
        RSA Public Key:
            Modulus:
            Exponent:
                65537 (0x10001)
    Signed Extensions: (5 total)
        Name: Certificate Authority Key Identifier
        Critical: False
        Key ID:
            39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50:
            f7:7f:85:85
        Serial Number: None
        General Names: [0 total]

        Name: Authority Information Access
        Critical: False
        Authority Information Access: [1 total]
            Info [1]:
                Method: PKIX Online Certificate Status Protocol
                Location: URI: http://:80/ca/ocsp

        Name: Certificate Key Usage
        Critical: True
        Usages:
            Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

        Name: Extended Key Usage
        Critical: False
        Usages:
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

        Name: Certificate Subject Key ID
        Critical: False
        Data:
            30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1:
            ad:84:68:8b

Signature:
    Signature Algorithm:
        Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
Fingerprint (MD5):
    7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53
Fingerprint (SHA1):
    2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90:
    75:81:d5:0b
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=,O="
ipa: DEBUG: handshake complete, peer = :443
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: Caught fault 2100 from server https:///ipa/session/xml: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
###

Any guidance about where it can come from or what to do ?

From the ipa-server, in the krb5kdc.log, I found sometimes this kind of message :
###
Oct 25 09:59:37 krb5kdc[30767](info): ... CONSTRAINED-DELEGATION s4u-client=@
Oct 25 09:59:37 krb5kdc[30767](info): ... CONSTRAINED-DELEGATION s4u-client=@
###

Best regards.

Bahan

From b.candler at pobox.com  Tue Oct 25 08:46:14 2016
From: b.candler at pobox.com (Brian Candler)
Date: Tue, 25 Oct 2016 09:46:14 +0100
Subject: [Freeipa-users] Do expired passwords remain usable indefinitely?
In-Reply-To: 
References: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com>
Message-ID: <2bc866ce-433b-9dda-e38a-868b036a569c@pobox.com>

On 25/10/2016 08:29, David Kupka wrote:
> If I understood Brian correctly he was asking about expiration of NTLM
> password hashes.

Partly. As long as the hash remains in the database and is readable via LDAP, I know it will continue to work for authentication.

However I was also asking whether a long-expired password would prevent a user from logging into the webUI or obtaining a kerberos ticket.

Scenario is: a user who is mostly wireless-only, who very rarely uses IPA for anything else. Their password expires, and they never notice because it keeps working.
However, (say) a year later, they decide to login to IPA for some reason - maybe because they've decided it's time to change their wireless password. Will their old expired password still be usable for this? I'm hoping it would simply tell them that the account has expired and force a password change.

Aside: I realise there are other ways I can handle this. Perhaps I *should* make passwords expire for wireless too, by checking the krbPasswordExpiration field in the RADIUS server. But then I need some way to warn people that their passwords are about to expire and give them an opportunity to change it - e.g. by mailing out a warning a couple of weeks before it does.

Regards,

Brian.

From prasun.gera at gmail.com  Tue Oct 25 09:07:11 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 25 Oct 2016 05:07:11 -0400
Subject: [Freeipa-users] Do expired passwords remain usable indefinitely?
In-Reply-To: <80c682d3-499d-3972-1420-cf7cc1f8e707@pobox.com>
References: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com> <80c682d3-499d-3972-1420-cf7cc1f8e707@pobox.com>
Message-ID: 

David & Brian,

I'm familiar with the usual password expiration message that shows up which forces you to change the password. I've seen that before. However, I didn't see it this time, which is odd. Since I was able to kinit, I reset the password, and it started working again. I don't have an account in this failed state currently, but is it possible to force password expiration in order to reproduce this again ? Something like "ipa user-mod myuser --setattr=krbpasswordexpiration=" should work, right ?

On Tue, Oct 25, 2016 at 3:54 AM, Brian Candler wrote:

> On 25/10/2016 00:02, Prasun Gera wrote:
>
> I've seen some different behaviour. I've had errors for users (including
> the admin user) trying to log in with possibly an expired password. Both
> webui and ssh would fail, but kinit would work. I'm not sure if this is
> related to the password's expiration or the account's expiration.
> My
> /var/log/secure has messages like "pam_sss(sshd:auth): received for user
> uname: 13 (User account has expired)". Is there a setting for default
> expiration of user accounts ? I don't remember setting it anywhere.
>
> By "account expiration" do you mean the "--principal-expiration" option to
> ipa user-xxx? Or is there another setting?
>
> Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants
>
> $ egrep '\b13\b' /usr/include/security/*pam*
> /usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN 13
> /usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /* User account has expired */
> /usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */
>
> This to me implies it's not looking at the krbPasswordExpiration
> attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for
> that instead.
>
> For me, pam_sss seems to handle expiry correctly. For example if I reset
> an account password (which in turn causes it to expire immediately), and
> then someone logs in their ssh private key, and subsequently does "sudo",
> sudo prompts them for the password, tells them it has expired, but gives
> them the opportunity to change it.
>
> However it's not impossible that the PAM module has some buried logic,
> e.g. it refuses to use a password which expired more than X days ago. That
> was the reason for my original question. I guess I should try setting some
> expiry date way in the past.
>
> The other thing is to look in the source code for pam_sss to see under
> which conditions it returns PAM_ACCT_EXPIRED. The answer is: when it gets
> ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn is when
> we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is "Client's entry
> in database has expired".
>
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html
>
> But as has already been said - if the *principal* has expired you
> shouldn't be able to login with kinit at all.
>
> Regards,
>
> Brian.
>

From b.candler at pobox.com  Tue Oct 25 09:20:57 2016
From: b.candler at pobox.com (Brian Candler)
Date: Tue, 25 Oct 2016 10:20:57 +0100
Subject: [Freeipa-users] Do expired passwords remain usable indefinitely?
In-Reply-To: <2bc866ce-433b-9dda-e38a-868b036a569c@pobox.com>
References: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com> <2bc866ce-433b-9dda-e38a-868b036a569c@pobox.com>
Message-ID: 

Looking in MIT krb5 source:

$ grep -R ERR_NAME_EXP .
./src/include/k5-int.h:#define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
./src/kdc/kdc_util.c: return(KDC_ERR_NAME_EXP);
./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP, "Client's entry in database has expired"

There appears to be only one case where NAME_EXP is returned: when the client.expiration field is passed (not client.pw_expiration)

The fields are defined in krb5_db_entry in src/include/kdb.h:

    krb5_timestamp expiration;    /* When the client expires */
    krb5_timestamp pw_expiration; /* When its passwd expires */

I think "expiration" must equate to the "principal expiration" in IPA. But only regular password expiry would give you the option of changing it.

Regards,

Brian.

=== from src/kdc/kdc_util.c ===

    /* The client must not be expired */
    if (client.expiration && client.expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_NAME_EXP);
    }

    /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
    if (client.pw_expiration && client.pw_expiration < kdc_time &&
        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_KEY_EXP);
    }

From prasun.gera at gmail.com  Tue Oct 25 09:50:15 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 25 Oct 2016 05:50:15 -0400
Subject: [Freeipa-users] Do expired passwords remain usable indefinitely?
In-Reply-To: 
References: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com> <2bc866ce-433b-9dda-e38a-868b036a569c@pobox.com>
Message-ID: 

>
> There appears to be only one case where NAME_EXP is returned: when the
> client.expiration field is passed (not client.pw_expiration)
>
> I think "expiration" must equate to the "principal expiration" in IPA. But
> only regular password expiry would give you the option of changing it.
>
>
Thanks Brian. Can you explain a bit more ? When is principal expiration triggered ? I haven't set it explicitly for any user, and ipa user-show doesn't show that attribute either. I'm not very familiar with kerberos. And as you and David said earlier, if the principal expires, kinit shouldn't work either, right ?

> Regards,
>
> Brian.
>
> === from src/kdc/kdc_util.c ===
>
>     /* The client must not be expired */
>     if (client.expiration && client.expiration < kdc_time) {
>         *status = "CLIENT EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_NAME_EXP);
>     }
>
>     /* The client's password must not be expired, unless the server is
>        a KRB5_KDC_PWCHANGE_SERVICE. */
>     if (client.pw_expiration && client.pw_expiration < kdc_time &&
>         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
>         *status = "CLIENT KEY EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_KEY_EXP);
>     }
>
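To make the two kdc_util.c checks Brian quotes above concrete, here is an added model of them in Python (example code, not from the thread and not MIT's code). It parses the LDAP GeneralizedTime Brian wrote into krbPasswordExpiration, runs both checks, and reports whether the result is the account-expired case (NAME_EXP, logged by pam_sss as code 13) or the password-expired case (KEY_EXP), which is the only one that offers a password change. The numeric values of KDC_ERR_KEY_EXP (23) and KRB_ERR_GENERIC (60) are taken from RFC 4120 and are not on the page; the KRB5_KDB_PWCHANGE_SERVICE flag is modelled as a boolean.

```python
from datetime import datetime, timezone

# Error codes: KDC_ERR_NAME_EXP and PAM_ACCT_EXPIRED are the values quoted in
# the thread; KDC_ERR_KEY_EXP and KRB_ERR_GENERIC are the RFC 4120 values.
KDC_ERR_NAME_EXP = 1      # "Client's entry in database has expired"
KDC_ERR_KEY_EXP = 23      # password (key) expired
KRB_ERR_GENERIC = 60      # returned instead when vague_errors is set
PAM_ACCT_EXPIRED = 13     # what /var/log/secure showed for NAME_EXP


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20010101000000Z' (the value
    Brian set with ldapmodify) into an aware UTC datetime.  Only the
    whole-second Zulu form used for krbPasswordExpiration is handled."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def kdc_client_checks(client_expiration, client_pw_expiration, kdc_time,
                      server_is_pwchange_service=False, vague_errors=False):
    """Model of the two checks quoted from src/kdc/kdc_util.c.

    Timestamps are aware datetimes or None; None stands in for the zero
    krb5_timestamp that the C code treats as 'not set'.  Returns
    (status, error_code); status is None when both checks pass."""
    # First check: the principal itself ("principal expiration" in IPA).
    if client_expiration is not None and client_expiration < kdc_time:
        return "CLIENT EXPIRED", (KRB_ERR_GENERIC if vague_errors
                                  else KDC_ERR_NAME_EXP)
    # Second check: the password, skipped when the requested service is the
    # password-change service, which is how an expired password can still be
    # changed.
    if (client_pw_expiration is not None
            and client_pw_expiration < kdc_time
            and not server_is_pwchange_service):
        return "CLIENT KEY EXPIRED", (KRB_ERR_GENERIC if vague_errors
                                      else KDC_ERR_KEY_EXP)
    return None, 0


def describe_outcome(error_code):
    """What the client side sees, as reconstructed in the thread: NAME_EXP is
    surfaced by pam_sss as PAM_ACCT_EXPIRED with no password-change offer;
    KEY_EXP is an ordinary password expiry, for which sudo/ssh offered a
    password change in Brian's test."""
    if error_code == KDC_ERR_NAME_EXP:
        return {"kdc_error": "KDC_ERR_NAME_EXP", "pam_code": PAM_ACCT_EXPIRED,
                "password_change_offered": False}
    if error_code == KDC_ERR_KEY_EXP:
        return {"kdc_error": "KDC_ERR_KEY_EXP", "pam_code": None,
                "password_change_offered": True}
    return {"kdc_error": None, "pam_code": None, "password_change_offered": False}


def brian_test(kdc_time=None):
    """Brian's ldapmodify experiment: krbPasswordExpiration set to 2001-01-01,
    no principal expiration, ordinary service requested (sudo)."""
    if kdc_time is None:
        kdc_time = parse_generalized_time("20161025100000Z")  # constructed
    return kdc_client_checks(None, parse_generalized_time("20010101000000Z"),
                             kdc_time)


if __name__ == "__main__":
    status, code = brian_test()
    print(status, code, describe_outcome(code))
```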
From rcritten at redhat.com  Tue Oct 25 10:01:31 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 25 Oct 2016 12:01:31 +0200
Subject: [Freeipa-users] Certmonger (or similar) for FreeBSD?
In-Reply-To: <63a4bfd5-4d2d-fea0-9b55-7e342331317a@redhat.com>
References: <20F48E91-A587-4A82-9775-6E56528E2D7E@omnigroup.com> <552b65a2-5731-498a-1d61-7fe158695695@redhat.com> <63a4bfd5-4d2d-fea0-9b55-7e342331317a@redhat.com>
Message-ID: <580F2D7B.9090700@redhat.com>

David Kupka wrote:
> On 24/10/16 19:26, Gilbert Wilson wrote:
>>
>>> On Oct 24, 2016, at 5:51 AM, David Kupka wrote:
>>>
>>> On 22/10/16 00:15, Gilbert Wilson wrote:
>>>> We have a lot of FreeBSD systems that I would like to streamline
>>>> certificate issuance and renewal. Ideally, we could leverage our
>>>> FreeIPA system's CA to do this. But, certmonger doesn't run on
>>>> FreeBSD (or does it?). What other means have other people tried, or
>>>> would you recommend investigating, to enable automated certificate
>>>> issuance and renewal for FreeBSD FreeIPA clients?
>>>>
>>>> Any pointers are appreciated!
>>>>
>>>> Gil
>>>>
>>>
>>> Hello Gil!
>>>
>>> I've very limited experiences with *BSD systems so the question may
>>> be completely off.
>>> Have you tried to install and run certmonger using FreeBSD's Linux
>>> Binary Compatibility [1]? Though I don't know what are the
>>> limitations or possible issues it could be a way.
>>>
>>> [1] http://www.freebsd.cz/doc/handbook/linuxemu.html
>>>
>>> --
>>> David Kupka
>>
>>
>> You know? I haven't ever tried LBC! I suppose it's worth a sacrificial
>> virtual machine to see if it works. It also occurred to me that
>> FreeIPA might have some sort of API given the web interface, and sure
>> enough that made the Google-fu turn up more useful results.
>>
>> * https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>> * https://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>> * http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA
>>
>> There doesn't appear to be a manual for the API but those examples
>> seem to "show the way". My initial thought is to create a script that
>> uses kinit with a keytab to authenticate against FreeIPA and then
>> create/renew permissible certificates for the system before they
>> expire. This seems reasonable since the certificate creation/renewal
>> is the scope of what I'm interested in doing. Do you see any reason
>> not to do it this way or have any other alternative suggestions?
>> Another way to think about it, perhaps, is what would you do on a
>> Linux system if you didn't have access to the FreeIPA client or
>> certmonger?
>>
>> Thanks for the pointer/reminder about LBC!
>>
>> Gil
>>
>>
>>
>
> You're right, FreeIPA has JSON RPC API. It's used in WebUI and also in
> 'ipa' CLI. If you've FreeIPA server 4.2 and above there's API Browser in
> WebUI (IPA Server - API Browser). There you can find all commands and
> their parameters.
> Just obligatory disclaimer, talking directly to the API is not
> officially supported. This means that the API can change in future
> versions.
>
> Good luck!

And this is sort of reinventing the wheel. certmonger uses the API already.

Have you tried building certmonger on BSD? It should be pretty portable C code, it just might require installing additional dependencies like libcurl (with GSSAPI support) and probably a few others.

You'd also need to manually configure Kerberos, get a keytab for it and create a basic /etc/ipa/default.conf.

rob

From b.candler at pobox.com  Tue Oct 25 10:02:40 2016
From: b.candler at pobox.com (Brian Candler)
Date: Tue, 25 Oct 2016 11:02:40 +0100
Subject: [Freeipa-users] Do expired passwords remain usable indefinitely?
In-Reply-To: 
References: <53b3aea2-8470-7110-c3db-3733b0e3a539@redhat.com> <2bc866ce-433b-9dda-e38a-868b036a569c@pobox.com>
Message-ID: <07b528af-80c0-4b76-40ea-c86384e878e4@pobox.com>

On 25/10/2016 10:50, Prasun Gera wrote:
> When is principal expiration triggered ? I haven't set it explicitly
> for any user, and ipa user-show doesn't show that attribute either.
> I'm not very familiar with kerberos.

It doesn't show it unless it has been set. You can set it like this:

# ipa help user-mod
...
  --principal-expiration=DATETIME
                        Kerberos principal expiration

(This is from IPA under CentOS 7. Older versions might not have this feature at all).

> And as you and David said earlier, if the principal expires, kinit
> shouldn't work either, right ?

Yes I agree.

I have just tried setting krbPasswordExpiration to a very old time, using ldapmodify.

# ldapmodify -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 20010101000000Z
-
^D

But this works for me:

$ sudo -s
[sudo] password for bcandler:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
New password:
Retype new password:
#

But actually, I didn't try the web UI with an expired password yet. I'll try that later.

Regards,

Brian.

From mbabinsk at redhat.com  Tue Oct 25 10:18:38 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 25 Oct 2016 12:18:38 +0200
Subject: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
In-Reply-To: 
References: 
Message-ID: 

On 10/25/2016 10:27 AM, bahan w wrote:
> Hello everyone !
>
> I have an ipa server and an ipa client both in 3.0.0-47.
>
> In order to connect via SSH to the host of the ipa-client, I use root.
> When I'm connected to the ipa-client via ssh being root, I do a kinit of
> a user with a keytab :
> ###
> kinit -kt /etc/security/keytabs/.headless.keytab
> ###
>
> And sometimes, once I have the TGT, when I do just an ipa user-show, I
> got the following error :
> ###
> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more information
> (Ticket expired)
> ###
>
> When I check the ticket, it is not expired :
> ###
> # klist
> Ticket cache: FILE:/tmp/krb5cc_root_
> Default principal: @
>
> Valid starting     Expires            Service principal
> 10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
> ###
>
> Do you know from where it can come and how I can solve this error please ?
>
> Here is more information with the debug option :
> ###
> ipa -d user-show
> ###
>
> Result :
> ###
> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: args=klist -V
> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:@
> ipa: DEBUG: stdout=44063864
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: args=keyctl pipe 44063864
> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa: DEBUG: found session_cookie in persistent storage for principal '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
> ipa: DEBUG: setting session_cookie into context 'ipa_session=26a7252e4853374fc7439eae5926c584;'
> ipa: INFO: trying https:///ipa/session/xml
> ipa: DEBUG: Created connection context.xmlclient
> ipa: DEBUG: raw: user_show(u'', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
> ipa: DEBUG: user_show(u'', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
> ipa: INFO: Forwarding 'user_show' to server u'https:///ipa/session/xml'
> ipa: DEBUG: NSSConnection init
> ipa: DEBUG: Connecting: 10.79.28.51:0
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
>     Version: 3 (0x2)
>     Serial Number: 10 (0xa)
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Issuer: CN=Certificate Authority,O=
>     Validity:
>         Not Before: Mon Nov 23 13:01:37 2015 UTC
>         Not After: Thu Nov 23 13:01:37 2017 UTC
>     Subject: CN=,O=
>     Subject Public Key Info:
>         Public Key Algorithm:
>             Algorithm: PKCS #1 RSA Encryption
>         RSA Public Key:
>             Modulus:
>             Exponent:
>                 65537 (0x10001)
>     Signed Extensions: (5 total)
>         Name: Certificate Authority Key Identifier
>         Critical: False
>         Key ID:
>             39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50:
>             f7:7f:85:85
>         Serial Number: None
>         General Names: [0 total]
>
>         Name: Authority Information Access
>         Critical: False
>         Authority Information Access: [1 total]
>             Info [1]:
>                 Method: PKIX Online Certificate Status Protocol
>                 Location: URI: http://:80/ca/ocsp
>
>         Name: Certificate Key Usage
>         Critical: True
>         Usages:
>             Digital Signature
>             Non-Repudiation
>             Key Encipherment
>             Data Encipherment
>
>         Name: Extended Key Usage
>         Critical: False
>         Usages:
>             TLS Web Server Authentication Certificate
>             TLS Web Client Authentication Certificate
>
>         Name: Certificate Subject Key ID
>         Critical: False
>         Data:
>             30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1:
>             ad:84:68:8b
>
> Signature:
>     Signature Algorithm:
>         Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Signature:
> Fingerprint (MD5):
>     7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53
> Fingerprint (SHA1):
>     2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90:
>     75:81:d5:0b
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for "CN=,O="
> ipa: DEBUG: handshake complete, peer = :443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
> ipa: DEBUG: Caught fault 2100 from server https:///ipa/session/xml: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> ###
>
> Any guidance about where it can come from or what to do ?
>
> From the ipa-server, in the krb5kdc.log, I found sometimes this kind of
> message :
> ###
> Oct 25 09:59:37 krb5kdc[30767](info): ... CONSTRAINED-DELEGATION s4u-client=@
> Oct 25 09:59:37 krb5kdc[30767](info): ... CONSTRAINED-DELEGATION s4u-client=@
> ###
>
> Best regards.
>
> Bahan
>
>

I would firstly check the time difference between client and IPA server. If the time skew is too great all sorts of errors can pop up regarding Kerberos authentication.

I would also check /var/log/http/error_log and /var/log/dirsrv/slapd-/errors for additional info. I suspect there is something wrong with the keytab of HTTP principal on the IPA server.

-- 
Martin^3 Babinsky

From abokovoy at redhat.com  Tue Oct 25 10:24:19 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 25 Oct 2016 13:24:19 +0300
Subject: [Freeipa-users] Certmonger (or similar) for FreeBSD?
In-Reply-To: <580F2D7B.9090700@redhat.com>
References: <20F48E91-A587-4A82-9775-6E56528E2D7E@omnigroup.com> <552b65a2-5731-498a-1d61-7fe158695695@redhat.com> <63a4bfd5-4d2d-fea0-9b55-7e342331317a@redhat.com> <580F2D7B.9090700@redhat.com>
Message-ID: <20161025102419.dnamcluaznl2mj7i@redhat.com>

On Tue, 25 Oct 2016, Rob Crittenden wrote:
>David Kupka wrote:
>>On 24/10/16 19:26, Gilbert Wilson wrote:
>>>
>>>>On Oct 24, 2016, at 5:51 AM, David Kupka wrote:
>>>>
>>>>On 22/10/16 00:15, Gilbert Wilson wrote:
>>>>>We have a lot of FreeBSD systems that I would like to streamline
>>>>>certificate issuance and renewal. Ideally, we could leverage our
>>>>>FreeIPA system's CA to do this. But, certmonger doesn't run on
>>>>>FreeBSD (or does it?). What other means have other people tried, or
>>>>>would you recommend investigating, to enable automated certificate
>>>>>issuance and renewal for FreeBSD FreeIPA clients?
>>>>>
>>>>>Any pointers are appreciated!
>>>>>
>>>>>Gil
>>>>>
>>>>
>>>>Hello Gil!
>>>> >>>>I've very limited experiences with *BSD systems so the question may >>>>be completely off. >>>>Have you tried to install and run certmonger using FreeBSD's Linux >>>>Binary Compatibility [1]? Though I don't know what are the >>>>limitations or possible issues it could be a way. >>>> >>>>[1] http://www.freebsd.cz/doc/handbook/linuxemu.html >>>> >>>>-- >>>>David Kupka >>> >>> >>>You know? I haven?t ever tried LBC! I suppose it?s worth a sacrificial >>>virtual machine to see if it works. It also occurred to me that >>>FreeIPA might have some sort of API given the web interface, and sure >>>enough that made the Google-fu turn up more useful results. >>> >>>* >>>https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ >>>* >>>https://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ >>> >>>* >>>http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA >>> >>> >>>There doesn?t appear to be a manual for the API but those examples >>>seem to ?show the way?. My initial thought is to create a script that >>>uses kinit with a keytab to authenticate against FreeIPA and then >>>create/renew permissible certificates for the system before they >>>expire. This seems reasonable since the certificate creation/renewal >>>is the scope of what I?m interested in doing. Do you see any reason >>>not to do it this way or have any other alternative suggestions? >>>Another way to think about it, perhaps, is what would you do on a >>>Linux system if you didn?t have access to the FreeIPA client or >>>certmonger? >>> >>>Thanks for the pointer/reminder about LBC! >>> >>>Gil >>> >>> >>> >> >>You're right, FreeIPA has JSON RPC API. It's used in WebUI and also in >>'ipa' CLI. If you've FreeIPA server 4.2 and above there's API Browser in >>WebUI (IPA Server - API Browser). There you can find all commands and >>their parameters. >>Just obligatory disclaimer, talking directly to the API is not >>officially supported. 
>>This means that the API can change in future >>versions. >> >>Good luck! > >And this is sort of reinventing the wheel. certmonger uses the API already. > >Have you tried building certmonger on BSD? It should be pretty >portable C code, it just might require installing additional >dependencies like libcurl (with GSSAPI support) and probably a few >others.

There are some more involved dependencies which would require porting the code to use *BSD-provided options -- netlink interface is Linux-specific dependency that may be harder to avoid and would require a separate implementation as certmonger depends on the ability to look at the networking interface changes.

-- / Alexander Bokovoy

From bahanw042014 at gmail.com Tue Oct 25 11:00:51 2016
From: bahanw042014 at gmail.com (bahan w)
Date: Tue, 25 Oct 2016 13:00:51 +0200
Subject: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
In-Reply-To:
References:
Message-ID:

Re.

There is no time difference between client and server. I checked the httpd error log and saw no errors. Same with the dirsrv error logs.

Any other idea ?

By looking at the log, I'm wondering if this is a question of session ? See there :
###
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session= 26a7252e4853374fc7439eae5926c584;'
###

At that time, it was not yet expired but there was only a few minutes before expiration (something like 10 minutes). What is this persistent storage which is mentioned in the logs ?

Best regards.
Bahan On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky wrote: > On 10/25/2016 10:27 AM, bahan w wrote: > >> Hello everyone ! >> >> I have an ipa server and an ipa client both in 3.0.0-47. >> >> In order to connect via SSH to the host of the ipa-client, I use root. >> When I'm connected to the ipa-client via ssh being root, I do a kinit of >> a user with a keytab : >> ### >> kinit -kt /etc/security/keytabs/.headless.keytab >> ### >> >> And sometimes, once I have the TGT, when I do just an ipa user-show, I >> got the following error : >> ### >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI >> Error: Unspecified GSS failure. Minor code may provide more information >> (Ticket expired) >> ### >> >> When I check the ticket, it is not expired : >> ### >> # klist >> Ticket cache: FILE:/tmp/krb5cc_root_ >> Default principal: @ >> >> Valid starting Expires Service principal >> 10/25/16 10:00:44 10/26/16 10:00:44 krbtgt/@ >> ### >> >> Do you know from where it can come and how I can solve this error please ? >> >> Here is more information with the debug option : >> ### >> ipa -d user-show >> ### >> >> Result : >> ### >> ipa: DEBUG: importing all plugin modules in >> '/usr/lib/python2.6/site-packages/ipalib/plugins'... 
>> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' >> ipa: DEBUG: importing plugin module >> 
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' >> ipa: DEBUG: args=klist -V >> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3 >> >> ipa: DEBUG: stderr= >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' >> ipa: DEBUG: importing plugin module >> 
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' >> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:@> yrealm> >> ipa: DEBUG: stdout=44063864 >> >> ipa: DEBUG: stderr= >> ipa: DEBUG: args=keyctl pipe 44063864 >> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; >> Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; >> Secure; HttpOnly >> ipa: DEBUG: stderr= >> ipa: DEBUG: found session_cookie in persistent storage for principal >> '@', cookie: >> 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; >> Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly' >> ipa: DEBUG: setting session_cookie into context >> 'ipa_session=26a7252e4853374fc7439eae5926c584;' >> ipa: INFO: trying https:///ipa/session/xml >> ipa: DEBUG: Created connection context.xmlclient >> ipa: DEBUG: raw: user_show(u'', rights=False, all=False, >> raw=False, version=u'2.49', no_members=False) >> ipa: DEBUG: user_show(u'', rights=False, all=False, raw=False, >> version=u'2.49', no_members=False) >> ipa: INFO: Forwarding 'user_show' to server >> u'https:///ipa/session/xml' >> ipa: DEBUG: NSSConnection init >> ipa: DEBUG: Connecting: 10.79.28.51:0 >> >> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False >> Data: >> Version: 3 (0x2) >> Serial Number: 10 (0xa) >> Signature Algorithm: >> Algorithm: PKCS #1 SHA-256 With RSA Encryption >> Issuer: CN=Certificate Authority,O= >> Validity: >> Not Before: Mon Nov 23 13:01:37 2015 UTC >> Not After: Thu Nov 23 13:01:37 2017 UTC >> Subject: CN=,O= >> Subject Public Key Info: >> Public Key Algorithm: >> Algorithm: PKCS #1 RSA Encryption >> RSA Public Key: >> Modulus: >> f4:df:8e:0c:39:ff:37:ba:64:90:b8:90:85:98:b9:b2: >> 8d:1f:81:3e:ce:de:84:87:51:f9:48:c1:27:8e:00:86: >> 90:d8:1c:1c:b2:d5:03:7e:29:a1:6d:f2:06:fd:26:8c: >> f5:b6:8e:80:aa:0d:47:ea:82:74:30:9b:78:34:6d:62: >> 
c5:ba:a6:05:3b:56:a7:b2:0a:88:35:9f:6b:cc:80:f8: >> c9:15:08:5e:6c:36:98:09:80:3f:75:e9:69:3d:c1:22: >> 22:ce:15:5f:f8:c4:a3:db:79:92:57:ae:6d:5f:82:15: >> fc:3c:c9:b6:10:58:36:71:03:91:19:cd:bb:5a:f3:9b: >> e0:4a:cf:a6:43:30:b2:71:99:56:28:3f:7f:60:b3:fc: >> e0:84:7b:cc:ef:63:b1:5d:0a:32:94:db:74:7b:a2:7c: >> 52:db:fb:12:fb:3e:14:fe:f1:9b:9c:e9:42:c2:7e:03: >> a5:1d:ab:c1:75:06:a0:b4:50:5b:27:1c:c6:5a:27:62: >> 73:74:70:22:16:03:15:dc:f3:6c:de:1d:02:d7:de:03: >> ca:1e:d1:9d:c1:25:59:84:e1:f6:b4:a0:8c:c6:b0:e0: >> 74:ce:2f:9f:50:e9:b5:d9:d5:f3:fa:7d:57:84:c3:59: >> 75:e9:6e:7d:0e:97:8b:a0:15:f2:4b:31:cc:ca:5c:45 >> Exponent: >> 65537 (0x10001) >> Signed Extensions: (5 total) >> Name: Certificate Authority Key Identifier >> Critical: False >> Key ID: >> 39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50: >> f7:7f:85:85 >> Serial Number: None >> General Names: [0 total] >> >> Name: Authority Information Access >> Critical: False >> Authority Information Access: [1 total] >> Info [1]: >> Method: PKIX Online Certificate Status Protocol >> Location: URI: http://:80/ca/ocsp >> >> Name: Certificate Key Usage >> Critical: True >> Usages: >> Digital Signature >> Non-Repudiation >> Key Encipherment >> Data Encipherment >> >> Name: Extended Key Usage >> Critical: False >> Usages: >> TLS Web Server Authentication Certificate >> TLS Web Client Authentication Certificate >> >> Name: Certificate Subject Key ID >> Critical: False >> Data: >> 30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1: >> ad:84:68:8b >> >> Signature: >> Signature Algorithm: >> Algorithm: PKCS #1 SHA-256 With RSA Encryption >> Signature: >> 99:8f:05:f4:14:64:5e:8a:b3:cc:6d:b8:b1:b1:17:1c: >> a1:28:37:da:5a:1e:17:6c:61:5d:d4:a9:52:15:0a:8c: >> bc:9d:14:35:f0:b7:1a:0c:53:fa:05:5d:fa:56:1f:ea: >> 23:be:b3:20:0a:30:dc:ae:e5:a6:4d:bf:35:4a:91:11: >> f6:fd:73:c5:55:e7:83:52:b0:f1:9b:83:c2:b3:48:ea: >> 5e:21:aa:a0:2d:fb:78:cb:35:d8:20:02:c2:1c:8d:a1: >> 8a:f5:72:81:c5:35:f5:36:3e:3e:5e:02:4b:4e:34:97: >> 
0f:b6:80:e2:90:1e:f9:55:41:79:f9:78:e6:d7:43:14: >> 50:f7:39:e2:e8:7f:0a:89:95:08:94:7e:dd:ca:9d:ba: >> f8:9c:6f:24:48:5c:92:53:9d:cd:aa:91:91:6e:db:1e: >> df:54:3c:0b:ce:57:07:26:32:70:f9:ba:fd:ad:b2:7a: >> a6:1b:d1:a5:c9:30:1d:fa:f6:1d:8a:b0:71:ca:4d:9b: >> 41:2b:7c:43:80:54:a3:32:65:d8:48:fe:87:a2:15:a7: >> 14:f0:bb:f9:65:cd:7e:a9:03:a7:3c:f3:d1:73:f7:1b: >> a1:e7:51:66:39:ba:6c:a9:6d:1d:33:b0:3b:63:04:4c: >> 79:cc:16:ce:5f:9f:b1:c5:01:47:72:88:0c:e2:69:ef >> Fingerprint (MD5): >> 7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53 >> Fingerprint (SHA1): >> 2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90: >> 75:81:d5:0b >> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server >> ipa: DEBUG: cert valid True for "CN=,O=" >> ipa: DEBUG: handshake complete, peer = :443 >> ipa: DEBUG: Protocol: TLS1.2 >> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA >> ipa: DEBUG: Caught fault 2100 from server >> https:///ipa/session/xml: Insufficient access: SASL(-1): >> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may >> provide more information (Ticket expired) >> ipa: DEBUG: Destroyed connection context.xmlclient >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI >> Error: Unspecified GSS failure. Minor code may provide more information >> (Ticket expired) >> ### >> >> Any guidance about where it can come from or what to do ? >> >> From the ipa-server, in the krb5kdc.log, I found sometimes this kind of >> message : >> ### >> Oct 25 09:59:37 krb5kdc[30767](info): ... >> CONSTRAINED-DELEGATION s4u-client=@ >> Oct 25 09:59:37 krb5kdc[30767](info): ... >> CONSTRAINED-DELEGATION s4u-client=@ >> ### >> >> Best regards. >> >> Bahan >> >> >> > I would firstly check the time difference between client and IPA server. > If the time skew is too great all sorts of errors can pop up regarding > Kerberos authentication. > > I would also check /var/log/http/error_log and > /var/log/dirsrv/slapd-/errors for additional info.
I suspect there > is something wrong with the keytab of HTTP principal on the IPA server. > > -- > Martin^3 Babinsky

From simo at redhat.com Tue Oct 25 12:55:19 2016
From: simo at redhat.com (Simo Sorce)
Date: Tue, 25 Oct 2016 08:55:19 -0400
Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?
In-Reply-To: <20161025060248.xeohsgr6yzffeut3@redhat.com>
References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> <20161025045524.GI3554@dhcp-40-8.bne.redhat.com> <20161025050159.i5brtkj5yuxgz636@redhat.com> <20161025054834.GJ3554@dhcp-40-8.bne.redhat.com> <20161025060248.xeohsgr6yzffeut3@redhat.com>
Message-ID: <1477400119.18284.14.camel@redhat.com>

On Tue, 2016-10-25 at 09:02 +0300, Alexander Bokovoy wrote: > On ti, 25 loka 2016, Fraser Tweedale wrote: > >On Tue, Oct 25, 2016 at 08:01:59AM +0300, Alexander Bokovoy wrote: > >> On ti, 25 loka 2016, Fraser Tweedale wrote: > >> > On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: > >> > > On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote: > >> > > > On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote: > >> > > >> Hello, > >> > > >> > >> > > >> > >> > > >> > >> > > >> I would like to better understand why IPA requires SAN (subject alternative > >> > > >> name) entries to have a backing host record. In order to sign a certificate > >> > > >> with a SAN that corresponded to a user friendly CNAME I had to add a host > >> > > >> record (ipa host) for that DNS name (use force option to create without an > >> > > >> A/AAAA record) as well as a service principal.
> >> > > >> > >> > > >> > >> > > >> > >> > > >> I'm sure I'm not alone when I say I don't like doing that because it means > >> > > >> that a "Host" in FreeIPA is not a computer, it's a host record that may or > >> > > >> may not be the only record that corresponds to a computer. It gets > >> > > >> confusing. > >> > > >> > >> > > >> > >> > > >> > >> > > >> I assume things are this way to ensure integrity at some level. But I can't > >> > > >> picture it. What is the potential danger of simply bypassing the > >> > > >> host/principal checks and just signing the certificate with whatever SAN > >> > > >> field we like? > >> > > >> > >> > > > In this specific case, it is because certmonger requests service > >> > > > certificates with host credentials. Therefore it is not just human > >> > > > administrators issuing certs. And we MUST validate SAN against > >> > > > information in the directory (the only "source of truth" available > >> > > > to the CA / IPA cert-request command). Otherwise you could put e.g. > >> > > > `google.com' into SAN, and we would issue the cert, and that would > >> > > > be Very Bad. > >> > > > > >> > > > >> > > In my case it's always human administrators issuing certs. I can see > >> > > how validation is a great way to prevent a scenario like the one you > >> > > described. But couldn't that be accommodated by tinkering with the > >> > > roles/privileges so that you could impose the restriction on external, > >> > > less-trusted applications but allow a trusted human administrator to > >> > > bypass it? > >> > > > >> > > Admin group by default would be nice. It would be unfortunate if > >> > > someone added a service account to the admin group, but I don't see > >> > > that as justification for ruling it out. How many other poor security > >> > > decisions has someone made already before they decided to add a > >> > > service account to the domain admin group? 
To that I would say that > >> > > degree of administrative negligence is not something that the project > >> > > should design around. But, I don't work at RedHat and I don't have to > >> > > take the support calls so my opinion means nothing. > >> > > > >> > > But if I'm an admin, enforcing the SAN restriction doesn't prevent me > >> > > from doing anything I couldn't already do by creating a couple host > >> > > records. It's just making things difficult for admins who ultimately > >> > > are securely deploying a service. > >> > > > >> > The question is not really one of privilege, but sanity. FreeIPA > >> > has to make sure that certs issued by it correspond to the CA's view > >> > of reality, i.e. what is in the FreeIPA directory, at the time the > >> > request is made. IMO to disable these checks for human users with a > >> > particular permission is a mistake waiting to happen. > >> > > >> > Yes, enforcing the restriction forces a human to create the > >> > needed objects before the cert request will be considered valid. > >> > Not a bad thing, IMO. > >> > > >> > All this said, I think there is a valid RFE in allowing Kerberos > >> > principal aliases to be consulted when validating a CSR. This would > >> > mean you do not have to create new objects, just add more principal > >> > names to the existing one. I filed a ticket: > >> > > >> > https://fedorahosted.org/freeipa/ticket/6432 > >> > > >> > Alexander, Simo, what do you think? > >> Certainly principal aliases should be checked if they were asked to be > >> in SAN. The question is what type of the SAN extension should be > >> considered for them in addition to Kerberos principal. The aliases are > >> stored in their full format (alias@REALM), so either you need to do full > >> match or consider dropping the realm for some types. This needs to be > >> clarified before any implementation happens. > >> > >Right, UPN and KRB5PrincipalName can be checked as-is.
> > > >We should check dnsNames by affixing around the dnsName the same > >service type (e.g. `HTTP') and realm as the nominated principal, and > >looking for that in the aliases. e.g. for nominated principal > >`HTTP/web.example.com@EXAMPLE.COM', if there is a SAN dnsName > >`www.example.com', we look for `HTTP/www.example.com@EXAMPLE.COM' in > >its aliases. > > > >Does this sound reasonable? > > > >No other GeneralName types shall be checked against principal > >aliases, unless/until we support SRVName. > Sounds reasonable for me, thanks.

+1

Simo.

-- Simo Sorce * Red Hat, Inc * New York

From frank.munsche at gmx.net Tue Oct 25 13:49:22 2016
From: frank.munsche at gmx.net (Frank Munsche)
Date: Tue, 25 Oct 2016 15:49:22 +0200
Subject: [Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups
Message-ID: <20161025154922.7b7cd744@tp.int.cloudrock.de>

Hi guys,

we are currently evaluating free-ipa. We've used the sun one ds, sun / oracle dsee and 389 so far. All of those are easy to customize respective the schema, class of service, dynamic groups,... Unfortunately most applications like jenkins, jira, confluence, gitblit, bitbucket, nexus and others don't have a native interface to authenticate against free-ipa. But most of them can do ldap(s) / tls and can connect to any ldap server with a proxy user configured. This way and by using class of service and dynamic groups, we were able to tie them to the directory and use it for authentication and sometimes authorization as well.

As I've seen so far, the 389 as part of free-ipa is tightly coupled to the rest of the components and it's schema and dit are structured to fit the needs of ipa. Some questions that come into my mind:

Would it be possible to extend the schema and configure the 389 ds for my own needs? Could the dit be restructured to match the logic of our environments?
I remember the sun idm server which was a pretty complex product but gave the user lots of possible customizations of the web ui and included workflows. Is that possible with ipa also?

thank you very much, cheers, Frank

From gjn at gjn.priv.at Tue Oct 25 13:49:27 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Tue, 25 Oct 2016 15:49:27 +0200
Subject: [Freeipa-users] Is this a bigger Problem DNSSEC ?
Message-ID: <6855743.Ni35mL8Wg0@techz>

Hello,

FreeIPA 4.3.1 CentOS 7.2

I found today in /var/log/messages these entries. Is the DNSSEC now broken ?

Thanks for an answer

Oct 25 15:41:29 ipa ipa-dnskeysyncd: Traceback (most recent call last):
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 112, in
Oct 25 15:41:29 ipa ipa-dnskeysyncd: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll
Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.syncrepl_refreshdone()
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 118, in syncrepl_refreshdone
Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.bindmgr.sync(self.dnssec_zones)
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 209, in sync
Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.sync_zone(zone)
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 182, in sync_zone
Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.install_key(zone, uuid, attrs, tempdir)
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/bindmgr.py", line 117, in install_key
Oct 25 15:41:29 ipa ipa-dnskeysyncd: result = ipautil.run(cmd, capture_output=True)
Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 479, in
run
Oct 25 15:41:29 ipa ipa-dnskeysyncd: raise CalledProcessError(p.returncode, arg_string, str(output))
Oct 25 15:41:29 ipa ipa-dnskeysyncd: subprocess.CalledProcessError: Command '/usr/sbin/dnssec-keyfromlabel-pkcs11 -K /var/named/dyndb-ldap/ipa/master/4gjn.com/tmppaO_R2 -a RSASHA256 -l pkcs11:object=d7fe5c98d5f3f89aefb9e8dfb92ebcb1;pin-source=/var/lib/ipa/dnssec/softhsm_pin -I 20160811091542 -D 20160825225503 -P 20160513081600 -A 20160513081600 4gjn.com.' returned non-zero exit status 1
Oct 25 15:41:30 ipa systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
Oct 25 15:41:30 ipa systemd: Unit ipa-dnskeysyncd.service entered failed state.
Oct 25 15:41:30 ipa systemd: ipa-dnskeysyncd.service failed.

-- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer

From simo at redhat.com Tue Oct 25 14:01:17 2016
From: simo at redhat.com (Simo Sorce)
Date: Tue, 25 Oct 2016 10:01:17 -0400
Subject: [Freeipa-users] PWM password self-service integration with FreeIPA
In-Reply-To:
References:
Message-ID: <1477404077.18284.26.camel@redhat.com>

On Sun, 2016-10-23 at 12:22 -0500, Elwell, Jason wrote: > I posted this on the PWM boards, and figured I'd send this along here, > too. I'm looking for feedback on this. Let me know if you find this > accurate and/or valuable. Thanks! > > > PWM setup for FreeIPA > https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a > > PwmConfiguration-template.xml > https://gist.github.com/PowerWagon/0e83a0c5b67316a6987944b76eb103bc

Jason, It seems to me your ACIs are too lax, you should also make the PWM user a password synchronization agent and not just give it blanket access to read everything from the directory and write every password, you should limit it to users for example and not allow it to change service's or host's "passwords".

Simo.
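The least-privilege shape Simo describes above, written out as an added example (an editor's illustration, not part of the thread and not taken from the linked gists). It assumes the PWM bind DN is uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com and the suffix is dc=example,dc=com; both are placeholders. The read ACI and the userPassword write ACI are attached to cn=users and targeted at uid=* entries beneath it, so host entries (cn=computers) and service entries (cn=services) are never in scope, and the bind DN is registered as a password synchronization manager of the ipa_pwd_extop plugin, which is the documented way to make a bind DN a PassSync-style agent.

```ldif
# Added example, not from the thread or the PWM gists.
# Assumed (placeholder) names: bind DN uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com
# and suffix dc=example,dc=com.
# Apply as Directory Manager, e.g.:
#   ldapmodify -x -D "cn=Directory Manager" -W -f pwm-least-privilege.ldif

# 1. Read only the attributes the self-service front end needs, and only on user
#    entries; a separate ACI grants write on userPassword alone, again only under
#    cn=users, so host and service "passwords" stay out of reach.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || cn || mail || krbPasswordExpiration || krbLastPwdChange")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0; acl "PWM: read user entries"; allow (read, search, compare) userdn = "ldap:///uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com";)
aci: (targetattr = "userPassword")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0; acl "PWM: reset user passwords"; allow (write) userdn = "ldap:///uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com";)

# 2. Register the bind DN as a password synchronization manager, so the
#    ipa_pwd_extop plugin treats passwords it sets as agent-synchronized
#    rather than as an administrative reset.
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com
```

Two checks are worth running after applying this: bind as the PWM account and attempt a userPassword modification on an entry under cn=computers or cn=services, which must fail with an insufficient-access error; and remember that a sync manager's password writes are not marked expired the way an administrative reset is, so the front end itself is the only thing verifying the user before the change.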
-- Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Oct 25 14:07:01 2016
From: simo at redhat.com (Simo Sorce)
Date: Tue, 25 Oct 2016 10:07:01 -0400
Subject: [Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups
In-Reply-To: <20161025154922.7b7cd744@tp.int.cloudrock.de>
References: <20161025154922.7b7cd744@tp.int.cloudrock.de>
Message-ID: <1477404421.18284.29.camel@redhat.com>

On Tue, 2016-10-25 at 15:49 +0200, Frank Munsche wrote: > Hi guys, > > we are currently evaluating free-ipa. We've used the sun one ds, sun / > oracle dsee and 389 so far. All of those are easy to customize > respective the schema, class of service, dynamic groups,... > Unfortunately most applications like jenkins, jira, confluence, gitblit, > bitbucket, nexus and others don't have a native interface to > authenticate against free-ipa. But most of them can do ldap(s) / tls > and can connect to any ldap server with a proxy user configured. This > way and by using class of service and dynamic groups, we were able to > tie them to the directory and use it for authentication and sometimes > authorization as well. > As I've seen so far, the 389 as part of free-ipa is tightly coupled to > the rest of the components and it's schema and dit are structured to > fit the needs of ipa. > Some questions that come into my mind: > > Would it be possible to extend the schema and configure the 389 ds for > my own needs?

Yes, the schema can be extended.

> Could the dit be restructured to match the logic of our > environments?

No, but we have a compat tree that can be used with clients that insist on using other "views" of the directory. The compat tree carries performance penalties and is not easy to change dramatically, but it is a possible way to go.

> I remember the sun idm server which was a pretty complex product but > gave the user lots of possible customizations of the web ui and > included workflows. Is that possible with ipa also?
With the latest FreeIPA versions it is possible to write plugins to extend the Web UI, we are working on making it more straightforward, but it has been done already.

> thank you very much,

HTH, Simo.

-- Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Tue Oct 25 14:14:57 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 25 Oct 2016 17:14:57 +0300
Subject: [Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups
In-Reply-To: <20161025154922.7b7cd744@tp.int.cloudrock.de>
References: <20161025154922.7b7cd744@tp.int.cloudrock.de>
Message-ID: <20161025141457.njfpmrhmcprnfqa2@redhat.com>

On ti, 25 loka 2016, Frank Munsche wrote: >Hi guys, > >we are currently evaluating free-ipa. We've used the sun one ds, sun / >oracle dsee and 389 so far. All of those are easy to customize >respective the schema, class of service, dynamic groups,... >Unfortunately most applications like jenkins, jira, confluence, gitblit, >bitbucket, nexus and others don't have a native interface to >authenticate against free-ipa. But most of them can do ldap(s) / tls >and can connect to any ldap server with a proxy user configured. This >way and by using class of service and dynamic groups, we were able to >tie them to the directory and use it for authentication and sometimes >authorization as well.

Have you checked http://www.freeipa.org/page/HowTos ?

>As I've seen so far, the 389 as part of free-ipa is tightly coupled to >the rest of the components and it's schema and dit are structured to >fit the needs of ipa. >Some questions that come into my mind: > >Would it be possible to extend the schema and configure the 389 ds for >my own needs?

Everything is possible but you'll be responsible for whatever would be done.

>Could the dit be restructured to match the logic of our >environments?

Most likely no. The flat DIT assumptions and naming of subtrees are encoded in FreeIPA framework.
>I remember the sun idm server which was a pretty complex product but >gave the user lots of possible customizations of the web ui and >included workflows. Is that possible with ipa also?

Read existing documentation.
http://www.freeipa.org/page/HowTo/Add_a_new_attribute
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
and overall links under http://www.freeipa.org/page/Documentation

-- / Alexander Bokovoy

From gjn at gjn.priv.at Tue Oct 25 14:41:36 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Tue, 25 Oct 2016 16:41:36 +0200
Subject: [Freeipa-users] Replica Problem (Errors)
In-Reply-To: <580DFB97.3060602@redhat.com>
References: <5871092.HDg4xTobpa@techz> <3481914.stP7xGGlje@techz> <580DFB97.3060602@redhat.com>
Message-ID: <2153983.bU9YpENNS3@techz>

Hello Ludwig,

Thanks for the answer and help,

On Monday, 24 October 2016, 14:16:23, Ludwig Krispenz wrote: > On 10/24/2016 01:21 PM, Günther J. Niederwimmer wrote: > > On Monday, 24 October 2016, 09:53:21, Ludwig Krispenz wrote: > >> On 10/23/2016 03:01 PM, Günther J. Niederwimmer wrote: > >>> I have added on my ipa (Master) Server this user and ACI with a ldif > >>> file > >>> > >>> This Ends with a > >>> modifying entry "cn=users,cn=accounts,dc=example,dc=com" > >> > >> these changes are not related to the errors you report below (I would be > >> really surprised) and you only need to apply them on one server, that's > >> what replication is good for. > >> > >> There are a couple of different types of messages: > >> - failed to delete changelog record: this is from retro changelog > >> trimming, when miscalculation of the starting point for trimming starts > >> with changenumber lower than what's in the retro changelog. > >> In my experience this can happen after a crash/kill/reboot and should > >> stop after some time > > > > OK, nothing to do ;-).
> > > >> - attrlist_replace errors: looks like you have recreated a replica on a > >> machine and not cleaned the RUV, please see: > >> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records > > > > I have not added or removed a replica ? These two servers have been running now, I mean, > > over three months ? > > that is strange, could you perform step 1] and 2] of this recipe: > https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html > but add the option "-o ldif-wrap=no" to the ldapsearch to get the full ruv

OK.

The first is

ipa-csreplica-manage list
Directory Manager password:

ipa.example.com: master
ipa1.example.com: master

The second is:
nsDS5ReplicaId: 96
nsds50ruv: {replicageneration} 5706b1a3000000600000
nsds50ruv: {replica 96 ldap://ipa.example.com:389} 5706b1ab000000600000 580f6a5f000000600000
nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 5714ad010000005b0000 575c65140005005b0000
nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 5706b1bd000000610000 570803a9000000610000

The domain is changed !!

> > The last I remember I added a 3rd Party Certificate ? > > > > but I didn't find so many Errors before :-(. > > > > Is there a possible way to check a freeIPA Installation, to find out for a > > "normal" user to have a consistent System ? > > > >> - keep-alive already exists: this is also an indication of a new > >> replica, the keep alive entry was in the database, but the supplier > >> tries to send it again, this should also disappear once some real > >> changes from replica 4 are replicated > >> > >>> but now I have on the changed master this 100...
Errors > >>> > >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: > >>> could > >>> not delete change record 396504 (rc: 32) > >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: > >>> could > >>> not delete change record 396505 (rc: 32) > >>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: > >>> could > >>> not delete change record 396506 (rc: 32) > >>> [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep > >>> alive > >>> entry already exists > >>> > >>> and on the replica (Master) this 1000....Errors > >>> > >>> [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: > >>> could > >>> not delete change record 240846 (rc: 32) > >>> What is wrong with my changes, or do I have to add my changes also on the > >>> Replicas ? > >>> > >>> Thanks for an answer,

-- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer

From lkrispen at redhat.com Tue Oct 25 15:20:44 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 25 Oct 2016 17:20:44 +0200
Subject: [Freeipa-users] Replica Problem (Errors)
In-Reply-To: <2153983.bU9YpENNS3@techz>
References: <5871092.HDg4xTobpa@techz> <3481914.stP7xGGlje@techz> <580DFB97.3060602@redhat.com> <2153983.bU9YpENNS3@techz>
Message-ID: <580F784C.7010602@redhat.com>

On 10/25/2016 04:41 PM, Günther J. Niederwimmer wrote: > Hello Ludwig, > > Thanks for the answer and help, > > On Monday, 24 October 2016, 14:16:23, Ludwig Krispenz wrote: >> On 10/24/2016 01:21 PM, Günther J. Niederwimmer wrote: >>> On Monday, 24 October 2016, 09:53:21, Ludwig Krispenz wrote: >>>> On 10/23/2016 03:01 PM, Günther J.
Niederwimmer wrote: >>>>> I have added on my ipa (Master) Server this user and ACI with a ldif >>>>> file >>>>> >>>>> This Ends with a >>>>> modifying entry "cn=users,cn=accounts,dc=example,dc=com" >>>> these changes are not related to the errors you report below (I would be >>>> really surprised) and you only need to apply them on one server, that's >>>> what replication is good for. >>>> >>>> There are a couple of different types of messages: >>>> - failed to delete changelog record: this is from retro changelog >>>> trimming, when miscalculation of the starting point for trimming starts >>>> with changenumber lower than what's in the retro changelog. >>>> In my experience this can happen after a crash/kill/reboot and should >>>> stop after som time >>> OK, nothing to do ;-). >>> >>>> - attrlist_replace errors: looks like you have recreated a replica on a >>>> machine and not cleaned the RUV, please see: >>>> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records >>> I don't have add or remove a replica ? this two servers running now I mean >>> over three month ? >> that is strange, could you perform step 1] and 2] of this recipe: >> https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html >> but add the option "-o ldif-wrap=no" to the ldapsearch to get the full ruv > OK. 
> The first is > > ipa-csreplica-manage list > Directory Manager password: > > ipa.example.com: master > ipa1.example.com: master > > The second is: > nsDS5ReplicaId: 96 > nsds50ruv: {replicageneration} 5706b1a3000000600000 > nsds50ruv: {replica 96 ldap://ipa.example.com:389} 5706b1ab000000600000 > 580f6a5f000000600000 > nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 5714ad010000005b0000 > 575c65140005005b0000 > nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 5706b1bd000000610000 > 570803a9000000610000 you should do the same search on ipa1, it looks like you have to replicaids: 91 and 97 for the sane server: ipa1.example.com from the timestamps in the RUV I think you recreated the instance on ipa1 between Apr,8th and Apr,18th and since then have this in teh RUV. but it looks like changes on ipa1 for the o=ipaca suffix are rare (ruv output from ipa1 would tell more) and maybe missed the error messages so far. I would suggest you follow the next steps in the doc abou cleaning the no longer active replicaID from the ruv > > The domain is changed !! > >>> The last I remember I add a 3rd Party Certificate ? >>> >>> but I don't found before so much Errors :-(. >>> >>> Is there a possible way to check a freeIPA Installation, to find out for a >>> "normal" user to have a consistent System ? >>> >>>> - keep-alive already exists: this is also an indication of a new >>>> replica, the keep alive entry was in the database, but the supplier >>>> tries to send it again, this should also disappear once some real >>>> changes from replica 4 are replicated >>>> >>>>> but now I have on the changed master this 100... 
Errors >>>>> >>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: >>>>> could >>>>> not delete change record 396504 (rc: 32) >>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: >>>>> could >>>>> not delete change record 396505 (rc: 32) >>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: >>>>> could >>>>> not delete change record 396506 (rc: 32) >>>>> [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep >>>>> alive >>>>> entry already exists >>>>> >>>>> and on the replica (Master) this 1000....Errors >>>>> >>>>> [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: >>>>> could >>>>> not delete change record 240846 (rc: 32) >>>>> What is wrong with my changes, or have I to add my changes also on the >>>>> Replicas ? >>>>> >>>>> Thanks for a answer, -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From bretif at phosphore.eu Tue Oct 25 15:51:09 2016 From: bretif at phosphore.eu (Bertrand =?utf-8?Q?R=C3=A9tif?=) Date: Tue, 25 Oct 2016 17:51:09 +0200 (CEST) Subject: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue In-Reply-To: References: <1383346498.1295916.1476825748599.JavaMail.zimbra@phosphore.eu> <1101487784.1356614.1476878994121.JavaMail.zimbra@phosphore.eu> <58077566.8010401@redhat.com> <719022987.1370764.1476884527122.JavaMail.zimbra@phosphore.eu> <1467699597.1398215.1476901090793.JavaMail.zimbra@phosphore.eu> Message-ID: <835252359.90240.1477410669922.JavaMail.zimbra@phosphore.eu> ----- Mail original ----- > De: "Florence Blanc-Renaud" > ?: "Bertrand R?tif" , freeipa-users at redhat.com > Envoy?: Jeudi 20 Octobre 2016 18:45:21 > Objet: Re: [Freeipa-users] Impossible to renew certificate. 
pki-tomcat issue > On 10/19/2016 08:18 PM, Bertrand R?tif wrote: > > *De: *"Bertrand R?tif" > > > > *?: *freeipa-users at redhat.com > > *Envoy?: *Mercredi 19 Octobre 2016 15:42:07 > > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > > pki-tomcat issue > > > > > > ------------------------------------------------------------------------ > > > > *De: *"Rob Crittenden" > > *?: *"Bertrand R?tif" , > > freeipa-users at redhat.com > > *Envoy?: *Mercredi 19 Octobre 2016 15:30:14 > > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > > pki-tomcat issue > > > > Bertrand R?tif wrote: > > >> De: "Martin Babinsky" > > >> ?: freeipa-users at redhat.com > > >> Envoy?: Mercredi 19 Octobre 2016 08:45:49 > > >> Objet: Re: [Freeipa-users] Impossible to renew certificate. > > pki-tomcat issue > > > > > >> On 10/18/2016 11:22 PM, Bertrand R?tif wrote: > > >>> Hello, > > >>> > > >>> I had an issue with pki-tomcat. > > >>> I had serveral certificate that was expired and pki-tomcat > > did not start > > >>> anymore. > > >>> > > >>> I set the dateon the server before certificate expiration > > and then > > >>> pki-tomcat starts properly. > > >>> Then I try to resubmit the certificate, but I get below error: > > >>> "Profile caServerCert Not Found" > > >>> > > >>> Do you have any idea how I could fix this issue. > > >>> > > >>> Please find below output of commands: > > >>> > > >>> > > >>> # getcert resubmit -i 20160108170324 > > >>> > > >>> # getcert list -i 20160108170324 > > >>> Number of certificates and requests being tracked: 7. 
> > >>> Request ID '20160108170324': > > >>> status: MONITORING > > >>> ca-error: Server at > > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" > > replied: > > >>> Profile caServerCert Not Found > > >>> stuck: no > > >>> key pair storage: > > >>> > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > >>> certificate: > > >>> > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > >>> Certificate DB' > > >>> CA: dogtag-ipa-ca-renew-agent > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU > > >>> expires: 2016-06-28 15:25:11 UTC > > >>> key usage: > > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > >>> eku: id-kp-serverAuth,id-kp-clientAuth > > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre > > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > > >>> track: yes > > >>> auto-renew: yes > > >>> > > >>> > > >>> Thanksby advance for your help. > > >>> Bertrand > > >>> > > >>> > > >>> > > >>> > > > > > >> Hi Betrand, > > > > > >> what version of FreeIPA and Dogtag are you running? > > > > > >> Also perform the following search on the IPA master and post > > the result: > > > > > >> """ > > >> ldapsearch -D "cn=Directory Manager" -W -b > > >> 'ou=certificateProfiles,ou=ca,o=ipaca' > > '(objectClass=certProfile)' > > >> """ > > > > > > Hi Martin, > > > > > > Thanks for your reply. 
> > > > > > Here is version: > > > - FreeIPA 4.2.0 > > > - Centos 7.2 > > > > > > I have been able to fix the issue with "Profile caServerCert > > Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg > > > I replace below entry > > > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem" > > > by > > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem" > > > > > > and then launch "ipa-server-upgrade" command > > > I found this solution in this post: > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html > > > > > > Then I was able to renew my certificate. > > > > > > However I reboot my server to and pki-tomcat do not start and > > provide with a new erreor in /var/log/pki/pki-tomcat/ca/debug > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: > > verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > SignedAuditEventFactory: create() > > message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ > > > System$][Outcome=Success][CertNickName=auditSigningCert > > cert-pki-ca] CIMC certificate verification > > > > > > java.lang.Exception: SystemCertsVerification: system certs > > verification failure > > > at > > com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198) > > > at > > com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861) > > > at > > com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797) > > > at > > com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) > > > at > > com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) > > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) > > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) > > > at > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > > at 
javax.servlet.GenericServlet.init(GenericServlet.java:158) > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > > at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > > at java.lang.reflect.Method.invoke(Method.java:606) > > > at > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > > at > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > > at java.security.AccessController.doPrivileged(Native Method) > > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > > > at > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > > at > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > > at > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > > > at > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > > > at > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > > > at > > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > > > at > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > > > at > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > > > at > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > > > at > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > > at > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > > at > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > > at > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > > at java.security.AccessController.doPrivileged(Native Method) > > > at > > 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > > > at > > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > > at > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > > > at > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > > > at > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > > at java.lang.Thread.run(Thread.java:745) > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > SignedAuditEventFactory: create() > > message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] > > self tests execution (see selftests.log for details) > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > CMSEngine.shutdown() > > > > > > > > > I am currently stuck here. > > > Thanks a lot for your help. > > > > I'm guessing at least one of the CA subsystem certificates are > > still > > expired. Look at the "getcert list" output to see if there are any > > expired certificates. 
> > > > rob > > > > > > > > Bertrand > > > > > > > > > > Hello Rob, > > > > I check on my 2 servers and no certificate is expired > > > > [root at sdkipa03 ~]# getcert list |grep expire > > expires: 2018-06-22 22:02:26 UTC > > expires: 2018-06-22 22:02:47 UTC > > expires: 2034-07-09 15:24:34 UTC > > expires: 2016-10-30 13:35:29 UTC > > > > [root at sdkipa01 conf]# getcert list |grep expire > > expires: 2018-06-12 23:38:01 UTC > > expires: 2018-06-12 23:37:41 UTC > > expires: 2018-06-11 22:53:57 UTC > > expires: 2018-06-11 22:55:50 UTC > > expires: 2018-06-11 22:57:47 UTC > > expires: 2034-07-09 15:24:34 UTC > > expires: 2018-06-11 22:59:55 UTC > > > > I see that one certificate is in status: CA_UNREACHABLE, maybe I > > reboot to soon my server... > > > > I continue to investigate > > > > Thanks for your help. > > Bertrand > > > > I fix my previous issue. > > Now I have an issue with a server. > > This server can not start pki-tomcatd, I get this error in debug file: > > "Error netscape.ldap.LDAPExceptio n: IO Error creating JSS SSL Socket (-1)" > > > > After investigation i see that I do not have "ipaCert" certificat in > > "/etc/httpd/alias" > > cf below command: > > > > [root at sdkipa03 ~]# getcert list -d /etc/httpd/alias > > Number of certificates and requests being tracked: 4. 
> > Request ID '20141110133632': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=A.SKINFRA.EU > > subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU > > expires: 2018-06-22 22:02:47 UTC > > principal name: HTTP/sdkipa03.skinfra.eu at A.SKINFRA.EU > > key usage: > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > > track: yes > > auto-renew: yes > > > > > > How can I add the certificate to /etc/httpd/alias? > > > Hi, > for the record, the command getcert list that you supplied shows the > certificates in /etc/httpd/alias that are tracked by certmonger. If you > want to display all the certificates contained in /etc/httpd/alias > (whether tracked or not), then you may want to use certutil -L -d > /etc/httpd/alias instead. > If ipaCert is missing, you can export ipaCert certificate from another > master, then import it to your server. > On a master containing the cert: > # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt > Then copy the file /tmp/newRAcert.crt to your server and import the cert: > # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt > -t u,u,u > And finally you need to tell certmonger to monitor the cert using > getcert start-tracking. > Hope this helps, > Flo. > > Thanks fo ryour support. > > Regards > > Bertrand > > > > > > Hi, Florence, thanks for your help. I was able to import correctly ipaCert with your commands. 
Now it seems that I also have an issue on one server with "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get below error when pki-tomcat try to start LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket ( -1) Is there a way to restore a correct "subsystemCert cert-pki-ca"? Regards Bertrand -------------- next part -------------- An HTML attachment was scrubbed... URL: From gjn at gjn.priv.at Tue Oct 25 17:38:37 2016 From: gjn at gjn.priv.at (=?ISO-8859-1?Q?G=FCnther_J=2E?= Niederwimmer) Date: Tue, 25 Oct 2016 19:38:37 +0200 Subject: [Freeipa-users] Replica Problem (Errors) In-Reply-To: <580F784C.7010602@redhat.com> References: <5871092.HDg4xTobpa@techz> <2153983.bU9YpENNS3@techz> <580F784C.7010602@redhat.com> Message-ID: <2331613.8lmPAjFlzN@techz> Hello Ludwig, Thanks for the help. Am Dienstag, 25. Oktober 2016, 17:20:44 schrieb Ludwig Krispenz: > On 10/25/2016 04:41 PM, G?nther J. Niederwimmer wrote: > > Hello Ludwig, > > > > Thanks for the answer and help, > >>>> - attrlist_replace errors: looks like you have recreated a replica on a > >>>> machine and not cleaned the RUV, please see: > >>>> http://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records > >>> > >>> I don't have add or remove a replica ? this two servers running now I > >>> mean > >>> over three month ? > >> > >> that is strange, could you perform step 1] and 2] of this recipe: > >> https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html > >> but add the option "-o ldif-wrap=no" to the ldapsearch to get the full > >> ruv > > > > OK. 
> > The first is > > > > ipa-csreplica-manage list > > Directory Manager password: > > > > ipa.example.com: master > > ipa1.example.com: master > > > > The second is: > > nsDS5ReplicaId: 96 > > nsds50ruv: {replicageneration} 5706b1a3000000600000 > > nsds50ruv: {replica 96 ldap://ipa.example.com:389} 5706b1ab000000600000 > > 580f6a5f000000600000 > > nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 5714ad010000005b0000 > > 575c65140005005b0000 > > nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 5706b1bd000000610000 > > 570803a9000000610000 > you should do the same search on ipa1, it looks like you have to > replicaids: 91 and 97 for the sane server: ipa1.example.com > from the timestamps in the RUV I think you recreated the instance on > ipa1 between Apr,8th and Apr,18th and since then have this in teh RUV. > but it looks like changes on ipa1 for the o=ipaca suffix are rare (ruv > output from ipa1 would tell more) and maybe missed the error messages so > far. but I don't remember to recreate ipa1 ? But it could be, I have a Error on creating the Replica (?). OK, ipa1 is this nsDS5ReplicaId: 91 nsds50ruv: {replicageneration} 5706b1a3000000600000 nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 5714ad010000005b0000 575c65140005005b0000 nsds50ruv: {replica 96 ldap://ipa.example.com:389} 5706b1ab000000600000 580f6a5f000000600000 nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 5706b1bd000000610000 570803a9000000610000 > I would suggest you follow the next steps in the doc abou cleaning the > no longer active replicaID from the ruv OK, I test it out and hope this is working ! But for me it is not really understandable why this is created ? > > The domain is changed !! > > > >>> The last I remember I add a 3rd Party Certificate ? > >>> > >>> but I don't found before so much Errors :-(. > >>> > >>> Is there a possible way to check a freeIPA Installation, to find out for > >>> a > >>> "normal" user to have a consistent System ? 
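Ludwig's reading of the RUV above (two replica IDs for ipa1, and the CSN timestamps bracketing the recreation) can be done mechanically. The script below is an added example, not code from this thread or from FreeIPA/389-ds: it parses the nsds50ruv lines Günther posted (copied inline), decodes the CSN timestamp using the standard 389-ds CSN layout (8 hex chars of Unix seconds, then sequence, replica ID and sub-sequence), and reports the stale replica ID for any host that carries more than one.

```python
"""Spot a stale replica ID in a 389-ds RUV, as in the thread above.

Added example, not from the thread or from FreeIPA/389-ds. The CSN layout
assumed here (first 8 hex chars = Unix seconds, then 4 hex sequence,
4 hex replica ID, 4 hex sub-sequence) is the standard 389-ds format.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# The o=ipaca RUV as posted above (copied from the thread, not constructed).
RUV_LDIF = """\
nsDS5ReplicaId: 96
nsds50ruv: {replicageneration} 5706b1a3000000600000
nsds50ruv: {replica 96 ldap://ipa.example.com:389} 5706b1ab000000600000 580f6a5f000000600000
nsds50ruv: {replica 91 ldap://ipa1.example.com:389} 5714ad010000005b0000 575c65140005005b0000
nsds50ruv: {replica 97 ldap://ipa1.example.com:389} 5706b1bd000000610000 570803a9000000610000
"""

RUV_RE = re.compile(
    r"nsds50ruv:\s*\{replica\s+(?P<rid>\d+)\s+ldap://(?P<host>[^:/]+):\d+\}"
    r"\s+(?P<min>[0-9a-f]{20})(?:\s+(?P<max>[0-9a-f]{20}))?"
)


def csn_time(csn):
    """UTC datetime encoded in the first 8 hex chars of a CSN."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)


def parse_ruv(text):
    """Return {replica_id: (host, min_csn, max_csn)} from nsds50ruv lines.

    The {replicageneration} line and non-RUV attributes are ignored; a
    replica element with only one CSN is treated as min == max.
    """
    entries = {}
    for line in text.splitlines():
        m = RUV_RE.match(line.strip())
        if m:
            entries[int(m["rid"])] = (m["host"], m["min"], m["max"] or m["min"])
    return entries


def stale_replica_ids(entries):
    """For every host that owns several replica IDs, report all but the
    one whose last change (max CSN) is newest.

    Returns a sorted list of (replica_id, host, last_change_date_utc).
    """
    by_host = defaultdict(list)
    for rid, (host, _lo, hi) in entries.items():
        by_host[host].append((hi, rid))
    stale = []
    for host, ids in by_host.items():
        if len(ids) < 2:
            continue
        ids.sort()                    # CSNs sort chronologically as hex strings
        for hi, rid in ids[:-1]:      # everything but the newest is stale
            stale.append((rid, host, csn_time(hi).date().isoformat()))
    return sorted(stale)


if __name__ == "__main__":
    for rid, host, last in stale_replica_ids(parse_ruv(RUV_LDIF)):
        print(f"replica {rid} on {host}: last change {last}; "
              f"candidate for cleanup per the Obsolete_RUV_records page")
```

On the posted RUV this flags replica 97 on ipa1.example.com with its last change on 2016-04-08, while replica 91's first CSN decodes to 2016-04-18, which is exactly the window Ludwig named.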
>>>>
>>>>> - keep-alive already exists: this is also an indication of a new
>>>>> replica, the keep alive entry was in the database, but the supplier
>>>>> tries to send it again, this should also disappear once some real
>>>>> changes from replica 4 are replicated
>>>>>
>>>>>> but now I have on the changed master these 100... errors
>>>>>>
>>>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396504 (rc: 32)
>>>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396505 (rc: 32)
>>>>>> [23/Oct/2016:13:27:58 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 396506 (rc: 32)
>>>>>> [23/Oct/2016:13:37:08 +0200] NSMMReplicationPlugin - replication keep alive entry already exists
>>>>>>
>>>>>> and on the replica (master) these 1000.... errors
>>>>>>
>>>>>> [23/Oct/2016:13:42:50 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 240846 (rc: 32)
>>>>>>
>>>>>> What is wrong with my changes, or do I have to add my changes also on the replicas?
>>>>>>
>>>>>> Thanks for an answer,

-- 
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From fdinoto at gmail.com Tue Oct 25 18:02:44 2016
From: fdinoto at gmail.com (Fil Di Noto)
Date: Tue, 25 Oct 2016 11:02:44 -0700
Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?
In-Reply-To: <20161025045524.GI3554@dhcp-40-8.bne.redhat.com>
References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> <20161025045524.GI3554@dhcp-40-8.bne.redhat.com>
Message-ID:

On Mon, Oct 24, 2016 at 9:55 PM, Fraser Tweedale wrote:
> On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote:
>> On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote:
>>> On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote:
>>>> Hello,
>>>>
>>>> I would like to better understand why IPA requires SAN (subject alternative
>>>> name) entries to have a backing host record. In order to sign a certificate
>>>> with a SAN that corresponded to a user friendly CNAME I had to add a host
>>>> record (ipa host) for that DNS name (use force option to create without an
>>>> A/AAAA record) as well as a service principal.
>>>>
>>>> I'm sure I'm not alone when I say I don't like doing that because it means
>>>> that a "Host" in FreeIPA is not a computer, it's a host record that may or
>>>> may not be the only record that corresponds to a computer. It gets
>>>> confusing.
>>>>
>>>> I assume things are this way to ensure integrity at some level. But I can't
>>>> picture it. What is the potential danger of simply bypassing the
>>>> host/principal checks and just signing the certificate with whatever SAN
>>>> field we like?
>>>>
>>> In this specific case, it is because certmonger requests service
>>> certificates with host credentials. Therefore it is not just human
>>> administrators issuing certs. And we MUST validate SAN against
>>> information in the directory (the only "source of truth" available
>>> to the CA / IPA cert-request command). Otherwise you could put e.g.
>>> `google.com' into SAN, and we would issue the cert, and that would
>>> be Very Bad.
>>>
>>
>> In my case it's always human administrators issuing certs. I can see
>> how validation is a great way to prevent a scenario like the one you
>> described. But couldn't that be accommodated by tinkering with the
>> roles/privileges so that you could impose the restriction on external,
>> less-trusted applications but allow a trusted human administrator to
>> bypass it?
>>
>> Admin group by default would be nice. It would be unfortunate if
>> someone added a service account to the admin group, but I don't see
>> that as justification for ruling it out. How many other poor security
>> decisions has someone made already before they decided to add a
>> service account to the domain admin group? To that I would say that
>> degree of administrative negligence is not something that the project
>> should design around. But, I don't work at RedHat and I don't have to
>> take the support calls so my opinion means nothing.
>>
>> But if I'm an admin, enforcing the SAN restriction doesn't prevent me
>> from doing anything I couldn't already do by creating a couple host
>> records. It's just making things difficult for admins who ultimately
>> are securely deploying a service.
>>
> The question is not really one of privilege, but sanity. FreeIPA
> has to make sure that certs issued by it correspond to the CA's view
> of reality, i.e. what is in the FreeIPA directory, at the time the
> request is made. IMO to disable these checks for human users with a
> particular permission is a mistake waiting to happen.
>
> Yes, enforcing the restriction forces a human to create the
> needed objects before the cert request will be considered valid.
> Not a bad thing, IMO.

Help me understand. Assuming that the SANs in the CSR are
valid/intended/non-malicious, can you give me an example scenario
where sanity becomes a problem? Is IPA going to examine the cert at
some point in the future and get confused when it doesn't recognize
the entries in the SAN field?

In my imagination, I see IPA for whatever reason come across a cert
it signed in the past and decide it needs to compare the SAN to the
directory. Then it sees the SAN doesn't have an associated principal
in the directory. Who does IPA trust? (the directory obviously). IPA
says, "is this SAN in the directory? No. Did I sign the cert? Yes.
Should I trust the cert? Yes because I signed it."

I've got a hundred related questions, but maybe an example would help
me answer them myself.

> All this said, I think there is a valid RFE in allowing Kerberos
> principal aliases to be consulted when validating a CSR. This would
> mean you do not have to create new objects, just add more principal
> names to the existing one. I filed a ticket:
>
> https://fedorahosted.org/freeipa/ticket/6432
>
> Alexander, Simo, what do you think?
>
>
>>> The problem is slightly exacerbated in that 99% of the time you
>>> really want to issue service certs, but FreeIPA does not permit the
>>> creation of a service entry without a corresponding host entry. So
>>> you end up with spurious host entries that do not correspond to
>>> actual hosts. I have previously asked about relaxing this
>>> restriction. The idea was rejected (for reasons I don't remember).
>>
>> To be fair, I don't think I ever read specifically that a Host in IPA
>> was supposed to represent a single computer. But I imagine that the
>> majority of people who are using it thought that was the case, at
>> least at first. I don't think it would take much abstraction to
>> maintain that logical representation for administrators.
>>
>>>> If this actually is a necessity and is not likely to change, I think it
>>>> would be beneficial to administrators to be able to manage "Hosts" that
>>>> correspond to CNAMEs (call them "Alias Hosts"?) separately from Hosts that
>>>> are actually enrolled computers. They could be managed in a similar fashion
>>>> to SUDO rules, like maybe:
>>>>
>>>> Alias Hosts = a single name
>>>> Alias Host Groups = groups of names
>>>> Alias Host Maps = associate Alias Host/Group with Hosts or Host Groups
>>>>
>>>> I'm picturing Alias Hosts and Alias groups as a separate tab under Identity
>>>> (and some corresponding "ipa aliashost-*" CLI) and Alias Host Maps tab
>>>> under policy.
>>>>
>>> Now that we have kerberos principal aliases, we might be able to
>>> leverage that, perhaps even directly for service principals. Any
>>> devs want to chime in on this idea?
>>>
>>> Cheers,
>>> Fraser

From redbranchwarrior at gmail.com Tue Oct 25 19:16:52 2016
From: redbranchwarrior at gmail.com (Matthew Carter)
Date: Tue, 25 Oct 2016 15:16:52 -0400
Subject: [Freeipa-users] Can't login with on client after password-auth modification
Message-ID: <5314b7ed-f42b-748b-f723-3bb3656c663c@gmail.com>

So a Gov't STIG has had me add to /etc/pam.d/password-auth:

auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
account required pam_faillock.so

So that it looks like this:

auth required pam_env.so
auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

and now IPA users get a permission denied. Local users can still log in.

I'm not even sure where to start . . .

Thanks for any hints and help!
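The stack above is the one Alexander Bokovoy diagnoses in his reply below: it has no pam_sss.so at all, so sssd (and therefore IPA) is never consulted. As an added example, not part of either message, the checker below encodes his two points, pam_sss.so present in both auth and account, and in auth sitting between pam_faillock.so preauth and pam_faillock.so authfail; BROKEN is the stack as posted, FIXED is the usual authconfig layout with sssd and is my assumption, not text from the thread.

```python
"""Lint a PAM password-auth stack for the mistake in this thread.

Added example, not from the thread. check_stack() returns findings;
an empty list means the stack satisfies both rules Alexander gives.
"""

# The stack exactly as posted above (no pam_sss.so anywhere).
BROKEN = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
"""

# Assumed corrected stack (standard authconfig layout with sssd, not from
# the thread): pam_sss.so wrapped by faillock preauth/authfail in auth,
# and present in account so IPA account policy is evaluated too.
FIXED = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""


def parse_stack(text):
    """Return [(type, module, args)] for each rule line.

    The control field is skipped: bracketed controls such as
    [default=bad success=ok] contain spaces, so the module is taken as
    the first token ending in '.so' after the type.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        mod_idx = next(i for i, t in enumerate(tokens) if t.endswith(".so"))
        rules.append((tokens[0], tokens[mod_idx], tokens[mod_idx + 1:]))
    return rules


def check_stack(text):
    """Findings for the two rules from the thread; [] means the stack passes."""
    rules = parse_stack(text)
    auth = [(m, a) for t, m, a in rules if t == "auth"]
    account = [m for t, m, _a in rules if t == "account"]
    findings = []

    def position(module, arg=None):
        for i, (m, a) in enumerate(auth):
            if m == module and (arg is None or arg in a):
                return i
        return None

    sss = position("pam_sss.so")
    preauth = position("pam_faillock.so", "preauth")
    authfail = position("pam_faillock.so", "authfail")

    if sss is None:
        findings.append("auth: no pam_sss.so, so IPA/sssd passwords are never checked")
    else:
        if preauth is None or preauth > sss:
            findings.append("auth: pam_faillock.so preauth must precede pam_sss.so")
        if authfail is None or authfail < sss:
            findings.append("auth: pam_faillock.so authfail must follow pam_sss.so")
    if "pam_sss.so" not in account:
        findings.append("account: no pam_sss.so, so IPA account policy is not evaluated")
    return findings


if __name__ == "__main__":
    for name, stack in (("posted", BROKEN), ("fixed", FIXED)):
        print(name, check_stack(stack) or ["ok"])
```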
/R Matthew From abokovoy at redhat.com Tue Oct 25 19:34:52 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 25 Oct 2016 22:34:52 +0300 Subject: [Freeipa-users] Can't login with on client after password-auth modification In-Reply-To: <5314b7ed-f42b-748b-f723-3bb3656c663c@gmail.com> References: <5314b7ed-f42b-748b-f723-3bb3656c663c@gmail.com> Message-ID: <20161025193452.3vc3wgkw5ftz3emn@redhat.com> On ti, 25 loka 2016, Matthew Carter wrote: >So a Gov't STIG has had me add to /etc/pam.d/password-auth: > >auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 >fail_interval=900 >auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 >fail_interval=900 >account required pam_faillock.so > >So that it looks like this: > >auth required pam_env.so >auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 >auth sufficient pam_unix.so nullok try_first_pass >auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 >auth requisite pam_succeed_if.so uid >= 500 quiet >auth required pam_deny.so > >account required pam_faillock.so >account required pam_unix.so >account sufficient pam_localuser.so >account sufficient pam_succeed_if.so uid < 500 quiet >account required pam_permit.so > >and now IPA users get a permission denied. Local users can still log in. > >I'm not even sure where to start . . . You don't have pam_sss.so anywhere so any IPA password check could not be done, only pam_unix.so which checks /etc/passwd or /etc/shadow. Then you'd need to wrap pam_sss use in 'auth' with pam_faillock.so too: pam_faillock.so preauth pam_sss.so .... 
pam_faillock.so authfail -- / Alexander Bokovoy From redbranchwarrior at gmail.com Tue Oct 25 20:05:16 2016 From: redbranchwarrior at gmail.com (Matthew Carter) Date: Tue, 25 Oct 2016 16:05:16 -0400 Subject: [Freeipa-users] Can't login with on client after password-auth modification In-Reply-To: <20161025193452.3vc3wgkw5ftz3emn@redhat.com> References: <5314b7ed-f42b-748b-f723-3bb3656c663c@gmail.com> <20161025193452.3vc3wgkw5ftz3emn@redhat.com> Message-ID: Works perfectly now! Thank you! On 10/25/2016 03:34 PM, Alexander Bokovoy wrote: > pam_faillock.so preauth From ftweedal at redhat.com Tue Oct 25 23:31:24 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 26 Oct 2016 09:31:24 +1000 Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA? In-Reply-To: References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> <20161025045524.GI3554@dhcp-40-8.bne.redhat.com> Message-ID: <20161025233124.GM3554@dhcp-40-8.bne.redhat.com> On Tue, Oct 25, 2016 at 11:02:44AM -0700, Fil Di Noto wrote: > On Mon, Oct 24, 2016 at 9:55 PM, Fraser Tweedale wrote: > > On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: > >> On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote: > >> > On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote: > >> >> Hello, > >> >> > >> >> > >> >> > >> >> I would like to better understand why IPA requires SAN (subject alternative > >> >> name) entries to have a backing host record. In order to sign a certificate > >> >> with a SAN that corresponded to a user friendly CNAME I had to add a host > >> >> record (ipa host) for that DNS name (use force option to create without an > >> >> A/AAAA record) as well as a service principle. > >> >> > >> >> > >> >> > >> >> I'm sure I'm not alone when I say I don't like doing that because it means > >> >> that a "Host" in FreeIPA is not a computer, it's a host record that may or > >> >> may not be the only record that corresponds to a computer. It gets > >> >> confusing. 
> >> >>
> >> >> I assume things are this way to ensure integrity at some level. But I can't
> >> >> picture it. What is the potential danger of simply bypassing the
> >> >> host/principal checks and just signing the certificate with whatever SAN
> >> >> field we like?
> >> >>
> >> > In this specific case, it is because certmonger requests service
> >> > certificates with host credentials. Therefore it is not just human
> >> > administrators issuing certs. And we MUST validate SAN against
> >> > information in the directory (the only "source of truth" available
> >> > to the CA / IPA cert-request command). Otherwise you could put e.g.
> >> > `google.com' into SAN, and we would issue the cert, and that would
> >> > be Very Bad.
> >> >
> >>
> >> In my case it's always human administrators issuing certs. I can see
> >> how validation is a great way to prevent a scenario like the one you
> >> described. But couldn't that be accommodated by tinkering with the
> >> roles/privileges so that you could impose the restriction on external,
> >> less-trusted applications but allow a trusted human administrator to
> >> bypass it?
> >>
> >> Admin group by default would be nice. It would be unfortunate if
> >> someone added a service account to the admin group, but I don't see
> >> that as justification for ruling it out. How many other poor security
> >> decisions has someone made already before they decided to add a
> >> service account to the domain admin group? To that I would say that
> >> degree of administrative negligence is not something that the project
> >> should design around. But, I don't work at RedHat and I don't have to
> >> take the support calls so my opinion means nothing.
> >>
> >> But if I'm an admin, enforcing the SAN restriction doesn't prevent me
> >> from doing anything I couldn't already do by creating a couple host
> >> records. It's just making things difficult for admins who ultimately
> >> are securely deploying a service.
> >>
> > The question is not really one of privilege, but sanity. FreeIPA
> > has to make sure that certs issued by it correspond to the CA's view
> > of reality, i.e. what is in the FreeIPA directory, at the time the
> > request is made. IMO to disable these checks for human users with a
> > particular permission is a mistake waiting to happen.
> >
> > Yes, enforcing the restriction forces a human to create the
> > needed objects before the cert request will be considered valid.
> > Not a bad thing, IMO.
>
> Help me understand. Assuming that the SAN in the CSR are
> valid/intended/non-malicious, can you give me an example scenario
> where sanity becomes a problem? Is IPA going to examine the cert at
> some point in the future and get confused when it doesn't recognize
> the entries in the SAN field?
>
> In my imagination, I see IPA for whatever reason comes across a cert
> it signed in the past and decides it needs to compare the SAN to the
> directory. Then it sees the SAN doesn't have an associated principal
> in the directory. Who does IPA trust? (the directory obviously). IPA
> says, "is this SAN in the directory? No. Did I sign the cert? Yes.
> Should I trust the cert? Yes because I signed it."
>
> I've got a hundred related questions, but maybe an example would help
> me answer them myself.
>
A CA must ensure that the assertions it makes have some relationship
to (its view of) reality. If it issues a cert with `google.com' in
the SAN, the holder of the key can pretend to be `google.com' to
anyone who trusts the CA. If `alice' tricks an admin into issuing a
cert with `bob at example.com' as a SAN rfc822Name, then alice can
pretend to be Bob.

Entities consuming these certs do not necessarily have access to the
IPA directory to check if the data on the cert makes sense - they
will simply trust whatever assertions are in the cert.

IMO there is no good reason to skip any of these checks. But w.r.t.
multiple DNS names on a cert, we can make it less burdensome than it
currently is (as discussed in the other branch of this thread).

We have plans for "request queues" where requests can be enqueued and
assessed by (presumably human) agents. If/when this gets implemented,
there *might* be scope for relaxing some of the checks we currently
perform. The design page is:
http://www.freeipa.org/page/V4/Certificate_Request_Queues. Do you
want to contribute? :)

HTH,
Fraser

> >
> > All this said, I think there is a valid RFE in allowing Kerberos
> > principal aliases to be consulted when validating a CSR. This would
> > mean you do not have to create new objects, just add more principal
> > names to the existing one. I filed a ticket:
> >
> > https://fedorahosted.org/freeipa/ticket/6432
> >
> > Alexander, Simo, what do you think?
> >
> >
> >> > The problem is slightly exacerbated in that 99% of the time you
> >> > really want to issue service certs, but FreeIPA does not permit the
> >> > creation of a service entry without a corresponding host entry. So
> >> > you end up with spurious host entries that do not correspond to
> >> > actual hosts. I have previously asked about relaxing this
> >> > restriction. The idea was rejected (for reasons I don't remember).
> >>
> >> To be fair, I don't think I ever read specifically that a Host in IPA
> >> was supposed to represent a single computer. But I imagine that the
> >> majority of people who are using it thought that was the case, at
> >> least at first. I don't think it would take much abstraction to
> >> maintain that logical representation for administrators.
> >>
> >> >> If this actually is a necessity and is not likely to change, I think it
> >> >> would be beneficial to administrators to be able to manage "Hosts" that
> >> >> correspond to CNAMEs (call them "Alias Hosts"? ) separately from Hosts that
> >> >> are actually enrolled computers. They could be managed in a similar fashion
> >> >> to SUDO rules, like maybe:
> >> >>
> >> >> Alias Hosts = a single name
> >> >> Alias Host Groups = groups of names
> >> >> Alias Host Maps = associate Alias Host/Group with a Hosts or Host Groups
> >> >>
> >> >> I'm picturing Alias Hosts and Alias groups as a separate tab under Identity
> >> >> (and some corresponding "ipa aliashost-*" CLI) and Alias Host Maps tab
> >> >> under policy.
> >> >>
> >> > Now that we have kerberos principal aliases, we might be able to
> >> > leverage that, perhaps even directly for service principals. Any
> >> > devs want to chime in on this idea?
> >> >
> >> > Cheers,
> >> > Fraser

From david.dejaeghere at gmail.com Wed Oct 26 11:43:09 2016
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Wed, 26 Oct 2016 13:43:09 +0200
Subject: [Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch
In-Reply-To: 
References: 
Message-ID: 

Does anybody have a clue on how to continue with this?

Kind Regards,

David

2016-10-24 10:10 GMT+02:00 David Dejaeghere :
> These are both the subjects for the old and new root ca cert.
>
> Subject: "CN=tokio-PAPRIKA-CA,DC=tokio,DC=local"
> Subject Public Key Info:
> Public Key Algorithm: PKCS #1 RSA Encryption
> RSA Public Key:
> Modulus:
> d5:51:19:a0:7e:2f:b6:4b:cb:71:42:cb:38:bc:50:0a:
> 18:16:58:07:11:c6:d3:ea:66:91:a8:52:02:54:93:28:
> 78:a1:89:36:7a:0f:1e:2a:35:8a:da:85:05:c4:fe:de:
> e8:6a:e8:fd:1b:89:44:8f:8c:62:d6:56:f7:9e:16:d5:
> fd:b4:44:65:71:4f:1a:7d:d6:28:2d:5e:ad:c9:da:60:
> 54:98:02:87:d9:43:62:ab:1b:93:c1:af:0b:b9:80:2e:
> 08:f0:65:46:bf:de:78:c5:d2:19:b8:07:52:d6:01:ab:
> d0:b2:7d:0a:7f:9f:fa:e8:8c:55:86:e0:d3:d5:ef:e7:
> ad:6a:12:a2:b8:75:be:93:c2:05:df:99:a9:d8:a2:cc:
> 7c:2b:49:d6:a3:65:0c:c8:ef:c3:a4:b6:f6:86:1d:c2:
> 56:56:1b:0d:70:7a:67:15:49:2f:b7:92:8e:2a:94:57:
> 53:26:ef:9a:af:89:fe:cb:1e:e7:ac:72:9a:cd:b4:22:
> b1:22:02:fd:95:23:e0:65:d0:36:e8:e1:88:2b:35:02:
> 99:1c:ee:84:10:80:84:a8:e5:61:04:6b:a3:6b:da:c5:
> 49:36:ef:f6:48:09:2c:0d:7c:b2:52:4f:a6:72:cc:e6:
> 30:b5:dd:a0:5b:0e:96:49:78:9d:1e:27:4e:02:40:a1
> Exponent: 65537 (0x10001)
>
> Subject: DC=local, DC=tokio, CN=tokio-PAPRIKA-CA
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> 00:ae:32:35:fa:b5:f4:2d:b8:0c:c3:d9:b0:9f:a8:
> 5d:21:90:58:a9:79:79:7d:85:7e:f1:f2:36:9d:ef:
> 9f:8c:a8:3a:bf:57:5c:2e:6b:5d:2e:91:ba:c6:b7:
> b2:b1:dd:45:de:e6:d4:fe:01:f4:d2:bd:99:9f:9a:
> 71:1d:d4:e4:a7:cd:9e:f3:36:a7:a0:73:55:6b:04:
> 66:ab:c3:63:b3:41:06:ac:c8:c8:3a:4c:eb:83:78:
> 6e:e8:b6:0f:94:fa:a8:7e:7d:89:44:d1:bd:be:14:
> df:0c:ce:4d:b4:e6:0a:e2:d7:84:95:4b:a1:3e:53:
> c9:04:3f:7b:de:1b:fd:7b:b5:b0:69:3b:f9:f2:b5:
> a7:fe:6d:9d:62:6e:9a:fc:1e:32:69:ad:4c:ae:e3:
> 61:dd:92:99:34:4b:bf:6b:02:88:18:88:a2:0f:ca:
> e8:6e:91:f0:e6:2e:4d:83:f6:05:7e:ed:f2:f1:3e:
> b2:36:3f:de:3f:db:93:73:5b:60:ee:8c:48:e0:c0:
> 4c:0e:6a:63:1a:16:af:9e:28:93:40:39:23:bf:d0:
> 77:9c:b7:80:d3:c3:42:d8:27:db:d7:4b:e5:3f:b4:
> d2:ad:57:c2:01:73:c8:45:26:f1:00:93:50:3e:cf:
> 7a:2d:25:d5:43:b6:a7:75:a1:ef:58:f9:c9:11:e8:
> 09:1d
> Exponent: 65537 (0x10001)
>
> 2016-10-24 5:49 GMT+02:00 Fil Di Noto :
>
>> Hi,
>>
>> Can you give an example of what's different between the two subjects?
>>
>> On Sun, Oct 23, 2016 at 9:03 AM, David Dejaeghere <
>> david.dejaeghere at gmail.com> wrote:
>>
>>> Does somebody have an idea how to replace our certificates when the new
>>> ROOT ca certificate has a different subject?
>>> The UI is down because of this.
>>>
>>> 2016-10-19 11:42 GMT+02:00 David Dejaeghere
>>> :
>>>
>>>> Hello,
>>>>
>>>> When installing FreeIPA we used the CA from our Windows servers.
>>>> This one recently expired and we created a new one. It seems that the
>>>> new root CA has another subject name and this seems to be an issue when we
>>>> want to install new certs on our FreeIPA hosts.
>>>>
>>>> ipa-cacert-manage install certnew.pem -n mycert -t C,,
>>>>
>>>> Installing CA certificate, please wait
>>>> Failed to install the certificate: subject public key info mismatch
>>>>
>>>> After validating the subjects are indeed different.
>>>>
>>>> How can we replace the required certs for dirsrv and http when the ca
>>>> is not installable?
>>>>
>>>> Kind Regards,
>>>>
>>>> David
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project

From jochen at winteltosh.de Wed Oct 26 12:28:10 2016
From: jochen at winteltosh.de (Jochen Demmer)
Date: Wed, 26 Oct 2016 14:28:10 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
Message-ID: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de>

Hi,

I've been running and using a single FreeIPA server successfully, i.e.:
Fedora 24
freeipa-server-4.3.2-2.fc24.x86_64
This server is only available via IPv6, because I can't get public IPv4 addresses no more.
Now I want to setup a FreeIPA replica at another site also running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
First I run "ipa-client-install" which succeeds without an error.
When I invoke "ipa-replica-install" I get this error:
ipa : ERROR Could not resolve hostname *hostname.mydoma.in* using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
LOG:
2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for *hostname.mydoma.in*

*hostname.mydoma.in* is actually the DNS entry for the old FreeIPA server, which actually resolves, but only to an IPv6 address of course.
I can continue the installation though by entering "yes".

I then get asked:
Enter the IP address to use, or press Enter to finish.
Please provide the IP address to be used for this host name:

When I enter the IPv6 address of the new replica host it doesn't accept but infinitely asks this question instead.

Honestly, I can't see what I might have done wrong.
Old FreeIPA hostname is in sync with forward and reverse record.
New FreeIPA host as well has a hostname that symmetrically resolves, even though the hostname is using another second level domain.

Any hints?
Jochen Demmer

From mbasti at redhat.com Wed Oct 26 13:38:13 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 26 Oct 2016 15:38:13 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de>
Message-ID: <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com>

Hi, comments inline

On 26.10.2016 14:28, Jochen Demmer wrote:
> Hi,
>
> I've been running and using a single FreeIPA server successfully, i.e.:
> Fedora 24
> freeipa-server-4.3.2-2.fc24.x86_64
> This server is only available via IPv6, because I can't get public
> IPv4 addresses no more.
>
> Now I want to setup a FreeIPA replica at another site also running
> IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
> First I run "ipa-client-install" which succeeds without an error.
> When I invoke "ipa-replica-install" I get this error:
> ipa : ERROR Could not resolve hostname *hostname.mydoma.in*
> using DNS. Clients may not function properly. Please check your DNS
> setup. (Note that this check queries IPA DNS directly and ignores
> /etc/hosts.)
> LOG:
> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
> *hostname.mydoma.in*

Can you check with dig or host command if the hostname is really
resolvable on that machine? do you have proper resolver in
/etc/resolv.conf?

>
> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
> server, which actually resolves, but only to an IPv6 address of course.
> I can continue the installation though by entering "yes".
>
> I then get asked:
> Enter the IP address to use, or press Enter to finish.
> Please provide the IP address to be used for this host name:
>
> When I enter the IPv6 address of the new replica host it doesn't
> accept but infinitely asks this question instead.

Have you pressed enter twice? It should end the prompt and continue with
the installation

>
> Honestly, I can't see what I might have done wrong.
> Old FreeIPA hostname is in sync with forward and reverse record.
> New FreeIPA host as well has a hostname that symmetrically resolves,
> even though the hostname is using another second level domain.
>
> Any hints?
> Jochen Demmer
>
>

Martin

From michael at stroeder.com Wed Oct 26 14:00:26 2016
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 26 Oct 2016 16:00:26 +0200
Subject: [Freeipa-users] container for custom objects
Message-ID: 

HI!

I'd like to add some custom entries (custom STRUCTURAL object class) to FreeIPA
tree in 389-DS. But I'd like to make sure that there won't be any issues when
upgrading the system later on.

So where to add a container for those custom objects?
At top-level domain entry?

BTW: Is there documentation describing the DIT in detail?

Ciao, Michael.

From jochen at winteltosh.de Wed Oct 26 14:10:36 2016
From: jochen at winteltosh.de (Jochen Demmer)
Date: Wed, 26 Oct 2016 16:10:36 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com>
Message-ID: <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de>

Hi,

my answers also inline.

Am 26.10.2016 um 15:38 schrieb Martin Basti:
>
> Hi, comments inline
>
>
> On 26.10.2016 14:28, Jochen Demmer wrote:
>> Hi,
>>
>> I've been running and using a single FreeIPA server successfully, i.e.:
>> Fedora 24
>> freeipa-server-4.3.2-2.fc24.x86_64
>> This server is only available via IPv6, because I can't get public
>> IPv4 addresses no more.
>>
>> Now I want to setup a FreeIPA replica at another site also running
>> IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>> First I run "ipa-client-install" which succeeds without an error.
>> When I invoke "ipa-replica-install" I get this error:
>> ipa : ERROR Could not resolve hostname
>> *hostname.mydoma.in* using DNS. Clients may not function properly.
>> Please check your DNS setup. (Note that this check queries IPA DNS
>> directly and ignores /etc/hosts.)
>> LOG:
>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
>> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
>> *hostname.mydoma.in*
>
> Can you check with dig or host command if the hostname is really
> resolvable on that machine? do you have proper resolver in
> /etc/resolv.conf?
There is a resolver given in /etc/resolv.conf. When I do "host <>" I get
the right IPv6 back.
>
>>
>> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
>> server, which actually resolves, but only to an IPv6 address of course.
>> I can continue the installation though by entering "yes".
>>
>> I then get asked:
>> Enter the IP address to use, or press Enter to finish.
>> Please provide the IP address to be used for this host name:
>>
>> When I enter the IPv6 address of the new replica host it doesn't
>> accept but infinitely asks this question instead.
>
> Have you pressed enter twice? It should end the prompt and continue with
> the installation
Enter without an IP -> No usable IP address provided nor resolved.
Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot use IP network address 2a02:1:2:3::4
>
>>
>> Honestly, I can't see what I might have done wrong.
>> Old FreeIPA hostname is in sync with forward and reverse record.
>> New FreeIPA host as well has a hostname that symmetrically resolves,
>> even though the hostname is using another second level domain.
>>
>> Any hints?
>> Jochen Demmer
>>
>>
>
> Martin

Jochen

From mbasti at redhat.com Wed Oct 26 14:27:12 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 26 Oct 2016 16:27:12 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de>
Message-ID: <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com>

On 26.10.2016 16:10, Jochen Demmer wrote:
> Hi,
>
> my answers also inline.
>
> Am 26.10.2016 um 15:38 schrieb Martin Basti:
>>
>> Hi, comments inline
>>
>>
>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>> Hi,
>>>
>>> I've been running and using a single FreeIPA server successfully, i.e.:
>>> Fedora 24
>>> freeipa-server-4.3.2-2.fc24.x86_64
>>> This server is only available via IPv6, because I can't get public
>>> IPv4 addresses no more.
>>>
>>> Now I want to setup a FreeIPA replica at another site also running
>>> IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>> First I run "ipa-client-install" which succeeds without an error.
>>> When I invoke "ipa-replica-install" I get this error:
>>> ipa : ERROR Could not resolve hostname
>>> *hostname.mydoma.in* using DNS. Clients may not function properly.
>>> Please check your DNS setup. (Note that this check queries IPA DNS
>>> directly and ignores /etc/hosts.)
>>> LOG:
>>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
>>> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
>>> *hostname.mydoma.in*
>>
>> Can you check with dig or host command if the hostname is really
>> resolvable on that machine?
>> do you have proper resolver in
>> /etc/resolv.conf?
> There is a resolver given in /etc/resolv.conf. When I do "host
> <>" I get the right IPv6 back.

That is weird because IPA is doing basically the same.

>>
>>>
>>> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
>>> server, which actually resolves, but only to an IPv6 address of course.
>>> I can continue the installation though by entering "yes".
>>>
>>> I then get asked:
>>> Enter the IP address to use, or press Enter to finish.
>>> Please provide the IP address to be used for this host name:
>>>
>>> When I enter the IPv6 address of the new replica host it doesn't
>>> accept but infinitely asks this question instead.
>>
>> Have you pressed enter twice? It should end the prompt and continue with
>> the installation
> Enter without an IP -> No usable IP address provided nor resolved.
> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot use
> IP network address 2a02:1:2:3::4

How do you have configured IP address on your interface? Does it have
prefix /128?

>>
>>>
>>> Honestly, I can't see what I might have done wrong.
>>> Old FreeIPA hostname is in sync with forward and reverse record.
>>> New FreeIPA host as well has a hostname that symmetrically resolves,
>>> even though the hostname is using another second level domain.
>>>
>>> Any hints?
>>> Jochen Demmer
>>>
>>>
>>
>> Martin
> Jochen
>

From rcritten at redhat.com Wed Oct 26 14:34:56 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 26 Oct 2016 16:34:56 +0200
Subject: [Freeipa-users] container for custom objects
In-Reply-To: 
References: 
Message-ID: <5810BF10.9030705@redhat.com>

Michael Ströder wrote:
> HI!
>
> I'd like to add some custom entries (custom STRUCTURAL object class) to FreeIPA
> tree in 389-DS. But I'd like to make sure that there won't be any issues when
> upgrading the system later on.
>
> So where to add a container for those custom objects?
> At top-level domain entry?

Yeah, something off dc=example,dc=com is probably the "safest" place. No
guarantees can be made.

It might make sense to file an RFE for IPA to create a container to put
custom containers into.

>
> BTW: Is there documentation describing the DIT in detail?

This is about all there is AFAIK,
http://www.freeipa.org/page/FreeIPAv1:UsingRhdsWithIpa

rob

From jochen at winteltosh.de Wed Oct 26 14:42:16 2016
From: jochen at winteltosh.de (Jochen Demmer)
Date: Wed, 26 Oct 2016 16:42:16 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com>
Message-ID: <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de>

Am 26.10.2016 um 16:27 schrieb Martin Basti:
>
>
>
> On 26.10.2016 16:10, Jochen Demmer wrote:
>> Hi,
>>
>> my answers also inline.
>>
>> Am 26.10.2016 um 15:38 schrieb Martin Basti:
>>>
>>> Hi, comments inline
>>>
>>>
>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>> Hi,
>>>>
>>>> I've been running and using a single FreeIPA server successfully, i.e.:
>>>> Fedora 24
>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>> This server is only available via IPv6, because I can't get public
>>>> IPv4 addresses no more.
>>>>
>>>> Now I want to setup a FreeIPA replica at another site also running
>>>> IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>> First I run "ipa-client-install" which succeeds without an error.
>>>> When I invoke "ipa-replica-install" I get this error:
>>>> ipa : ERROR Could not resolve hostname
>>>> *hostname.mydoma.in* using DNS. Clients may not function properly.
>>>> Please check your DNS setup. (Note that this check queries IPA DNS
>>>> directly and ignores /etc/hosts.)
>>>> LOG:
>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
>>>> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
>>>> *hostname.mydoma.in*
>>>
>>> Can you check with dig or host command if the hostname is really
>>> resolvable on that machine? do you have proper resolver in
>>> /etc/resolv.conf?
>> There is a resolver given in /etc/resolv.conf. When I do "host
>> <>" I get the right IPv6 back.
> That is weird because IPA is doing basically the same.
>
>>>
>>>>
>>>> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
>>>> server, which actually resolves, but only to an IPv6 address of course.
>>>> I can continue the installation though by entering "yes".
>>>>
>>>> I then get asked:
>>>> Enter the IP address to use, or press Enter to finish.
>>>> Please provide the IP address to be used for this host name:
>>>>
>>>> When I enter the IPv6 address of the new replica host it doesn't
>>>> accept but infinitely asks this question instead.
>>>
>>> Have you pressed enter twice? It should end the prompt and continue with
>>> the installation
>> Enter without an IP -> No usable IP address provided nor resolved.
>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot
>> use IP network address 2a02:1:2:3::4
>
> How do you have configured IP address on your interface? Does it have
> prefix /128?
Yes, that's right. It's an IP being assigned statefully by a DHCPv6 server.
There is also another dynamic IP within the same prefix having /64. I don't
want to use this one of course, because its IID changes.
>
>>>
>>>>
>>>> Honestly, I can't see what I might have done wrong.
>>>> Old FreeIPA hostname is in sync with forward and reverse record.
>>>> New FreeIPA host as well has a hostname that symmetrically resolves,
>>>> even though the hostname is using another second level domain.
>>>>
>>>> Any hints?
>>>> Jochen Demmer
>>>>
>>>>
>>>
>>> Martin
>> Jochen
>>
>

From mbasti at redhat.com Wed Oct 26 14:48:41 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 26 Oct 2016 16:48:41 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de>
Message-ID: <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com>

On 26.10.2016 16:42, Jochen Demmer wrote:
>
>
> Am 26.10.2016 um 16:27 schrieb Martin Basti:
>>
>>
>>
>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>> Hi,
>>>
>>> my answers also inline.
>>>
>>> Am 26.10.2016 um 15:38 schrieb Martin Basti:
>>>>
>>>> Hi, comments inline
>>>>
>>>>
>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>> Hi,
>>>>>
>>>>> I've been running and using a single FreeIPA server successfully,
>>>>> i.e.:
>>>>> Fedora 24
>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>> This server is only available via IPv6, because I can't get public
>>>>> IPv4 addresses no more.
>>>>>
>>>>> Now I want to setup a FreeIPA replica at another site also running
>>>>> IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>> ipa : ERROR Could not resolve hostname
>>>>> *hostname.mydoma.in* using DNS. Clients may not function properly.
>>>>> Please check your DNS setup. (Note that this check queries IPA DNS
>>>>> directly and ignores /etc/hosts.)
>>>>> LOG:
>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
>>>>> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
>>>>> *hostname.mydoma.in*
>>>>
>>>> Can you check with dig or host command if the hostname is really
>>>> resolvable on that machine? do you have proper resolver in
>>>> /etc/resolv.conf?
>>> There is a resolver given in /etc/resolv.conf. When I do "host
>>> <>" I get the right IPv6 back.
>> That is weird because IPA is doing basically the same.
>>
>>>>
>>>>>
>>>>> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA
>>>>> server, which actually resolves, but only to an IPv6 address of
>>>>> course.
>>>>> I can continue the installation though by entering "yes".
>>>>>
>>>>> I then get asked:
>>>>> Enter the IP address to use, or press Enter to finish.
>>>>> Please provide the IP address to be used for this host name:
>>>>>
>>>>> When I enter the IPv6 address of the new replica host it doesn't
>>>>> accept but infinitely asks this question instead.
>>>>
>>>> Have you pressed enter twice? It should end the prompt and continue
>>>> with the installation
>>> Enter without an IP -> No usable IP address provided nor resolved.
>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot
>>> use IP network address 2a02:1:2:3::4
>>
>> How do you have configured IP address on your interface? Does it have
>> prefix /128?
> Yes, that's right. It's an IP being assigned statefully by a DHCPv6
> server.
> There is also another dynamic IP within the same prefix having /64. I
> don't want to use this one of course, because its IID changes.
>
Could you set (temporarily) prefix for that address to /64 and re-run
installer? IPA 4.3 has a check that prevents you from using a /128 prefix

>>
>>>>
>>>>>
>>>>> Honestly, I can't see what I might have done wrong.
>>>>> Old FreeIPA hostname is in sync with forward and reverse record.
>>>>> New FreeIPA host as well has a hostname that symmetrically resolves,
>>>>> even though the hostname is using another second level domain.
>>>>>
>>>>> Any hints?
>>>>> Jochen Demmer
>>>>>
>>>>>
>>>>
>>>> Martin
>>> Jochen
>>>
>>
>

From jochen at winteltosh.de Wed Oct 26 15:25:21 2016
From: jochen at winteltosh.de (Jochen Demmer)
Date: Wed, 26 Oct 2016 17:25:21 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de> <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com>
Message-ID: <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de>

Am 26.10.2016 um 16:48 schrieb Martin Basti:
>
>
>
> On 26.10.2016 16:42, Jochen Demmer wrote:
>>
>>
>> Am 26.10.2016 um 16:27 schrieb Martin Basti:
>>>
>>>
>>>
>>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>>> Hi,
>>>>
>>>> my answers also inline.
>>>>
>>>> Am 26.10.2016 um 15:38 schrieb Martin Basti:
>>>>>
>>>>> Hi, comments inline
>>>>>
>>>>>
>>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've been running and using a single FreeIPA server successfully,
>>>>>> i.e.:
>>>>>> Fedora 24
>>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>>> This server is only available via IPv6, because I can't get
>>>>>> public IPv4 addresses no more.
>>>>>>
>>>>>> Now I want to setup a FreeIPA replica at another site also
>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>> ipa : ERROR Could not resolve hostname
>>>>>> *hostname.mydoma.in* using DNS. Clients may not function
>>>>>> properly. Please check your DNS setup. (Note that this check
>>>>>> queries IPA DNS directly and ignores /etc/hosts.)
>>>>>> LOG:
>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in*
>>>>>> (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for
>>>>>> *hostname.mydoma.in*
>>>>>
>>>>> Can you check with dig or host command if the hostname is really
>>>>> resolvable on that machine? do you have proper resolver in
>>>>> /etc/resolv.conf?
>>>> There is a resolver given in /etc/resolv.conf. When I do "host
>>>> <>" I get the right IPv6 back.
>>> That is weird because IPA is doing basically the same.
>>>
>>>>>
>>>>>>
>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old
>>>>>> FreeIPA server, which actually resolves, but only to an IPv6
>>>>>> address of course.
>>>>>> I can continue the installation though by entering "yes".
>>>>>>
>>>>>> I then get asked:
>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>> Please provide the IP address to be used for this host name:
>>>>>>
>>>>>> When I enter the IPv6 address of the new replica host it doesn't
>>>>>> accept but infinitely asks this question instead.
>>>>>
>>>>> Have you pressed enter twice? It should end the prompt and continue
>>>>> with the installation
>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot
>>>> use IP network address 2a02:1:2:3::4
>>>
>>> How do you have configured IP address on your interface? Does it
>>> have prefix /128?
>> Yes, that's right. It's an IP being assigned statefully by a DHCPv6
>> server.
>> There is also another dynamic IP within the same prefix having /64. I
>> don't want to use this one of course, because its IID changes.
>>
> Could you set (temporarily) prefix for that address to /64 and re-run
> installer? IPA 4.3 has a check that prevents you from using a /128 prefix
Well now I don't even get asked for the IP.
The setup wizard continues, but I now get this error:

[27/43]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero exit status 1). See the installation log for details.
[28/43]: setting up initial replication
[error] error: [Errno 111] Connection refused

LOG:
2016-10-26T15:14:46Z DEBUG Process finished, return code=1
2016-10-26T15:14:46Z DEBUG stdout=
2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv@MY-REALM.service failed because the control process exited with error code. See "systemctl status dirsrv@MY-REALM.service" and "journalctl -xe" for details.
2016-10-26T15:14:46Z CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero exit status 1). See the installation log for details.
2016-10-26T15:14:46Z DEBUG duration: 1 seconds
2016-10-26T15:14:46Z DEBUG [28/43]: setting up initial replication
2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):

When I try to restart manually with "/bin/systemctl restart dirsrv@MY-REALM.service" this is what systemd logs:
https://paste.fedoraproject.org/461439/raw/

>
>
>>>
>>>>>
>>>>>>
>>>>>> Honestly, I can't see what I might have done wrong.
>>>>>> Old FreeIPA hostname is in sync with forward and reverse record.
>>>>>> New FreeIPA host as well has a hostname that symmetrically
>>>>>> resolves, even though the hostname is using another second level
>>>>>> domain.
>>>>>>
>>>>>> Any hints?
>>>>>> Jochen Demmer
>>>>>>
>>>>>>
>>>>>
>>>>> Martin
>>>> Jochen
>>>>
>>>
>>
>
From mbasti at redhat.com Wed Oct 26 15:31:05 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 26 Oct 2016 17:31:05 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de>
 <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com>
 <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de>
 <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com>
 <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de>
 <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com>
 <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de>
Message-ID: <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com>

On 26.10.2016 17:25, Jochen Demmer wrote:
>
> On 26.10.2016 at 16:48, Martin Basti wrote:
>>
>> On 26.10.2016 16:42, Jochen Demmer wrote:
>>>
>>> On 26.10.2016 at 16:27, Martin Basti wrote:
>>>>
>>>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>>>> Hi,
>>>>>
>>>>> my answers also inline.
>>>>>
>>>>> On 26.10.2016 at 15:38, Martin Basti wrote:
>>>>>>
>>>>>> Hi, comments inline
>>>>>>
>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've been running and using a single FreeIPA server
>>>>>>> successfully, i.e.:
>>>>>>> Fedora 24
>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>> This server is only available via IPv6, because I can't get
>>>>>>> public IPv4 addresses no more.
>>>>>>>
>>>>>>> Now I want to setup a FreeIPA replica at another site also
>>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>>> ipa : ERROR Could not resolve hostname
>>>>>>> *hostname.mydoma.in* using DNS. Clients may not function
>>>>>>> properly. Please check your DNS setup. (Note that this check
>>>>>>> queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>> LOG:
>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server
>>>>>>> *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1',
>>>>>>> '2a01:f11:1:1::1']) for *hostname.mydoma.in*
>>>>>>
>>>>>> Can you check with dig or host command if the hostname is really
>>>>>> resolvable on that machine? do you have proper resolver in
>>>>>> /etc/resolv.conf?
>>>>> There is a resolver given in /etc/resolv.conf. When I do "host
>>>>> <>" I get the right IPv6 back.
>>>> That is weird because IPA is doing basically the same.
>>>>
>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old
>>>>>>> FreeIPA server, which actually resolves, but only to an IPv6
>>>>>>> address of course.
>>>>>>> I can continue the installation though by entering "yes".
>>>>>>>
>>>>>>> I then get asked:
>>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>
>>>>>>> When I enter the IPv6 address of the new replica host it doesn't
>>>>>>> accept but infinitely asks this question instead.
>>>>>>
>>>>>> Have you pressed enter twice? It should end prompt and continue
>>>>>> with installation
>>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot
>>>>> use IP network address 2a02:1:2:3::4
>>>>
>>>> How do you have configured IP address on your interface? Does it
>>>> have prefix /128?
>>> Yes, that's right. It's an IP being assigned statefully by a DHCPv6
>>> server.
>>> There is also another dynamic IP within the same prefix having /64.
>>> I don't want to use this one of course, because its IID changes.
>>>
>> Could you set (temporarily) prefix for that address to /64 and re-run
>> installer? IPA 4.3 has check that prevents you to use /128 prefix
> Well now I don't even get asked for the IP. The setup wizard
> continues, but I now get this error:
>
> [27/43]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero
> exit status 1). See the installation log for details.
> [28/43]: setting up initial replication
> [error] error: [Errno 111] Connection refused
>
> LOG:
> 2016-10-26T15:14:46Z DEBUG Process finished, return code=1
> 2016-10-26T15:14:46Z DEBUG stdout=
> 2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv@MY-REALM.service
> failed because the control process exited with error code. See
> "systemctl status dirsrv@MY-REALM.service" and "journalctl -xe" for
> details.
> 2016-10-26T15:14:46Z CRITICAL Failed to restart the directory server
> (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned
> non-zero exit status 1). See the installation log for details.
> 2016-10-26T15:14:46Z DEBUG duration: 1 seconds
> 2016-10-26T15:14:46Z DEBUG [28/43]: setting up initial replication
> 2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):
>
> When I try to restart manually with, "/bin/systemctl restart
> dirsrv@MY-REALM.service"
> this is what systemd logs:
> https://paste.fedoraproject.org/461439/raw/
>
Could you please check /var/log/dirsrv/slapd-*/errors there might be more
details.

Did you reused an old IPA server for this installation?

Martin

>>>>>>> Honestly, I can't see what I might have done wrong.
>>>>>>> Old FreeIPA has hostname is in sync forward and reverse record.
>>>>>>> New FreeIPA host as well has hostname that symmetrically
>>>>>>> resolves, even though the hostname is using another second level
>>>>>>> domain.
>>>>>>>
>>>>>>> Any hints?
>>>>>>> Jochen Demmer
>>>>>>
>>>>>> Martin
>>>>> Jochen
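The "cannot use IP network address" rejection discussed earlier in this thread (an address configured with a /128 prefix, as handed out by a stateful DHCPv6 server), reproduced as an added illustration that is not FreeIPA's own code. It models the installer's sanity check with the standard library's ipaddress module and shows why a host-only prefix trips a check meant for subnet network and broadcast addresses; the function and parameter names are assumptions.

```python
import ipaddress


def check_host_address(addr, allow_host_only_prefix=False):
    """Validate "ip/prefix" the way an installer sanity check would.

    The check rejects the network address of the interface's subnet and,
    for IPv4, the broadcast address. With a host-only prefix (/32 or /128)
    the address *is* its own network address, so the plain check rejects a
    perfectly valid DHCPv6 /128 lease; allow_host_only_prefix=True skips
    the subnet checks in that case. Returns the bare address on success
    and raises ValueError with an installer-style message otherwise.
    (Hypothetical helper, not the FreeIPA implementation.)
    """
    iface = ipaddress.ip_interface(addr)
    net = iface.network
    host_only = net.prefixlen == net.max_prefixlen
    if host_only and allow_host_only_prefix:
        return iface.ip
    if iface.ip == net.network_address:
        raise ValueError(
            "Invalid IP Address {} cannot use IP network address {}".format(
                iface.ip, net.network_address))
    if iface.version == 4 and iface.ip == net.broadcast_address:
        raise ValueError(
            "Invalid IP Address {} cannot use broadcast IP address {}".format(
                iface.ip, net.broadcast_address))
    return iface.ip


def classify(addr, **kwargs):
    """Return "ok" or the rejection message for addr (convenience wrapper)."""
    try:
        check_host_address(addr, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed samples; 2a02:1:2:3::4 is the address quoted in the thread.
    for sample in ("2a02:1:2:3::4/128", "2a02:1:2:3::4/64", "10.0.0.255/24"):
        print(sample, "->", classify(sample))
    print("2a02:1:2:3::4/128 with host-only prefixes allowed ->",
          classify("2a02:1:2:3::4/128", allow_host_only_prefix=True))
```

The /128 case produces exactly the message Jochen saw, while the same address with a /64 prefix passes, which is the workaround Martin suggested.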
From peljasz at yahoo.co.uk Wed Oct 26 18:00:43 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 26 Oct 2016 19:00:43 +0100
Subject: [Freeipa-users] rpm dependencies
Message-ID:

hi all

quick question - does IPA rpms depend on samba's?
I'm hoping I can remove samba-common but dnf fies a 46 packages long list
of dependencies - is it somehow broken?
If is not and that is 100% correct long chain of deps - then can samba be
safely downgraded to 3.6.x ? given that IPA does not integrate samba in my
configuration.

many thanks
L.

From m3freak at thesandhufamily.ca Wed Oct 26 20:03:35 2016
From: m3freak at thesandhufamily.ca (Ranbir)
Date: Wed, 26 Oct 2016 16:03:35 -0400
Subject: [Freeipa-users] FreeIPA domains and sub-domains
Message-ID: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca>

Hi Everyone!

If I have two networks, say A and B, and I want both to use the same
FreeIPA server, should I have one Freeipa domain for network A and a
sub-domain for network B, (domain.local and b.domain.local), or should I
create two top level domains (a.local and b.local)? What's the recommended
way to do this?

-- 
Ranbir

From abokovoy at redhat.com Wed Oct 26 20:51:04 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 26 Oct 2016 23:51:04 +0300
Subject: [Freeipa-users] FreeIPA domains and sub-domains
In-Reply-To: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca>
References: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca>
Message-ID: <20161026205104.22q5asedgt3cmdvq@redhat.com>

On Wed, 26 Oct 2016, Ranbir wrote:
>Hi Everyone!
>
>If I have two networks, say A and B, and I want both to use the same
>FreeIPA server, should I have one Freeipa domain for network A and a
>sub-domain for network B, (domain.local and b.domain.local), or should
>I create two top level domains (a.local and b.local)? What's the
>recommended way to do this?
Does not really matter if you are talking about DNS.
Read https://www.freeipa.org/page/Deployment_Recommendations for more
details on DNS recommendations.

-- 
/ Alexander Bokovoy

From jruybal at owneriq.com Wed Oct 26 23:18:12 2016
From: jruybal at owneriq.com (Joshua Ruybal)
Date: Wed, 26 Oct 2016 16:18:12 -0700
Subject: [Freeipa-users] ipa-replica-prepare failing
Message-ID:

While trying to run IPA replica prepare with debug, we see an unexplained
failure.

Debug seems to show the process running smoothly, then I see: "Certificate
issuance failed".

Looking at previous mail-archives, I see that someone has run into this
before, however all permissions on caIPAserviceCert.cfg are correct (the
solution for him).

Is there any method to get more details on the failure from
ipa-replica-prepare?

Thanks

-- 
*Joshua Ruybal | Systems Engineer*
o: (866) 870-2295 x823
c: (206) 724-4549
e: jruybal at owneriq.com

From ftweedal at redhat.com Thu Oct 27 01:10:50 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 27 Oct 2016 11:10:50 +1000
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To:
References:
Message-ID: <20161027011050.GR3554@dhcp-40-8.bne.redhat.com>

On Wed, Oct 26, 2016 at 04:18:12PM -0700, Joshua Ruybal wrote:
> While trying to run IPA replica prepare with debug, we see an unexplained
> failure.
>
> Debug seems to show the process running smoothly, then I see: "Certificate
> issuance failed".
>
> Looking at previous mail-archives, I see that someone has run into this
> before, however all permissions on caIPAserviceCert.cfg are correct (the
> solution for him).
>
> Is there any method to get more details on the failure from
> ipa-replica-prepare?
>
> Thanks
>
Need some more information to be able to render assistance :)

Do you have any logs pertaining to the failure?

Is certificate issuance working e.g. via `ipa cert-request'?

Are all certificates in your infrastructure currently valid?
Cheers,
Fraser

From tyrell at jentink.net Thu Oct 27 02:43:54 2016
From: tyrell at jentink.net (Tyrell Jentink)
Date: Wed, 26 Oct 2016 19:43:54 -0700
Subject: [Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.
Message-ID:

Hello all,

I'm still having problems with my IPA Client install... My errors aren't
bringing up any meaningful results on Google, so I really appreciate any
hints anyone might have!

To narrow the scope of the problem, I simply rebuilt both the server and
the client from scratch... This time without Active Directory Realm trusts,
so things are nice and clean. To wit, I have been using
http://www.freeipa.org/page/Active_Directory_trust_setup and
https://blog.christophersmart.com/articles/freeipa-how-to-fedora/ as
references, and I have run the following:

ON THE SERVER:

- dnf -y update && dnf install -y "*ipa-server" "*ipa-server-trust-ad" "*ipa-server-dns" bind bind-dyndb-ldap
- echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >> /etc/hosts
  (I also added the AD server to my hosts file, although that shouldn't be
  messing with anything...)
- hostname ipa_hostname.ipa_domain
- hostnamectl set-hostname ipa_hostname.ipa_domain
- reboot (And took a snapshot of the VM)
- for x in freeipa-ldap freeipa-ldaps dns ntp; do firewall-cmd --permanent --zone=FedoraServer --add-service=${x} ; done
- systemctl reload firewalld.service
- ipa-server-install --setup-dns --no-forwarders
  (I had no errors there... But I can share my logs if anyone wants to see
  them)
- And I rebooted again, took another snapshot, and verified the following:
  kinit admin
  id admin
  getent passwd admin
  All return appropriate values on the server...
- nslookup ipa_hostname.ipa_domain works on both the server and on the
  client...

So, ON TO THE CLIENT:

- echo "ipa_ip_address ipa_hostname.ipa_domain ipa_hostname" >> /etc/hosts
- echo "nameserver ipa_ip_address" >> /etc/resolv.conf
- (OF course, I verified that the client can ping the server, and nslookup
  against the server)
- ipa-client-install --enable-dns-updates --ssh-trust-dns --force-ntpd

And this is where I ran into problems... My output:

> Discovery was successful!
> Client hostname: trainmaster.ipa.rxrhouse.net
> Realm: IPA.RXRHOUSE.NET
> DNS Domain: ipa.rxrhouse.net
> IPA Server: ipa-pdc.ipa.rxrhouse.net
> BaseDN: dc=ipa,dc=rxrhouse,dc=net
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Attempting to sync time using ntpd. Will timeout after 15 seconds
> Attempting to sync time using ntpd. Will timeout after 15 seconds
> Unable to sync time with NTP server, assuming the time is in sync. Please
> check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for admin@IPA.RXRHOUSE.NET:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
> Valid From: Thu Sep 08 17:27:47 2016 UTC
> Valid Until: Mon Sep 08 17:27:47 2036 UTC
> Enrolled in IPA realm IPA.RXRHOUSE.NET
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Systemwide CA database updated.
> Failed to update DNS records.
> Missing reverse record(s) for address(es): 10.42.0.100.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
> NTP enabled
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Configuring ipa.rxrhouse.net as NIS domain.
> Client configuration complete.

- Of interest, I DID solve my NTP issues from before! On the downside,
  that wasn't the source of my DNS issues...

In /var/log/ipaclient-install, I still have the following clipping of
errors, which I'm merely assuming are the relevant piece:

> 2016-10-26T23:30:40Z DEBUG Starting external process
> 2016-10-26T23:30:40Z DEBUG args=/sbin/ip -oneline address show dev enp1s6
> 2016-10-26T23:30:40Z DEBUG Process finished, return code=0
> 2016-10-26T23:30:40Z DEBUG stdout=2: enp1s6 inet 10.42.0.100/8 brd 10.255.255.255 scope global dynamic enp1s6\ valid_lft 588384sec preferred_lft 588384sec
> 2: enp1s6 inet6 fe80::e779:3263:960d:ff87/64 scope link \ valid_lft forever preferred_lft forever
>
> 2016-10-26T23:30:40Z DEBUG stderr=
> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
> 2016-10-26T23:30:40Z DEBUG debug
>
> update delete trainmaster.ipa.rxrhouse.net. IN A
> show
> send
>
> update delete trainmaster.ipa.rxrhouse.net. IN AAAA
> show
> send
>
> update add trainmaster.ipa.rxrhouse.net. 1200 IN A 10.42.0.100
> show
> send
>
> 2016-10-26T23:30:40Z DEBUG Starting external process
> 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 2016-10-26T23:30:40Z DEBUG Process finished, return code=1
> 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> trainmaster.ipa.rxrhouse.net. 0 ANY A
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562
> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ADDITIONAL SECTION:
> 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640 1477524640 3 NOERROR 683 [...] 0
>
>
> 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38738
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;trainmaster.ipa.rxrhouse.net. IN SOA
>
> ;; AUTHORITY SECTION:
> ipa.rxrhouse.net. 0 IN SOA ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600
>
> Found zone name: ipa.rxrhouse.net
> The master is: ipa-pdc.ipa.rxrhouse.net
> start_gssrequest
> Found realm from ticket: IPA.RXRHOUSE.NET
> send_gssrequest
> recvmsg reply from GSS-TSIG query
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562
> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>
> ;; ANSWER SECTION:
> 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466301805 1466388205 3 NOERROR 101
> YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
> MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
> AwIBAaELMAkbB2FkLXBkYyQ=
> 0
>
> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
> failure. Minor code may provide more information, Minor = Message stream
> modified.
>
> 2016-10-26T23:30:40Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
> 2016-10-26T23:30:40Z ERROR Failed to update DNS records.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: trainmaster.ipa.rxrhouse.net IN A
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: trainmaster.ipa.rxrhouse.net IN AAAA
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: 100.0.42.10.in-addr.arpa. IN PTR
> 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> 2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host trainmaster.ipa.rxrhouse.net: 10.42.0.100.
> 2016-10-26T23:30:40Z WARNING Missing reverse record(s) for address(es): 10.42.0.100.

-- Full logs can be found here: http://pastebin.com/90dG9Ffu

- For grins, I decided to test:
  kinit admin
  id admin
  getent passwd admin
  on the client, and all of those all made valid responses... So
  authentication is working, I just can't update DNS records.

So that's what I've tried, and where I'm at... My client machines running
modern client software can NOT update DNS records, complaining about GSSAPI
"Message Stream Modified" errors... And I have no idea how to troubleshoot
that... Any ideas?

On Tue, Oct 11, 2016 at 6:24 PM, Tyrell Jentink wrote:
> Thank you, Rob.
>
> For reference, my full log can be found here: http://pastebin.com/6VLaQjYw
>
> But I would postulate that the interesting bit is this:
>
>> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> trainmaster.ipa.rxrhouse.net. 0 ANY A
>>
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
>> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>>
>> ;; ADDITIONAL SECTION:
>> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1476223815 1476223815 3 NOERROR 683 [...] 0
>>
>>
>> 2016-10-11T22:10:15Z DEBUG stderr=Reply from SOA query:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18681
>> ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>> ;; QUESTION SECTION:
>> ;trainmaster.ipa.rxrhouse.net. IN SOA
>>
>> ;; AUTHORITY SECTION:
>> ipa.rxrhouse.net. 60 IN SOA ipa-pdc.ipa.rxrhouse.net. hostmaster.ipa.rxrhouse.net. 1476221978 3600 900 1209600 3600
>>
>> ;; ADDITIONAL SECTION:
>> ipa-pdc.ipa.rxrhouse.net. 353 IN A 10.42.0.11
>>
>> Found zone name: ipa.rxrhouse.net
>> The master is: ipa-pdc.ipa.rxrhouse.net
>> start_gssrequest
>> Found realm from ticket: IPA.RXRHOUSE.NET
>> send_gssrequest
>> recvmsg reply from GSS-TSIG query
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23971
>> ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;350449427.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY
>>
>> ;; ANSWER SECTION:
>> 350449427.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1466641678 1466728078 3 NOERROR 101
>> YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MjMw
>> MDI3NThapQUCAwVDn6YDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
>> AwIBAaELMAkbB2FkLXBkYyQ=
>> 0
>>
>> dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
>> failure. Minor code may provide more information, Minor = Message stream
>> modified.
>>
>> 2016-10-11T22:10:15Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
>> 2016-10-11T22:10:15Z ERROR Failed to update DNS records.
>>
>
> This isn't the first time I've seen this "Unspecified GSS failure [...]
> Message stream modified" error, and I suspect it to be the root of my
> problem... But my google-foo is not strong with this one... I'm not sure
> how to proceed.
>
> On Tue, Oct 11, 2016 at 3:52 PM, Rob Crittenden wrote:
>
>> Tyrell Jentink wrote:
>>
>>> First off... new to the list, thank you in advance for your assistance!
>>>
>>> My server is Fedora 24 Server, running in a VirtualBox virtual machine.
>>> I have FreeIPA Server 4.3.2-2.fc24, installed from the standard
>>> repositories, and dnf says it's up to date. FreeIPA has a trust set up
>>> with an Windows Server 2012r2 ActiveDirectory server, and it APPEARS to
>>> be working...
>>>
>>> The first client I connected was a Raspberry Pi running Pidora. This
>>> client appears to have connected fine, and appears to be working (I
>>> guess I haven't tried logging in as an ActiveDirectory user; But it's
>>> certainly NOT having any DNS issues, as other clients are; See below...)
>>>
>>> Then I tried connecting a second client, a system running Fedora 24 with
>>> FreeIPA Client 4.3.2-2.fc24, and the install went ALMOST according to
>>> plan... Here's the output of ipa-client-install:
>>>
>>> Discovery was successful!
>>> Client hostname: trainmaster.ipa.rxrhouse.net
>>> Realm: IPA.RXRHOUSE.NET
>>> DNS Domain: ipa.rxrhouse.net
>>> IPA Server: ipa-pdc.ipa.rxrhouse.net
>>> BaseDN: dc=ipa,dc=rxrhouse,dc=net
>>> Continue to configure the system with these values? [no]: yes
>>> Synchronizing time with KDC...
>>> Attempting to sync time using ntpd. Will timeout after 15 seconds
>>> Attempting to sync time using ntpd. Will timeout after 15 seconds
>>> Unable to sync time with NTP server, assuming the time is in sync.
>>> Please check that 123 UDP port is opened.
>>> User authorized to enroll computers: admin
>>> Password for admin@IPA.RXRHOUSE.NET:
>>> Successfully retrieved CA cert
>>> Subject: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>>> Issuer: CN=Certificate Authority,O=IPA.RXRHOUSE.NET
>>> Valid From: Thu Sep 08 17:27:47 2016 UTC
>>> Valid Until: Mon Sep 08 17:27:47 2036 UTC
>>> Enrolled in IPA realm IPA.RXRHOUSE.NET
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm IPA.RXRHOUSE.NET
>>> trying https://ipa-pdc.ipa.rxrhouse.net/ipa/json
>>> Forwarding 'ping' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>>> Forwarding 'ca_is_enabled' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>>> Systemwide CA database updated.
>>> Failed to update DNS records.
>>> Missing reverse record(s) for address(es): 10.42.0.100.
>>> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>> Forwarding 'host_mod' to json server 'https://ipa-pdc.ipa.rxrhouse.net/ipa/json'
>>> Could not update DNS SSHFP records.
>>> SSSD enabled
>>> Configured /etc/openldap/ldap.conf
>>> NTP enabled
>>> Configured /etc/ssh/ssh_config
>>> Configured /etc/ssh/sshd_config
>>> Configuring ipa.rxrhouse.net as NIS domain.
>>> Client configuration complete.
>>>
>>>
>>> Of concern, the installer failed to update DNS records, resulting in a
>>> missing reverse record, and eventually failing to update the DNS SSHFP
>>> records. Looking in the Web UI for FreeIPA server, I see that the
>>> client is registered, but it doesn't have any SSH keys, and as
>>> expected, doesn't have a reverse zone... But the Raspberry Pi DOES.
>>>
>>> Just to be fully sure something was wrong... I tried connecting with a
>>> clean install of Fedora 24 running in a virtual machine, and had the
>>> same issue. I've googled around, and can't find anyone having any
>>> similar issues... And I didn't accidentally stumble across anything
>>> interesting while exploring logs... But I honestly don't know where to
>>> look.
>>>
>>> TO BE CLEAR, things appear to work just fine from freeipa-client version
>>> 3.3.3-4.fc20 on pidora on a Raspberry Pi, but it's NOT working with the
>>> latest versions from Fedora 24 on x86_64 hardware...
>>>
>>> Where should I look first? Thank you for any assistance...
>>>
>>
>> Look in /var/log/ipaclient-install.log for debug logging of the install.
>>
>> rob
>>
>>

From william.muriithi at gmail.com Thu Oct 27 04:16:29 2016
From: william.muriithi at gmail.com (William Muriithi)
Date: Thu, 27 Oct 2016 00:16:29 -0400
Subject: [Freeipa-users] ipa automount bug?
Message-ID:

Evening,

I am trying to import some autofs maps from a file to FreeIPA LDAP and
have noticed two problems that can be considered a bug in my humble
opinion. This is on: ipa-server-4.2.0-15.0.1.el7

1.
This either is a documentation bug that suggest one can specify a parent map while thats actually not the case or ipa I am running has a bug and can't handle parent map. Below is what I get when I try to specify parent map: [root at hydrogen ~]# ipa automountmap-add-indirect default auto.projects-prs1013 ?-mount=/projects/prs1013 --parentmap=auto.projects ipa: ERROR: command 'automountmap_add_indirect' takes at most 2 arguments I had got the idea that this is possible from the documentation below: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-maps.html According to the document, I should be able to specify an automap parent. However, it don?t look like that?s actually supported. 2. How would one import an existing maps to ipa auto.home map. Import seem to be only capable of importing to auto.master, which make its utility doubtful [root at hydrogen ~]# ipa automountlocation-import default /tmp/2016-10-26/auto.home Imported maps: Imported keys: Added adam to auto.master ...... I think we should have a flag that allow importation of key to other other maps other than auto.master Regards, William From pspacek at redhat.com Thu Oct 27 06:36:56 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 27 Oct 2016 08:36:56 +0200 Subject: [Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified. In-Reply-To: References: Message-ID: On 27.10.2016 04:43, Tyrell Jentink wrote: >> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to >> > /etc/ipa/.dns_update.txt: >> > 2016-10-26T23:30:40Z DEBUG debug >> > >> > update delete trainmaster.ipa.rxrhouse.net. IN A >> > show >> > send >> > >> > update delete trainmaster.ipa.rxrhouse.net. IN AAAA >> > show >> > send >> > >> > update add trainmaster.ipa.rxrhouse.net. 
1200 IN A 10.42.0.100 >> > show >> > send >> > >> > 2016-10-26T23:30:40Z DEBUG Starting external process >> > 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g >> > /etc/ipa/.dns_update.txt >> > 2016-10-26T23:30:40Z DEBUG Process finished, return code=1 >> > 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query: >> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> > ;; UPDATE SECTION: >> > trainmaster.ipa.rxrhouse.net. 0 ANY A >> > >> > Outgoing update query: >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562 >> > ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 >> > ;; QUESTION SECTION: >> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY >> > >> > ;; ADDITIONAL SECTION: >> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 1477524640 [...] >> > >> > 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query: >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38738 >> > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 >> > ;; QUESTION SECTION: >> > ;trainmaster.ipa.rxrhouse.net. IN SOA >> > >> > ;; AUTHORITY SECTION: >> > ipa.rxrhouse.net. 0 IN SOA ipa-pdc.ipa.rxrhouse.net. >> > hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600 >> > >> > Found zone name: ipa.rxrhouse.net >> > The master is: ipa-pdc.ipa.rxrhouse.net >> > start_gssrequest >> > Found realm from ticket: IPA.RXRHOUSE.NET >> > send_gssrequest >> > recvmsg reply from GSS-TSIG query >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562 >> > ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 >> > ;; QUESTION SECTION: >> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY >> > >> > ;; ANSWER SECTION: >> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. 
1466301805
>> > 1466388205 3 NOERROR 101
>> > YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw
>> > MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg
>> > AwIBAaELMAkbB2FkLXBkYyQ=
>> > 0
>> >
>> > dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS
>> > failure. Minor code may provide more information, Minor = Message stream
>> > modified.
>> >
>> > 2016-10-26T23:30:40Z DEBUG nsupdate failed: Command '/usr/bin/nsupdate -g
>> > /etc/ipa/.dns_update.txt' returned non-zero exit status 1
>> > 2016-10-26T23:30:40Z ERROR Failed to update DNS records.
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
>> > trainmaster.ipa.rxrhouse.net IN A
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query:
>> > trainmaster.ipa.rxrhouse.net IN AAAA
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: 100.0.42.10.in-addr.arpa.
>> > IN PTR
>> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
>> > 2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host
>> > trainmaster.ipa.rxrhouse.net: 10.42.0.100.
>> > 2016-10-26T23:30:40Z WARNING Missing reverse record(s) for address(es):
>> > 10.42.0.100.
>> >
> -- Full logs can be found here: http://pastebin.com/90dG9Ffu
>
> - For grins, I decided to test:
> kinit admin
> id admin
> getent passwd admin
> on the client, and all of those made valid responses... So
> authentication is working, I just can't update DNS records.
>
>
> So that's what I've tried, and where I'm at... My client machines running
> modern client software can NOT update DNS records, complaining about GSSAPI
> "Message Stream Modified" errors... And I have no idea how to troubleshoot
> that... Any ideas?

Interesting, I haven't seen this one :-)

There is something fishy in GSSAPI negotiation between the client and DNS server.
I would try this (and watch out for suspicious messages along the way):

1) To be sure, please double-check that ipa-pdc.ipa.rxrhouse.net. resolves (from the client) to the correct IP address of the IPA DNS server.

2) Verify that a Kerberos ticket for the DNS server can be obtained:
$ kinit -k
$ kvno DNS/ipa-pdc.ipa.rxrhouse.net
$ klist  # it should list a Kerberos ticket for ipa-pdc.ipa.rxrhouse.net

3) Create a plain text file with update message content:
cat > /tmp/dnsupdate <<

References: <6855743.Ni35mL8Wg0@techz>
Message-ID: <80e87458-3542-d96f-3d15-eb7ed210b3b1@redhat.com>

On 25.10.2016 15:49, Günther J. Niederwimmer wrote:
> Hello,
>
> FreeIPA 4.3.1
> CentOS 7.2
>
>
> I found today in /var/log/messages these entries
>
> Is the DNSSEC now broken?
>
> Thanks for an answer
>
> ct 25 15:41:29 ipa ipa-dnskeysyncd: Traceback (most recent call last):
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd",
> line 112, in
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: while
> ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-
> packages/ldap/syncrepl.py", line 405, in syncrepl_poll
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.syncrepl_refreshdone()
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
> packages/ipapython/dnssec/keysyncer.py", line 118, in syncrepl_refreshdone
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.bindmgr.sync(self.dnssec_zones)
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
> packages/ipapython/dnssec/bindmgr.py", line 209, in sync
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.sync_zone(zone)
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
> packages/ipapython/dnssec/bindmgr.py", line 182, in sync_zone
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: self.install_key(zone, uuid, attrs,
> tempdir)
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
> packages/ipapython/dnssec/bindmgr.py", line 117, in
install_key
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: result = ipautil.run(cmd,
> capture_output=True)
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/lib/python2.7/site-
> packages/ipapython/ipautil.py", line 479, in run
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: raise CalledProcessError(p.returncode,
> arg_string, str(output))
> Oct 25 15:41:29 ipa ipa-dnskeysyncd: subprocess.CalledProcessError: Command
> '/usr/sbin/dnssec-keyfromlabel-pkcs11 -K /var/named/dyndb-
> ldap/ipa/master/4gjn.com/tmppaO_R2 -a RSASHA256 -l
> pkcs11:object=d7fe5c98d5f3f89aefb9e8dfb92ebcb1;pin-
> source=/var/lib/ipa/dnssec/softhsm_pin -I 20160811091542 -D 20160825225503 -P
> 20160513081600 -A 20160513081600 4gjn.com.' returned non-zero exit status 1
> Oct 25 15:41:30 ipa systemd: ipa-dnskeysyncd.service: main process exited,
> code=exited, status=1/FAILURE
> Oct 25 15:41:30 ipa systemd: Unit ipa-dnskeysyncd.service entered failed
> state.
> Oct 25 15:41:30 ipa systemd: ipa-dnskeysyncd.service failed.

It might break in future, when keys are rotated. Please follow
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work

This debugging option might come in handy, too:
http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data

--
Petr^2 Spacek

From dkupka at redhat.com Thu Oct 27 07:39:44 2016
From: dkupka at redhat.com (David Kupka)
Date: Thu, 27 Oct 2016 09:39:44 +0200
Subject: [Freeipa-users] rpm dependencies
In-Reply-To:
References:
Message-ID: <15448e66-30e9-7ee1-4b27-7870727e0c08@redhat.com>

On 26/10/16 20:00, lejeczek wrote:
> hi all
>
> quick question - do the IPA rpms depend on samba's?
> I'm hoping I can remove samba-common but dnf fies a 46 packages long
> list of dependencies - is it somehow broken?
> If it is not and that is 100% correct long chain of deps - then can samba
> be safely downgraded to 3.6.x? given that IPA does not integrate samba
> in my configuration.
>
> many thanks
> L.
>

Hello!

Only the freeipa-server-trust-ad package depends on samba.
If you haven't configured AD trust you can safely remove samba (and also the freeipa-server-trust-ad package if you've installed it).
samba-common contains files for the samba client and server, so removing it may remove applications that can behave as a samba client.

--
David Kupka

From b.candler at pobox.com Thu Oct 27 07:59:06 2016
From: b.candler at pobox.com (Brian Candler)
Date: Thu, 27 Oct 2016 08:59:06 +0100
Subject: [Freeipa-users] FreeIPA domains and sub-domains
In-Reply-To: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca>
References: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca>
Message-ID: <81146581-c4d1-681b-db47-7f1eb45af5d2@pobox.com>

On 26/10/2016 21:03, Ranbir wrote:
>
> If I have two networks, say A and B, and I want both to use the same
> FreeIPA server, should I have one FreeIPA domain for network A and a
> sub-domain for network B, (domain.local and b.domain.local), or should
> I create two top level domains (a.local and b.local)? What's the
> recommended way to do this?

Well, as a first point, I'd say never use a fake domain like ".local". Use a subdomain of some real domain that you already have - e.g. int.yourcompany.com. You don't need to expose it to the Internet if you don't want to, and a fake domain can cause you problems down the line.

Secondly: do you really need two domains? DNS domains are used as a way to delegate administrative responsibility. If the same person is managing the DNS for both sites, then you can just as well use one domain. Personally I like to embed the site in the hostname (e.g. lon-srv-1.int.yourcompany.com), because there are many circumstances in which only the shortened hostname "lon-srv-1" is seen, such as syslog messages and bash prompts. Hence it's good for the hostname itself to be unambiguous.

But if you prefer a different DNS domain for equipment in each site, that's not a problem either.
You can either create additional domains in FreeIPA (if you want to use the FreeIPA GUI/CLI to manage DNS records), or just have separate DNS domains managed elsewhere. If FreeIPA is managing your DNS, you can get it to manage your reverse DNS too, by creating domains like 10.in-addr.arpa and 168.192.in-addr.arpa.

Taking this to the extreme: you don't even need to use the same DNS domain for your IPA and your other equipment. It's fine to have:

ldap-1.ipa.yourdomain.com
host1.site1.yourdomain.com
host2.site2.yourdomain.com

even if all the hosts are joined into the same Kerberos realm IPA.YOURDOMAIN.COM (which sounds like what you're doing).

This is quite a good approach if you already have existing DNS for site1.yourdomain.com and site2.yourdomain.com which you don't want to change. Having FreeIPA manage its own domain makes it easier to automatically locate the Kerberos servers for the realm IPA.YOURDOMAIN.COM. But even that's not necessary if you are happy to create the necessary SRV records in the DNS yourself.

The final issue is IPA replicas in multiple sites. Personally I've put all my IPA replicas in the same DNS domain (ldap-1.ipa.yourcompany.com; ldap-2.ipa.yourcompany.com), and have never tried putting them in different DNS domains, e.g.

ipa-1.site1.yourdomain.com
ipa-2.site2.yourdomain.com

I'm not sure if you can do this, and I think it would be safer not to unless someone else on this list says it's OK.

Regards,

Brian.

From jochen at winteltosh.de Thu Oct 27 08:02:50 2016
From: jochen at winteltosh.de (Jochen Demmer)
Date: Thu, 27 Oct 2016 10:02:50 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com> References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de> <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com> <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de> <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com> Message-ID: <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de> Am 26.10.2016 um 17:31 schrieb Martin Basti: > > > > On 26.10.2016 17:25, Jochen Demmer wrote: >> >> >> Am 26.10.2016 um 16:48 schrieb Martin Basti: >>> >>> >>> >>> On 26.10.2016 16:42, Jochen Demmer wrote: >>>> >>>> >>>> Am 26.10.2016 um 16:27 schrieb Martin Basti: >>>>> >>>>> >>>>> >>>>> On 26.10.2016 16:10, Jochen Demmer wrote: >>>>>> Hi, >>>>>> >>>>>> my answers also inline. >>>>>> >>>>>> Am 26.10.2016 um 15:38 schrieb Martin Basti: >>>>>>> >>>>>>> Hi, comments inline >>>>>>> >>>>>>> >>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> I've been running and using a single FreeIPA server >>>>>>>> successfully, i.e.: >>>>>>>> Fedora 24 >>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64 >>>>>>>> This server is only available via IPv6, because I can't get >>>>>>>> public lPv4 addresses no more. >>>>>>>> >>>>>>>> Now I want to setup a FreeIPA replica at another site also >>>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64 >>>>>>>> First I run "ipa-client-install" which succeeds without an error. >>>>>>>> When I invoke "ipa-replica-install" I get this error: >>>>>>>> ipa : ERROR Could not resolve hostname >>>>>>>> *hostname.mydoma.in* using DNS. Clients may not function >>>>>>>> properly. Please check your DNS setup. (Note that this check >>>>>>>> queries IPA DNS directly and ignores /etc/hosts.) 
>>>>>>>> LOG: >>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server >>>>>>>> *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1', >>>>>>>> '2a01:f11:1:1::1']) for *hostname.mydoma.in* >>>>>>> >>>>>>> Can you check with dig or host command if the hostname is really >>>>>>> resolvable on that machine? do you have proper resolver in >>>>>>> /etc/resolv.conf? >>>>>> There is a resolver given in /etc/resolv.conf. When I do "host >>>>>> <>" I get the right IPv6 back. >>>>> That is weird because IPA is doing basically the same. >>>>> >>>>>>> >>>>>>>> >>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old >>>>>>>> FreeIPA server, which actually resolves, but only to an IPv6 >>>>>>>> address of course. >>>>>>>> I can continue the installation though by entering "yes". >>>>>>>> >>>>>>>> I then get asked: >>>>>>>> Enter the IP address to use, or press Enter to finish. >>>>>>>> Please provide the IP address to be used for this host name: >>>>>>>> >>>>>>>> When I enter the IPv6 address of the new replica host it >>>>>>>> doesn't accept but infinitely asks this question instead. >>>>>>> >>>>>>> Have you pressed enter twice? It should end prompt and continue >>>>>>> with installation >>>>>> Enter without an IP -> No usable IP address provided nor resolved. >>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 >>>>>> cannot use IP network address 2a02:1:2:3::4 >>>>> >>>>> How do you have configured IP address on your interface? Does it >>>>> have prefix /128? >>>> Yes, that's right. It's an IP being assigned statefully by a DHCPv6 >>>> server. >>>> There is also another dynamic IP within the same prefix having /64. >>>> I don't want to use this one of course, because its IID changes. >>>> >>> Could you set (temporarily) prefix for that address to /64 and >>> re-run installer? IPA 4.3 has check that prevents you to use /128 prefix >> Well now I don't even get asked for the IP. 
The setup wizard >> continues, but I now get this error: >> >> [27/43]: restarting directory server >> ipa : CRITICAL Failed to restart the directory server >> (Command '/bin/systemctl restart dirsrv at MY-REALM.service' returned >> non-zero exit status 1). See the installation log for details. >> [28/43]: setting up initial replication >> [error] error: [Errno 111] Connection refused >> >> LOG: >> 2016-10-26T15:14:46Z DEBUG Process finished, return code=1 >> 2016-10-26T15:14:46Z DEBUG stdout= >> 2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv at MY-REALM.service >> failed because the control process exited with error code. See >> "systemctl status dirsrv at MY-REALM.service" and "journalctl -xe" for >> details. >> 2016-10-26T15:14:46Z CRITICAL Failed to restart the directory server >> (Command '/bin/systemctl restart dirsrv at MY-REALM.service' returned >> non-zero exit status 1). See the installation log for details. >> 2016-10-26T15:14:46Z DEBUG duration: 1 seconds >> 2016-10-26T15:14:46Z DEBUG [28/43]: setting up initial replication >> 2016-10-26T15:14:56Z DEBUG Traceback (most recent call last): >> >> When I try to restart manually with, "/bin/systemctl restart >> dirsrv at MY-REALM.service" >> this is what systemd logs: >> https://paste.fedoraproject.org/461439/raw/ >> >> > > Could you please check /var/log/dirsrv/slapd-*/errors there might be > more details. > > Did you reused an old IPA server for this installation? > > Martin This is what the logfile says: https://paste.fedoraproject.org/461685/raw/ I tried to install this server as a replica a couple of times, but I even reinstalled all of the software and I keep using ipa-client-install --uninstall and ipa-server-install --uninstall > >>> >>> >>>>> >>>>>>> >>>>>>>> >>>>>>>> Honestly, I can't see what I might have done wrong. >>>>>>>> Old FreeIPA has hostname is in sync forward and reverse record. 
>>>>>>>> New FreeIPA host as well has hostname that symmetrically >>>>>>>> resolves, even though the hostname is using another second >>>>>>>> level domain. >>>>>>>> >>>>>>>> Any hints? >>>>>>>> Jochen Demmer >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> Martin >>>>>> Jochen >>>>>> >>>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Thu Oct 27 08:21:04 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 27 Oct 2016 10:21:04 +0200 Subject: [Freeipa-users] ipa-replica-install fails because dirsrv failed to start In-Reply-To: <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de> References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de> <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com> <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de> <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com> <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de> Message-ID: On 27.10.2016 10:02, Jochen Demmer wrote: > > > Am 26.10.2016 um 17:31 schrieb Martin Basti: >> >> >> >> On 26.10.2016 17:25, Jochen Demmer wrote: >>> >>> >>> Am 26.10.2016 um 16:48 schrieb Martin Basti: >>>> >>>> >>>> >>>> On 26.10.2016 16:42, Jochen Demmer wrote: >>>>> >>>>> >>>>> Am 26.10.2016 um 16:27 schrieb Martin Basti: >>>>>> >>>>>> >>>>>> >>>>>> On 26.10.2016 16:10, Jochen Demmer wrote: >>>>>>> Hi, >>>>>>> >>>>>>> my answers also inline. 
>>>>>>> >>>>>>> Am 26.10.2016 um 15:38 schrieb Martin Basti: >>>>>>>> >>>>>>>> Hi, comments inline >>>>>>>> >>>>>>>> >>>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I've been running and using a single FreeIPA server >>>>>>>>> successfully, i.e.: >>>>>>>>> Fedora 24 >>>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64 >>>>>>>>> This server is only available via IPv6, because I can't get >>>>>>>>> public lPv4 addresses no more. >>>>>>>>> >>>>>>>>> Now I want to setup a FreeIPA replica at another site also >>>>>>>>> running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64 >>>>>>>>> First I run "ipa-client-install" which succeeds without an error. >>>>>>>>> When I invoke "ipa-replica-install" I get this error: >>>>>>>>> ipa : ERROR Could not resolve hostname >>>>>>>>> *hostname.mydoma.in* using DNS. Clients may not function >>>>>>>>> properly. Please check your DNS setup. (Note that this check >>>>>>>>> queries IPA DNS directly and ignores /etc/hosts.) >>>>>>>>> LOG: >>>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server >>>>>>>>> *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1', >>>>>>>>> '2a01:f11:1:1::1']) for *hostname.mydoma.in* >>>>>>>> >>>>>>>> Can you check with dig or host command if the hostname is >>>>>>>> really resolvable on that machine? do you have proper resolver >>>>>>>> in /etc/resolv.conf? >>>>>>> There is a resolver given in /etc/resolv.conf. When I do "host >>>>>>> <>" I get the right IPv6 back. >>>>>> That is weird because IPA is doing basically the same. >>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old >>>>>>>>> FreeIPA server, which actually resolves, but only to an IPv6 >>>>>>>>> address of course. >>>>>>>>> I can continue the installation though by entering "yes". >>>>>>>>> >>>>>>>>> I then get asked: >>>>>>>>> Enter the IP address to use, or press Enter to finish. 
>>>>>>>>> Please provide the IP address to be used for this host name: >>>>>>>>> >>>>>>>>> When I enter the IPv6 address of the new replica host it >>>>>>>>> doesn't accept but infinitely asks this question instead. >>>>>>>> >>>>>>>> Have you pressed enter twice? It should end prompt and continue >>>>>>>> with installation >>>>>>> Enter without an IP -> No usable IP address provided nor resolved. >>>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 >>>>>>> cannot use IP network address 2a02:1:2:3::4 >>>>>> >>>>>> How do you have configured IP address on your interface? Does it >>>>>> have prefix /128? >>>>> Yes, that's right. It's an IP being assigned statefully by a >>>>> DHCPv6 server. >>>>> There is also another dynamic IP within the same prefix having >>>>> /64. I don't want to use this one of course, because its IID changes. >>>>> >>>> Could you set (temporarily) prefix for that address to /64 and >>>> re-run installer? IPA 4.3 has check that prevents you to use /128 >>>> prefix >>> Well now I don't even get asked for the IP. The setup wizard >>> continues, but I now get this error: >>> >>> [27/43]: restarting directory server >>> ipa : CRITICAL Failed to restart the directory server >>> (Command '/bin/systemctl restart dirsrv at MY-REALM.service' returned >>> non-zero exit status 1). See the installation log for details. >>> [28/43]: setting up initial replication >>> [error] error: [Errno 111] Connection refused >>> >>> LOG: >>> 2016-10-26T15:14:46Z DEBUG Process finished, return code=1 >>> 2016-10-26T15:14:46Z DEBUG stdout= >>> 2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv at MY-REALM.service >>> failed because the control process exited with error code. See >>> "systemctl status dirsrv at MY-REALM.service" and "journalctl -xe" for >>> details. >>> 2016-10-26T15:14:46Z CRITICAL Failed to restart the directory server >>> (Command '/bin/systemctl restart dirsrv at MY-REALM.service' returned >>> non-zero exit status 1). 
See the installation log for details.
>>> 2016-10-26T15:14:46Z DEBUG duration: 1 seconds
>>> 2016-10-26T15:14:46Z DEBUG [28/43]: setting up initial replication
>>> 2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):
>>>
>>> When I try to restart manually with "/bin/systemctl restart
>>> dirsrv at MY-REALM.service"
>>> this is what systemd logs:
>>> https://paste.fedoraproject.org/461439/raw/
>>>
>>>
>>
>> Could you please check /var/log/dirsrv/slapd-*/errors, there might be
>> more details.
>>
>> Did you reuse an old IPA server for this installation?
>>
>> Martin
> This is what the logfile says:
> https://paste.fedoraproject.org/461685/raw/
>
> I tried to install this server as a replica a couple of times, but I
> even reinstalled all of the software and I keep using
> ipa-client-install --uninstall and
> ipa-server-install --uninstall

It looks like the DS database is somehow corrupted; it is possible that there might be some leftovers from previous installations:

start: Failed to start databases, err=-1 BDB0092 Unknown error: -1

I'm not sure what that error means, maybe the DS guys will know.

Can you run server uninstall twice? It should remove all leftovers, and then check /var/lib/dirsrv/ if there are any slapd-* directories; if yes, please remove them.

Martin

>>
>>>>
>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Honestly, I can't see what I might have done wrong.
>>>>>>>>> Old FreeIPA has hostname is in sync forward and reverse record.
>>>>>>>>> New FreeIPA host as well has hostname that symmetrically
>>>>>>>>> resolves, even though the hostname is using another second
>>>>>>>>> level domain.
>>>>>>>>>
>>>>>>>>> Any hints?
>>>>>>>>> Jochen Demmer
>>>>>>>>>
>>>>>>>>
>>>>>>>> Martin
>>>>>>> Jochen
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
From abokovoy at redhat.com Thu Oct 27 08:28:23 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 27 Oct 2016 11:28:23 +0300
Subject: [Freeipa-users] rpm dependencies
In-Reply-To: <15448e66-30e9-7ee1-4b27-7870727e0c08@redhat.com>
References: <15448e66-30e9-7ee1-4b27-7870727e0c08@redhat.com>
Message-ID: <20161027082823.frddqylnj4tocddj@redhat.com>

On Thu, 27 Oct 2016, David Kupka wrote:
>On 26/10/16 20:00, lejeczek wrote:
>>hi all
>>
>>quick question - do the IPA rpms depend on samba's?
>>I'm hoping I can remove samba-common but dnf fies a 46 packages long
>>list of dependencies - is it somehow broken?
>>If it is not and that is 100% correct long chain of deps - then can samba
>>be safely downgraded to 3.6.x? given that IPA does not integrate samba
>>in my configuration.
>>
>>many thanks
>>L.
>>
>
>Hello!
>
>Only freeipa-server-trust-ad package depends on samba. If you haven't
>configured AD trust you can safely remove samba (and also
>freeipa-server-trust-ad package if you've installed it).
>samba-common contains files for samba client and server so removing it
>may remove applications that can behave as samba client.

That's not fully correct. FreeIPA 4.2+ has 389-ds plugins which link to Samba components and are part of the freeipa-server package, because we configure them by default to make trust agent configuration easy:

# rpm -q --requires freeipa-server|grep ^lib|xargs -n1 rpm -q --whatprovides|sort -u
glibc-2.23.1-10.fc24.x86_64
krb5-libs-1.14.4-4.fc24.x86_64
libcom_err-1.42.13-4.fc24.x86_64
libgcc-6.2.1-2.fc24.x86_64
libsss_nss_idmap-1.14.2-1.fc24.x86_64
libtalloc-2.1.6-1.fc24.x86_64
libtevent-0.9.28-1.fc24.x86_64
libunistring-0.9.4-3.fc24.x86_64
libuuid-2.28.2-1.fc24.x86_64
libverto-0.2.6-6.fc24.x86_64
nspr-4.13.1-1.fc24.x86_64
nss-3.27.0-1.1.fc24.x86_64
nss-util-3.27.0-1.0.fc24.x86_64
openldap-2.4.44-1.fc24.x86_64
openssl-libs-1.0.2j-1.fc24.x86_64
samba-client-libs-4.4.6-1.fc24.x86_64

You cannot remove samba-client-libs due to this.
We also do not support downgrading Samba. -- / Alexander Bokovoy From abokovoy at redhat.com Thu Oct 27 08:30:10 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 27 Oct 2016 11:30:10 +0300 Subject: [Freeipa-users] FreeIPA domains and sub-domains In-Reply-To: <81146581-c4d1-681b-db47-7f1eb45af5d2@pobox.com> References: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca> <81146581-c4d1-681b-db47-7f1eb45af5d2@pobox.com> Message-ID: <20161027083010.wwezmnn2ww5ozfxv@redhat.com> On to, 27 loka 2016, Brian Candler wrote: >On 26/10/2016 21:03, Ranbir wrote: >> >>If I have two networks, say A and B, and I want both to use the same >>FreeIPA server, should I have one Freeipa domain for network A and a >>sub-domain for network B, (domain.local and b.domain.local), or >>should I create two top level domains (a.local and b.local)? What's >>the recommended way to do this? > >Well, as a first point, I'd say never use a fake domain like ".local". >Use a subdomain of some real domain that you already have - e.g. >int.yourcompany.com. You don't need to expose it to the Internet if >you don't want to, and a fake domain can cause you problems down the >line. > >Secondly: do you really need two domains? DNS domains are used as way >to delegate administrative responsibility. If the same person is >managing the DNS for both sites, then you can just as well use one >domain. Personally I like to embed the site in the hostname (e.g. >lon-srv-1.int.yourcomany.com), because there are many circumstance in >which only the shortened hostname "lon-srv-1" is seen, such as syslog >messages and bash prompts. Hence it's good for the hostname itself to >be unambiguous. > >But if you prefer a different DNS domain for equipment in each site, >that's not a problem either. You can either create additional domains >in FreeIPA (if you want to use the FreeIPA GUI/CLI to manage DNS >records), or just have separate DNS domains managed elsewhere. 
If >FreeIPA is managing your DNS, you can get it to manage your reverse >DNS too, by creating domains like 10.in-addr.arpa and >168.192.in-addr.arpa. > >Taking this to extreme: you don't even need to use the same DNS domain >for your IPA and your other equipment. It's fine to have: > >ldap-1.ipa.yourdomain.com >host1.site1.yourdomain.com >host2.site2.yourdomain.com > >even if all the hosts are joined into the same Kerberos realm >IPA.YOURDOMAIN.COM (which sounds like is what you're doing). > >This is quite a good approach if you already have existing DNS for >site1.yourdomain.com and site2.yourdomain.com which you don't want to >change. Having FreeIPA manage its own domain makes it easier to >automatically locate the Kerberos servers for the realm >IPA.YOURDOMAIN.COM. But even that's not necessary if you are happy to >create the necessary SRV records in the DNS yourself. > >The final issue is IPA replicas in multiple sites. Personally I've put >all my IPA replicas in the same DNS domain >(ldap-1.ipa.yourcompany.com; ldap-2.ipa.yourcompany.com), and have >never tried putting them in different DNS domains: e.g. > >ipa-1.site1.yourdomain.com >ipa-2.site2.yourdomain.com > >I'm not sure if you can do this, and I think it would be safer not to >unless someone else on this list says it's OK. Yes, you can do that, there is no issue at all. -- / Alexander Bokovoy From jochen at winteltosh.de Thu Oct 27 08:33:23 2016 From: jochen at winteltosh.de (Jochen Demmer) Date: Thu, 27 Oct 2016 10:33:23 +0200 Subject: [Freeipa-users] ipa-replica-install fails because of IPv6? 
In-Reply-To: <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de> <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com> <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de> <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com> <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de>
Message-ID: <511eece7-c623-896a-4bb3-af5973d58e37@winteltosh.de>

On 27.10.2016 at 10:02, Jochen Demmer wrote:
> On 26.10.2016 at 17:31, Martin Basti wrote:
>> On 26.10.2016 17:25, Jochen Demmer wrote:
>>> On 26.10.2016 at 16:48, Martin Basti wrote:
>>>> On 26.10.2016 16:42, Jochen Demmer wrote:
>>>>> On 26.10.2016 at 16:27, Martin Basti wrote:
>>>>>> On 26.10.2016 16:10, Jochen Demmer wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> my answers also inline.
>>>>>>>
>>>>>>> On 26.10.2016 at 15:38, Martin Basti wrote:
>>>>>>>> Hi, comments inline
>>>>>>>>
>>>>>>>> On 26.10.2016 14:28, Jochen Demmer wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I've been running and using a single FreeIPA server successfully, i.e.:
>>>>>>>>> Fedora 24
>>>>>>>>> freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>>> This server is only available via IPv6, because I can't get public IPv4 addresses any more.
>>>>>>>>>
>>>>>>>>> Now I want to set up a FreeIPA replica at another site also running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64.
>>>>>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>>>>> ipa : ERROR Could not resolve hostname hostname.mydoma.in using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>>>> LOG:
>>>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server hostname.mydoma.in (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for hostname.mydoma.in
>>>>>>>>
>>>>>>>> Can you check with the dig or host command if the hostname is really resolvable on that machine? Do you have a proper resolver in /etc/resolv.conf?
>>>>>>> There is a resolver given in /etc/resolv.conf. When I do "host <>" I get the right IPv6 back.
>>>>>> That is weird because IPA is doing basically the same.
>>>>>>
>>>>>>>>> hostname.mydoma.in is actually the DNS entry for the old FreeIPA server, which actually resolves, but only to an IPv6 address of course.
>>>>>>>>> I can continue the installation though by entering "yes".
>>>>>>>>>
>>>>>>>>> I then get asked:
>>>>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>>>
>>>>>>>>> When I enter the IPv6 address of the new replica host it doesn't accept it but infinitely asks this question instead.
>>>>>>>>
>>>>>>>> Have you pressed Enter twice? It should end the prompt and continue with the installation.
>>>>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot use IP network address 2a02:1:2:3::4
>>>>>>
>>>>>> How do you have the IP address configured on your interface? Does it have prefix /128?
>>>>> Yes, that's right. It's an IP being assigned statefully by a DHCPv6 server.
>>>>> There is also another dynamic IP within the same prefix having /64. I don't want to use this one of course, because its IID changes.
>>>>>
>>>> Could you set (temporarily) the prefix for that address to /64 and re-run the installer? IPA 4.3 has a check that prevents you from using a /128 prefix.
>>> Well now I don't even get asked for the IP. The setup wizard continues, but I now get this error:
>>>
>>> [27/43]: restarting directory server
>>> ipa : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero exit status 1). See the installation log for details.
>>> [28/43]: setting up initial replication
>>> [error] error: [Errno 111] Connection refused
>>>
>>> LOG:
>>> 2016-10-26T15:14:46Z DEBUG Process finished, return code=1
>>> 2016-10-26T15:14:46Z DEBUG stdout=
>>> 2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv@MY-REALM.service failed because the control process exited with error code. See "systemctl status dirsrv@MY-REALM.service" and "journalctl -xe" for details.
>>> 2016-10-26T15:14:46Z CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero exit status 1). See the installation log for details.
>>> 2016-10-26T15:14:46Z DEBUG duration: 1 seconds
>>> 2016-10-26T15:14:46Z DEBUG [28/43]: setting up initial replication
>>> 2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):
>>>
>>> When I try to restart manually with "/bin/systemctl restart dirsrv@MY-REALM.service", this is what systemd logs:
>>> https://paste.fedoraproject.org/461439/raw/
>>>
>>
>> Could you please check /var/log/dirsrv/slapd-*/errors, there might be more details.
>>
>> Did you reuse an old IPA server for this installation?
>>
>> Martin
> This is what the logfile says:
> https://paste.fedoraproject.org/461685/raw/
>
> I tried to install this server as a replica a couple of times, but I even reinstalled all of the software and I keep using
> ipa-client-install --uninstall and
> ipa-server-install --uninstall

It looks like you encountered that problem yourself nearly a year ago:
https://fedorahosted.org/freeipa/ticket/5561

>>>>>>>>>
>>>>>>>>> Honestly, I can't see what I might have done wrong.
>>>>>>>>> The old FreeIPA host has a hostname that is in sync with its forward and reverse records.
>>>>>>>>> The new FreeIPA host as well has a hostname that symmetrically resolves, even though the hostname is using another second-level domain.
>>>>>>>>>
>>>>>>>>> Any hints?
>>>>>>>>> Jochen Demmer
>>>>>>>>
>>>>>>>> Martin
>>>>>>> Jochen

From jochen at winteltosh.de Thu Oct 27 08:48:11 2016
From: jochen at winteltosh.de (Jochen Demmer)
Date: Thu, 27 Oct 2016 10:48:11 +0200
Subject: [Freeipa-users] ipa-replica-install fails because dirsrv failed to start
In-Reply-To:
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de> <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com> <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de> <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com> <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de>
Message-ID:

On 27.10.2016 at 10:21, Martin Basti wrote:
> On 27.10.2016 10:02, Jochen Demmer wrote:
>> On 26.10.2016 at 17:31, Martin Basti wrote:
>>> [...]
>>> [...]
>>> Did you reuse an old IPA server for this installation?
>>>
>>> Martin
>> This is what the logfile says:
>> https://paste.fedoraproject.org/461685/raw/
>>
>> I tried to install this server as a replica a couple of times, but I even reinstalled all of the software and I keep using
>> ipa-client-install --uninstall and
>> ipa-server-install --uninstall
>
> It looks like the DS database is somehow corrupted; it is possible that there might be some leftovers from previous installations
>
> start: Failed to start databases, err=-1 BDB0092 Unknown error: -1
>
> I'm not sure what that error means, maybe the DS guys will know
>
> Can you run the server uninstall twice? It should remove all leftovers, and then check /var/lib/dirsrv/ if there are any slapd-* directories; if yes, please remove them
>
> Martin

I uninstalled freeipa-*, deleted /etc/dirsrv and /var/lib/dirsrv, rebooted, reinstalled and ran into the exact same problem.

> [...]

From lkrispen at redhat.com Thu Oct 27 09:06:13 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 27 Oct 2016 11:06:13 +0200
Subject: [Freeipa-users] ipa-replica-install fails because dirsrv failed to start
In-Reply-To:
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de> <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com> <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de> <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com> <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de>
Message-ID: <5811C385.3050207@redhat.com>

On 10/27/2016 10:48 AM, Jochen Demmer wrote:
> On 27.10.2016 at 10:21, Martin Basti wrote:
>> On 27.10.2016 10:02, Jochen Demmer wrote:
>>> [...]
>>> [...]
>>> I tried to install this server as a replica a couple of times, but I even reinstalled all of the software and I keep using
>>> ipa-client-install --uninstall and
>>> ipa-server-install --uninstall
>>
>> It looks like the DS database is somehow corrupted; it is possible that there might be some leftovers from previous installations
>>
>> start: Failed to start databases, err=-1 BDB0092 Unknown error: -1
>>
>> Can you run the server uninstall twice? It should remove all leftovers, and then check /var/lib/dirsrv/ if there are any slapd-* directories; if yes, please remove them
>>
>> Martin
> I uninstalled freeipa-*, deleted /etc/dirsrv and /var/lib/dirsrv, rebooted, reinstalled and ran into the exact same problem.

You get the failure because the certificate database cannot be read:

[26/Oct/2016:17:17:58.018611176 +0200] Can't find certificate Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[26/Oct/2016:17:17:58.104832444 +0200] Can't get private key from cert Server-Cert in attrcrypt_fetch_private_key: -8174 - security library: bad database.
[26/Oct/2016:17:17:58.112911216 +0200] Error: unable to initialize attrcrypt system for userRoot
[26/Oct/2016:17:17:58.116560926 +0200] start: Failed to start databases, err=-1 BDB0092 Unknown error: -1

Martin, shouldn't ipa install create this, or can there be some leftovers?

> [...]

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From b.candler at pobox.com Thu Oct 27 09:07:40 2016
From: b.candler at pobox.com (Brian Candler)
Date: Thu, 27 Oct 2016 10:07:40 +0100
Subject: [Freeipa-users] FreeIPA domains and sub-domains
In-Reply-To: <20161027083010.wwezmnn2ww5ozfxv@redhat.com>
References: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca> <81146581-c4d1-681b-db47-7f1eb45af5d2@pobox.com> <20161027083010.wwezmnn2ww5ozfxv@redhat.com>
Message-ID: <77f21e19-18c2-626d-2419-d1c107aa7088@pobox.com>

On 27/10/2016 09:30, Alexander Bokovoy wrote:
> Yes, you can do that, there is no issue at all.
Thank you for confirming that.
To the OP: in that case, I'd still recommend that you choose a distinct Kerberos realm like IPA.YOURCOMPANY.COM, with associated primary domain "ipa.yourcompany.com", and let FreeIPA manage that domain so that it sets up all the right SRV records for auto-discovery. But you don't need to put any hosts inside that DNS domain at all.

This gives you the flexibility to set up future Kerberos realms like AD.YOURCOMPANY.COM if you deploy Active Directory or Samba4 later.

Regards,

Brian.

From peljasz at yahoo.co.uk Thu Oct 27 09:54:06 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Thu, 27 Oct 2016 10:54:06 +0100
Subject: [Freeipa-users] rpm dependencies
In-Reply-To: <20161027082823.frddqylnj4tocddj@redhat.com>
References: <15448e66-30e9-7ee1-4b27-7870727e0c08@redhat.com> <20161027082823.frddqylnj4tocddj@redhat.com>
Message-ID: <50c0b747-3a88-bf0c-abd7-e56562d8c5bd@yahoo.co.uk>

On 27/10/16 09:28, Alexander Bokovoy wrote:
> # rpm -q --requires freeipa-server|grep ^lib|xargs -n1 rpm -q --whatprovides|sort -u
> glibc-2.23.1-10.fc24.x86_64
> krb5-libs-1.14.4-4.fc24.x86_64
> libcom_err-1.42.13-4.fc24.x86_64
> libgcc-6.2.1-2.fc24.x86_64
> libsss_nss_idmap-1.14.2-1.fc24.x86_64
> libtalloc-2.1.6-1.fc24.x86_64
> libtevent-0.9.28-1.fc24.x86_64
> libunistring-0.9.4-3.fc24.x86_64
> libuuid-2.28.2-1.fc24.x86_64
> libverto-0.2.6-6.fc24.x86_64
> nspr-4.13.1-1.fc24.x86_64
> nss-3.27.0-1.1.fc24.x86_64
> nss-util-3.27.0-1.0.fc24.x86_64
> openldap-2.4.44-1.fc24.x86_64
> openssl-libs-1.0.2j-1.fc24.x86_64
> samba-client-libs-4.4.6-1.fc24.x86_64
>
> You cannot remove samba-client-libs due to this.
>
> We also do not support downgrading Samba.

ough, this is not good, this Siamese-twins type of existence. Easy AD integration is a very nice thing to have, but admins/users should also be able to disintegrate equally easily. It to me goes way too weird - sssd won't exist (according to rpm deps logic) without sssd-ad, and then IPA follows. We should have an IPA which does not depend on Samba.
I myself am in a sticky wicket situation right now - my BDC Samba 4.2.x on CentOS 7 is not happy with the userdb multi-master LDAP backend; the PDC, which is CentOS 6.8 with 3.6.23-36.el6_8, has ruled that little domain fine for many years and win clients, etc. are OK. But Samba 4.2.x fails. I believe it might be a bug - I have even submitted a report: https://bugzilla.redhat.com/show_bug.cgi?id=1388589 - but I'm stuck!! I cannot try (at least not in an orderly manner) any Samba 3 version, which I believe would be a quick & nice fix to my problem.
I'm stuck between these Siamese twins.
hmm...kupa.
L.

From slaznick at redhat.com Thu Oct 27 10:15:23 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Thu, 27 Oct 2016 12:15:23 +0200
Subject: [Freeipa-users] ipa automount bug?
In-Reply-To:
References:
Message-ID: <84aa5368-8537-8d78-b6e7-4e372df52b50@redhat.com>

Hello,

I am no automount expert so I will leave answering those questions to those who are, but see my comment inline.

On 10/27/2016 06:16 AM, William Muriithi wrote:
> Evening,
>
> I am trying to import some autofs maps from a file to FreeIPA LDAP and have noticed two problems that can be considered a bug in my humble opinion. This is on:
>
> ipa-server-4.2.0-15.0.1.el7
>
> 1. This either is a documentation bug that suggests one can specify a parent map while that's actually not the case, or the ipa I am running has a bug and can't handle a parent map. Below is what I get when I try to specify a parent map:
>
> [root@hydrogen ~]# ipa automountmap-add-indirect default auto.projects-prs1013 ?-mount=/projects/prs1013 --parentmap=auto.projects

Is this a direct copy-paste from the terminal? If so, and your e-mail client did not do any reformatting, then the first character in "?-mount=/projects/prs1013" is not a dash, which results in it being recognized as a third argument, thus the warning about at most 2 arguments.
>
> ipa: ERROR: command 'automountmap_add_indirect' takes at most 2 arguments
>
> I had got the idea that this is possible from the documentation below:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-maps.html
>
> According to the document, I should be able to specify an automap parent. However, it doesn't look like that's actually supported.
>
> 2. How would one import existing maps to the ipa auto.home map? Import seems to be only capable of importing to auto.master, which makes its utility doubtful.
>
> [root@hydrogen ~]# ipa automountlocation-import default /tmp/2016-10-26/auto.home
>
> Imported maps:
> Imported keys:
>
> Added adam to auto.master
> ......
>
> I think we should have a flag that allows importing keys to maps other than auto.master.
>
> Regards,
> William

From mbasti at redhat.com Thu Oct 27 10:14:42 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 27 Oct 2016 12:14:42 +0200
Subject: [Freeipa-users] ipa-replica-install fails because of IPv6?
In-Reply-To: <511eece7-c623-896a-4bb3-af5973d58e37@winteltosh.de>
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de> <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com> <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de> <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com> <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de> <511eece7-c623-896a-4bb3-af5973d58e37@winteltosh.de>
Message-ID:

On 27.10.2016 10:33, Jochen Demmer wrote:
> On 27.10.2016 at 10:02, Jochen Demmer wrote:
>> On 26.10.2016 at 17:31, Martin Basti wrote:
>>> [...]
>>> Did you reuse an old IPA server for this installation?
>>>
>>> Martin
>> This is what the logfile says:
>> https://paste.fedoraproject.org/461685/raw/
>>
>> I tried to install this server as a replica a couple of times, but I even reinstalled all of the software and I keep using
>> ipa-client-install --uninstall and
>> ipa-server-install --uninstall
> It looks like you encountered that problem yourself nearly a year ago:
> https://fedorahosted.org/freeipa/ticket/5561

IPA hasn't been released with this bug, it was in the development version only.

> [...]

From mbabinsk at redhat.com Thu Oct 27 10:22:56 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 27 Oct 2016 12:22:56 +0200
Subject: [Freeipa-users] ipa-replica-install fails because dirsrv failed to start
In-Reply-To:
References: <6cabd71f-9e06-2778-d534-d5039846c301@winteltosh.de> <36079a29-0ccd-9aa7-5e7e-9eb3f99e6089@redhat.com> <68ba2f75-2ec3-205e-99bb-26737965f4c3@winteltosh.de> <5e55e85e-6b11-e56a-914b-42594aa703b4@redhat.com> <2ded2848-a5ef-8e5e-591e-9c98dc6fe8f0@winteltosh.de> <087c11ce-dae5-8584-c31b-f9233c3412b0@redhat.com> <5ed2b215-6b51-db8f-f897-86d129367889@winteltosh.de> <2d166fde-b04e-28fc-4fd6-8cc636416af7@redhat.com> <8dc96dc9-838b-844f-fc16-20eeaf2619de@winteltosh.de>
Message-ID:

On 10/27/2016 10:48 AM, Jochen Demmer wrote:
> On 27.10.2016 at 10:21, Martin Basti wrote:
>> On 27.10.2016 10:02, Jochen Demmer wrote:
>>> [...]
>>>>>>>>>>>
>>>>>>>>>>> Now I want to set up a FreeIPA replica at another site also running IPv6, Fedora 24 and freeipa-server-4.3.2-2.fc24.x86_64
>>>>>>>>>>> First I run "ipa-client-install" which succeeds without an error.
>>>>>>>>>>> When I invoke "ipa-replica-install" I get this error:
>>>>>>>>>>> ipa : ERROR Could not resolve hostname *hostname.mydoma.in* using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
>>>>>>>>>>> LOG:
>>>>>>>>>>> 2016-10-26T12:14:39Z DEBUG Search DNS server *hostname.mydoma.in* (['2a01:f11:1:1::1', '2a01:f11:1:1::1', '2a01:f11:1:1::1']) for *hostname.mydoma.in*
>>>>>>>>>>
>>>>>>>>>> Can you check with the dig or host command if the hostname is really resolvable on that machine? Do you have a proper resolver in /etc/resolv.conf?
>>>>>>>>> There is a resolver given in /etc/resolv.conf. When I do "host <>" I get the right IPv6 back.
>>>>>>>> That is weird because IPA is doing basically the same.
>>>>>>>>
>>>>>>>>>>> *hostname.mydoma.in* is actually the DNS entry for the old FreeIPA server, which actually resolves, but only to an IPv6 address of course.
>>>>>>>>>>> I can continue the installation though by entering "yes".
>>>>>>>>>>>
>>>>>>>>>>> I then get asked:
>>>>>>>>>>> Enter the IP address to use, or press Enter to finish.
>>>>>>>>>>> Please provide the IP address to be used for this host name:
>>>>>>>>>>>
>>>>>>>>>>> When I enter the IPv6 address of the new replica host it doesn't accept it but infinitely asks this question instead.
>>>>>>>>>>
>>>>>>>>>> Have you pressed Enter twice? It should end the prompt and continue with the installation.
>>>>>>>>> Enter without an IP -> No usable IP address provided nor resolved.
>>>>>>>>> Enter with an IP -> Error: Invalid IP Address 2a02:1:2:3::4 cannot use IP network address 2a02:1:2:3::4
>>>>>>>>
>>>>>>>> How have you configured the IP address on your interface? Does it have prefix /128?
>>>>>>> Yes, that's right. It's an IP being assigned statefully by a DHCPv6 server.
>>>>>>> There is also another dynamic IP within the same prefix having /64. I don't want to use this one of course, because its IID changes.
>>>>>>>
>>>>>> Could you set (temporarily) the prefix for that address to /64 and re-run the installer? IPA 4.3 has a check that prevents you from using a /128 prefix.
>>>>> Well now I don't even get asked for the IP. The setup wizard continues, but I now get this error:
>>>>>
>>>>>   [27/43]: restarting directory server
>>>>> ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero exit status 1). See the installation log for details.
>>>>>   [28/43]: setting up initial replication
>>>>>   [error] error: [Errno 111] Connection refused
>>>>>
>>>>> LOG:
>>>>> 2016-10-26T15:14:46Z DEBUG Process finished, return code=1
>>>>> 2016-10-26T15:14:46Z DEBUG stdout=
>>>>> 2016-10-26T15:14:46Z DEBUG stderr=Job for dirsrv@MY-REALM.service failed because the control process exited with error code. See "systemctl status dirsrv@MY-REALM.service" and "journalctl -xe" for details.
>>>>> 2016-10-26T15:14:46Z CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@MY-REALM.service' returned non-zero exit status 1). See the installation log for details.
>>>>> 2016-10-26T15:14:46Z DEBUG duration: 1 seconds
>>>>> 2016-10-26T15:14:46Z DEBUG   [28/43]: setting up initial replication
>>>>> 2016-10-26T15:14:56Z DEBUG Traceback (most recent call last):
>>>>>
>>>>> When I try to restart manually with "/bin/systemctl restart dirsrv@MY-REALM.service", this is what systemd logs:
>>>>> https://paste.fedoraproject.org/461439/raw/
>>>>
>>>> Could you please check /var/log/dirsrv/slapd-*/errors, there might be more details.
>>>>
>>>> Did you reuse an old IPA server for this installation?
>>>>
>>>> Martin
>>> This is what the logfile says:
>>> https://paste.fedoraproject.org/461685/raw/
>>>
>>> I tried to install this server as a replica a couple of times, but I even reinstalled all of the software and I keep using
>>> ipa-client-install --uninstall and
>>> ipa-server-install --uninstall
>>
>> It looks like the DS database is somehow corrupted; it is possible that there might be some leftovers from previous installations.
>>
>> start: Failed to start databases, err=-1 BDB0092 Unknown error: -1
>>
>> I'm not sure what that error means, maybe the DS guys will know.
>>
>> Can you run the server uninstall twice? It should remove all leftovers. Then check /var/lib/dirsrv/ for any slapd-* directories; if there are any, please remove them.
>>
>> Martin
> I uninstalled freeipa-*, deleted /etc/dirsrv and /var/lib/dirsrv, rebooted, reinstalled and ran into the exact same problem.
>>>>>>>>>>> Honestly, I can't see what I might have done wrong.
>>>>>>>>>>> The old FreeIPA host's hostname is in sync in forward and reverse records.
>>>>>>>>>>> The new FreeIPA host as well has a hostname that symmetrically resolves, even though the hostname is using another second level domain.
>>>>>>>>>>>
>>>>>>>>>>> Any hints?
>>>>>>>>>>> Jochen Demmer
>>>>>>>>>> Martin
>>>>>>>>> Jochen

After the failed install please inspect the contents of the directory server NSS database. It is located with other files in /etc/dirsrv/slapd-$YOUR_REALM/:

certutil -L -d /etc/dirsrv/slapd-$YOUR_REALM/

See that the nickname 'Server-Cert' mentioned in the error message is present. Also make sure that the NSS files (cert8.db, key3.db, pin.txt, pwdfile.txt, and secmod.db) are readable by the dirsrv user.

If all else fails, try to re-create the replica file on the master and re-install the replica with it.

-- 
Martin^3 Babinsky

From rcritten at redhat.com  Thu Oct 27 12:14:56 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 Oct 2016 14:14:56 +0200
Subject: [Freeipa-users] ipa automount bug?
In-Reply-To: <84aa5368-8537-8d78-b6e7-4e372df52b50@redhat.com>
References: <84aa5368-8537-8d78-b6e7-4e372df52b50@redhat.com>
Message-ID: <5811EFC0.2050601@redhat.com>

Standa Laznicka wrote:
> Hello,
>
> I am no automount expert so I will leave answering those questions to those but see my comment inline.
>
> On 10/27/2016 06:16 AM, William Muriithi wrote:
>> Evening,
>>
>> I am trying to import some autofs maps from a file to FreeIPA LDAP and have noticed two problems that can be considered a bug in my humble opinion. This is on:
>>
>> ipa-server-4.2.0-15.0.1.el7
>>
>> 1. This either is a documentation bug that suggests one can specify a parent map while that's actually not the case, or the ipa I am running has a bug and can't handle a parent map. Below is what I get when I try to specify a parent map:
>>
>> [root@hydrogen ~]# ipa automountmap-add-indirect default auto.projects-prs1013 ?-mount=/projects/prs1013 --parentmap=auto.projects
> Is this a direct copy-paste from the terminal?
> If so, and your e-mail client did not do any reformatting, then the first character in "?-mount=/projects/prs1013" is not a dash, which results in it being recognized as a third argument, thus the warning about at most 2 arguments.
>>
>> ipa: ERROR: command 'automountmap_add_indirect' takes at most 2 arguments
>>
>> I had got the idea that this is possible from the documentation below:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-maps.html
>>
>> According to the document, I should be able to specify an automap parent. However, it doesn't look like that's actually supported.
>>
>> 2. How would one import existing maps to the ipa auto.home map? Import seems to be only capable of importing to auto.master, which makes its utility doubtful.
>>
>> [root@hydrogen ~]# ipa automountlocation-import default /tmp/2016-10-26/auto.home
>>
>> Imported maps:
>> Imported keys:
>>
>> Added adam to auto.master
>> ......
>>
>> I think we should have a flag that allows importation of keys to maps other than auto.master.

You're right, auto.master is hardcoded. Please open an RFE for this if you need to be able to specify the mount.

rob

From rcritten at redhat.com  Thu Oct 27 12:23:29 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 27 Oct 2016 14:23:29 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To:
References:
Message-ID: <5811F1C1.2060505@redhat.com>

Joshua Ruybal wrote:
> While trying to run IPA replica prepare with debug, we see an unexplained failure.
>
> Debug seems to show the process running smoothly, then I see: "Certificate issuance failed".
>
> Looking at previous mail-archives, I see that someone has run into this before, however all permissions on caIPAserviceCert.cfg are correct (the solution for him).
>
> Is there any method to get more details on the failure from ipa-replica-prepare?

I'd check the dogtag logs.
This error is thrown when no certificate is issued by the CA. There is no way other than instrumenting the code to get more details about the error from ipa-replica-prepare.

rob

From michael at stroeder.com  Thu Oct 27 12:40:35 2016
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 27 Oct 2016 14:40:35 +0200
Subject: [Freeipa-users] cn=deleted users,cn=accounts
Message-ID: <7534bf15-0c4a-af0f-e10a-f7503ce6805b@stroeder.com>

HI!

I wonder which action in the FreeIPA Web UI (4.2.0) moves an active user to this container:

cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com

Selecting [Delete] as action really deletes the LDAP entry. Likely I missed something.

Ciao, Michael.

From michael at stroeder.com  Thu Oct 27 12:45:09 2016
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 27 Oct 2016 14:45:09 +0200
Subject: [Freeipa-users] cn=deleted users,cn=accounts
In-Reply-To: <7534bf15-0c4a-af0f-e10a-f7503ce6805b@stroeder.com>
References: <7534bf15-0c4a-af0f-e10a-f7503ce6805b@stroeder.com>
Message-ID: <061aa77f-1901-71f0-1323-60bc8c2149ec@stroeder.com>

Michael Ströder wrote:
> I wonder which action in the FreeIPA Web UI (4.2.0) moves an active user to this container:
>
> cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com
>
> Selecting [Delete] as action really deletes the LDAP entry.

Ah, found it myself:
It makes a difference choosing action [Delete] when displaying a single user entry or from the user overview table. The latter asks whether to preserve the entry or not.

Is this UI inconsistency fixed in a later release?

Ciao, Michael.

From william.muriithi at gmail.com  Thu Oct 27 12:45:39 2016
From: william.muriithi at gmail.com (William Muriithi)
Date: Thu, 27 Oct 2016 08:45:39 -0400
Subject: [Freeipa-users] ipa automount bug?
In-Reply-To: <84aa5368-8537-8d78-b6e7-4e372df52b50@redhat.com>
References: <84aa5368-8537-8d78-b6e7-4e372df52b50@redhat.com>
Message-ID:

>> [root@hydrogen ~]# ipa automountmap-add-indirect default auto.projects-prs1013 ?-mount=/projects/prs1013 --parentmap=auto.projects
>
> Is this a direct copy-paste from the terminal? If so, and your e-mail client did not do any reformatting, then the first character in "?-mount=/projects/prs1013" is not a dash, which results in it being recognized as a third argument, thus the warning about at most 2 arguments.
>
Thanks for that observation. It was indeed the case and it worked when I fixed that typo.

Thanks a bunch

William

>> ipa: ERROR: command 'automountmap_add_indirect' takes at most 2 arguments
>>
>> I had got the idea that this is possible from the documentation below:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-maps.html

ported keys:

William

From pvomacka at redhat.com  Thu Oct 27 12:57:03 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Thu, 27 Oct 2016 14:57:03 +0200
Subject: [Freeipa-users] cn=deleted users,cn=accounts
In-Reply-To: <061aa77f-1901-71f0-1323-60bc8c2149ec@stroeder.com>
References: <7534bf15-0c4a-af0f-e10a-f7503ce6805b@stroeder.com> <061aa77f-1901-71f0-1323-60bc8c2149ec@stroeder.com>
Message-ID:

Hello Michael,

Yes, the delete dialog on the details page was extended in version 4.4 ( https://fedorahosted.org/freeipa/ticket/5370 ).
On 10/27/2016 02:45 PM, Michael Ströder wrote:
> Michael Ströder wrote:
>> I wonder which action in the FreeIPA Web UI (4.2.0) moves an active user to this container:
>>
>> cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com
>>
>> Selecting [Delete] as action really deletes the LDAP entry.
> Ah, found it myself:
> It makes a difference choosing action [Delete] when displaying a single user entry or from the user overview table. The latter asks whether to preserve the entry or not.
>
> Is this UI inconsistency fixed in a later release?
>
> Ciao, Michael.

-- 
Pavel^3 Vomacka

From pvoborni at redhat.com  Thu Oct 27 14:40:18 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2016 16:40:18 +0200
Subject: [Freeipa-users] cn=deleted users,cn=accounts
In-Reply-To: <061aa77f-1901-71f0-1323-60bc8c2149ec@stroeder.com>
References: <7534bf15-0c4a-af0f-e10a-f7503ce6805b@stroeder.com> <061aa77f-1901-71f0-1323-60bc8c2149ec@stroeder.com>
Message-ID: <695a60ff-e1dc-46a8-ff0e-3ac8e090785a@redhat.com>

On 10/27/2016 02:45 PM, Michael Ströder wrote:
> Michael Ströder wrote:
>> I wonder which action in the FreeIPA Web UI (4.2.0) moves an active user to this container:
>>
>> cn=deleted users,cn=accounts,cn=provisioning,dc=example,dc=com
>>
>> Selecting [Delete] as action really deletes the LDAP entry.
>
> Ah, found it myself:
> It makes a difference choosing action [Delete] when displaying a single user entry or from the user overview table. The latter asks whether to preserve the entry or not.
>
> Is this UI inconsistency fixed in a later release?

Yes, it has been fixed in the 4.4 release.

>
> Ciao, Michael.
>
-- 
Petr Vobornik

From elwellj at vmcmail.com  Thu Oct 27 15:22:49 2016
From: elwellj at vmcmail.com (Elwell, Jason)
Date: Thu, 27 Oct 2016 10:22:49 -0500
Subject: [Freeipa-users] PWM password self-service integration with FreeIPA
In-Reply-To: <1477404077.18284.26.camel@redhat.com>
References: <1477404077.18284.26.camel@redhat.com>
Message-ID:

I have updated the gist using the PWM documentation I found to do just that. Let me know if that is more acceptable. I'm feeling my way through this, please pardon my lack of savoir-faire.

See latest at https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a

*Jason Elwell*
*Office: 205-298-3731 *
*Cell: 205-603-4195 *
elwellj at vmcmail.com

On Tue, Oct 25, 2016 at 9:01 AM, Simo Sorce wrote:
> On Sun, 2016-10-23 at 12:22 -0500, Elwell, Jason wrote:
>> I posted this on the PWM boards, and figured I'd send this along here, too. I'm looking for feedback on this. Let me know if you find this accurate and/or valuable. Thanks!
>>
>> PWM setup for FreeIPA
>> https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a
>>
>> PwmConfiguration-template.xml
>> https://gist.github.com/PowerWagon/0e83a0c5b67316a6987944b76eb103bc
>
> Jason,
> It seems to me your ACIs are too lax. You should also make the PWM user a password synchronization agent and not just give it blanket access to read everything from the directory and write every password; you should limit it to users, for example, and not allow it to change services' or hosts' "passwords".
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York

From pvoborni at redhat.com  Thu Oct 27 15:47:50 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 27 Oct 2016 17:47:50 +0200
Subject: [Freeipa-users] Setting "preserve" as default action when deleting in webUI
In-Reply-To:
References:
Message-ID: <4b372f1d-d364-51ca-f878-0286fc644ba7@redhat.com>

On 10/21/2016 02:13 PM, Sébastien Julliot wrote:
> Hi everyone,
>
> In order to prevent administrators from making mistakes that could have silly consequences, I would like to set "preserve" as the default selected action in freeipa's webui.
>
> What do you think would be the best way to achieve this?

1. Quick, more work: Create a Web UI plugin which would change the hardcoded default to the other value:
   related code: https://git.fedorahosted.org/cgit/freeipa.git/tree/install/ui/src/freeipa/user.js#n989
   example plugins: https://pvoborni.fedorapeople.org/plugins/
   plugin info: https://pvoborni.fedorapeople.org/doc/#!/guide/Plugins

2. Uncertain delivery: File a ticket to change the default or make it configurable (IMO better). Let the core team implement it. But note that there is quite a big number of other tickets which we prioritize.
   https://fedorahosted.org/freeipa/newticket

3. Do #2 and contribute a patch for it. When reviewed, it would then go to the currently developed version (4.5).
   This might be more work than #1.

4. Dirty: change the default directly in the Web UI code. Doesn't work well with upgrades, not supported, hard to find it in minimized code.

>
> Thank you in advance,
> Sebastien Julliot.

-- 
Petr Vobornik

From b.candler at pobox.com  Thu Oct 27 15:50:56 2016
From: b.candler at pobox.com (Brian Candler)
Date: Thu, 27 Oct 2016 16:50:56 +0100
Subject: [Freeipa-users] FreeIPA domains and sub-domains
In-Reply-To: <77f21e19-18c2-626d-2419-d1c107aa7088@pobox.com>
References: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca> <81146581-c4d1-681b-db47-7f1eb45af5d2@pobox.com> <20161027083010.wwezmnn2ww5ozfxv@redhat.com> <77f21e19-18c2-626d-2419-d1c107aa7088@pobox.com>
Message-ID: <234d9d76-801b-2880-ae66-cc67c9488c0e@pobox.com>

On 27/10/2016 10:07, Brian Candler wrote:
> To the OP: in that case, I'd still recommend that you choose a distinct kerberos realm like IPA.YOURCOMPANY.COM, with associated primary domain "ipa.yourcompany.com", and let FreeIPA manage that domain so that it sets up all the right SRV records for auto-discovery. But you don't need to put any hosts inside that DNS domain at all.

Aside: I have just been trying this out. What's slightly confusing is that the ipa server-install process requires you to set a "domain name" as well as a realm, and it's not clear to me which "domain" to put here. Is this the domain which corresponds to the realm, or the domain which the clients normally reside in, or something else?

For example, suppose I have realm IPA.MYCOMPANY.COM but my servers are xxx.int.mycompany.com. Should I set the FreeIPA "domain" to ipa.mycompany.com or int.mycompany.com, or mycompany.com?

After some experimentation, it seems that the LDAP baseDN is always taken from the realm (dc=ipa,dc=mycompany,dc=com).
But the DNS domain is used for:

- nisDomain and associatedDomain
- ipaDefaultEmailDomain
- crucially, the SRV records are published under the DNS domain

So it looks like really you should put "ipa.mycompany.com" as the DNS domain, even if the IPA servers are in a different domain.

Regards,

Brian.

From bahanw042014 at gmail.com  Thu Oct 27 16:12:51 2016
From: bahanw042014 at gmail.com (bahan w)
Date: Thu, 27 Oct 2016 18:12:51 +0200
Subject: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
In-Reply-To:
References:
Message-ID:

Help?

Best regards.

Bahan

On Tue, Oct 25, 2016 at 1:00 PM, bahan w wrote:
> Re.
>
> There is no time difference between client and server.
>
> I checked the httpd error log and saw no errors.
> Same with the dirsrv error logs.
>
> Any other idea?
>
> By looking at the log, I'm wondering if this is a question of session?
>
> See there:
> ###
> ipa: DEBUG: args=keyctl pipe 44063864
> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa: DEBUG: found session_cookie in persistent storage for principal '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
> ipa: DEBUG: setting session_cookie into context 'ipa_session=26a7252e4853374fc7439eae5926c584;'
> ###
>
> At that time, it was not yet expired but there were only a few minutes before expiration (something like 10 minutes).
> What is this persistent storage which is mentioned in the logs?
>
> Best regards.
>
> Bahan
>
> On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky wrote:
>
>> On 10/25/2016 10:27 AM, bahan w wrote:
>>
>>> Hello everyone!
>>>
>>> I have an ipa server and an ipa client both in 3.0.0-47.
>>>
>>> In order to connect via SSH to the host of the ipa-client, I use root.
>>> When I'm connected to the ipa-client via ssh as root, I do a kinit of a user with a keytab:
>>> ###
>>> kinit -kt /etc/security/keytabs/.headless.keytab
>>> ###
>>>
>>> And sometimes, once I have the TGT, when I do just an ipa user-show, I get the following error:
>>> ###
>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>>> ###
>>>
>>> When I check the ticket, it is not expired:
>>> ###
>>> # klist
>>> Ticket cache: FILE:/tmp/krb5cc_root_
>>> Default principal: @
>>>
>>> Valid starting     Expires            Service principal
>>> 10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
>>> ###
>>>
>>> Do you know where it can come from and how I can solve this error, please?
>>>
>>> Here is more information with the debug option:
>>> ###
>>> ipa -d user-show
>>> ###
>>>
>>> Result:
>>> ###
>>> ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>>> ipa: DEBUG: args=klist -V
>>> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
>>> ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:@
>>> ipa: DEBUG: stdout=44063864
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: args=keyctl pipe 44063864
>>> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: found session_cookie in persistent storage for principal '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
>>> ipa: DEBUG: setting session_cookie into context 'ipa_session=26a7252e4853374fc7439eae5926c584;'
>>> ipa: INFO: trying https:///ipa/session/xml
>>> ipa: DEBUG: Created connection context.xmlclient
>>> ipa: DEBUG: raw: user_show(u'', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
>>> ipa: DEBUG: user_show(u'', rights=False, all=False, raw=False, version=u'2.49', no_members=False)
>>> ipa: INFO: Forwarding 'user_show' to server u'https:///ipa/session/xml'
>>> ipa: DEBUG: NSSConnection init
>>> ipa: DEBUG: Connecting: 10.79.28.51:0
>>>
>>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>> Data:
>>>   Version: 3 (0x2)
>>>   Serial Number: 10 (0xa)
>>>   Signature Algorithm:
>>>     Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>   Issuer: CN=Certificate Authority,O=
>>>   Validity:
>>>     Not Before: Mon Nov 23 13:01:37 2015 UTC
>>>     Not After: Thu Nov 23 13:01:37 2017 UTC
>>>   Subject: CN=,O=
>>>   Subject Public Key Info:
>>>     Public Key Algorithm:
>>>       Algorithm: PKCS #1 RSA Encryption
>>>     RSA Public Key:
>>>       Exponent:
>>>         65537 (0x10001)
>>>   Signed Extensions: (5 total)
>>>     Name: Certificate Authority Key Identifier
>>>     Critical: False
>>>     Key ID:
>>>       39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50:f7:7f:85:85
>>>     Serial Number: None
>>>     General Names: [0 total]
>>>
>>>     Name: Authority Information Access
>>>     Critical: False
>>>     Authority Information Access: [1 total]
>>>       Info [1]:
>>>         Method: PKIX Online Certificate Status Protocol
>>>         Location: URI: http://:80/ca/ocsp
>>>
>>>     Name: Certificate Key Usage
>>>     Critical: True
>>>     Usages:
>>>       Digital Signature
>>>       Non-Repudiation
>>>       Key Encipherment
>>>       Data Encipherment
>>>
>>>     Name: Extended Key Usage
>>>     Critical: False
>>>     Usages:
>>>       TLS Web Server Authentication Certificate
>>>       TLS Web Client Authentication Certificate
>>>
>>>     Name: Certificate Subject Key ID
>>>     Critical: False
>>>     Data:
>>>       30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1:ad:84:68:8b
>>>
>>>   Signature:
>>>     Signature Algorithm:
>>>       Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>   Fingerprint (MD5):
>>>     7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53
>>>   Fingerprint (SHA1):
>>>     2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90:75:81:d5:0b
>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>> ipa: DEBUG: cert valid True for "CN=,O="
>>> ipa: DEBUG: handshake complete, peer = :443
>>> ipa: DEBUG: Protocol: TLS1.2
>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
>>> ipa: DEBUG: Caught fault 2100 from server https:///ipa/session/xml: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>>> ###
>>>
>>> Any guidance about where it can come from or what to do?
>>>
>>> From the ipa-server, in the krb5kdc.log, I sometimes found this kind of message:
>>> ###
>>> Oct 25 09:59:37 krb5kdc[30767](info): ... CONSTRAINED-DELEGATION s4u-client=@
>>> Oct 25 09:59:37 krb5kdc[30767](info): ... CONSTRAINED-DELEGATION s4u-client=@
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>
>> I would firstly check the time difference between client and IPA server.
>> If the time skew is too great all sorts of errors can pop up regarding
>> Kerberos authentication.
>>
>> I would also check /var/log/http/error_log and
>> /var/log/dirsrv/slapd-/errors for additional info. I suspect
>> there is something wrong with the keytab of HTTP principal on the IPA
>> server.
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>

From tyrell at jentink.net Thu Oct 27 19:47:11 2016
From: tyrell at jentink.net (Tyrell Jentink)
Date: Thu, 27 Oct 2016 12:47:11 -0700
Subject: [Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.
In-Reply-To: References: Message-ID:

Thank you Petr! I found the problem, but quite by accident... There may be a Best Practice at hand that I wasn't aware of...

I still have the Windows AD server sitting on the side, serving as DHCP server and waiting patiently for my Cross Realm Trust; That server will forward DNS requests to the IPA server, and return a non-authoritative answer. Occasionally, that server will seemingly lose track of the IPA server, and stop returning results... And that happened while I was trying to follow through with your request for info... So as a quick work around, I simply dropped the AD server from my resolv.conf... And then performed your requests, without errors. I ran the DNS Update from the ipa-server-install script, and that worked without errors. I added the AD server back into resolv.conf, and everything failed again. I put the AD server as the SECOND name server in resolv.conf, and the errors went away. So I've clearly identified the problem.
I uninstalled the client, and reinstalled the client, and everything went cleanly. To prevent this problem in the future... I will be changing the DHCP options to list the IPA DNS first for the Linux clients, and the AD DNS first for Windows clients; I still want the AD DNS server in the list, as a fallback. Is this plan the best practice here? On Wed, Oct 26, 2016 at 11:36 PM, Petr Spacek wrote: > On 27.10.2016 04:43, Tyrell Jentink wrote: > >> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to > >> > /etc/ipa/.dns_update.txt: > >> > 2016-10-26T23:30:40Z DEBUG debug > >> > > >> > update delete trainmaster.ipa.rxrhouse.net. IN A > >> > show > >> > send > >> > > >> > update delete trainmaster.ipa.rxrhouse.net. IN AAAA > >> > show > >> > send > >> > > >> > update add trainmaster.ipa.rxrhouse.net. 1200 IN A 10.42.0.100 > >> > show > >> > send > >> > > >> > 2016-10-26T23:30:40Z DEBUG Starting external process > >> > 2016-10-26T23:30:40Z DEBUG args=/usr/bin/nsupdate -g > >> > /etc/ipa/.dns_update.txt > >> > 2016-10-26T23:30:40Z DEBUG Process finished, return code=1 > >> > 2016-10-26T23:30:40Z DEBUG stdout=Outgoing update query: > >> > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> > ;; UPDATE SECTION: > >> > trainmaster.ipa.rxrhouse.net. 0 ANY A > >> > > >> > Outgoing update query: > >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562 > >> > ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > >> > ;; QUESTION SECTION: > >> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY > >> > > >> > ;; ADDITIONAL SECTION: > >> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. > 1477524640 > [...] 
> >> > > >> > 2016-10-26T23:30:40Z DEBUG stderr=Reply from SOA query: > >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38738 > >> > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, > ADDITIONAL: 0 > >> > ;; QUESTION SECTION: > >> > ;trainmaster.ipa.rxrhouse.net. IN SOA > >> > > >> > ;; AUTHORITY SECTION: > >> > ipa.rxrhouse.net. 0 IN SOA > ipa-pdc.ipa.rxrhouse.net. > >> > hostmaster.ipa.rxrhouse.net. 1477524446 3600 900 1209600 3600 > >> > > >> > Found zone name: ipa.rxrhouse.net > >> > The master is: ipa-pdc.ipa.rxrhouse.net > >> > start_gssrequest > >> > Found realm from ticket: IPA.RXRHOUSE.NET > >> > send_gssrequest > >> > recvmsg reply from GSS-TSIG query > >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39562 > >> > ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > >> > ;; QUESTION SECTION: > >> > ;3107127915.sig-ipa-pdc.ipa.rxrhouse.net. ANY TKEY > >> > > >> > ;; ANSWER SECTION: > >> > 3107127915.sig-ipa-pdc.ipa.rxrhouse.net. 0 ANY TKEY gss-tsig. > 1466301805 > >> > 1466388205 3 NOERROR 101 > >> > YGMGCSqGSIb3EgECAgMAflQwUqADAgEFoQMCAR6kERgPMjAxNjA2MTkw > >> > MjAzMjVapQUCAwHGkaYDAgEpqREbD0FELlJYUkhPVVNFLk5FVKoUMBKg > >> > AwIBAaELMAkbB2FkLXBkYyQ= > >> > 0 > >> > > >> > dns_tkey_negotiategss: failure GSSAPI error: Major = Unspecified GSS > >> > failure. Minor code may provide more information, Minor = Message > stream > >> > modified. > >> > > >> > 2016-10-26T23:30:40Z DEBUG nsupdate failed: Command > '/usr/bin/nsupdate -g > >> > /etc/ipa/.dns_update.txt' returned non-zero exit status 1 > >> > 2016-10-26T23:30:40Z ERROR Failed to update DNS records. > >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: > >> > trainmaster.ipa.rxrhouse.net IN A > >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record. > >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: > >> > trainmaster.ipa.rxrhouse.net IN AAAA > >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record. 
> >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: Query: 100.0.42.10.in-addr.arpa.
> >> > IN PTR
> >> > 2016-10-26T23:30:40Z DEBUG DNS resolver: No record.
> >> > 2016-10-26T23:30:40Z WARNING Missing A/AAAA record(s) for host
> >> > trainmaster.ipa.rxrhouse.net: 10.42.0.100.
> >> > 2016-10-26T23:30:40Z WARNING Missing reverse record(s) for address(es):
> >> > 10.42.0.100.
> >> >
> > -- Full logs can be found here: http://pastebin.com/90dG9Ffu
> >
> > - For grins, I decided to test:
> > kinit admin
> > id admin
> > getent passwd admin
> > on the client, and all of those made valid responses... So
> > authentication is working, I just can't update DNS records.
> >
> >
> > So that's what I've tried, and where I'm at... My client machines running
> > modern client software can NOT update DNS records, complaining about GSSAPI
> > "Message Stream Modified" errors... And I have no idea how to troubleshoot
> > that... Any ideas?
>
> Interesting, I haven't seen this one :-)
>
> There is something fishy in GSSAPI negotiation between the client and DNS
> server.
>
> I would try this (and watch out for suspicious messages along the way):
>
> 1) To be sure, please double-check that ipa-pdc.ipa.rxrhouse.net. resolves
> (from the client) to correct IP address of IPA DNS server.
>
> 2) Verify that Kerberos ticket for the DNS server can be obtained:
> $ kinit -k
> $ kvno DNS/ipa-pdc.ipa.rxrhouse.net
> $ klist # it should list Kerberos ticket for ipa-pdc.ipa.rxrhouse.net
>
> 3) Create a plain text file with update message content:
> cat > /tmp/dnsupdate <<EOF
> debug
> update delete trainmaster.ipa.rxrhouse.net. IN A
> send
> EOF
>
> 4) call nsupdate on it
> $ KRB5_TRACE=/dev/stdout nsupdate -g /tmp/dnsupdate
>
> Does it produce the same error? (It should, but with more debuginfo.)
>
>
> What version of server and client packages are you using?
>
> --
> Petr^2 Spacek
>

From abokovoy at redhat.com Thu Oct 27 20:06:56 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 27 Oct 2016 23:06:56 +0300
Subject: [Freeipa-users] FreeIPA domains and sub-domains
In-Reply-To: <234d9d76-801b-2880-ae66-cc67c9488c0e@pobox.com>
References: <883c4c27cae474f6a2b97cd461f41013@thesandhufamily.ca> <81146581-c4d1-681b-db47-7f1eb45af5d2@pobox.com> <20161027083010.wwezmnn2ww5ozfxv@redhat.com> <77f21e19-18c2-626d-2419-d1c107aa7088@pobox.com> <234d9d76-801b-2880-ae66-cc67c9488c0e@pobox.com>
Message-ID: <20161027200656.jtpmfhrqvgfkranq@redhat.com>

On to, 27 loka 2016, Brian Candler wrote:
>On 27/10/2016 10:07, Brian Candler wrote:
>>To the OP: in that case, I'd still recommend that you choose a
>>distinct kerberos realm like IPA.YOURCOMPANY.COM, with associated
>>primary domain "ipa.yourcompany.com", and let FreeIPA manage that
>>domain so that it sets up all the right SRV records for
>>auto-discovery. But you don't need to put any hosts inside that DNS
>>domain at all.
>
>Aside: I have just been trying this out.
>
>What's slightly confusing is that the ipa server-install process
>requires you to set a "domain name" as well as a realm, and it's not
>clear to me which "domain" to put here. Is this the domain which
>corresponds to the realm, or the domain which the clients normally
>reside in, or something else?
>
>For example, suppose I have realm IPA.MYCOMPANY.COM but my servers are
>xxx.int.mycompany.com. Should I set the FreeIPA "domain" to
>ipa.mycompany.com or int.mycompany.com, or mycompany.com ?
It really depends on your taste, nothing else.
There are some technical details, though, that you should look at:

- Kerberos implementations have to deal with both realm to DNS and DNS to
  realm conversions. When there is no static configuration of KDCs per realm,
  MIT Kerberos would take the name of the realm and treat it as a DNS domain
  name to perform SRV record query (_kerberos._udp.REALM and _kerberos._tcp.REALM).
- for DNS hostname to realm conversion, if realm is unknown, MIT Kerberos
  might look up TXT record _kerberos.$domain.

These two details mean the following:

- DNS domain corresponding to your REALM should be under your control. Note
  that it effectively means if you are using single word REALM, you are asking
  for trouble with dynamic KDC resolution (do you own one-word top level
  domain .REALM? With DNSSEC?)
- all other domains where the same REALM is in use should have TXT record
  pointing to your REALM.
- As long as you can control how clients resolve DNS hostnames to REALM and
  discover configuration of the REALM, you should be fine.

This is why we recommend to have IPA primary DNS domain the same as REALM. You can have both IPA masters and IPA clients in other DNS domains too but the DNS domain named as your REALM has to be under your control.

Final detail is related to the forest trust to Active Directory. Microsoft implementation of Active Directory protocol stack assumes your DNS domain is equal to your realm and that _kerberos._udp or _kerberos._tcp and _ldap._tcp SRV records for this domain point to the proper Active Directory DCs authoritative for the forest of REALM. This is why we recommend to have IPA primary DNS domain the same as REALM. You can have both IPA masters and IPA clients in other DNS domains too but the DNS domain named as your REALM has to be under your control. This will make your life going forward much simpler.

>After some experimentation, it seems that the LDAP baseDN is always
>taken from the realm (dc=ipa,dc=mycompany,dc=com).
>But the DNS domain is used for:
>
>- nisDomain and associatedDomain
>- ipaDefaultEmailDomain
>- crucially, the SRV records are published under the DNS domain
>
>So it looks like really you should put "ipa.mycompany.com" as the DNS
>domain, even if the IPA servers are in a different domain.
FreeIPA enforces realm to primary DNS domain through these elements, right, out of practical needs outlined above.

--
/ Alexander Bokovoy

From michael at stroeder.com Thu Oct 27 17:27:39 2016
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 27 Oct 2016 19:27:39 +0200
Subject: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?
In-Reply-To: References: <20161024045332.GD26501@dhcp-40-8.bne.redhat.com> <20161025045524.GI3554@dhcp-40-8.bne.redhat.com>
Message-ID:

Fil Di Noto wrote:
> In my imagination, I see IPA for whatever reason comes across a cert
> it signed in the past and decides it needs to compare the SAN to the
> directory. Then it sees the SAN doesn't have an associated principal
> in the directory. Who does IPA trust? (the directory obviously). IPA
> says, "is this SAN in the directory? No. Did I sign the cert? Yes.
> Should I trust the cert? Yes because I signed it."

Speaking purely from the PKI perspective without detailed knowledge about FreeIPA: If the IPA directory is the only assured source of truth then the CA must revoke the cert because its knowledge about the assertion made in the cert (this public key belongs to this entity) cannot be verified anymore. Note that the assertion made in a cert has to be valid for the *complete* validity period of the cert, not only at the time of cert issuance. => If in doubt then revoke.

Ciao, Michael.
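As an added illustration of the realm-to-DNS and DNS-to-realm mappings Alexander lays out in the "FreeIPA domains and sub-domains" thread above (my own code, not from that thread or the FreeIPA project), here is a small Python model of both lookups run against a constructed in-memory DNS table. Every name in it (ipa.mycompany.com, int.mycompany.com, the single-word realm EXAMPLE) is an assumption made up for the example.

```python
# Constructed DNS data for the example, not real records.
CONSTRUCTED_DNS = {
    # realm -> KDC: SRV records live under the realm name used as a DNS domain
    ("_kerberos._udp.ipa.mycompany.com", "SRV"): ["ipa-master.int.mycompany.com"],
    ("_kerberos._tcp.ipa.mycompany.com", "SRV"): ["ipa-master.int.mycompany.com"],
    # host -> realm: TXT records in every domain where the realm is in use
    ("_kerberos.ipa.mycompany.com", "TXT"): ["IPA.MYCOMPANY.COM"],
    ("_kerberos.int.mycompany.com", "TXT"): ["IPA.MYCOMPANY.COM"],
}


def dns_query(name, rtype, table=CONSTRUCTED_DNS):
    """Stand-in for a resolver: names are case-insensitive, trailing dot optional."""
    return table.get((name.rstrip(".").lower(), rtype), [])


def realm_to_kdcs(realm, table=CONSTRUCTED_DNS):
    """Dynamic KDC discovery: the realm name itself becomes the DNS zone that
    is queried for _kerberos._udp / _kerberos._tcp SRV records.
    Returns (zone_queried, kdc_list); a single-word realm queries a TLD."""
    zone = realm.lower()
    kdcs = []
    for proto in ("_udp", "_tcp"):
        for kdc in dns_query("_kerberos.%s.%s" % (proto, zone), "SRV", table):
            if kdc not in kdcs:
                kdcs.append(kdc)
    return zone, kdcs


def host_to_realm(hostname, table=CONSTRUCTED_DNS):
    """DNS-based host -> realm mapping: ask for _kerberos.<name> TXT for the
    host itself, then for each parent domain, taking the first answer.
    Returns (realm, name_that_answered) or (None, None)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        txt = dns_query("_kerberos." + suffix, "TXT", table)
        if txt:
            return txt[0], suffix
    return None, None


def zones_to_control(realm, client_domains):
    """Zones whose DNS must be under your control for the two lookups above
    to be trustworthy: the realm's own domain (KDC discovery) and every
    client domain carrying a _kerberos TXT record (realm discovery).
    Also reports whether the realm is single-label, i.e. its zone is a TLD."""
    zones = {realm.lower()} | {d.rstrip(".").lower() for d in client_domains}
    return sorted(zones), "." not in realm


if __name__ == "__main__":
    print(host_to_realm("web1.int.mycompany.com"))
    print(realm_to_kdcs("IPA.MYCOMPANY.COM"))
    print(realm_to_kdcs("EXAMPLE"))  # zone 'example' is a TLD you do not own
    print(zones_to_control("IPA.MYCOMPANY.COM", ["int.mycompany.com"]))
```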
From jruybal at owneriq.com Thu Oct 27 20:21:00 2016
From: jruybal at owneriq.com (Joshua Ruybal)
Date: Thu, 27 Oct 2016 13:21:00 -0700
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To: <5811F1C1.2060505@redhat.com>
References: <5811F1C1.2060505@redhat.com>
Message-ID:

Took a look at the dogtag logs, the debug log only shows the following every time I run ipa-replica-prepare.

[27/Oct/2016:12:55:02][http-9444-1]: CMSServlet: curDate=Thu Oct 27 12:55:02 EDT 2016 id=caProfileSubmitSSLClient time=10

The other logs don't appear to have anything. I tried to run ipa cert-request on one of the servers and get:

(SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

I've checked that the cert is in /etc/httpd/alias, /etc/pki/nssdb, /etc/dirsrv/slapd-EXAMPLE-COM, and /etc/dirsrv/slapd-PKI-IPA

Is there anywhere else I would need to add the CA cert?

On Thu, Oct 27, 2016 at 5:23 AM, Rob Crittenden wrote:
> Joshua Ruybal wrote:
>
>> While trying to run IPA replica prepare with debug, we see an
>> unexplained failure.
>>
>> Debug seems to show the process running smoothly, then I see:
>> "Certificate issuance failed".
>>
>> Looking at previous mail-archives, I see that someone has run into this
>> before, however all permissions on caIPAserviceCert.cfg are correct (the
>> solution for him).
>>
>> Is there any method to get more details on the failure from
>> ipa-replica-prepare?
>>
>
> I'd check the dogtag logs. This error is thrown when no certificate is
> issued by the CA.
>
> There is no way other than instrumenting the code to get more details
> about the error from ipa-replica-prepare.
>
> rob
>

--
*Joshua Ruybal | Systems Engineer*
o: (866) 870-2295 x823
c: (206) 724-4549
e: jruybal at owneriq.com
From julliot at ljll.math.upmc.fr Thu Oct 27 22:14:04 2016
From: julliot at ljll.math.upmc.fr (Sebastien Julliot)
Date: Fri, 28 Oct 2016 00:14:04 +0200
Subject: [Freeipa-users] Setting "preserve" as default action when deleting in webUI
In-Reply-To: <4b88fa7e-4df2-ba82-0591-94f8ac37ac59@redhat.com>
References: <5f607850-9623-254e-1609-02fd922117c0@ljll.math.upmc.fr> <4b88fa7e-4df2-ba82-0591-94f8ac37ac59@redhat.com>
Message-ID:

Hello guys,

Thank you for your answers. First, I was able to modify the minified js to change the default. Ugly solution, but it works for now.

I am trying to write a plugin but it seems that I missed something here since, despite being executed, the default is not changed .. Here is my code, freely inspired by what I think I understood of your 'association_search_fix.js' example:

```
define([
    'freeipa/ipa',
    'freeipa/user'
], function(IPA, user) {

    var exp = {};

    // keep a reference to the stock dialog builder before replacing it
    exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;

    IPA.user.create_active_user_del_dialog = function(dialog) {
        dialog.deleter_dialog_create_content();

        dialog.option_layout = IPA.fluid_layout({
            label_cls: 'col-sm-3',
            widget_cls: 'col-sm-9'
        });

        // same radio as the stock dialog, but with "preserve" as the default
        dialog.option_radio = IPA.radio_widget({
            name: 'preserve',
            label: '@i18n:objects.user.delete_mode',
            options: [
                { label: '@i18n:objects.user.mode_delete', value: 'false' },
                { label: '@i18n:objects.user.mode_preserve', value: 'true' }
            ],
            default_value: 'true'
        });

        var html = dialog.option_layout.create([dialog.option_radio]);
        dialog.container.append(html);
        dialog.option_radio.set_value(['']);

        return dialog;
    };

    //exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;

    console.log('PRESERVE.JS WAS EXECUTED');

    return exp;
});
```

I checked that disabling the comment or not does not change anything. Can you see what I missed here ?

Thanks a lot,
Sebastien Julliot.
From william.muriithi at gmail.com Fri Oct 28 04:14:44 2016
From: william.muriithi at gmail.com (William Muriithi)
Date: Fri, 28 Oct 2016 00:14:44 -0400
Subject: [Freeipa-users] ipa automount bug?
In-Reply-To: <5811EFC0.2050601@redhat.com>
References: <84aa5368-8537-8d78-b6e7-4e372df52b50@redhat.com> <5811EFC0.2050601@redhat.com>
Message-ID:

Rob,

>>>
>>> 2. How would one import existing maps to the ipa auto.home map? Import
>>> seems to be only capable of importing to auto.master, which makes its
>>> utility doubtful
>>>
>>> [root at hydrogen ~]# ipa automountlocation-import default
>>> /tmp/2016-10-26/auto.home
>>>
>>> Imported maps:
>>> Imported keys:
>>>
>>> Added adam to auto.master
>>> ......
>>>
>>> I think we should have a flag that allows importation of keys to
>>> maps other than auto.master
>
>
> You're right, auto.master is hardcoded. Please open an RFE for this if you
> need to be able to specify the mount.

Thanks for confirming a problem. Will open a ticket on it this morning.

>
> rob
>

Regards,
William

From william.muriithi at gmail.com Sun Oct 30 07:26:50 2016
From: william.muriithi at gmail.com (William Muriithi)
Date: Sun, 30 Oct 2016 03:26:50 -0400
Subject: [Freeipa-users] is ipa-client-automount idempotent?
Message-ID:

Morning,

I am curious to know if ipa-client-automount would be safe to rerun multiple times. I have done a bit of google search and this doesn't seem to have been discussed previously in this list. I have attempted to rerun it on a system multiple times and it doesn't seem to break anything, but that doesn't mean it's not messing around with the configuration file somehow.

Regards,
William

From william.muriithi at gmail.com Sun Oct 30 08:08:14 2016
From: william.muriithi at gmail.com (William Muriithi)
Date: Sun, 30 Oct 2016 04:08:14 -0400
Subject: [Freeipa-users] is ipa-client-automount idempotent?
In-Reply-To: References: Message-ID:

Hi

On 30 October 2016 at 03:26, William Muriithi wrote:
> Morning,
>
> I am curious to know if ipa-client-automount would be safe to rerun
> multiple times. I have done a bit of google search and this doesn't
> seem to have been discussed previously in this list.
>

Ignore this question please. I have figured out the answer to my question. It's not idempotent.

Regards,
William

From jochen at jochen.org Sun Oct 30 10:58:10 2016
From: jochen at jochen.org (Jochen Hein)
Date: Sun, 30 Oct 2016 11:58:10 +0100
Subject: [Freeipa-users] OTP: using external validation server for Yubikeys?
Message-ID: <83vawam7ct.fsf@echidna.jochen.org>

Hi,

I'm running my own privacyidea instance to manage my Yubikey and other OTP tokens. Right now I have to decide in which system my Yubikey is managed - right now it is in privacyidea. My token is in yubico mode, so no HOTP/TOTP for now.

For now I run a FreeRADIUS as a frontend to privacyidea and use that in FreeIPA to authenticate my user, but I think it is too complex and fragile for my small installation. And FreeIPA is dependent on an external userstore (for me Kolab's dirsrv right now) as well.

What I'd find useful is something like the following:

- A yubikey token generates a 44 character OTP, the first 12 characters identify the token. This could be a factory initialized token or a locally initialized one.
- A user has a yubikey token assigned (the 12 character identifier) and a validation server that will check the OTP. Default servers could be yubico's validation servers (https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s) while it should be possible to use a self hosted infrastructure with yubico's software or something like privacyidea or linotp (somewhat similar to the RADIUS configuration). The validation protocol is explained at https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html and is quite simple. Authentication option for the user would be password+OTP.
- When logging in the user is first asked for the first factor (password), and then the second factor (OTP). ipa-otp would hand off the validation to the external server and act according to the response.

That way a yubikey token could be used for other applications (like Kolab/Roundcube, pam_yubico etc.) as well as for FreeIPA, because the secret and counter are stored in one central system that is queried by all applications.

Something like that would possibly require changes to the LDAP schema[1] in addition to changes to ipa-otp, ipa, and the webui.

Do you think something like that would be useful?

Jochen

[1] Kolab documents this at https://git.kolab.org/T414: The Roundcube plugin is basically functional to run locally as of commit rRPK9cd117d7. There's some documentation about the kolab_2fa plugin, its components, installation and configuration in the README.md. Please note that the Yubikey driver doesn't work with the LDAP storage due to missing coverage in the FreeIPA schema.

--
The only problem with troubleshooting is that the trouble shoots back.

From th at casalogic.dk Mon Oct 31 07:04:56 2016
From: th at casalogic.dk (Troels Hansen)
Date: Mon, 31 Oct 2016 08:04:56 +0100 (CET)
Subject: [Freeipa-users] Allow external AD users on webui
Message-ID: <58873534.735532.1477897496520.JavaMail.zimbra@casalogic.dk>

Hi there

After trying to add external usergroups from AD to allow (admin) users to log in to IPA webUI, by adding the groups to the local admin group and discovering that it didn't work, I found that as far as I can see, it's currently not possible, and found this rather old ticket on the case:

https://fedorahosted.org/freeipa/ticket/3242

I can see that it's currently pushed for IPA 4.5 and that the required patch seems to have been made, but also that the request has been pushed for some time now.
Is there an active plan for pushing this into the 4.5 release, as I too would like to have this implemented and see this as a BIG missing feature, that everyone has to log in as admin, or create local IPA users, to be able to log in to the webui.

From frli at paloaltonetworks.com Sat Oct 29 17:21:18 2016
From: frli at paloaltonetworks.com (Frank Li)
Date: Sat, 29 Oct 2016 17:21:18 +0000
Subject: [Freeipa-users] freeipa 4.2.0 ipa-cacert-manage not generating CSR with CA:True for chaining
Message-ID: <7A2164AE-17C3-4C7B-9209-0024F6D13644@paloaltonetworks.com>

We currently have IPA 4.2 servers working with a self-signed CA certificate with the REALM of xyz.local. I'm trying to chain our xyz.local CA cert with IT's abc.local CA cert so that users on corp laptops (with the abc.local cert already in the CA chain) would trust the xyz.local CA cert and not get the SSL cert warning when visiting sites with certs issued by the IPA installation.

I followed the steps in the freeipa documentation and ran:

ipa-cacert-manage renew --external-ca

It generated the ca.csr, but the CA attribute was set to False:

[root at xyz ipa]# openssl req -in ca.csr -noout -text | grep -B 2 X509
friendlyName :unable to print attribute
Requested Extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:FALSE

Please let me know how to generate the CSR so that CA is set to True, or do I need to manually modify the CSR to make it True?

Thanks.

--
Efficiency is Intelligent Laziness

From frolvlad at gmail.com Sun Oct 30 20:56:00 2016
From: frolvlad at gmail.com (Vladyslav Frolov)
Date: Sun, 30 Oct 2016 22:56:00 +0200
Subject: [Freeipa-users] How to fix a broken PKI state?
Message-ID:

Hello dear FreeIPA people,

After weeks of unsuccessful attempts, I seem to have run out of sane ideas of how to proceed.

I have been using FreeIPA in the Docker container https://github.com/adelton/docker-freeipa for over half a year now, and everything was fine up until this August when after a subsequent update my FreeIPA couldn't boot. I was messing things around and broke some file permissions, and it seems that during that process my PKI got reinstalled, so the CA certificate and other certificates were regenerated... But they only got updated in the PKI (according to `certutil -L -d /etc/pki/pki-tomcat/alias ...` information it has certificates from August while `/etc/dirsrv/slapd-*/` and `/etc/httpd/alias/` have certificates from March). Unfortunately, I don't have backups from the time before the issue...

Currently, everything but `pki-tomcat` is running successfully, though I think I won't be able to add a new host into the setup. I use `ipactl start --force` to ignore the PKI failure, but I would love to recover FreeIPA.

The most relevant log I have found is `/var/log/pki/pki-tomcat/ca/debug`, which reveals the following error:

```
[localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
Could not connect to LDAP server host freeipa.xxx.yyy.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. (-1)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5337)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
```

This is quite expected, given that PKI doesn't trust the old certificates that are still used by LDAP.

I have attempted several approaches:

1. Migration of my users and groups to a fresh FreeIPA installation succeeded, but it cannot migrate passwords nicely (meaning without asking users to visit a special page, which won't be available to them because FreeIPA is used for VPN auth, and is only available inside the VPN). It seems like I need to migrate kerberos keys also. How can I do that?

2. Renewing the certificates once again (using `ipa-cacert-manage renew --self-signed`) fails with the following errors:

```
Server at https://freeipa.xxx.yyy.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.
Certificate operation cannot be completed: Unable to communicate with CMS (500)).
CA certificate is not tracked by certmonger
```

And indeed,

```
# getcert list
Number of certificates and requests being tracked: 0.
```

3. Installing a new CA certificate following the steps for "external CA" (using `ipa-cacert-manage install ./ca.crt`) didn't work either:

```
Failed to install the certificate: subject public key info mismatch
```

Reading the Troubleshooting page, I learned that this error means that "The new CA certificate issued by the external CA uses a different public / private key pair than the old CA certificate." Also, I don't think this will help as PKI still cannot communicate with LDAP and HTTPD due to the already unsynced state.

Can anybody help me with this?

From abokovoy at redhat.com Mon Oct 31 07:33:14 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 31 Oct 2016 09:33:14 +0200
Subject: [Freeipa-users] Allow external AD users on webui
In-Reply-To: <58873534.735532.1477897496520.JavaMail.zimbra@casalogic.dk>
References: <58873534.735532.1477897496520.JavaMail.zimbra@casalogic.dk>
Message-ID: <20161031073314.so2svmdfadwgkh3y@redhat.com>

On ma, 31 loka 2016, Troels Hansen wrote:
>Hi there
>
>After trying to add external usergroups from AD to allow (admin) users
>to log in to IPA webUI, by adding the groups to the local admin group
>and discovering that it didn't work, I found that as far as I can see,
>it's currently not possible, and found this rather old ticket on the
>case:
>
>https://fedorahosted.org/freeipa/ticket/3242
>
>I can see that it's currently pushed for IPA 4.5 and that the required
>patch seems to have been made, but also that the request has been
>pushed for some time now.
>
>Is there an active plan for pushing this into the 4.5 release as I too
>would like to have this implemented and see this as a BIG missing
>feature that everyone has to log in as admin, or create local IPA
>users, to be able to log in to webui.
You make it sound as if it is a done deal. It is not; there are a number of changes that are not yet figured out how to do in an efficient way.

It is in our pipeline for 4.5. It is understandable that people ask for this feature. It should also be clear to you that had it been a simple thing, it would have been implemented already.

If you want to see progress, subscribe to the ticket.

--
/ Alexander Bokovoy

From frli at paloaltonetworks.com Mon Oct 31 07:46:16 2016
From: frli at paloaltonetworks.com (Frank Li)
Date: Mon, 31 Oct 2016 07:46:16 +0000
Subject: [Freeipa-users] freeipa 4.2.0 ipa-cacert-manage not generating CSR with CA:True for chaining
In-Reply-To: <7A2164AE-17C3-4C7B-9209-0024F6D13644@paloaltonetworks.com>
References: <7A2164AE-17C3-4C7B-9209-0024F6D13644@paloaltonetworks.com>
Message-ID: <029793C6-03E2-400C-9CAA-F599736DFAB7@paloaltonetworks.com>

We currently have IPA 4.2 servers working with a self-signed CA certificate with the REALM of xyz.local. I'm trying to chain our xyz.local CA cert with IT's abc.local CA cert so that users on corp laptops (with the abc.local cert already in the CA chain) would trust the xyz.local CA cert and not get the SSL cert warning when visiting sites with certs issued by the IPA installation.
I followed the steps in the FreeIPA documentation and ran:

    ipa-cacert-manage renew --external-ca

It generated the ca.csr, but the CA attribute was set to False:

    [root at xyz ipa]# openssl req -in ca.csr -noout -text | grep -B 2 X509
    friendlyName             :unable to print attribute
            Requested Extensions:
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:FALSE

Please let me know how to generate the CSR so that CA is set to True, or do I need to manually modify the CSR to make it True?

Thanks.

From th at casalogic.dk Mon Oct 31 07:51:14 2016
From: th at casalogic.dk (Troels Hansen)
Date: Mon, 31 Oct 2016 08:51:14 +0100 (CET)
Subject: [Freeipa-users] Allow external AD users on webui
In-Reply-To: <20161031073314.so2svmdfadwgkh3y@redhat.com>
References: <58873534.735532.1477897496520.JavaMail.zimbra@casalogic.dk> <20161031073314.so2svmdfadwgkh3y@redhat.com>
Message-ID: <117848539.736498.1477900274602.JavaMail.zimbra@casalogic.dk>

----- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy abokovoy at redhat.com wrote:

> You make it sound as if it is a done deal. It is not; there are a number
> of changes that we have not yet figured out how to do in an efficient way.
>
> It is in our pipeline for 4.5. It is understandable that people ask for
> this feature. It should also be clear to you that, had it been a simple
> thing, it would have been implemented already.
>
> If you want to see progress, subscribe to the ticket.

Hi Alexander

It was in no way a criticism of the FreeIPA team. I'm well aware of the work being put into this product by the core team, and appreciate every new release, but I'm also not really able to help much with the development, only with testing and feedback. I'm aware that this request isn't a simple change of structure, and of the complexity of the product.

Also, at the same time, a big thumbs up to the whole IPA team! Keep up the good work...
From abokovoy at redhat.com Mon Oct 31 07:59:36 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 31 Oct 2016 09:59:36 +0200
Subject: [Freeipa-users] Allow external AD users on webui
In-Reply-To: <117848539.736498.1477900274602.JavaMail.zimbra@casalogic.dk>
References: <58873534.735532.1477897496520.JavaMail.zimbra@casalogic.dk> <20161031073314.so2svmdfadwgkh3y@redhat.com> <117848539.736498.1477900274602.JavaMail.zimbra@casalogic.dk>
Message-ID: <20161031075936.msdjg655wak5qnry@redhat.com>

On ma, 31 loka 2016, Troels Hansen wrote:
> ----- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy abokovoy at redhat.com wrote:
>
>> You make it sound as if it is a done deal. It is not; there are a number
>> of changes that we have not yet figured out how to do in an efficient way.
>>
>> It is in our pipeline for 4.5. It is understandable that people ask for
>> this feature. It should also be clear to you that, had it been a simple
>> thing, it would have been implemented already.
>>
>> If you want to see progress, subscribe to the ticket.
>
> Hi Alexander
>
> It was in no way a criticism of the FreeIPA team. I'm well aware of the
> work being put into this product by the core team, and appreciate
> every new release, but I'm also not really able to help much with the
> development, only with testing and feedback.

That's why I asked you to subscribe to the ticket. Once the changes are ready, you could help with testing them.

--
/ Alexander Bokovoy

From pvomacka at redhat.com Mon Oct 31 15:18:43 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 31 Oct 2016 16:18:43 +0100
Subject: [Freeipa-users] Setting "preserve" as default action when deleting in webUI
In-Reply-To: <5f607850-9623-254e-1609-02fd922117c0@ljll.math.upmc.fr>
References: <5f607850-9623-254e-1609-02fd922117c0@ljll.math.upmc.fr> <4b88fa7e-4df2-ba82-0591-94f8ac37ac59@redhat.com>
Message-ID: <55650f44-97f4-b3e0-9907-7521a2f886ca@redhat.com>

Hello Sebastien,

I tried your plugin and it works correctly. The default value is Preserve with your plugin.
Did you copy your plugin into /var/share/ipa/ui/js/plugins/plugin_name/plugin_name.js? That should be enough.

On 10/28/2016 12:14 AM, Sebastien Julliot wrote:
> Hello guys,
>
> Thank you for your answers. First, I was able to modify the minified js
> to change the default. Ugly solution, but it works for now.
>
> I am trying to write a plugin but it seems that I missed something here
> since, despite being executed, the default is not changed ..
>
> Here is my code, freely inspired by what I think I understood of your
> 'association_search_fix.js' example:
>
>     define([
>         'freeipa/ipa',
>         'freeipa/user',
>     ],
>     function(IPA, user) {
>         // keep the plugin's exports local instead of leaking a global
>         var exp = {};
>
>         // keep a reference to the stock dialog factory before replacing it
>         exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;
>
>         IPA.user.create_active_user_del_dialog = function(dialog) {
>             dialog.deleter_dialog_create_content();
>             dialog.option_layout = IPA.fluid_layout({
>                 label_cls: 'col-sm-3',
>                 widget_cls: 'col-sm-9'
>             });
>             // same radio widget as upstream, but with 'preserve' preselected
>             dialog.option_radio = IPA.radio_widget({
>                 name: 'preserve',
>                 label: '@i18n:objects.user.delete_mode',
>                 options: [
>                     { label: '@i18n:objects.user.mode_delete', value: 'false' },
>                     { label: '@i18n:objects.user.mode_preserve', value: 'true' }
>                 ],
>                 default_value: 'true'
>             });
>             var html = dialog.option_layout.create([dialog.option_radio]);
>             dialog.container.append(html);
>             dialog.option_radio.set_value(['']);
>             return dialog;
>         };
>
>         //exp.orig_create_active_user_del_dialog = IPA.user.create_active_user_del_dialog;
>         console.log('PRESERVE.JS WAS EXECUTED');
>         return exp;
>     });
>
> I checked that disabling the comment or not does not change anything.
>
> Can you see what I missed here?
>
> Thanks a lot,
>
> Sebastien Julliot.
>

--
Pavel^3 Vomacka

From geordie.grindle at gmail.com Mon Oct 31 20:17:08 2016
From: geordie.grindle at gmail.com (Geordie Grindle)
Date: Mon, 31 Oct 2016 16:17:08 -0400
Subject: [Freeipa-users] SSH as Root on CentOS 7 fails
Message-ID: <568EA196-3F34-4C80-8C5C-198E81E8DE57@gmail.com>

Hello,

I'm unable to ssh as 'root' onto any of my new CentOS 7 hosts. I've always been able to do so on CentOS 6.x.

We normally have the file '/root/.k5login' listing the designated system admins' principals. Once on a CentOS 7 host, an admin can 'ksu' and become root as we expected.

We are using Puppet and Foreman to build our hosts, so they are, in every way we can think of, identical except for the OS version. I've confirmed forward and reverse DNS and that the 'kvno' number matches what's reported by 'klist -k'.

I enabled "LogLevel DEBUG" in sshd_config and restarted sshd on a CentOS 7 host:

    Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method none [preauth]
    Oct 31 19:22:36 someserver sshd[12378]: debug1: attempt 0 failures 0 [preauth]
    Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: initializing for "testuser"
    Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: setting PAM_RHOST to "someserver.test.com"
    Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: setting PAM_TTY to "ssh"
    Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic [preauth]
    Oct 31 19:22:36 someserver sshd[12378]: debug1: attempt 1 failures 0 [preauth]
    Oct 31 19:22:36 someserver sshd[12378]: Postponed gssapi-with-mic for testuser from 10.0.0.55 port 36383 ssh2 [preauth]
    Oct 31 19:22:36 someserver sshd[12378]: debug1: Received some client credentials
    Oct 31 19:22:36 someserver sshd[12378]: Authorized to testuser, krb5 principal testuser at TEST.COM (ssh_gssapi_krb5_cmdok)

    ################

    Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method none [preauth]
    Oct 31 19:35:42 someserver sshd[12409]: debug1: attempt 0 failures 0 [preauth]
    Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: initializing for "root"
    Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: setting PAM_RHOST to "someserver.test.com"
    Oct 31 19:35:42 someserver sshd[12409]: debug1: PAM: setting PAM_TTY to "ssh"
    Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
    Oct 31 19:35:42 someserver sshd[12409]: debug1: attempt 1 failures 0 [preauth]
    Oct 31 19:35:42 someserver sshd[12409]: Postponed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2 [preauth]
    Oct 31 19:35:42 someserver sshd[12409]: debug1: Received some client credentials
    Oct 31 19:35:42 someserver sshd[12409]: Failed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2
    ...
    Oct 31 19:35:42 someserver sshd[12577]: debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
    Oct 31 19:35:42 someserver sshd[12577]: debug1: attempt 4 failures 1 [preauth]

Appreciate any thoughts or suggestions you have.

Yours,
Geordie Grindle

From Steven.Jones at vuw.ac.nz Mon Oct 31 20:27:21 2016
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 31 Oct 2016 20:27:21 +0000
Subject: [Freeipa-users] 3 way IPA setup
Message-ID:

Hi,

I have a 3-way IPA 4.2 setup running on CentOS 7.2.

So ipa2 and ipa3 are replicas from ipa1.

Is a replication agreement set up between 2 and 3 automatically by default? (I suspect not.) How do I see whether this is or is not the case?
This is what I have so far,

==========
[root at glusterp2 ~]# ipa-replica-manage -v list
Directory Manager password:

glusterp2.ods.graywitch.co.nz: master
glusterp3.ods.graywitch.co.nz: master
glusterp1.ods.graywitch.co.nz: master
[root at glusterp2 ~]#
===
[root at glusterp3 ~]# ipa-replica-manage -v list
Directory Manager password:

glusterp2.ods.graywitch.co.nz: master
glusterp3.ods.graywitch.co.nz: master
glusterp1.ods.graywitch.co.nz: master
[root at glusterp3 ~]#
==========

If not, how do I set this up, as I can't find any documentation on how.

thanks

regards

Steven

From rcritten at redhat.com Mon Oct 31 20:33:24 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 31 Oct 2016 16:33:24 -0400
Subject: [Freeipa-users] 3 way IPA setup
In-Reply-To:
References:
Message-ID: <5817AA94.6040305@redhat.com>

Steven Jones wrote:
> Hi,
>
> I have a 3-way IPA 4.2 setup running on CentOS 7.2.
>
> So ipa2 and ipa3 are replicas from ipa1.
>
> Is a replication agreement set up between 2 and 3 automatically by
> default? (I suspect not.) How do I see whether this is or is not the case?
>
> This is what I have so far,
>
> ==========
> [root at glusterp2 ~]# ipa-replica-manage -v list
> Directory Manager password:
>
> glusterp2.ods.graywitch.co.nz: master
> glusterp3.ods.graywitch.co.nz: master
> glusterp1.ods.graywitch.co.nz: master
> [root at glusterp2 ~]#
> ===
> [root at glusterp3 ~]# ipa-replica-manage -v list
> Directory Manager password:
>
> glusterp2.ods.graywitch.co.nz: master
> glusterp3.ods.graywitch.co.nz: master
> glusterp1.ods.graywitch.co.nz: master
> [root at glusterp3 ~]#
> ==========
>
> If not, how do I set this up, as I can't find any documentation on how.

Re-run those with `hostname` appended and you'll see the replication agreements and their status (though in your case you just want to see who is talking to whom).

rob
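The list Steven shows is the list of masters, not the list of agreements; `ipa-replica-manage list <hostname>`, as Rob says, shows which peers a given master actually replicates with. The script below is an added example (not code from this thread or from the FreeIPA project) that takes that per-master view, collected from every master, and reports what matters operationally: whether every master can reach every other one at all, which pairs have no direct agreement, which master is the only path between the others (a single point of failure for replication), and agreements that only one side reports. The `AGREEMENTS` table is a constructed model of the setup described in the thread (two replicas both prepared from ipa1, so each has an agreement with ipa1 only); the hostnames are placeholders, not the thread's.

```python
"""Replication-topology check for a set of FreeIPA masters.

Added example; it is not code from this thread or from the FreeIPA project.
AGREEMENTS is a constructed model of the setup in the thread: ipa2 and ipa3
were both prepared as replicas of ipa1, so each has an agreement with ipa1
only.  On a real deployment fill it in from what `ipa-replica-manage list
<hostname>` prints on each master (hostnames here are placeholders).
"""
from collections import defaultdict

# Constructed input: master -> masters it reports a replication agreement with.
AGREEMENTS = {
    "ipa1.example.test": {"ipa2.example.test", "ipa3.example.test"},
    "ipa2.example.test": {"ipa1.example.test"},
    "ipa3.example.test": {"ipa1.example.test"},
}


def normalize(agreements):
    """Build an undirected adjacency map and list agreements seen from one side only.

    An agreement reported by one master but not by its peer usually means a
    half-created or half-deleted agreement; check it before assuming that
    replication works in both directions.
    """
    adj = defaultdict(set)
    one_sided = []
    for host, peers in agreements.items():
        adj.setdefault(host, set())  # isolated masters must still appear
        for peer in peers:
            adj[host].add(peer)
            adj[peer].add(host)
            if host not in agreements.get(peer, set()):
                one_sided.append((host, peer))
    return adj, sorted(one_sided)


def components(adj, excluded=frozenset()):
    """Connected components of the topology, ignoring the hosts in `excluded`."""
    seen, comps = set(), []
    for start in sorted(adj):
        if start in seen or start in excluded:
            continue
        stack, comp = [start], set()
        while stack:
            h = stack.pop()
            if h in comp or h in excluded:
                continue
            comp.add(h)
            stack.extend(adj[h])
        seen |= comp
        comps.append(comp)
    return comps


def analyze(agreements):
    """Return connectivity, missing direct links and single points of failure."""
    adj, one_sided = normalize(agreements)
    hosts = sorted(adj)
    missing_direct = [(a, b) for i, a in enumerate(hosts)
                      for b in hosts[i + 1:] if b not in adj[a]]
    base = len(components(adj))
    # A master whose removal splits the remaining masters into more pieces is
    # the only path between them: lose it and the two sides stop replicating.
    spof = [h for h in hosts if len(components(adj, {h})) > base]
    return {
        "connected": base == 1,
        "missing_direct": missing_direct,
        "single_points_of_failure": spof,
        "one_sided": one_sided,
    }


if __name__ == "__main__":
    for key, value in analyze(AGREEMENTS).items():
        print(f"{key}: {value}")
```

For the constructed input the report says the topology is connected, that ipa2 and ipa3 have no direct agreement, and that ipa1 is a single point of failure: if ipa1 is down, changes made on ipa2 never reach ipa3. Closing the triangle with `ipa-replica-manage connect` between the two replicas is the usual fix for that shape.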
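Going back to Geordie's sshd excerpt earlier on this page: with `LogLevel DEBUG` every connection produces a dozen lines, and the useful comparison is between a whole attempt that ends in `Authorized to ...` and one that ends in `Failed gssapi-with-mic ...`. The parser below is an added example, not part of the thread, that groups the lines by sshd PID and reduces each attempt to user, source address, methods tried and outcome, so the root failures can be pulled out with one call. `SAMPLE_LOG` is constructed from the posted excerpt (same host, PIDs and addresses; the principal is written with a literal `@`, which the list archive renders as ` at `).

```python
"""Group sshd debug-log lines by PID and report GSSAPI authentication outcomes.

Added example, not part of the thread.  SAMPLE_LOG is constructed from the
excerpt posted on the list (same host, PIDs and addresses).  Grouping by PID
puts the request, "Postponed", "Authorized" and "Failed" lines of one attempt
together, which is what you want when comparing a working user against root.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method none [preauth]
Oct 31 19:22:36 someserver sshd[12378]: debug1: PAM: initializing for "testuser"
Oct 31 19:22:36 someserver sshd[12378]: debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic [preauth]
Oct 31 19:22:36 someserver sshd[12378]: Postponed gssapi-with-mic for testuser from 10.0.0.55 port 36383 ssh2 [preauth]
Oct 31 19:22:36 someserver sshd[12378]: Authorized to testuser, krb5 principal testuser@TEST.COM (ssh_gssapi_krb5_cmdok)
Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method none [preauth]
Oct 31 19:35:42 someserver sshd[12409]: debug1: userauth-request for user root service ssh-connection method gssapi-with-mic [preauth]
Oct 31 19:35:42 someserver sshd[12409]: Postponed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2 [preauth]
Oct 31 19:35:42 someserver sshd[12409]: Failed gssapi-with-mic for root from 10.0.0.55 port 36384 ssh2
"""

# syslog prefix: "<Mon dd HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REQUEST = re.compile(r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
POSTPONED = re.compile(r"Postponed (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
AUTHORIZED = re.compile(r"Authorized to (?P<user>[^,]+), krb5 principal (?P<principal>\S+)")
FAILED = re.compile(r"Failed (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_sessions(log_text):
    """Return an ordered mapping pid -> summary of that authentication attempt."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line in this syslog format
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {
            "pid": pid, "host": m.group("host"), "first_seen": m.group("ts"),
            "user": None, "methods": [], "ip": None, "port": None,
            "principal": None, "outcome": "pending",
        })
        r = REQUEST.search(msg)
        if r:
            s["user"] = r.group("user")
            if r.group("method") not in s["methods"]:
                s["methods"].append(r.group("method"))
            continue
        p = POSTPONED.search(msg)
        if p:
            s["ip"], s["port"] = p.group("ip"), p.group("port")
            continue
        a = AUTHORIZED.search(msg)
        if a:
            s["principal"], s["outcome"] = a.group("principal"), "authorized"
            continue
        f = FAILED.search(msg)
        if f:
            s["ip"], s["port"], s["outcome"] = f.group("ip"), f.group("port"), "failed"
    return sessions


def find_failed_gssapi(sessions, user=None):
    """Attempts that tried gssapi-with-mic and ended in failure (optionally for one user)."""
    return [s for s in sessions.values()
            if s["outcome"] == "failed" and "gssapi-with-mic" in s["methods"]
            and (user is None or s["user"] == user)]


def summarize(sessions):
    """One human-readable line per attempt."""
    lines = []
    for s in sessions.values():
        if s["outcome"] == "authorized":
            lines.append(f"pid {s['pid']}: {s['user']} from {s['ip']} authorized as {s['principal']}")
        else:
            lines.append(f"pid {s['pid']}: {s['user']} from {s['ip']} {s['outcome']} "
                         f"({', '.join(s['methods'])})")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_sessions(SAMPLE_LOG)):
        print(line)
```

On the constructed sample the summary shows that both attempts came from the same client and both reached the GSSAPI step, and that only the `testuser` attempt produced an `Authorized to` line with a principal; for root the ticket was received but sshd never reported a principal as authorized, which is the point at which the `.k5login` lookup for the target account is decided. Feeding the real `/var/log/secure` through `find_failed_gssapi(sessions, user="root")` gives just the attempts worth comparing.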