[Freeipa-users] Ubuntu client 2FA not working

Tommy Nikjoo tommy.nikjoo at armourcomms.com
Mon Feb 6 13:56:06 UTC 2017


Hi,

I'm having some issues with 2FA PAM configs on Ubuntu clients.
Currently, I'm guessing that the PAM module doesn't know how to talk to
the 2FA protocol.  Is anyone able to give an insight into how to get
this working correctly?

Thanks



On 14/12/16 22:48, Fraser Tweedale wrote:
> On Wed, Dec 14, 2016 at 05:35:35PM +0000, Tommy Nikjoo wrote:
>> Hi,
>>
>> I'm trying to install FreeIPA on CentOS 7 using the yum package, but I
>> keep getting an error when it tries to restart DogTag
>>
>>   [26/31]: restarting certificate server
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
>> the Dogtag instance.See the installation log for details.
>>   [27/31]: migrating certificate profiles to LDAP
>>   [error] NetworkError: cannot connect to
>> 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
>> ipa.ipapython.install.cli.install_tool(Server): ERROR    cannot connect
>> to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
>> ipa.ipapython.install.cli.install_tool(Server): ERROR    The
>> ipa-server-install command failed. See /var/log/ipaserver-install.log
>> for more information
>>
>>
>> The log shows the following error
>>
>> 2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com
>> 2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0
>> 2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage =
>> SSL Server
>> 2016-12-14T16:53:05Z DEBUG cert valid True for
>> "CN=ldap.example.com,O=EXAMPLE.COM"
>> 2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443
>> 2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2
>> 2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
>> 2016-12-14T16:53:05Z DEBUG response status 200
>> 2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205',
>> 'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/;
>> Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server':
>> 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec
>> 2016 16:53:05 GMT', 'content-type': 'application/xml'}
>> 2016-12-14T16:53:05Z DEBUG response body '<?xml version="1.0"
>> encoding="UTF-8" standalone="yes"?><Account
>> id="ipara"><FullName>ipara</FullName><Roles><Role>Certificate Manager
>> Agents</Role><Role>Registration Manager Agents</Role></Roles></Account>'
>> 2016-12-14T16:53:05Z DEBUG request POST
>> https://ldap.example.com:8443/ca/rest/profiles/raw
>> 2016-12-14T16:53:05Z DEBUG request body
>> 'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user
>> certificates with IECUserRoles extension via IPA-RA agent
>> authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA
>> Agent-Authenticated Server Certificate
>> Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject
>> Name
>> Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject
>> Name
>> Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
>> O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity
>> Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity
>> Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key
>> Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key
>> Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No
>> Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority
>> Key Identifier
>> Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No
>> Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA
>> Extension
>> Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key
>> Usage Extension
>> Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key
>> Usage
>> Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No
>> Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended
>> Key Usage Extension
>> Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No
>> Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing
>> Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\npolicyset.serverCertSet.9.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.9.constraint.name=No
>> Constraint\npolicyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.serverCertSet.9.default.name=CRL
>> Distribution Points Extension
>> Default\npolicyset.serverCertSet.9.default.params.crlDistPointsCritical=false\npolicyset.serverCertSet.9.default.params.crlDistPointsNum=1\npolicyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate
>> Authority,o=ipaca\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName\npolicyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin\npolicyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName\npolicyset.serverCertSet.9.default.params.crlDistPointsReasons_0=\npolicyset.serverCertSet.10.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.10.constraint.name=No
>> Constraint\npolicyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.10.default.name=Subject
>> Key Identifier Extension
>> Default\npolicyset.serverCertSet.10.default.params.critical=false\npolicyset.serverCertSet.11.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.11.constraint.name=No
>> Constraint\npolicyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl\npolicyset.serverCertSet.11.default.name=User
>> Supplied Extension
>> Default\npolicyset.serverCertSet.11.default.params.userExtOID=2.5.29.17\npolicyset.serverCertSet.12.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.12.constraint.name=No
>> Constraint\npolicyset.serverCertSet.12.default.class_id=userExtensionDefaultImpl\npolicyset.serverCertSet.12.default.name=IECUserRoles
>> Extension
>> Default\npolicyset.serverCertSet.12.default.params.userExtOID=1.2.840.10070.8.1\n'
>>
>> Is there anything I can do to get around this?
>>
>> Thanks,
>>
>> Tommy
>>
> Could you look at `journalctl -u pki-tomcatd@pki-tomcat' and see if
> there are any errors there?
>
> Also could you provide more of /var/log/ipaserver-install.log and
> /var/log/pki/pki-tomcat/ca/debug ?
>
> Thanks,
> Fraser
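The request body quoted above is a Dogtag profile in its "raw" key=value form, and it is worth reading for more than the NetworkError: the IECUserRoles profile's key constraint accepts 1024-bit RSA keys and its signing-algorithm constraint allows MD2withRSA, MD5withRSA and the SHA-1 variants. The following is an added example, not code from the thread or from FreeIPA/Dogtag: a small parser for that raw format plus an audit that flags those weak settings, shown against a constructed excerpt of the quoted profile and against a hardened variant. The profile excerpt uses real newlines where the log shows escaped `\n`; the weak-algorithm list and the 2048-bit floor are this example's own policy assumptions.

```python
"""Audit a Dogtag 'raw' certificate profile (key=value lines) for weak crypto.

Added example, not part of the mailing-list thread or of FreeIPA/Dogtag.
PROFILE is a constructed, abbreviated excerpt of the IECUserRoles body quoted
in the thread; WEAK_SIGNING_ALGS and MIN_RSA_BITS are assumptions for this audit.
"""

# Constructed excerpt of the quoted request body (real newlines, not '\n' text).
PROFILE = (
    "profileId=IECUserRoles\n"
    "classId=caEnrollImpl\n"
    "policyset.list=serverCertSet\n"
    "policyset.serverCertSet.list=1,2,3,8\n"
    "policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\n"
    "policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\n"
    "policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\n"
    "policyset.serverCertSet.2.constraint.params.range=740\n"
    "policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\n"
    "policyset.serverCertSet.3.constraint.params.keyType=RSA\n"
    "policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\n"
    "policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\n"
    "policyset.serverCertSet.8.constraint.params.signingAlgsAllowed="
    "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,"
    "SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\n"
)

# Hardened variant of the same profile: no 1024-bit RSA, no MD2/MD5/SHA-1 signing.
HARDENED = PROFILE.replace(
    "keyParameters=1024,2048,3072,4096", "keyParameters=2048,3072,4096"
).replace(
    "signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,"
    "SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC",
    "signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC",
)

# Assumed audit policy: algorithms a modern CA should not be allowed to sign with.
WEAK_SIGNING_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withEC"}
MIN_RSA_BITS = 2048  # assumed floor for RSA key sizes


def parse_profile(text):
    """Parse key=value lines into a dict.

    Values may themselves contain '=' (e.g. the subject-name pattern
    'CN=[^,]+,.+'), so split only on the first '='.
    """
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def policysets(props):
    """Yield (policyset_name, policy_id) pairs declared by the *.list keys."""
    for set_name in props.get("policyset.list", "").split(","):
        set_name = set_name.strip()
        if not set_name:
            continue
        for pid in props.get(f"policyset.{set_name}.list", "").split(","):
            if pid.strip():
                yield set_name, pid.strip()


def audit_profile(text):
    """Return a sorted list of findings about weak constraints in the profile."""
    props = parse_profile(text)
    findings = []
    for set_name, pid in policysets(props):
        prefix = f"policyset.{set_name}.{pid}.constraint"
        cls = props.get(f"{prefix}.class_id", "")
        if cls == "signingAlgConstraintImpl":
            allowed = {a.strip() for a in props.get(f"{prefix}.params.signingAlgsAllowed", "").split(",")}
            for alg in sorted(allowed & WEAK_SIGNING_ALGS):
                findings.append(f"{set_name}.{pid}: weak signing algorithm allowed: {alg}")
        elif cls == "keyConstraintImpl" and props.get(f"{prefix}.params.keyType") == "RSA":
            for size in props.get(f"{prefix}.params.keyParameters", "").split(","):
                size = size.strip()
                if size.isdigit() and int(size) < MIN_RSA_BITS:
                    findings.append(f"{set_name}.{pid}: RSA key size below {MIN_RSA_BITS} allowed: {size}")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("quoted profile", PROFILE), ("hardened profile", HARDENED)):
        print(f"== {name} ==")
        for finding in audit_profile(text) or ["no findings"]:
            print("  ", finding)
```

Run against the quoted excerpt this reports the 1024-bit key size and the five MD2/MD5/SHA-1 algorithms; against the hardened variant it reports nothing. The same parser can be pointed at any profile fetched from `/ca/rest/profiles/raw`, which is a more useful thing to do with that endpoint than only checking that the installer can reach it.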

