June 2017 - FreeIPA-users - Fedora mailing-lists

certificate has expired?
by Roberto Cornacchia 07 Jun '17

07 Jun '17

Not being able to login to the admin console, I checked the httpd log and found the following errors: [Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. [Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: -8181 Certificate has expired [Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. [Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record of generation 47 of exiting child 10203 I also get an error during enrollment of a new client (which seems to retrieve a valid certificate anyway): Password for admin(a)HQ.SPINQUE.COM: Successfully retrieved CA cert Subject: CN=Certificate Authority,O=HQ.SPINQUE.COM Issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM Valid From: Mon Mar 16 18:44:35 2015 UTC Valid Until: Fri Mar 16 18:44:35 2035 UTC Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: TCP connection reset by peer Services are up: $ ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful Certificate monitoring seems ok: $ getcert list -d /etc/httpd/alias -n ipaCert Number of certificates and requests being tracked: 8. Request ID '20160501114633': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM subject: CN=IPA RA,O=HQ.SPINQUE.COM expires: 2019-01-26 19:41:51 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Version: $ ipa --version VERSION: 4.4.3, API_VERSION: 2.215 Could you please point me at what else to check?

3 6

IPA-clients fail to update DNS: "response to GSS-TSIG query was unsuccessful"
by Josh Pavel 07 Jun '17

07 Jun '17

I have a setup with 2 zones: My IPA realm is mob.nuance.com My first IPA server was built out with the DNS zone prod.mcs.som.mob.nuance.com My second IPA server is in a DNS zone of dev.mcs.az-eastus2.mob.nuance.com I can successfully add client to my first IPA server, and everything works as expected, including DNS updates. When I add clients to my second IPA server, they complete successfully for everything except updating DNS. I recreated the DNS Update file from ipa-client install log, and executed it manually as "admin" with debug. Any ideas what is wrong? # kinit admin Password for admin(a)MOB.NUANCE.COM: # id admin uid=1294000000(admin) gid=1294000000(admins) groups=1294000000(admins) # getent passwd admin admin:*:1294000000:1294000000:Administrator:/home/admin:/bin/bash # kinit -k # klist Ticket cache: KEYRING:persistent:0:krb_ccache_3k4KdJI Default principal: host/ metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com(a)MOB.NUANCE.COM Valid starting Expires Service principal 06/05/2017 18:11:39 06/06/2017 18:11:39 krbtgt/ MOB.NUANCE.COM(a)MOB.NUANCE.COM # nsupdate -v -g ./dns_update.txt Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY A Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58840 ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;metrics-frontend-01.dev.mcs.az-eastus2.mob.nuance.com. IN SOA ;; AUTHORITY SECTION: dev.mcs.az-eastus2.mob.nuance.com. 0 IN SOA freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. hostmaster.dev.mcs.az-eastus2.mob.nuance.com. 1496548206 3600 900 1209600 3600 Found zone name: dev.mcs.az-eastus2.mob.nuance.com The master is: freeipa-01.dev.mcs.az-eastus2.mob.nuance.com start_gssrequest send_gssrequest Outgoing update query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301 ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY ;; ADDITIONAL SECTION: 2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. 0 ANY TKEY gss-tsig. 1496686456 1496686456 3 NOERROR 750 YIIC6gYJKoZIhvcSAQICAQBuggLZMIIC1aADAgEFoQMCAQ6iBwMFACAA AACjggGyYYIBrjCCAaqgAwIBBaEQGw5NT0IuTlVBTkNFLkNPTaI+MDyg AwIBA6E1MDMbA0ROUxssZnJlZWlwYS0wMS5kZXYubWNzLmF6LWVhc3R1 czIubW9iLm51YW5jZS5jb22jggFPMIIBS6ADAgESoQMCAQKiggE9BIIB OT6iIBKUylVkyZojuFesiyK9xr2TNsJcCxjHSKxRxDTI781ECObVev0r 5FEux+izbNYji5vEZpfZDela6vLLJuieQ7EUz02jEMU9lvkhfuiaA9w8 UGLjT+l7TsKLLa6O+gnZ9bLWoTeR++QTE3g/5ePKCLd5rv/h3fvsHoW9 MxUD896pNNYCSutwm9Q6WigpMabxz4oli2l2YpbABJGEk6ZOB3Dr65m6 j4ou1LCnJpy0pkCwQfNPqPtF6UXUiL7DBvZfDhr+MlOeH7o0EBmUEiy2 uNIj9D6VaXeThLBMzyOeZRAVgutqSGxCiBraZ2hVGCQ5Xdet2XuJtUMq gZEn7uS6B8d5iIRDhsiOZ2eGUfZqReXaoE9YFBROvvyn0tosoqwW7YUZ 1Yc6gItyh2p7T8s3VBu1H4K8+vSkggEIMIIBBKADAgESooH8BIH56H4C tKcmdKBDujhBN3UmWECEm1stlWq1CcmSqtYmU6LpWa2duyX4rUDHfHVC 1eHhxrWB9mdEb3DKPHiJrJ0vLOuKJprPFEJpf/RGJylnglPs0JCf0Caa dGZpgeXCQ10xNIdKFsxzcgSChF5ClYK5A+Axg8zxVnLnNKCLR3TGdMrJ +YIOe04oHl4SdREVP09IrtubcOZSJeG3lRt4v/NHHuSMXXb337y/7ErU 1/8YoSs1K3H9du22vLF2VxB8k70DDtDKKpYFj1PzNXD5Tk7yuuWb//Ze voVsTc9g86212KzDYOfDdaN5JM2j51R/O/ummcYw8GnqR5Kt 0 recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14301 ;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;2603545440.sig-freeipa-01.dev.mcs.az-eastus2.mob.nuance.com. ANY TKEY *response to GSS-TSIG query was unsuccessful*

2 5

certificate has expired?
by Roberto Cornacchia 07 Jun '17

07 Jun '17

Not being able to login to the admin console, I checked the httpd log and found the following errors: [Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. [Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: -8181 Certificate has expired [Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. [Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record of generation 47 of exiting child 10203 I also get an error during enrollment of a new client (which seems to retrieve a valid certificate anyway): Password for admin(a)HQ.SPINQUE.COM: Successfully retrieved CA cert Subject: CN=Certificate Authority,O=HQ.SPINQUE.COM Issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM Valid From: Mon Mar 16 18:44:35 2015 UTC Valid Until: Fri Mar 16 18:44:35 2035 UTC Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: TCP connection reset by peer Services are up: $ ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful Certificate monitoring seems ok: $ getcert list -d /etc/httpd/alias -n ipaCert Number of certificates and requests being tracked: 8. Request ID '20160501114633': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM subject: CN=IPA RA,O=HQ.SPINQUE.COM expires: 2019-01-26 19:41:51 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Version: $ ipa --version VERSION: 4.4.3, API_VERSION: 2.215 Could you please point me at what else to check?

1 0

keytab usage?
by Kat 06 Jun '17

06 Jun '17

Ok, I guess I am not understanding something here. What am I missing? The PW is correct, but no matter what I do, I can't use the keytab file for a user as shown below: [root@ipa ~]# ktutil ktutil: addent -password -p cyberj(a)EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96 Password for cyberj(a)EXAMPLE.COM: ktutil: wkt /root/cyberj.keytab ktutil: q [root@ipa ~]# kinit -k -t cyberj.keytab cyberj(a)EXAMPLE.COM kinit: Password incorrect while getting initial credentials :-( -K

4 4

Scripting a SSSD client to add SIDtoUIDnumbers from ad Trust into custom LDAP schema.
by Frank Rey 06 Jun '17

06 Jun '17

I have a Netapp that does not support SSSD or Windbind and i want to use IDM ldap to do permission/name mapping. would using a Script on a SSSD client to populate a custom ldap schema in IPA with the SSSD uidnumber mappings be a bad idea? I know i would have to set up a cron job to run it at a reasonable interval. set it up to create and remove users added or removed from the Posix group i have mapped from the AD trust. Am i missing anything? Ray

2 2

Scripting a SSSD client to add SID to UIDnumbers from ad Trust into custom LDAP schema.
by Frank Rey 05 Jun '17

05 Jun '17

I have a Netapp that does not support SSSD or Windbind and i want to use IDM ldap to do permission/name mapping. would using a Script on a SSSD client to populate a custom ldap schema in IPA with the SSSD uidnumber mappings be a bad idea? I know i would have to set up a cron job to run it at a reasonable interval. set it up to create and remove users added or removed from the Posix group i have mapped from the AD trust. Ray

2 2

status of auditd integration on freeipa clients
by Sven Kieske 05 Jun '17

05 Jun '17

Hi, I got a question regarding integration of auditd on freeipa clients. What I want to achieve is full audit logging, like auditd provides, on the freeipa clients. we tried to hook auditd up with the currently deployed ipa via kerberos, but had no luck so far. we tried to reuse the already present kerberos authentication to transmit the auditdata in a secure way, but auditd needs the principal name to be "host/$hostname@REALM" whereas freeipa requires "$foo/$fqdn@REALM", so it seems we can't use kerberos tickets from ipa? (see also this ML Thread: https://www.redhat.com/archives/freeipa-users/2014-August/msg00079.html) it's very sad to see this divergent development, given that both projects are heavily developed by redhat, maybe this can get fixed? If I can help with this (even if you just need bug reports opened), please tell me so. In the mean time I would like to ask about the status of this project page: https://www.freeipa.org/page/Session_Recording Is this already implemnted? So far I couldn't find any practical examples on how to configure freeipa with auditd on freeipa clients :( If you know of any other working solution, please share! Thanks in advance -- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +495772 293100 F: +495772 293333 https://www.mittwald.de Geschäftsführer: Robert Meyer, Maik Behring St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217 HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH HRB 13260, AG Bad Oeynhausen

2 1

Privileges needed for ipa-client-install
by Ronald Wimmer 04 Jun '17

04 Jun '17

Which privileges are needed for ipa-client-install? I created a user and gave it host enrollment privileges. But that does not seem to be enough...

4 6

FreeIPA for simply managing DNS
by Striker Leggette 04 Jun '17

04 Jun '17

FreeIPA has a very well-made and easy to use DNS management GUI that would serve well as a standalone tool. Are there any plans to fork the DNS GUI like this for those who would like an easy DNS management application who do not necessarily need LDAP/PKI/Kerberos/etc.? -- Striker Leggette Identity Management linkedin.com/in/striker

5 4

ipa server-del results in "internal error"
by dbischof＠hrz.uni-kassel.de 03 Jun '17

03 Jun '17

Dear list, I'm in the process of upgrading my IPA installation (1 master, 1 replica, external DNS) from IPA version 3.0 to 4.4. I followed the instructions at [1]. Everything worked flawlessly (kudos to all developers and supporters!): My new 4.4 master is up and running. To my understanding, the last step would be to remove the still existing replication agreements of the old 3.0 master and replica before creating the new 4.4 replica (the new 4.4 master is new hardware with a new hostname, but i want to keep the old hardware and hostname for the 4.4 replica). My attempt to remove the old servers result in --- root@o201:~# ipa server-del poolsrv.example.org Removing poolsrv.example.org from replication topology, please wait... ipa: ERROR: an internal error has occurred --- The error occurs even if i try to remove a non-existing server with --force. Attempts to remove the server via the web interface fail as well. IPA/OS versions: --- root@o201:~# cat /etc/redhat-release CentOS Linux release 7.3.1611 (Core) root@o201:~# rpm -qa | grep -i ipa libipa_hbac-1.14.0-43.el7_3.14.x86_64 python-libipa_hbac-1.14.0-43.el7_3.14.x86_64 ipa-server-common-4.4.0-14.el7.centos.7.noarch python2-ipalib-4.4.0-14.el7.centos.7.noarch ipa-client-4.4.0-14.el7.centos.7.x86_64 ipa-common-4.4.0-14.el7.centos.7.noarch ipa-client-common-4.4.0-14.el7.centos.7.noarch python-ipaddress-1.0.16-2.el7.noarch python2-ipaserver-4.4.0-14.el7.centos.7.noarch sssd-ipa-1.14.0-43.el7_3.14.x86_64 ipa-admintools-4.4.0-14.el7.centos.7.noarch python2-ipaclient-4.4.0-14.el7.centos.7.noarch python-iniparse-0.4-9.el7.noarch ipa-server-4.4.0-14.el7.centos.7.x86_64 --- Something I could try? [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/ht… Best regards, --Daniel.

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2017