3:25 a.m.
Hi, I have 2 nodes of IPA system. The 'Server-Cert cert-pki-ca' of master node
was expired unexpectedly.
Based on https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf, this cert is
for HTTS( pki-tomcat), AKA Dogtag website.
As it was expired, Dogtag is OOS, either.
Right now, those services are not running,
---
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
---
This is /var/log/pki/pki-tomcat/ca/selftests.log
---------------------
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SystemCertsVerification:
system certs verification failure: Certificate Server-Cert cert-pki-ca is invalid: Invalid
certificate: (-8181) Peers Certificate has expired.
0.localhost-startStop-1 - [25/Dec/2019:16:16:54 HKT] [20] [1] SelfTestSubsystem: The
CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification
running at startup FAILED!
-----------------
And /var/log/pki/pki-tomcat/ca/debug
------------
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer)
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname():
calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer)
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertByNickname()
failed: java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid
certificate: (-8181) Peer's Certificate has expired.
[25/Dec/2019:17:07:53][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed:
java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: Invalid certificate:
(-8181) Peer's Certificate has expired.
-----------------
Output from certutil:
-------
Issuer: "CN=Certificate Authority,O=IPA.PTHL.HK"
Validity:
Not Before: Tue Nov 21 08:43:11 2017
Not After : Mon Nov 11 08:43:11 2019
Subject: "CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK"
----------
This certificate was expired, so here comes the point,
1. Why ipa cert-mon did monitor and renew it? So weired.
getcert list | grep tomcat -i
does not return this certificate.
2. How to fix it? it's renewal master by 'ipa config-show | grep 'IPA CA
renewal master'
1) I reset the clock during the valid period, and restart services. it failed.
2) I plan to renew or recreate a Server-Cert since my CA is still valid, but I'm
not sure it's doable and don't know how.
Not sure it's a bug or not, my slave node is good, both are running freeipa v4.6.4.
Thanks a lot.
1:15 a.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
I reset system clock to a proper point now IPA is working.
Server-Cert cert-pki-ca was not tracked by certmonger somehow, I add it but it says
# output of getcert list.
-------------------------------------
Request ID '20191101102140':
status: MONITORING
ca-error: Server at "http://ipa.ipa.pthl.hk:8080/ca/ee/ca/profileSubmit"
replied: Certificate serial number {0} to be renewed is revoked. Cannot renew a revoked
certificate
stuck: no
----- --------------------
And it was not renewed.
So how to renew this certificate manually?
I also read
https://frasertweedale.github.io/blog-redhat/posts/2019-02-28-dogtag-cert... but
there is no 'cert-fix' command in my IPA.
Thanks.
8:43 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
I find out why ipa didn't run even I reset system clock.
Because dirsrv and httpd cetificate was valid "Not before Oct 26", and dogtag
certificate was valid " Not After Nov 11", so I have to set clock during this
period. :)
--------------------
What I try:
1. set clock to ensure pki-tomcat works, I set it to Oct 27.
2. set clock to Oct 6, remove httpd/dirsrv certificate and re-sign a new one. It does NOT
work. As kerebeors refuses to work.
8:33 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
luckydog xf via FreeIPA-users wrote:
I find out why ipa didn't run even I reset system clock.
Because dirsrv and httpd cetificate was valid "Not before Oct 26", and dogtag
certificate was valid " Not After Nov 11", so I have to set clock during this
period. :)
--------------------
What I try:
1. set clock to ensure pki-tomcat works, I set it to Oct 27.
2. set clock to Oct 6, remove httpd/dirsrv certificate and re-sign a new one. It does NOT
work. As kerebeors refuses to work.
Refuses to work how? It doesn't restart? What does it log?
rob
11:43 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
Forget to copy its error. :(
11:45 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
This is resolved by "
----
getcert modify-ca -c dogtag-ipa-ca-renew-agent -e
'/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -N'
----
and start-tracking....
The reason is that once certmonger renews a certificate, it would use old certificate
request information to geneate a new one. But the old one may not work out.
-N tells certmonger to discard the old stuff and just create a new one.
12:04 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
luckydog xf via FreeIPA-users wrote:
This is resolved by "
----
getcert modify-ca -c dogtag-ipa-ca-renew-agent -e
'/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -N'
----
and start-tracking....
The reason is that once certmonger renews a certificate, it would use old certificate
request information to geneate a new one. But the old one may not work out.
-N tells certmonger to discard the old stuff and just create a new one.
It tells certmonger to use a CSR and not rely on the dogtag
renew-by-serial number capability. This is the default since 4.8.1.
rob
6:39 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
I see. Just curious about the following error,
----
certificate serial number {0} to be renewed is revoked. Cannot renew a revoked
----
Where does serial number store in the dogtag? Redhat docs say it's in 389 DS, but I
cannot find it out.
And would any stuff related certificate would store in 389 DS ?
6:47 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
I reset system clock to Oct 27, while this certificate would expire in Nov 11.
It's still valid and should be renewed by certmonger.
So there is no reason it say the serial number was revoked.
2:48 a.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote:
I reset system clock to Oct 27, while this certificate would expire
in Nov 11.
It's still valid and should be renewed by certmonger.
So there is no reason it say the serial number was revoked.
Hi,
can you check if the cert is revoked with:
$ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca'
| grep -i Serial
(note the Serial number)
$ ipa cert-show <serial found above>
Does the last command display "Revoked: True" with a Revocation reason
or "Revoked: False"?
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:03 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote:
Hi,
can you check if the cert is revoked with:
$ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca'
| grep -i Serial
(note the Serial number)
$ ipa cert-show <serial found above>
Does the last command display "Revoked: True" with a Revocation reason
or "Revoked: False"?
flo
[root@ipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert
cert-pki-ca' | grep serial -i
Serial Number: 268238851 (0xffd0003)
****************************************************************
[root@ipa ~]# ipa cert-show 268238851
Issuing CA: ipa
Certificate: ..... ### chopped ###
Subject: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
Issuer: CN=Certificate Authority,O=IPA.PTHL.HK
Not Before: Tue Nov 21 08:43:11 2017 UTC
Not After: Mon Nov 11 08:43:11 2019 UTC
Serial number: 268238851
Serial number (hex): 0xFFD0003
Revoked: True
Revocation reason: 0
---------------------------------------------------
Yes, this serial Number was marked 'revoked'.
3:01 a.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
On 1/3/20 3:03 AM, luckydog xf via FreeIPA-users wrote:
> On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote:
> Hi,
>
> can you check if the cert is revoked with:
> $ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca'
> | grep -i Serial
> (note the Serial number)
> $ ipa cert-show <serial found above>
>
> Does the last command display "Revoked: True" with a Revocation reason
> or "Revoked: False"?
>
> flo
[root@ipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert
cert-pki-ca' | grep serial -i
Serial Number: 268238851 (0xffd0003)
****************************************************************
[root@ipa ~]# ipa cert-show 268238851
Issuing CA: ipa
Certificate: ..... ### chopped ###
Subject: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
Issuer: CN=Certificate Authority,O=IPA.PTHL.HK
Not Before: Tue Nov 21 08:43:11 2017 UTC
Not After: Mon Nov 11 08:43:11 2019 UTC
Serial number: 268238851
Serial number (hex): 0xFFD0003
Revoked: True
Revocation reason: 0
---------------------------------------------------
Yes, this serial Number was marked 'revoked'.
Hi,
the following is not a supported procedure but you can try to manually
edit the certificate entry and remove the revocation information.
The entry is cn=<serial>,ou=certificaterepository,ou=ca,o=ipaca and you
will need to remove the attributes revokedOn, revokedBy, revInfo and
replace certStatus: REVOKED with certStatus: VALID.
You can use ldapmodify:
$ ldapmodify -D "cn=directory manager" -W -f mod.ldif
With the following mod.ldif:
$ cat mod.ldif
dn: cn=<serial>,ou=certificateRepository,ou=ca,o=ipaca
changetype: modify
delete: revokedOn
-
delete: revokedBy
-
delete: revInfo
-
replace: certStatus
certStatus: VALID
After that, check that the cert is not revoked any more with $ ipa
cert-show <serial>, and you should be able to retry the renewal.
HTH,
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
3:04 a.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
I tried this way, but I have not found this entry.
===
ldapsearch -x -h localhost -D "cn=directory manager" -W > all.ldif
====
grep revoke -i all.ldf
----
returned nothing.
My IPA is v4.6.4.
4:06 a.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
On 1/7/20 10:04 AM, luckydog xf via FreeIPA-users wrote:
I tried this way, but I have not found this entry.
===
ldapsearch -x -h localhost -D "cn=directory manager" -W > all.ldif
Hi,
if your /etc/openldap/ldap.conf is configured with default settings, it
probably has
BASE dc=<your domain>,dc=com
but the search needs to be done on a different suffix o=ipaca.
What do you get with
ldapsearch -x -h localhost -D "cn=directory manager" -W -b o=ipaca
flo
====
grep revoke -i all.ldf
----
returned nothing.
My IPA is v4.6.4.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
3:16 a.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
Thanks, I did it as your instruction, the old serial 268238851 was revoked and invalid. A
new serial was generated and valid already.
==================
# 268238851, certificateRepository, ca, ipaca
dn: cn=268238851,ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: certificateRecord
serialno: 09268238851
metaInfo: requestId:9970004
metaInfo: profileId:caInternalAuthServerCert
notBefore: 20171121164311Z
notAfter: 20191111164311Z
duration: 1162208000000
subjectName: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
issuerName: CN=Certificate Authority,O=IPA.PTHL.HK
publicKeyData:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: XXXXXXXXXXXXXXXXXXXXXXXX
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20171121164311Z
autoRenew: ENABLED
issuedBy: admin-ipa.ipa.pthl.hk
cn: 268238851
revInfo: 20180625110026Z;CRLReasonExtension=0
revokedBy: ipara
revokedOn: 20180625110026Z
certStatus: REVOKED
dateOfModify: 20180625110026Z
===============
Thanks. It seems that all the certificates are stored in 389 DS and being tracked.
4:05 a.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
On 1/16/20 10:16 AM, luckydog xf via FreeIPA-users wrote:
Thanks, I did it as your instruction, the old serial 268238851 was
revoked and invalid. A new serial was generated and valid already.
==================
# 268238851, certificateRepository, ca, ipaca
dn: cn=268238851,ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: certificateRecord
serialno: 09268238851
metaInfo: requestId:9970004
metaInfo: profileId:caInternalAuthServerCert
notBefore: 20171121164311Z
notAfter: 20191111164311Z
duration: 1162208000000
subjectName: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
issuerName: CN=Certificate Authority,O=IPA.PTHL.HK
publicKeyData:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.15
userCertificate;binary:: XXXXXXXXXXXXXXXXXXXXXXXX
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20171121164311Z
autoRenew: ENABLED
issuedBy: admin-ipa.ipa.pthl.hk
cn: 268238851
revInfo: 20180625110026Z;CRLReasonExtension=0
revokedBy: ipara
revokedOn: 20180625110026Z
certStatus: REVOKED
dateOfModify: 20180625110026Z
===============
Thanks. It seems that all the certificates are stored in 389 DS and being tracked.
Great! thanks for closing the loop.
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
7:30 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
One more question to ask,
1. Both /etc/dirsrv/alias and /etc/http/alias store certificates for themselves. Right?
2. Dogtag is a cerfificate lifecycle management system, e.g issue/renew/rovke. Any CSR
would validate by httpd first and then forward to dogtag subCA? per
https://ftweedal.fedorapeople.org/ipa-cert-renewal-deep-dive.pdf
3. Where do certificates issued by dogtag store? any stuff would store in 389 DS?
Thanks,
8:39 a.m.
New subject: Max renew for Kerberos tickets
Hello,
when i want to set the Kerberos policy via IPA GUI for tickets, i have two parameters:
Max renew
Max life
„Max life“ is working for me as expected.
But it seems, that „Max renew“ has a value with a maximum for 14 days (of course i set it
in seconds).
Is this true?
What can i do to set a value higher than 14 days?
Thank you for any help!
Detlev
P.S.: We need a high value for simulations …
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
9:03 a.m.
New subject: Max renew for Kerberos tickets
Hello Detlev,
i have set the "Max renew to 1814400 seconds without any Problems in the GUI.
And ipa krbtpolicy-show --all shows me this:
Max life: 86400
Max renew: 18144000
I set the new "Max renew" and save it, nothing more :)
Regards
Dirk
Am 02.01.20 um 15:39 schrieb Detlev Habicht via FreeIPA-users:
> Hello,
>
> when i want to set the Kerberos policy via IPA GUI for tickets, i have two
parameters:
>
> Max renew
> Max life
>
> „Max life“ is working for me as expected.
>
> But it seems, that „Max renew“ has a value with a maximum for 14 days (of course i
set it in seconds).
> Is this true?
>
> What can i do to set a value higher than 14 days?
>
> Thank you for any help!
>
> Detlev
>
> P.S.: We need a high value for simulations …
>
> --
> Detlev | Institut fuer Mikroelektronische Systeme
> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
> --------+-------- Handy +49 172 5415752 ---------------------------
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
9:13 a.m.
New subject: Max renew for Kerberos tickets
Yes … i can do this too …
But see you this value also with klist???
Greetings
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
Am 02.01.2020 um 16:03 schrieb Dirk Streubel
<dirk.streubel(a)posteo.de>:
Hello Detlev,
i have set the "Max renew to 1814400 seconds without any Problems in the GUI.
And ipa krbtpolicy-show --all shows me this:
Max life: 86400
Max renew: 18144000
I set the new "Max renew" and save it, nothing more :)
Regards
Dirk
Am 02.01.20 um 15:39 schrieb Detlev Habicht via FreeIPA-users:
> Hello,
>
> when i want to set the Kerberos policy via IPA GUI for tickets, i have two
parameters:
>
> Max renew
> Max life
>
> „Max life“ is working for me as expected.
>
> But it seems, that „Max renew“ has a value with a maximum for 14 days (of course i
set it in seconds).
> Is this true?
>
> What can i do to set a value higher than 14 days?
>
> Thank you for any help!
>
> Detlev
>
> P.S.: We need a high value for simulations …
>
> --
> Detlev | Institut fuer Mikroelektronische Systeme
> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
> --------+-------- Handy +49 172 5415752 ---------------------------
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
9:59 a.m.
New subject: Max renew for Kerberos tickets
Hello Detlev,
i have made this:
ipa krbtpolicy-mod --maxlife=43200 --maxrenew=604800
and the result is this:
Standard-Principal: dirk@XXX
Valid starting Expires Service principal
02.01.2020 16:53:29 03.01.2020 04:53:29 krbtgt/XXX@XXX
erneuern bis 03.01.2020 16:53:21
Is this what you wanted to see?
When i set the maxlife to 7 days i can only see the expire Date.
I don't know why and i must say i am not a "Kerberos Master" :)
Regards
Dirk
Am 02.01.20 um 16:13 schrieb Detlev Habicht via FreeIPA-users:
> Yes … i can do this too …
>
> But see you this value also with klist???
>
> Greetings
>
> Detlev
>
> --
> Detlev | Institut fuer Mikroelektronische Systeme
> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
> --------+-------- Handy +49 172 5415752 ---------------------------
>
>
>
>> Am 02.01.2020 um 16:03 schrieb Dirk Streubel <dirk.streubel(a)posteo.de>:
>>
>> Hello Detlev,
>>
>> i have set the "Max renew to 1814400 seconds without any Problems in the
GUI.
>>
>> And ipa krbtpolicy-show --all shows me this:
>>
>> Max life: 86400
>> Max renew: 18144000
>>
>> I set the new "Max renew" and save it, nothing more :)
>>
>>
>> Regards
>>
>> Dirk
>>
>>
>> Am 02.01.20 um 15:39 schrieb Detlev Habicht via FreeIPA-users:
>>> Hello,
>>>
>>> when i want to set the Kerberos policy via IPA GUI for tickets, i have two
parameters:
>>>
>>> Max renew
>>> Max life
>>>
>>> „Max life“ is working for me as expected.
>>>
>>> But it seems, that „Max renew“ has a value with a maximum for 14 days (of
course i set it in seconds).
>>> Is this true?
>>>
>>> What can i do to set a value higher than 14 days?
>>>
>>> Thank you for any help!
>>>
>>> Detlev
>>>
>>> P.S.: We need a high value for simulations …
>>>
>>> --
>>> Detlev | Institut fuer Mikroelektronische Systeme
>>> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
>>> --------+-------- Handy +49 172 5415752 ---------------------------
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
10:34 a.m.
New subject: Max renew for Kerberos tickets
Hi,
please have a look at the documentation [1]. There are multiple levels
where the ticket max life/max renew can be defined and the doc explains
the various settings that must be taken into account.
Hope this clarifies,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
On 1/2/20 4:59 PM, Dirk Streubel via FreeIPA-users wrote:
Hello Detlev,
i have made this:
ipa krbtpolicy-mod --maxlife=43200 --maxrenew=604800
and the result is this:
Standard-Principal: dirk@XXX
Valid starting Expires Service principal
02.01.2020 16:53:29 03.01.2020 04:53:29 krbtgt/XXX@XXX
erneuern bis 03.01.2020 16:53:21
Is this what you wanted to see?
When i set the maxlife to 7 days i can only see the expire Date.
I don't know why and i must say i am not a "Kerberos Master" :)
Regards
Dirk
Am 02.01.20 um 16:13 schrieb Detlev Habicht via FreeIPA-users:
> Yes … i can do this too …
>
> But see you this value also with klist???
>
> Greetings
>
> Detlev
>
> --
> Detlev | Institut fuer Mikroelektronische Systeme
> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
> --------+-------- Handy +49 172 5415752 ---------------------------
>
>
>
>> Am 02.01.2020 um 16:03 schrieb Dirk Streubel <dirk.streubel(a)posteo.de>:
>>
>> Hello Detlev,
>>
>> i have set the "Max renew to 1814400 seconds without any Problems in the
GUI.
>>
>> And ipa krbtpolicy-show --all shows me this:
>>
>> Max life: 86400
>> Max renew: 18144000
>>
>> I set the new "Max renew" and save it, nothing more :)
>>
>>
>> Regards
>>
>> Dirk
>>
>>
>> Am 02.01.20 um 15:39 schrieb Detlev Habicht via FreeIPA-users:
>>> Hello,
>>>
>>> when i want to set the Kerberos policy via IPA GUI for tickets, i have two
parameters:
>>>
>>> Max renew
>>> Max life
>>>
>>> „Max life“ is working for me as expected.
>>>
>>> But it seems, that „Max renew“ has a value with a maximum for 14 days (of
course i set it in seconds).
>>> Is this true?
>>>
>>> What can i do to set a value higher than 14 days?
>>>
>>> Thank you for any help!
>>>
>>> Detlev
>>>
>>> P.S.: We need a high value for simulations …
>>>
>>> --
>>> Detlev | Institut fuer Mikroelektronische Systeme
>>> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
>>> --------+-------- Handy +49 172 5415752 ---------------------------
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
3:56 a.m.
New subject: Max renew for Kerberos tickets
Thank you very much.
Reading the docs at the right page is really helpful :-) :
The value requested by the client is compared to the --maxlife setting of the
user_name-specific Kerberos ticket policies if these policies
exist, and the lower value of the two is selected. If user_name-specific Kerberos ticket
policies do not exist, the value sent by the client
is compared to the --maxlife setting of the Global Kerberos ticket policy, and the lower
value of the two is selected. For details on global
and user-specific Kerberos ticket policies, see Section 29.1.2, “Global and
User-specific Kerberos Ticket Policies”.
The value selected in the previous step is compared to two other values:
The value of the max_life setting in the /var/kerberos/krb5kdc/kdc.conf file
The value set in the krbMaxTicketLife attribute of the LDAP entry with the
distinguished name (DN):
krbPrincipalName=krbtgt/REALM_NAME@REALM_NAME,cn=REALM_NAME,cn=kerberos,domain_name
The lowest of the three values is ultimately selected for the lifetime of the Kerberos
ticket granted to user_name.
You have to check three places! And the most important hint is the last sentence: The
lowest value wins!
So with IPA GUI you cannot set a value higher as in kdc.conf and LDAP.
Thank you for the help.
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
Am 02.01.2020 um 17:34 schrieb Florence Blanc-Renaud via
FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>:
Hi,
please have a look at the documentation [1]. There are multiple levels where the ticket
max life/max renew can be defined and the doc explains the various settings that must be
taken into account.
Hope this clarifies,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
On 1/2/20 4:59 PM, Dirk Streubel via FreeIPA-users wrote:
> Hello Detlev,
> i have made this:
> ipa krbtpolicy-mod --maxlife=43200 --maxrenew=604800
> and the result is this:
> Standard-Principal: dirk@XXX
> Valid starting Expires Service principal
> 02.01.2020 16:53:29 03.01.2020 04:53:29 krbtgt/XXX@XXX
> erneuern bis 03.01.2020 16:53:21
> Is this what you wanted to see?
> When i set the maxlife to 7 days i can only see the expire Date.
> I don't know why and i must say i am not a "Kerberos Master" :)
> Regards
> Dirk
> Am 02.01.20 um 16:13 schrieb Detlev Habicht via FreeIPA-users:
>> Yes … i can do this too …
>>
>> But see you this value also with klist???
>>
>> Greetings
>>
>> Detlev
>>
>> --
>> Detlev | Institut fuer Mikroelektronische Systeme
>> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
>> --------+-------- Handy +49 172 5415752 ---------------------------
>>
>>
>>
>>> Am 02.01.2020 um 16:03 schrieb Dirk Streubel
<dirk.streubel(a)posteo.de>:
>>>
>>> Hello Detlev,
>>>
>>> i have set the "Max renew to 1814400 seconds without any Problems in the
GUI.
>>>
>>> And ipa krbtpolicy-show --all shows me this:
>>>
>>> Max life: 86400
>>> Max renew: 18144000
>>>
>>> I set the new "Max renew" and save it, nothing more :)
>>>
>>>
>>> Regards
>>>
>>> Dirk
>>>
>>>
>>> Am 02.01.20 um 15:39 schrieb Detlev Habicht via FreeIPA-users:
>>>> Hello,
>>>>
>>>> when i want to set the Kerberos policy via IPA GUI for tickets, i have
two parameters:
>>>>
>>>> Max renew
>>>> Max life
>>>>
>>>> „Max life“ is working for me as expected.
>>>>
>>>> But it seems, that „Max renew“ has a value with a maximum for 14 days (of
course i set it in seconds).
>>>> Is this true?
>>>>
>>>> What can i do to set a value higher than 14 days?
>>>>
>>>> Thank you for any help!
>>>>
>>>> Detlev
>>>>
>>>> P.S.: We need a high value for simulations …
>>>>
>>>> --
>>>> Detlev | Institut fuer Mikroelektronische Systeme
>>>> Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
>>>> --------+-------- Handy +49 172 5415752 ---------------------------
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
>>>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:05 p.m.
New subject: Max renew for Kerberos tickets
Interesting, why my post was intercepted by a new topic ?
Lol.
2:34 a.m.
New subject: Max renew for Kerberos tickets
Sorry, maybe my fault.
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
Am 03.01.2020 um 03:05 schrieb luckydog xf via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>:
Interesting, why my post was intercepted by a new topic ?
Lol.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:04 p.m.
New subject: Server-Cert cert-pki-ca was expired and wasn't renewed automatically
I'm confused. :)
1559
days inactive
1581
days old
freeipa-users@lists.fedorahosted.org
25 comments
5 participants
participants (5)
-
Detlev Habicht -
Dirk Streubel -
Florence Blanc-Renaud -
luckydog xf -
Rob Crittenden