[Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

Niranjan M.R mrniranjan at redhat.com
Tue Dec 9 09:58:11 UTC 2014



On 12/09/2014 03:22 PM, Martin Kosek wrote:
> On 12/09/2014 10:48 AM, Niranjan M.R wrote:
>> On 12/09/2014 02:57 PM, thierry bordaz wrote:
>>> Hello,
>>
>>> Niranjan, may I have access to your test machine.
>>
>> It's a vm on my laptop. I am trying to reproduce on another VM
>> to which i can give access. I will provide the details of this VM as soon
>> as possible.
>>
>> Mean while i am providing ns-slapd access logs, ipa-logs and pkispawn logs.
> 
> Thanks. I see no related errors in the DS errors log, I wonder if the suggested
> 
> # systemctl status dirsrv@EXAMPLE-ORG.service
> 
> would show anything interesting.
> 
>>
>>
>>
>>> thanks
>>> theirry
>>
>>
>>> On 12/09/2014 10:01 AM, Martin Kosek wrote:
>>>> On 12/07/2014 03:01 PM, Niranjan M.R wrote:
>>>>> On 12/06/2014 12:24 AM, Dmitri Pal wrote:
>>>>>> Hello,
>>>>>> WE NEED HELP!
>>>>>> The biggest and the most interesting feature of FreeIPA 4.1.2 is support for the two factor authentication using HOTP/TOTP compatible software tokens like FreeOTP (open source compatible alternative to Google Authenticator) and hardware tokens like Yubikeys. This feature allows Kerberos and LDAP clients of a FreeIPA server to authenticate using the normal account password as the first factor and an OTP token as a second factor. For those environments where a 2FA solution is already in place, FreeIPA can act as a proxy via RADIUS. More about this feature can be read here.
>>>>>> http://www.freeipa.org/page/V4/OTP
>>>>>> If you want to see this feature in downstream distros sooner rather than later we need your help!
>>>>>> Please give it a try and provide feedback. We really, really need it!
>>>>> I am unable to configure ipa-server with freeipa-server-4.1.2-1.fc20.x86_64,  ipa-server-install fails with below error:
>>>>>
>>>>> Done configuring certificate server (pki-tomcatd).
>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>    [1/3]: configuring ssl for ds instance
>>>>>    [2/3]: restarting directory server
>>>>> ipa         : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the installation log for details.
>>>>>    [3/3]: adding CA certificate entry
>>>>> Done configuring directory server (dirsrv).
>>>>> CA did not start in 300.0s
>>>>>
>>>>>
>>>>> Versions used:
>>>>> ==============
>>>>> freeipa-client-4.1.2-1.fc20.x86_64
>>>>> freeipa-server-4.1.2-1.fc20.x86_64
>>>>> libipa_hbac-1.12.2-2.fc20.x86_64
>>>>> libipa_hbac-python-1.12.2-2.fc20.x86_64
>>>>> sssd-ipa-1.12.2-2.fc20.x86_64
>>>>> device-mapper-multipath-0.4.9-56.fc20.x86_64
>>>>> python-iniparse-0.4-9.fc20.noarch
>>>>> freeipa-admintools-4.1.2-1.fc20.x86_64
>>>>> freeipa-python-4.1.2-1.fc20.x86_64
>>>>> 389-ds-base-libs-1.3.3.5-1.fc20.x86_64
>>>>> 389-ds-base-1.3.3.5-1.fc20.x86_64
>>>>>
>>>>> BaseOS:Fedora release 20 (Heisenbug)
>>>>>
>>>>>
>>>>> Steps to reproduce:
>>>>> ---------------
>>>>>
>>>>> 1. On Fedora-20 system, Used mkosek freeipa repo:
>>>>> [mkosek-freeipa]
>>>>> name=Copr repo for freeipa owned by mkosek
>>>>> baseurl=http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-$releasever-$basearch/
>>>>> skip_if_unavailable=True
>>>>> gpgcheck=0
>>>>> enabled=1
>>>>>
>>>>> 2. Install freeipa-server packages from the above repo
>>>>>
>>>>> 3. Issue ipa-server-install
>>>>>
>>>>> [root@pkiserver1 ~]# ipa-server-install
>>>>>
>>>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>>>> ==============================================================================
>>>>> This program will set up the FreeIPA Server.
>>>>>
>>>>> This includes:
>>>>>    * Configure a stand-alone CA (dogtag) for certificate management
>>>>>    * Configure the Network Time Daemon (ntpd)
>>>>>    * Create and configure an instance of Directory Server
>>>>>    * Create and configure a Kerberos Key Distribution Center (KDC)
>>>>>    * Configure Apache (httpd)
>>>>>
>>>>> To accept the default shown in brackets, press the Enter key.
>>>>>
>>>>> WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
>>>>> in favor of ntpd
>>>>>
>>>>> Do you want to configure integrated DNS (BIND)? [no]: yes
>>>>>
>>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>>> Enter the fully qualified domain name of the computer
>>>>> on which you're setting up server software. Using the form
>>>>> <hostname>.<domainname>
>>>>> Example: master.example.com.
>>>>>
>>>>>
>>>>> Server host name [pkiserver1.example.org]:
>>>>>
>>>>> Warning: skipping DNS resolution of host pkiserver1.example.org
>>>>> The domain name has been determined based on the host name.
>>>>>
>>>>> Please confirm the domain name [example.org]:
>>>>>
>>>>> The kerberos protocol requires a Realm name to be defined.
>>>>> This is typically the domain name converted to uppercase.
>>>>>
>>>>> Please provide a realm name [EXAMPLE.ORG]:
>>>>> Certain directory server operations require an administrative user.
>>>>> This user is referred to as the Directory Manager and has full access
>>>>> to the Directory for system management tasks and will be added to the
>>>>>
>>>>> The IPA server requires an administrative user, named 'admin'.
>>>>> This user is a regular system account used for IPA server administration.
>>>>>
>>>>> IPA admin password:
>>>>> Password (confirm):
>>>>>
>>>>> Do you want to configure DNS forwarders? [yes]: no
>>>>> No DNS forwarders configured
>>>>> Do you want to configure the reverse zone? [yes]:
>>>>> Please specify the reverse zone name [122.168.192.in-addr.arpa.]:
>>>>> Using reverse zone(s) 122.168.192.in-addr.arpa.
>>>>>
>>>>> The IPA Master Server will be configured with:
>>>>> Hostname:       pkiserver1.example.org
>>>>> IP address(es): 192.168.122.246
>>>>> Domain name:    example.org
>>>>> Realm name:     EXAMPLE.ORG
>>>>>
>>>>> BIND DNS server will be configured to serve IPA domain with:
>>>>> Forwarders:    No forwarders
>>>>> Reverse zone(s):  122.168.192.in-addr.arpa.
>>>>>
>>>>> Continue to configure the system with these values? [no]: yes
>>>>>
>>>>> The following operations may take some minutes to complete.
>>>>> Please wait until the prompt is returned.
>>>>>
>>>>>
>>>>> instance of directory server created for IPA.
>>>>> The password must be at least 8 characters long.
>>>>>
>>>>> Directory Manager password:
>>>>> Password (confirm):
>>>>> Configuring NTP daemon (ntpd)
>>>>>    [1/4]: stopping ntpd
>>>>>    [2/4]: writing configuration
>>>>>    [3/4]: configuring ntpd to start on boot
>>>>>    [4/4]: starting ntpd
>>>>> Done configuring NTP daemon (ntpd).
>>>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>>>>    [1/38]: creating directory server user
>>>>>    [2/38]: creating directory server instance
>>>>>    [3/38]: adding default schema
>>>>>    [4/38]: enabling memberof plugin
>>>>>    [5/38]: enabling winsync plugin
>>>>>    [6/38]: configuring replication version plugin
>>>>>    [7/38]: enabling IPA enrollment plugin
>>>>>    [8/38]: enabling ldapi
>>>>>    [9/38]: configuring uniqueness plugin
>>>>>    [10/38]: configuring uuid plugin
>>>>>    [11/38]: configuring modrdn plugin
>>>>>    [12/38]: configuring DNS plugin
>>>>>    [13/38]: enabling entryUSN plugin
>>>>>    [14/38]: configuring lockout plugin
>>>>>    [15/38]: creating indices
>>>>>    [16/38]: enabling referential integrity plugin
>>>>>    [17/38]: configuring certmap.conf
>>>>>    [18/38]: configure autobind for root
>>>>>    [19/38]: configure new location for managed entries
>>>>>    [20/38]: configure dirsrv ccache
>>>>>    [21/38]: enable SASL mapping fallback
>>>>>    [22/38]: restarting directory server
>>>>>    [23/38]: adding default layout
>>>>>    [24/38]: adding delegation layout
>>>>>    [25/38]: creating container for managed entries
>>>>>    [26/38]: configuring user private groups
>>>>>    [27/38]: configuring netgroups from hostgroups
>>>>>    [28/38]: creating default Sudo bind user
>>>>>    [29/38]: creating default Auto Member layout
>>>>>    [30/38]: adding range check plugin
>>>>>    [31/38]: creating default HBAC rule allow_all
>>>>>    [32/38]: initializing group membership
>>>>>    [33/38]: adding master entry
>>>>>    [34/38]: configuring Posix uid/gid generation
>>>>>    [35/38]: adding replication acis
>>>>>    [36/38]: enabling compatibility plugin
>>>>>    [37/38]: tuning directory server
>>>>>    [38/38]: configuring directory to start on boot
>>>>> Done configuring directory server (dirsrv).
>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>>    [1/27]: creating certificate server user
>>>>>    [2/27]: configuring certificate server instance
>>>>>    [3/27]: stopping certificate server instance to update CS.cfg
>>>>>    [4/27]: backing up CS.cfg
>>>>>    [5/27]: disabling nonces
>>>>>    [6/27]: set up CRL publishing
>>>>>    [7/27]: enable PKIX certificate path discovery and validation
>>>>>    [8/27]: starting certificate server instance
>>>>>    [9/27]: creating RA agent certificate database
>>>>>    [10/27]: importing CA chain to RA certificate database
>>>>>    [11/27]: fixing RA database permissions
>>>>>    [12/27]: setting up signing cert profile
>>>>>    [13/27]: set certificate subject base
>>>>>    [14/27]: enabling Subject Key Identifier
>>>>>    [15/27]: enabling Subject Alternative Name
>>>>>    [16/27]: enabling CRL and OCSP extensions for certificates
>>>>>    [17/27]: setting audit signing renewal to 2 years
>>>>>    [18/27]: configuring certificate server to start on boot
>>>>>    [19/27]: restarting certificate server
>>>>>    [20/27]: requesting RA certificate from CA
>>>>>    [21/27]: issuing RA agent certificate
>>>>>    [22/27]: adding RA agent as a trusted user
>>>>>    [23/27]: configure certmonger for renewals
>>>>>    [24/27]: configure certificate renewals
>>>>>    [25/27]: configure RA certificate renewal
>>>>>    [26/27]: configure Server-Cert certificate renewal
>>>>>    [27/27]: Configure HTTP to proxy connections
>>>>> Done configuring certificate server (pki-tomcatd).
>>>>> Configuring directory server (dirsrv): Estimated time 10 seconds
>>>>>    [1/3]: configuring ssl for ds instance
>>>>>    [2/3]: restarting directory server
>>>>> ipa         : CRITICAL Failed to restart the directory server ([Errno 2] No such file or directory:
>>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the installation log for details.
>>>>>    [3/3]: adding CA certificate entry
>>>>> Done configuring directory server (dirsrv).
>>>>>
>>>>> CA did not start in 300.0s
>>>>>
>>>>> Attaching ipaserver-install.log, pkispawn logs
>>>>>
>>>>> Any hints on how to overcome the above error.
>>>> The error is obviously in Directory Server restart. I am not sure what causes
>>>>
>>>> 2014-12-07T11:16:25Z DEBUG   [2/3]: restarting directory server
>>>> 2014-12-07T11:16:25Z CRITICAL Failed to restart the directory server ([Errno 2]
>>>> No such file or directory:
>>>> '/etc/systemd/system/dirsrv.target.wants/dirsrv@EXAMPLE-ORG.service'). See the
>>>> installation log for details.
>>>>
>>>> The first restart worked and it uses the same call, AFAIK. It would be
>>>> interesting to see the latest logs of the instance after ipa-server-install
>>>> crashes:
>>>>
>>>> # systemctl status dirsrv@EXAMPLE-ORG.service

[root@pkiserver1 ~]# systemctl status dirsrv@EXAMPLE-ORG.service
dirsrv@EXAMPLE-ORG.service - 389 Directory Server EXAMPLE-ORG.
   Loaded: loaded (/etc/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Tue 2014-12-09 04:33:56 EST; 23min ago
 Main PID: 2535 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@EXAMPLE-ORG.service
           └─2535 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-ORG -i /var/run/dirsrv/slapd-EXAMPLE-ORG.pid -w /var/run/dirsrv/slapd-EXAMPLE-ORG.startpid

Dec 09 04:33:56 pkiserver1.example.org systemd[1]: Started 389 Directory Server EXAMPLE-ORG..
>>>>
>>>> It may have some useful logs that would reveal what happened.
>>>>
>>>> Martin
>>
>>
>>
>>
> 
> 
> 


-- 
Niranjan
irc: mrniranjan
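The restart failure in this thread is an ENOENT on the dirsrv.target.wants symlink for the instance, even though systemctl later reports the unit as loaded and enabled. The following preflight check is an added example, not code from the thread or from FreeIPA: it inspects the systemd wiring of a 389 DS instance under a given root and names the missing piece. The stage_tree helper builds a constructed throwaway tree so the check can be exercised offline; on a real host you would call diagnose("EXAMPLE-ORG") with the default root="/".

```python
import os
import tempfile
from pathlib import Path


def check_dirsrv_unit(instance: str, root: str = "/") -> dict:
    """Report the state of the dirsrv@.service template and the wants symlink for `instance`.

    `root` lets the same check run against a staged tree instead of the live filesystem.
    """
    base = Path(root) / "etc/systemd/system"
    template = base / "dirsrv@.service"
    wants = base / "dirsrv.target.wants" / f"dirsrv@{instance}.service"
    result = {
        "template_exists": template.is_file(),
        "wants_link_exists": wants.is_symlink() or wants.exists(),
        "wants_link_target_ok": False,
    }
    if wants.is_symlink():
        raw = os.readlink(wants)
        # An absolute link target is interpreted relative to `root`, as systemd would see it on that host.
        target = Path(root) / raw.lstrip("/") if os.path.isabs(raw) else wants.parent / raw
        result["wants_link_target_ok"] = target.resolve() == template.resolve()
    return result


def diagnose(instance: str, root: str = "/") -> str:
    """Translate the check into the one-line finding an admin wants after a failed restart."""
    r = check_dirsrv_unit(instance, root)
    if not r["template_exists"]:
        return "template unit dirsrv@.service is missing"
    if not r["wants_link_exists"]:
        return (f"dirsrv.target.wants/dirsrv@{instance}.service is missing: "
                "the instance is not enabled, which matches the [Errno 2] restart failure")
    if not r["wants_link_target_ok"]:
        return "wants symlink does not point at dirsrv@.service"
    return "ok"


def stage_tree(enabled: bool) -> str:
    """Constructed sample: a throwaway root in the broken (enabled=False) or healthy state."""
    root = tempfile.mkdtemp()
    base = Path(root) / "etc/systemd/system"
    (base / "dirsrv.target.wants").mkdir(parents=True)
    (base / "dirsrv@.service").write_text("[Unit]\nDescription=389 Directory Server %i.\n")
    if enabled:
        os.symlink("/etc/systemd/system/dirsrv@.service",
                   base / "dirsrv.target.wants" / "dirsrv@EXAMPLE-ORG.service")
    return root
```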