Problem adding a RHEL 8.1 client

List overview All Threads
Download

newer

older

FreeIPA/PKI CA/KRA Subsystem...

sudo rule doesn't work

SOLER SANGUESA Miguel

9 Jan 2020 9 Jan '20

9:07 a.m.

Hello,

I'm trying to add a RHEL 8.1 client with the following spec: OS: RHEL 8.1 (Ootpa) IPA: ipa-client-4.8.0-10 SSSD: sssd-2.2.0-19.el8.x86_64

My IDM server has: OS: RHEL 7.7 (Maipo) IPA: ipa-server-4.6.5-11.el7_7.3 SSSD: sssd-1.16.4-21.el7_7.1

When I try to add the client using "ipa-client-install" I get the error: This program will set up IPA client. Version 4.8.0

Discovery was successful! Do you want to configure chrony with NTP server or pool address? [no]: Client hostname: client01.svc.domain.org Realm: IPA.DOMAIN.ORG DNS Domain: ipa.domain.org IPA Server: icidmpdc1.ipa.domain.org BaseDN: dc=ipa,dc=domain,dc=org

Continue to configure the system with these values? [no]: yes Synchronizing time Configuration of chrony was changed by installer. Attempting to sync time with chronyc. Time synchronization was successful. Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG Valid From: 2016-03-04 15:13:38 Valid Until: 2036-03-04 15:13:38

Joining realm failed: Unable to initialize STARTTLS session Failed to bind to server! Retrying with pre-4.0 keytab retrieval method... Unable to initialize STARTTLS session Failed to bind to server! Failed to get keytab child exited with 9

Installation failed. Rolling back changes. Disabling client Kerberos and LDAP configurations Restoring client configuration files nslcd daemon is not installed, skip configuration Client uninstall complete. The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

The entire debug log is attached. It fails doing the "join". It doesn't happened when I add a client with RHEL 7.X, also I think it was also working with RHEL 8.0. Can anyone please, let me know why it is not working?

Thanks & Regards.

Attachments:

attachment.html (text/html — 7.4 KB)
ipa-client-install.log (application/octet-stream — 82.4 KB)

Show replies by date

Florence Blanc-Renaud

9 Jan 9 Jan

2:05 p.m.

On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

Hello,

I’m trying to add a RHEL 8.1 client with the following spec:

OS: RHEL 8.1 (Ootpa)

IPA: ipa-client-4.8.0-10

SSSD: sssd-2.2.0-19.el8.x86_64

My IDM server has:

OS: RHEL 7.7 (Maipo)

IPA: ipa-server-4.6.5-11.el7_7.3

SSSD: sssd-1.16.4-21.el7_7.1

When I try to add the client using “ipa-client-install” I get the error:

This program will set up IPA client.

Version 4.8.0

Discovery was successful!

Do you want to configure chrony with NTP server or pool address? [no]:

Client hostname: client01.svc.domain.org

Realm: IPA.DOMAIN.ORG

DNS Domain: ipa.domain.org

IPA Server: icidmpdc1.ipa.domain.org

BaseDN: dc=ipa,dc=domain,dc=org

Continue to configure the system with these values? [no]: yes

Synchronizing time

Configuration of chrony was changed by installer.

Attempting to sync time with chronyc.

Time synchronization was successful.

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Valid From: 2016-03-04 15:13:38

Valid Until: 2036-03-04 15:13:38

Joining realm failed: Unable to initialize STARTTLS session

Failed to bind to server!

Retrying with pre-4.0 keytab retrieval method...

Unable to initialize STARTTLS session

Failed to bind to server!

Failed to get keytab

child exited with 9

Installation failed. Rolling back changes.

Disabling client Kerberos and LDAP configurations

Restoring client configuration files

nslcd daemon is not installed, skip configuration

Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

The entire debug log is attached. It fails doing the “join”. It doesn’t happened when I add a client with RHEL 7.X, also I think it was also working with RHEL 8.0.

Can anyone please, let me know why it is not working?

Hi,

can you paste the content of /var/log/dirsrv/slapd-<DOMAIN>/errors (on the master) that is related to SSL: - INFO - Security Initialization - SSL info: Enabling default cipher set. - INFO - Security Initialization - SSL info: Configured NSS Ciphers - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled [... list of all ciphers] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3

The full list of ciphers and the SSL range may help understand the issue.

flo

...

Thanks & Regards.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

SOLER SANGUESA Miguel

10 Jan 10 Jan

3:26 a.m.

Hello,

The list of ciphers seems OK (it is the one showed on the debug logs: " TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled"), and also the SSL version range is from TLS1.0 to TLS1.3. I have also added lines with 'ERR' or 'WARN': [10/Jan/2020:08:53:57.993429356 +0100] - ERR - oc_check_allowed_sv - Entry "cn=encryption,cn=config" -- attribute "CACertExtractFile" not allowed [10/Jan/2020:08:53:57.999532781 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. [10/Jan/2020:08:53:58.005282229 +0100] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert [10/Jan/2020:08:53:58.013492586 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set. [10/Jan/2020:08:53:58.021112518 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers [10/Jan/2020:08:53:58.023818570 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.025012562 +0100] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.026865854 +0100] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.027909825 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.028910559 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.030192210 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.032707645 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.038511038 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.042101912 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.047331242 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.053222255 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.059417443 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.065215952 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.066816630 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.070814501 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.076808934 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.082326398 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Jan/2020:08:53:58.085812594 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.088603987 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.095429780 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.097605520 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.099003065 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Jan/2020:08:53:58.101106312 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.102701393 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.105723970 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Jan/2020:08:53:58.107107490 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.110522147 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.113200222 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Jan/2020:08:53:58.126201090 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3 ... [10/Jan/2020:08:54:02.128378609 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match ... [10/Jan/2020:08:54:02.268900495 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! [10/Jan/2020:08:54:02.283005210 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.284850029 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.291534216 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.296575693 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.300672868 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.306498604 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.312925397 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.316251285 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.318903023 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.324020591 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.327893713 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.334512981 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.338954980 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.341830396 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.343118609 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.346506279 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.359003489 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.361548258 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.449783407 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [10/Jan/2020:08:54:02.489813637 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests [10/Jan/2020:08:54:02.498610374 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests [10/Jan/2020:08:54:02.502099316 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-IPA-DOMAIN-ORG.socket for LDAPI requests [10/Jan/2020:08:54:02.506101255 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [10/Jan/2020:08:54:02.560926332 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! [10/Jan/2020:08:54:11.584790390 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=org [10/Jan/2020:08:54:11.592447129 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.

On the client side, seems it is also abailabe: [root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

Thanks & Regards.

-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Thursday, January 09, 2020 21:06 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Problem adding a RHEL 8.1 client

On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

Hello,

I'm trying to add a RHEL 8.1 client with the following spec:

OS: RHEL 8.1 (Ootpa)

IPA: ipa-client-4.8.0-10

SSSD: sssd-2.2.0-19.el8.x86_64

My IDM server has:

OS: RHEL 7.7 (Maipo)

IPA: ipa-server-4.6.5-11.el7_7.3

SSSD: sssd-1.16.4-21.el7_7.1

When I try to add the client using "ipa-client-install" I get the error:

This program will set up IPA client.

Version 4.8.0

Discovery was successful!

Do you want to configure chrony with NTP server or pool address? [no]:

Client hostname: client01.svc.domain.org

Realm: IPA.DOMAIN.ORG

DNS Domain: ipa.domain.org

IPA Server: icidmpdc1.ipa.domain.org

BaseDN: dc=ipa,dc=domain,dc=org

Continue to configure the system with these values? [no]: yes

Synchronizing time

Configuration of chrony was changed by installer.

Attempting to sync time with chronyc.

Time synchronization was successful.

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Valid From: 2016-03-04 15:13:38

Valid Until: 2036-03-04 15:13:38

Joining realm failed: Unable to initialize STARTTLS session

Failed to bind to server!

Retrying with pre-4.0 keytab retrieval method...

Unable to initialize STARTTLS session

Failed to bind to server!

Failed to get keytab

child exited with 9

Installation failed. Rolling back changes.

Disabling client Kerberos and LDAP configurations

Restoring client configuration files

nslcd daemon is not installed, skip configuration

Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

The entire debug log is attached. It fails doing the "join". It doesn't happened when I add a client with RHEL 7.X, also I think it was also working with RHEL 8.0.

Can anyone please, let me know why it is not working?

Hi,

The full list of ciphers and the SSL range may help understand the issue.

flo

...

Thanks & Regards.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5 739f8400593ede80266830257%7C0%7C0%7C637141971601947392&sdata=%2FXm p17T3G8G6HelhTlBMbbwk2Z0XRRbk1JOMsEZAfXM%3D&reserved=0 List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Csole rm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5739f8400593 ede80266830257%7C0%7C0%7C637141971601957347&sdata=KCpN67a3VP%2B7W1 TWNLSjIjlcJTioY6phCrJPjIWB%2BFE%3D&reserved=0 List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahos ted.org&data=02%7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208 d7953f57d3%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C63714197160195 7347&sdata=ayLDi6PUsROquosBP%2Bkbh9KGoPGGHL4PyIabw3FloKQ%3D&re served=0

SOLER SANGUESA Miguel

3:45 a.m.

Hello again,

I have tried to create a connection with the cipher is used on the client install and I get this: [root@client01 ~]# openssl s_client -connect server2.ipa.domain.org:636 -cipher ECDHE-RSA-AES256-GCM-SHA384 CONNECTED(00000003) depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority verify error:num=19:self signed certificate in certificate chain verify return:1 depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority verify return:1 depth=0 O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org verify return:1 --- Certificate chain 0 s:O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org i:O = IPA.DOMAIN.ORG, CN = Certificate Authority 1 s:O = IPA.DOMAIN.ORG, CN = Certificate Authority i:O = IPA.DOMAIN.ORG, CN = Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIEtTCCA52gAwIBAgIED/8BuzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1J .... 3Z4Moyqlg+wT -----END CERTIFICATE----- subject=O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org

issuer=O = IPA.DOMAIN.ORG, CN = Certificate Authority

--- Acceptable client certificate CA names O = IPA.DOMAIN.ORG, CN = Certificate Authority Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2734 bytes and written 365 bytes Verification error: self signed certificate in certificate chain --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 <------- Changes the cipher, but it is also enbled on server side. Server public key is 2048 bit Secure Renegotiation IS NOT supported <------------- ???? Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self signed certificate in certificate chain) ---

Executing the same command on a RHEL 7 I don't have the err=19 (self signed certificate complain), also the " Shared Requested Signature Algorithms" are more and " Server Temp Key" different: Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Server Temp Key: ECDH, P-256, 256 bits

Thanks & Regards.

-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:26 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client

Hello,

On the client side, seems it is also abailabe: [root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

Thanks & Regards.

On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

Hello,

I'm trying to add a RHEL 8.1 client with the following spec:

OS: RHEL 8.1 (Ootpa)

IPA: ipa-client-4.8.0-10

SSSD: sssd-2.2.0-19.el8.x86_64

My IDM server has:

OS: RHEL 7.7 (Maipo)

IPA: ipa-server-4.6.5-11.el7_7.3

SSSD: sssd-1.16.4-21.el7_7.1

When I try to add the client using "ipa-client-install" I get the error:

This program will set up IPA client.

Version 4.8.0

Discovery was successful!

Do you want to configure chrony with NTP server or pool address? [no]:

Client hostname: client01.svc.domain.org

Realm: IPA.DOMAIN.ORG

DNS Domain: ipa.domain.org

IPA Server: icidmpdc1.ipa.domain.org

BaseDN: dc=ipa,dc=domain,dc=org

Continue to configure the system with these values? [no]: yes

Synchronizing time

Configuration of chrony was changed by installer.

Attempting to sync time with chronyc.

Time synchronization was successful.

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Valid From: 2016-03-04 15:13:38

Valid Until: 2036-03-04 15:13:38

Joining realm failed: Unable to initialize STARTTLS session

Failed to bind to server!

Retrying with pre-4.0 keytab retrieval method...

Unable to initialize STARTTLS session

Failed to bind to server!

Failed to get keytab

child exited with 9

Installation failed. Rolling back changes.

Disabling client Kerberos and LDAP configurations

Restoring client configuration files

nslcd daemon is not installed, skip configuration

Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

The entire debug log is attached. It fails doing the "join". It doesn't happened when I add a client with RHEL 7.X, also I think it was also working with RHEL 8.0.

Can anyone please, let me know why it is not working?

Hi,

The full list of ciphers and the SSL range may help understand the issue.

flo

...

Thanks & Regards.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5 739f8400593ede80266830257%7C0%7C0%7C637141971601947392&sdata=%2FXm p17T3G8G6HelhTlBMbbwk2Z0XRRbk1JOMsEZAfXM%3D&reserved=0 List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Csole rm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5739f8400593 ede80266830257%7C0%7C0%7C637141971601957347&sdata=KCpN67a3VP%2B7W1 TWNLSjIjlcJTioY6phCrJPjIWB%2BFE%3D&reserved=0 List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahos ted.org&data=02%7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208 d7953f57d3%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C63714197160195 7347&sdata=ayLDi6PUsROquosBP%2Bkbh9KGoPGGHL4PyIabw3FloKQ%3D&re served=0

SOLER SANGUESA Miguel

5:49 a.m.

Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK: [root@client01 ~]# openssl s_client -connect server2.ipa.unicc.org:636 -tls1_2 ... Client Certificate Types: RSA sign, ECDSA sign, DSA sign Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2694 bytes and written 339 bytes Verification error: self signed certificate in certificate chain --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: B1CA329B2A6E4B33F8850112EDCE76273A47C407526C4CC6497FAF05322031C2 Session-ID-ctx: Master-Key: 0443C4A385C5445DB9B17CA6C6C463B686EBA71D60C451276970AE0892C574E19B899FCB653840E1DA7C0B0E1458FF65 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1578655322 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) Extended master secret: no ---

Do you know why it is not working with TLSv1.3 and how can I fix it? I have still no luck with adding the server to IDM. I have followed the workaround described here: https://bugzilla.redhat.com/show_bug.cgi?id=1685470

now if I test the connection with: openssl s_client -connect server2.ipa.unicc.org:636

It connects using TLSv1.2, but it still not working the join to IDM.

Thanks & Regards.

-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:46 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client

Hello again,

issuer=O = IPA.DOMAIN.ORG, CN = Certificate Authority

Thanks & Regards.

Hello,

On the client side, seems it is also abailabe: [root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

Thanks & Regards.

On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

Hello,

I'm trying to add a RHEL 8.1 client with the following spec:

OS: RHEL 8.1 (Ootpa)

IPA: ipa-client-4.8.0-10

SSSD: sssd-2.2.0-19.el8.x86_64

My IDM server has:

OS: RHEL 7.7 (Maipo)

IPA: ipa-server-4.6.5-11.el7_7.3

SSSD: sssd-1.16.4-21.el7_7.1

When I try to add the client using "ipa-client-install" I get the error:

This program will set up IPA client.

Version 4.8.0

Discovery was successful!

Do you want to configure chrony with NTP server or pool address? [no]:

Client hostname: client01.svc.domain.org

Realm: IPA.DOMAIN.ORG

DNS Domain: ipa.domain.org

IPA Server: icidmpdc1.ipa.domain.org

BaseDN: dc=ipa,dc=domain,dc=org

Continue to configure the system with these values? [no]: yes

Synchronizing time

Configuration of chrony was changed by installer.

Attempting to sync time with chronyc.

Time synchronization was successful.

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Valid From: 2016-03-04 15:13:38

Valid Until: 2036-03-04 15:13:38

Joining realm failed: Unable to initialize STARTTLS session

Failed to bind to server!

Retrying with pre-4.0 keytab retrieval method...

Unable to initialize STARTTLS session

Failed to bind to server!

Failed to get keytab

child exited with 9

Installation failed. Rolling back changes.

Disabling client Kerberos and LDAP configurations

Restoring client configuration files

nslcd daemon is not installed, skip configuration

Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

The entire debug log is attached. It fails doing the "join". It doesn't happened when I add a client with RHEL 7.X, also I think it was also working with RHEL 8.0.

Can anyone please, let me know why it is not working?

Hi,

The full list of ciphers and the SSL range may help understand the issue.

flo

...

Thanks & Regards.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5 739f8400593ede80266830257%7C0%7C0%7C637141971601947392&sdata=%2FXm p17T3G8G6HelhTlBMbbwk2Z0XRRbk1JOMsEZAfXM%3D&reserved=0 List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Csole rm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5739f8400593 ede80266830257%7C0%7C0%7C637141971601957347&sdata=KCpN67a3VP%2B7W1 TWNLSjIjlcJTioY6phCrJPjIWB%2BFE%3D&reserved=0 List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahos ted.org&data=02%7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208 d7953f57d3%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C63714197160195 7347&sdata=ayLDi6PUsROquosBP%2Bkbh9KGoPGGHL4PyIabw3FloKQ%3D&re served=0

Florence Blanc-Renaud

6:05 a.m.

Hi,

can you try to run the following on the client: $ update-crypto-policies --set LEGACY then retry the client install?

(This is a workaround described in https://access.redhat.com/articles/3642912. RHEL8 enables less ciphersuites and protocols)

flo

On 1/10/20 12:49 PM, SOLER SANGUESA Miguel wrote:

...

Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK: [root@client01 ~]# openssl s_client -connect server2.ipa.unicc.org:636 -tls1_2 ... Client Certificate Types: RSA sign, ECDSA sign, DSA sign Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits

SSL handshake has read 2694 bytes and written 339 bytes Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: B1CA329B2A6E4B33F8850112EDCE76273A47C407526C4CC6497FAF05322031C2 Session-ID-ctx: Master-Key: 0443C4A385C5445DB9B17CA6C6C463B686EBA71D60C451276970AE0892C574E19B899FCB653840E1DA7C0B0E1458FF65 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1578655322 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) Extended master secret: no

Do you know why it is not working with TLSv1.3 and how can I fix it? I have still no luck with adding the server to IDM. I have followed the workaround described here: https://bugzilla.redhat.com/show_bug.cgi?id=1685470

now if I test the connection with: openssl s_client -connect server2.ipa.unicc.org:636

It connects using TLSv1.2, but it still not working the join to IDM.

Thanks & Regards.

-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:46 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client

Hello again,

I have tried to create a connection with the cipher is used on the client install and I get this: [root@client01 ~]# openssl s_client -connect server2.ipa.domain.org:636 -cipher ECDHE-RSA-AES256-GCM-SHA384 CONNECTED(00000003) depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority verify error:num=19:self signed certificate in certificate chain verify return:1 depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority verify return:1 depth=0 O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org verify return:1

Certificate chain 0 s:O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org i:O = IPA.DOMAIN.ORG, CN = Certificate Authority 1 s:O = IPA.DOMAIN.ORG, CN = Certificate Authority i:O = IPA.DOMAIN.ORG, CN = Certificate Authority

Server certificate -----BEGIN CERTIFICATE----- MIIEtTCCA52gAwIBAgIED/8BuzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1J .... 3Z4Moyqlg+wT -----END CERTIFICATE----- subject=O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org

issuer=O = IPA.DOMAIN.ORG, CN = Certificate Authority

Acceptable client certificate CA names O = IPA.DOMAIN.ORG, CN = Certificate Authority Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits

SSL handshake has read 2734 bytes and written 365 bytes Verification error: self signed certificate in certificate chain

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 <------- Changes the cipher, but it is also enbled on server side. Server public key is 2048 bit Secure Renegotiation IS NOT supported <------------- ???? Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self signed certificate in certificate chain)

Executing the same command on a RHEL 7 I don't have the err=19 (self signed certificate complain), also the " Shared Requested Signature Algorithms" are more and " Server Temp Key" different: Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Server Temp Key: ECDH, P-256, 256 bits

Thanks & Regards.

-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:26 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client

Hello,

The list of ciphers seems OK (it is the one showed on the debug logs: " TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled"), and also the SSL version range is from TLS1.0 to TLS1.3. I have also added lines with 'ERR' or 'WARN': [10/Jan/2020:08:53:57.993429356 +0100] - ERR - oc_check_allowed_sv - Entry "cn=encryption,cn=config" -- attribute "CACertExtractFile" not allowed [10/Jan/2020:08:53:57.999532781 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. [10/Jan/2020:08:53:58.005282229 +0100] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert [10/Jan/2020:08:53:58.013492586 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set. [10/Jan/2020:08:53:58.021112518 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers [10/Jan/2020:08:53:58.023818570 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.025012562 +0100] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.026865854 +0100] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.027909825 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.028910559 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.030192210 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.032707645 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.038511038 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.042101912 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.047331242 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.053222255 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.059417443 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.065215952 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.066816630 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.070814501 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.076808934 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.082326398 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Jan/2020:08:53:58.085812594 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.088603987 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.095429780 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.097605520 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.099003065 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Jan/2020:08:53:58.101106312 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.102701393 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.105723970 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Jan/2020:08:53:58.107107490 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.110522147 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.113200222 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Jan/2020:08:53:58.126201090 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3 ... [10/Jan/2020:08:54:02.128378609 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match ... [10/Jan/2020:08:54:02.268900495 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! [10/Jan/2020:08:54:02.283005210 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.284850029 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.291534216 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.296575693 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.300672868 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.306498604 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.312925397 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.316251285 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.318903023 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.324020591 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.327893713 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.334512981 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.338954980 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.341830396 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.343118609 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.346506279 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.359003489 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.361548258 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.449783407 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [10/Jan/2020:08:54:02.489813637 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests [10/Jan/2020:08:54:02.498610374 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests [10/Jan/2020:08:54:02.502099316 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-IPA-DOMAIN-ORG.socket for LDAPI requests [10/Jan/2020:08:54:02.506101255 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [10/Jan/2020:08:54:02.560926332 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! [10/Jan/2020:08:54:11.584790390 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=org [10/Jan/2020:08:54:11.592447129 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.

On the client side, seems it is also abailabe: [root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

Thanks & Regards.

-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Thursday, January 09, 2020 21:06 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Problem adding a RHEL 8.1 client

On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...
Hello,

I'm trying to add a RHEL 8.1 client with the following spec:

OS: RHEL 8.1 (Ootpa)

IPA: ipa-client-4.8.0-10

SSSD: sssd-2.2.0-19.el8.x86_64

My IDM server has:

OS: RHEL 7.7 (Maipo)

IPA: ipa-server-4.6.5-11.el7_7.3

SSSD: sssd-1.16.4-21.el7_7.1

When I try to add the client using "ipa-client-install" I get the error:

This program will set up IPA client.

Version 4.8.0

Discovery was successful!

Do you want to configure chrony with NTP server or pool address? [no]:

Client hostname: client01.svc.domain.org

Realm: IPA.DOMAIN.ORG

DNS Domain: ipa.domain.org

IPA Server: icidmpdc1.ipa.domain.org

BaseDN: dc=ipa,dc=domain,dc=org

Continue to configure the system with these values? [no]: yes

Synchronizing time

Configuration of chrony was changed by installer.

Attempting to sync time with chronyc.

Time synchronization was successful.

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Valid From: 2016-03-04 15:13:38

Valid Until: 2036-03-04 15:13:38

Joining realm failed: Unable to initialize STARTTLS session

Failed to bind to server!

Retrying with pre-4.0 keytab retrieval method...

Unable to initialize STARTTLS session

Failed to bind to server!

Failed to get keytab

child exited with 9

Installation failed. Rolling back changes.

Disabling client Kerberos and LDAP configurations

Restoring client configuration files

nslcd daemon is not installed, skip configuration

Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

The entire debug log is attached. It fails doing the "join". It doesn't happened when I add a client with RHEL 7.X, also I think it was also working with RHEL 8.0.

Can anyone please, let me know why it is not working?

Hi,

can you paste the content of /var/log/dirsrv/slapd-<DOMAIN>/errors (on the master) that is related to SSL:

INFO - Security Initialization - SSL info: Enabling default cipher set.

INFO - Security Initialization - SSL info: Configured NSS Ciphers

INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256:

enabled [... list of all ciphers]

INFO - Security Initialization - SSL info:

TLS_RSA_WITH_AES_128_CBC_SHA256: enabled

INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3

The full list of ciphers and the SSL range may help understand the issue.

flo

...
Thanks & Regards.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5 739f8400593ede80266830257%7C0%7C0%7C637141971601947392&sdata=%2FXm p17T3G8G6HelhTlBMbbwk2Z0XRRbk1JOMsEZAfXM%3D&reserved=0 List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Csole rm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5739f8400593 ede80266830257%7C0%7C0%7C637141971601957347&sdata=KCpN67a3VP%2B7W1 TWNLSjIjlcJTioY6phCrJPjIWB%2BFE%3D&reserved=0 List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahos ted.org&data=02%7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208 d7953f57d3%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C63714197160195 7347&sdata=ayLDi6PUsROquosBP%2Bkbh9KGoPGGHL4PyIabw3FloKQ%3D&re served=0

SOLER SANGUESA Miguel

7:50 a.m.

Hello,

I already tested that and I have the same error.

Thanks & Regards.

______________________________

-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Friday, January 10, 2020 13:06 To: SOLER SANGUESA Miguel solerm@unicc.org; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] Problem adding a RHEL 8.1 client

Hi,

can you try to run the following on the client: $ update-crypto-policies --set LEGACY then retry the client install?

(This is a workaround described in https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.red.... RHEL8 enables less ciphersuites and protocols)

flo

On 1/10/20 12:49 PM, SOLER SANGUESA Miguel wrote:

...

Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK: [root@client01 ~]# openssl s_client -connect server2.ipa.unicc.org:636 -tls1_2 ... Client Certificate Types: RSA sign, ECDSA sign, DSA sign Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-P SS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA +SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-P SS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA +SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits

SSL handshake has read 2694 bytes and written 339 bytes Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: B1CA329B2A6E4B33F8850112EDCE76273A47C407526C4CC6497FAF05322031C2 Session-ID-ctx: Master-Key: 0443C4A385C5445DB9B17CA6C6C463B686EBA71D60C451276970AE0892C574E19B899FCB653840E1DA7C0B0E1458FF65 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1578655322 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) Extended master secret: no

Do you know why it is not working with TLSv1.3 and how can I fix it? I have still no luck with adding the server to IDM. I have followed the workaround described here: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz illa.redhat.com%2Fshow_bug.cgi%3Fid%3D1685470&data=02%7C01%7Csoler m%40unicc.org%7C4895772460b64be3239908d795c57a07%7Ca33def5739f8400593e de80266830257%7C0%7C0%7C637142547701419753&sdata=i5Oxh5gvxpf29%2F8 EJMuYpIbCuCW8xu9f%2B%2Bkw9b42TTY%3D&reserved=0

now if I test the connection with: openssl s_client -connect server2.ipa.unicc.org:636

It connects using TLSv1.2, but it still not working the join to IDM.

Thanks & Regards.

-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:46 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client

Hello again,

I have tried to create a connection with the cipher is used on the client install and I get this: [root@client01 ~]# openssl s_client -connect server2.ipa.domain.org:636 -cipher ECDHE-RSA-AES256-GCM-SHA384 CONNECTED(00000003) depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority verify error:num=19:self signed certificate in certificate chain verify return:1 depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority verify return:1 depth=0 O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org verify return:1

Certificate chain 0 s:O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org i:O = IPA.DOMAIN.ORG, CN = Certificate Authority 1 s:O = IPA.DOMAIN.ORG, CN = Certificate Authority i:O = IPA.DOMAIN.ORG, CN = Certificate Authority

Server certificate -----BEGIN CERTIFICATE----- MIIEtTCCA52gAwIBAgIED/8BuzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1J .... 3Z4Moyqlg+wT -----END CERTIFICATE----- subject=O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org

issuer=O = IPA.DOMAIN.ORG, CN = Certificate Authority

Acceptable client certificate CA names O = IPA.DOMAIN.ORG, CN = Certificate Authority Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-P SS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA +SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:R SA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits

SSL handshake has read 2734 bytes and written 365 bytes Verification error: self signed certificate in certificate chain

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 <------- Changes the cipher, but it is also enbled on server side. Server public key is 2048 bit Secure Renegotiation IS NOT supported <------------- ???? Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self signed certificate in certificate chain)

Executing the same command on a RHEL 7 I don't have the err=19 (self signed certificate complain), also the " Shared Requested Signature Algorithms" are more and " Server Temp Key" different: Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA38 4:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Server Temp Key: ECDH, P-256, 256 bits

Thanks & Regards.

-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:26 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client

Hello,

The list of ciphers seems OK (it is the one showed on the debug logs: " TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled"), and also the SSL version range is from TLS1.0 to TLS1.3. I have also added lines with 'ERR' or 'WARN': [10/Jan/2020:08:53:57.993429356 +0100] - ERR - oc_check_allowed_sv - Entry "cn=encryption,cn=config" -- attribute "CACertExtractFile" not allowed [10/Jan/2020:08:53:57.999532781 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. [10/Jan/2020:08:53:58.005282229 +0100] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert [10/Jan/2020:08:53:58.013492586 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set. [10/Jan/2020:08:53:58.021112518 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers [10/Jan/2020:08:53:58.023818570 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.025012562 +0100] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.026865854 +0100] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.027909825 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.028910559 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.030192210 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.032707645 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.038511038 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.042101912 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.047331242 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.053222255 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.059417443 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.065215952 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.066816630 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.070814501 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.076808934 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.082326398 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Jan/2020:08:53:58.085812594 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.088603987 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.095429780 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.097605520 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.099003065 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Jan/2020:08:53:58.101106312 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.102701393 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.105723970 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Jan/2020:08:53:58.107107490 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.110522147 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.113200222 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Jan/2020:08:53:58.126201090 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3 ... [10/Jan/2020:08:54:02.128378609 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match ... [10/Jan/2020:08:54:02.268900495 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! [10/Jan/2020:08:54:02.283005210 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.284850029 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.291534216 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.296575693 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.300672868 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.306498604 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.312925397 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.316251285 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.318903023 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.324020591 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.327893713 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.334512981 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.338954980 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.341830396 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.343118609 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.346506279 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.359003489 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.361548258 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist [10/Jan/2020:08:54:02.449783407 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [10/Jan/2020:08:54:02.489813637 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests [10/Jan/2020:08:54:02.498610374 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests [10/Jan/2020:08:54:02.502099316 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-IPA-DOMAIN-ORG.socket for LDAPI requests [10/Jan/2020:08:54:02.506101255 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) [10/Jan/2020:08:54:02.560926332 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! [10/Jan/2020:08:54:11.584790390 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=org [10/Jan/2020:08:54:11.592447129 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.

On the client side, seems it is also abailabe: [root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

Thanks & Regards.

-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Thursday, January 09, 2020 21:06 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Problem adding a RHEL 8.1 client

On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...
Hello,

I'm trying to add a RHEL 8.1 client with the following spec:

OS: RHEL 8.1 (Ootpa)

IPA: ipa-client-4.8.0-10

SSSD: sssd-2.2.0-19.el8.x86_64

My IDM server has:

OS: RHEL 7.7 (Maipo)

IPA: ipa-server-4.6.5-11.el7_7.3

SSSD: sssd-1.16.4-21.el7_7.1

When I try to add the client using "ipa-client-install" I get the error:

This program will set up IPA client.

Version 4.8.0

Discovery was successful!

Do you want to configure chrony with NTP server or pool address? [no]:

Client hostname: client01.svc.domain.org

Realm: IPA.DOMAIN.ORG

DNS Domain: ipa.domain.org

IPA Server: icidmpdc1.ipa.domain.org

BaseDN: dc=ipa,dc=domain,dc=org

Continue to configure the system with these values? [no]: yes

Synchronizing time

Configuration of chrony was changed by installer.

Attempting to sync time with chronyc.

Time synchronization was successful.

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG

Valid From: 2016-03-04 15:13:38

Valid Until: 2036-03-04 15:13:38

Joining realm failed: Unable to initialize STARTTLS session

Failed to bind to server!

Retrying with pre-4.0 keytab retrieval method...

Unable to initialize STARTTLS session

Failed to bind to server!

Failed to get keytab

child exited with 9

Installation failed. Rolling back changes.

Disabling client Kerberos and LDAP configurations

Restoring client configuration files

nslcd daemon is not installed, skip configuration

Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

The entire debug log is attached. It fails doing the "join". It doesn't happened when I add a client with RHEL 7.X, also I think it was also working with RHEL 8.0.

Can anyone please, let me know why it is not working?

Hi,

can you paste the content of /var/log/dirsrv/slapd-<DOMAIN>/errors (on the master) that is related to SSL:

INFO - Security Initialization - SSL info: Enabling default cipher set.

INFO - Security Initialization - SSL info: Configured NSS Ciphers

INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256:

enabled [... list of all ciphers]

INFO - Security Initialization - SSL info:

TLS_RSA_WITH_AES_128_CBC_SHA256: enabled

INFO - Security Initialization - slapd_ssl_init2 - Configured SSL

version range: min: TLS1.0, max: TLS1.3

The full list of ciphers and the SSL range may help understand the issue.

flo

...
Thanks & Regards.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdoc s .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02 % 7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def 5 739f8400593ede80266830257%7C0%7C0%7C637141971601947392&sdata=%2FX m p17T3G8G6HelhTlBMbbwk2Z0XRRbk1JOMsEZAfXM%3D&reserved=0 List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffed o raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Csol e rm%40unicc.org%7C572ac438c3f44f353f6208d7953f57d3%7Ca33def5739f840059 3 ede80266830257%7C0%7C0%7C637141971601957347&sdata=KCpN67a3VP%2B7W 1 TWNLSjIjlcJTioY6phCrJPjIWB%2BFE%3D&reserved=0 List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flis t s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedoraho s ted.org&data=02%7C01%7Csolerm%40unicc.org%7C572ac438c3f44f353f620 8 d7953f57d3%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C6371419716019 5 7347&sdata=ayLDi6PUsROquosBP%2Bkbh9KGoPGGHL4PyIabw3FloKQ%3D&r e served=0

Christian Heimes

6:13 a.m.

On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK:

Hi,

is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? There have been known issues with FIPS mode, NSS (crypto library used by 389-DS), and TLS 1.3 in the past.

I'm going to create a reproducer setup and try to come up with a workaround now.

Christian

-- Christian Heimes Principal Software Engineer, Identity Management and Platform Security Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage

SOLER SANGUESA Miguel

7:55 a.m.

Hello Christian,

It is an standard installation.

[root@server2 ~]# cat /proc/sys/crypto/fips_enabled 0

Thanks & Regards.

-----Original Message----- From: Christian Heimes cheimes@redhat.com Sent: Friday, January 10, 2020 13:13 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Florence Blanc-Renaud flo@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK:

Hi,

is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? There have been known issues with FIPS mode, NSS (crypto library used by 389-DS), and TLS 1.3 in the past.

I'm going to create a reproducer setup and try to come up with a workaround now.

Christian

-- Christian Heimes Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage

Florence Blanc-Renaud

8:56 a.m.

On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

Hello Christian,

It is an standard installation.

[root@server2 ~]# cat /proc/sys/crypto/fips_enabled 0

Can you also check the following: - which version of openldap is installed on the client: rpm -qa openldap

- does the LDAP server certificate contain SAN extensions: on the master certutil -L -d /etc/dirsrv/slap-<DOMAIN> -n Server-Cert

flo

...

Thanks & Regards.

-----Original Message----- From: Christian Heimes cheimes@redhat.com Sent: Friday, January 10, 2020 13:13 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Florence Blanc-Renaud flo@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...
Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK:

Hi,

is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? There have been known issues with FIPS mode, NSS (crypto library used by 389-DS), and TLS 1.3 in the past.

I'm going to create a reproducer setup and try to come up with a workaround now.

Christian

-- Christian Heimes Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

SOLER SANGUESA Miguel

9:08 a.m.

[root@client01 ~]# rpm -qa openldap openldap-2.4.46-10.el8.x86_64

[root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n Server-Cert Certificate: Data: Version: 3 (0x2) Serial Number: 268370363 (0xfff01bb) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.ORG" Validity: Not Before: Fri Feb 16 21:18:08 2018 Not After : Mon Feb 17 21:18:08 2020 Subject: "CN=server2.ipa.domain.org,O=IPA.DOMAIN.ORG" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: d7:d3:51:8e:a0:99:a3:9f:30:d2:49:98:a8:ef:41:21: 7c:ab:98:87:59:85:6d:15:fd:09:43:63:f9:e7:98:bc: ... 66:63:cd:58:ca:a4:93:99:33:68:08:7b:76:07:a6:9b Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Authority Key Identifier Key ID: 74:...:63: c1:37:5b:e9

Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://ipa-ca.ipa.domain.org/ca/ocsp"

Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment

Name: Extended Key Usage TLS Web Server Authentication Certificate TLS Web Client Authentication Certificate

Name: CRL Distribution Points Distribution point: URI: "http://ipa-ca.ipa.domain.org/ipa/crl/MasterCRL.bin" CRL issuer: Directory Name: "CN=Certificate Authority,O=ipaca"

Name: Certificate Subject Key ID Data: b4:...:60: 71:ef:da:b7

Name: Certificate Subject Alt Name Other Name: "ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG" OID: Microsoft NT Principal Name Other Name: Sequence { [0]: { 1b:0d:4....:52:47 } [1]: { Sequence { [0]: { 1 (0x1) } [1]: { Sequence { 1b:04:...:70 1b:17:....32:2e:69:70:61: 2e:75:.....6f:72:67 } } } } } OID: OID.1.3.6.1.5.2.2

Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: 84:51:79:32:49:f3:46:89:c0:56:0b:d0:5a:dd:d0:4e: ... 88:15:49:b0:fd:4b:cd:dd:9e:0c:a3:2a:a5:83:ec:13 Fingerprint (SHA-256): F5:72:8D:E8:A8:8A:....6:A2:B8:4B:FF:E2 Fingerprint (SHA1): A6:32:14:.....46:4A:97:A0:67:A3

Mozilla-CA-Policy: false (attribute missing) Certificate Trust Flags: SSL Flags: User Email Flags: User Object Signing Flags: User

Thanks & Regards. -----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Friday, January 10, 2020 15:56 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Christian Heimes cheimes@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

Hello Christian,

It is an standard installation.

[root@server2 ~]# cat /proc/sys/crypto/fips_enabled 0

Can you also check the following: - which version of openldap is installed on the client: rpm -qa openldap

- does the LDAP server certificate contain SAN extensions: on the master certutil -L -d /etc/dirsrv/slap-<DOMAIN> -n Server-Cert

flo

...

Thanks & Regards.

-----Original Message----- From: Christian Heimes cheimes@redhat.com Sent: Friday, January 10, 2020 13:13 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Florence Blanc-Renaud flo@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...
Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK:

Hi,

is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? There have been known issues with FIPS mode, NSS (crypto library used by 389-DS), and TLS 1.3 in the past.

I'm going to create a reproducer setup and try to come up with a workaround now.

Christian

-- Christian Heimes Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.d e.redhat.com%2F&data=02%7C01%7Csolerm%40unicc.org%7C7b73eebef76942 2dca8808d795dd4c7d%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C637142 650019201441&sdata=wOiZtK7TmzbzBxXkNjvEY86ac7atC0MserZNmv66d2Y%3D& amp;reserved=0, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Csolerm%40unicc.org%7C7b73eebef769422dca8808d795dd4c7d%7Ca33def5 739f8400593ede80266830257%7C0%7C0%7C637142650019201441&sdata=AsNrN 498wAYwaVBEK5q12rgNTUzuvlu6y2Pk4ALb%2BmU%3D&reserved=0 List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Csole rm%40unicc.org%7C7b73eebef769422dca8808d795dd4c7d%7Ca33def5739f8400593 ede80266830257%7C0%7C0%7C637142650019211408&sdata=S5581w0eMy9DZIAJ Mzk3P0nNbD1IGKWnHZLnZzReq%2FI%3D&reserved=0 List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahos ted.org&data=02%7C01%7Csolerm%40unicc.org%7C7b73eebef769422dca8808 d795dd4c7d%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C63714265001921 1408&sdata=XPSc6N3MH%2FTICWZUU1PpTIH5UHcUU2gXSe6ZZQyQMF0%3D&re served=0

Florence Blanc-Renaud

9:32 a.m.

On 1/10/20 4:08 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

[root@client01 ~]# rpm -qa openldap openldap-2.4.46-10.el8.x86_64

[root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n Server-Cert Certificate: Data: Version: 3 (0x2) Serial Number: 268370363 (0xfff01bb) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.ORG" Validity: Not Before: Fri Feb 16 21:18:08 2018 Not After : Mon Feb 17 21:18:08 2020 Subject: "CN=server2.ipa.domain.org,O=IPA.DOMAIN.ORG" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: d7:d3:51:8e:a0:99:a3:9f:30:d2:49:98:a8:ef:41:21: 7c:ab:98:87:59:85:6d:15:fd:09:43:63:f9:e7:98:bc: ... 66:63:cd:58:ca:a4:93:99:33:68:08:7b:76:07:a6:9b Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Authority Key Identifier Key ID: 74:...:63: c1:37:5b:e9
         Name: Authority Information Access
         Method: PKIX Online Certificate Status Protocol
         Location:
             URI: "http://ipa-ca.ipa.domain.org/ca/ocsp"

         Name: Certificate Key Usage
         Critical: True
         Usages: Digital Signature
                 Non-Repudiation
                 Key Encipherment
                 Data Encipherment

         Name: Extended Key Usage
             TLS Web Server Authentication Certificate
             TLS Web Client Authentication Certificate

         Name: CRL Distribution Points
         Distribution point:
             URI: "http://ipa-ca.ipa.domain.org/ipa/crl/MasterCRL.bin"
             CRL issuer:
                 Directory Name: "CN=Certificate Authority,O=ipaca"

         Name: Certificate Subject Key ID
         Data:
             b4:...:60:
             71:ef:da:b7

         Name: Certificate Subject Alt Name
         Other Name: "ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG"
             OID: Microsoft NT Principal Name

Bingo, I think we found the issue. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1781799#c11.

You can try to replace your LDAP server cert with a certificate containing the hostname in the Subject Alt Name extension. On the server: (backup the /etc/dirsrv/slapd NSS database first) getcert list -d /etc/dirsrv/slapd-<DOMAIN> Note the tracking id

getcert resubmit -i <id> -D `hostname`

This will renew the server cert with a new cert having the additional SAN extension containing the hostname.

After that, retry the client install, crossing my fingers but this should succeed. flo

...

         Other Name: Sequence {
             [0]: {
                 1b:0d:4....:52:47
             }
             [1]: {
                 Sequence {
                     [0]: {
                         1 (0x1)
                     }
                     [1]: {
                         Sequence {
                             1b:04:...:70
                             1b:17:....32:2e:69:70:61:
                             2e:75:.....6f:72:67
                         }
                     }
                 }
             }
         }
             OID: OID.1.3.6.1.5.2.2

 Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Signature:
     84:51:79:32:49:f3:46:89:c0:56:0b:d0:5a:dd:d0:4e:
...
     88:15:49:b0:fd:4b:cd:dd:9e:0c:a3:2a:a5:83:ec:13
 Fingerprint (SHA-256):
     F5:72:8D:E8:A8:8A:....6:A2:B8:4B:FF:E2
 Fingerprint (SHA1):
     A6:32:14:.....46:4A:97:A0:67:A3

 Mozilla-CA-Policy: false (attribute missing)
 Certificate Trust Flags:
     SSL Flags:
         User
     Email Flags:
         User
     Object Signing Flags:
         User
Thanks & Regards. -----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Friday, January 10, 2020 15:56 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Christian Heimes cheimes@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...
Hello Christian,

It is an standard installation.

[root@server2 ~]# cat /proc/sys/crypto/fips_enabled 0

Can you also check the following:

which version of openldap is installed on the client:

rpm -qa openldap

does the LDAP server certificate contain SAN extensions: on the master certutil -L -d /etc/dirsrv/slap-<DOMAIN> -n Server-Cert

flo

...
Thanks & Regards.

-----Original Message----- From: Christian Heimes cheimes@redhat.com Sent: Friday, January 10, 2020 13:13 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Florence Blanc-Renaud flo@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...
Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK:

Hi,

is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? There have been known issues with FIPS mode, NSS (crypto library used by 389-DS), and TLS 1.3 in the past.

I'm going to create a reproducer setup and try to come up with a workaround now.

Christian

-- Christian Heimes Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.d e.redhat.com%2F&data=02%7C01%7Csolerm%40unicc.org%7C7b73eebef76942 2dca8808d795dd4c7d%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C637142 650019201441&sdata=wOiZtK7TmzbzBxXkNjvEY86ac7atC0MserZNmv66d2Y%3D& amp;reserved=0, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Csolerm%40unicc.org%7C7b73eebef769422dca8808d795dd4c7d%7Ca33def5 739f8400593ede80266830257%7C0%7C0%7C637142650019201441&sdata=AsNrN 498wAYwaVBEK5q12rgNTUzuvlu6y2Pk4ALb%2BmU%3D&reserved=0 List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Csole rm%40unicc.org%7C7b73eebef769422dca8808d795dd4c7d%7Ca33def5739f8400593 ede80266830257%7C0%7C0%7C637142650019211408&sdata=S5581w0eMy9DZIAJ Mzk3P0nNbD1IGKWnHZLnZzReq%2FI%3D&reserved=0 List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahos ted.org&data=02%7C01%7Csolerm%40unicc.org%7C7b73eebef769422dca8808 d795dd4c7d%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C63714265001921 1408&sdata=XPSc6N3MH%2FTICWZUU1PpTIH5UHcUU2gXSe6ZZQyQMF0%3D&re served=0

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

SOLER SANGUESA Miguel

13 Jan 13 Jan

2:36 a.m.

Hello,

You are right! It worked.

Thank you very much.

Thanks & Regards.

-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Friday, January 10, 2020 16:33 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Christian Heimes cheimes@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 1/10/20 4:08 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...

[root@client01 ~]# rpm -qa openldap openldap-2.4.46-10.el8.x86_64

[root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n Server-Cert Certificate: Data: Version: 3 (0x2) Serial Number: 268370363 (0xfff01bb) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.ORG" Validity: Not Before: Fri Feb 16 21:18:08 2018 Not After : Mon Feb 17 21:18:08 2020 Subject: "CN=server2.ipa.domain.org,O=IPA.DOMAIN.ORG" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: d7:d3:51:8e:a0:99:a3:9f:30:d2:49:98:a8:ef:41:21: 7c:ab:98:87:59:85:6d:15:fd:09:43:63:f9:e7:98:bc: ... 66:63:cd:58:ca:a4:93:99:33:68:08:7b:76:07:a6:9b Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Authority Key Identifier Key ID: 74:...:63: c1:37:5b:e9
         Name: Authority Information Access
         Method: PKIX Online Certificate Status Protocol
         Location:
             URI: "https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fipa-ca.ipa.domain.org%2Fca%2Focsp&amp;data=02%7C01%7Csolerm%40unicc.org%7C9fb1a6e9d8434f0ba92108d795e25a09%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C637142671715901182&amp;sdata=arWUGijmT70YJRCudab7s7mXjzpW1%2BKUnMt%2FfhgctVc%3D&amp;reserved=0"

         Name: Certificate Key Usage
         Critical: True
         Usages: Digital Signature
                 Non-Repudiation
                 Key Encipherment
                 Data Encipherment

         Name: Extended Key Usage
             TLS Web Server Authentication Certificate
             TLS Web Client Authentication Certificate

         Name: CRL Distribution Points
         Distribution point:
             URI: "https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fipa-ca.ipa.domain.org%2Fipa%2Fcrl%2FMasterCRL.bin&amp;data=02%7C01%7Csolerm%40unicc.org%7C9fb1a6e9d8434f0ba92108d795e25a09%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C637142671715901182&amp;sdata=CCV49RQ8VghhJSedgltyNB%2F39hX7i1GlZflO%2BE91BYc%3D&amp;reserved=0"
             CRL issuer:
                 Directory Name: "CN=Certificate Authority,O=ipaca"

         Name: Certificate Subject Key ID
         Data:
             b4:...:60:
             71:ef:da:b7

         Name: Certificate Subject Alt Name
         Other Name: "ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG"
             OID: Microsoft NT Principal Name

Bingo, I think we found the issue. Please see https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.r....

getcert resubmit -i <id> -D `hostname`

This will renew the server cert with a new cert having the additional SAN extension containing the hostname.

After that, retry the client install, crossing my fingers but this should succeed. flo

...

         Other Name: Sequence {
             [0]: {
                 1b:0d:4....:52:47
             }
             [1]: {
                 Sequence {
                     [0]: {
                         1 (0x1)
                     }
                     [1]: {
                         Sequence {
                             1b:04:...:70
                             1b:17:....32:2e:69:70:61:
                             2e:75:.....6f:72:67
                         }
                     }
                 }
             }
         }
             OID: OID.1.3.6.1.5.2.2

 Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Signature:
     84:51:79:32:49:f3:46:89:c0:56:0b:d0:5a:dd:d0:4e:
...
     88:15:49:b0:fd:4b:cd:dd:9e:0c:a3:2a:a5:83:ec:13
 Fingerprint (SHA-256):
     F5:72:8D:E8:A8:8A:....6:A2:B8:4B:FF:E2
 Fingerprint (SHA1):
     A6:32:14:.....46:4A:97:A0:67:A3

 Mozilla-CA-Policy: false (attribute missing)
 Certificate Trust Flags:
     SSL Flags:
         User
     Email Flags:
         User
     Object Signing Flags:
         User
Thanks & Regards. -----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: Friday, January 10, 2020 15:56 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Christian Heimes cheimes@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...
Hello Christian,

It is an standard installation.

[root@server2 ~]# cat /proc/sys/crypto/fips_enabled 0

Can you also check the following:

which version of openldap is installed on the client:

rpm -qa openldap

does the LDAP server certificate contain SAN extensions: on the master certutil -L -d /etc/dirsrv/slap-<DOMAIN> -n Server-Cert

flo

...
Thanks & Regards.

-----Original Message----- From: Christian Heimes cheimes@redhat.com Sent: Friday, January 10, 2020 13:13 To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Florence Blanc-Renaud flo@redhat.com Cc: SOLER SANGUESA Miguel solerm@unicc.org Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:

...
Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK:

Hi,

is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? There have been known issues with FIPS mode, NSS (crypto library used by 389-DS), and TLS 1.3 in the past.

I'm going to create a reproducer setup and try to come up with a workaround now.

Christian

-- Christian Heimes Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.d e.redhat.com%2F&data=02%7C01%7Csolerm%40unicc.org%7C7b73eebef76942 2dca8808d795dd4c7d%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C637142 650019201441&sdata=wOiZtK7TmzbzBxXkNjvEY86ac7atC0MserZNmv66d2Y%3D& amp;reserved=0, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Csolerm%40unicc.org%7C7b73eebef769422dca8808d795dd4c7d%7Ca33def5 739f8400593ede80266830257%7C0%7C0%7C637142650019201441&sdata=AsNrN 498wAYwaVBEK5q12rgNTUzuvlu6y2Pk4ALb%2BmU%3D&reserved=0 List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Csole rm%40unicc.org%7C7b73eebef769422dca8808d795dd4c7d%7Ca33def5739f8400593 ede80266830257%7C0%7C0%7C637142650019211408&sdata=S5581w0eMy9DZIAJ Mzk3P0nNbD1IGKWnHZLnZzReq%2FI%3D&reserved=0 List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Ffreeipa-users%40lists.fedorahos ted.org&data=02%7C01%7Csolerm%40unicc.org%7C7b73eebef769422dca8808 d795dd4c7d%7Ca33def5739f8400593ede80266830257%7C0%7C0%7C63714265001921 1408&sdata=XPSc6N3MH%2FTICWZUU1PpTIH5UHcUU2gXSe6ZZQyQMF0%3D&re served=0

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedor... List Guidelines: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproj... List Archives: https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedo...

1573

Age (days ago)

1577

Last active (days ago)

freeipa-users@lists.fedorahosted.org

12 comments

3 participants

tags (0)

participants (3)

Christian Heimes
Florence Blanc-Renaud
SOLER SANGUESA Miguel