From ssorce at redhat.com Sun Jun 1 15:03:43 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 01 Jun 2008 11:03:43 -0400
Subject: [Freeipa-devel] ipa_kpasswd - server error
Message-ID: <1212332623.3156.30.camel@localhost.localdomain>

On Sat, 2008-05-31 at 16:33 -0500, Matt Flusche wrote:
> Hello, I've been testing freeipa for a few weeks. Current
> configuration is fedora 9 x86_64 and ipa-1.0.0-6. I'm having a
> problem with ipa_kpasswd I can't seem to get past. I'm getting a
> "Server error: Server Error" from kpasswd. ipa_kpasswd is logging
> the following:
>
> kpasswd[14969]: Unable to bind to ldap server
>
> ns-slapd is logging the following:
>
> conn=17 received a non-LDAP message (tag 0x53, expected 0x30)
>
> The kadmin/changepw principal seems to be working. I can run the
> following successfully to test
>
> # kinit -V -k -t /var/kerberos/krb5kdc/kpasswd.keytab kadmin/changepw
> # ldapsearch -v -Y GSSAPI
>
> Suggestions?

Do you see any AVC message in the audit.log by chance?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From matt.flusche at cox.net Sun Jun 1 15:21:57 2008
From: matt.flusche at cox.net (Matt Flusche)
Date: Sun, 1 Jun 2008 10:21:57 -0500
Subject: [Freeipa-devel] ipa_kpasswd - server error
In-Reply-To: <1212332623.3156.30.camel@localhost.localdomain>
References: <1212332623.3156.30.camel@localhost.localdomain>
Message-ID: <012538FE-081C-4EFA-9093-D6C9E3DA6808@cox.net>

On Jun 1, 2008, at 10:03 AM, Simo Sorce wrote:

> On Sat, 2008-05-31 at 16:33 -0500, Matt Flusche wrote:
>> Hello, I've been testing freeipa for a few weeks. Current
>> configuration is fedora 9 x86_64 and ipa-1.0.0-6. I'm having a
>> problem with ipa_kpasswd I can't seem to get past. I'm getting a
>> "Server error: Server Error" from kpasswd.
>> ipa_kpasswd is logging the following:
>>
>> kpasswd[14969]: Unable to bind to ldap server
>>
>> ns-slapd is logging the following:
>>
>> conn=17 received a non-LDAP message (tag 0x53, expected 0x30)
>>
>> The kadmin/changepw principal seems to be working. I can run the
>> following successfully to test
>>
>> # kinit -V -k -t /var/kerberos/krb5kdc/kpasswd.keytab kadmin/changepw
>> # ldapsearch -v -Y GSSAPI
>>
>> Suggestions?
>
> Do you see any AVC message in the audit.log by chance?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

Nothing in audit.log. I've also tested with selinux disabled. Same results.

Thanks,
Matt

From mischins at imi.uni-luebeck.de Tue Jun 3 14:37:00 2008
From: mischins at imi.uni-luebeck.de (Andreas Mischinski)
Date: Tue, 03 Jun 2008 16:37:00 +0200
Subject: [Freeipa-devel] freeIPA Installation issue on fedora core 9 (x86)
Message-ID: <1212503820.13506.15.camel@vtx.imi.uni-luebeck.de>

Hi,

I have an issue with the installation of the freeIPA package from Fedora
Core 9, currently package version ipa-server-1.0.0-6.fc9 (i386).
During installation there is an error with adding the admin user to the
LDAP server. I tried to repeat the command after the installation, but it
does not help:

/usr/lib/mozldap/ldappasswd -D cn=Directory Manager -w password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD/cert8.db -ZZZ -s password1 uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world

I get this answer:

ldap_start_tls_s failed: (Can't connect to the LDAP server)

I have selinux disabled and added the required ports to the firewall.
The service dirsrv MISCHINS-WORLD is running.

What's wrong here?
:-)

Thanks,
Andreas Mischinski

From rcritten at redhat.com Tue Jun 3 14:48:28 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 10:48:28 -0400
Subject: [Freeipa-devel] freeIPA Installation issue on fedora core 9 (x86)
In-Reply-To: <1212503820.13506.15.camel@vtx.imi.uni-luebeck.de>
References: <1212503820.13506.15.camel@vtx.imi.uni-luebeck.de>
Message-ID: <484559BC.1070503@redhat.com>

Andreas Mischinski wrote:
> Hi,
>
> I have an issue with the installation of the freeIPA package from Fedora
> Core 9, currently package version ipa-server-1.0.0-6.fc9 (i386).
> During installation there is an error with adding the admin user to the
> LDAP server. I tried to repeat the command after the installation, but it
> does not help:
>
> /usr/lib/mozldap/ldappasswd -D cn=Directory Manager -w password1
> -P /etc/dirsrv/slapd-MISCHINS-WORLD/cert8.db -ZZZ -s password1
> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world

To run from the command-line you'll need to wrap quotes around
"cn=Directory Manager"

/var/log/ipaserver-install.log should have more details on the initial
failure.

rob

From rcritten at redhat.com Tue Jun 3 15:34:52 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 11:34:52 -0400
Subject: [Freeipa-devel] [PATCH] ensure realm is upper-case
Message-ID: <4845649C.1040404@redhat.com>

Go ahead and enforce an upper-case realm name. Some things assume that it
will be upper-case, and this is the convention anyway, so don't fight the
system.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-38-realm.patch
Type: text/x-patch
Size: 1679 bytes
Desc: not available
URL:
From mischins at imi.uni-luebeck.de Tue Jun 3 17:17:44 2008
From: mischins at imi.uni-luebeck.de (Andreas Mischinski)
Date: Tue, 3 Jun 2008 19:17:44 +0200
Subject: AW: [Freeipa-devel] [PATCH] ensure realm is upper-case
In-Reply-To: <4845649C.1040404@redhat.com>
References: <4845649C.1040404@redhat.com>
Message-ID: <000501c8c59d$bcb03120$36109360$@uni-luebeck.de>

I repeated the installation several times. I used an upper case realm name:
MISCHINS.WORLD
The installation still has the same error but proceeds to the end. I've
attached my installation log file.

Andreas

-----Original Message-----
From: freeipa-devel-bounces at redhat.com
[mailto:freeipa-devel-bounces at redhat.com] On behalf of Rob Crittenden
Sent: Tuesday, 3 June 2008 17:35
To: freeipa-devel
Subject: [Freeipa-devel] [PATCH] ensure realm is upper-case

Go ahead and enforce an upper-case realm name. Some things assume that it
will be upper-case, and this is the convention anyway, so don't fight the
system.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaserver-install.log
Type: application/octet-stream
Size: 40850 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Jun 3 18:02:42 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 14:02:42 -0400
Subject: AW: [Freeipa-devel] [PATCH] ensure realm is upper-case
In-Reply-To: <000501c8c59d$bcb03120$36109360$@uni-luebeck.de>
References: <4845649C.1040404@redhat.com> <000501c8c59d$bcb03120$36109360$@uni-luebeck.de>
Message-ID: <48458742.4090708@redhat.com>

Andreas Mischinski wrote:
> I repeated the installation several times. I used an upper case realm name:
> MISCHINS.WORLD
> The installation still has the same error but proceeds to the end. I've
> attached my installation log file.
>
> Andreas
>
> -----Original Message-----
> From: freeipa-devel-bounces at redhat.com
> [mailto:freeipa-devel-bounces at redhat.com] On behalf of Rob Crittenden
> Sent: Tuesday, 3 June 2008 17:35
> To: freeipa-devel
> Subject: [Freeipa-devel] [PATCH] ensure realm is upper-case
>
> Go ahead and enforce an upper-case realm name. Some things assume that it
> will be upper-case, and this is the convention anyway, so don't fight the
> system.
>
> rob

This patch is unrelated to your problems. Can you see if the ns-slapd
process is running? And/or check /var/log/dirsrv/slapd-MISCHINS-WORLD/errors
and access?

rob

From mischins at imi.uni-luebeck.de Tue Jun 3 18:30:48 2008
From: mischins at imi.uni-luebeck.de (Andreas Mischinski)
Date: Tue, 3 Jun 2008 20:30:48 +0200
Subject: AW: AW: [Freeipa-devel] [PATCH] ensure realm is upper-case
In-Reply-To: <48458742.4090708@redhat.com>
References: <4845649C.1040404@redhat.com> <000501c8c59d$bcb03120$36109360$@uni-luebeck.de> <48458742.4090708@redhat.com>
Message-ID: <001c01c8c5a7$f1cf15b0$d56d4110$@uni-luebeck.de>

ns-slapd is running:

[root at ipa ~]# ps aux | grep ns-slapd
dirsrv 1825 0.0 0.9 453092 14192 ? Sl 19:28 0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MISCHINS-WORLD -i /var/run/dirsrv/slapd-MISCHINS-WORLD.pid -w /var/run/dirsrv/slapd-MISCHINS-WORLD.startpid

Last entries in /var/log/dirsrv/slapd-MISCHINS-WORLD/errors:

Snip ---------------------
[03/Jun/2008:19:28:38 +0200] - Fedora-Directory/1.1.0 B2008.107.1816 starting up
[03/Jun/2008:19:28:39 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[03/Jun/2008:19:28:39 +0200] - Listening on All Interfaces port 636 for LDAPS requests
Snap ----------------------------------------

In /var/log/dirsrv/slapd-MISCHINS-WORLD/access there are more entries.
Please have a look at the attached file. As far as I can see, there's no
error.

Greetings,
Andreas

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, 3 June 2008 20:03
To: Andreas Mischinski
Cc: 'freeipa-devel'
Subject: Re: AW: [Freeipa-devel] [PATCH] ensure realm is upper-case

Andreas Mischinski wrote:
> I repeated the installation several times. I used an upper case realm name:
> MISCHINS.WORLD
> The installation still has the same error but proceeds to the end. I've
> attached my installation log file.
>
> Andreas
>
> -----Original Message-----
> From: freeipa-devel-bounces at redhat.com
> [mailto:freeipa-devel-bounces at redhat.com] On behalf of Rob Crittenden
> Sent: Tuesday, 3 June 2008 17:35
> To: freeipa-devel
> Subject: [Freeipa-devel] [PATCH] ensure realm is upper-case
>
> Go ahead and enforce an upper-case realm name. Some things assume that it
> will be upper-case, and this is the convention anyway, so don't fight the
> system.
>
> rob

This patch is unrelated to your problems. Can you see if the ns-slapd
process is running? And/or check /var/log/dirsrv/slapd-MISCHINS-WORLD/errors
and access?

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: access
Type: application/octet-stream
Size: 20247 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Jun 3 18:59:26 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 14:59:26 -0400
Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute
Message-ID: <4845948E.2040801@redhat.com>

When converting from a multi-valued UI attribute back to a list drop any
blank values. This will avoid errors in the UniqueList() validator.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-39-validate.patch
Type: text/x-patch
Size: 1269 bytes
Desc: not available
URL:

From mischins at imi.uni-luebeck.de Tue Jun 3 19:33:24 2008
From: mischins at imi.uni-luebeck.de (Andreas Mischinski)
Date: Tue, 3 Jun 2008 21:33:24 +0200
Subject: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute
In-Reply-To: <4845948E.2040801@redhat.com>
References: <4845948E.2040801@redhat.com>
Message-ID: <003701c8c5b0$b0bc1010$12343030$@uni-luebeck.de>

I'm a noob with this ipaserver. Tell me what's wrong with my installation?

Should I apply your patch and reinstall the ipaserver?

Thanks for the help so far.

-----Original Message-----
From: freeipa-devel-bounces at redhat.com
[mailto:freeipa-devel-bounces at redhat.com] On behalf of Rob Crittenden
Sent: Tuesday, 3 June 2008 20:59
To: freeipa-devel
Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute

When converting from a multi-valued UI attribute back to a list drop any
blank values. This will avoid errors in the UniqueList() validator.

rob

From rcritten at redhat.com Tue Jun 3 19:55:46 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 15:55:46 -0400
Subject: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute
In-Reply-To: <003701c8c5b0$b0bc1010$12343030$@uni-luebeck.de>
References: <4845948E.2040801@redhat.com> <003701c8c5b0$b0bc1010$12343030$@uni-luebeck.de>
Message-ID: <4845A1C2.1090605@redhat.com>

Andreas Mischinski wrote:
> I'm a noob with this ipaserver. Tell me what's wrong with my installation?
>
> Should I apply your patch and reinstall the ipaserver?
>
> Thanks for the help so far.
>
> -----Original Message-----
> From: freeipa-devel-bounces at redhat.com
> [mailto:freeipa-devel-bounces at redhat.com] On behalf of Rob Crittenden
> Sent: Tuesday, 3 June 2008 20:59
> To: freeipa-devel
> Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI
> attribute
>
> When converting from a multi-valued UI attribute back to a list drop any
> blank values. This will avoid errors in the UniqueList() validator.
>
> rob
>

No, this patch too is unrelated to your problem. We post all patches for
peer review here in a post starting with PATCH so they are easy to find.

Can you try this command (basically putting quotes around cn=)

/usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD/cert8.db -ZZZ -s password1 uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world

There was one other report of this problem,
https://bugzilla.redhat.com/show_bug.cgi?id=442802

I was never able to get confirmation on what he did to fix it though.

rob

From mischins at imi.uni-luebeck.de Tue Jun 3 20:12:28 2008
From: mischins at imi.uni-luebeck.de (Andreas Mischinski)
Date: Tue, 3 Jun 2008 22:12:28 +0200
Subject: AW: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute
In-Reply-To: <4845A1C2.1090605@redhat.com>
References: <4845948E.2040801@redhat.com> <003701c8c5b0$b0bc1010$12343030$@uni-luebeck.de> <4845A1C2.1090605@redhat.com>
Message-ID: <004001c8c5b6$25f23850$71d6a8f0$@uni-luebeck.de>

Hey, this is the result.
/usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2 uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world
ldap_start_tls_s failed: (Can't connect to the LDAP server)

I've installed Fedora Core 9 (fresh install) and then selected the
ipaserver package via the package manager.
From the command line I started ipa-server-install and received the only
error with setting the admin password.

MISCHINS.WORLD is a test domain in our environment. We want to migrate from
pure OpenLDAP to something like Fedora Directory Server in combination with
Active Directory, since many applications are designed for Active Directory.

It seems to me that he had the same problem?

Maybe I should downgrade my Fedora Core installation, but that would not be
my first choice.
If I can provide you with more info, commands, let me know.

Andreas

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, 3 June 2008 21:56
To: Andreas Mischinski
Cc: 'freeipa-devel'
Subject: Re: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute

Andreas Mischinski wrote:
> I'm a noob with this ipaserver. Tell me what's wrong with my installation?
>
> Should I apply your patch and reinstall the ipaserver?
>
> Thanks for the help so far.
>
> -----Original Message-----
> From: freeipa-devel-bounces at redhat.com
> [mailto:freeipa-devel-bounces at redhat.com] On behalf of Rob Crittenden
> Sent: Tuesday, 3 June 2008 20:59
> To: freeipa-devel
> Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI
> attribute
>
> When converting from a multi-valued UI attribute back to a list drop any
> blank values. This will avoid errors in the UniqueList() validator.
>
> rob
>

No, this patch too is unrelated to your problem. We post all patches for
peer review here in a post starting with PATCH so they are easy to find.
Can you try this command (basically putting quotes around cn=)

/usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD/cert8.db -ZZZ -s password1 uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world

There was one other report of this problem,
https://bugzilla.redhat.com/show_bug.cgi?id=442802

I was never able to get confirmation on what he did to fix it though.

rob

From rcritten at redhat.com Tue Jun 3 20:23:27 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 16:23:27 -0400
Subject: AW: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute
In-Reply-To: <004001c8c5b6$25f23850$71d6a8f0$@uni-luebeck.de>
References: <4845948E.2040801@redhat.com> <003701c8c5b0$b0bc1010$12343030$@uni-luebeck.de> <4845A1C2.1090605@redhat.com> <004001c8c5b6$25f23850$71d6a8f0$@uni-luebeck.de>
Message-ID: <4845A83F.5060901@redhat.com>

Andreas Mischinski wrote:
> Hey, this is the result.
>
> /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P
> /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2
> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world
> ldap_start_tls_s failed: (Can't connect to the LDAP server)
>
> I've installed Fedora Core 9 (fresh install) and then selected the
> ipaserver package via the package manager.
> From the command line I started ipa-server-install and received the only
> error with setting the admin password.
>
> MISCHINS.WORLD is a test domain in our environment. We want to migrate from
> pure OpenLDAP to something like Fedora Directory Server in combination with
> Active Directory, since many applications are designed for Active Directory.
>
> It seems to me that he had the same problem?
>
> Maybe I should downgrade my Fedora Core installation, but that would not be
> my first choice.
> If I can provide you with more info, commands, let me know.

No, Fedora 9 should be fine.
Can you try the command again, this time also with the -v option
(verbose output). That should show us what host it is trying to connect
to. I wonder if that is simply failing.

You can also try specifically using -h YOURSERVER where YOURSERVER is
the hostname of the machine you installed IPA on.

rob

>
> Andreas
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, 3 June 2008 21:56
> To: Andreas Mischinski
> Cc: 'freeipa-devel'
> Subject: Re: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued
> UI attribute
>
> Andreas Mischinski wrote:
>> I'm a noob with this ipaserver. Tell me what's wrong with my installation?
>>
>> Should I apply your patch and reinstall the ipaserver?
>>
>> Thanks for the help so far.
>>
>> -----Original Message-----
>> From: freeipa-devel-bounces at redhat.com
>> [mailto:freeipa-devel-bounces at redhat.com] On behalf of Rob Crittenden
>> Sent: Tuesday, 3 June 2008 20:59
>> To: freeipa-devel
>> Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI
>> attribute
>>
>> When converting from a multi-valued UI attribute back to a list drop any
>> blank values. This will avoid errors in the UniqueList() validator.
>>
>> rob
>>
>
> No, this patch too is unrelated to your problem. We post all patches for
> peer review here in a post starting with PATCH so they are easy to find.
>
> Can you try this command (basically putting quotes around cn=)
>
> /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1
> -P /etc/dirsrv/slapd-MISCHINS-WORLD/cert8.db -ZZZ -s password1
> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world
>
> There was one other report of this problem,
> https://bugzilla.redhat.com/show_bug.cgi?id=442802
>
> I was never able to get confirmation on what he did to fix it though.
>
> rob
>
>
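The diagnosis Rob asks for above (which host ldappasswd is really contacting, and whether the failure is at the TCP level or in the LDAP exchange) can be automated with a small probe. The following is an added example, not code from the thread or from FreeIPA: it uses only the Python standard library, hand-encodes the StartTLS ExtendedRequest that ldap_start_tls_s sends, decodes the LDAPResult, and mirrors the first-byte check behind the ns-slapd line "received a non-LDAP message (tag 0x53, expected 0x30)" from the ipa_kpasswd thread. Host and port are command-line arguments; no address from the thread is built in, and the sample responses used in its checks are constructed.

```python
"""StartTLS reachability probe for a directory server on port 389.

Splits "ldap_start_tls_s failed: (Can't connect to the LDAP server)" into
(1) name resolution, (2) TCP connect, (3) the server's LDAP-level answer.
Added example; the BER encoding follows RFC 4511, not any FreeIPA code.
"""
import ipaddress
import socket
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS requestName
LDAP_RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                     52: "unavailable"}

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    assert 0 < message_id < 0x80, "single-octet messageID is enough for a probe"
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))        # 0x60|23; [0] primitive
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the BER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def check_ldap_tag(data: bytes) -> str:
    """Same sanity check ns-slapd logs: every LDAPMessage is a SEQUENCE (0x30)."""
    if not data:
        return "empty read (peer closed the connection)"
    if data[0] != 0x30:
        return "received a non-LDAP message (tag 0x%02x, expected 0x30)" % data[0]
    return "ok"

def parse_extended_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    status = check_ldap_tag(data)
    if status != "ok":
        raise ValueError(status)
    _, msg, _ = read_tlv(data, 0)
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:                                  # 0x60|24
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, code, pos = read_tlv(body, 0)               # LDAPResult.resultCode
    if tag != 0x0A:
        raise ValueError("resultCode is not an ENUMERATED")
    _, matched_dn, pos = read_tlv(body, pos)         # matchedDN
    _, error_msg, pos = read_tlv(body, pos)          # diagnosticMessage
    result = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": result,
            "result_name": LDAP_RESULT_NAMES.get(result, "other"),
            "matched_dn": matched_dn.decode(), "error_message": error_msg.decode()}

def loopback_addresses(name: str) -> list:
    """Loopback addresses `name` resolves to; empty means the resolver or
    /etc/hosts does not map it to 127.0.0.1 or ::1, which is the first thing
    to check when -v shows ldap_init( localhost, 389 ) but the IP works."""
    try:
        infos = socket.getaddrinfo(name, 389, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    addrs = {i[4][0].split("%")[0] for i in infos}
    return sorted(a for a in addrs if ipaddress.ip_address(a).is_loopback)

def probe_starttls(host: str, port: int = 389, timeout: float = 3.0) -> str:
    """Connect, send StartTLS, and report at which layer things fail."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(starttls_request(1))
            reply = parse_extended_response(s.recv(4096))
    except OSError as e:
        return "tcp: cannot connect to %s:%d (%s)" % (host, port, e)
    except ValueError as e:
        return "ldap: %s" % e
    return "ldap: StartTLS resultCode=%d (%s) %s" % (
        reply["result_code"], reply["result_name"], reply["error_message"])

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("loopback addresses for localhost:", loopback_addresses("localhost") or "NONE")
    print(probe_starttls(target))
```

Run it once with no argument (the default localhost that ldappasswd used) and once with the server's name or address; a TCP failure in the first and an LDAP result in the second points at name resolution or the loopback interface rather than at the directory server.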
From mischins at imi.uni-luebeck.de Tue Jun 3 20:35:45 2008
From: mischins at imi.uni-luebeck.de (Andreas Mischinski)
Date: Tue, 3 Jun 2008 22:35:45 +0200
Subject: [Freeipa-devel] SUCCESS [PATCH] ignore empty values in multi-valued UI attribute
In-Reply-To: <4845A83F.5060901@redhat.com>
References: <4845948E.2040801@redhat.com> <003701c8c5b0$b0bc1010$12343030$@uni-luebeck.de> <4845A1C2.1090605@redhat.com> <004001c8c5b6$25f23850$71d6a8f0$@uni-luebeck.de> <4845A83F.5060901@redhat.com>
Message-ID: <004d01c8c5b9$66aa0820$33fe1860$@uni-luebeck.de>

Here are my command outputs:

[root at ipa ~]# ps aux | grep slapd
dirsrv 1825 0.0 0.9 453092 14216 ? Sl 19:28 0:01 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MISCHINS-WORLD -i /var/run/dirsrv/slapd-MISCHINS-WORLD.pid -w /var/run/dirsrv/slapd-MISCHINS-WORLD.startpid
root 2698 0.0 0.0 4148 764 pts/0 S+ 22:25 0:00 grep slapd

[root at ipa ~]# /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2 uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world -v
ldappasswd: started Tue Jun 3 22:25:58 2008

ldap_init( localhost, 389 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_start_tls_s failed: (Can't connect to the LDAP server)

[root at ipa ~]# /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2 uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world -vv
ldappasswd: started Tue Jun 3 22:26:42 2008

LDAP Library Information -
Highest supported protocol version: 3
LDAP API revision: 2005
API vendor name: mozilla.org
Vendor-specific version: 6.04
LDAP API Extensions:
SERVER_SIDE_SORT (revision 1)
VIRTUAL_LIST_VIEW (revision 1)
PERSISTENT_SEARCH (revision 1)
PROXY_AUTHORIZATION (revision 1)
X_LDERRNO (revision 1)
X_MEMCACHE (revision 1)
X_IO_FUNCTIONS (revision 1)
X_EXTIO_FUNCTIONS (revision 1)
X_DNS_FUNCTIONS (revision 1)
X_MEMALLOC_FUNCTIONS (revision 1)
X_THREAD_FUNCTIONS (revision 1)
X_EXTHREAD_FUNCTIONS (revision 1)
X_GETLANGVALUES (revision 1)
X_CLIENT_SIDE_SORT (revision 1)
X_URL_FUNCTIONS (revision 1)
X_FILTER_FUNCTIONS (revision 1)

ldap_init( localhost, 389 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldap_start_tls_s failed: (Can't connect to the LDAP server)

[root at ipa ~]# /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2 uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world -v -h 141.83.20.101
ldappasswd: started Tue Jun 3 22:27:46 2008

ldap_init( 141.83.20.101, 389 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
ldappasswd: password successfully changed

Success!

[root at ipa ~]# kinit admin
Password for admin at MISCHINS.WORLD:
kinit(v5): Password incorrect while getting initial credentials
[root at ipa ~]# kinit admin
Password for admin at MISCHINS.WORLD:
[root at ipa ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at MISCHINS.WORLD

Valid starting     Expires            Service principal
06/03/08 22:29:24  06/04/08 22:29:09  krbtgt/MISCHINS.WORLD at MISCHINS.WORLD

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

argh.. But good. I can start now exploring the other features.

Great help.

Andreas

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, 3 June 2008 22:23
To: Andreas Mischinski
Cc: 'freeipa-devel'
Subject: Re: AW: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute

Andreas Mischinski wrote:
> Hey, this is the result.
>
> /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P
> /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2
> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world
> ldap_start_tls_s failed: (Can't connect to the LDAP server)
>
> I've installed Fedora Core 9 (fresh install) and then selected the
> ipaserver package via the package manager.
> From the command line I started ipa-server-install and received the only
> error with setting the admin password.
>
> MISCHINS.WORLD is a test domain in our environment. We want to migrate from
> pure OpenLDAP to something like Fedora Directory Server in combination with
> Active Directory, since many applications are designed for Active Directory.
>
> It seems to me that he had the same problem?
>
> Maybe I should downgrade my Fedora Core installation, but that would not be
> my first choice.
> If I can provide you with more info, commands, let me know.

No, Fedora 9 should be fine.

Can you try the command again, this time also with the -v option
(verbose output). That should show us what host it is trying to connect
to. I wonder if that is simply failing.

You can also try specifically using -h YOURSERVER where YOURSERVER is
the hostname of the machine you installed IPA on.

rob

>
> Andreas
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, 3 June 2008 21:56
> To: Andreas Mischinski
> Cc: 'freeipa-devel'
> Subject: Re: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued
> UI attribute
>
> Andreas Mischinski wrote:
>> I'm a noob with this ipaserver. Tell me what's wrong with my installation?
>>
>> Should I apply your patch and reinstall the ipaserver?
>>
>> Thanks for the help so far.
>>
>> -----Original Message-----
>> From: freeipa-devel-bounces at redhat.com
>> [mailto:freeipa-devel-bounces at redhat.com] On behalf of Rob Crittenden
>> Sent: Tuesday, 3 June 2008 20:59
>> To: freeipa-devel
>> Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI
>> attribute
>>
>> When converting from a multi-valued UI attribute back to a list drop any
>> blank values. This will avoid errors in the UniqueList() validator.
>>
>> rob
>>
>
> No, this patch too is unrelated to your problem. We post all patches for
> peer review here in a post starting with PATCH so they are easy to find.
>
> Can you try this command (basically putting quotes around cn=)
>
> /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1
> -P /etc/dirsrv/slapd-MISCHINS-WORLD/cert8.db -ZZZ -s password1
> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world
>
> There was one other report of this problem,
> https://bugzilla.redhat.com/show_bug.cgi?id=442802
>
> I was never able to get confirmation on what he did to fix it though.
>
> rob
>
>

From rcritten at redhat.com Tue Jun 3 20:39:47 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 16:39:47 -0400
Subject: [Freeipa-devel] Re: SUCCESS [PATCH] ignore empty values in multi-valued UI attribute
In-Reply-To: <004d01c8c5b9$66aa0820$33fe1860$@uni-luebeck.de>
References: <4845948E.2040801@redhat.com> <003701c8c5b0$b0bc1010$12343030$@uni-luebeck.de> <4845A1C2.1090605@redhat.com> <004001c8c5b6$25f23850$71d6a8f0$@uni-luebeck.de> <4845A83F.5060901@redhat.com> <004d01c8c5b9$66aa0820$33fe1860$@uni-luebeck.de>
Message-ID: <4845AC13.2070900@redhat.com>

Andreas Mischinski wrote:
> Here are my command outputs:
>
> [root at ipa ~]# ps aux | grep slapd
> dirsrv 1825 0.0 0.9 453092 14216 ? Sl 19:28 0:01
> /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MISCHINS-WORLD -i
> /var/run/dirsrv/slapd-MISCHINS-WORLD.pid -w
> /var/run/dirsrv/slapd-MISCHINS-WORLD.startpid
> root 2698 0.0 0.0 4148 764 pts/0 S+ 22:25 0:00 grep slapd
>
> [root at ipa ~]# /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w
> password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2
> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world -v
> ldappasswd: started Tue Jun 3 22:25:58 2008
>
> ldap_init( localhost, 389 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_start_tls_s failed: (Can't connect to the LDAP server)
>
>
> [root at ipa ~]# /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w
> password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2
> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world -vv
> ldappasswd: started Tue Jun 3 22:26:42 2008
>
> LDAP Library Information -
> Highest supported protocol version: 3
> LDAP API revision: 2005
> API vendor name: mozilla.org
> Vendor-specific version: 6.04
> LDAP API Extensions:
> SERVER_SIDE_SORT (revision 1)
> VIRTUAL_LIST_VIEW (revision 1)
> PERSISTENT_SEARCH (revision 1)
> PROXY_AUTHORIZATION (revision 1)
> X_LDERRNO (revision 1)
> X_MEMCACHE (revision 1)
> X_IO_FUNCTIONS (revision 1)
> X_EXTIO_FUNCTIONS (revision 1)
> X_DNS_FUNCTIONS (revision 1)
> X_MEMALLOC_FUNCTIONS (revision 1)
> X_THREAD_FUNCTIONS (revision 1)
> X_EXTHREAD_FUNCTIONS (revision 1)
> X_GETLANGVALUES (revision 1)
> X_CLIENT_SIDE_SORT (revision 1)
> X_URL_FUNCTIONS (revision 1)
> X_FILTER_FUNCTIONS (revision 1)
>
> ldap_init( localhost, 389 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldap_start_tls_s failed: (Can't connect to the LDAP server)
>
> [root at ipa ~]# /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w
> password1 -P /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2
> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world -v -h 141.83.20.101
> ldappasswd: started Tue Jun 3 22:27:46 2008
>
> ldap_init( 141.83.20.101, 389 )
> ldaptool_getcertpath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
> ldaptool_getkeypath -- /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db
> ldaptool_getmodpath -- (null)
> ldaptool_getdonglefilename -- (null)
> ldappasswd: password successfully changed
>
> Success!
>
> [root at ipa ~]# kinit admin
> Password for admin at MISCHINS.WORLD:
> kinit(v5): Password incorrect while getting initial credentials
> [root at ipa ~]# kinit admin
> Password for admin at MISCHINS.WORLD:
> [root at ipa ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at MISCHINS.WORLD
>
> Valid starting     Expires            Service principal
> 06/03/08 22:29:24  06/04/08 22:29:09  krbtgt/MISCHINS.WORLD at MISCHINS.WORLD
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
> argh.. But good. I can start now exploring the other features.
>
> Great help.
>
> Andreas

Ok, that's a good start but we need to figure out why it can't connect
to localhost.

Do you have an entry for localhost in /etc/hosts? Fedora should create
one by default and look something like:

127.0.0.1 localhost.localdomain localhost

Is the loopback interface up? (/sbin/ifconfig lo)

I'm wondering if this is a problem with NetworkManager.

rob

>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, 3 June 2008 22:23
> To: Andreas Mischinski
> Cc: 'freeipa-devel'
> Subject: Re: AW: AW: [Freeipa-devel] [PATCH] ignore empty values in
> multi-valued UI attribute
>
> Andreas Mischinski wrote:
>> Hey, this is the result.
>>
>> /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1 -P
>> /etc/dirsrv/slapd-MISCHINS-WORLD//cert8.db -ZZZ -s password2
>> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world
>> ldap_start_tls_s failed: (Can't connect to the LDAP server)
>>
>> I've installed fedora core 9 (fresh install) and then selected the
>> ipaserver package over the package manager.
>> From the commandline I started ipa-server-install and received the only
>> error with setting the admin password.
>>
>> MISCHINS.WORLD is a test domain in our environment. We want to migrate from
>> pure OpenLdap to something like fedora directory server in combination with
>> Active Directory, since many applications are designed for Active Directory.
>> It seems for me, that he had the same problem ?
>>
>> Maybe I should downgrade my fedora core installation, but that would not be
>> my first choice.
>> If I can provide you with more info, commands, let me know.
>
> No, Fedora 9 should be fine.
>
> Can you try the command again, this time also with the -v option
> (verbose output). That should show us what host it is trying to connect
> to. I wonder if that is simply failing.
>
> You can also try specifically using -h YOURSERVER where YOURSERVER is
> the hostname of the machine you installed IPA on.
>
> rob
>
>> Andreas
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Tuesday, 3 June 2008 21:56
>> To: Andreas Mischinski
>> Cc: 'freeipa-devel'
>> Subject: Re: AW: [Freeipa-devel] [PATCH] ignore empty values in multi-valued
>> UI attribute
>>
>> Andreas Mischinski wrote:
>>> I'm a noob with this ipaserver. Tell me what's wrong with my installation ?
>>> Should I apply your patch and reinstall the ipaserver ?
>>>
>>> Thanks for help so far.
>>>
>>> -----Original Message-----
>>> From: freeipa-devel-bounces at redhat.com
>>> [mailto:freeipa-devel-bounces at redhat.com] On Behalf Of Rob Crittenden
>>> Sent: Tuesday, 3 June 2008 20:59
>>> To: freeipa-devel
>>> Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI
>>> attribute
>>>
>>> When converting from a multi-valued UI attribute back to a list drop any
>>> blank values. This will avoid errors in the UniqueList() validator.
>>>
>>> rob
>>>
>> No, this patch too is unrelated to your problem. We post all patches for
>> peer review here in a post starting with PATCH so they are easy to find.
>>
>> Can you try this command (basically putting quotes around cn=)
>>
>> /usr/lib/mozldap/ldappasswd -D "cn=Directory Manager" -w password1
>> -P /etc/dirsrv/slapd-MISCHINS-WORLD/cert8.db -ZZZ -s password1
>> uid=admin,cn=sysaccounts,cn=etc,dc=mischins,dc=world
>>
>> There was one other report of this problem,
>> https://bugzilla.redhat.com/show_bug.cgi?id=442802
>>
>> I was never able to get confirmation on what he did to fix it though.
>>
>> rob
>>
>>
>
>

From nkinder at redhat.com Tue Jun 3 22:08:26 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 03 Jun 2008 15:08:26 -0700
Subject: [Freeipa-devel] [PATCH] fix ipa_webgui logging
In-Reply-To: <483D9EA4.5020507@redhat.com>
References: <483D9EA4.5020507@redhat.com>
Message-ID: <4845C0DA.7060000@redhat.com>

Rob Crittenden wrote:
> Fix issue of double logging in ipa_error.log.
>
> We open the log in ipa_webgui and this was being inherited by TurboGears
> which uses the same log so everything was getting logged twice. Shut down
> the log in ipa_webgui at the last possible moment. This will not catch
> configuration errors.
>
> Add a Not Found template.
>
> Only print a traceback on 500 errors.
ack. Is there still some easy way to troubleshoot config errors if they
are not logged?
>
> rob
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From rcritten at redhat.com Wed Jun 4 02:38:32 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 22:38:32 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa_webgui logging
In-Reply-To: <4845C0DA.7060000@redhat.com>
References: <483D9EA4.5020507@redhat.com> <4845C0DA.7060000@redhat.com>
Message-ID: <48460028.8090809@redhat.com>

Nathan Kinder wrote:
> Rob Crittenden wrote:
>> Fix issue of double logging in ipa_error.log.
>>
>> We open the log in ipa_webgui and this was being inherited by TurboGears
>> which uses the same log so everything was getting logged twice. Shut down
>> the log in ipa_webgui at the last possible moment. This will not catch
>> configuration errors.
>>
>> Add a Not Found template.
>>
>> Only print a traceback on 500 errors.
> ack. Is there still some easy way to troubleshoot config errors if they
> are not logged?
>>
>> rob
>

If run in debug mode (-d) then the log won't be shut down and config
errors will show.

rob
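The double-logging mechanism this thread describes, shown as an added example that is not code from the original mails or from ipa_webgui: two components each attach a handler to the same Python logger, so every record is written twice; the remedy mirrors the patch's approach of shutting down the daemon's own handler once the framework has the log, and keeping it in debug mode so early errors stay visible. The function names (`fresh_logger`, `attach_handler`, `hand_off`, `simulate`) and the in-memory StringIO standing in for ipa_error.log are assumptions made for this example.

```python
import io
import logging


def fresh_logger(name):
    """Return an isolated logger with no handlers, so repeat runs start clean."""
    logger = logging.getLogger(name)
    for handler in list(logger.handlers):
        logger.removeHandler(handler)
    logger.propagate = False          # keep the root logger's handlers out of it
    logger.setLevel(logging.INFO)
    return logger


def attach_handler(logger, stream):
    """One component attaching its own handler to the shared log destination."""
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return handler


def hand_off(logger, own_handler, debug=False):
    """Shut down the daemon's early handler once the framework has attached
    its own; in debug mode keep it, at the price of duplicate lines, so that
    anything logged before the framework is up stays visible."""
    if debug:
        return
    logger.removeHandler(own_handler)
    own_handler.close()


def lines_written(stream):
    return [line for line in stream.getvalue().splitlines() if line]


def simulate(debug=False, hand_off_early=True):
    """Constructed scenario: the daemon opens the log first, the framework
    later opens the same destination and inherits the logger. Returns the
    lines that a single log record produced."""
    sink = io.StringIO()                            # stands in for ipa_error.log
    log = fresh_logger("ipa_example")
    daemon_handler = attach_handler(log, sink)      # daemon's early handler
    attach_handler(log, sink)                       # framework's handler, same log
    if hand_off_early:
        hand_off(log, daemon_handler, debug=debug)
    log.error("config error: unexpected key 'foo'")
    return lines_written(sink)


if __name__ == "__main__":
    print("no hand-off:", len(simulate(hand_off_early=False)), "lines")   # 2
    print("hand-off:   ", len(simulate()), "lines")                         # 1
    print("debug mode: ", len(simulate(debug=True)), "lines")               # 2
```

The same effect occurs with two `FileHandler`s opened on one path, which is the production shape of the bug; the StringIO sink only makes it observable without touching the filesystem.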
From rcritten at redhat.com Wed Jun 4 02:41:57 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jun 2008 22:41:57 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa_webgui logging
In-Reply-To: <48460028.8090809@redhat.com>
References: <483D9EA4.5020507@redhat.com> <4845C0DA.7060000@redhat.com> <48460028.8090809@redhat.com>
Message-ID: <484600F5.1030008@redhat.com>

Rob Crittenden wrote:
> Nathan Kinder wrote:
>> Rob Crittenden wrote:
>>> Fix issue of double logging in ipa_error.log.
>>>
>>> We open the log in ipa_webgui and this was being inherited by TurboGears
>>> which uses the same log so everything was getting logged twice. Shut down
>>> the log in ipa_webgui at the last possible moment. This will not catch
>>> configuration errors.
>>>
>>> Add a Not Found template.
>>>
>>> Only print a traceback on 500 errors.
>> ack. Is there still some easy way to troubleshoot config errors if
>> they are not logged?
>>>
>>> rob
>>
>
> If run in debug mode (-d) then the log won't be shut down and config
> errors will show.
>

pushed to ipa-1-0 and master

From rcritten at redhat.com Wed Jun 4 15:05:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Jun 2008 11:05:31 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa-getkeytab usage typo
Message-ID: <4846AF3B.8050903@redhat.com>

Fixed a spelling mistake in the ipa-getkeytab usage. I've pushed this to
ipa-1-0 and master under the trivial rule.
rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-40-usage.patch
Type: text/x-patch
Size: 1845 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jun 4 15:16:41 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Jun 2008 11:16:41 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa-getkeytab man page
Message-ID: <4846B1D9.5080308@redhat.com>

Fixed some formatting problems in the ipa-getkeytab man page and
corrected the example. I've pushed this to ipa-1-0 and master.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-41-man.patch
Type: text/x-patch
Size: 3613 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jun 4 17:48:21 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Jun 2008 13:48:21 -0400
Subject: [Freeipa-devel] [PATCH] fix DNS discovery in config
Message-ID: <4846D565.9080900@redhat.com>

Under some conditions rl may not have been initialized so the config may
error out with:

UnboundLocalError: "local variable 'rl' referenced before assignment"

This is caught and ignored but the result is that the records in DNS may
not be used at all. Initializing rl to zero fixes this.

I also convert the server list into a set to make each entry unique (and
back to a list because that is what we are supposed to return)

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-43-config.patch
Type: text/x-patch
Size: 1386 bytes
Desc: not available
URL:
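The failure mode in the DNS-discovery patch above, as an added example rather than the project's own config code: a local (`rl`) bound only on one branch, read unconditionally, with the resulting UnboundLocalError swallowed by a bare except so that valid SRV records are silently discarded. The second function initializes `rl` first, deduplicates the server list and logs the failure instead of hiding it. The surrounding shape (a `realm` argument, the `rl` flag's meaning, the `_srv_targets` helper) and the SRV answers are constructed assumptions; the real patch converts the list through `set()` and back, which this example replaces with an order-preserving `dict.fromkeys`.

```python
import logging

log = logging.getLogger("discovery_example")

# Constructed SRV answers as (priority, weight, port, target); the duplicate
# ipa1 entry stands in for a resolver returning the same host twice.
SRV_ANSWERS = {
    "_ldap._tcp.example.test": [
        (0, 100, 389, "ipa1.example.test."),
        (0, 100, 389, "ipa2.example.test."),
        (0, 100, 389, "ipa1.example.test."),
    ],
}


def _srv_targets(name, answers):
    """Order by priority (lowest first) then weight, strip the trailing dot."""
    records = sorted(answers.get(name, []), key=lambda r: (r[0], -r[1]))
    return [target.rstrip(".") for (_prio, _weight, _port, target) in records]


def discover_buggy(domain, answers, realm=None):
    """Hypothetical shape of the bug: rl is bound only on the branch that
    discovers the realm, but read unconditionally afterwards. When the realm
    is already known, that read raises UnboundLocalError, the bare except
    swallows it, and the SRV records that were found are thrown away."""
    try:
        if realm is None:
            rl = 1                              # assumed 'realm came from DNS' flag
            realm = domain.upper()
        servers = _srv_targets("_ldap._tcp." + domain, answers)
        if rl:                                  # UnboundLocalError if realm was given
            log.debug("realm %s discovered from DNS", realm)
        return servers
    except Exception:
        return []                               # silent: caller sees 'no servers'


def discover_fixed(domain, answers, realm=None):
    """Initialize rl before any branch, deduplicate the server list while
    keeping resolver order, and log any failure instead of hiding it."""
    rl = 0
    try:
        if realm is None:
            rl = 1
            realm = domain.upper()
        servers = list(dict.fromkeys(_srv_targets("_ldap._tcp." + domain, answers)))
        if rl:
            log.debug("realm %s discovered from DNS", realm)
        return servers
    except Exception:
        log.exception("DNS discovery for %s failed", domain)
        return []


if __name__ == "__main__":
    print("buggy, realm given:", discover_buggy("example.test", SRV_ANSWERS, realm="EXAMPLE.TEST"))
    print("fixed, realm given:", discover_fixed("example.test", SRV_ANSWERS, realm="EXAMPLE.TEST"))
```

The practical lesson is that a catch-all around discovery turns a programming error into "no servers found", which the caller cannot distinguish from an empty zone; logging the exception keeps the failure visible without removing the fallback.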
From rcritten at redhat.com Wed Jun 4 19:39:33 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Jun 2008 15:39:33 -0400
Subject: [Freeipa-devel] [PATCH] add -p/--password option to ipa-replica-install
Message-ID: <4846EF75.3020203@redhat.com>

Add -p/--password option so the DM password can be passed on the
command-line.

The import for version moved from ipaserver to ipa, fix that as well.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-44-replica.patch
Type: text/x-patch
Size: 2462 bytes
Desc: not available
URL:

From nkinder at redhat.com Wed Jun 4 20:50:52 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 04 Jun 2008 16:50:52 -0400
Subject: [Freeipa-devel] [PATCH] add -p/--password option to ipa-replica-install
In-Reply-To: <4846EF75.3020203@redhat.com>
References: <4846EF75.3020203@redhat.com>
Message-ID: <4847002C.2070303@redhat.com>

Rob Crittenden wrote:
> Add -p/--password option so the DM password can be passed on the
> command-line.
>
> The import for version moved from ipaserver to ipa, fix that as well.
ack.
>
> rob
>
From rcritten at redhat.com Wed Jun 4 21:37:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Jun 2008 17:37:31 -0400
Subject: [Freeipa-devel] [PATCH] add -p/--password option to ipa-replica-install
In-Reply-To: <4847002C.2070303@redhat.com>
References: <4846EF75.3020203@redhat.com> <4847002C.2070303@redhat.com>
Message-ID: <48470B1B.1020203@redhat.com>

Nathan Kinder wrote:
> Rob Crittenden wrote:
>> Add -p/--password option so the DM password can be passed on the
>> command-line.
>>
>> The import for version moved from ipaserver to ipa, fix that as well.
> ack.

pushed to ipa-1-0 and master.

I also pushed a trivial patch to fix the import of version in
ipa-manage-replica and ipa-prepare-replica.

From nkinder at redhat.com Wed Jun 4 21:53:28 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 04 Jun 2008 17:53:28 -0400
Subject: [Freeipa-devel] [PATCH] fix DNS discovery in config
In-Reply-To: <4846D565.9080900@redhat.com>
References: <4846D565.9080900@redhat.com>
Message-ID: <48470ED8.9040006@redhat.com>

Rob Crittenden wrote:
> Under some conditions rl may not have been initialized so the config
> may error out with:
>
> UnboundLocalError: "local variable 'rl' referenced before assignment"
>
> This is caught and ignored but the result is that the records in DNS
> may not be used at all. Initializing rl to zero fixes this.
>
> I also convert the server list into a set to make each entry unique
> (and back to a list because that is what we are supposed to return)
ack.
>
> rob
>

From rcritten at redhat.com Thu Jun 5 02:42:00 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Jun 2008 22:42:00 -0400
Subject: [Freeipa-devel] [PATCH] fix DNS discovery in config
In-Reply-To: <48470ED8.9040006@redhat.com>
References: <4846D565.9080900@redhat.com> <48470ED8.9040006@redhat.com>
Message-ID: <48475278.9080509@redhat.com>

Nathan Kinder wrote:
> Rob Crittenden wrote:
>> Under some conditions rl may not have been initialized so the config
>> may error out with:
>>
>> UnboundLocalError: "local variable 'rl' referenced before assignment"
>>
>> This is caught and ignored but the result is that the records in DNS
>> may not be used at all. Initializing rl to zero fixes this.
>>
>> I also convert the server list into a set to make each entry unique
>> (and back to a list because that is what we are supposed to return)
> ack.

pushed to ipa-1-0 and master

From rcritten at redhat.com Thu Jun 5 18:47:54 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Jun 2008 14:47:54 -0400
Subject: [Freeipa-devel] [PATCH] log the host when reporting LDAP connect errors
Message-ID: <484834DA.7040108@redhat.com>

In the kerberos instance installer if the LDAP server is unreachable then
no error would be returned. Now at least report the host we are trying to
connect to.
rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-48-connect.patch
Type: text/x-patch
Size: 1479 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Jun 5 18:52:26 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Jun 2008 14:52:26 -0400
Subject: [Freeipa-devel] [PATCH] be clearer about what is being configured
Message-ID: <484835EA.5060603@redhat.com>

We always displayed this:

This includes:
  * Configure the Network Time Daemon (ntpd)

Even if -N was passed to not configure ntpd. So instead add a new list of
excluded features.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-49-install.patch
Type: text/x-patch
Size: 1353 bytes
Desc: not available
URL:

From rcritten at redhat.com Fri Jun 6 03:09:11 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Jun 2008 23:09:11 -0400
Subject: [Freeipa-devel] [PATCH] fix unclean shutdown in ipa_webui
Message-ID: <4848AA57.50102@redhat.com>

Add our own SIGTERM handler so we can do clean shutdowns. Also fix
foreground mode.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-50-webui.patch
Type: text/x-patch
Size: 1797 bytes
Desc: not available
URL:
From rcritten at redhat.com Fri Jun 6 19:27:21 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 Jun 2008 15:27:21 -0400
Subject: [Freeipa-devel] [PATCH] be clearer about what is being configured
In-Reply-To: <4848E4B6.4060000@redhat.com>
References: <484835EA.5060603@redhat.com> <4848E4B6.4060000@redhat.com>
Message-ID: <48498F99.5090903@redhat.com>

Martin Nagy wrote:
> Rob Crittenden wrote:
>> We always displayed this:
>>
>> This includes:
>>   * Configure the Network Time Daemon (ntpd)
>>
>> Even if -N was passed to not configure ntpd. So instead add a new list
>> of excluded features.
>>
>> rob
>
> How about doing this for bind as well? And we could also customize the
> end message telling the user what ports should be open. Plus, let the
> message say "You must make sure" instead of "You may need to open".
>
> Martin

Revised patch with some suggestions from mnagy in #freeipa

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-49-install.patch
Type: text/x-patch
Size: 2296 bytes
Desc: not available
URL:

From kwirth at redhat.com Fri Jun 6 19:32:29 2008
From: kwirth at redhat.com (Karl Wirth)
Date: Fri, 06 Jun 2008 15:32:29 -0400
Subject: [Freeipa-devel] AD and freeIPA synch
Message-ID: <484990CD.30206@redhat.com>

Hello,

Many organizations have given feedback that they want to make sure that
freeIPA can synch with AD. We want to provide more than what is available
in the winsynch that is in fedora directory server. Here are my thoughts
on what the features should be in this area. I would love your feedback.
Does this sound right? What is missing?
Longer term, we hope to enable kerberos trust between AD and IPA but even
then some folks will want synch as well. Thoughts?

AD and freeIPA synch requirements ---proposal for your review and feedback

1. Keep password in AD same as PW in IPA
- If changed in AD, bring change over to IPA
- If changed in IPA, bring change over to AD

2. Synch userid and attributes
- Configurable which attributes
- If full posix available then make this available
- Configurable translation between attributes (i.e. transform data such as
  middle name length or whatever)
- Configurable mapping between attribute names
- Generate attributes if not present in AD with flexible rules for doing
  this and vice versa

3. Which subsets of users to keep in synch
- Make it possible to define which AD/IPA users should be kept in synch

4. Topology
- Password synch is only supported with 1 AD domain. Not multiple.
- Identity/attribute synch is supported across multiple domains.
  ---If the same user is in multiple domains, there is a problem ---- Not supported
  ---If the same userid in different domains but different user, resolve
- Need to support PW change on any IPA server
- Need to support PW change on an AD server

5. Failover
- Support for failover AD DC
- Support for failover IPA

6. Install and Packaging
- Separate install of synch tool
- Preconfigured synch tool with easy to point to IPA and AD
- Predefined
- Requires passsynch on domain controllers
- Proposal 1: Requires password to only change on AD. Probably not ok.
- Proposal 2: Make changes to IPA to hand PW to AD

7. Groups.
Allow four options that an administrator can choose between:
- One option: Synchronize all users from AD into one IPA group
- Second option: Synchronize all users according to filter defined in #3
  above and bring along all of their groups and keep their memberships in
  them.
- Third option: No group synch at all
- Fourth option: No support for nested groups

Best regards,
Karl

From rmeggins at redhat.com Fri Jun 6 19:38:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 06 Jun 2008 13:38:50 -0600
Subject: [Freeipa-devel] AD and freeIPA synch
In-Reply-To: <484990CD.30206@redhat.com>
References: <484990CD.30206@redhat.com>
Message-ID: <4849924A.40303@redhat.com>

Karl Wirth wrote:
> Hello,
>
> Many organizations have given feedback that they want to make sure that
> freeIPA can synch with AD. We want to provide more than what is
> available in the winsynch that is in fedora directory server. Here are
> my thoughts on what the features should be in this area. I would love
> your feedback. Does this sound right? What is missing? Longer term, we
> hope to enable kerberos trust between AD and IPA but even then some
> folks will want synch as well. Thoughts?
>
> AD and freeIPA synch requirements ---proposal for your review and feedback
>
> 1. Keep password in AD same as PW in IPA
> - If changed in AD, bring change over to IPA
> - If changed in IPA, bring change over to AD
>
One problem with this is password policy - min length, complexity,
history, etc. How to sync password policy between IPA and AD?
> 2. Synch userid and attributes
> - Configurable which attributes
> - If full posix available then make this available
> - Configurable translation between attributes (i.e. transform data such
> as middle name length or whatever)
> - Configurable mapping between attribute names
> - Generate attributes if not present in AD with flexible rules for doing
> this and vice versa
>
> 3. Which subsets of users to keep in synch
> - Make it possible to define which AD/IPA users should be kept in synch
>
> 4. Topology
> - Password synch is only supported with 1 AD domain. Not multiple.
> - Identity/attribute synch is supported across multiple domains.
> ---If the same user is in multiple domains, there is a problem ---- Not
> supported
> ---If the same userid in different domains but different user, resolve
> - Need to support PW change on any IPA server
> - Need to support PW change on an AD server
>
Support for uni-directional sync - many Fedora DS users have asked for
the ability to sync changes only from Fedora DS to AD, or vice versa,
but not both ways. Or perhaps uni-directional for passwords (due to
password policy) and bi-di for other data.
> 5. Failover
> - Support for failover AD DC
> - Support for failover IPA
>
> 6. Install and Packaging
> - Separate install of synch tool
> - Preconfigured synch tool with easy to point to IPA and AD
> - Predefined
> - Requires passsynch on domain controllers
> - Proposal 1: Requires password to only change on AD. Probably not ok.
> - Proposal 2: Make changes to IPA to hand PW to AD
>
> 7. Groups.
> Allow four options that an administrator can choose between:
> - One option: Synchronize all users from AD into one IPA group
> - Second option: Synchronize all users according to filter defined in #3
> above and bring along all of their groups and keep their memberships in
> them.
> - Third option: No group synch at all
> - Fourth option: No support for nested groups
>
Support for AD memberOf (if not already fully supported by ipa-memberof).
> Best regards,
> Karl
>
From mchristi at u.washington.edu Sat Jun 7 20:17:51 2008
From: mchristi at u.washington.edu (Mark Christiansen)
Date: Sat, 7 Jun 2008 13:17:51 -0700
Subject: [Freeipa-devel] Re: Freeipa-devel Digest, Vol 13, Issue 11
In-Reply-To: <20080607160005.2CADB618A5C@hormel.redhat.com>
References: <20080607160005.2CADB618A5C@hormel.redhat.com>
Message-ID:

Hello everyone,

Recently I sent an e-mail because I couldn't get access to freeipa on any
machine other than the one with freeipa installed. I reinstalled the MIT
Kerberos client, and am now able to authenticate on a Windows machine.
However, I can still not get the webpage to display on either a Windows or
a Linux platform (other than the virtual machine freeIPA is installed on).
I have reinstalled several times, and don't know what I could be missing.
All of my machines are on one subnet, and I temporarily disabled firewalls
to see if that could be the issue.

Thanks for any tips!

-Mark

On Sat, Jun 7, 2008 at 9:00 AM, wrote:
> Send Freeipa-devel mailing list submissions to
> freeipa-devel at redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> or, via email, send a message with subject or body 'help' to
> freeipa-devel-request at redhat.com
>
> You can reach the person managing the list at
> freeipa-devel-owner at redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-devel digest..."
>
>
> Today's Topics:
>
> 1. Re: [PATCH] be clearer about what is being configured
> (Rob Crittenden)
> 2. AD and freeIPA synch (Karl Wirth)
> 3.
> Re: AD and freeIPA synch (Rich Megginson)
> Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3245 bytes > Desc: S/MIME Cryptographic Signature > Url : > https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin > > ------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > > End of Freeipa-devel Digest, Vol 13, Issue 11 > ********************************************* > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Sun Jun 8 13:32:06 2008 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 08 Jun 2008 09:32:06 -0400 Subject: [Freeipa-devel] Problems accessing IPA from clients In-Reply-To: References: <20080607160005.2CADB618A5C@hormel.redhat.com> Message-ID: <1212931926.4545.13.camel@localhost.localdomain> Can you get a kerberos ticket on the clients? If not, what error do you get ? Simo. On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote: > Hello everyone, > > Recently I sent an e-mail because I couldn't get access to freeipa on > any machine other than the one with freeipa installed. I reinstalled > the MIT Kerberos client, and am now able to authenticate on a Windows > machine. However, I can still not get the webpage to display on > either a Windows or a Linux platform (other than the virtual machine > freeIPA is installed on). I have reinstalled several times, and don't > know what I could be missing. All of my machines are on one subnet, > and I temporarily disabled firewalls to see if that could be the > issue. > > Thanks for any tips! 
> > -Mark > > On Sat, Jun 7, 2008 at 9:00 AM, > wrote: > Send Freeipa-devel mailing list submissions to > freeipa-devel at redhat.com > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/freeipa-devel > or, via email, send a message with subject or body 'help' to > freeipa-devel-request at redhat.com > > You can reach the person managing the list at > freeipa-devel-owner at redhat.com > > When replying, please edit your Subject line so it is more > specific > than "Re: Contents of Freeipa-devel digest..." > > > Today's Topics: > > 1. Re: [PATCH] be clearer about what is being configured > (Rob Crittenden) > 2. AD and freeIPA synch (Karl Wirth) > 3. Re: AD and freeIPA synch (Rich Megginson) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 06 Jun 2008 15:27:21 -0400 > From: Rob Crittenden > Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is > being > configured > To: freeipa-devel > Message-ID: <48498F99.5090903 at redhat.com> > Content-Type: text/plain; charset="iso-8859-1" > > Skipped content of type multipart/mixed-------------- next > part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3245 bytes > Desc: S/MIME Cryptographic Signature > Url : > https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin > > ------------------------------ > > Message: 2 > Date: Fri, 06 Jun 2008 15:32:29 -0400 > From: Karl Wirth > Subject: [Freeipa-devel] AD and freeIPA synch > To: freeipa-devel at redhat.com, freeipa-interest at redhat.com > Message-ID: <484990CD.30206 at redhat.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Hello, > > Many organizations have given feedback that they want to make > sure that > freeIPA can synch with AD. We want to provide more than what > is > available in the winsynch that is in fedora directory server. 
> Here are > my thoughts on what the features should be in this area. I > would love > your feedback. Does this sound right? What is missing? > Longerterm, we > hope to enable kerberos trust between AD and IPA but even then > some > folks will want synch as well. Thoughts? > > AD and freeIPA synch requirements ---proposal for your review > and feedback > > 1. Keep password in AD same as PW in IPA > - If changed in AD, bring change over to IPA > - If changed in IPA, bring change over to AD > > 2. Synch userid and attributes > - Configurable which attributes > - If full posix available then make this available > - Configurable translation between attributes (i.e transform > data such > as middle name length or whatever) > - Configurable mapping between attribute names > - Generate attributes if not present in AD with flexible rules > for doing > this and vice versa > > 3. Which subsets of users to keep in synch > - Make it possible to define which AD/IPA users should be kept > in synch > > 4. Topology > - Password synch is only supported with 1 AD domain. Not > multiple. > - Identity/attribute synch is supported across multiple > domains. > ---If the same user is in multiple domains, there is a problem > ---- Not > supported > ---If the same userid in different domains but different user, > resolve > - Need to support PW change on any IPA server > - Need to support PW change on an AD server > > 5. Failover > - Support for failover AD DC > - Support for failover IPA > > 6. Install and Packaging > - Separate install of synch tool > - Preconfigured synch tool with easy to point to IPA and AD > - Predefined > - Requires passsynch on domain controllers > - Proposal 1: Requires password to only change on AD. > Probably not ok. > - Proposal 2: Make changes to IPA to hand PW to AD > > 7. Groups. 
> Allow four options that an administrator can choose between: > - One option: Synchronize all users from AD into one IPA group > - Second option: Synchronize all users according to filter > defined in #3 > above and bring along all of their groups and keep their > memberships in > them. > - Third option: No group synch at all > - Fourth option: No support for nested groups > > Best regards, > Karl > > > > ------------------------------ > > Message: 3 > Date: Fri, 06 Jun 2008 13:38:50 -0600 > From: Rich Megginson > Subject: Re: [Freeipa-devel] AD and freeIPA synch > To: kwirth at redhat.com > Cc: freeipa-devel at redhat.com, freeipa-interest at redhat.com > Message-ID: <4849924A.40303 at redhat.com> > Content-Type: text/plain; charset="iso-8859-1" > > Karl Wirth wrote: > > Hello, > > > > Many organizations have given feedback that they want to > make sure that > > freeIPA can synch with AD. We want to provide more than > what is > > available in the winsynch that is in fedora directory > server. Here are > > my thoughts on what the features should be in this area. I > would love > > your feedback. Does this sound right? What is missing? > Longerterm, we > > hope to enable kerberos trust between AD and IPA but even > then some > > folks will want synch as well. Thoughts? > > > > AD and freeIPA synch requirements ---proposal for your > review and feedback > > > > 1. Keep password in AD same as PW in IPA > > - If changed in AD, bring change over to IPA > > - If changed in IPA, bring change over to AD > > > One problem with this is password policy - min length, > complexity, > history, etc. How to sync password policy between IPA and AD? > > 2. 
Synch userid and attributes > > - Configurable which attributes > > - If full posix available then make this available > > - Configurable translation between attributes (i.e transform > data such > > as middle name length or whatever) > > - Configurable mapping between attribute names > > - Generate attributes if not present in AD with flexible > rules for doing > > this and vice versa > > > > 3. Which subsets of users to keep in synch > > - Make it possible to define which AD/IPA users should be > kept in synch > > > > 4. Topology > > - Password synch is only supported with 1 AD domain. Not > multiple. > > - Identity/attribute synch is supported across multiple > domains. > > ---If the same user is in multiple domains, there is a > problem ---- Not > > supported > > ---If the same userid in different domains but different > user, resolve > > - Need to support PW change on any IPA server > > - Need to support PW change on an AD server > > > Support for uni-directional sync - many Fedora DS users have > asked for > the ability to sync changes only from Fedora DS to AD, or vice > versa, > but not both ways. Or perhaps uni-directional for passwords > (due to > password policy) and bi-di for other data. > > 5. Failover > > - Support for failover AD DC > > - Support for failover IPA > > > > 6. Install and Packaging > > - Separate install of synch tool > > - Preconfigured synch tool with easy to point to IPA and AD > > - Predefined > > - Requires passsynch on domain controllers > > - Proposal 1: Requires password to only change on AD. > Probably not ok. > > - Proposal 2: Make changes to IPA to hand PW to AD > > > > 7. Groups. > > Allow four options that an administrator can choose between: > > - One option: Synchronize all users from AD into one IPA > group > > - Second option: Synchronize all users according to filter > defined in #3 > > above and bring along all of their groups and keep their > memberships in > > them. 
> > - Third option: No group synch at all
> > - Fourth option: No support for nested groups
> >
> Support for AD memberOf (if not already fully supported by
> ipa-memberof).
> > Best regards,
> > Karl
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 3245 bytes
> Desc: S/MIME Cryptographic Signature
> Url :
> https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin
>
> ------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> End of Freeipa-devel Digest, Vol 13, Issue 11
> *********************************************
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Simo Sorce * Red Hat, Inc * New York

From mendbayar_b at mongol.net Mon Jun 9 19:39:10 2008
From: mendbayar_b at mongol.net (Byambaa Mendbayar)
Date: Tue, 10 Jun 2008 03:39:10 +0800
Subject: [Freeipa-devel] hello there!
Message-ID: <200806091205.m59C5ESY018280@mx3.redhat.com>

Dear freeIPA developers,

I am a newcomer to the freeIPA planet.

I want to use freeIPA for identity management of my local network. I am planning to implement freeIPA for our LAN, and for some time now I have been reading the documents and studying the freeIPA website.

A few questions about freeIPA client configuration have come up. Our LAN clients run various operating systems: Ubuntu Linux, openSUSE 10.3 and Windows XP. I found the "Configuring IPA Clients" document at http://www.freeipa.com/page/ClientConfigurationGuide, but it does not state how to configure openSUSE and Ubuntu clients.

My question is: how can I configure my openSUSE and Ubuntu clients to join the freeIPA server? Is it possible to configure those OS clients for freeIPA?

Thanks and best regards,
Byambaa Mendbayar

From email.ahmedkamal at googlemail.com Mon Jun 9 12:49:40 2008
From: email.ahmedkamal at googlemail.com (Ahmed Kamal)
Date: Mon, 9 Jun 2008 15:49:40 +0300
Subject: [Freeipa-devel] hello there!
In-Reply-To: <200806091205.m59C5ESY018280@mx3.redhat.com>
References: <200806091205.m59C5ESY018280@mx3.redhat.com>
Message-ID: <3da3b5b40806090549s139a2ddcv1e1940e629ecd476@mail.gmail.com>

Interesting how the Windows integration page mentions installing MIT Kerberos and that's it! What level of integration is expected after installing this package? Would Windows see users/groups and respect permissions applied across the IPA domain?

Let me add: are there plans to integrate with samba-4?

Regards

On Mon, Jun 9, 2008 at 10:39 PM, Byambaa Mendbayar wrote:
> Dear freeIPA developers,
>
> I am a newcomer to the freeIPA planet.
>
> I want to use freeIPA for identity management of my local network. I am
> planning to implement freeIPA for our LAN, and for some time now I have
> been reading the documents and studying the freeIPA website.
>
> A few questions about freeIPA client configuration have come up. Our LAN
> clients run various operating systems: Ubuntu Linux, openSUSE 10.3 and
> Windows XP. I found the "Configuring IPA Clients" document at
> http://www.freeipa.com/page/ClientConfigurationGuide, but it does not
> state how to configure openSUSE and Ubuntu clients.
>
> My question is: how can I configure my openSUSE and Ubuntu clients to
> join the freeIPA server? Is it possible to configure those OS clients for
> freeIPA?
>
> Thanks and best regards,
> Byambaa Mendbayar
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Jun 9 13:58:40 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 Jun 2008 09:58:40 -0400
Subject: [Freeipa-devel] hello there!
In-Reply-To: <200806091205.m59C5ESY018280@mx3.redhat.com>
References: <200806091205.m59C5ESY018280@mx3.redhat.com>
Message-ID: <484D3710.9010801@redhat.com>

Byambaa Mendbayar wrote:
> Dear freeIPA developers,
>
> I am a newcomer to the freeIPA planet.
>
> I want to use freeIPA for identity management of my local network. I am
> planning to implement freeIPA for our LAN, and for some time now I have
> been reading the documents and studying the freeIPA website.
>
> A few questions about freeIPA client configuration have come up. Our LAN
> clients run various operating systems: Ubuntu Linux, openSUSE 10.3 and
> Windows XP. I found the "Configuring IPA Clients" document at
> http://www.freeipa.com/page/ClientConfigurationGuide, but it does not
> state how to configure openSUSE and Ubuntu clients.
>
> My question is: how can I configure my openSUSE and Ubuntu clients to
> join the freeIPA server? Is it possible to configure those OS clients for
> freeIPA?

Yes, it is possible; we just haven't created packages or documented how yet. This is an area where we could really use some help. I would suspect that the documentation for Solaris, HP and AIX will be a good starting point.

Off the top of my head, you need to set up:

- /etc/krb5.conf to get basic Kerberos working. You should be able to do kinit someuser@REALM once this is set up
- /etc/ldap.conf and /etc/nsswitch.conf. You can use getent and/or id to verify that this is working
- enable krb5 and ldap in pam

thanks

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From dpal at redhat.com Mon Jun 9 14:09:39 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Jun 2008 10:09:39 -0400
Subject: [Freeipa-devel] hello there!
In-Reply-To: <3da3b5b40806090549s139a2ddcv1e1940e629ecd476@mail.gmail.com>
References: <200806091205.m59C5ESY018280@mx3.redhat.com> <3da3b5b40806090549s139a2ddcv1e1940e629ecd476@mail.gmail.com>
Message-ID: <484D39A3.10505@redhat.com>

Ahmed Kamal wrote:
> Interesting how the Windows integration page mentions installing MIT
> Kerberos and that's it! What level of integration is expected after
> installing this package? Would Windows see users/groups and respect
> permissions applied across the IPA domain?

Not at the moment. You get user Kerberos authentication against the IPA domain. We have some plans for the Windows integration and AD synch, but we will announce them at the summit.

> Let me add: are there plans to integrate with samba-4?

Yes, but much later - IPAv3.

> Regards
>
> On Mon, Jun 9, 2008 at 10:39 PM, Byambaa Mendbayar wrote:
> > Dear freeIPA developers,
> >
> > I am a newcomer to the freeIPA planet.
> >
> > I want to use freeIPA for identity management of my local network. I am
> > planning to implement freeIPA for our LAN, and for some time now I have
> > been reading the documents and studying the freeIPA website.
> >
> > A few questions about freeIPA client configuration have come up. Our LAN
> > clients run various operating systems: Ubuntu Linux, openSUSE 10.3 and
> > Windows XP. I found the "Configuring IPA Clients" document at
> > http://www.freeipa.com/page/ClientConfigurationGuide, but it does not
> > state how to configure openSUSE and Ubuntu
> > clients.
> > My question is: how can I configure my openSUSE and Ubuntu clients to
> > join the freeIPA server? Is it possible to configure those OS clients for
> > freeIPA?
> >
> > Thanks and best regards,
> > Byambaa Mendbayar
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Dmitri Pal
Engineering Manager
Red Hat Inc.

From email.ahmedkamal at googlemail.com Mon Jun 9 16:21:32 2008
From: email.ahmedkamal at googlemail.com (Ahmed Kamal)
Date: Mon, 9 Jun 2008 19:21:32 +0300
Subject: [Freeipa-devel] hello there!
In-Reply-To: <484D39A3.10505@redhat.com>
References: <200806091205.m59C5ESY018280@mx3.redhat.com> <3da3b5b40806090549s139a2ddcv1e1940e629ecd476@mail.gmail.com> <484D39A3.10505@redhat.com>
Message-ID: <3da3b5b40806090921k39493dq5d7d2ce3f88b082b@mail.gmail.com>

Um, I really hope we have plans for AD-free environments (using samba, or whatever else). Syncing with AD is not an ideal solution for all use cases as far as I am concerned. If only Windows had nsswitch.conf!

On Mon, Jun 9, 2008 at 5:09 PM, Dmitri Pal wrote:
> Ahmed Kamal wrote:
>
>> Interesting how the Windows integration page mentions installing MIT
>> Kerberos and that's it! What level of integration is expected after
>> installing this package? Would Windows see users/groups and respect
>> permissions applied across the IPA domain?
>>
> Not at the moment. You get user Kerberos authentication against the IPA
> domain. We have some plans for the Windows integration and AD synch, but
> we will announce them at the summit.
>
>> Let me add: are there plans to integrate with samba-4?
>>
> Yes, but much later - IPAv3.
>
>> Regards
>>
>> On Mon, Jun 9, 2008 at 10:39 PM, Byambaa Mendbayar <
>> mendbayar_b at mongol.net > wrote:
>>
>> Dear freeIPA developers,
>>
>> I am a newcomer to the freeIPA planet.
>>
>> I want to use freeIPA for identity management of my local network. I am
>> planning to implement freeIPA for our LAN, and for some time now I have
>> been reading the documents and studying the freeIPA website.
>>
>> A few questions about freeIPA client configuration have come up. Our LAN
>> clients run various operating systems: Ubuntu Linux, openSUSE 10.3 and
>> Windows XP. I found the "Configuring IPA Clients" document at
>> http://www.freeipa.com/page/ClientConfigurationGuide, but it does not
>> state how to configure openSUSE and Ubuntu clients.
>>
>> My question is: how can I configure my openSUSE and Ubuntu clients to
>> join the freeIPA server? Is it possible to configure those OS clients for
>> freeIPA?
>>
>> Thanks and best regards,
>> Byambaa Mendbayar
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> --
> Dmitri Pal
> Engineering Manager
> Red Hat Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
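Rob's three-item list in this thread (krb5.conf; ldap.conf plus nsswitch.conf; PAM) is the whole client recipe for a distribution that has no IPA packages yet, and it is easy to get the verification order wrong or to skip TLS peer checking on the LDAP side. The script below is an added example, not code from this thread or from the IPA project: it stages the first two files for an assumed realm EXAMPLE.COM served by ipa.example.com with base DN dc=example,dc=com, adds ldap to the passwd/group/shadow lines of nsswitch.conf idempotently, and wraps Rob's kinit/getent/id checks in one function. The CA file path /etc/ipa/ca.crt, the cn=users,cn=accounts and cn=groups,cn=accounts containers and the staging directory are assumptions. The PAM step differs per distribution and is not generated here.

```shell
#!/bin/sh
# Added example, not code from the freeipa-devel thread or the IPA project.
# It stages the client-side pieces Rob lists (krb5.conf, ldap.conf,
# nsswitch.conf) into a scratch directory and checks them before anything
# is copied into /etc. Realm, domain, server, base DN and paths are
# assumptions for illustration.

REALM="${REALM:-EXAMPLE.COM}"
DOMAIN="${DOMAIN:-example.com}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
BASEDN="${BASEDN:-dc=example,dc=com}"
STAGE="${STAGE:-./ipa-client-stage}"

# Minimal /etc/krb5.conf: static KDC/admin/kpasswd entries for the realm and
# a domain_realm mapping so hosts in the DNS domain resolve to it.
# Ports are the standard ones (88 KDC, 749 kadmin, 464 kpasswd).
gen_krb5_conf() {
  # $1 = realm, $2 = DNS domain, $3 = IPA server hostname
  cat <<EOF
[libdefaults]
  default_realm = $1
  dns_lookup_realm = false
  dns_lookup_kdc = false
  forwardable = yes

[realms]
  $1 = {
    kdc = $3:88
    admin_server = $3:749
    kpasswd_server = $3:464
  }

[domain_realm]
  .$2 = $1
  $2 = $1
EOF
}

# Minimal nss_ldap/pam_ldap /etc/ldap.conf. STARTTLS with CA verification is
# the one setting not to skip: without tls_checkpeer a rogue "IPA server"
# can feed the client fake uid/gid data. The CA file path is an assumption.
gen_ldap_conf() {
  # $1 = base DN, $2 = IPA server hostname
  cat <<EOF
base $1
uri ldap://$2/
ldap_version 3
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
nss_base_passwd cn=users,cn=accounts,$1
nss_base_group cn=groups,cn=accounts,$1
bind_policy soft
EOF
}

# Append "ldap" to the passwd, group and shadow lines of an nsswitch.conf,
# leaving other databases (hosts, ...) alone. Idempotent: a line that already
# consults ldap is printed unchanged. Reads $1, writes the result to stdout.
add_ldap_to_nsswitch() {
  awk '
    /^(passwd|group|shadow):/ && $0 !~ /[ \t]ldap([ \t]|$)/ { $0 = $0 " ldap" }
    { print }
  ' "$1"
}

# Return 0 only if passwd, group and shadow in $1 all consult ldap.
check_nsswitch() {
  for db in passwd group shadow; do
    grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
  done
  return 0
}

# Write everything under $STAGE so it can be reviewed and diffed against /etc.
stage_all() {
  mkdir -p "$STAGE"
  gen_krb5_conf "$REALM" "$DOMAIN" "$IPA_SERVER" > "$STAGE/krb5.conf"
  gen_ldap_conf "$BASEDN" "$IPA_SERVER" > "$STAGE/ldap.conf"
  add_ldap_to_nsswitch /etc/nsswitch.conf > "$STAGE/nsswitch.conf"
  check_nsswitch "$STAGE/nsswitch.conf"
}

# Rob's runtime checks, to run on the client once the files are in /etc:
# a ticket for a user proves krb5.conf, getent/id prove nss_ldap.
verify_client() {
  # $1 = an IPA user name
  kinit "$1@$REALM" && klist &&
  getent passwd "$1" && id "$1"
}

if [ "${1:-}" = "stage" ]; then
  stage_all
fi
```

Run it as `sh ipa-client-stage.sh stage`, inspect the three files under ./ipa-client-stage, copy them into /etc, enable krb5 and ldap in PAM with the distribution's own tooling, then run `verify_client someuser`. Remember that getent and id only prove the NSS half; a login through PAM is the only real test of the third item on Rob's list.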
URL:

From mwchristiansen at gmail.com Mon Jun 9 17:22:38 2008
From: mwchristiansen at gmail.com (Mark Christiansen)
Date: Mon, 9 Jun 2008 10:22:38 -0700
Subject: [Freeipa-devel] Problems accessing IPA from clients
In-Reply-To: <1212931926.4545.13.camel@localhost.localdomain>
References: <20080607160005.2CADB618A5C@hormel.redhat.com> <1212931926.4545.13.camel@localhost.localdomain>
Message-ID:

Hi Simo,

Yes, I can get a kerberos ticket on both Windows and Linux clients. I am able to configure a browser on the machine with FreeIPA and use its web interface, but I am unable to do the same on the clients.

Thanks for your suggestions!

-Mark

On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce wrote:
> Can you get a kerberos ticket on the clients?
> If not, what error do you get ?
>
> Simo.
>
> On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote:
> > Hello everyone,
> >
> > Recently I sent an e-mail because I couldn't get access to freeipa on
> > any machine other than the one with freeipa installed. I reinstalled
> > the MIT Kerberos client, and am now able to authenticate on a Windows
> > machine. However, I can still not get the webpage to display on
> > either a Windows or a Linux platform (other than the virtual machine
> > freeIPA is installed on). I have reinstalled several times, and don't
> > know what I could be missing. All of my machines are on one subnet,
> > and I temporarily disabled firewalls to see if that could be the
> > issue.
> >
> > Thanks for any tips!
> >
> > -Mark
> --
> Simo Sorce * Red Hat, Inc * New York
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Jun 9 17:34:38 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 Jun 2008 13:34:38 -0400
Subject: [Freeipa-devel] Problems accessing IPA from clients
In-Reply-To:
References: <20080607160005.2CADB618A5C@hormel.redhat.com> <1212931926.4545.13.camel@localhost.localdomain>
Message-ID: <484D69AE.2070602@redhat.com>

Mark Christiansen wrote:
> Hi Simo,
>
> Yes, I can get a kerberos ticket on both Windows and Linux clients. I
> am able to configure a browser on the machine with FreeIPA and use its
> web interface, but I am unable to do the same on the clients.
>
> Thanks for your suggestions!

Are you configuring your browser according to:
http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser

rob

>
> -Mark
>
> On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce wrote:
>
> Can you get a kerberos ticket on the clients?
> If not, what error do you get ?
>
> Simo.
>
> On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote:
> > Hello everyone,
> >
> > Recently I sent an e-mail because I couldn't get access to freeipa on
> > any machine other than the one with freeipa installed.
I reinstalled > > the MIT Kerberos client, and am now able to authenticate on a Windows > > machine. However, I can still not get the webpage to display on > > either a Windows or a Linux platform (other than the virtual machine > > freeIPA is installed on). I have reinstalled several times, and > don't > > know what I could be missing. All of my machines are on one subnet, > > and I temporarily disabled firewalls to see if that could be the > > issue. > > > > Thanks for any tips! > > > > -Mark > > > > On Sat, Jun 7, 2008 at 9:00 AM, > > > wrote: > > Send Freeipa-devel mailing list submissions to > > freeipa-devel at redhat.com > > > > > To subscribe or unsubscribe via the World Wide Web, visit > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > or, via email, send a message with subject or body 'help' to > > freeipa-devel-request at redhat.com > > > > > You can reach the person managing the list at > > freeipa-devel-owner at redhat.com > > > > > When replying, please edit your Subject line so it is more > > specific > > than "Re: Contents of Freeipa-devel digest..." > > > > > > Today's Topics: > > > > 1. Re: [PATCH] be clearer about what is being configured > > (Rob Crittenden) > > 2. AD and freeIPA synch (Karl Wirth) > > 3. Re: AD and freeIPA synch (Rich Megginson) > > > > > > > ---------------------------------------------------------------------- > > > > Message: 1 > > Date: Fri, 06 Jun 2008 15:27:21 -0400 > > From: Rob Crittenden > > > Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is > > being > > configured > > To: freeipa-devel > > > Message-ID: <48498F99.5090903 at redhat.com > > > > Content-Type: text/plain; charset="iso-8859-1" > > > > Skipped content of type multipart/mixed-------------- next > > part -------------- > > A non-text attachment was scrubbed... 
> > Name: smime.p7s > > Type: application/x-pkcs7-signature > > Size: 3245 bytes > > Desc: S/MIME Cryptographic Signature > > Url : > > > https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin > > > > ------------------------------ > > > > Message: 2 > > Date: Fri, 06 Jun 2008 15:32:29 -0400 > > From: Karl Wirth > > > Subject: [Freeipa-devel] AD and freeIPA synch > > To: freeipa-devel at redhat.com > , freeipa-interest at redhat.com > > > Message-ID: <484990CD.30206 at redhat.com > > > > Content-Type: text/plain; charset=ISO-8859-1 > > > > Hello, > > > > Many organizations have given feedback that they want to make > > sure that > > freeIPA can synch with AD. We want to provide more than what > > is > > available in the winsynch that is in fedora directory server. > > Here are > > my thoughts on what the features should be in this area. I > > would love > > your feedback. Does this sound right? What is missing? > > Longerterm, we > > hope to enable kerberos trust between AD and IPA but even > then > > some > > folks will want synch as well. Thoughts? > > > > AD and freeIPA synch requirements ---proposal for your review > > and feedback > > > > 1. Keep password in AD same as PW in IPA > > - If changed in AD, bring change over to IPA > > - If changed in IPA, bring change over to AD > > > > 2. Synch userid and attributes > > - Configurable which attributes > > - If full posix available then make this available > > - Configurable translation between attributes (i.e transform > > data such > > as middle name length or whatever) > > - Configurable mapping between attribute names > > - Generate attributes if not present in AD with flexible > rules > > for doing > > this and vice versa > > > > 3. Which subsets of users to keep in synch > > - Make it possible to define which AD/IPA users should be > kept > > in synch > > > > 4. Topology > > - Password synch is only supported with 1 AD domain. Not > > multiple. 
> > - Identity/attribute synch is supported across multiple > > domains. > > ---If the same user is in multiple domains, there is a > problem > > ---- Not > > supported > > ---If the same userid in different domains but different > user, > > resolve > > - Need to support PW change on any IPA server > > - Need to support PW change on an AD server > > > > 5. Failover > > - Support for failover AD DC > > - Support for failover IPA > > > > 6. Install and Packaging > > - Separate install of synch tool > > - Preconfigured synch tool with easy to point to IPA and AD > > - Predefined > > - Requires passsynch on domain controllers > > - Proposal 1: Requires password to only change on AD. > > Probably not ok. > > - Proposal 2: Make changes to IPA to hand PW to AD > > > > 7. Groups. > > Allow four options that an administrator can choose between: > > - One option: Synchronize all users from AD into one IPA > group > > - Second option: Synchronize all users according to filter > > defined in #3 > > above and bring along all of their groups and keep their > > memberships in > > them. > > - Third option: No group synch at all > > - Fourth option: No support for nested groups > > > > Best regards, > > Karl > > > > > > > > ------------------------------ > > > > Message: 3 > > Date: Fri, 06 Jun 2008 13:38:50 -0600 > > From: Rich Megginson > > > Subject: Re: [Freeipa-devel] AD and freeIPA synch > > To: kwirth at redhat.com > > Cc: freeipa-devel at redhat.com > , freeipa-interest at redhat.com > > > Message-ID: <4849924A.40303 at redhat.com > > > > Content-Type: text/plain; charset="iso-8859-1" > > > > Karl Wirth wrote: > > > Hello, > > > > > > Many organizations have given feedback that they want to > > make sure that > > > freeIPA can synch with AD. We want to provide more than > > what is > > > available in the winsynch that is in fedora directory > > server. Here are > > > my thoughts on what the features should be in this area. I > > would love > > > your feedback. 
Does this sound right? What is missing? > > Longerterm, we > > > hope to enable kerberos trust between AD and IPA but even > > then some > > > folks will want synch as well. Thoughts? > > > > > > AD and freeIPA synch requirements ---proposal for your > > review and feedback > > > > > > 1. Keep password in AD same as PW in IPA > > > - If changed in AD, bring change over to IPA > > > - If changed in IPA, bring change over to AD > > > > > One problem with this is password policy - min length, > > complexity, > > history, etc. How to sync password policy between IPA > and AD? > > > 2. Synch userid and attributes > > > - Configurable which attributes > > > - If full posix available then make this available > > > - Configurable translation between attributes (i.e > transform > > data such > > > as middle name length or whatever) > > > - Configurable mapping between attribute names > > > - Generate attributes if not present in AD with flexible > > rules for doing > > > this and vice versa > > > > > > 3. Which subsets of users to keep in synch > > > - Make it possible to define which AD/IPA users should be > > kept in synch > > > > > > 4. Topology > > > - Password synch is only supported with 1 AD domain. Not > > multiple. > > > - Identity/attribute synch is supported across multiple > > domains. > > > ---If the same user is in multiple domains, there is a > > problem ---- Not > > > supported > > > ---If the same userid in different domains but different > > user, resolve > > > - Need to support PW change on any IPA server > > > - Need to support PW change on an AD server > > > > > Support for uni-directional sync - many Fedora DS users have > > asked for > > the ability to sync changes only from Fedora DS to AD, or > vice > > versa, > > but not both ways. Or perhaps uni-directional for passwords > > (due to > > password policy) and bi-di for other data. > > > 5. Failover > > > - Support for failover AD DC > > > - Support for failover IPA > > > > > > 6. 
Install and Packaging > > > - Separate install of synch tool > > > - Preconfigured synch tool with easy to point to IPA and AD > > > - Predefined > > > - Requires passsynch on domain controllers > > > - Proposal 1: Requires password to only change on AD. > > Probably not ok. > > > - Proposal 2: Make changes to IPA to hand PW to AD > > > > > > 7. Groups. > > > Allow four options that an administrator can choose > between: > > > - One option: Synchronize all users from AD into one IPA > > group > > > - Second option: Synchronize all users according to filter > > defined in #3 > > > above and bring along all of their groups and keep their > > memberships in > > > them. > > > - Third option: No group synch at all > > > - Fourth option: No support for nested groups > > > > > Support for AD memberOf (if not already fully supported by > > ipa-memberof). > > > Best regards, > > > Karl > > > > > > _______________________________________________ > > > Freeipa-devel mailing list > > > Freeipa-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > > > > -------------- next part -------------- > > A non-text attachment was scrubbed... 
> > Name: smime.p7s > > Type: application/x-pkcs7-signature > > Size: 3245 bytes > > Desc: S/MIME Cryptographic Signature > > Url : > > > https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin > > > > ------------------------------ > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > End of Freeipa-devel Digest, Vol 13, Issue 11 > > ********************************************* > > > > _______________________________________________ > > Freeipa-devel mailing list > > Freeipa-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > -- > Simo Sorce * Red Hat, Inc * New York > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mwchristiansen at gmail.com Mon Jun 9 17:44:47 2008 From: mwchristiansen at gmail.com (Mark Christiansen) Date: Mon, 9 Jun 2008 10:44:47 -0700 Subject: [Freeipa-devel] Problems accessing IPA from clients In-Reply-To: <484D69AE.2070602@redhat.com> References: <20080607160005.2CADB618A5C@hormel.redhat.com> <1212931926.4545.13.camel@localhost.localdomain> <484D69AE.2070602@redhat.com> Message-ID: Hi Rob, It turns out that this fixed my Windows client: network.auth.use-sspi false However, my Linux (RHEL5) browser still doesn't connect. I can file a bug to add the above line to ssbrowser.html. I am still confused as to what could be going on with my Linux machine. Cheers! 
-Mark On Mon, Jun 9, 2008 at 10:34 AM, Rob Crittenden wrote: > Mark Christiansen wrote: > >> Hi Simo, >> >> Yes, I can get a kerberos ticket on both Windows and Linux clients. I am >> able to configure a browser on the machine with FreeIPA and use its web >> interface, but I am unable to do the same on the clients. >> Thanks for your suggestions! >> > > Are you configuring your browser according to: > > http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser > > rob > > >> -Mark >> >> On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce > ssorce at redhat.com>> wrote: >> >> Can you get a kerberos ticket on the clients? >> If not, what error do you get ? >> >> Simo. >> >> On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote: >> > Hello everyone, >> > >> > Recently I sent an e-mail because I couldn't get access to freeipa >> on >> > any machine other than the one with freeipa installed. I >> reinstalled >> > the MIT Kerberos client, and am now able to authenticate on a >> Windows >> > machine. However, I can still not get the webpage to display on >> > either a Windows or a Linux platform (other than the virtual machine >> > freeIPA is installed on). I have reinstalled several times, and >> don't >> > know what I could be missing. All of my machines are on one subnet, >> > and I temporarily disabled firewalls to see if that could be the >> > issue. >> > >> > Thanks for any tips! 
>> >
>> > -Mark

-------------- next part --------------
An HTML attachment was scrubbed...
URL: From ssorce at redhat.com Mon Jun 9 20:58:12 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Jun 2008 16:58:12 -0400 Subject: [Freeipa-devel] [PATCH] be clearer about what is being configured In-Reply-To: <48498F99.5090903@redhat.com> References: <484835EA.5060603@redhat.com> <4848E4B6.4060000@redhat.com> <48498F99.5090903@redhat.com> Message-ID: <1213045092.26517.10.camel@localhost.localdomain> On Fri, 2008-06-06 at 15:27 -0400, Rob Crittenden wrote: > Revised patch with some suggestions from mnagy in #freeipa ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Jun 9 20:59:16 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Jun 2008 16:59:16 -0400 Subject: [Freeipa-devel] [PATCH] move version to ipa-python In-Reply-To: <48404663.10304@redhat.com> References: <48404663.10304@redhat.com> Message-ID: <1213045156.26517.12.camel@localhost.localdomain> On Fri, 2008-05-30 at 14:24 -0400, Rob Crittenden wrote: > Move version.py to the common ipa directory instead of being > server-based so it can be used by the client tool. > > Fix the client tool imports to fail more gracefully. ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Jun 9 21:00:11 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Jun 2008 17:00:11 -0400 Subject: [Freeipa-devel] [PATCH] fix unclean shutdown in ipa_webui In-Reply-To: <4848AA57.50102@redhat.com> References: <4848AA57.50102@redhat.com> Message-ID: <1213045211.26517.14.camel@localhost.localdomain> On Thu, 2008-06-05 at 23:09 -0400, Rob Crittenden wrote: > Add our own SIGTERM handler so we can do clean shutdowns. > > Also fix foreground mode. 
ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Jun 9 21:01:22 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Jun 2008 17:01:22 -0400 Subject: [Freeipa-devel] [PATCH] log the host when reporting LDAP connect errors In-Reply-To: <484834DA.7040108@redhat.com> References: <484834DA.7040108@redhat.com> Message-ID: <1213045282.26517.16.camel@localhost.localdomain> On Thu, 2008-06-05 at 14:47 -0400, Rob Crittenden wrote: > In the kerberos instance installer if the LDAP server is unreachable > then no error would be returned. Now at least report the host we are > trying to connect to. ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Jun 9 21:03:44 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Jun 2008 17:03:44 -0400 Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute In-Reply-To: <4845948E.2040801@redhat.com> References: <4845948E.2040801@redhat.com> Message-ID: <1213045424.26517.18.camel@localhost.localdomain> On Tue, 2008-06-03 at 14:59 -0400, Rob Crittenden wrote: > When converting from a multi-valued UI attribute back to a list drop > any > blank values. This will avoid errors in the UniqueList() validator. ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Jun 9 21:07:17 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 09 Jun 2008 17:07:17 -0400 Subject: [Freeipa-devel] [PATCH] ensure realm is upper-case In-Reply-To: <4845649C.1040404@redhat.com> References: <4845649C.1040404@redhat.com> Message-ID: <1213045637.26517.20.camel@localhost.localdomain> On Tue, 2008-06-03 at 11:34 -0400, Rob Crittenden wrote: > Go ahead and enforce an upper-case realm name. Some things assume > that > it will be upper-case, and this is the convention anyway, so don't > fight > the system. 
ack -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Tue Jun 10 02:10:30 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 09 Jun 2008 22:10:30 -0400 Subject: [Freeipa-devel] [PATCH] be clearer about what is being configured In-Reply-To: <1213045092.26517.10.camel@localhost.localdomain> References: <484835EA.5060603@redhat.com> <4848E4B6.4060000@redhat.com> <48498F99.5090903@redhat.com> <1213045092.26517.10.camel@localhost.localdomain> Message-ID: <484DE296.1080309@redhat.com> Simo Sorce wrote: > On Fri, 2008-06-06 at 15:27 -0400, Rob Crittenden wrote: >> Revised patch with some suggestions from mnagy in #freeipa > > ack > pushed to ipa-1-0 and master -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Jun 10 02:12:33 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 09 Jun 2008 22:12:33 -0400 Subject: [Freeipa-devel] [PATCH] fix unclean shutdown in ipa_webui In-Reply-To: <1213045211.26517.14.camel@localhost.localdomain> References: <4848AA57.50102@redhat.com> <1213045211.26517.14.camel@localhost.localdomain> Message-ID: <484DE311.3030104@redhat.com> Simo Sorce wrote: > On Thu, 2008-06-05 at 23:09 -0400, Rob Crittenden wrote: >> Add our own SIGTERM handler so we can do clean shutdowns. >> >> Also fix foreground mode. > > ack > pushed to master and ipa-1-0 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Jun 10 02:14:44 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 09 Jun 2008 22:14:44 -0400 Subject: [Freeipa-devel] [PATCH] log the host when reporting LDAP connect errors In-Reply-To: <1213045282.26517.16.camel@localhost.localdomain> References: <484834DA.7040108@redhat.com> <1213045282.26517.16.camel@localhost.localdomain> Message-ID: <484DE394.8080400@redhat.com> Simo Sorce wrote: > On Thu, 2008-06-05 at 14:47 -0400, Rob Crittenden wrote: >> In the kerberos instance installer if the LDAP server is unreachable >> then no error would be returned. Now at least report the host we are >> trying to connect to. > > ack > pushed to ipa-1-0 and master -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Tue Jun 10 02:16:01 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 09 Jun 2008 22:16:01 -0400 Subject: [Freeipa-devel] [PATCH] ignore empty values in multi-valued UI attribute In-Reply-To: <1213045424.26517.18.camel@localhost.localdomain> References: <4845948E.2040801@redhat.com> <1213045424.26517.18.camel@localhost.localdomain> Message-ID: <484DE3E1.60803@redhat.com> Simo Sorce wrote: > On Tue, 2008-06-03 at 14:59 -0400, Rob Crittenden wrote: >> When converting from a multi-valued UI attribute back to a list drop >> any >> blank values. This will avoid errors in the UniqueList() validator. > > ack > pushed to master and ipa-1-0 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Wed Jun 11 13:28:54 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Jun 2008 09:28:54 -0400 Subject: [Freeipa-devel] [PATCH] Make DS hash the clear text password In-Reply-To: <1212121754.12605.131.camel@localhost.localdomain> References: <1212085155.12605.123.camel@localhost.localdomain> <483F3A42.3090308@redhat.com> <1212121754.12605.131.camel@localhost.localdomain> Message-ID: <1213190934.26517.73.camel@localhost.localdomain> On Fri, 2008-05-30 at 00:29 -0400, Simo Sorce wrote: > On Thu, 2008-05-29 at 16:20 -0700, Nathan Kinder wrote: > > Simo Sorce wrote: > > > This fixes IPA -> AD password synchronization. > > > DS need to do the password hashing operation on userPassword itself, not > > > get a pre-hashed value. > > > > > ack. I tested this with a sync agreement setup between the IPA DS and > > AD, and the password went across to AD just fine. > > cool thanks for testing Finally pushed. Simo. -- Simo Sorce * Red Hat, Inc * New York From gdeschner at redhat.com Wed Jun 11 13:42:34 2008 From: gdeschner at redhat.com (=?UTF-8?B?R8O8bnRoZXIgRGVzY2huZXI=?=) Date: Wed, 11 Jun 2008 15:42:34 +0200 Subject: [Freeipa-devel] [PATCH] fail the build early when DS slapi plugin headers are not available. Message-ID: <484FD64A.1000704@redhat.com> -- G?nther Deschner GPG-ID: 8EE11688 Red Hat gdeschner at redhat.com Samba Team gd at samba.org -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-ipa-server-fail-the-build-early-when-DS-slapi-plugi.patch Type: application/mbox Size: 1000 bytes Desc: not available URL: From ssorce at redhat.com Wed Jun 11 13:56:11 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Jun 2008 09:56:11 -0400 Subject: [Freeipa-devel] [PATCH] fail the build early when DS slapi plugin headers are not available. 
In-Reply-To: <484FD64A.1000704@redhat.com> References: <484FD64A.1000704@redhat.com> Message-ID: <1213192571.26517.80.camel@localhost.localdomain> Ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Wed Jun 11 15:43:32 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Jun 2008 11:43:32 -0400 Subject: [Freeipa-devel] [PATCH] fail the build early when DS slapi plugin headers are not available. In-Reply-To: <1213192571.26517.80.camel@localhost.localdomain> References: <484FD64A.1000704@redhat.com> <1213192571.26517.80.camel@localhost.localdomain> Message-ID: <1213199013.26517.108.camel@localhost.localdomain> On Wed, 2008-06-11 at 09:56 -0400, Simo Sorce wrote: > Ack pushed to master only. I also pushed 2 minor one line fixes under the trivial rule, to both branches. Simo. -- Simo Sorce * Red Hat, Inc * New York From rcritten at redhat.com Wed Jun 11 18:35:25 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 11 Jun 2008 14:35:25 -0400 Subject: [Freeipa-devel] [PATCH] add missing verbose option Message-ID: <48501AED.4010702@redhat.com> A couple invocations of ipaclient.IPAClient lacked the verbose argument. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-51-verbose.patch Type: text/x-patch Size: 2306 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Wed Jun 11 18:45:15 2008 From: ssorce at redhat.com (Simo Sorce) Date: Wed, 11 Jun 2008 14:45:15 -0400 Subject: [Freeipa-devel] [PATCH] add missing verbose option In-Reply-To: <48501AED.4010702@redhat.com> References: <48501AED.4010702@redhat.com> Message-ID: <1213209915.26517.117.camel@localhost.localdomain> On Wed, 2008-06-11 at 14:35 -0400, Rob Crittenden wrote: > A couple invocations of ipaclient.IPAClient lacked the verbose > argument. 
ack

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Jun 11 20:31:31 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 Jun 2008 16:31:31 -0400
Subject: [Freeipa-devel] [PATCH] add missing verbose option
In-Reply-To: <1213209915.26517.117.camel@localhost.localdomain>
References: <48501AED.4010702@redhat.com> <1213209915.26517.117.camel@localhost.localdomain>
Message-ID: <48503623.9030302@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-06-11 at 14:35 -0400, Rob Crittenden wrote:
>> A couple invocations of ipaclient.IPAClient lacked the verbose
>> argument.
>
> ack
>

pushed to ipa-1-0 and master

From rcritten at redhat.com Wed Jun 11 21:21:33 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 Jun 2008 17:21:33 -0400
Subject: [Freeipa-devel] [PATCH] index memberof
Message-ID: <485041DD.7080604@redhat.com>

The memberof attribute needs to be indexed because we will need to search on it frequently.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-52-memberof.patch
Type: text/x-patch
Size: 888 bytes
Desc: not available
URL: 

From ssorce at redhat.com Wed Jun 11 21:23:38 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 11 Jun 2008 17:23:38 -0400
Subject: [Freeipa-devel] [PATCH] index memberof
In-Reply-To: <485041DD.7080604@redhat.com>
References: <485041DD.7080604@redhat.com>
Message-ID: <1213219418.26517.125.camel@localhost.localdomain>

On Wed, 2008-06-11 at 17:21 -0400, Rob Crittenden wrote:
> The memberof attribute needs to be indexed because we will need to
> search on it frequently.
ack

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Jun 11 21:30:36 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 Jun 2008 17:30:36 -0400
Subject: [Freeipa-devel] [PATCH] index memberof
In-Reply-To: <1213219418.26517.125.camel@localhost.localdomain>
References: <485041DD.7080604@redhat.com> <1213219418.26517.125.camel@localhost.localdomain>
Message-ID: <485043FC.7020007@redhat.com>

Simo Sorce wrote:
> On Wed, 2008-06-11 at 17:21 -0400, Rob Crittenden wrote:
>> The memberof attribute needs to be indexed because we will need to
>> search on it frequently.
>
> ack
>

pushed to ipa-1-0 and master

From ssorce at redhat.com Thu Jun 12 21:09:29 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 17:09:29 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa-getkeytab
Message-ID: <1213304969.26517.178.camel@localhost.localdomain>

An uninitialized variable causing problems.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jun 12 21:09:51 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 17:09:51 -0400
Subject: [Freeipa-devel] [PATCH] Change defaults for DNA plugin
Message-ID: <1213304991.26517.180.camel@localhost.localdomain>

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jun 12 21:12:41 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 17:12:41 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa-getkeytab
Message-ID: <1213305161.26517.184.camel@localhost.localdomain>

An uninitialized variable causing problems.

sorry re-sending because broken mailman messed up once again :(

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-uninizialized-counter-was-causing-allocation-to.patch
Type: application/mbox
Size: 755 bytes
Desc: not available
URL: 

From ssorce at redhat.com Thu Jun 12 21:13:21 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 17:13:21 -0400
Subject: [Freeipa-devel] [PATCH] Change defaults for DNA plugin
Message-ID: <1213305201.26517.186.camel@localhost.localdomain>

Hate our mailman with rage,
re-attaching.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Change-default.patch
Type: application/mbox
Size: 1207 bytes
Desc: not available
URL: 

From rcritten at redhat.com Thu Jun 12 21:14:05 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 Jun 2008 17:14:05 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa-getkeytab
In-Reply-To: <1213305161.26517.184.camel@localhost.localdomain>
References: <1213305161.26517.184.camel@localhost.localdomain>
Message-ID: <4851919D.8000503@redhat.com>

Simo Sorce wrote:
> An uninitialized variable causing problems.
>
> sorry re-sending because broken mailman messed up once again :(
>
>

ack

From rcritten at redhat.com Thu Jun 12 21:17:13 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 Jun 2008 17:17:13 -0400
Subject: [Freeipa-devel] [PATCH] Change defaults for DNA plugin
In-Reply-To: <1213305201.26517.186.camel@localhost.localdomain>
References: <1213305201.26517.186.camel@localhost.localdomain>
Message-ID: <48519259.8080108@redhat.com>

Simo Sorce wrote:
> Hate our mailman with rage,
> re-attaching.
>

ack
From ssorce at redhat.com Thu Jun 12 22:31:42 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 18:31:42 -0400
Subject: [Freeipa-devel] [PATCH] Must index uidnumber/gidnumber or dna breaks
Message-ID: <1213309902.26517.190.camel@localhost.localdomain>

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Must-index-uidnumber-and-gidnumber-and-any-attribute.patch
Type: application/mbox
Size: 1106 bytes
Desc: not available
URL: 

From rcritten at redhat.com Thu Jun 12 22:43:33 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 Jun 2008 18:43:33 -0400
Subject: [Freeipa-devel] [PATCH] Must index uidnumber/gidnumber or dna breaks
In-Reply-To: <1213309902.26517.190.camel@localhost.localdomain>
References: <1213309902.26517.190.camel@localhost.localdomain>
Message-ID: <4851A695.6040300@redhat.com>

Simo Sorce wrote:
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

ack
From ssorce at redhat.com Thu Jun 12 22:57:29 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 18:57:29 -0400
Subject: [Freeipa-devel] [PATCH] Must index uidnumber/gidnumber or dna breaks
In-Reply-To: <4851A695.6040300@redhat.com>
References: <1213309902.26517.190.camel@localhost.localdomain> <4851A695.6040300@redhat.com>
Message-ID: <1213311449.26517.201.camel@localhost.localdomain>

On Thu, 2008-06-12 at 18:43 -0400, Rob Crittenden wrote:
> ack

Sorry had to respin this patch, Rich says we need to tell the indexing
engine that the values are integers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Must-index-uidnumber-and-gidnumber-and-any-attribute.patch
Type: application/mbox
Size: 1187 bytes
Desc: not available
URL: 

From rmeggins at redhat.com Thu Jun 12 23:09:24 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 12 Jun 2008 17:09:24 -0600
Subject: [Freeipa-devel] [PATCH] Must index uidnumber/gidnumber or dna breaks
In-Reply-To: <1213311449.26517.201.camel@localhost.localdomain>
References: <1213309902.26517.190.camel@localhost.localdomain> <4851A695.6040300@redhat.com> <1213311449.26517.201.camel@localhost.localdomain>
Message-ID: <4851ACA4.9010505@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-06-12 at 18:43 -0400, Rob Crittenden wrote:
> > ack
>
> Sorry had to respin this patch, Rich says we need to tell the indexing
> engine that the values are integers.
>
ack
> Simo.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
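The index patches discussed in this thread and in the "index memberof" thread above are attachments the archive does not reproduce. The LDIF below is an added illustration written for this page, not the project's patches, of what those index definitions look like in Fedora Directory Server configuration: a plain equality index for memberof, and equality indexes for uidnumber and gidnumber that carry nsMatchingRule: integerOrderingMatch, which is how the indexing engine is told that the values are integers. Without it the index compares values as strings, so a range filter such as (uidNumber>=1000), the kind of search a plugin allocating free ids performs, is evaluated with "999" sorting after "1000". The backend name userRoot and the task entry name reindex-posix-ids are assumptions; an index added to a running server covers only entries written afterwards, so the cn=index task at the end reindexes the existing entries.

```ldif
# Added example, not the attached patch. Assumes the backend is named userRoot.
# Equality index on memberof: filters such as (memberOf=cn=admins,...) are
# then answered from the index instead of by scanning every entry.
dn: cn=memberof,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
cn: memberof
nsSystemIndex: false
nsIndexType: eq

# uidnumber/gidnumber: integerOrderingMatch makes the index order values
# numerically, so (uidNumber>=N) style range searches return correct results.
dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
cn: uidnumber
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsMatchingRule: integerOrderingMatch

dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
cn: gidnumber
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsMatchingRule: integerOrderingMatch

# Reindex entries that already exist; the task name is an arbitrary assumption.
# The server removes the task entry once the reindex has finished.
dn: cn=reindex-posix-ids,cn=index,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: reindex-posix-ids
nsInstance: userRoot
nsIndexAttribute: memberof
nsIndexAttribute: uidnumber
nsIndexAttribute: gidnumber
```

Apply it as Directory Manager with ldapmodify (for example `ldapmodify -x -D "cn=Directory Manager" -W -f indexes.ldif`), then run the search you care about and check the access log: a SRCH/RESULT pair tagged `notes=U` means the filter was still evaluated without an index, which is the symptom the thread is fixing.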
From ssorce at redhat.com Thu Jun 12 23:10:44 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 19:10:44 -0400
Subject: [Freeipa-devel] [PATCH] Must index uidnumber/gidnumber or dna breaks
In-Reply-To: <4851ACA4.9010505@redhat.com>
References: <1213309902.26517.190.camel@localhost.localdomain> <4851A695.6040300@redhat.com> <1213311449.26517.201.camel@localhost.localdomain> <4851ACA4.9010505@redhat.com>
Message-ID: <1213312244.26517.207.camel@localhost.localdomain>

On Thu, 2008-06-12 at 17:09 -0600, Rich Megginson wrote:
> Simo Sorce wrote:
> > On Thu, 2008-06-12 at 18:43 -0400, Rob Crittenden wrote:
> > > ack
> >
> > Sorry had to respin this patch, Rich says we need to tell the indexing
> > engine that the values are integers.
> >
> ack

pushed to master

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jun 12 23:11:37 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 19:11:37 -0400
Subject: [Freeipa-devel] [PATCH] fix ipa-getkeytab
In-Reply-To: <4851919D.8000503@redhat.com>
References: <1213305161.26517.184.camel@localhost.localdomain> <4851919D.8000503@redhat.com>
Message-ID: <1213312297.26517.209.camel@localhost.localdomain>

On Thu, 2008-06-12 at 17:14 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > An uninitialized variable causing problems.
> >
> > sorry re-sending because broken mailman messed up once again :(
> >
> >
>
> ack

pushed to master

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jun 12 23:11:52 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 12 Jun 2008 19:11:52 -0400
Subject: [Freeipa-devel] [PATCH] Change defaults for DNA plugin
In-Reply-To: <48519259.8080108@redhat.com>
References: <1213305201.26517.186.camel@localhost.localdomain> <48519259.8080108@redhat.com>
Message-ID: <1213312312.26517.211.camel@localhost.localdomain>

On Thu, 2008-06-12 at 17:17 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Hate our mailman with rage,
> > re-attaching.
> >
>
> ack

pushed to master

-- 
Simo Sorce * Red Hat, Inc * New York

From vcardprocessor at vcardprocessor.com Wed Jun 18 09:20:08 2008
From: vcardprocessor at vcardprocessor.com (Eric)
Date: Wed, 18 Jun 2008 02:20:08 -0700
Subject: [Freeipa-devel] FreeIPA and FDS Admin Console
Message-ID: <20086182208.644477@C840>

It is unclear from the documentation if there is a possibility to install the Admin Console for the Fedora Directory Server. Apparently freeIPA has to be installed with no previous installation of FDS. FreeIPA installs the prefork Apache server but the Fedora Directory Console needs Apache with the worker module. Will there be any trouble if I do a

yum install fedora-ds

on a server running a freeIPA server?

From rcritten at redhat.com Wed Jun 18 13:02:49 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Jun 2008 09:02:49 -0400
Subject: [Freeipa-devel] FreeIPA and FDS Admin Console
In-Reply-To: <20086182208.644477@C840>
References: <20086182208.644477@C840>
Message-ID: <48590779.4020003@redhat.com>

Eric wrote:
> It is unclear from the documentation if there is a possibility to install the Admin Console for the Fedora Directory Server. Apparently freeIPA has to be installed with no previous installation of FDS.
> FreeIPA installs the prefork Apache server but the Fedora Directory Console needs Apache with the worker module. Will there be any trouble if I do a
>
> yum install fedora-ds
>
> on a server running a freeIPA server?

Console is problematic because, among other things, it will allow you to add users/groups that won't work properly with IPA because they'll lack required objectclasses.

What operations do you want to use console for?

rob

From rcritten at redhat.com Fri Jun 20 13:49:38 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Jun 2008 09:49:38 -0400
Subject: [Freeipa-devel] FreeIPA 1.1 Released
Message-ID: <485BB572.9070308@redhat.com>

The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA version 1.1.

This is primarily a bug-fix release but a number of enhancements were made as well. An overview of the changes can be found at http://freeipa.org/page/Changelog

See our git repository at http://git.fedorahosted.org/git/freeipa.git/ for a complete changelog.

Many thanks to those who tested and provided feedback on version 1.0. Your assistance was greatly appreciated. We encourage people to experiment and evaluate the current release and we welcome feedback on the overall experience[1] and bug reports [2].

The complete source code is available for download here: http://www.freeipa.org/page/Downloads

We are also pleased to announce that FreeIPA 1.1 is available in Fedora 8 and Fedora 8 in their respective repositories.

The FreeIPA Project Team.

[1] http://freeipa.org/page/Contribute#Communication
[2] https://bugzilla.redhat.com/enter_bug.cgi?product=freeIPA
From rcritten at redhat.com Fri Jun 20 16:09:08 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Jun 2008 12:09:08 -0400
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <485BB572.9070308@redhat.com>
References: <485BB572.9070308@redhat.com>
Message-ID: <485BD624.5000409@redhat.com>

Rob Crittenden wrote:
> The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
> version 1.1.
>
> This is primarily a bug-fix release but a number of enhancements were
> made as well. An overview of the changes can be found at
> http://freeipa.org/page/Changelog
>
> See our git repository at http://git.fedorahosted.org/git/freeipa.git/
> for a complete changelog.
>
> Many thanks to those who tested and provided feedback on version 1.0.
> Your assistance was greatly appreciated. We encourage people to
> experiment and evaluate the current release and we welcome feedback on
> the overall experience[1] and bug reports [2].
>
> The complete source code is available for download here:
> http://www.freeipa.org/page/Downloads
>
> We are also pleased to announce that FreeIPA 1.1 is available in
> Fedora 8 and Fedora 8 in their respective repositories.

To clear that up, it is available in Fedora 8 and 9.

rob

From aGiggins at wcg.net.au Sun Jun 22 22:41:53 2008
From: aGiggins at wcg.net.au (Anthony Giggins)
Date: Mon, 23 Jun 2008 08:41:53 +1000
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <485BD624.5000409@redhat.com>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com>
Message-ID:

> Rob Crittenden wrote:
> > The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
> > version 1.1.
> >
> > This is primarily a bug-fix release but a number of enhancements were
> > made as well. An overview of the changes can be found at
> > http://freeipa.org/page/Changelog
> >
> > See our git repository at http://git.fedorahosted.org/git/freeipa.git/
> > for a complete changelog.
> >
> > Many thanks to those who tested and provided feedback on version 1.0.
> > Your assistance was greatly appreciated. We encourage people to
> > experiment and evaluate the current release and we welcome feedback on
> > the overall experience[1] and bug reports [2].
> >
> > The complete source code is available for download here:
> > http://www.freeipa.org/page/Downloads
> >
> > We are also pleased to announce that FreeIPA 1.1 is available in
> > Fedora 8 and Fedora 8 in their respective repositories.
>
> To clear that up, it is available in Fedora 8 and 9.
>
> rob

Still no RHEL 5/Centos 5 RPMS?

Anthony

From ssorce at redhat.com Mon Jun 23 13:14:13 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 09:14:13 -0400
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To:
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com>
Message-ID: <1214226853.3822.31.camel@localhost.localdomain>

On Mon, 2008-06-23 at 08:41 +1000, Anthony Giggins wrote:
> > Rob Crittenden wrote:
> > > The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
> > > version 1.1.
> > >
> > > This is primarily a bug-fix release but a number of enhancements were
> > > made as well. An overview of the changes can be found at
> > > http://freeipa.org/page/Changelog
> > >
> > > See our git repository at http://git.fedorahosted.org/git/freeipa.git/
> > > for a complete changelog.
> > >
> > > Many thanks to those who tested and provided feedback on version 1.0.
> > > Your assistance was greatly appreciated. We encourage people to
> > > experiment and evaluate the current release and we welcome feedback on
> > > the overall experience[1] and bug reports [2].
> > >
> > > The complete source code is available for download here:
> > > http://www.freeipa.org/page/Downloads
> > >
> > > We are also pleased to announce that FreeIPA 1.1 is available in
> > > Fedora 8 and Fedora 8 in their respective repositories.
> >
> > To clear that up, it is available in Fedora 8 and 9.
> >
> > rob
>
> Still no RHEL 5/Centos 5 RPMS?

Anthony,
RHEL 5/CentOS 5 require backporting of a few packages to be able to
successfully use freeipa.
It will require quite some work within EPEL to backport stuff like
turbogears, the kdc ldap backend and other python dependencies.
If someone wants to pick that work up it would be nice, but we do not
plan on doing that work as part of the FreeIPA project.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From joe at 2resonate.net Mon Jun 23 15:51:55 2008
From: joe at 2resonate.net (Joe Royall)
Date: Mon, 23 Jun 2008 08:51:55 -0700
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <1214226853.3822.31.camel@localhost.localdomain>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain>
Message-ID:

On Mon, Jun 23, 2008 at 6:14 AM, Simo Sorce wrote:
> On Mon, 2008-06-23 at 08:41 +1000, Anthony Giggins wrote:
> > > Rob Crittenden wrote:
> > > > The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
> > > > version 1.1.
> > > >
> > > > This is primarily a bug-fix release but a number of enhancements were
> > > > made as well. An overview of the changes can be found at
> > > > http://freeipa.org/page/Changelog
> > > >
> > > > See our git repository at http://git.fedorahosted.org/git/freeipa.git/
> > > > for a complete changelog.
> > > >
> > > > Many thanks to those who tested and provided feedback on version 1.0.
> > > > Your assistance was greatly appreciated. We encourage people to
> > > > experiment and evaluate the current release and we welcome feedback on
> > > > the overall experience[1] and bug reports [2].
> > > >
> > > > The complete source code is available for download here:
> > > > http://www.freeipa.org/page/Downloads
> > > >
> > > > We are also pleased to announce that FreeIPA 1.1 is available in
> > > > Fedora 8 and Fedora 8 in their respective repositories.
> > >
> > > To clear that up, it is available in Fedora 8 and 9.
> > >
> > > rob
> >
> > Still no RHEL 5/Centos 5 RPMS?
>
> Anthony,
> RHEL 5/CentOS 5 require backporting of a few packages to be able to
> successfully use freeipa.
> It will require quite some work within EPEL to backport stuff like
> turbogears, the kdc ldap backend and other python dependencies.
> If someone wants to pick that work up it would be nice, but we do not
> plan on doing that work as part of the FreeIPA project.
>

Wouldn't that make FreeIPA and Ovirt kind of useless until RHEL6?

Other than updated python support, what is required?

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

-- 
Joe Royall
Red Hat Certified Architect

From smooge at gmail.com Mon Jun 23 16:07:31 2008
From: smooge at gmail.com (Stephen John Smoogen)
Date: Mon, 23 Jun 2008 10:07:31 -0600
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To:
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain>
Message-ID: <80d7e4090806230907i5b0ac9fah3ec4578c02dc2e81@mail.gmail.com>

On Mon, Jun 23, 2008 at 9:51 AM, Joe Royall wrote:
>
>
> On Mon, Jun 23, 2008 at 6:14 AM, Simo Sorce wrote:
>>
>> On Mon, 2008-06-23 at 08:41 +1000, Anthony Giggins wrote:
>> > > Rob Crittenden wrote:
>> > > > The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
>> > > > version 1.1.
>> > > >
>> > > > This is primarily a bug-fix release but a number of enhancements were
>> > > > made as well. An overview of the changes can be found at
>> > > > http://freeipa.org/page/Changelog
>> > > >
>> > > > See our git repository at http://git.fedorahosted.org/git/freeipa.git/
>> > > > for a complete changelog.
>> > > >
>> > > > Many thanks to those who tested and provided feedback on version 1.0.
>> > > > Your assistance was greatly appreciated. We encourage people to
>> > > > experiment and evaluate the current release and we welcome feedback on
>> > > > the overall experience[1] and bug reports [2].
>> > > >
>> > > > The complete source code is available for download here:
>> > > > http://www.freeipa.org/page/Downloads
>> > > >
>> > > > We are also pleased to announce that FreeIPA 1.1 is available in
>> > > > Fedora 8 and Fedora 8 in their respective repositories.
>> > >
>> > > To clear that up, it is available in Fedora 8 and 9.
>> > >
>> > > rob
>> >
>> > Still no RHEL 5/Centos 5 RPMS?
>>
>> Anthony,
>> RHEL 5/CentOS 5 require backporting of a few packages to be able to
>> successfully use freeipa.
>> It will require quite some work within EPEL to backport stuff like
>> turbogears, the kdc ldap backend and other python dependencies.
>> If someone wants to pick that work up it would be nice, but we do not
>> plan on doing that work as part of the FreeIPA project.
>
> Wouldn't that make FreeIPA and Ovirt kind of useless until RHEL6?
>
> Other than updated python support, what is required?

In an enterprise environment where you are supposed to only run approved OS's.. yes (I will be running into this while I get an allowance with my management to put in Fedora). However, the truth of the matter is that upstream for projects always move from what is 'enterprise ready' and then if there is a corporate need, they will put in a lot of effort to get it ready.

-- 
Stephen J Smoogen.
-- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

From anthony.porcano at 247realmedia.com Mon Jun 23 16:10:18 2008
From: anthony.porcano at 247realmedia.com (Anthony Porcano)
Date: Mon, 23 Jun 2008 12:10:18 -0400
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To:
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain>
Message-ID: <1A98F6B9-1425-4785-8EA9-41771CECA280@247realmedia.com>

On Jun 23, 2008, at 11:51 AM, Joe Royall wrote:
>
> On Mon, Jun 23, 2008 at 6:14 AM, Simo Sorce wrote:
>
> On Mon, 2008-06-23 at 08:41 +1000, Anthony Giggins wrote:
> > > Rob Crittenden wrote:
> > > > The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
> > > > version 1.1.
> > > >
> >
> > Still no RHEL 5/Centos 5 RPMS?
>
> Anthony,
> RHEL 5/CentOS 5 require backporting of a few packages to be able to
> successfully use freeipa.
> It will require quite some work within EPEL to backport stuff like
> turbogears, the kdc ldap backend and other python dependencies.
> If someone wants to pick that work up it would be nice, but we do not
> plan on doing that work as part of the FreeIPA project.
>
> Wouldn't that make FreeIPA and Ovirt kind of useless until RHEL6?
>
> Other than updated python support, what is required?

Is there a list of client/server requirements available for FreeIPA? On the server side I'm happy to run Fedora 8/9 to satisfy requirements. Support for clients which must stay on RHEL3,4,5 seems to be the place where you'll need backported packages the most. If EPEL doesn't contain the required packages now, does anyone know if rpmforge has them? If someone can confirm what is required I don't mind chasing down the dependencies and documenting it for future reference.

--AP
From mb--ipa at dcs.qmul.ac.uk Mon Jun 23 16:18:50 2008
From: mb--ipa at dcs.qmul.ac.uk (Matt Bernstein)
Date: Mon, 23 Jun 2008 17:18:50 +0100 (BST)
Subject: [Freeipa-devel] setting passwords stopped working
Message-ID:

Hi, not sure where better to send this so here goes..

I installed Fedora 9 FreeIPA (1.0) a couple of weeks ago, and yum has since upgraded it to 1.1. Things seem to be pretty good, except changing (or setting new) passwords has stopped working. I don't know if the upgrade was the cause of the error, but I thought I'd better mention it.

User's interaction:

$ kinit -V tim
Password for tim at TEST.EECS.QMUL.AC.UK:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting initial credentials

From krb5kdc.log:

Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: CLIENT KEY EXPIRED: tim at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Password has expired
Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: tim at TEST.EECS.QMUL.AC.UK for kadmin/changepw at TEST.EECS.QMUL.AC.UK, Additional pre-authentication required
Jun 23 17:06:45 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237205, etypes {rep=18 tkt=18 ses=18}, tim at TEST.EECS.QMUL.AC.UK for kadmin/changepw at TEST.EECS.QMUL.AC.UK
Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: kadmin/changepw at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Additional pre-authentication required
Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK
Jun 23 17:06:46 eagle krb5kdc[1357](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for ldap/eagle.test.eecs.qmul.ac.uk at TEST.EECS.QMUL.AC.UK

From syslog:

Jun 23 17:06:46 eagle kpasswd[1852]: ldap_parse_result(): [Password generation not implemented.#012]
Jun 23 17:06:46 eagle kpasswd[1852]: Password change failed

So.. is any of this helpful? It seems from syslog that the ipa_pwd_extop slapi plugin isn't receiving the new password, but I've no idea why.

Can anyone help? It's not SELinux or resource starvation, AFAICT.

Matt

From ssorce at redhat.com Mon Jun 23 16:53:59 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 12:53:59 -0400
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <485FC6F4.9060106@htpassport.ro>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain> <485FC6F4.9060106@htpassport.ro>
Message-ID: <1214240039.3822.75.camel@localhost.localdomain>

On Mon, 2008-06-23 at 18:53 +0300, Razvan Corneliu C.R. VILT wrote:
> Simo Sorce wrote:
> > On Mon, 2008-06-23 at 08:41 +1000, Anthony Giggins wrote:
> > > > Rob Crittenden wrote:
> > > > > The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
> > > > > version 1.1.
> > > > >
> > > > > This is primarily a bug-fix release but a number of enhancements were
> > > > > made as well. An overview of the changes can be found at
> > > > > http://freeipa.org/page/Changelog
> > > > >
> > > > > See our git repository at http://git.fedorahosted.org/git/freeipa.git/
> > > > > for a complete changelog.
> > > > >
> > > > > Many thanks to those who tested and provided feedback on version 1.0.
> > > > > Your assistance was greatly appreciated. We encourage people to
> > > > > experiment and evaluate the current release and we welcome feedback on
> > > > > the overall experience[1] and bug reports [2].
> > > > >
> > > > > The complete source code is available for download here:
> > > > > http://www.freeipa.org/page/Downloads
> > > > >
> > > > > We are also pleased to announce that FreeIPA 1.1 is available in
> > > > > Fedora 8 and Fedora 8 in their respective repositories.
> > > >
> > > > To clear that up, it is available in Fedora 8 and 9.
> > > >
> > > > rob
> > >
> > > Still no RHEL 5/Centos 5 RPMS?
> >
> > Anthony,
> > RHEL 5/CentOS 5 require backporting of a few packages to be able to
> > successfully use freeipa.
> > It will require quite some work within EPEL to backport stuff like
> > turbogears, the kdc ldap backend and other python dependencies.
> > If someone wants to pick that work up it would be nice, but we do not
> > plan on doing that work as part of the FreeIPA project.
> >
> > Simo.
>
> Hi Simo,
>
> For the krb5-server-ldap package, you can rebuild it simply by taking
> the RHEL SRPM and changing the following two lines in the spec file:
>
> %define WITH_LDAP 1
> %define ONLY_LDAP 1
>
> The rest of the packages should work with a simple recompile. I think
> that it's doable.

Yes, this is how you do it for the kerberos package.
> Regards,
> Razvan
>
> P.S.: I've removed freeipa-interest from the CC list as this thread is
> getting technical

Thanks, and I changed the subject line to reflect we are on the devel list :)

-- 
Simo Sorce * Red Hat, Inc * New York

From joe at 2resonate.net Mon Jun 23 17:01:20 2008
From: joe at 2resonate.net (Joe Royall)
Date: Mon, 23 Jun 2008 10:01:20 -0700
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <1A98F6B9-1425-4785-8EA9-41771CECA280@247realmedia.com>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain> <1A98F6B9-1425-4785-8EA9-41771CECA280@247realmedia.com>
Message-ID:

On Mon, Jun 23, 2008 at 9:10 AM, Anthony Porcano <anthony.porcano at 247realmedia.com> wrote:
>
> On Jun 23, 2008, at 11:51 AM, Joe Royall wrote:
>
>
> On Mon, Jun 23, 2008 at 6:14 AM, Simo Sorce wrote:
>
>
> On Mon, 2008-06-23 at 08:41 +1000, Anthony Giggins wrote:
>> > > Rob Crittenden wrote:
>> > > > The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
>> > > > version 1.1.
>> > > >
>>
>> >
>> > Still no RHEL 5/Centos 5 RPMS?
>>
>> Anthony,
>> RHEL 5/CentOS 5 require backporting of a few packages to be able to
>> successfully use freeipa.
>> It will require quite some work within EPEL to backport stuff like
>> turbogears, the kdc ldap backend and other python dependencies.
>> If someone wants to pick that work up it would be nice, but we do not
>> plan on doing that work as part of the FreeIPA project.
>>
>
> Wouldn't that make FreeIPA and Ovirt kind of useless until RHEL6?
>
> Other than updated python support, what is required?
>
>
> Is there a list of client/server requirements available for FreeIPA? On the
> server side I'm happy to run Fedora 8/9 to satisfy requirements. Support for
> clients which must stay on RHEL3,4,5 seems to be the place where you'll need
> backported packages the most. If EPEL doesn't contain the required packages
> now, does anyone know if rpmforge has them?
> If someone can confirm what is
> required I don't mind chasing down the dependencies and documenting it for
> future reference.
>
> --AP
>

The source for Red Hat's IPA is here
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEIPA/SRPMS/

This is built for RHEL 5. I will ping CentOS and see if they are building it, they used to have a RH directory server. If not, I will see what it takes to remove RH trademarks and pass the binaries along

From ssorce at redhat.com Mon Jun 23 17:07:31 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 13:07:31 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To:
References:
Message-ID: <1214240851.3822.84.camel@localhost.localdomain>

On Mon, 2008-06-23 at 17:18 +0100, Matt Bernstein wrote:
> Hi, not sure where better to send this so here goes..
>
> I installed Fedora 9 FreeIPA (1.0) a couple of weeks ago, and yum has
> since upgraded it to 1.1. Things seem to be pretty good, except changing
> (or setting new) passwords has stopped working. I don't know if the
> upgrade was the cause of the error, but I thought I'd better mention it.
>
> User's interaction:
>
> $ kinit -V tim
> Password for tim at TEST.EECS.QMUL.AC.UK:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials
>
> From krb5kdc.log:
>
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: CLIENT KEY EXPIRED: tim at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Password has expired
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: tim at TEST.EECS.QMUL.AC.UK for kadmin/changepw at TEST.EECS.QMUL.AC.UK, Additional pre-authentication required
> Jun 23 17:06:45 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237205, etypes {rep=18 tkt=18 ses=18}, tim at TEST.EECS.QMUL.AC.UK for kadmin/changepw at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: kadmin/changepw at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Additional pre-authentication required
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for ldap/eagle.test.eecs.qmul.ac.uk at TEST.EECS.QMUL.AC.UK
>
> From syslog:
>
> Jun 23 17:06:46 eagle kpasswd[1852]: ldap_parse_result(): [Password generation not implemented.#012]
> Jun 23 17:06:46 eagle kpasswd[1852]: Password change failed
>
> So.. is any of this helpful? It seems from syslog that the ipa_pwd_extop
> slapi plugin isn't receiving the new password, but I've no idea why.
>
> Can anyone help? It's not SELinux or resource starvation, AFAICT.
We have a bug report that has the exact same problem, I will try again to
reproduce it today, and see if I can come up with the cause.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From razvan at htpassport.ro Mon Jun 23 15:53:24 2008
From: razvan at htpassport.ro (Razvan Corneliu C.R. VILT)
Date: Mon, 23 Jun 2008 18:53:24 +0300
Subject: [Freeipa-interest] RE: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <1214226853.3822.31.camel@localhost.localdomain>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain>
Message-ID: <485FC6F4.9060106@htpassport.ro>

Simo Sorce wrote:
> On Mon, 2008-06-23 at 08:41 +1000, Anthony Giggins wrote:
>>> Rob Crittenden wrote:
>>>> The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA
>>>> version 1.1.
>>>>
>>>> This is primarily a bug-fix release but a number of enhancements were
>>>> made as well. An overview of the changes can be found at
>>>> http://freeipa.org/page/Changelog
>>>>
>>>> See our git repository at http://git.fedorahosted.org/git/freeipa.git/
>>>> for a complete changelog.
>>>>
>>>> Many thanks to those who tested and provided feedback on version 1.0.
>>>> Your assistance was greatly appreciated. We encourage people to
>>>> experiment and evaluate the current release and we welcome feedback on
>>>> the overall experience[1] and bug reports [2].
>>>>
>>>> The complete source code is available for download here:
>>>> http://www.freeipa.org/page/Downloads
>>>>
>>>> We are also pleased to announce that FreeIPA 1.1 is available in
>>>> Fedora 8 and Fedora 8 in their respective repositories.
>>> To clear that up, it is available in Fedora 8 and 9.
>>>
>>> rob
>> Still no RHEL 5/Centos 5 RPMS?
> Anthony,
> RHEL 5/CentOS 5 require backporting of a few packages to be able to
> successfully use freeipa.
> It will require quite some work within EPEL to backport stuff like
> turbogears, the kdc ldap backend and other python dependencies.
> If someone wants to pick that work up it would be nice, but we do not
> plan on doing that work as part of the FreeIPA project.
>
> Simo.

Hi Simo,

For the krb5-server-ldap package, you can rebuild it simply by taking
the RHEL SRPM and changing the following two lines in the spec file:

%define WITH_LDAP 1
%define ONLY_LDAP 1

The rest of the packages should work with a simple recompile. I think
that it's doable.

Regards,
Razvan

P.S.: I've removed freeipa-interest from the CC list as this thread is
getting technical

From ssorce at redhat.com Mon Jun 23 17:09:48 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 13:09:48 -0400
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To:
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain> <1A98F6B9-1425-4785-8EA9-41771CECA280@247realmedia.com>
Message-ID: <1214240988.3822.89.camel@localhost.localdomain>

On Mon, 2008-06-23 at 10:01 -0700, Joe Royall wrote:
> The source for Red Hat's IPA is here
> ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEIPA/SRPMS/
>
> this is built for RHEL 5. I will ping CentOS and see if they are
> building it, they used to have a RH directory server. If not, I will
> see what it takes to remove RH trademarks and pass the binaries along

Thanks Joe, I think this is indeed the way to go.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Jun 23 17:12:18 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 13:12:18 -0400
Subject: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <1A98F6B9-1425-4785-8EA9-41771CECA280@247realmedia.com>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain> <1A98F6B9-1425-4785-8EA9-41771CECA280@247realmedia.com>
Message-ID: <1214241138.3822.93.camel@localhost.localdomain>

On Mon, 2008-06-23 at 12:10 -0400, Anthony Porcano wrote:
> Is there a list of client/server requirements available for FreeIPA?
> On the server side I'm happy to run Fedora 8/9 to satisfy
> requirements. Support for clients which must stay on RHEL3,4,5 seems
> to be the place where you'll need backported packages the most. If
> EPEL doesn't contain the required packages now, does anyone know if
> rpmforge has them? If someone can confirm what is required I don't
> mind chasing down the dependencies and documenting it for future
> reference.

Clients in general do not need any special package, all you need is
proper configuration of nss_ldap/pam_krb5.

The admin tools have dependencies, and they are the same as for the rest
of IPA. Admin tools are not necessary on normal clients, they are only
needed on admin workstations normally.

Simo.

P.S: please drop freeipa-interest from this thread, let's keep it on
freeipa-devel where we can have lengthy conversations.

--
Simo Sorce * Red Hat, Inc * New York

From nkinder at redhat.com Mon Jun 23 17:24:57 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 23 Jun 2008 10:24:57 -0700
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To:
References:
Message-ID: <485FDC69.40109@redhat.com>

Matt Bernstein wrote:
> Hi, not sure where better to send this so here goes..
>
> I installed Fedora 9 FreeIPA (1.0) a couple of weeks ago, and yum has
> since upgraded it to 1.1.
> Things seem to be pretty good, except
> changing (or setting new) passwords has stopped working. I don't know
> if the upgrade was the cause of the error, but I thought I'd better
> mention it.
>
> User's interaction:
>
> $ kinit -V tim
> Password for tim at TEST.EECS.QMUL.AC.UK:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials
>
> From krb5kdc.log:
>
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: CLIENT KEY EXPIRED: tim at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Password has expired
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: tim at TEST.EECS.QMUL.AC.UK for kadmin/changepw at TEST.EECS.QMUL.AC.UK, Additional pre-authentication required
> Jun 23 17:06:45 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237205, etypes {rep=18 tkt=18 ses=18}, tim at TEST.EECS.QMUL.AC.UK for kadmin/changepw at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: kadmin/changepw at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Additional pre-authentication required
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for ldap/eagle.test.eecs.qmul.ac.uk at TEST.EECS.QMUL.AC.UK
>
> From syslog:
>
> Jun 23 17:06:46 eagle kpasswd[1852]: ldap_parse_result(): [Password generation not implemented.#012]
> Jun 23 17:06:46 eagle kpasswd[1852]: Password change failed
>
> So.. is any of this helpful? It seems from syslog that the
> ipa_pwd_extop slapi plugin isn't receiving the new password, but I've
> no idea why.
>
> Can anyone help? It's not SELinux or resource starvation, AFAICT.

Is there anything interesting related to the ipa_passwd_extop plug-in in
the Directory Server errors log (/var/log/dirsrv/slapd-/errors)?

-NGK

>
> Matt
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

From ssorce at redhat.com Mon Jun 23 18:19:26 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 14:19:26 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To:
References:
Message-ID: <1214245166.3822.104.camel@localhost.localdomain>

On Mon, 2008-06-23 at 17:18 +0100, Matt Bernstein wrote:
> Hi, not sure where better to send this so here goes..
>
> I installed Fedora 9 FreeIPA (1.0) a couple of weeks ago, and yum has
> since upgraded it to 1.1. Things seem to be pretty good, except changing
> (or setting new) passwords has stopped working. I don't know if the
> upgrade was the cause of the error, but I thought I'd better mention it.
>
> User's interaction:
>
> $ kinit -V tim
> Password for tim at TEST.EECS.QMUL.AC.UK:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials
>
> From krb5kdc.log:
>
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: CLIENT KEY EXPIRED: tim at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Password has expired
> Jun 23 17:06:43 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: tim at TEST.EECS.QMUL.AC.UK for kadmin/changepw at TEST.EECS.QMUL.AC.UK, Additional pre-authentication required
> Jun 23 17:06:45 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237205, etypes {rep=18 tkt=18 ses=18}, tim at TEST.EECS.QMUL.AC.UK for kadmin/changepw at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: NEEDED_PREAUTH: kadmin/changepw at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK, Additional pre-authentication required
> Jun 23 17:06:46 eagle krb5kdc[1357](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for krbtgt/TEST.EECS.QMUL.AC.UK at TEST.EECS.QMUL.AC.UK
> Jun 23 17:06:46 eagle krb5kdc[1357](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.37.95.132: ISSUE: authtime 1214237206, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw at TEST.EECS.QMUL.AC.UK for ldap/eagle.test.eecs.qmul.ac.uk at TEST.EECS.QMUL.AC.UK
>
> From syslog:
>
> Jun 23 17:06:46 eagle kpasswd[1852]: ldap_parse_result(): [Password generation not implemented.#012]
> Jun 23 17:06:46 eagle kpasswd[1852]: Password change failed

Matt,
can you run ldd /usr/sbin/ipa_kpasswd and paste here the output ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From joe at 2resonate.net Mon Jun 23 18:58:07 2008
From: joe at 2resonate.net (Joe Royall)
Date: Mon, 23 Jun 2008 11:58:07 -0700
Subject: [Freeipa-interest] Re: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <67437bc40806231149n4ef7e03cm653b3dce8c20361d@mail.gmail.com>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain> <80d7e4090806230907i5b0ac9fah3ec4578c02dc2e81@mail.gmail.com> <67437bc40806231149n4ef7e03cm653b3dce8c20361d@mail.gmail.com>
Message-ID:

On Mon, Jun 23, 2008 at 11:49 AM, Joshua Daniel Franklin <jdf.lists at gmail.com> wrote:

> >> Wouldn't that make FreeIPA and Ovirt kind of useless until RHEL6?
>
> I have no inside information on EL6, but based on past timelines
> it should not be all that far off (especially the beta).
>
> Also, at least one group I know here is setting up a test freeIPA on
> Fedora to get familiar with it and planning to really roll out with EL6.
>

I just talked to the centos team, they are working on RH IPA, but might be able to use some help. That discussion is at centos-devel at centos.org

From smooge at gmail.com Mon Jun 23 18:59:37 2008
From: smooge at gmail.com (Stephen John Smoogen)
Date: Mon, 23 Jun 2008 12:59:37 -0600
Subject: [Freeipa-interest] Re: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <67437bc40806231149n4ef7e03cm653b3dce8c20361d@mail.gmail.com>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain> <80d7e4090806230907i5b0ac9fah3ec4578c02dc2e81@mail.gmail.com> <67437bc40806231149n4ef7e03cm653b3dce8c20361d@mail.gmail.com>
Message-ID: <80d7e4090806231159v2b507ef7v4505da3db4b4b1de@mail.gmail.com>

On Mon, Jun 23, 2008 at 12:49 PM, Joshua Daniel Franklin wrote:
>>> Wouldn't that make FreeIPA and Ovirt kind of useless until RHEL6?
>
> I have no inside information on EL6, but based on past timelines
> it should not be all that far off (especially the beta).
>

From past time-lines, the beta would be out around/after F10 before F11.
The final would be 3-6 months after that (around F11/F12).

> Also, at least one group I know here is setting up a test freeIPA on
> Fedora to get familiar with it and planning to really roll out with EL6.
>

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

From jdf.lists at gmail.com Mon Jun 23 18:49:30 2008
From: jdf.lists at gmail.com (Joshua Daniel Franklin)
Date: Mon, 23 Jun 2008 11:49:30 -0700
Subject: [Freeipa-interest] Re: [Freeipa-devel] FreeIPA 1.1 Released
In-Reply-To: <80d7e4090806230907i5b0ac9fah3ec4578c02dc2e81@mail.gmail.com>
References: <485BB572.9070308@redhat.com> <485BD624.5000409@redhat.com> <1214226853.3822.31.camel@localhost.localdomain> <80d7e4090806230907i5b0ac9fah3ec4578c02dc2e81@mail.gmail.com>
Message-ID: <67437bc40806231149n4ef7e03cm653b3dce8c20361d@mail.gmail.com>

>> Wouldn't that make FreeIPA and Ovirt kind of useless until RHEL6?

I have no inside information on EL6, but based on past timelines
it should not be all that far off (especially the beta).

Also, at least one group I know here is setting up a test freeIPA on
Fedora to get familiar with it and planning to really roll out with EL6.

From mb--ipa at dcs.qmul.ac.uk Mon Jun 23 19:45:31 2008
From: mb--ipa at dcs.qmul.ac.uk (Matt Bernstein)
Date: Mon, 23 Jun 2008 20:45:31 +0100 (BST)
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <1214245166.3822.104.camel@localhost.localdomain>
References: <1214245166.3822.104.camel@localhost.localdomain>
Message-ID:

At 10:24 -0700 Nathan Kinder wrote:

> Is there anything interesting related to the ipa_passwd_extop plug-in in the
> Directory Server errors log (/var/log/dirsrv/slapd-/errors)?

Nothing.
Here's a connection in the access log, in case it's helpful.

[23/Jun/2008:20:40:25 +0100] conn=201 fd=64 slot=64 connection from 138.37.95.132 to 138.37.95.132
[23/Jun/2008:20:40:25 +0100] conn=201 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Jun/2008:20:40:25 +0100] conn=201 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Jun/2008:20:40:25 +0100] conn=201 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Jun/2008:20:40:25 +0100] conn=201 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/Jun/2008:20:40:25 +0100] conn=201 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/Jun/2008:20:40:25 +0100] conn=201 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=kadmin/changepw at test.eecs.qmul.ac.uk,cn=test.eecs.qmul.ac.uk,cn=kerberos,dc=test,dc=eecs,dc=qmul,dc=ac,dc=uk"
[23/Jun/2008:20:40:25 +0100] conn=201 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[23/Jun/2008:20:40:25 +0100] conn=201 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jun/2008:20:40:25 +0100] conn=201 op=4 SRCH base="dc=test,dc=eecs,dc=qmul,dc=ac,dc=uk" scope=2 filter="(krbPrincipalName=tim at TEST.EECS.QMUL.AC.UK)" attrs="krbPrincipalName"
[23/Jun/2008:20:40:25 +0100] conn=201 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jun/2008:20:40:25 +0100] conn=201 op=5 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[23/Jun/2008:20:40:25 +0100] conn=201 op=5 RESULT err=53 tag=120 nentries=0 etime=0
[23/Jun/2008:20:40:25 +0100] conn=201 op=6 UNBIND
[23/Jun/2008:20:40:25 +0100] conn=201 op=6 fd=64 closed - U1

At 14:19 -0400 Simo Sorce wrote:

> can you run ldd /usr/sbin/ipa_kpasswd and paste here the output ?
It's up-to-date F9 x86_64:

# ldd /usr/sbin/ipa_kpasswd
        linux-vdso.so.1 => (0x00007fffa41fe000)
        libssldap60.so => /usr/lib64/libssldap60.so (0x0000000000607000)
        libprldap60.so => /usr/lib64/libprldap60.so (0x0000000000813000)
        libldap60.so => /usr/lib64/libldap60.so (0x0000000000a18000)
        libssl3.so => /lib64/libssl3.so (0x0000000000c50000)
        libsmime3.so => /lib64/libsmime3.so (0x0000000000e82000)
        libnss3.so => /lib64/libnss3.so (0x00000000046ec000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00000000025e4000)
        libplds4.so => /lib64/libplds4.so (0x000000000230c000)
        libplc4.so => /lib64/libplc4.so (0x00000000010ad000)
        libnspr4.so => /lib64/libnspr4.so (0x0000000002948000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00000000012b1000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000000014cc000)
        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007fcd9bdff000)
        libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00007fcd9bbda000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fcd9b9d7000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fcd9b66b000)
        libsoftokn3.so => /lib64/libsoftokn3.so (0x00007fcd9b431000)
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fcd9b216000)
        /lib64/ld-linux-x86-64.so.2 (0x0000000000110000)
        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00007fcd9b00e000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fcd9ae0b000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fcd9abf6000)
        libsqlite3.so.0 => /usr/lib64/libsqlite3.so.0 (0x00007fcd9a987000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fcd9a74e000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcd9a532000)

Let me know if there's anything else I can offer.
Thanks

Matt

From ssorce at redhat.com Mon Jun 23 21:14:20 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 17:14:20 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To:
References: <1214245166.3822.104.camel@localhost.localdomain>
Message-ID: <1214255660.3822.113.camel@localhost.localdomain>

On Mon, 2008-06-23 at 20:45 +0100, Matt Bernstein wrote:
> It's up-to-date F9 x86_64:
>
> # ldd /usr/sbin/ipa_kpasswd
>         linux-vdso.so.1 => (0x00007fffa41fe000)
>         libssldap60.so => /usr/lib64/libssldap60.so (0x0000000000607000)
>         libprldap60.so => /usr/lib64/libprldap60.so (0x0000000000813000)
>         libldap60.so => /usr/lib64/libldap60.so (0x0000000000a18000)
>         libssl3.so => /lib64/libssl3.so (0x0000000000c50000)
>         libsmime3.so => /lib64/libsmime3.so (0x0000000000e82000)
>         libnss3.so => /lib64/libnss3.so (0x00000000046ec000)
>         libnssutil3.so => /lib64/libnssutil3.so (0x00000000025e4000)
>         libplds4.so => /lib64/libplds4.so (0x000000000230c000)
>         libplc4.so => /lib64/libplc4.so (0x00000000010ad000)
>         libnspr4.so => /lib64/libnspr4.so (0x0000000002948000)
>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00000000012b1000)
>         libdl.so.2 => /lib64/libdl.so.2 (0x00000000014cc000)
>         libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007fcd9bdff000)
>         libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00007fcd9bbda000)
>         libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fcd9b9d7000)
>         libc.so.6 => /lib64/libc.so.6 (0x00007fcd9b66b000)
>         libsoftokn3.so => /lib64/libsoftokn3.so (0x00007fcd9b431000)
>         libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fcd9b216000)
>         /lib64/ld-linux-x86-64.so.2 (0x0000000000110000)
>         libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00007fcd9b00e000)
>         libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fcd9ae0b000)
>         libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fcd9abf6000)
>         libsqlite3.so.0 => /usr/lib64/libsqlite3.so.0 (0x00007fcd9a987000)
>         libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fcd9a74e000)
>         libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcd9a532000)
>
> Let me know if there's anything else I can offer.

This was to confirm my suspicions while I was updating my F9 machine.
The problem seems to show up when compiling against mozldap libraries, I
reproduced the test and then rebuilt packages linking against openldap
libraries instead. That fixed it, apparently.

I am going to rebuild all Fedora packages against openldap libs until we
find out why mozldap libs do not work for us.

Thanks very much for the report.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From mb--ipa at dcs.qmul.ac.uk Mon Jun 23 22:03:37 2008
From: mb--ipa at dcs.qmul.ac.uk (Matt Bernstein)
Date: Mon, 23 Jun 2008 23:03:37 +0100 (BST)
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <1214255660.3822.113.camel@localhost.localdomain>
References: <1214245166.3822.104.camel@localhost.localdomain> <1214255660.3822.113.camel@localhost.localdomain>
Message-ID:

At 17:14 -0400 Simo Sorce wrote:

> I am going to rebuild all Fedora packages against openldap libs until we
> find out why mozldap libs do not work for us.

Upgrading to 1.1.0-3 and rebooting seems to have fixed the problem for me.

Thanks very much :) and I'll be sure to let you know if there are any
further peculiarities,

Matt

From matt.flusche at cox.net Wed Jun 25 03:10:52 2008
From: matt.flusche at cox.net (Matt Flusche)
Date: Tue, 24 Jun 2008 22:10:52 -0500
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <1214255660.3822.113.camel@localhost.localdomain>
References: <1214245166.3822.104.camel@localhost.localdomain> <1214255660.3822.113.camel@localhost.localdomain>
Message-ID: <12A67C23-9896-490F-BE7A-139242E8C70D@cox.net>

This is the same issue I reported on 5/31... Never heard much feedback.
Glad it's being addressed so I can continue testing.
Thanks,

Matt

On Jun 23, 2008, at 4:14 PM, Simo Sorce wrote:

> On Mon, 2008-06-23 at 20:45 +0100, Matt Bernstein wrote:
>> It's up-to-date F9 x86_64:
>>
>> # ldd /usr/sbin/ipa_kpasswd
>>         linux-vdso.so.1 => (0x00007fffa41fe000)
>>         libssldap60.so => /usr/lib64/libssldap60.so (0x0000000000607000)
>>         libprldap60.so => /usr/lib64/libprldap60.so (0x0000000000813000)
>>         libldap60.so => /usr/lib64/libldap60.so (0x0000000000a18000)
>>         libssl3.so => /lib64/libssl3.so (0x0000000000c50000)
>>         libsmime3.so => /lib64/libsmime3.so (0x0000000000e82000)
>>         libnss3.so => /lib64/libnss3.so (0x00000000046ec000)
>>         libnssutil3.so => /lib64/libnssutil3.so (0x00000000025e4000)
>>         libplds4.so => /lib64/libplds4.so (0x000000000230c000)
>>         libplc4.so => /lib64/libplc4.so (0x00000000010ad000)
>>         libnspr4.so => /lib64/libnspr4.so (0x0000000002948000)
>>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00000000012b1000)
>>         libdl.so.2 => /lib64/libdl.so.2 (0x00000000014cc000)
>>         libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007fcd9bdff000)
>>         libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00007fcd9bbda000)
>>         libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fcd9b9d7000)
>>         libc.so.6 => /lib64/libc.so.6 (0x00007fcd9b66b000)
>>         libsoftokn3.so => /lib64/libsoftokn3.so (0x00007fcd9b431000)
>>         libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fcd9b216000)
>>         /lib64/ld-linux-x86-64.so.2 (0x0000000000110000)
>>         libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00007fcd9b00e000)
>>         libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fcd9ae0b000)
>>         libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fcd9abf6000)
>>         libsqlite3.so.0 => /usr/lib64/libsqlite3.so.0 (0x00007fcd9a987000)
>>         libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fcd9a74e000)
>>         libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcd9a532000)
>>
>> Let me know if there's anything else I can offer.
>
> This was to confirm my suspicions while I was updating my F9 machine.
> The problem seems to show up when compiling against mozldap
> libraries, I
> reproduced the test and then rebuilt packages linking against openldap
> libraries instead. That fixed it, apparently.
>
> I am going to rebuild all Fedora packages against openldap libs
> until we
> find out why mozldap libs do not work for us.
>
> Thanks very much for the report.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

From mischins at imi.uni-luebeck.de Wed Jun 25 06:45:25 2008
From: mischins at imi.uni-luebeck.de (Andreas Mischinski)
Date: Wed, 25 Jun 2008 08:45:25 +0200
Subject: [Freeipa-devel] Win sync between AD and IPA
Message-ID: <1214376325.11096.6.camel@vtx.imi.uni-luebeck.de>

Where to start? I'm missing some information on how to get basic sync
with Windows AD running. Maybe someone has a hint?

From maxim at wzzrd.com Wed Jun 25 08:22:33 2008
From: maxim at wzzrd.com (Maxim Burgerhout)
Date: Wed, 25 Jun 2008 10:22:33 +0200
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <12A67C23-9896-490F-BE7A-139242E8C70D@cox.net>
References: <1214245166.3822.104.camel@localhost.localdomain> <1214255660.3822.113.camel@localhost.localdomain> <12A67C23-9896-490F-BE7A-139242E8C70D@cox.net>
Message-ID: <88c1bad10806250122y5d3789aeu28dbdef66d61ca85@mail.gmail.com>

Hi,

I have been implementing FreeIPA in a pilot environment in a not-for-profit
organisation I work for in my spare time (I'm telling this so you won't
think I'm mad for implementing this in an enterprise production setting
;-)). I found FreeIPA so promising I decided to build a setup with it, work
with it for a year or so and migrate to IPA on CentOS, RHEL or something
else, if we would evaluate the product as good enough by then.

We ran into the can't-change-password problem last week and I'm happy it
was solved already.
I installed the fixes I downloaded from the site mentioned earlier, but
after that I ran into 'Decrypt integrity check failed' errors. I have some
new accounts with expired passwords for testing. When I try to log into a
client system with one of those accounts through gdm, the console or ssh,
I'm supposed to change the password. No matter how I try to log in, the
password change always fails. In the krb5kdc logs on the IPA server I see
'decrypt integrity check failed' errors for kadmin/changepw and the test
user account. I had to leave in a hurry, so I haven't got the exact message
here, but hopefully this helps a bit.

Anyway, I can set the password for an account by su'ing to it and then
running kinit: the password change through kinit works fine.

Most accounts of this error message Google shows me are about multiple
KDC's conflicting with each other (I have only one), about principals with
kvno conflicts (which seems unlikely for a user account) or about people
typing the wrong password (which I'm really pretty sure is not what is
happening), so I thought I'd drop it here: maybe one of you can slap me
around the ears with something completely obvious I failed to configure :-)
or else tell me to file a bug report...

Max

On 25/06/2008, Matt Flusche wrote:
> This is the same issue I reported on 5/31... Never heard much feedback.
> Glad it's being addressed so I can continue testing.
> > Thanks, > > Matt > > On Jun 23, 2008, at 4:14 PM, Simo Sorce wrote: > > > On Mon, 2008-06-23 at 20:45 +0100, Matt Bernstein wrote: > > > > > It's up-to-date F9 x86_64: > > > > > > # ldd /usr/sbin/ipa_kpasswd > > > linux-vdso.so.1 => (0x00007fffa41fe000) > > > libssldap60.so => /usr/lib64/libssldap60.so > > > (0x0000000000607000) > > > libprldap60.so => /usr/lib64/libprldap60.so > > > (0x0000000000813000) > > > libldap60.so => /usr/lib64/libldap60.so (0x0000000000a18000) > > > libssl3.so => /lib64/libssl3.so (0x0000000000c50000) > > > libsmime3.so => /lib64/libsmime3.so (0x0000000000e82000) > > > libnss3.so => /lib64/libnss3.so (0x00000000046ec000) > > > libnssutil3.so => /lib64/libnssutil3.so (0x00000000025e4000) > > > libplds4.so => /lib64/libplds4.so (0x000000000230c000) > > > libplc4.so => /lib64/libplc4.so (0x00000000010ad000) > > > libnspr4.so => /lib64/libnspr4.so (0x0000000002948000) > > > libpthread.so.0 => /lib64/libpthread.so.0 (0x00000000012b1000) > > > libdl.so.2 => /lib64/libdl.so.2 (0x00000000014cc000) > > > libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007fcd9bdff000) > > > libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 > > > (0x00007fcd9bbda000) > > > libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fcd9b9d7000) > > > libc.so.6 => /lib64/libc.so.6 (0x00007fcd9b66b000) > > > libsoftokn3.so => /lib64/libsoftokn3.so (0x00007fcd9b431000) > > > libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007fcd9b216000) > > > /lib64/ld-linux-x86-64.so.2 (0x0000000000110000) > > > libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 > > > (0x00007fcd9b00e000) > > > libkeyutils.so.1 => /lib64/libkeyutils.so.1 > > > (0x00007fcd9ae0b000) > > > libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fcd9abf6000) > > > libsqlite3.so.0 => /usr/lib64/libsqlite3.so.0 > > > (0x00007fcd9a987000) > > > libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fcd9a74e000) > > > libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcd9a532000) > > > > > > Let me know if there's anything else I can 
offer.
> > >
> >
> > This was to confirm my suspicions while I was updating my F9 machine.
> > The problem seems to show up when compiling against mozldap libraries, I reproduced the test and then rebuilt packages linking against openldap libraries instead. That fixed it, apparently.
> >
> > I am going to rebuild all Fedora packages against openldap libs until we find out why mozldap libs do not work for us.
> >
> > Thanks very much for the report.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

--
Maxim Burgerhout
maxim at wzzrd.com
----------------
My public key: http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0xACA34452

From ssorce at redhat.com Wed Jun 25 13:24:48 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 25 Jun 2008 09:24:48 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <12A67C23-9896-490F-BE7A-139242E8C70D@cox.net>
References: <1214245166.3822.104.camel@localhost.localdomain> <1214255660.3822.113.camel@localhost.localdomain> <12A67C23-9896-490F-BE7A-139242E8C70D@cox.net>
Message-ID: <1214400288.3822.126.camel@localhost.localdomain>

On Tue, 2008-06-24 at 22:10 -0500, Matt Flusche wrote:
> This is the same issue I reported on 5/31... Never heard much feedback. Glad it's being addressed so I can continue testing.

Sorry Matt,
I couldn't find the problem because I always built my test packages against openldap and so I was not able to repro.

The issue is solved now and packages are in updates-testing.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Jun 25 14:28:18 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 25 Jun 2008 10:28:18 -0400
Subject: [Freeipa-devel] Win sync between AD and IPA
In-Reply-To: <1214376325.11096.6.camel@vtx.imi.uni-luebeck.de>
References: <1214376325.11096.6.camel@vtx.imi.uni-luebeck.de>
Message-ID: <48625602.1010209@redhat.com>

Andreas Mischinski wrote:
> Where to start ? I'm missing some information on how to get basic sync with Windows AD running. Maybe someone has a hint ?
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

Win sync is not in the IPA yet. And we are not sure that Win sync as is will be the answer. We are actively working on the solution. We are trying to have it as soon as possible. Red Hat acquired Identyx and we are looking at the Penrose Virtual directory (Identyx flagship product) as one of the options to solve the issue.

Stay tuned.

--
Dmitri Pal
Engineering Manager
Red Hat Inc.

From maxim at wzzrd.com Tue Jun 24 19:07:39 2008
From: maxim at wzzrd.com (Maxim Burgerhout)
Date: Tue, 24 Jun 2008 21:07:39 +0200
Subject: [Freeipa-devel] setting passwords stopped working
Message-ID: <88c1bad10806241207u67e9d109h253a75bfe8292f1e@mail.gmail.com>

Hi,

I have been implementing FreeIPA in a pilot environment in a not-for-profit organisation I work for in my spare time (I'm telling this so you won't think I'm mad for implementing this in an enterprise production setting ;-)). I found FreeIPA so promising I decided to build a setup with it, work with it for a year or so and migrate to IPA on CentOS, RHEL or something else, if we would evaluate the product as good enough by then. We ran into the can't-change-password problem last week and I'm happy it was solved already.
I installed the fixes I downloaded from the site mentioned earlier, but after that I ran into 'Decrypt integrity check failed' errors.

I have some new accounts with expired passwords for testing. When I try to log into a client system with one of those accounts through gdm, the console or ssh, I'm supposed to change the password. No matter how I try to log in, the password change always fails. In the krb5kdc logs on the IPA server I see 'decrypt integrity check failed' errors for kadmin/changepw and the test user account. I had to leave in a hurry, so I haven't got the exact message here, but hopefully this helps a bit.

Anyway, I can set the password for an account by su'ing to it and then running kinit: the password change through kinit works fine.

Most accounts of this error message Google shows me are about multiple KDCs conflicting with each other (I have only one), about principals with kvno conflicts (which seems unlikely for a user account) or about people typing the wrong password (which I'm really pretty sure is not what is happening), so I thought I'd drop it here: maybe one of you can slap me around the ears with something completely obvious I failed to configure :-) or else tell me to file a bug report...

Max

From matt.flusche at cox.net Thu Jun 26 02:34:06 2008
From: matt.flusche at cox.net (Matt Flusche)
Date: Wed, 25 Jun 2008 21:34:06 -0500
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <1214400288.3822.126.camel@localhost.localdomain>
References: <1214245166.3822.104.camel@localhost.localdomain> <1214255660.3822.113.camel@localhost.localdomain> <12A67C23-9896-490F-BE7A-139242E8C70D@cox.net> <1214400288.3822.126.camel@localhost.localdomain>
Message-ID: <5772614A-186E-4B2B-B87F-9B5E6EB3D3F2@cox.net>

No problem; I've upgraded to 1.1.0-3.

New problem; ns-slapd is crashing during password changes. Other ldap activity seems to work correctly.

from /var/log/messages:
Jun 25 21:18:14 ruff kernel: ns-slapd[1547]: segfault at 0 ip 392fc808f0 sp 41c16c58 error 4 in libc-2.8.so[392fc00000+162000]

Matt

On Jun 25, 2008, at 8:24 AM, Simo Sorce wrote:
> On Tue, 2008-06-24 at 22:10 -0500, Matt Flusche wrote:
>> This is the same issue I reported on 5/31...
Never heard much >> feedback. Glad it's being addressed so I can continue testing. > > Sorry Matt, > I couldn't find the problem because I always built my test packages > against openldap and so I was not able to repro. > > The issue is solved now and packages are in updates-testing. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > From mnagy at redhat.com Thu Jun 26 11:01:13 2008 From: mnagy at redhat.com (Martin Nagy) Date: Thu, 26 Jun 2008 13:01:13 +0200 Subject: [Freeipa-devel] [PATCH] Fix some small issues that caused compiler warnings in C code Message-ID: <486376F9.7040803@redhat.com> This patch will fix some warnings produced by gcc. Unfortunately, there is still one warning and that one won't go away so easily.. Regards, Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-some-small-issues-that-caused-compiler-warnings.patch Type: application/mbox Size: 5126 bytes Desc: not available URL: From ssorce at redhat.com Thu Jun 26 13:46:55 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Jun 2008 09:46:55 -0400 Subject: [Freeipa-devel] setting passwords stopped working In-Reply-To: <5772614A-186E-4B2B-B87F-9B5E6EB3D3F2@cox.net> References: <1214245166.3822.104.camel@localhost.localdomain> <1214255660.3822.113.camel@localhost.localdomain> <12A67C23-9896-490F-BE7A-139242E8C70D@cox.net> <1214400288.3822.126.camel@localhost.localdomain> <5772614A-186E-4B2B-B87F-9B5E6EB3D3F2@cox.net> Message-ID: <1214488015.3822.176.camel@localhost.localdomain> On Wed, 2008-06-25 at 21:34 -0500, Matt Flusche wrote: > No problem; I've upgraded to 1.1.0-3. > > New problem; ns-slapd is crashing during password changes. Other > ldap activity seems to work correctly. > > from /var/log/messages: > Jun 25 21:18:14 ruff kernel: ns-slapd[1547]: segfault at 0 ip > 392fc808f0 sp 41c16c58 error 4 in libc-2.8.so[392fc00000+162000] Any chance you can get a full stack trace ? Simo. 
--
Simo Sorce * Red Hat, Inc * New York

From janfrode at tanso.net Wed Jun 25 22:49:57 2008
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 26 Jun 2008 00:49:57 +0200
Subject: [Freeipa-devel] setting passwords stopped working
Message-ID: <20080625224957.GA10064@lc4eb5760521341.ibm.com>

I've been struggling a bit with installing ipa v.1.1 on a ppc system. First I guess I got most right, but failed to set/change passwords. So I uninstalled v.1.1.0-2 and installed v1.1.0-3.fc9 now. This fails in new and exciting ways :-)

  [1/16]: creating directory server user
  [2/16]: creating directory server instance
  [3/16]: adding default schema
  [4/16]: enabling memberof plugin
  [5/16]: enabling referential integrity plugin
  [6/16]: enabling distributed numeric assignment plugin
  [7/16]: configuring uniqueness plugin
  [8/16]: creating indices
  [9/16]: configuring ssl for ds instance
  [10/16]: configuring certmap.conf
  [11/16]: restarting directory server
  [12/16]: adding default layout
  [13/16]: configuring Posix uid/gid generation as first master
  [14/16]: adding master entry as first master
  [15/16]: initializing group membership
  [16/16]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC
  [1/13]: setting KDC account password
  [2/13]: adding sasl mappings to the directory
root : CRITICAL failed to add Full Principal Sasl mapping
Unexpected error - see ipaserver-install.log for details:
local variable 'e' referenced before assignment

From the install-log:

2008-06-26 00:39:35,106 DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/ldappwd'
2008-06-26 00:39:35,128 DEBUG -> Not backing up - '/var/kerberos/krb5kdc/ldappwd' doesn't exist
2008-06-26 00:39:35,144 DEBUG [2/13]: adding sasl mappings to the directory
2008-06-26 00:39:35,240 CRITICAL failed to add Full Principal Sasl mapping
2008-06-26 00:39:35,245 DEBUG local variable 'e' referenced before assignment
  File "/usr/sbin/ipa-server-install", line 572, in
    sys.exit(main())
  File "/usr/sbin/ipa-server-install", line 495, in main
    krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
  File "/usr/lib/python2.5/site-packages/ipaserver/krbinstance.py", line 147, in create_instance
    self.start_creation("Configuring Kerberos KDC")
  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
    method()
  File "/usr/lib/python2.5/site-packages/ipaserver/krbinstance.py", line 267, in __configure_sasl_mappings
    raise e

Any ideas ?

-jf

From nalin at redhat.com Thu Jun 26 14:28:35 2008
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 26 Jun 2008 10:28:35 -0400
Subject: [Freeipa-devel] Capturing passwords for migration at bind-time?
Message-ID: <20080626142835.GA11875@redhat.com>

During the Q&A session after Simo's talk at the Red Hat Summit last week, someone in the audience asked about migration from existing directory server instances to IPA. One of the sticking points is that these newly-migrated directory entries for users usually contain a previously-hashed version of the user's password (usually a Unix-style crypt(3) password), and this value is not usable as the user's long-term key for Kerberos.
The person in the audience mentioned the pam_krb5_migrate module which can be deployed to a client system. IIRC, the module waits for users to attempt to log in with a password, and if the login attempt succeeds, it uses credentials which are present on a client machine to connect to a realm's kadmind service, create an entry in the realm database corresponding to the user, and to set the key for that entry using the user's password. The idea of storing credentials sufficient to do that sort of thing on any client system kind of scares me, so I'm not suggesting that we should use that approach. Currently we hook into the password change extended operation and provide a kpasswd service to ensure that Kerberos keys (and other hashes which are based on the user's password) are generated whenever a user changes her password. Would it be useful to also intercept the password used when a simple or SASL/PLAIN bind requests succeed, and take the opportunity to generate the hashes so that we can avoid forcing password changes? Nalin From jdennis at redhat.com Thu Jun 26 15:14:38 2008 From: jdennis at redhat.com (John Dennis) Date: Thu, 26 Jun 2008 11:14:38 -0400 Subject: [Freeipa-devel] Capturing passwords for migration at bind-time? In-Reply-To: <20080626142835.GA11875@redhat.com> References: <20080626142835.GA11875@redhat.com> Message-ID: <4863B25E.9080807@redhat.com> Nalin Dahyabhai wrote: > Would it be useful to also intercept the password used when a simple or > SASL/PLAIN bind requests succeed, and take the opportunity to generate > the hashes so that we can avoid forcing password changes? > How do you plan to intercept the plain text password in IPA? We aren't in control of the services a user is likely to issue a SASL/PLAIN bind to are we? -- John Dennis From dpal at redhat.com Thu Jun 26 15:15:26 2008 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 26 Jun 2008 11:15:26 -0400 Subject: [Freeipa-devel] Capturing passwords for migration at bind-time? 
In-Reply-To: <20080626142835.GA11875@redhat.com> References: <20080626142835.GA11875@redhat.com> Message-ID: <4863B28E.9080302@redhat.com> > Currently we hook into the password change extended operation and > provide a kpasswd service to ensure that Kerberos keys (and other hashes > which are based on the user's password) are generated whenever a user > changes her password. > > Would it be useful to also intercept the password used when a simple or > SASL/PLAIN bind requests succeed, and take the opportunity to generate > the hashes so that we can avoid forcing password changes? > > Simple bind will reveal the password in clear. I do not think we want to do this for the same reasons we do not want to store them on the client machine. It will force us to use SSL. It is currently turned off for performance reasons. SASL will not give us the password in clear on the server side so we won't be able to generate the hashes. Am I missing something? Dmitri From ssorce at redhat.com Thu Jun 26 15:51:31 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Jun 2008 11:51:31 -0400 Subject: [Freeipa-devel] Capturing passwords for migration at bind-time? In-Reply-To: <4863B25E.9080807@redhat.com> References: <20080626142835.GA11875@redhat.com> <4863B25E.9080807@redhat.com> Message-ID: <1214495491.3822.192.camel@localhost.localdomain> On Thu, 2008-06-26 at 11:14 -0400, John Dennis wrote: > Nalin Dahyabhai wrote: > > Would it be useful to also intercept the password used when a simple or > > SASL/PLAIN bind requests succeed, and take the opportunity to generate > > the hashes so that we can avoid forcing password changes? > > > How do you plan to intercept the plain text password in IPA? We aren't > in control of the services a user is likely to issue a SASL/PLAIN bind > to are we? We control the LDAP server, that's the only SASL/PLAIN bind we care about. Simo. 
--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jun 26 15:56:15 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 26 Jun 2008 11:56:15 -0400
Subject: [Freeipa-devel] Capturing passwords for migration at bind-time?
In-Reply-To: <4863B28E.9080302@redhat.com>
References: <20080626142835.GA11875@redhat.com> <4863B28E.9080302@redhat.com>
Message-ID: <1214495775.3822.198.camel@localhost.localdomain>

On Thu, 2008-06-26 at 11:15 -0400, Dmitri Pal wrote:
> > Currently we hook into the password change extended operation and provide a kpasswd service to ensure that Kerberos keys (and other hashes which are based on the user's password) are generated whenever a user changes her password.
> >
> > Would it be useful to also intercept the password used when a simple or SASL/PLAIN bind requests succeed, and take the opportunity to generate the hashes so that we can avoid forcing password changes?
> >
> Simple bind will reveal the password in clear. I do not think we want to do this for the same reasons we do not want to store them on the client machine.

I don't see why we should store them.

> It will force us to use SSL. It is currently turned off for performance reasons.

SSL is configured in DS, we use it for replication, we do not use it in the default nss_ldap configuration, but nothing prevents us from using SSL for an eventual special bind done explicitly as a way to perform a password-change-on-good-auth operation.
We would need a special pam module to do that though.

> SASL will not give us the password in clear on the server side so we won't be able to generate the hashes.

A plain text bind gives us (and I mean DS) the password in the clear, so all we need is a bind plugin that intercepts it, checks that the account is in "upgrade" mode, performs a password change operation to generate all the hashes, and puts the user account in "upgraded" mode (eventually turning off plain text auth at the same time).

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Thu Jun 26 16:00:25 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 26 Jun 2008 12:00:25 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <20080625224957.GA10064@lc4eb5760521341.ibm.com>
References: <20080625224957.GA10064@lc4eb5760521341.ibm.com>
Message-ID: <1214496025.3822.201.camel@localhost.localdomain>

On Thu, 2008-06-26 at 00:49 +0200, Jan-Frode Myklebust wrote:
> I've been struggling a bit with installing ipa v.1.1 on a ppc system. First I guess I got most right, but failed to set/change passwords. So I uninstalled v.1.1.0-2 and installed v1.1.0-3.fc9 now. This fails in new and exciting ways :-)

Did you perform an ipa-server-install --uninstall before re-installing ?
It seems like the install failed because an entry we add was actually already added.

Why didn't you just upgrade the packages and use 'ipactl restart' to restart services ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jdennis at redhat.com Thu Jun 26 16:00:28 2008
From: jdennis at redhat.com (John Dennis)
Date: Thu, 26 Jun 2008 12:00:28 -0400
Subject: [Freeipa-devel] Capturing passwords for migration at bind-time?
In-Reply-To: <1214495491.3822.192.camel@localhost.localdomain>
References: <20080626142835.GA11875@redhat.com> <4863B25E.9080807@redhat.com> <1214495491.3822.192.camel@localhost.localdomain>
Message-ID: <4863BD1C.2040601@redhat.com>

Simo Sorce wrote:
> On Thu, 2008-06-26 at 11:14 -0400, John Dennis wrote:
>
>> Nalin Dahyabhai wrote:
>>
>>> Would it be useful to also intercept the password used when a simple or SASL/PLAIN bind requests succeed, and take the opportunity to generate the hashes so that we can avoid forcing password changes?
>>>
>>>
>> How do you plan to intercept the plain text password in IPA? We aren't in control of the services a user is likely to issue a SASL/PLAIN bind to are we?
>> > > We control the LDAP server, that's the only SASL/PLAIN bind we care > about. > > Right, but when and in what context are users doing a plain bind to our LDAP server? Wouldn't this be very atypical? -- John Dennis -------------- next part -------------- An HTML attachment was scrubbed... URL: From ssorce at redhat.com Thu Jun 26 16:01:40 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Jun 2008 12:01:40 -0400 Subject: [Freeipa-devel] [PATCH] Fix some small issues that caused compiler warnings in C code In-Reply-To: <486376F9.7040803@redhat.com> References: <486376F9.7040803@redhat.com> Message-ID: <1214496100.3822.203.camel@localhost.localdomain> On Thu, 2008-06-26 at 13:01 +0200, Martin Nagy wrote: > This patch will fix some warnings produced by gcc. Unfortunately, there > is still one warning and that one won't go away so easily.. Ack -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Thu Jun 26 16:08:40 2008 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 26 Jun 2008 12:08:40 -0400 Subject: [Freeipa-devel] Capturing passwords for migration at bind-time? In-Reply-To: <4863BD1C.2040601@redhat.com> References: <20080626142835.GA11875@redhat.com> <4863B25E.9080807@redhat.com> <1214495491.3822.192.camel@localhost.localdomain> <4863BD1C.2040601@redhat.com> Message-ID: <1214496520.3822.209.camel@localhost.localdomain> On Thu, 2008-06-26 at 12:00 -0400, John Dennis wrote: > Simo Sorce wrote: > > On Thu, 2008-06-26 at 11:14 -0400, John Dennis wrote: > > > > > Nalin Dahyabhai wrote: > > > > > > > Would it be useful to also intercept the password used when a simple or > > > > SASL/PLAIN bind requests succeed, and take the opportunity to generate > > > > the hashes so that we can avoid forcing password changes? > > > > > > > > > > > How do you plan to intercept the plain text password in IPA? We aren't > > > in control of the services a user is likely to issue a SASL/PLAIN bind > > > to are we? 
> > >
> >
> > We control the LDAP server, that's the only SASL/PLAIN bind we care about.
> >
> >
> Right, but when and in what context are users doing a plain bind to our LDAP server? Wouldn't this be very atypical?

This is a migration scenario, I see at least 2 ways:

a) some frontend (web?) app is built to proxy the user password to ldap by performing a bind.

b) we provide a pam module smart enough to check the user status against ldap if pam_krb5 fails, and if it finds the user is in "upgrade" mode, perform an (SSL protected) simple bind against the ldap server.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu Jun 26 16:15:39 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 26 Jun 2008 12:15:39 -0400
Subject: [Freeipa-devel] Capturing passwords for migration at bind-time?
In-Reply-To: <1214495775.3822.198.camel@localhost.localdomain>
References: <20080626142835.GA11875@redhat.com> <4863B28E.9080302@redhat.com> <1214495775.3822.198.camel@localhost.localdomain>
Message-ID: <4863C0AB.2060307@redhat.com>

>>> Would it be useful to also intercept the password used when a simple or SASL/PLAIN bind requests succeed, and take the opportunity to generate the hashes so that we can avoid forcing password changes?
>>>
>>>
>>>
>> Simple bind will reveal the password in clear. I do not think we want to do this for the same reasons we do not want to store them on the client machine.
>>
>
> I don't see why we should store them.
>
>
I did not say we should store them. I said we do not want to use simple bind.

>> It will force us to use SSL. It is currently turned off for performance reasons.
>>
>
> SSL is configured in DS, we use it for replication, we do not use it in the default nss_ldap configuration, but nothing prevents us from using SSL for an eventual special bind done explicitly as a way to perform a password-change-on-good-auth operation.
> We would need a special pam module to do that though.
>
>
Yes I agree.
But we will have to provision a certificate for this. We plan to provision certs for other things, so I agree it is not a very big deal, just acknowledging that it is yet more complexity.
Can it be done in the PAM module we are planning to build or does it have to be a separate one? Does not seem to make sense to have a separate one.

>> SASL will not give us the password in clear on the server side so we won't be able to generate the hashes.
>>
>
> A plain text bind gives us (and I mean DS) the password in the clear, so all we need is a bind plugin that intercepts it, checks that the account is in "upgrade" mode, performs a password change operation to generate all the hashes, and puts the user account in "upgraded" mode (eventually turning off plain text auth at the same time).
>
> Simo.
>
>
Yes. But for the bind to be successful some credential should be stored in the IPA's back end. It is the one that came from the previous DS in the form of a UNIX hash of the password, right? We should delete it after we "upgrade". I think the presence of the hash and absence of Kerberos hashes indicates that the account needs upgrade.

Dmitri

From dpal at redhat.com Thu Jun 26 16:19:20 2008
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 26 Jun 2008 12:19:20 -0400
Subject: [Freeipa-devel] Capturing passwords for migration at bind-time?
In-Reply-To: <1214496520.3822.209.camel@localhost.localdomain>
References: <20080626142835.GA11875@redhat.com> <4863B25E.9080807@redhat.com> <1214495491.3822.192.camel@localhost.localdomain> <4863BD1C.2040601@redhat.com> <1214496520.3822.209.camel@localhost.localdomain>
Message-ID: <4863C188.2040804@redhat.com>

> This is a migration scenario, I see at least 2 ways:
>
> a) some frontend (web?) app is built to proxy the user password to ldap by performing a bind.
>
>
This approach does not really work in real deployments since it is not seamless for the end user.
> b) we provide a pam module smart enough to check the user status against > ldap if pam_kerb5 fails, and if it finds the user is in "upgrade" mode, > perform an (SSL protected) simple bind against the ldap server. > > Simo. > > This approach is better since user does not need to do anything. -- Dmitri Pal Engineering Manager Red Hat Inc. From janfrode at tanso.net.redhat.com Thu Jun 26 17:32:44 2008 From: janfrode at tanso.net.redhat.com (Jan-Frode Myklebust) Date: Thu, 26 Jun 2008 19:32:44 +0200 Subject: [Freeipa-devel] setting passwords stopped working In-Reply-To: <1214496025.3822.201.camel@localhost.localdomain> References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> Message-ID: <20080626173244.GA10557@lc4eb5760521341.ibm.com> On Thu, Jun 26, 2008 at 12:00:25PM -0400, Simo Sorce wrote: > > Did you perform an ipa-server-install --uninstall before re-installing ? Ooops, no I didn't. But I tried uninstalling, and manually deleting all data files. I tried --uninstall now, but get the same error: # ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue with the uninstall procedure?:[NO/yes] yes # ipa-server-install -N The following operations may take some minutes to complete. Please wait until the prompt is returned. 
Configuring directory server: [1/16]: creating directory server user [2/16]: creating directory server instance [3/16]: adding default schema [4/16]: enabling memberof plugin [5/16]: enabling referential integrity plugin [6/16]: enabling distributed numeric assignment plugin [7/16]: configuring uniqueness plugin [8/16]: creating indices [9/16]: configuring ssl for ds instance [10/16]: configuring certmap.conf [11/16]: restarting directory server [12/16]: adding default layout [13/16]: configuring Posix uid/gid generation as first master [14/16]: adding master entry as first master [15/16]: initializing group membership [16/16]: configuring directory to start on boot done configuring dirsrv. root : CRITICAL Could not connect to the Directory Server on minimac.tanso.net Unexpected error - see ipaserver-install.log for details: {'desc': 'Invalid credentials'} # ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue with the uninstall procedure?:[NO/yes] yes And again using what I believe to be a previous version of the password I used for admin and Directory Manager: # ipa-server-install --no-ntp [5/16]: enabling referential integrity plugin [6/16]: enabling distributed numeric assignment plugin [7/16]: configuring uniqueness plugin [8/16]: creating indices [9/16]: configuring ssl for ds instance [10/16]: configuring certmap.conf [11/16]: restarting directory server [12/16]: adding default layout [13/16]: configuring Posix uid/gid generation as first master [14/16]: adding master entry as first master [15/16]: initializing group membership [16/16]: configuring directory to start on boot done configuring dirsrv. 
Configuring Kerberos KDC
  [1/13]: setting KDC account password
  [2/13]: adding sasl mappings to the directory
root : CRITICAL failed to add Full Principal Sasl mapping
Unexpected error - see ipaserver-install.log for details:
local variable 'e' referenced before assignment

And from the ipaserver-install.log:

2008-06-26 19:18:58,059 INFO krb5kdc is stopped
2008-06-26 19:18:58,060 INFO
2008-06-26 19:18:58,061 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2008-06-26 19:18:58,183 INFO Stopping Kerberos 5 KDC: [FAILED]
2008-06-26 19:18:58,184 INFO
2008-06-26 19:18:58,184 DEBUG Configuring Kerberos KDC
2008-06-26 19:18:58,186 DEBUG   [1/13]: setting KDC account password
2008-06-26 19:18:58,186 DEBUG Backing up system configuration file '/var/kerberos/krb5kdc/ldappwd'
2008-06-26 19:18:58,189 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2008-06-26 19:18:58,190 DEBUG   [2/13]: adding sasl mappings to the directory
2008-06-26 19:18:58,286 CRITICAL failed to add Full Principal Sasl mapping
2008-06-26 19:18:58,291 DEBUG local variable 'e' referenced before assignment
  File "/usr/sbin/ipa-server-install", line 572, in
    sys.exit(main())
  File "/usr/sbin/ipa-server-install", line 495, in main
    krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
  File "/usr/lib/python2.5/site-packages/ipaserver/krbinstance.py", line 147, in create_instance
    self.start_creation("Configuring Kerberos KDC")
  File "/usr/lib/python2.5/site-packages/ipaserver/service.py", line 139, in start_creation
    method()
  File "/usr/lib/python2.5/site-packages/ipaserver/krbinstance.py", line 267, in __configure_sasl_mappings
    raise e

So, what am I, and "ipa-server-install --uninstall" missing ?

> Why didn't you just upgrade the packages and use 'ipactl restart' to
> restart services ?

Because I suspected it was a user error that the v1.1.0-2 installation wasn't working..
The installation I did was a fresh Fedora9 + "yum install ipa-server", and it was quite unexpected that it hadn't been properly tested before the v1.1 release.

-jf

From ssorce at redhat.com Thu Jun 26 19:04:05 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 26 Jun 2008 15:04:05 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <20080626173244.GA10557@lc4eb5760521341.ibm.com>
References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com>
Message-ID: <1214507045.3822.234.camel@localhost.localdomain>

On Thu, 2008-06-26 at 19:32 +0200, Jan-Frode Myklebust wrote:
>
> Because I suspected it was a user error that the v1.1.0-2 installation
> wasn't working.. The installation I did was a fresh Fedora9 + "yum
> install ipa-server", and it was quite unexpected that it hadn't been
> properly tested before the v1.1 release.

This step should not fail on a clean machine, and this problem never showed up in our tests, I will try to repro tomorrow.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From janfrode at tanso.net Thu Jun 26 20:31:06 2008
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 26 Jun 2008 22:31:06 +0200
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <20080626173244.GA10557@lc4eb5760521341.ibm.com>
References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com>
Message-ID: <20080626203106.GA23957@lc4eb5760521341.ibm.com>

I just did a new install of Fedora9 + ipa-server-1.1.0-3.fc9.ppc, and successfully got through the "ipa-server-install" now.

And now I get into another issue I also saw the last time I did a fresh Fedora9+IPA.
Firefox3 refuses to let me access the gui, complaining about:

sec_error_reused_issuer_and_serial

Last time I had this problem, I wasn't able to get around it on the firefox side, so I re-ran ipa-server-install, and got a valid certificate on the second run. But this didn't work now that I used "ipa-server-install --uninstall" to uninstall it.

So, anybody have a workaround for this problem ?

I'm also seeing a few selinux denials (but changed to permissive mode to allow them):

type=1400 audit(1214511568.498:10): avc: denied { create } for pid=4364 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
type=1404 audit(1214511588.842:11): enforcing=0 old_enforcing=1 auid=0 ses=2
type=1400 audit(1214511598.891:12): avc: denied { create } for pid=4621 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file

And -- the directory server dies when I try my first kinit with password change:

$ kinit janfrode
Password for janfrode at TANSO.NET:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting initial credentials

But I can't find any other errors from the directory server dying than:

Jun 26 22:23:48 minimac kpasswd[4911]: ldap_result() failed. (-1)
Jun 26 22:23:48 minimac kpasswd[4911]: Server Error while performing LDAP password change

And this is with openldap, not mozldap:

# ldd /usr/sbin/ipa_kpasswd
linux-vdso32.so.1 => (0x00100000)
libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0ff94000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0fed0000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0fe86000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x0fe62000)
libc.so.6 => /lib/libc.so.6 (0x0fcae000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x0fc7c000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0fc39000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0fbfa000)
libssl.so.7 => /lib/libssl.so.7 (0x0fb96000)
libcrypto.so.7 => /lib/libcrypto.so.7 (0x0f9f7000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0f9cd000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0f9aa000)
/lib/ld.so.1 (0x48000000)
libdl.so.2 => /lib/libdl.so.2 (0x0f979000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x0f921000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0f8ce000)
libz.so.1 => /lib/libz.so.1 (0x0f899000)
libselinux.so.1 => /lib/libselinux.so.1 (0x0f848000)

-jf

From ssorce at redhat.com Thu Jun 26 20:38:33 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 26 Jun 2008 16:38:33 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <20080626203106.GA23957@lc4eb5760521341.ibm.com>
References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com> <20080626203106.GA23957@lc4eb5760521341.ibm.com>
Message-ID: <1214512713.3822.242.camel@localhost.localdomain>

On Thu, 2008-06-26 at 22:31 +0200, Jan-Frode Myklebust wrote:
> I just did a new install of Fedora9 + ipa-server-1.1.0-3.fc9.ppc, and
> successfully got through the "ipa-server-install" now.
>
> And now I get into another issue I also saw the last time I did a fresh
> Fedora9+IPA.
> Firefox3 refuses to let me access the gui, complaining
> about:
>
> sec_error_reused_issuer_and_serial

This makes me think you imported/acknowledged a previous SSL certificate by the same name and FF refuses to use another one that conflicts. Purge the SSL cert from firefox and retry.

> Last time I had this problem, I wasn't able to get around it on the
> firefox side, so I re-ran ipa-server-install, and got a valid certificate
> on the second run. But this didn't work now that I used
> "ipa-server-install --uninstall" to uninstall it.
>
> So, anybody have a workaround for this problem ?

Avoid reinstalling everything from scratch, for minor problems, let's try to see what's wrong and fix it instead :)

> I'm also seeing a few selinux denials (but changed to permissive mode to
> allow them):
>
> type=1400 audit(1214511568.498:10): avc: denied { create } for pid=4364 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
> type=1404 audit(1214511588.842:11): enforcing=0 old_enforcing=1 auid=0 ses=2
> type=1400 audit(1214511598.891:12): avc: denied { create } for pid=4621 comm="krb5kdc" name="krb5kdc.log" scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_log_t:s0 tclass=file
>
> And -- the directory server dies when I try my first kinit with password change:
>
> $ kinit janfrode
> Password for janfrode at TANSO.NET:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials
>
> But I can't find any other errors from the directory server dying than:
>
> Jun 26 22:23:48 minimac kpasswd[4911]: ldap_result() failed. (-1)
> Jun 26 22:23:48 minimac kpasswd[4911]: Server Error while performing LDAP password change
>
> And this is with openldap, not mozldap:
>
> # ldd /usr/sbin/ipa_kpasswd
> linux-vdso32.so.1 => (0x00100000)
> libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0ff94000)
> libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0fed0000)
> libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0fe86000)
> libcom_err.so.2 => /lib/libcom_err.so.2 (0x0fe62000)
> libc.so.6 => /lib/libc.so.6 (0x0fcae000)
> liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x0fc7c000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x0fc39000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0fbfa000)
> libssl.so.7 => /lib/libssl.so.7 (0x0fb96000)
> libcrypto.so.7 => /lib/libcrypto.so.7 (0x0f9f7000)
> libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x0f9cd000)
> libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0f9aa000)
> /lib/ld.so.1 (0x48000000)
> libdl.so.2 => /lib/libdl.so.2 (0x0f979000)
> libcrypt.so.1 => /lib/libcrypt.so.1 (0x0f921000)
> libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x0f8ce000)
> libz.so.1 => /lib/libz.so.1 (0x0f899000)
> libselinux.so.1 => /lib/libselinux.so.1 (0x0f848000)

Will try to repro, a stack trace would be extremely useful tho.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From janfrode at tanso.net Thu Jun 26 20:51:22 2008
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Thu, 26 Jun 2008 22:51:22 +0200
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <1214512713.3822.242.camel@localhost.localdomain>
References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com> <20080626203106.GA23957@lc4eb5760521341.ibm.com> <1214512713.3822.242.camel@localhost.localdomain>
Message-ID: <20080626205122.GA24165@lc4eb5760521341.ibm.com>

On Thu, Jun 26, 2008 at 04:38:33PM -0400, Simo Sorce wrote:
> >
> > sec_error_reused_issuer_and_serial
>
> This makes me think you imported/acknowledged a previous SSL certificate
> by the same name and FF refuses to use another one that conflicts.
> Purge the SSL cert from firefox and retry.

Yes, thanks, finally found it. It was quite well hidden..

> Avoid reinstalling everything from scratch, for minor problems, let's
> try to see what's wrong and fix it instead :)

This is a test server dedicated to testing free-ipa, so it's no big effort to reinstall when I suspect I've messed up something I don't completely understand.

>
> Will try to repro, a stack trace would be extremely useful tho.
>

Any pointers to how I can generate this ?

-jf

From mbooth at redhat.com Thu Jun 26 22:06:00 2008
From: mbooth at redhat.com (Matthew Booth)
Date: Thu, 26 Jun 2008 23:06:00 +0100
Subject: [Freeipa-devel] Maintaining Identity in a large cluster
Message-ID: <486412C8.2030104@redhat.com>

Hi,

I was recently asked to look into the problem of auditing user activity on a large cluster. There are a number of issues, but the one I'm highlighting here is the problem of maintaining who a real user is in a large cluster.

If you talk to a cluster designer, their cluster is *a* machine. It is not a collection of machines, but a single entity.
Security is important, but it is provided only at the boundary. Separate components of the machine (anybody else might call them servers) would have no more business authenticating each other than a CPU core would have authenticating another core. If I need to become root on an 8-core box, I wouldn't expect to enter my password 8 times. Now imagine there are hundreds of 'cores'.

A key administration tool of any cluster is a distributed shell. There are many implementations, but usage always boils down to something like:

# clustersh node[1-512] rpm -Uvh /clusterfs/newpkg.rpm

Key points to note:
* The user is root
* The user expects the command to run as root on nodes 1-512.

From a security standpoint this is fine. The cluster trusts its network because it's entirely separate from any other network (it's just a bus in our big machine, right?). The user had to log on to the cluster in the first place with their own credentials, so access control is maintained.

The problem comes when you introduce auditing. Under other circumstances, 'best practise' would be to insist that a user log on as themselves, then escalate their privileges to root via an approved method. The audit system can tag them as they log in, and all subsequent actions can be made accountable. This doesn't work on a big cluster because the system administrator can't be expected to enter their password 512 times.

The solution is typically ssh keys shared across the cluster. The effect of this is that anyone who can perform an identity change on any machine can become anonymous on the cluster just by logging on to another node after the identity change. In practice, most/all users will be able to perform an identity change. If they are administrators this will be to root. If they are users, this will be to a processing user.

The problem extends beyond just cluster shell operations. For example, MPI jobs will typically be initiated on 1 node but executed on many. Again, it cannot be expected to require an authenticated privilege escalation for each target node.

The challenge is to maintain the identity of a real user across the cluster without compromising the 'single machine' model of the cluster. I'm not convinced this can be done today.

It occurred to me that kerberos might be useful in this space if sshd can be coerced into:

1. Allowing principal mbooth/root to log in directly as root.
2. Setting the audit context to mbooth.

Has this problem been given any thought to date?

Matt

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

From janfrode at tanso.net Thu Jun 26 22:29:05 2008
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 27 Jun 2008 00:29:05 +0200
Subject: [Freeipa-devel] Maintaining Identity in a large cluster
In-Reply-To: <486412C8.2030104@redhat.com>
References: <486412C8.2030104@redhat.com>
Message-ID: <20080626222905.GA24905@lc4eb5760521341.ibm.com>

On Thu, Jun 26, 2008 at 11:06:00PM +0100, Matthew Booth wrote:
>
> If you talk to a cluster designer, their cluster is *a* machine.

Former cluster sysadmin here. And yes, I agree, a cluster is a machine.

> Under other circumstances, 'best practise' would be to insist that a
> user log on as themselves, then escalate their privileges to root via an
> approved method. The audit system can tag them as they log in, and all
> subsequent actions can be made accountable. This doesn't work on a big
> cluster because the system administrator can't be expected to enter
> their password 512 times.

An option would maybe be to do all root-tasks through sudo. And use the NOPASSWD:-option in the sudoers config. Establish a policy that one should never log in as root, and always use sudo.
%sysadmin ALL=(ALL) NOPASSWD: ALL

Or to encourage your sysadmins to not cheat:

Cmnd_Alias SHELLS = /bin/ash, /bin/ksh, /bin/bash, /bin/sh, /bin/bsh, /bin/tcsh, /usr/sbin/sesh, /bin/csh, /sbin/nash
Cmnd_Alias TERMINALS = /usr/bin/gnome-terminal, /usr/bin/konsole, /usr/bin/xterm, /usr/bin/uxterm
Cmnd_Alias SU = /bin/su
%sysadmin ALL = (ALL) NOPASSWD: ALL, !SU, !SHELLS, !TERMINALS

> The solution is typically ssh keys shared across the cluster. The effect
> of this is that anyone who can perform an identity change on any machine
> can become anonymous on the cluster just by logging on to another node
> after the identity change.

Don't allow identity changes.

> In practice, most/all users will be able to
> perform an identity change. If they are administrators this will be to
> root. If they are users, this will be to a processing user.

I don't see why users should need to change to a processing user. Why can't they run as their login user ?

> The problem extends beyond just cluster shell operations. For example,
> MPI jobs will typically be initiated on 1 node but executed on many.
> Again, it cannot be expected to require an authenticated privilege
> escalation for each target node.

MPI jobs normally don't need escalated privileges to run.

-jf

From mbooth at redhat.com Thu Jun 26 22:42:49 2008
From: mbooth at redhat.com (Matthew Booth)
Date: Thu, 26 Jun 2008 23:42:49 +0100
Subject: [Freeipa-devel] Maintaining Identity in a large cluster
In-Reply-To: <4864193E.7020404@redhat.com>
References: <486412C8.2030104@redhat.com> <4864193E.7020404@redhat.com>
Message-ID: <48641B69.3030507@redhat.com>

Dmitri Pal wrote:
> If I use kerberised SSH I will log into one node with real user ID, then
> escalate to root.
> Now I have both user ticket and root ticket. So to log into the rest of
> the nodes I can just do the ssh as root and for the rest it would be
> just kerberos SSO.
> Every node has to be a principal in the KDC.
> But there will be an audit trail of this SSO on the KDC. Will that be a
> solution?

I'm not entirely sure I follow the kerberos scenario there. But even assuming it works, this wouldn't be a terribly good solution. On a single machine I can set the audit system to log whenever an auditable event happens, and tell me who did it. When you move this into a cluster, you lose this context. While the information might theoretically still be there, you are throwing away one of the most useful features of the audit system. You are also making automated processing of the audit logs substantially harder and more error-prone.

Matt

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

From mbooth at redhat.com Thu Jun 26 23:03:07 2008
From: mbooth at redhat.com (Matthew Booth)
Date: Fri, 27 Jun 2008 00:03:07 +0100
Subject: [Freeipa-devel] Maintaining Identity in a large cluster
In-Reply-To: <20080626222905.GA24905@lc4eb5760521341.ibm.com>
References: <486412C8.2030104@redhat.com> <20080626222905.GA24905@lc4eb5760521341.ibm.com>
Message-ID: <4864202B.9090705@redhat.com>

Jan-Frode Myklebust wrote:
> An option would maybe be to do all root-tasks through sudo. And use the
> NOPASSWD:-option in the sudoers config. Establish a policy that one
> should never log in as root, and always use sudo.
>
> %sysadmin ALL=(ALL) NOPASSWD: ALL
>
> Or to encourage your sysadmins to not cheat:
>
> Cmnd_Alias SHELLS = /bin/ash, /bin/ksh, /bin/bash, /bin/sh, /bin/bsh, /bin/tcsh, /usr/sbin/sesh, /bin/csh, /sbin/nash
> Cmnd_Alias TERMINALS = /usr/bin/gnome-terminal, /usr/bin/konsole, /usr/bin/xterm, /usr/bin/uxterm
> Cmnd_Alias SU = /bin/su
> %sysadmin ALL = (ALL) NOPASSWD: ALL, !SU, !SHELLS, !TERMINALS
>

This would effectively amount to denying an unfettered root shell to the system administrators. I wouldn't want to do this on any machine I administered, so I can see it not being accepted (and therefore circumvented). For example, descending a directory structure for which my user account has no privilege suddenly breaks tab completion. Not to mention the additional finger ache from prefixing every individual command with sudo.

I'm really looking to improve accountability without breaking features. Auditing is pretty low on a cluster administrator's priority list, as I'm sure you're aware ;) I wouldn't want to rely on selling a solution which will make their jobs miserable.
>> The solution is typically ssh keys shared across the cluster. The effect
>> of this is that anyone who can perform an identity change on any machine
>> can become anonymous on the cluster just by logging on to another node
>> after the identity change.
>
> Don't allow identity changes.

See above for discussion of root, below for discussion of processing users.

>> In practice, most/all users will be able to
>> perform an identity change. If they are administrators this will be to
>> root. If they are users, this will be to a processing user.
>
> I don't see why users should need to change to a processing user. Why
> can't they run as their login user ?

A job might run for 2 months, and there's a team of people who might start it, poke it or kill it. It might also be started automatically (another interesting case in itself). Going back to the single machine analogy, imagine:

* Running a daemon as jbloggs and relying on group permissions.
* Running database backups as jbloggs from cron, and relying on group permissions.

You just wouldn't do that.

Matt

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

From janfrode at tanso.net Fri Jun 27 09:46:53 2008
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 27 Jun 2008 11:46:53 +0200
Subject: [Freeipa-devel] Maintaining Identity in a large cluster
In-Reply-To: <4864202B.9090705@redhat.com>
References: <486412C8.2030104@redhat.com> <20080626222905.GA24905@lc4eb5760521341.ibm.com> <4864202B.9090705@redhat.com>
Message-ID: <20080627094653.GA29576@lc4eb5760521341.ibm.com>

On Fri, Jun 27, 2008 at 12:03:07AM +0100, Matthew Booth wrote:
>
> For example, descending a directory structure for which
> my user account has no privilege suddenly breaks tab completion. Not to
> mention the additional finger ache from prefixing every individual
> command with sudo.
How else will you get an audit trail for who descended a user's directory structure, and read that user's research results ? Overriding filesystem permissions shouldn't be default-allow for sysadmins. Prefixing by sudo lets them know they're now in secure-mode, and that they should be extra careful not to leak anything about the files they're seeing.

BTW: it seems it's possible to enable tab-completion for sudo, but I haven't used it myself.

> >I don't see why users should need to change to a processing user. Why
> >can't they run as their login user ?
>
> A job might run for 2 months, and there's a team of people who might
> start it, poke it or kill it.

We had lots of these. I know some users shared their accounts, but it was frowned upon. And we always tried to help them set up their jobs so that they could run the same jobs as their personal users. Letting a group of users poke/kill each other's jobs should probably be a feature of the batch system.

> It might also be started automatically
> (another interesting case in itself). Going back to the single machine
> analogy, imagine:
>
> * Running a daemon as jbloggs and relying on group permissions.
> * Running database backups as jbloggs from cron, and relying on group
> permissions.
>
> You just wouldn't do that.

I'm not relying on group permissions much, but database backups typically run as the system-user owning/running the database for Oracle backups.. but unfortunately we have a few mysql backups that run as root. There's really no good reason why these dumps aren't run as 'mysql'.
-jf

From ssorce at redhat.com Fri Jun 27 12:55:31 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Jun 2008 08:55:31 -0400
Subject: [Freeipa-devel] Maintaining Identity in a large cluster
In-Reply-To: <4864202B.9090705@redhat.com>
References: <486412C8.2030104@redhat.com> <20080626222905.GA24905@lc4eb5760521341.ibm.com> <4864202B.9090705@redhat.com>
Message-ID: <1214571331.3822.259.camel@localhost.localdomain>

On Fri, 2008-06-27 at 00:03 +0100, Matthew Booth wrote:
> Jan-Frode Myklebust wrote:
> > An option would maybe be to do all root-tasks through sudo. And use the
> > NOPASSWD:-option in the sudoers config. Establish a policy that one
> > should never log in as root, and always use sudo.
> >
> > %sysadmin ALL=(ALL) NOPASSWD: ALL
> >
> > Or to encourage your sysadmins to not cheat:
> >
> > Cmnd_Alias SHELLS = /bin/ash, /bin/ksh, /bin/bash, /bin/sh, /bin/bsh, /bin/tcsh, /usr/sbin/sesh, /bin/csh, /sbin/nash
> > Cmnd_Alias TERMINALS = /usr/bin/gnome-terminal, /usr/bin/konsole, /usr/bin/xterm, /usr/bin/uxterm
> > Cmnd_Alias SU = /bin/su
> > %sysadmin ALL = (ALL) NOPASSWD: ALL, !SU, !SHELLS, !TERMINALS
> >
>
> This would effectively amount to denying an unfettered root shell to the
> system administrators. I wouldn't want to do this on any machine I
> administered, so I can see it not being accepted (and therefore
> circumvented). For example, descending a directory structure for which
> my user account has no privilege suddenly breaks tab completion. Not to
> mention the additional finger ache from prefixing every individual
> command with sudo.

You can even just allow su or sudo, the point is in using only user credentials to log in to other machines. With a distributed shell, the first command can then be: 'sudo su -'

This is fine, gives you access on all machines (but never directly as root) and you will see who and when became root.
Most tasks done as root in a cluster are anyway done because of laziness, not because root is actually needed; in many cases limiting most admins to a few sudo commands is the right approach security wise.

> I'm really looking to improve accountability without breaking features.

Giving root and ssh keys is certainly not the right way then. Especially ssh keys which cannot be centrally revoked and do not expire.

> Auditing is pretty low on a cluster administrator's priority list, as
> I'm sure you're aware ;) I wouldn't want to rely on selling a solution
> which will make their jobs miserable.

It really boils down to the usage pattern, but denying root login and allowing 'sudo su -' without password is imo better than giving everyone the root password or an ssh key that lets you log in as root.

> >> The solution is typically ssh keys shared across the cluster. The effect
> >> of this is that anyone who can perform an identity change on any machine
> >> can become anonymous on the cluster just by logging on to another node
> >> after the identity change.
> >
> > Don't allow identity changes.
>
> See above for discussion of root, below for discussion of processing users.

Yet, this is a sound security principle, identity changes should be minimized as much as possible.

> >> In practice, most/all users will be able to
> >> perform an identity change. If they are administrators this will be to
> >> root. If they are users, this will be to a processing user.
> >
> > I don't see why users should need to change to a processing user. Why
> > can't they run as their login user ?
>
> A job might run for 2 months, and there's a team of people who might
> start it, poke it or kill it. It might also be started automatically
> (another interesting case in itself). Going back to the single machine
> analogy, imagine:
>
> * Running a daemon as jbloggs and relying on group permissions.
> * Running database backups as jbloggs from cron, and relying on group
> permissions.
>
> You just wouldn't do that.

On a single machine it is very rare to share processes between groups. It is a computational-cluster-specific characteristic. You should really use batch tools that run the processes for you, enforce quotas and precedence, and keep audit trails of what happens to jobs, who requests a job to be killed, check if it is allowed and so on.

The real problem here is that you should firmly distinguish between an admin user doing cluster related maintenance tasks, and cluster users. An admin may have legitimate needs to do root level operations on all nodes. A user generally does not, and shouldn't even know how to jump on other nodes; they should be given access only to a front-end component to the cluster and a tool that provides the operations necessary to request cpu/disk/memory within the limits of the system and run processes, a batch system.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jun 27 15:42:21 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Jun 2008 11:42:21 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <5772614A-186E-4B2B-B87F-9B5E6EB3D3F2@cox.net>
References: <1214245166.3822.104.camel@localhost.localdomain> <1214255660.3822.113.camel@localhost.localdomain> <12A67C23-9896-490F-BE7A-139242E8C70D@cox.net> <1214400288.3822.126.camel@localhost.localdomain> <5772614A-186E-4B2B-B87F-9B5E6EB3D3F2@cox.net>
Message-ID: <1214581341.3822.277.camel@localhost.localdomain>

On Wed, 2008-06-25 at 21:34 -0500, Matt Flusche wrote:
> No problem; I've upgraded to 1.1.0-3.
>
> New problem; ns-slapd is crashing during password changes. Other
> ldap activity seems to work correctly.
>
> from /var/log/messages:
> Jun 25 21:18:14 ruff kernel: ns-slapd[1547]: segfault at 0 ip
> 392fc808f0 sp 41c16c58 error 4 in libc-2.8.so[392fc00000+162000]

I've reinstalled a new F9 virtual machine from scratch and can't reproduce this. What architecture are you on? I used x86_64.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Fri Jun 27 15:43:02 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Jun 2008 11:43:02 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <1214512713.3822.242.camel@localhost.localdomain>
References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com> <20080626203106.GA23957@lc4eb5760521341.ibm.com> <1214512713.3822.242.camel@localhost.localdomain>
Message-ID: <1214581382.3822.279.camel@localhost.localdomain>

On Thu, 2008-06-26 at 16:38 -0400, Simo Sorce wrote:
> Will try to repro, a stack trace would be extremely useful tho.

Can't repro :(

-- 
Simo Sorce * Red Hat, Inc * New York

From janfrode at tanso.net Fri Jun 27 16:31:02 2008
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 27 Jun 2008 18:31:02 +0200
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <1214581382.3822.279.camel@localhost.localdomain>
References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com> <20080626203106.GA23957@lc4eb5760521341.ibm.com> <1214512713.3822.242.camel@localhost.localdomain> <1214581382.3822.279.camel@localhost.localdomain>
Message-ID: <20080627163102.GA27899@lc4eb5760521341.ibm.com>

On Fri, Jun 27, 2008 at 11:43:02AM -0400, Simo Sorce wrote:
> On Thu, 2008-06-26 at 16:38 -0400, Simo Sorce wrote:
> > Will try to repro, a stack trace would be extremely useful tho.
>
> Can't repro :(

Help me with a pointer to how to get a stack trace, and I will try getting one ASAP. The directory server fails every time I try changing password.
-jf

From ssorce at redhat.com  Fri Jun 27 16:42:17 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Jun 2008 12:42:17 -0400
Subject: [Freeipa-devel] setting passwords stopped working
In-Reply-To: <20080627163102.GA27899@lc4eb5760521341.ibm.com>
References: <20080625224957.GA10064@lc4eb5760521341.ibm.com>
	<1214496025.3822.201.camel@localhost.localdomain>
	<20080626173244.GA10557@lc4eb5760521341.ibm.com>
	<20080626203106.GA23957@lc4eb5760521341.ibm.com>
	<1214512713.3822.242.camel@localhost.localdomain>
	<1214581382.3822.279.camel@localhost.localdomain>
	<20080627163102.GA27899@lc4eb5760521341.ibm.com>
Message-ID: <1214584937.3822.290.camel@localhost.localdomain>

On Fri, 2008-06-27 at 18:31 +0200, Jan-Frode Myklebust wrote:
> On Fri, Jun 27, 2008 at 11:43:02AM -0400, Simo Sorce wrote:
> > On Thu, 2008-06-26 at 16:38 -0400, Simo Sorce wrote:
> > > Will try to repro, a stack trace would be extremely useful tho.
> >
> > Can't repro :(
>
> Help me with a pointer to how to get a stack trace, and I will try
> getting one ASAP. The directory server fails every time I try changing
> password.

Provided you install the debuginfo packages for fedora-ds-base and
ipa-server (you can use debuginfo-install to find out which exactly),
then all that is needed is this:

start the dirsrv service

ps ax | grep ns-slapd
and find the pid

open a new shell and run:
gdb /usr/sbin/ns-slapd
(press c for continue)

do the password change in another shell

in the shell where gdb was used you should now see that a segfault was
caught, and running the command bt in the gdb shell will return the
stack trace (hopefully :-)

Let me know if something is not clear.

Simo.
-- Simo Sorce * Red Hat, Inc * New York From janfrode at tanso.net Fri Jun 27 18:15:25 2008 From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Fri, 27 Jun 2008 20:15:25 +0200 Subject: [Freeipa-devel] setting passwords stopped working In-Reply-To: <1214584937.3822.290.camel@localhost.localdomain> References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com> <20080626203106.GA23957@lc4eb5760521341.ibm.com> <1214512713.3822.242.camel@localhost.localdomain> <1214581382.3822.279.camel@localhost.localdomain> <20080627163102.GA27899@lc4eb5760521341.ibm.com> <1214584937.3822.290.camel@localhost.localdomain> Message-ID: <20080627181525.GA17288@lc4eb5760521341.ibm.com> On Fri, Jun 27, 2008 at 12:42:17PM -0400, Simo Sorce wrote: > > in the shell where gdb was used now you should see that a segfdault was > caught and running the command bt in the gdb shell will return the stack > trace (hopefully :-) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x582df4b0 (LWP 6328)] pw_val2scheme (val=0x0, valpwdp=0x582dea3c, first_is_default=1) at ldap/servers/slapd/pw.c:280 280 if ( *val != PWD_HASH_PREFIX_START || (gdb) bt #0 pw_val2scheme (val=0x0, valpwdp=0x582dea3c, first_is_default=1) at ldap/servers/slapd/pw.c:280 #1 0x0ff250c0 in slapi_pw_find_sv (vals=0x108ba708, v=0x108ba7d8) at ldap/servers/slapd/pw.c:142 #2 0x0dd98594 in ?? 
() from /usr/lib/dirsrv/plugins/libipa_pwd_extop.so #3 0x0ff1edc4 in plugin_call_exop_plugins (pb=0x108b8538, oid=0x0) at ldap/servers/slapd/plugin.c:393 #4 0x100143fc in do_extended (pb=0x108b8538) at ldap/servers/slapd/extendop.c:300 #5 0x1000f348 in connection_threadmain () at ldap/servers/slapd/connection.c:562 #6 0x0f91ffc8 in _pt_root (arg=) at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:221 #7 0x0fd46e3c in start_thread (arg=) at pthread_create.c:299 #8 0x48106670 in clone () from /lib/libc.so.6 Backtrace stopped: previous frame inner to this frame (corrupt stack?) (gdb) -jf From ssorce at redhat.com Fri Jun 27 18:27:03 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 27 Jun 2008 14:27:03 -0400 Subject: [Freeipa-devel] setting passwords stopped working In-Reply-To: <20080627181525.GA17288@lc4eb5760521341.ibm.com> References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com> <20080626203106.GA23957@lc4eb5760521341.ibm.com> <1214512713.3822.242.camel@localhost.localdomain> <1214581382.3822.279.camel@localhost.localdomain> <20080627163102.GA27899@lc4eb5760521341.ibm.com> <1214584937.3822.290.camel@localhost.localdomain> <20080627181525.GA17288@lc4eb5760521341.ibm.com> Message-ID: <1214591223.3822.292.camel@localhost.localdomain> On Fri, 2008-06-27 at 20:15 +0200, Jan-Frode Myklebust wrote: > On Fri, Jun 27, 2008 at 12:42:17PM -0400, Simo Sorce wrote: > > > > in the shell where gdb was used now you should see that a segfdault was > > caught and running the command bt in the gdb shell will return the stack > > trace (hopefully :-) > > Program received signal SIGSEGV, Segmentation fault. 
> [Switching to Thread 0x582df4b0 (LWP 6328)] > pw_val2scheme (val=0x0, valpwdp=0x582dea3c, first_is_default=1) > at ldap/servers/slapd/pw.c:280 > 280 if ( *val != PWD_HASH_PREFIX_START || > (gdb) bt > #0 pw_val2scheme (val=0x0, valpwdp=0x582dea3c, first_is_default=1) > at ldap/servers/slapd/pw.c:280 > #1 0x0ff250c0 in slapi_pw_find_sv (vals=0x108ba708, v=0x108ba7d8) > at ldap/servers/slapd/pw.c:142 > #2 0x0dd98594 in ?? () from /usr/lib/dirsrv/plugins/libipa_pwd_extop.so > #3 0x0ff1edc4 in plugin_call_exop_plugins (pb=0x108b8538, oid=0x0) > at ldap/servers/slapd/plugin.c:393 > #4 0x100143fc in do_extended (pb=0x108b8538) > at ldap/servers/slapd/extendop.c:300 > #5 0x1000f348 in connection_threadmain () > at ldap/servers/slapd/connection.c:562 > #6 0x0f91ffc8 in _pt_root (arg=) > at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:221 > #7 0x0fd46e3c in start_thread (arg=) > at pthread_create.c:299 > #8 0x48106670 in clone () from /lib/libc.so.6 > Backtrace stopped: previous frame inner to this frame (corrupt stack?) > (gdb) Perfect, I suspected this one, but I could not reproduce a crash, making patch. Simo. -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Fri Jun 27 18:31:06 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 27 Jun 2008 14:31:06 -0400 Subject: [Freeipa-devel] [PATCH] fix segfault in password change Message-ID: <1214591466.3822.295.camel@localhost.localdomain> This should fix the problem Jan-Frode ran into. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-slapi_pw_find_sv-expects-an-array-make-sure-we-ha.patch Type: application/mbox Size: 1593 bytes Desc: not available URL: From ssorce at redhat.com Fri Jun 27 18:53:45 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 27 Jun 2008 14:53:45 -0400 Subject: [Freeipa-devel] [PATCH] fix segfault in password change In-Reply-To: <1214591466.3822.295.camel@localhost.localdomain> References: <1214591466.3822.295.camel@localhost.localdomain> Message-ID: <1214592825.3822.297.camel@localhost.localdomain> On Fri, 2008-06-27 at 14:31 -0400, Simo Sorce wrote: > This should fix the problem Jan-Frode ran into. Bah patch was wrong, attached a new one. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-slapi_pw_find_sv-expects-an-array-make-sure-we-ha.patch Type: application/mbox Size: 1593 bytes Desc: not available URL: From nkinder at redhat.com Fri Jun 27 19:06:10 2008 From: nkinder at redhat.com (Nathan Kinder) Date: Fri, 27 Jun 2008 12:06:10 -0700 Subject: [Freeipa-devel] [PATCH] fix segfault in password change In-Reply-To: <1214592825.3822.297.camel@localhost.localdomain> References: <1214591466.3822.295.camel@localhost.localdomain> <1214592825.3822.297.camel@localhost.localdomain> Message-ID: <48653A22.6010506@redhat.com> Simo Sorce wrote: > On Fri, 2008-06-27 at 14:31 -0400, Simo Sorce wrote: > >> This should fix the problem Jan-Frode ran into. >> > > Bah patch was wrong, attached a new one. > ack. > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3254 bytes Desc: S/MIME Cryptographic Signature URL: From ssorce at redhat.com Fri Jun 27 20:00:37 2008 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 27 Jun 2008 16:00:37 -0400 Subject: [Freeipa-devel] [PATCH] fix segfault in password change In-Reply-To: <48653BF2.80909@redhat.com> References: <1214591466.3822.295.camel@localhost.localdomain> <1214592825.3822.297.camel@localhost.localdomain> <48653BF2.80909@redhat.com> Message-ID: <1214596837.3822.304.camel@localhost.localdomain> On Fri, 2008-06-27 at 13:13 -0600, Rich Megginson wrote: > Simo Sorce wrote: > > On Fri, 2008-06-27 at 14:31 -0400, Simo Sorce wrote: > > > >> This should fix the problem Jan-Frode ran into. > >> > > > > Bah patch was wrong, attached a new one. > > > Do you call > slapi_value_free(&cpw[0]); > somewhere? Ok, attached patch tries to avoid memory leaks too. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-slapi_pw_find_sv-expects-an-array-make-sure-we-ha.patch Type: application/mbox Size: 1738 bytes Desc: not available URL: From rmeggins at redhat.com Fri Jun 27 20:20:04 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 27 Jun 2008 14:20:04 -0600 Subject: [Freeipa-devel] [PATCH] fix segfault in password change In-Reply-To: <1214596837.3822.304.camel@localhost.localdomain> References: <1214591466.3822.295.camel@localhost.localdomain> <1214592825.3822.297.camel@localhost.localdomain> <48653BF2.80909@redhat.com> <1214596837.3822.304.camel@localhost.localdomain> Message-ID: <48654B74.5050007@redhat.com> Simo Sorce wrote: > On Fri, 2008-06-27 at 13:13 -0600, Rich Megginson wrote: > >> Simo Sorce wrote: >> >>> On Fri, 2008-06-27 at 14:31 -0400, Simo Sorce wrote: >>> >>> >>>> This should fix the problem Jan-Frode ran into. >>>> >>>> >>> Bah patch was wrong, attached a new one. 
>>> >>> >> Do you call >> slapi_value_free(&cpw[0]); >> somewhere? >> > > > Ok, attached patch tries to avoid memory leaks too. > ack > Simo. > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From matt.flusche at cox.net Sat Jun 28 03:01:24 2008 From: matt.flusche at cox.net (Matt Flusche) Date: Fri, 27 Jun 2008 22:01:24 -0500 Subject: [Freeipa-devel] setting passwords stopped working In-Reply-To: <1214591223.3822.292.camel@localhost.localdomain> References: <20080625224957.GA10064@lc4eb5760521341.ibm.com> <1214496025.3822.201.camel@localhost.localdomain> <20080626173244.GA10557@lc4eb5760521341.ibm.com> <20080626203106.GA23957@lc4eb5760521341.ibm.com> <1214512713.3822.242.camel@localhost.localdomain> <1214581382.3822.279.camel@localhost.localdomain> <20080627163102.GA27899@lc4eb5760521341.ibm.com> <1214584937.3822.290.camel@localhost.localdomain> <20080627181525.GA17288@lc4eb5760521341.ibm.com> <1214591223.3822.292.camel@localhost.localdomain> Message-ID: looks like we ran into the same issue. I've included the trace from my system -- sounds like you've got it fixed though. Thanks, Matt Program received signal SIGSEGV, Segmentation fault. 
[Switching to Thread 0x40a2f950 (LWP 16312)]
0x000000392fc808f0 in strcmp () from /lib64/libc.so.6
(gdb) bt
#0  0x000000392fc808f0 in strcmp () from /lib64/libc.so.6
#1  0x00007fb25bacc028 in ipapwd_chpwop (pb=0x7fb2583a0830) at ipa_pwd_extop.c:1317
#2  0x00007fb25bacd708 in ipapwd_extop (pb=0x7fb2583a0830) at ipa_pwd_extop.c:2861
#3  0x0000000000188f05 in plugin_call_exop_plugins (pb=0x7fb2583a0830, oid=0x7fb2583a0630 "1.3.6.1.4.1.4203.1.11.1") at ldap/servers/slapd/plugin.c:393
#4  0x000000000041698f in do_extended (pb=0x7fb2583a0830) at ldap/servers/slapd/extendop.c:300
#5  0x0000000000412086 in connection_threadmain () at ldap/servers/slapd/connection.c:562
#6  0x0000003ee8e29aa3 in _pt_root (arg=) at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:221
#7  0x000000393080729a in start_thread (arg=) at pthread_create.c:297
#8  0x000000392fce42cd in clone () from /lib64/libc.so.6

On Jun 27, 2008, at 1:27 PM, Simo Sorce wrote:

> On Fri, 2008-06-27 at 20:15 +0200, Jan-Frode Myklebust wrote:
>> On Fri, Jun 27, 2008 at 12:42:17PM -0400, Simo Sorce wrote:
>>>
>>> in the shell where gdb was used now you should see that a
>>> segfault was
>>> caught and running the command bt in the gdb shell will return
>>> the stack
>>> trace (hopefully :-)
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x582df4b0 (LWP 6328)]
>> pw_val2scheme (val=0x0, valpwdp=0x582dea3c, first_is_default=1)
>> at ldap/servers/slapd/pw.c:280
>> 280 if ( *val != PWD_HASH_PREFIX_START ||
>> (gdb) bt
>> #0 pw_val2scheme (val=0x0, valpwdp=0x582dea3c, first_is_default=1)
>> at ldap/servers/slapd/pw.c:280
>> #1 0x0ff250c0 in slapi_pw_find_sv (vals=0x108ba708, v=0x108ba7d8)
>> at ldap/servers/slapd/pw.c:142
>> #2 0x0dd98594 in ??
() from /usr/lib/dirsrv/plugins/ >> libipa_pwd_extop.so >> #3 0x0ff1edc4 in plugin_call_exop_plugins (pb=0x108b8538, oid=0x0) >> at ldap/servers/slapd/plugin.c:393 >> #4 0x100143fc in do_extended (pb=0x108b8538) >> at ldap/servers/slapd/extendop.c:300 >> #5 0x1000f348 in connection_threadmain () >> at ldap/servers/slapd/connection.c:562 >> #6 0x0f91ffc8 in _pt_root (arg=) >> at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:221 >> #7 0x0fd46e3c in start_thread (arg=) >> at pthread_create.c:299 >> #8 0x48106670 in clone () from /lib/libc.so.6 >> Backtrace stopped: previous frame inner to this frame (corrupt >> stack?) >> (gdb) > > Perfect, I suspected this one, but I could not reproduce a crash, > making > patch. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel From janfrode at tanso.net Sat Jun 28 22:02:29 2008 From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Sun, 29 Jun 2008 00:02:29 +0200 Subject: [Freeipa-devel] [PATCH] fix segfault in password change In-Reply-To: <1214596837.3822.304.camel@localhost.localdomain> References: <1214591466.3822.295.camel@localhost.localdomain> <1214592825.3822.297.camel@localhost.localdomain> <48653BF2.80909@redhat.com> <1214596837.3822.304.camel@localhost.localdomain> Message-ID: <20080628220229.GA14672@lc4eb5760521341.ibm.com> On Fri, Jun 27, 2008 at 04:00:37PM -0400, Simo Sorce wrote: > On Fri, 2008-06-27 at 13:13 -0600, Rich Megginson wrote: > > Simo Sorce wrote: > > > On Fri, 2008-06-27 at 14:31 -0400, Simo Sorce wrote: > > > > > >> This should fix the problem Jan-Frode ran into. Will there soon be released an updated ipa-server with this fix in fedora9/updates-testing, or will I have to rebuild it myself ? 
-jf From ssorce at redhat.com Sun Jun 29 16:33:21 2008 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 29 Jun 2008 12:33:21 -0400 Subject: [Freeipa-devel] [PATCH] fix segfault in password change In-Reply-To: <20080628220229.GA14672@lc4eb5760521341.ibm.com> References: <1214591466.3822.295.camel@localhost.localdomain> <1214592825.3822.297.camel@localhost.localdomain> <48653BF2.80909@redhat.com> <1214596837.3822.304.camel@localhost.localdomain> <20080628220229.GA14672@lc4eb5760521341.ibm.com> Message-ID: <1214757201.1573.1.camel@localhost.localdomain> On Sun, 2008-06-29 at 00:02 +0200, Jan-Frode Myklebust wrote: > On Fri, Jun 27, 2008 at 04:00:37PM -0400, Simo Sorce wrote: > > On Fri, 2008-06-27 at 13:13 -0600, Rich Megginson wrote: > > > Simo Sorce wrote: > > > > On Fri, 2008-06-27 at 14:31 -0400, Simo Sorce wrote: > > > > > > > >> This should fix the problem Jan-Frode ran into. > > > Will there soon be released an updated ipa-server with this fix in > fedora9/updates-testing, or will I have to rebuild it myself ? I am going to build a Fedora package with the patch today. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Sun Jun 29 17:59:11 2008 From: ssorce at redhat.com (Simo Sorce) Date: Sun, 29 Jun 2008 13:59:11 -0400 Subject: [Freeipa-devel] [PATCH] fix segfault in password change In-Reply-To: <1214757201.1573.1.camel@localhost.localdomain> References: <1214591466.3822.295.camel@localhost.localdomain> <1214592825.3822.297.camel@localhost.localdomain> <48653BF2.80909@redhat.com> <1214596837.3822.304.camel@localhost.localdomain> <20080628220229.GA14672@lc4eb5760521341.ibm.com> <1214757201.1573.1.camel@localhost.localdomain> Message-ID: <1214762351.1573.3.camel@localhost.localdomain> On Sun, 2008-06-29 at 12:33 -0400, Simo Sorce wrote: > On Sun, 2008-06-29 at 00:02 +0200, Jan-Frode Myklebust wrote: > > On Fri, Jun 27, 2008 at 04:00:37PM -0400, Simo Sorce wrote: > > > On Fri, 2008-06-27 at 13:13 -0600, Rich Megginson wrote: > > > > Simo Sorce wrote: > > > > > On Fri, 2008-06-27 at 14:31 -0400, Simo Sorce wrote: > > > > > > > > > >> This should fix the problem Jan-Frode ran into. > > > > > > Will there soon be released an updated ipa-server with this fix in > > fedora9/updates-testing, or will I have to rebuild it myself ? > > I am going to build a Fedora package with the patch today. Packages are built, I asked for pushing them to the testing repository. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Jun 30 18:16:53 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 30 Jun 2008 14:16:53 -0400 Subject: [Freeipa-devel] [PATCH] fix segfault in password change In-Reply-To: <48654B74.5050007@redhat.com> References: <1214591466.3822.295.camel@localhost.localdomain> <1214592825.3822.297.camel@localhost.localdomain> <48653BF2.80909@redhat.com> <1214596837.3822.304.camel@localhost.localdomain> <48654B74.5050007@redhat.com> Message-ID: <1214849813.353.10.camel@localhost.localdomain> On Fri, 2008-06-27 at 14:20 -0600, Rich Megginson wrote: > Simo Sorce wrote: > > On Fri, 2008-06-27 at 13:13 -0600, Rich Megginson wrote: > > > >> Simo Sorce wrote: > >> > >>> On Fri, 2008-06-27 at 14:31 -0400, Simo Sorce wrote: > >>> > >>> > >>>> This should fix the problem Jan-Frode ran into. > >>>> > >>>> > >>> Bah patch was wrong, attached a new one. > >>> > >>> > >> Do you call > >> slapi_value_free(&cpw[0]); > >> somewhere? > >> > > > > > > Ok, attached patch tries to avoid memory leaks too. > > > ack pushed -- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Mon Jun 30 18:21:10 2008 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 30 Jun 2008 14:21:10 -0400 Subject: [Freeipa-devel] [PATCH] Fix some small issues that caused compiler warnings in C code In-Reply-To: <486376F9.7040803@redhat.com> References: <486376F9.7040803@redhat.com> Message-ID: <1214850070.353.12.camel@localhost.localdomain> On Thu, 2008-06-26 at 13:01 +0200, Martin Nagy wrote: > This patch will fix some warnings produced by gcc. Unfortunately, there > is still one warning and that one won't go away so easily.. Pushed to master only. -- Simo Sorce * Red Hat, Inc * New York
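Added example (not code from this thread, FreeIPA or 389-ds): the two
backtraces posted earlier in the thread (pw_val2scheme called with
val=0x0 below slapi_pw_find_sv, and strcmp on a NULL pointer inside
ipapwd_chpwop) and the title of Simo's patch, "slapi_pw_find_sv expects
an array, make sure we ha[ve one]", describe the same class of bug: a
helper that walks a NULL-terminated array of value pointers is handed
something that is not one, or a value with no data, and dereferences
NULL. Because this is reachable through the password-change extended
operation (the OID 1.3.6.1.4.1.4203.1.11.1 visible in Matt's trace), the
result is a crash of the whole directory server on an authenticated
request, not just a failed password change. The C below is a
self-contained hypothetical model of that contract, with made-up
stand-ins for Slapi_Value, pw_val2scheme and slapi_pw_find_sv (the
names are borrowed from the traces; the bodies, the toy {CLEAR} scheme
and the sample passwords are all constructed here). It shows the
caller-side shape of the fix discussed in the thread: wrap the single
value in a NULL-terminated array, free cpw[0] afterwards as Rich asked,
and have the scheme parser reject a NULL value instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for Slapi_Value and the slapd helpers named in the
 * backtraces above. This is NOT the 389-ds/FreeIPA code; it models only the
 * contract that mattered: slapi_pw_find_sv() walks a NULL-terminated array of
 * value pointers, so the caller must hand it one. */
typedef struct { char *bv_val; } Value;

#define PWD_HASH_PREFIX_START '{'
#define PWD_HASH_PREFIX_END   '}'

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static Value *value_new(const char *s) {
    Value *v = calloc(1, sizeof *v);
    if (v && s) v->bv_val = dup_str(s);   /* s == NULL models a value with no data */
    return v;
}

static void value_free(Value **vp) {
    if (vp && *vp) { free((*vp)->bv_val); free(*vp); *vp = NULL; }
}

/* Split "{SCHEME}data" into scheme and data. The real pw_val2scheme() at
 * pw.c:280 dereferenced val unconditionally and crashed on val=0x0; here a
 * NULL val is reported as an error instead. Returns the scheme name length
 * (0 for an unprefixed clear-text value) or -1 on a malformed/NULL value. */
static int pw_val2scheme(const char *val, const char **data_out) {
    if (val == NULL) return -1;
    if (*val != PWD_HASH_PREFIX_START) { *data_out = val; return 0; }
    const char *end = strchr(val, PWD_HASH_PREFIX_END);
    if (end == NULL) return -1;
    *data_out = end + 1;
    return (int)(end - val - 1);
}

/* Returns 1 if clear-text v matches one of the stored values, 0 otherwise.
 * Only a toy {CLEAR} scheme and unprefixed clear text are understood; any
 * other scheme is treated as "no match" rather than guessed at. */
static int slapi_pw_find_sv(Value **vals, const Value *v) {
    for (size_t i = 0; vals[i] != NULL; i++) {          /* needs the NULL terminator */
        const char *data = NULL;
        int slen = pw_val2scheme(vals[i]->bv_val, &data);
        if (slen < 0 || v->bv_val == NULL) continue;
        int clear = (slen == 0) ||
                    (slen == 5 && strncmp(vals[i]->bv_val + 1, "CLEAR", 5) == 0);
        if (clear && strcmp(data, v->bv_val) == 0) return 1;
    }
    return 0;
}

/* Caller side, shaped like the fix discussed in the thread: wrap the single
 * stored value in a NULL-terminated array, and free cpw[0] afterwards (the
 * leak Rich asked about). stored == NULL models an entry whose value has no
 * data, the case that produced val=0x0 in Jan-Frode's trace. */
static int check_password(const char *stored, const char *clear) {
    Value *cpw[2] = { value_new(stored), NULL };
    Value *v = value_new(clear);
    int found = slapi_pw_find_sv(cpw, v);
    value_free(&cpw[0]);
    value_free(&v);
    return found;
}

int main(void) {
    /* Constructed sample inputs; none of these come from the thread. */
    printf("match:    %d\n", check_password("{CLEAR}hunter2", "hunter2"));
    printf("mismatch: %d\n", check_password("{CLEAR}hunter2", "wrong"));
    printf("unknown:  %d\n", check_password("{SSHA}c2FsdA==", "hunter2"));
    printf("no data:  %d\n", check_password(NULL, "hunter2"));
    return 0;
}
```

The point a reviewer should take from the two traces is that the crash
sits behind the NULL terminator contract, not behind any particular
password: a caller that passes a bare pointer where an array is expected
reads whatever follows it on the stack until it hits a NULL, and a value
with no data reaches the parser as val=0x0. Both have to be handled on
the caller side (build the array) and on the callee side (check the
pointer before *val), which is what the model above does.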