From rcritten at redhat.com Mon Jan 4 17:01:20 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 04 Jan 2010 12:01:20 -0500
Subject: [Freeipa-users] freeipa replication
In-Reply-To: <108883.57229.qm@web76311.mail.sg1.yahoo.com>
References: <108883.57229.qm@web76311.mail.sg1.yahoo.com>
Message-ID: <4B421EE0.4000307@redhat.com>

John Robert Mendoza wrote:
> Finally I made it work!
>
> I had to manually install the CA certificate and the server certificate
> to the database. As for the replica machine, all I had to do was to add
> the main IPA machine's and the replica machine's entries to the /etc/hosts file.
>
> Thanks to all!

Great, glad you got it working.

Are there any take-aways we can get from this process? A FAQ entry, a bug
to file? Can you provide some more detail on what you had to do? Which
database did you have to manually update?

It definitely shouldn't be this hard to set up a replica :-)

thanks

rob

>
> John Robert Mendoza
>
> --- On *Tue, 12/15/09, John Robert Mendoza //* wrote:
>
> From: John Robert Mendoza
> Subject: Re: [Freeipa-users] freeipa replication
> To: "Rob Crittenden"
> Cc: freeipa-users at redhat.com
> Date: Tuesday, 15 December, 2009, 6:13 PM
>
> I did this to install the master server. Before even making a replica.
>
> John Robert Mendoza
>
> --- On *Tue, 12/15/09, John Robert Mendoza //* wrote:
>
> From: John Robert Mendoza
> Subject: Re: [Freeipa-users] freeipa replication
> To: "Rob Crittenden"
> Cc: freeipa-users at redhat.com
> Date: Tuesday, 15 December, 2009, 5:55 PM
>
> Hi Rob,
>
> Just to let you know, I tried to again reproduce the
> installation. I did a clean install of Fedora 11 on a machine
> and updated it using yum. Then I tried to install FreeIPA on it.
> But strangely I had a harder time doing it. It again outputs an
> error complaining about not being able to contact itself.
>
> Here is the ipaserver-install log:
>
> 2009-12-15 20:19:51,187 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2009-12-15 20:19:51,196 CRITICAL Could not connect to the Directory Server on id.example.net
> 2009-12-15 20:19:51,204 DEBUG {'desc': "Can't contact LDAP server"}
>   File "/usr/sbin/ipa-server-install", line 609, in
>     sys.exit(main())
>
>   File "/usr/sbin/ipa-server-install", line 509, in main
>     krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/krbinstance.py", line 135, in create_instance
>     self.__common_setup(ds_user, realm_name, host_name, domain_name, admin_password)
>
>   File "/usr/lib/python2.6/site-packages/ipaserver/krbinstance.py", line 119, in __common_setup
>     raise e
>
> TIA.
>
> John Robert Mendoza
>
> --- On *Sat, 12/12/09, Rob Crittenden //* wrote:
>
> From: Rob Crittenden
> Subject: Re: [Freeipa-users] freeipa replication
> To: "John Robert Mendoza"
> Cc: freeipa-users at redhat.com
> Date: Saturday, 12 December, 2009, 2:50 AM
>
> John Robert Mendoza wrote:
> > Rob,
> >
> > I'm using freeipa 1.2.2 on a fedora 11 machine. I have
> > successfully configured it for authentication for our
> > services but the lack of replication makes it vulnerable to
> > unavailability and downtime.
> > It's complaining about the replica server not being able
> > to contact the ldap server.
> >
> > This can be reproduced by:
> >
> > 1. Clean install fedora 11
> > 2. Install the ipa packages
> > 3. Clean install fedora 11 on a "replica" server
> > 4. Install the ipa packages
> > 5. ipa-replica-prepare on the freeipa server
> > 6. ipa-replica-install on the replica
> >
> > note: both machines have DNS records.
> >
> > TIA
> >
>
> Ok, strange. On the replica server can you do something like:
>
> % ldapsearch -x -h ipa.example.com -p 389 -b "dc=example,dc=com" uid=admin
>
> That will confirm that the ports are available.
>
> Can you provide the ipareplica-install.log?
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From danieljamesscott at gmail.com Wed Jan 6 14:50:12 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 6 Jan 2010 09:50:12 -0500
Subject: [Freeipa-users] Failed to verify that server.example.com is an IPA Server. while running ipa-client-install
Message-ID: <6835906b1001060650y2c3413b7q57b0229501d5d18f@mail.gmail.com>

Hi,

I've just tried to add a new Fedora 12 PC to our FreeIPA realm and I
received the following error:

[root at client ~]# ipa-client-install
Failed to verify that server.example.com is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.

If I run it again, I receive the same error, but with our replicated
FreeIPA server: server1.example.com

There is no firewall running on either the client or server. Does
anyone know what is causing this? I've tried running
`ipa-client-install -d` but this does not show that any error occurs
before the error message above is displayed.

Thanks,

Dan Scott
http://danieljamesscott.org

From danieljamesscott at gmail.com Wed Jan 6 15:56:07 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 6 Jan 2010 10:56:07 -0500
Subject: [Freeipa-users] Failed to verify that server.example.com is an IPA Server. while running ipa-client-install
In-Reply-To: <6835906b1001060650y2c3413b7q57b0229501d5d18f@mail.gmail.com>
References: <6835906b1001060650y2c3413b7q57b0229501d5d18f@mail.gmail.com>
Message-ID: <6835906b1001060756v39093297h11512ff5edb79421@mail.gmail.com>

Sorry, there was an error in my DNS configuration. The TXT entry for
_kerberos was incorrect.

Dan

On Wed, Jan 6, 2010 at 09:50, Dan Scott wrote:
> Hi,
>
> I've just tried to add a new Fedora 12 PC to our FreeIPA realm and I
> received the following error:
>
> [root at client ~]# ipa-client-install
> Failed to verify that server.example.com is an IPA Server.
> This may mean that the remote server is not up or is not reachable
> due to network or firewall settings.
>
> If I run it again, I receive the same error, but with our replicated
> FreeIPA server: server1.example.com
>
> There is no firewall running on either the client or server. Does
> anyone know what is causing this? I've tried running
> `ipa-client-install -d` but this does not show that any error occurs
> before the error message above is displayed.
>
> Thanks,
>
> Dan Scott
> http://danieljamesscott.org
>

From shan.sysadm at gmail.com Mon Jan 11 07:58:17 2010
From: shan.sysadm at gmail.com (Shan Kumaraswamy)
Date: Mon, 11 Jan 2010 10:58:17 +0300
Subject: [Freeipa-users] AD user integration with IPA
Message-ID: <68b7c79a1001102358l4fc5a5e7p93e53fe04bea4c2a@mail.gmail.com>

Dear All,

Could any one of you provide me the detailed steps of how the AD
accounts would be granted root privileges on RHEL servers using IPA?

Thanks in Advance.

Regards,
Shan Kumaraswamy

From ssorce at redhat.com Mon Jan 11 13:49:59 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 11 Jan 2010 08:49:59 -0500
Subject: [Freeipa-users] AD user integration with IPA
In-Reply-To: <68b7c79a1001102358l4fc5a5e7p93e53fe04bea4c2a@mail.gmail.com>
References: <68b7c79a1001102358l4fc5a5e7p93e53fe04bea4c2a@mail.gmail.com>
Message-ID: <20100111084959.27854c65@willson.li.ssimo.org>

On Mon, 11 Jan 2010 10:58:17 +0300
Shan Kumaraswamy wrote:

> Dear All,
>
> Could any one of you provide me the detailed steps of how the AD
> accounts would be granted root privileges on RHEL servers using IPA?
>
> Thanks in Advance.
>
> Regards,
>
> Shan Kumaraswamy

The best way is to provide sudo access for the users you want to grant
root privs to.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From shan.sysadm at gmail.com Mon Jan 11 14:08:17 2010
From: shan.sysadm at gmail.com (Shan Kumaraswamy)
Date: Mon, 11 Jan 2010 17:08:17 +0300
Subject: [Freeipa-users] AD user integration with IPA
In-Reply-To: <20100111084959.27854c65@willson.li.ssimo.org>
References: <68b7c79a1001102358l4fc5a5e7p93e53fe04bea4c2a@mail.gmail.com> <20100111084959.27854c65@willson.li.ssimo.org>
Message-ID: <68b7c79a1001110608q397e9fc0n4cf1e1b07c63269f@mail.gmail.com>

Simo,

Thanks for your mail. We already installed and configured freeIPA in
place, but my admin group is asking that one AD user will have complete
root privileges and log in to the entire RHEL infrastructure, and the
RHEL servers' local root will be disabled. So only one user will be able
to log in and make any changes; the rest of the local system users will
be disabled.

Regards,
Shan Kumaraswamy

On Mon, Jan 11, 2010 at 4:49 PM, Simo Sorce wrote:
> On Mon, 11 Jan 2010 10:58:17 +0300
> Shan Kumaraswamy wrote:
>
> > Dear All,
> >
> > Could any one of you provide me the detailed steps of how the AD
> > accounts would be granted root privileges on RHEL servers using IPA?
> >
> > Thanks in Advance.
> >
> > Regards,
> >
> > Shan Kumaraswamy
>
> The best way is to provide sudo access for the users you want to grant
> root privs to.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

-- 
Thanks & Regards
Shan Kumaraswamy
From dpal at redhat.com Mon Jan 11 15:50:22 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 11 Jan 2010 10:50:22 -0500
Subject: [Freeipa-users] AD user integration with IPA
In-Reply-To: <68b7c79a1001110608q397e9fc0n4cf1e1b07c63269f@mail.gmail.com>
References: <68b7c79a1001102358l4fc5a5e7p93e53fe04bea4c2a@mail.gmail.com> <20100111084959.27854c65@willson.li.ssimo.org> <68b7c79a1001110608q397e9fc0n4cf1e1b07c63269f@mail.gmail.com>
Message-ID: <4B4B48BE.2030305@redhat.com>

Shan Kumaraswamy wrote:
> Simo,
> Thanks for your mail. We already installed and configured freeIPA in
> place, but my admin group is asking that one AD user will have complete
> root privileges and log in to the entire RHEL infrastructure, and the
> RHEL servers' local root will be disabled. So only one user will be able
> to log in and make any changes; the rest of the local system users will
> be disabled.
>

This centrally managed IPA user should be given privileges via sudo, as
Simo pointed out. Then local users can be disabled (or better, use long
and strong passwords, just in case you need to do some recovery work at
the console).

If you are concerned about the case when the client can get offline, then
consider using SSSD on the client.

Thanks
Dmitri

> Regards,
> Shan Kumaraswamy
>
> On Mon, Jan 11, 2010 at 4:49 PM, Simo Sorce wrote:
>
> > On Mon, 11 Jan 2010 10:58:17 +0300
> > Shan Kumaraswamy wrote:
> >
> > > Dear All,
> > >
> > > Could any one of you provide me the detailed steps of how the AD
> > > accounts would be granted root privileges on RHEL servers using IPA?
> > >
> > > Thanks in Advance.
> > >
> > > Regards,
> > >
> > > Shan Kumaraswamy
> >
> > The best way is to provide sudo access for the users you want to grant
> > root privs to.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From freeipa at voidembraced.net Tue Jan 12 22:42:38 2010
From: freeipa at voidembraced.net (root)
Date: Tue, 12 Jan 2010 14:42:38 -0800
Subject: [Freeipa-users] freeipa master server disaster recovery
Message-ID: <20100112224238.5A5A362D5E@IronClad.SEA.voidembraced.net>

Greetings FreeIPA mailing list:

I have an FC11 environment set up for testing the FreeIPA implementation
of kerberos+ldap w/admin utils. Our primary purpose for kerberos right
now is to provide auth services for coda. However, once that gnat is
squished, we'll of course be using kerberos for various other
authentication services as well, and possibly using ldap for all manner
of things (top of the list is basic server configuration information).
So far, FreeIPA is a wonderful product and has very much simplified our
deployment.

My only real disappointment with FreeIPA, in fact, was seeing the notion
of a "master server". Moreover, I have not been able to determine what
configuration or crucial data is stored on the master server -- of
utmost importance is _where_ said crucial configuration/data is stored,
so that we may suitably back it up.

This of course raises disaster recovery questions. Such as, in the
event of a disaster, is it possible (and advisable?) to somehow
"promote" a FreeIPA slave/peer server to "master" status?
Or must we deploy a new server with the same name as the old and then
somehow sync up the non-master data from the slave/peer(s)? Obviously,
the best scenario would be that we could do either, as the decision on
whether to promote or re-deploy will depend heavily on circumstances
surrounding the failure.

I am assuming the following scenario:
*) master server goes down
*) slave/peer(s) continue taking updates, the only exception being no
   FreeIPA servers may be deployed (correct??)
*) several days pass
*) master server is determined irreparable

At which point, what should we have done prior to this failure, to give
us the most options for recovery?

Are there worse scenarios we can plan for? Any other actions we can
take that might save our bacon down the road?

Just trying to think ahead. ;)

Many thanks for the product, and the support!

Regards,
-Don
Systems Administrator
{void}

From freeipa at voidembraced.net Tue Jan 12 23:01:32 2010
From: freeipa at voidembraced.net (root)
Date: Tue, 12 Jan 2010 15:01:32 -0800
Subject: [Freeipa-users] FreeIPA master replica generation divorce?
Message-ID: <20100112230132.3C67362D5E@IronClad.SEA.voidembraced.net>

Greetings FreeIPA mailing list:

Thinking outside of the box for a moment, is it possible to divorce the
FreeIPA "master" feature of deploying FreeIPA servers from the FreeIPA
cluster which handles everything else? Keeps it safe and out of harm's
way, especially considering it has the CA key on it.

This could be done a couple of different ways. One would be to just
have the master FreeIPA "server" deployed as a VM instance -- we only
dust it off and start it up when a new server needs deployment, and shut
it back down after it's generated the replica file. While crude for my
environment, this would work really well for a VM based shop.
The elegant approach for us is to run the FreeIPA replica generation
feature on our kickstart+puppet server, where it only generates FreeIPA
replica files and simply doesn't handle any FreeIPA requests.

Since KickStart would most likely need to generate the replica file, as I
believe the way puppet works prevents it from doing much server side
execution, is there a problem with generating replica files willy nilly
and then deleting them? I.E.: Running ipa-replica-prepare for each
server deployed, but simply deleting the gpg file for all servers
excluding those being deployed as FreeIPA slave/peer(s).

Regardless, taking a step back from specific implementation details, is
the general idea sound? Beyond generating replica files, must there be
any other communication between the master server and the other
slave/peer(s)? E.G.: The master must make updates to
ldap/kerberos/etc. as a part of generating the replica file.

Many thanks for the product, and the support!

Regards,
-Don
Systems Administrator
{void}

From rcritten at redhat.com Wed Jan 13 02:39:33 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Jan 2010 21:39:33 -0500
Subject: [Freeipa-users] freeipa master server disaster recovery
In-Reply-To: <20100112224238.5A5A362D5E@IronClad.SEA.voidembraced.net>
References: <20100112224238.5A5A362D5E@IronClad.SEA.voidembraced.net>
Message-ID: <4B4D3265.2020400@redhat.com>

root wrote:
> Greetings FreeIPA mailing list:
> I have an FC11 environment set up for testing the FreeIPA implementation
> of kerberos+ldap w/admin utils. Our primary purpose for kerberos right
> now is to provide auth services for coda. However, once that gnat is
> squished, we'll of course be using kerberos for various other
> authentication services as well, and possibly using ldap for all manner
> of things (top of the list is basic server configuration information).
> So far, FreeIPA is a wonderful product and has very much simplified our
> deployment.
> My only real disappointment with FreeIPA, in fact, was seeing the notion
> of a "master server". Moreover, I have not been able to determine what
> configuration or crucial data is stored on the master server -- of
> utmost importance is _where_ said crucial configuration/data is stored,
> so that we may suitably back it up.
> This of course raises disaster recovery questions. Such as, in the
> event of a disaster, is it possible (and advisable?) to somehow
> "promote" a FreeIPA slave/peer server to "master" status? Or must we
> deploy a new server with the same name as the old and then somehow sync
> up the non-master data from the slave/peer(s)? Obviously, the best
> scenario would be that we could do either, as the decision on whether to
> promote or re-deploy will depend heavily on circumstances surrounding
> the failure.
>
> I am assuming the following scenario:
> *) master server goes down
> *) slave/peer(s) continue taking updates, the only exception being no
>    FreeIPA servers may be deployed (correct??)
> *) several days pass
> *) master server is determined irreparable
> At which point, what should we have done prior to this failure, to give
> us the most options for recovery?
>
> Are there worse scenarios we can plan for? Any other actions we can
> take that might save our bacon down the road?

Glad to hear freeIPA is filling your needs.

See this bug on promoting a new master:
https://bugzilla.redhat.com/show_bug.cgi?id=486950

Each IPA server is in fact a complete standalone server. The only
distinctions about the "master" are:

- It was the first one installed
- It owns the CA private key so only it can generate replicas
- It is the hub for replication

The MMR we set up has each replica talking to this initial master. So if
it goes down all communication between other replicas is hosed. All is
not lost though. You can use ipa-replica-manage to set up additional
communication links between your replicas.
I don't think I'd get too carried away with this though and make each
replica talk to every other replica. We just don't set up these
additional links by default. It all depends on your needs, paranoia, etc.

Critically though, you should back up the CA cert and key and stick it in
a vault somewhere, the kerberos master key too if you're really paranoid
(but it exists on the replicas too, unlike the CA key).

> Just trying to think ahead. ;)

Always recommended :-)

>
> Many thanks for the product, and the support!
>
> Regards,
> -Don
> Systems Administrator
> {void}

cheers

rob

From rcritten at redhat.com Wed Jan 13 02:47:52 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 12 Jan 2010 21:47:52 -0500
Subject: [Freeipa-users] FreeIPA master replica generation divorce?
In-Reply-To: <20100112230132.3C67362D5E@IronClad.SEA.voidembraced.net>
References: <20100112230132.3C67362D5E@IronClad.SEA.voidembraced.net>
Message-ID: <4B4D3458.3060708@redhat.com>

root wrote:
> Greetings FreeIPA mailing list:
> Thinking outside of the box for a moment, is it possible to divorce the
> FreeIPA "master" feature of deploying FreeIPA servers from the FreeIPA
> cluster which handles everything else? Keeps it safe and out of harm's
> way, especially considering it has the CA key on it.
> This could be done a couple of different ways. One would be to just
> have the master FreeIPA "server" deployed as a VM instance -- we only
> dust it off and start it up when a new server needs deployment, and shut
> it back down after it's generated the replica file. While crude for my
> environment, this would work really well for a VM based shop.

Interesting. I suppose you *could* do this but you'd have to do a bit of
manual work to get this done. When a replica is created the MMR we set
up connects the new replica with the initial master.
You can use ipa-replica-manage to create and remove replication
agreements, so I don't see why you couldn't disconnect from the master
and then connect to other installed replicas. This might be a tad
overkill, YMMV.

What you definitely want to do is back up the CA private key. We create
a PKCS#12 file for this purpose. It is stored in
/etc/dirsrv/slapd-YOUR-DOMAIN/cacert.p12. The password for this file is
in /etc/dirsrv/slapd-YOUR-DOMAIN/pwdfile.txt.

> The elegant approach for us is to run the FreeIPA replica generation
> feature on our kickstart+puppet server, where it only generates FreeIPA
> replica files and simply doesn't handle any FreeIPA requests.
> Since KickStart would most likely need to generate the replica file, as I
> believe the way puppet works prevents it from doing much server side
> execution, is there a problem with generating replica files willy nilly
> and then deleting them? I.E.: Running ipa-replica-prepare for each
> server deployed, but simply deleting the gpg file for all servers
> excluding those being deployed as FreeIPA slave/peer(s).

The gpg files themselves aren't particularly interesting, though they do
contain quite a bit of secure information. Removing them is probably not
a terrible idea; they can always be re-generated. But they have no impact
on a running server. So you can create and destroy them as much as you
like; they have no impact until you install them with ipa-replica-install.

Creating these files just creates the SSL certificates needed for things
to work and collects some other critical data needed for the IPA server
(e.g. the things you answered when you did the initial install).

We've been tinkering with the idea of doing online replica creation where
this gpg file won't be necessary, but it hasn't gotten much past the "now
how would we do this?" stage.

>
> Regardless, taking a step back from specific implementation details, is
> the general idea sound?
> Beyond generating replica files, must there be
> any other communication between the master server and the other
> slave/peer(s)? E.G.: The master must make updates to
> ldap/kerberos/etc. as a part of generating the replica file.

Nothing is done with a replica until you install it other than
incrementing the CA serial number counter. All other communication
between the initial master and the replicas is the 389-ds MMR
communication, keeping the LDAP servers in sync. Since we store
everything in LDAP that is all that is required.

>
> Many thanks for the product, and the support!
>
> Regards,
> -Don
> Systems Administrator
> {void}

cheers

rob

From ssorce at redhat.com Wed Jan 13 14:58:01 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 13 Jan 2010 09:58:01 -0500
Subject: [Freeipa-users] FreeIPA master replica generation divorce?
In-Reply-To: <20100112230132.3C67362D5E@IronClad.SEA.voidembraced.net>
References: <20100112230132.3C67362D5E@IronClad.SEA.voidembraced.net>
Message-ID: <20100113095801.16802b74@willson.li.ssimo.org>

On Tue, 12 Jan 2010 15:01:32 -0800
root wrote:

> Thinking outside of the box for a moment, is it possible to divorce
> the FreeIPA "master" feature of deploying FreeIPA servers from the
> FreeIPA cluster which handles everything else? Keeps it safe and out
> of harm's way, especially considering it has the CA key on it.
>
> This could be done a couple of different ways. One would be to just
> have the master FreeIPA "server" deployed as a VM instance -- we only
> dust it off and start it up when a new server needs deployment, and
> shut it back down after it's generated the replica file. While crude
> for my environment, this would work really well for a VM based shop.

No, I think you can't "start it up" only "when needed". Replication
would be compromised; the backlog window is about a week IIRC.

But what you could do is to keep the first master reachable only by
other replicas through firewalling/vpn/vlans, your choice.
And expose to the real world only the replicas. In this scenario you can
shut it down without much care because it is not serving clients. But
you cannot keep it shut for long times or it will get completely out of
sync with the other replicas.

Of course, as Rob already pointed out, you may want to add replication
channels between replicas so that your master server is not critical for
replication if you have to shut it down.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From prjctgeek at gmail.com Fri Jan 22 19:35:22 2010
From: prjctgeek at gmail.com (Doug Chapman)
Date: Fri, 22 Jan 2010 11:35:22 -0800
Subject: [Freeipa-users] loadbalancer?
Message-ID:

We're currently running SunDS and using Citrix (Netscaler) load balancers
to keep the load on our client facing LDAP servers balanced between 2
hosts. I'm evaluating FreeIPA and wondered if anyone can share any
experience with using IPA behind a load balancer (or point me at
wikidocs)? I know the ldap portion will work; it's the kerberos bits I'm
unfamiliar with.

Note, this would only be for client connections, not replication.

tia

From mmatson at videoegg.com Fri Jan 22 20:21:11 2010
From: mmatson at videoegg.com (Matt Matson)
Date: Fri, 22 Jan 2010 12:21:11 -0800
Subject: [Freeipa-users] ipa-server-install failing "enabling memberof plugin" (freeipa-1.2.2)
In-Reply-To: <10397855.01264191567082.JavaMail.m2matson@m2matson>
Message-ID: <15380978.21264191666929.JavaMail.m2matson@m2matson>

Hi All,

I'm trying to run ipa-server-install and it fails with the following log
message. Any ideas? Thanks!

server specs:
*centos-5.3
*389-ds-base-1.2.4-1
*freeipa-1.2.2

2010-01-22 20:09:55,698 INFO
2010-01-22 20:09:55,698 DEBUG completed creating ds instance
2010-01-22 20:09:55,698 DEBUG restarting ds instance
2010-01-22 20:09:59,026 INFO Shutting down dirsrv:
    VIDEOEGG-COM...ESC[60G[ESC[0;32m OK ESC[0;39m]
Starting dirsrv:
    VIDEOEGG-COM...ESC[60G[ESC[0;32m OK ESC[0;39m]

2010-01-22 20:09:59,027 INFO
2010-01-22 20:09:59,027 DEBUG done restarting ds instance
2010-01-22 20:09:59,027 DEBUG [3/17]: adding default schema
2010-01-22 20:09:59,029 DEBUG [4/17]: enabling memberof plugin
2010-01-22 20:09:59,049 DEBUG [Errno 2] No such file or directory
  File "/usr/sbin/ipa-server-install", line 609, in ?
    sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 505, in main
    ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 193, in create_instance
    self.start_creation("Configuring directory server:")

  File "/usr/lib/python2.4/site-packages/ipaserver/service.py", line 139, in start_creation
    method()

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 313, in __add_memberof_module
    self.__ldap_mod("memberof-conf.ldif")

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 303, in __ldap_mod
    ipautil.run(args)

  File "/usr/lib/python2.4/site-packages/ipa/ipautil.py", line 90, in run
    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)

  File "/usr/lib64/python2.4/subprocess.py", line 542, in __init__
    errread, errwrite)

  File "/usr/lib64/python2.4/subprocess.py", line 975, in _execute_child
    raise child_exception

Matt Matson
Systems Administrator
e: mmatson at videoegg.com
t: (415) 574-5358
180 Townsend St., Third Floor
San Francisco, CA 94107
From rcritten at redhat.com Fri Jan 22 20:53:39 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Jan 2010 15:53:39 -0500
Subject: [Freeipa-users] ipa-server-install failing "enabling memberof plugin" (freeipa-1.2.2)
In-Reply-To: <15380978.21264191666929.JavaMail.m2matson@m2matson>
References: <15380978.21264191666929.JavaMail.m2matson@m2matson>
Message-ID: <4B5A1053.2060506@redhat.com>

Matt Matson wrote:
> Hi All,
>
> I'm trying to run ipa-server-install and it fails with the following log
> message. Any ideas? Thanks!
>
> server specs:
> *centos-5.3
> *389-ds-base-1.2.4-1
> *freeipa-1.2.2
>
>
> 2010-01-22 20:09:55,698 INFO
> 2010-01-22 20:09:55,698 DEBUG completed creating ds instance
> 2010-01-22 20:09:55,698 DEBUG restarting ds instance
> 2010-01-22 20:09:59,026 INFO Shutting down dirsrv:
> VIDEOEGG-COM...ESC[60G[ESC[0;32m OK ESC[0;39m]
> Starting dirsrv:
> VIDEOEGG-COM...ESC[60G[ESC[0;32m OK ESC[0;39m]
>
> 2010-01-22 20:09:59,027 INFO
> 2010-01-22 20:09:59,027 DEBUG done restarting ds instance
> 2010-01-22 20:09:59,027 DEBUG [3/17]: adding default schema
> 2010-01-22 20:09:59,029 DEBUG [4/17]: enabling memberof plugin
> 2010-01-22 20:09:59,049 DEBUG [Errno 2] No such file or directory
>   File "/usr/sbin/ipa-server-install", line 609, in ?
>     sys.exit(main())
>
>   File "/usr/sbin/ipa-server-install", line 505, in main
>     ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)
>
>   File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 193, in create_instance
>     self.start_creation("Configuring directory server:")
>
>   File "/usr/lib/python2.4/site-packages/ipaserver/service.py", line 139, in start_creation
>     method()
>
>   File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 313, in __add_memberof_module
>     self.__ldap_mod("memberof-conf.ldif")
>
>   File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 303, in __ldap_mod
>     ipautil.run(args)
>
>   File "/usr/lib/python2.4/site-packages/ipa/ipautil.py", line 90, in run
>     p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
>
>   File "/usr/lib64/python2.4/subprocess.py", line 542, in __init__
>     errread, errwrite)
>
>   File "/usr/lib64/python2.4/subprocess.py", line 975, in _execute_child
>     raise child_exception
>

This is usually seen when the DS isn't restarting. Can you look in
/var/log/ipaserver-install.log and /var/log/dirsrv/slapd-VIDEOEGG-COM/errors
for more details?

From mmatson at videoegg.com Fri Jan 22 21:04:21 2010
From: mmatson at videoegg.com (Matt Matson)
Date: Fri, 22 Jan 2010 13:04:21 -0800
Subject: [Freeipa-users] ipa-server-install failing "enabling memberof plugin" (freeipa-1.2.2)
In-Reply-To: <4B5A1053.2060506@redhat.com>
Message-ID: <25979766.61264194256617.JavaMail.m2matson@m2matson>

Thanks Rob, but I think DS is working properly. I'm able to bind to it
as Directory Manager, etc.

Any other ideas?
Matt Matson
Systems Administrator
e: mmatson at videoegg.com
t: (415) 574-5358
180 Townsend St., Third Floor
San Francisco, CA 94107

From rcritten at redhat.com Fri Jan 22 21:07:43 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Jan 2010 16:07:43 -0500
Subject: [Freeipa-users] ipa-server-install failing "enabling memberof plugin" (freeipa-1.2.2)
In-Reply-To: <25979766.61264194256617.JavaMail.m2matson@m2matson>
References: <25979766.61264194256617.JavaMail.m2matson@m2matson>
Message-ID: <4B5A139F.7010101@redhat.com>

Matt Matson wrote:
> Thanks Rob, but I think DS is working properly. I'm able to bind to it
> as Directory Manager, etc.

Well, like I said, see what the logs say. This error message is usually a red herring.

rob

> Any other ideas?

From wxiluo at gmail.com Sat Jan 23 03:34:28 2010
From: wxiluo at gmail.com (Michael Kang)
Date: Sat, 23 Jan 2010 11:34:28 +0800
Subject: [Freeipa-users] Configuring Client SSH Access Failure
Message-ID: <97725cf1001221934x43686034idb564f4a45a37785@mail.gmail.com>

Hi all,

I'm trying to configure client ssh access on Fedora 12 and I can't access ipaclient without a password.
I'm following this document:
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/sect-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client-Configuring_Client_SSH_Access.html

At the end of this document:

> The IPA client should now be fully configured to accept incoming SSH connections and authenticate with the user's
> Kerberos credentials. Use the following command on another machine to test
> the configuration. This should succeed without asking for a password.
> # ssh admin at ipaclient.example.com

As I see it, another machine doesn't need to install any ipa software and it can access ipaclient without a password.

I have three Fedora machines:

- ipa.example.com (IPA Server)
- client.example.com (IPA Client)
- node.example.com (another machine, with neither ipa-client nor ipa-server installed)

client.example.com can access ipa.example.com without a password. But node.example.com can't access client.example.com.

Do I misunderstand the document, or did I configure it incorrectly?

Thanks,
Michael

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion

From wxiluo at gmail.com Sat Jan 23 05:12:37 2010
From: wxiluo at gmail.com (Michael Kang)
Date: Sat, 23 Jan 2010 13:12:37 +0800
Subject: [Freeipa-users] Configuring Client SSH Access Failure
In-Reply-To: <406634A2-3FD6-4ED8-8528-F888C98F71FD@gmail.com>
References: <97725cf1001221934x43686034idb564f4a45a37785@mail.gmail.com> <406634A2-3FD6-4ED8-8528-F888C98F71FD@gmail.com>
Message-ID: <97725cf1001222112k2129bc04k2745a56b18d9d6a7@mail.gmail.com>

DNS is OK. I run kinit on client.example.com.

Access client.example.com from node.example.com:

> ssh -v admin at client.example.com
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure. Minor code may provide more information
> Credentials cache file '/tmp/krb5cc_0' not found
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Credentials cache file '/tmp/krb5cc_0' not found
>
> debug1: Unspecified GSS failure. Minor code may provide more information

It seems the ssh client was trying to load /tmp/krb5cc_0. I don't run kinit on node.example.com, so there is no such file. But I can find it on client.example.com.

Can node.example.com access client.example.com without any ipa configuration? Do I need to install ipa-client on node.example.com? Is the document wrong?

On Sat, Jan 23, 2010 at 11:54 AM, Scott wrote:
>
> First I would verify that dns is functional both forward and reverse.
>
> If that is okay try doing a kinit first then try to connect.
>
> Sent from my iPhone
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion

From scott.kaminski at gmail.com Sat Jan 23 03:54:33 2010
From: scott.kaminski at gmail.com (Scott)
Date: Fri, 22 Jan 2010 19:54:33 -0800
Subject: [Freeipa-users] Configuring Client SSH Access Failure
In-Reply-To: <97725cf1001221934x43686034idb564f4a45a37785@mail.gmail.com>
References: <97725cf1001221934x43686034idb564f4a45a37785@mail.gmail.com>
Message-ID: <406634A2-3FD6-4ED8-8528-F888C98F71FD@gmail.com>

First I would verify that dns is functional both forward and reverse.

If that is okay try doing a kinit first then try to connect.

Sent from my iPhone

From jrobertm8 at yahoo.com Sat Jan 23 13:21:02 2010
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Sat, 23 Jan 2010 21:21:02 +0800 (SGT)
Subject: [Freeipa-users] Configuring Client SSH Access Failure
In-Reply-To: <97725cf1001222112k2129bc04k2745a56b18d9d6a7@mail.gmail.com>
Message-ID: <740737.55872.qm@web76301.mail.sg1.yahoo.com>

From what I understand from your email, you don't have Kerberos credentials; that's why it's complaining about not being able to read the file /tmp/krb5cc_0.

Firstly, does the admin account in ipaclient.example.com exist? And if so, can you get a Kerberos ticket for admin from node.example.com? You should have a minimally working Kerberos client configuration for node.example.com, i.e. krb5.conf.

John Robert Mendoza

From jrobertm8 at yahoo.com Sat Jan 23 13:25:09 2010
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Sat, 23 Jan 2010 21:25:09 +0800 (SGT)
Subject: [Freeipa-users] Configuring Client SSH Access Failure
In-Reply-To: <97725cf1001221934x43686034idb564f4a45a37785@mail.gmail.com>
Message-ID: <591049.5245.qm@web76302.mail.sg1.yahoo.com>

Also, does ipa-client-install configure the client to be an ssh server? From what I understand from the documentation, ipa-client-install does not configure the client machine to be a kerberized ssh server.

John Robert Mendoza
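The three replies above converge on what the machine running ssh needs before a GSSAPI login can succeed: a Kerberos client configuration (krb5.conf), a ticket obtained with kinit on that same machine (the "Credentials cache file not found" lines come from the ssh client, not from sshd on the target), and DNS that resolves the target forward and reverse consistently. The following Python is an added example, not code from this thread or from FreeIPA: it turns the ssh -v lines Michael posted into a diagnosis and runs those three checks with injected file and DNS lookups so it can be exercised offline. The function names, the 192.0.2.10 address and the fake resolver answers are constructed for the example.

```python
"""GSSAPI-over-SSH preflight, as an added example (not from the thread or FreeIPA).

Lookups are injected so the module runs offline; every host name, IP and
path below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Lines ssh -v prints when GSSAPI cannot find a ticket (shape taken from the thread).
CCACHE_RE = re.compile(r"Credentials cache file '([^']+)' not found")
GSS_FAIL_RE = re.compile(r"Unspecified GSS failure")


def diagnose_ssh_verbose(ssh_output: str) -> Dict[str, object]:
    """Read 'ssh -v' output and say which credential cache the *client* looked for."""
    lines = ssh_output.splitlines()
    missing = sorted({m.group(1) for line in lines for m in [CCACHE_RE.search(line)] if m})
    return {
        "gssapi_attempted": any("Next authentication method: gssapi-with-mic" in l for l in lines),
        "gss_failures": sum(1 for l in lines if GSS_FAIL_RE.search(l)),
        "missing_ccache": missing,
        # The cache lives on the machine running ssh, not on the sshd host.
        "next_step": "run kinit on the machine running ssh" if missing else None,
    }


def default_ccache_path(uid: int, env: Dict[str, str]) -> str:
    """KRB5CCNAME wins; MIT Kerberos' classic default is /tmp/krb5cc_<uid>."""
    name = env.get("KRB5CCNAME", "")
    if name.startswith("FILE:"):
        return name[len("FILE:"):]
    return name or f"/tmp/krb5cc_{uid}"


@dataclass
class Preflight:
    """Checks run on the ssh client before trying GSSAPI single sign-on.

    file_exists / forward / reverse are injected so tests can fake them.
    """
    uid: int
    env: Dict[str, str]
    file_exists: Callable[[str], bool]
    forward: Callable[[str], Optional[str]]   # hostname -> IP or None
    reverse: Callable[[str], Optional[str]]   # IP -> hostname or None
    krb5_conf: str = "/etc/krb5.conf"

    def run(self, target: str) -> List[str]:
        """Return human-readable problems; an empty list means ready to try ssh."""
        problems: List[str] = []
        if not self.file_exists(self.krb5_conf):
            problems.append(f"no {self.krb5_conf}: this host has no Kerberos client config")
        ccache = default_ccache_path(self.uid, self.env)
        if not self.file_exists(ccache):
            problems.append(f"no credential cache at {ccache}: run kinit on this host first")
        ip = self.forward(target)
        if ip is None:
            problems.append(f"{target} does not resolve")
            return problems
        back = self.reverse(ip)
        if back is None:
            # GSSAPI canonicalizes the service host name via reverse DNS by default.
            problems.append(f"{ip} has no PTR record; the host/ service principal may not match")
        elif back.rstrip(".").lower() != target.rstrip(".").lower():
            problems.append(f"reverse lookup of {ip} is {back}, not {target}")
        return problems


# Constructed sample: the shape of the output Michael posted, on a node without a ticket.
SAMPLE_SSH_V = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
"""

# Constructed fake environment: krb5.conf present, no ticket, DNS consistent.
FAKE_DNS = {"client.example.com": "192.0.2.10"}
FAKE_PTR = {"192.0.2.10": "client.example.com."}


def demo() -> List[str]:
    pf = Preflight(
        uid=0,
        env={},
        file_exists=lambda path: path == "/etc/krb5.conf",
        forward=FAKE_DNS.get,
        reverse=FAKE_PTR.get,
    )
    return pf.run("client.example.com")


if __name__ == "__main__":
    print(diagnose_ssh_verbose(SAMPLE_SSH_V))
    for p in demo():
        print("preflight:", p)
```

Run as root on node.example.com, the demo reproduces the thread's situation: krb5.conf may be present, but with no /tmp/krb5cc_0 the only finding is "run kinit on this host first", which is exactly what Scott and John Robert Mendoza suggested.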
From Andy.Singleton at tipp24os.co.uk Mon Jan 25 10:44:54 2010
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Mon, 25 Jan 2010 10:44:54 -0000
Subject: [Freeipa-users] Installing IPA on Solaris 10
Message-ID: <1CD40A4DEEA320479C98D8A93A5C6906026B089E@waterloo.t24uk.tipp24.net>

Hi guys,

I am installing the IPA 1.2.2 client on one of our Solaris servers, and I can't seem to get the system to see the IPA users. "getent passwd" only returns local users, and no ldap traffic is leaving the client for the IPA server.

I have followed the instructions from the documentation, but I definitely get the feeling that something is missing. All the various configuration files are populated, and the Kerberos portion works correctly because I can obtain a ticket. So possibly there is a problem with the nss_ldap part, or the ldap.conf itself.

Does anyone know common problems that might have this result on Solaris 10?

For reference, here is the /etc/ldap.conf file:

ldap_version 3
base cn=compat,dc=live,dc=tipp24,dc=net
nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub
nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub
nss_schema rfc2307bis
nss_map_objectclass shadowAccount posixAccount
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,dirsrv,oracle
nss_reconnect_maxsleeptime 8
nss_reconnect_sleeptime 1
bind_timelimit 2
timelimit 4
nss_srv_domain live.tipp24.net
uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net

Thanks
Andy

From wxiluo at gmail.com Tue Jan 26 10:17:05 2010
From: wxiluo at gmail.com (Michael Kang)
Date: Tue, 26 Jan 2010 18:17:05 +0800
Subject: [Freeipa-users] Web admin for FreeIPA Directory Server
Message-ID: <97725cf1001260217r1b8ba4f8o28019da15f463e49@mail.gmail.com>

Hi all,

Could I use phpLDAPadmin to maintain FreeIPA Directory Server?

I want to use dhcp3-server-ldap and PowerDNS based on FreeIPA, so that I could integrate FreeIPA, DNS and DHCP through Fedora Directory Server.

I guess it's a good idea. FreeIPA needs a DNS server, but managing a BIND server is a boring job. If FreeIPA could assign IP addresses dynamically and automatically bind them in the DNS mapping table, it would be much better.

I'm working on this solution. I'd like to document the whole process and make a HOWTO document for the FreeIPA community.

Thanks,
Michael

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion

From scott.kaminski at gmail.com Tue Jan 26 23:15:23 2010
From: scott.kaminski at gmail.com (Scott Kaminski)
Date: Tue, 26 Jan 2010 15:15:23 -0800
Subject: [Freeipa-users] HA/DR
Message-ID:

Just wondering, if you set up 4 servers using MMR, what would happen if your first ipa server died and was unrecoverable? Would it be possible to recover from this scenario?

The reason I ask is that, the way I understand 389-ds, the username/password db will be available in a mmr setup, but the configuration database requires a special replication setup.

What methods does everyone use to back up their ipa systems?

Thanks,

From dpal at redhat.com Tue Jan 26 23:50:02 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 26 Jan 2010 18:50:02 -0500
Subject: [Freeipa-users] HA/DR
In-Reply-To:
References:
Message-ID: <4B5F7FAA.8010203@redhat.com>

Scott Kaminski wrote:
> Just wondering if you setup 4 servers using MMR what would happen if
> your first ipa server died and was unrecoverable? Would it be possible
> to recover from this scenario?

The replicas are mostly symmetric. The difference is that the first IPA has certs that you need to back up and store.
Other than that all replicas are equal. With the certs saved aside you can recover with no issues. There was a more detailed answer on the list some time ago from Rob. Rob do you remember? > The reason I ask as the way I understand 389-ds is that the > username/password db will be available in a mmr setup, but the > configuration database requires a special replication setup. > > What methods does everyone use to backup there ipa systems? > > Thanks, > > > > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Wed Jan 27 03:56:09 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 26 Jan 2010 22:56:09 -0500 Subject: [Freeipa-users] HA/DR In-Reply-To: <4B5F7FAA.8010203@redhat.com> References: <4B5F7FAA.8010203@redhat.com> Message-ID: <4B5FB959.4060905@redhat.com> Dmitri Pal wrote: > Scott Kaminski wrote: >> Just wondering if you setup 4 servers using MMR what would happen if >> your first ipa server died and was unrecoverable? Would it be possible >> to recover from this scenario? >> > > The replicas are mostly symmetric. The difference is the that the first > IPA has certs that you need to back up and store. Other than that all > replicas are equal. > With the certs saved aside you can recover with no issues. > There was a more detailed answer on the list some time ago from Rob. > Rob do you remember? Yup, details are here: https://bugzilla.redhat.com/show_bug.cgi?id=486950 The only other stipulation is that you'd want to use ipa-replica-manage to break any replication agreements with the downed server to avoid the extra overhead. 
rob > >> The reason I ask as the way I understand 389-ds is that the >> username/password db will be available in a mmr setup, but the >> configuration database requires a special replication setup. >> >> What methods does everyone use to backup there ipa systems? >> >> Thanks, >> >> >> >> >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > From wxiluo at gmail.com Wed Jan 27 05:44:25 2010 From: wxiluo at gmail.com (Michael Kang) Date: Wed, 27 Jan 2010 13:44:25 +0800 Subject: [Freeipa-users] Web admin for FreeIPA Directory Server In-Reply-To: <97725cf1001260217r1b8ba4f8o28019da15f463e49@mail.gmail.com> References: <97725cf1001260217r1b8ba4f8o28019da15f463e49@mail.gmail.com> Message-ID: <97725cf1001262144v7b0e0ffy10e3e35d0fe6868c@mail.gmail.com> Nobody answers my question: Could I ues phpLDAPadmin to maintain FreeIPA Directory Server? On Tue, Jan 26, 2010 at 6:17 PM, Michael Kang wrote: > Hi all, > > Could I ues phpLDAPadmin to maintain FreeIPA Directory Server? > > I want to use dhcp3-server-ldapand > PowerDNS based on > FreeIPA. So that, I could integrate FreeIPA, DNS, DHCP by Fedora Directory > Server. > > I guess it's a good idea. FreeIPA need DNS server. But managing BIND server > is a boring job. If FreeIPA could design the IP address dynamicly > assignation automatically binding in DNS mapping table. It will be much > perfecter. > > I'm working on this solution. I'd like to document the whole process and > make a HOWTO ducument for FreeIPA community. > > Thanks, > Michael > -- > Michael Kang?????? > There is a giant asleep within every man. When the giant awakens,miracles > happen. > > Personal blog: http://ufusion.org - United Fusion > -- Michael Kang?????? There is a giant asleep within every man. When the giant awakens,miracles happen. 
Personal blog: http://ufusion.org - United Fusion -------------- next part -------------- An HTML attachment was scrubbed... URL: From jdennis at redhat.com Wed Jan 27 13:49:24 2010 From: jdennis at redhat.com (John Dennis) Date: Wed, 27 Jan 2010 08:49:24 -0500 Subject: [Freeipa-users] Web admin for FreeIPA Directory Server In-Reply-To: <97725cf1001262144v7b0e0ffy10e3e35d0fe6868c@mail.gmail.com> References: <97725cf1001260217r1b8ba4f8o28019da15f463e49@mail.gmail.com> <97725cf1001262144v7b0e0ffy10e3e35d0fe6868c@mail.gmail.com> Message-ID: <4B604464.6070404@redhat.com> On 01/27/2010 12:44 AM, Michael Kang wrote: > Nobody answers my question: > > Could I ues phpLDAPadmin to maintain FreeIPA Directory Server? What would you like to administer? FreeIPA comes with a Web GUI that gives you an administrator interface for many operations. The 389 Directory server (which FreeIPA is based on) also comes with a Java based web administration interface, although we don't use it. There is no inherent reason you couldn't use phpLDAPadmin provided it supports the authentication we require. But more to the point is why? If there is something fundamentally lacking in the administration interface we provide we should fix it. Please note that v2 of FreeIPA has been under heavy development and the web GUI has received a lot of attention for the next release and whatever you're missing might have already been taken care of. -- John Dennis Looking to carve out IT costs? 
From rcritten at redhat.com Wed Jan 27 14:38:02 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jan 2010 09:38:02 -0500
Subject: [Freeipa-users] Web admin for FreeIPA Directory Server
In-Reply-To: <97725cf1001262144v7b0e0ffy10e3e35d0fe6868c@mail.gmail.com>
References: <97725cf1001260217r1b8ba4f8o28019da15f463e49@mail.gmail.com> <97725cf1001262144v7b0e0ffy10e3e35d0fe6868c@mail.gmail.com>
Message-ID: <4B604FCA.9030209@redhat.com>

Michael Kang wrote:
> Nobody answers my question:
>
> Could I use phpLDAPadmin to maintain FreeIPA Directory Server?

Is it technically possible? Sure, assuming it works with 389-ds.

Is it a good idea? Depends on what exactly you're going to do. If you don't try to manage any objects used by IPA you should be fine. If you start managing users, groups, etc. using another interface and you don't create them in the way that IPA expects them, then you could run into problems. It is for this reason that we don't configure the 389-ds console.

IPA v2 is going to add support for managing DNS.

rob

>
> On Tue, Jan 26, 2010 at 6:17 PM, Michael Kang wrote:
>
> Hi all,
>
> Could I use phpLDAPadmin to maintain FreeIPA Directory Server?
>
> I want to use dhcp3-server-ldap and PowerDNS based on FreeIPA, so that I could integrate FreeIPA, DNS and DHCP by Fedora Directory Server.
>
> I guess it's a good idea. FreeIPA needs a DNS server, but managing a BIND server is a boring job. If FreeIPA could assign IP addresses dynamically and automatically bind them in the DNS mapping table, it would be much better.
>
> I'm working on this solution. I'd like to document the whole process and make a HOWTO document for the FreeIPA community.
>
> Thanks,
> Michael
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
>
>
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From shan.sysadm at gmail.com Thu Jan 28 13:22:21 2010
From: shan.sysadm at gmail.com (Shan Kumaraswamy)
Date: Thu, 28 Jan 2010 16:22:21 +0300
Subject: [Freeipa-users] Error Installing FreeIPA build 1.2.2
Message-ID: <68b7c79a1001280522y6be892f0i2a2997deb8ee11f5@mail.gmail.com>

Dear All,

I am trying to install FreeIPA build 1.2.2 with RHDS 8.0, and while installing I am facing a serious issue. Please find below the steps which I followed and the error message which I got during the installation.

1. I successfully installed RHDS 8.0
2. Installed and tested RH Ent IPA without any issue
3. As per our requirement we need Active Directory integration, so I am planning to install FreeIPA, and I have completely un-installed RH Ent IPA using the #ipa-server-install --uninstall command and chosen "yes" to completely remove the configuration files which Ent IPA used.
4. Now I downloaded the FreeIPA build (1.2.2) and ran "make" then "make install".
5. I cross checked the /etc/hosts file and the fully qualified name is correct; nothing was changed.
6. Once I start the script the error message is thrown continually:

[root at sbttipa001 ~]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure TurboGears

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: master.example.com.

Server host name [sbttipa001.bmitest.com]:
Unexpected error - see ipaserver-install.log for details:
verify_fqdn() takes exactly 1 argument (2 given)

Please help me to resolve this critical issue.

Thanks in Advance.

--
Thanks & Regards
Shan Kumaraswamy

From rcritten at redhat.com Thu Jan 28 15:19:20 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jan 2010 10:19:20 -0500
Subject: [Freeipa-users] Error Installing FreeIPA build 1.2.2
In-Reply-To: <68b7c79a1001280522y6be892f0i2a2997deb8ee11f5@mail.gmail.com>
References: <68b7c79a1001280522y6be892f0i2a2997deb8ee11f5@mail.gmail.com>
Message-ID: <4B61AAF8.3090003@redhat.com>

Shan Kumaraswamy wrote:
> Dear All,
>
> I am trying to install FreeIPA build 1.2.2 with RHDS 8.0, and while installing I am facing a serious issue. Please find below the steps which I followed and the error message which I got during the installation.
>
> 1. I successfully installed RHDS 8.0
> 2. Installed and tested RH Ent IPA without any issue
> 3. As per our requirement we need Active Directory integration, so I am planning to install FreeIPA, and I have completely un-installed RH Ent IPA using the #ipa-server-install --uninstall command and chosen "yes" to completely remove the configuration files which Ent IPA used.
> 4. Now I downloaded the FreeIPA build (1.2.2) and ran "make" then "make install".
> 5. I cross checked the /etc/hosts file and the fully qualified name is correct; nothing was changed.
> 6. Once I start the script the error message is thrown continually:
>
> [root at sbttipa001 ~]# ipa-server-install
> The log file for this installation can be found in /var/log/ipaserver-install.log
> ==============================================================================
> This program will setup the FreeIPA Server.
>
> This includes:
>   * Configure the Network Time Daemon (ntpd)
>   * Create and configure an instance of Directory Server
>   * Create and configure a Kerberos Key Distribution Center (KDC)
>   * Configure Apache (httpd)
>   * Configure TurboGears
>
> To accept the default shown in brackets, press the Enter key.
>
> Enter the fully qualified domain name of the computer
> on which you're setting up server software. Using the form
> .
> Example: master.example.com.
>
> Server host name [sbttipa001.bmitest.com]:
>
> Unexpected error - see ipaserver-install.log for details:
> verify_fqdn() takes exactly 1 argument (2 given)
>
> Please help me to resolve this critical issue.

If you look in /var/log/ipaserver-install.log there should be a Python backtrace; we'd need to see that.

Alternatively, when we build and test from source we tend to use:

make rpms

and install the results from dist/rpms. I do this because it makes it easier to do replication and client testing and be sure I'm using the same bits everywhere.

rob
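Rob's reply points at the Python backtrace in /var/log/ipaserver-install.log. As an added example, not code from this thread or from FreeIPA, here is a small Python parser that pulls the traceback frames and the final exception out of such a log and flags a "takes exactly N argument (M given)" TypeError as a caller/callee arity mismatch, a common symptom when the installer script and the installed ipaserver modules come from different builds (the situation Rob's "same bits everywhere" remark addresses). The sample log text, the file paths and line numbers below the ipa-server-install entry point, and the function prompt_for_host are constructed placeholders, not real FreeIPA code; only the function name verify_fqdn and the error message come from the report above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of an ipaserver-install.log (timestamp,
# level, message). The frames below the entry point and the module path
# "/PLACEHOLDER/ipaserver/example_module.py" are invented for illustration.
SAMPLE_LOG = """\
2010-01-28 16:20:01,104 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2010-01-28 16:20:02,355 DEBUG   File "/usr/sbin/ipa-server-install", line 609, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-server-install", line 509, in main
    host_name = prompt_for_host(host_default)
  File "/PLACEHOLDER/ipaserver/example_module.py", line 1, in prompt_for_host
    verify_fqdn(host_name, no_host_dns)
TypeError: verify_fqdn() takes exactly 1 argument (2 given)
2010-01-28 16:20:02,360 ERROR Unexpected error - see ipaserver-install.log for details
"""

# "YYYY-MM-DD HH:MM:SS,mmm LEVEL message" prefix used by the installer log.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (?P<level>[A-Z]+) (?P<rest>.*)$")
# One traceback frame as Python prints it.
FRAME_RE = re.compile(r'File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
# Final "ExceptionType: message" line; only accepted after at least one frame.
EXC_RE = re.compile(r"^(?P<type>[A-Za-z_][\w.]*): (?P<msg>.*)$")
# Python 2 ("takes exactly 1 argument (2 given)") and Python 3
# ("takes 1 positional argument but 2 were given") arity messages.
ARITY_RE = re.compile(
    r"takes (?:exactly |at least |at most |from \d+ to )?(?P<want>\d+) (?:positional )?arguments?"
    r" (?:\((?P<got_py2>\d+) given\)|but (?P<got_py3>\d+) (?:was|were) given)"
)


@dataclass
class Frame:
    path: str
    line: int
    func: str


@dataclass
class Backtrace:
    frames: List[Frame] = field(default_factory=list)
    exc_type: Optional[str] = None
    exc_msg: Optional[str] = None

    @property
    def innermost(self) -> Optional[Frame]:
        """The frame that actually raised (last one printed)."""
        return self.frames[-1] if self.frames else None


def parse_backtrace(log_text: str) -> Backtrace:
    """Collect traceback frames and the first exception line that follows them."""
    bt = Backtrace()
    for raw in log_text.splitlines():
        line = raw.strip()
        ts = TS_RE.match(line)
        if ts:  # drop the timestamp/level prefix when the frame was logged, not printed
            line = ts.group("rest").strip()
        fm = FRAME_RE.search(line)
        if fm:
            bt.frames.append(Frame(fm.group("path"), int(fm.group("line")), fm.group("func")))
            continue
        em = EXC_RE.match(line)
        if em and bt.frames and bt.exc_type is None:
            bt.exc_type, bt.exc_msg = em.group("type"), em.group("msg")
    return bt


def diagnose(bt: Backtrace) -> str:
    """Turn the parsed traceback into a one-line hint for the person reading the log."""
    if bt.exc_type is None:
        return "no Python traceback found in log"
    if bt.exc_type == "TypeError" and bt.exc_msg:
        m = ARITY_RE.search(bt.exc_msg)
        if m:
            got = m.group("got_py2") or m.group("got_py3")
            where = bt.innermost
            at = " at %s:%d in %s" % (where.path, where.line, where.func) if where else ""
            return ("arity mismatch%s: callee expects %s argument(s), caller passed %s; "
                    "the calling script and the installed module probably come from "
                    "different builds" % (at, m.group("want"), got))
    return "%s: %s" % (bt.exc_type, bt.exc_msg)


if __name__ == "__main__":
    print(diagnose(parse_backtrace(SAMPLE_LOG)))
```

Run it against a real log with `diagnose(parse_backtrace(open("/var/log/ipaserver-install.log").read()))`; the innermost frame tells you which installed module the script disagrees with, which is the first thing to compare between the `make install` tree and whatever RPM-installed copy is still on the box.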
