From danieljamesscott at gmail.com Wed Jun 1 00:28:52 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 31 May 2011 20:28:52 -0400
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To: <4DE56AFA.5080602@redhat.com>
References: <4DDD7F0A.402@redhat.com> <4DE56AFA.5080602@redhat.com>
Message-ID:

Done:

https://fedorahosted.org/freeipa/ticket/1266

Dan

On Tue, May 31, 2011 at 18:26, Dmitri Pal wrote:
> On 05/31/2011 06:02 PM, Dan Scott wrote:
>> Hi,
>>
>> Thanks for all the replies.
>>
>> On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote:
>>>> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running
>>>> on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has
>>>> been released. But I have a few questions:
>>>>
>>>> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?
>>> Yes, but you would have to configure it yourself. sssd would work nicely with
>>> an ldap/krb5 configuration.
>> I've set up a Fedora 15 VM and have successfully configured it to
>> authenticate against my FreeIPA 1 servers, so this is good. One small
>> problem was that I couldn't get passwordless ssh logins *to* the F15
>> system working. I created and installed a host keytab, same as for all
>> the other systems, but no luck. I was able to ssh *from* the F15
>> system without a password however. Any ideas?
>>
>>>> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring
>>>> an upgrade from Fedora 14 to 15 along the way).
>>> You cannot do a straight upgrade, too much changed between the two versions.
>>> You should be able to migrate the users and groups using the v2 migration
>>> system. This will maintain your user passwords at least. You would need to
>>> generate new principals and keytabs for your kerberized services.
>> I've set up a Fedora 15 VM and installed the FreeIPA server. I ran the
>> ipa migrate-ds command provided in the documentation.
>> All of the user
>> groups were migrated successfully, but none of the users were migrated
>> due to 'unknown object class "radiusprofile"' errors.
>>
>> I've seen this post here:
>>
>> https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html
>>
>> but I wanted to add that I don't use any of the radius functionality
>> and my FreeIPA v1 installation is pretty standard, so other users
>> might run into this. I didn't find a bug report, but can file one if
>> needed?
>>
>
> Yes please: https://fedorahosted.org/freeipa/
>
>> Thanks,
>>
>> Dan
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From ide4you at gmail.com Wed Jun 1 14:41:06 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Wed, 1 Jun 2011 10:41:06 -0400
Subject: [Freeipa-users] Issue with replication install
Message-ID:

Hi all

We are trying to set up a backup IPA server and decided to toe that
replication route.
The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
15 and freeipa 2.0.1.
Note we first did ipa-server-install --uninstall before upgrading the
freeipa packages so as to make sure that the server is relatively clean.
However when I run that ipa-replica-install command, I end up with the
following error in the ipareplica-install.log

2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
    PKI-IPA...[  OK  ]
Starting dirsrv:
    PKI-IPA...[FAILED]
  *** Warning: 1 instance(s) failed to start

2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.

2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped

2011-05-31 23:54:33,501 DEBUG stderr=
2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server. See the installation log for details.

These are the tomcat rpms on the server

tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
tomcat6-6.0.30-6.fc15.noarch
tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
tomcat6-lib-6.0.30-6.fc15.noarch
tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
tomcatjss-2.1.1-1.fc15.noarch

So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.

The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show anything other than the same,

[31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed

Any help will be greatly appreciated

Ide
From rcritten at redhat.com Wed Jun 1 15:25:40 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Jun 2011 11:25:40 -0400
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To:
References: <4DDD7F0A.402@redhat.com>
Message-ID: <4DE659F4.5070104@redhat.com>

Dan Scott wrote:
> Hi,
>
> Thanks for all the replies.
>
> On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote:
>>> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running
>>> on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has
>>> been released. But I have a few questions:
>>>
>>> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?
>>
>> Yes, but you would have to configure it yourself. sssd would work nicely with
>> an ldap/krb5 configuration.
>
> I've set up a Fedora 15 VM and have successfully configured it to
> authenticate against my FreeIPA 1 servers, so this is good. One small
> problem was that I couldn't get passwordless ssh logins *to* the F15
> system working. I created and installed a host keytab, same as for all
> the other systems, but no luck. I was able to ssh *from* the F15
> system without a password however. Any ideas?

Are any errors reported on either side? You can test the host principal
with something like:

# kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM

>
>>> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring
>>> an upgrade from Fedora 14 to 15 along the way).
>>
>> You cannot do a straight upgrade, too much changed between the two versions.
>> You should be able to migrate the users and groups using the v2 migration
>> system. This will maintain your user passwords at least. You would need to
>> generate new principals and keytabs for your kerberized services.
>
> I've set up a Fedora 15 VM and installed the FreeIPA server. I ran the
> ipa migrate-ds command provided in the documentation.
> All of the user
> groups were migrated successfully, but none of the users were migrated
> due to 'unknown object class "radiusprofile"' errors.
>
> I've seen this post here:
>
> https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html
>
> but I wanted to add that I don't use any of the radius functionality
> and my FreeIPA v1 installation is pretty standard, so other users
> might run into this. I didn't find a bug report, but can file one if
> needed?

Saw that you filed one, thanks, we'll take a look.

rob

From rcritten at redhat.com Wed Jun 1 15:40:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Jun 2011 11:40:29 -0400
Subject: [Freeipa-users] Issue with replication install
In-Reply-To:
References:
Message-ID: <4DE65D6D.7050604@redhat.com>

Uzor Ide wrote:
>
> Hi all
>
> We are trying to set up a backup IPA server and decided to toe that
> replication route.
> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
> 15 and freeipa 2.0.1.
> Note we first did ipa-server-install --uninstall before upgrading the
> freeipa packages so as to make sure that the server is relatively clean.
>
> However when I run that ipa-replica-install command, I end up with the
> following error in the ipareplica-install.log
>
> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
> PKI-IPA...[ OK ]
> Starting dirsrv:
> PKI-IPA...[FAILED]
> *** Warning: 1 instance(s) failed to start
>
> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL
> alert: Security Initialization: Unable to authenticate (Netscape
> Portable Runtime error -8192 - An I/O error occurred during security
> authorization.)
> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>
> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>
> 2011-05-31 23:54:33,501 DEBUG stderr=
> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
> See the installation log for details.
>
> These are the tomcat rpms on the server
>
> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
> tomcat6-6.0.30-6.fc15.noarch
> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
> tomcat6-lib-6.0.30-6.fc15.noarch
> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
> tomcatjss-2.1.1-1.fc15.noarch
>
> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>
> The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show anything
> other than the same,
>
> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
> Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O
> error occurred during security authorization.)
> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>
>
> Any help will be greatly appreciated
>
> Ide

I think we need more context. Can you compress and send
/var/log/ipareplica-install.log ?

I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to
see if there is anything interesting there.

And can you provide the output for:

certutil -L -d /etc/dirsrv/slapd-PKI-IPA

It would seem that your 389-ds instance is missing a copy of the CA cert.

thanks

rob

From DLWillson at TheGeek.NU Wed Jun 1 17:31:52 2011
From: DLWillson at TheGeek.NU (David L. Willson)
Date: Wed, 01 Jun 2011 11:31:52 -0600 (MDT)
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To: <4DE55B3E.9000707@redhat.com>
Message-ID: <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop>

> On 05/31/2011 05:12 PM, Steven Jones wrote:
> > I've tried googling and found nothing really.......it doesn't bode
> > well.
> > The general theme: is use standard NSS_LDAP + PAM_KRB5 instructions
> provided on the platforms that do not support SSSD.
> There is nothing better than that.

Maybe this article could be a good jumping-off point?

http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview them
well, with enough static examples to give you a feel for what you're
getting into.

From ide4you at gmail.com Wed Jun 1 16:38:13 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Wed, 1 Jun 2011 12:38:13 -0400
Subject: [Freeipa-users] Issue with replication install
In-Reply-To: <4DE65D6D.7050604@redhat.com>
References: <4DE65D6D.7050604@redhat.com>
Message-ID:

Thanks Rob

I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the
nssdb is empty
If the CA cert is supposed to exist there at that stage of install,
then that would be the problem.

Both the slapd-PKI-IPA error and access do not contain much. I
attached them herein with the ipareplica-install.log.

thanks

Ide

On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden wrote:
> Uzor Ide wrote:
>
>>
>> Hi all
>>
>> We are trying to set up a backup IPA server and decided to toe that
>> replication route.
>> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
>> 15 and freeipa 2.0.1.
>> Note we first did ipa-server-install --uninstall before upgrading the
>> freeipa packages so as to make sure that the server is relatively clean.
>>
>> However when I run that ipa-replica-install command, I end up with the
>> following error in the ipareplica-install.log
>>
>> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
>> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
>> PKI-IPA...[ OK ]
>> Starting dirsrv:
>> PKI-IPA...[FAILED]
>> *** Warning: 1 instance(s) failed to start
>>
>> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL
>> alert: Security Initialization: Unable to authenticate (Netscape
>> Portable Runtime error -8192 - An I/O error occurred during security
>> authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>>
>> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
>> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>>
>> 2011-05-31 23:54:33,501 DEBUG stderr=
>> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
>> See the installation log for details.
>>
>> These are the tomcat rpms on the server
>>
>> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
>> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
>> tomcat6-6.0.30-6.fc15.noarch
>> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
>> tomcat6-lib-6.0.30-6.fc15.noarch
>> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
>> tomcatjss-2.1.1-1.fc15.noarch
>>
>> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>>
>> The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show anything
>> other than the same,
>>
>> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
>> Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O
>> error occurred during security authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>>
>>
>> Any help will be greatly appreciated
>>
>> Ide
>>
>
> I think we need more context. Can you compress and send
> /var/log/ipareplica-install.log ?
>
> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to
> see if there is anything interesting there.
>
> And can you provide the output for:
>
> certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>
> It would seem that your 389-ds instance is missing a copy of the CA cert.
>
> thanks
>
> rob
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipainstallogs.tgz
Type: application/x-gzip
Size: 3854 bytes

From dpal at redhat.com Wed Jun 1 20:17:19 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 01 Jun 2011 16:17:19 -0400
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To:
References: <4DDD7F0A.402@redhat.com> <4DE56AFA.5080602@redhat.com>
Message-ID: <4DE69E4F.2020509@redhat.com>

On 05/31/2011 08:28 PM, Dan Scott wrote:
> Done:
>
> https://fedorahosted.org/freeipa/ticket/1266

Thanks. We will try to look at it as soon as we can.

> Dan
>
> On Tue, May 31, 2011 at 18:26, Dmitri Pal wrote:
>> On 05/31/2011 06:02 PM, Dan Scott wrote:
>>> Hi,
>>>
>>> Thanks for all the replies.
>>>
>>> On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote:
>>>>> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running
>>>>> on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has
>>>>> been released. But I have a few questions:
>>>>>
>>>>> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?
>>>> Yes, but you would have to configure it yourself. sssd would work nicely with
>>>> an ldap/krb5 configuration.
>>> I've set up a Fedora 15 VM and have successfully configured it to
>>> authenticate against my FreeIPA 1 servers, so this is good. One small
>>> problem was that I couldn't get passwordless ssh logins *to* the F15
>>> system working. I created and installed a host keytab, same as for all
>>> the other systems, but no luck.
>>> I was able to ssh *from* the F15
>>> system without a password however. Any ideas?
>>>
>>>>> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring
>>>>> an upgrade from Fedora 14 to 15 along the way).
>>>> You cannot do a straight upgrade, too much changed between the two versions.
>>>> You should be able to migrate the users and groups using the v2 migration
>>>> system. This will maintain your user passwords at least. You would need to
>>>> generate new principals and keytabs for your kerberized services.
>>> I've set up a Fedora 15 VM and installed the FreeIPA server. I ran the
>>> ipa migrate-ds command provided in the documentation. All of the user
>>> groups were migrated successfully, but none of the users were migrated
>>> due to 'unknown object class "radiusprofile"' errors.
>>>
>>> I've seen this post here:
>>>
>>> https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html
>>>
>>> but I wanted to add that I don't use any of the radius functionality
>>> and my FreeIPA v1 installation is pretty standard, so other users
>>> might run into this. I didn't find a bug report, but can file one if
>>> needed?
>>>
>> Yes please: https://fedorahosted.org/freeipa/
>>
>>> Thanks,
>>>
>>> Dan
>>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Jun 1 20:24:22 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 01 Jun 2011 16:24:22 -0400
Subject: [Freeipa-users] Issue with replication install
In-Reply-To: <4DE65D6D.7050604@redhat.com>
References: <4DE65D6D.7050604@redhat.com>
Message-ID: <4DE69FF6.8020004@redhat.com>

On 06/01/2011 11:40 AM, Rob Crittenden wrote:
> Uzor Ide wrote:
>>
>> Hi all
>>
>> We are trying to set up a backup IPA server and decided to toe that
>> replication route.
>> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to fedora
>> 15 and freeipa 2.0.1.
>> Note we first did ipa-server-install --uninstall before upgrading the
>> freeipa packages so as to make sure that the server is relatively clean.
>>
>> However when I run that ipa-replica-install command, I end up with the
>> following error in the ipareplica-install.log
>>
>> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart PKI-IPA
>> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
>> PKI-IPA...[ OK ]
>> Starting dirsrv:
>> PKI-IPA...[FAILED]
>> *** Warning: 1 instance(s) failed to start
>>
>> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 -0400] - SSL
>> alert: Security Initialization: Unable to authenticate (Netscape
>> Portable Runtime error -8192 - An I/O error occurred during security
>> authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>>
>> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
>> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>>
>> 2011-05-31 23:54:33,501 DEBUG stderr=
>> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory server.
>> See the installation log for details.
>>
>> These are the tomcat rpms on the server
>>
>> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
>> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
>> tomcat6-6.0.30-6.fc15.noarch
>> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
>> tomcat6-lib-6.0.30-6.fc15.noarch
>> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
>> tomcatjss-2.1.1-1.fc15.noarch
>>
>> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>>
>> The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show anything
>> other than the same,
>>
>> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
>> Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O
>> error occurred during security authorization.)
>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>>
>>
>> Any help will be greatly appreciated
>>
>> Ide
>
> I think we need more context. Can you compress and send
> /var/log/ipareplica-install.log ?
>
> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors
> to see if there is anything interesting there.
>
> And can you provide the output for:
>
> certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>
> It would seem that your 389-ds instance is missing a copy of the CA cert.
>
> thanks
>
> rob
>

Just for the record, I did a similar thing yesterday.
I had F14 with old ipa instance.
I did ipa-server-install --uninstall
removed ipa packages
Upgraded Fedora.
Installed new IPA packages
Ran install and hit a similar error.
It seems that ipa-server uninstall does not destroy all the instances
correctly for the PKI. So when the package is updated and the install is
rerun it fails since there is a PKI DS instance. This might be a bug in
the uninstall that we already fixed.

To clean the system I ran the --uninstall several times. Each time it was
failing but moving further. At some point it was successful and I was
able to install.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Wed Jun 1 20:26:01 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 1 Jun 2011 20:26:01 +0000
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To: <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop>
References: <4DE55B3E.9000707@redhat.com>, <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0DCC77@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Thanks, any help to kick off is good.

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of David L. Willson [DLWillson at TheGeek.NU]
Sent: Thursday, 2 June 2011 5:31 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server

> On 05/31/2011 05:12 PM, Steven Jones wrote:
> > I've tried googling and found nothing really.......it doesn't bode
> > well.
>
> The general theme: is use standard NSS_LDAP + PAM_KRB5 instructions
> provided on the platforms that do not support SSSD.
> There is nothing better than that.

Maybe this article could be a good jumping-off point?

http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview them
well, with enough static examples to give you a feel for what you're
getting into.
From Steven.Jones at vuw.ac.nz Thu Jun 2 00:04:31 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 2 Jun 2011 00:04:31 +0000
Subject: [Freeipa-users] New ipa manual suggestions
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0DCCC3@STAWINCOX10MBX1.staff.vuw.ac.nz>

While looking through the freeipa v 1 manual I see we get written
descriptions of how to use the web gui, I am always unimpressed by this.
If you are talking about a visual event/task, pictures / screen shots I
find are way better than words.

Also some good examples of how to setup, for instance end to end
examples e.g. add users to groups, add hosts to groups and add both to
netgroups and any other bits 'n pieces needed...

regards

From dpal at redhat.com Thu Jun 2 00:38:03 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 01 Jun 2011 20:38:03 -0400
Subject: [Freeipa-users] New ipa manual suggestions
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0DCCC3@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0DCCC3@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DE6DB6B.2040202@redhat.com>

On 06/01/2011 08:04 PM, Steven Jones wrote:
> While looking through the freeipa v 1 manual I see we get written
> descriptions of how to use the web gui, I am always unimpressed by this.
> If you are talking about a visual event/task, pictures / screen shots I
> find are way better than words.
>
> Also some good examples of how to setup, for instance end to end
> examples e.g. add users to groups, add hosts to groups and add both to
> netgroups and any other bits 'n pieces needed...
>

The IPA v1 UI has nothing to do with IPA v2 UI. It was redone from
scratch. We have not had a chance to even start documenting the UI. This
is the task for upcoming months.
> regards
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Thu Jun 2 15:08:31 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 02 Jun 2011 11:08:31 -0400
Subject: [Freeipa-users] Issue with replication install
In-Reply-To:
References: <4DE65D6D.7050604@redhat.com>
Message-ID: <4DE7A76F.5010405@redhat.com>

Uzor Ide wrote:
> Thanks Rob
>
> I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the
> nssdb is empty
> If the CA cert is supposed to exist there at that stage of install,
> then that would be the problem.
>
> Both the slapd-PKI-IPA error and access do not contain much. I
> attached them herein with the ipareplica-install.log.
>

How old is the prepared replica file, and was it created with an older
version of IPA?

In one of the last release candidates we started creating a separate SSL
certificate for the 389-ds instance used by dogtag. I get the feeling
that doesn't exist which would explain why SSL is failing.

You can check by doing something like:

# gpg -d replica-info-.gpg | tar tvf -

The file you're looking for is dogtagcert.p12

rob

> thanks
>
> Ide
>
>
> On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden
> wrote:
>
>     Uzor Ide wrote:
>
>
>         Hi all
>
>         We are trying to set up a backup IPA server and decided to toe that
>         replication route.
>         The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to
>         fedora
>         15 and freeipa 2.0.1.
>         Note we first did ipa-server-install --uninstall before
>         upgrading the
>         freeipa packages so as to make sure that the server is
>         relatively clean.
>
>         However when I run that ipa-replica-install command, I end up
>         with the
>         following error in the ipareplica-install.log
>
>         2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart
>         PKI-IPA
>         2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv:
>         PKI-IPA...[ OK ]
>         Starting dirsrv:
>         PKI-IPA...[FAILED]
>         *** Warning: 1 instance(s) failed to start
>
>         2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23
>         -0400] - SSL
>         alert: Security Initialization: Unable to authenticate (Netscape
>         Portable Runtime error -8192 - An I/O error occurred during security
>         authorization.)
>         [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed.
>
>         2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status
>         2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped
>
>         2011-05-31 23:54:33,501 DEBUG stderr=
>         2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory
>         server.
>         See the installation log for details.
>
>         These are the tomcat rpms on the server
>
>         tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
>         tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
>         tomcat6-6.0.30-6.fc15.noarch
>         tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
>         tomcat6-lib-6.0.30-6.fc15.noarch
>         tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
>         tomcatjss-2.1.1-1.fc15.noarch
>
>         So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>
>         The /var/log/dirsrv/slapd-PKI-IPA/errors log does not show
>         anything other than the same,
>
>         [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization:
>         Unable to authenticate (Netscape Portable Runtime error -8192 -
>         An I/O
>         error occurred during security authorization.)
>         [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>
>
>         Any help will be greatly appreciated
>
>         Ide
>
>
>     I think we need more context. Can you compress and send
>     /var/log/ipareplica-install.log ?
>
>     I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and
>     errors to see if there is anything interesting there.
>
>     And can you provide the output for:
>
>     certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>
>     It would seem that your 389-ds instance is missing a copy of the CA
>     cert.
>
>     thanks
>
>     rob
>
>

From ide4you at gmail.com Fri Jun 3 14:28:02 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Fri, 3 Jun 2011 10:28:02 -0400
Subject: [Freeipa-users] Issue with replication install
In-Reply-To: <4DE7A76F.5010405@redhat.com>
References: <4DE65D6D.7050604@redhat.com> <4DE7A76F.5010405@redhat.com>
Message-ID:

The IPA server is version 2.0.0 R3 which is supposed to install on fc14
with some packages from updates-testing repo, while the replica install
is on server 2.0.1

Yes, there is no dogtagcert.p12 file; here are the files contained:

realm_info/httpcert.p12
realm_info/cacert.p12
realm_info/ldappwd
realm_info/ra.p12
realm_info/http_pin.txt
realm_info/realm_info
realm_info/configure.jar
realm_info/dscert.p12
realm_info/dirsrv_pin.txt
realm_info/pwdfile.txt.ori
realm_info/pwdfile.txt
realm_info/kpasswd.keytab
realm_info/preferences.htm
realm_info/ca.crt

I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get
a correct replica package but that seems to have created another problem
as it has broken the tomcat and thus pki-ca.
Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start
SEVERE: LifecycleException
java.io.IOException: Failed to access resource /WEB-INF/lib/jakarta-commons-collections.jar
        at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050)
        at org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4541)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
        at org.apache.catalina.core.StandardService.start(StandardService.java:525)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:701)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:585)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.naming.NamingException: Resource jakarta-commons-collections.jar not found
        at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209)
        at org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048)
        ... 24 more

It seems to me that it is looking for jakarta-commons-collections.jar
which exists but is a package from the old tomcat6-6.0.26.

Thanks

__Ide

On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden wrote:
> Uzor Ide wrote:
>
>> Thanks Rob
>>
>> I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the
>> nssdb is empty
>> If the CA cert is supposed to exist there at that stage of install,
>> then that would be the problem.
>>
>> Both the slapd-PKI-IPA error and access do not contain much. I
>> attached them herein with the ipareplica-install.log.
>>
>>
> How old is the prepared replica file, and was it created with an older
> version of IPA?
>
> In one of the last release candidates we started creating a separate SSL
> certificate for the 389-ds instance used by dogtag. I get the feeling that
> doesn't exist which would explain why SSL is failing.
>
> You can check by doing something like:
> # gpg -d replica-info-.gpg | tar tvf -
>
> The file you're looking for is dogtagcert.p12
>
> rob
>
>> thanks
>>
>> Ide
>>
>>
>> On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden
>> wrote:
>>
>>     Uzor Ide wrote:
>>
>>
>>         Hi all
>>
>>         We are trying to set up a backup IPA server and decided to toe that
>>         replication route.
>>         The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to
>>         fedora
>>         15 and freeipa 2.0.1.
>>         Note we first did ipa-server-install --uninstall before
>>         upgrading the
>>         freeipa packages so as to make sure that the server is
>>         relatively clean.
>> >> However when I run that ipa-replica-install command, I end up >> with the >> following error in the ipareplica-install.log >> >> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart >> PKI-IPA >> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: >> PKI-IPA...[ OK ] >> Starting dirsrv: >> PKI-IPA...[FAILED] >> *** Warning: 1 instance(s) failed to start >> >> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 >> -0400] - SSL >> alert: Security Initialization: Unable to authenticate (Netscape >> Portable Runtime error -8192 - An I/O error occurred during >> security >> authorization.) >> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. >> >> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status >> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped >> >> 2011-05-31 23:54:33,501 DEBUG stderr= >> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory >> server. >> See the installation log for details. >> >> This are the tomcat rpms on the server >> >> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch >> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch >> tomcat6-6.0.30-6.fc15.noarch >> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch >> tomcat6-lib-6.0.30-6.fc15.noarch >> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch >> tomcatjss-2.1.1-1.fc15.noarch >> >> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5. >> >> The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any >> other >> thing different from same, >> >> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: >> Unable to authenticate (Netscape Portable Runtime error -8192 - >> An I/O >> error occurred during security authorization.) >> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed >> >> >> Any help will be greatly appreciated >> >> Ide >> >> >> I think we need more context. Can you compress and send >> /var/log/ipareplica-install.log ? 
>> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and
>> errors to see if there is anything interesting there.
>>
>> And can you provide the output for:
>>
>> certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>>
>> It would seem that your 389-ds instance is missing a copy of the CA
>> cert.
>>
>> thanks
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

From ide4you at gmail.com Fri Jun 3 18:32:18 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Fri, 3 Jun 2011 14:32:18 -0400
Subject: [Freeipa-users] Issue with replication install
In-Reply-To:
References: <4DE65D6D.7050604@redhat.com> <4DE7A76F.5010405@redhat.com>
Message-ID:

I have corrected the problem with the ipa server, from the broken tomcat/pki-ca. The problem comes from a symlink that was created during the setup of pki-ca from PKI-HOME for jakarta-commons-collections.jar to /usr/share/java/jakarta-commons-collections.jar. This file is a member of the jakarta-commons-collections rpm package in fc14. In fc15 the jakarta-commons-collections package appears to have been renamed to apache-commons-collections, and an equivalent file, apache-commons-collections.jar, is contained. However, when you upgrade (at least in my own case, using preupgrade), it leaves the /var/lib/pki-ca/webapps/ca/WEB-INF/lib/jakarta-commons-collections.jar link orphaned. Recreating the symlink to /usr/share/java/apache-commons-collections.jar fixes the problem.

I have created a new replica package and I see that it contains the dogtagcert.p12 file. I will try to install the replica and see how it goes.
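The orphaned-symlink repair described above, as an added example that is not part of the original post and not code from the FreeIPA or pki-ca packages. It finds dangling .jar links in a webapp's WEB-INF/lib and repoints them only where a known rename resolves to an existing jar; the only rename it knows is the one from the thread (jakarta-commons-collections.jar to apache-commons-collections.jar). The rename table, the intact-example.jar and no-such-renamed.jar names, and the temp-dir tree that demo() builds are constructed for illustration:

```python
"""Added example, not code from the thread or from the FreeIPA/pki-ca
packages: find dangling .jar symlinks in a Tomcat webapp's WEB-INF/lib
left behind when a distribution upgrade renamed the package that owned
the target, and repoint them only when the renamed jar really exists.
demo() builds a constructed tree under a temp dir instead of touching
/var/lib/pki-ca or /usr/share/java."""
import os
import tempfile

# old jar basename -> new jar basename (constructed; the one entry is the
# Fedora 14 -> 15 rename from the thread; extend it for other renames)
RENAMED_JARS = {
    "jakarta-commons-collections.jar": "apache-commons-collections.jar",
}


def find_dangling_links(lib_dir):
    """Symlinks in lib_dir whose target no longer exists, sorted by name."""
    dangling = []
    for name in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, name)
        # os.path.exists() follows the link, so it is False for a dangling one.
        if os.path.islink(path) and not os.path.exists(path):
            dangling.append(path)
    return dangling


def repair_dangling_links(lib_dir, java_dir="/usr/share/java", dry_run=False):
    """Repoint each dangling link to the renamed jar in java_dir.

    A link is rewritten only when its old target's basename is in
    RENAMED_JARS and the new jar is a regular file in java_dir; anything
    else is reported as unresolved so nothing is guessed at. Returns
    (fixed, unresolved) as lists of link paths."""
    fixed, unresolved = [], []
    for link in find_dangling_links(lib_dir):
        old_target = os.readlink(link)
        new_name = RENAMED_JARS.get(os.path.basename(old_target))
        new_target = os.path.join(java_dir, new_name) if new_name else None
        if new_target is None or not os.path.isfile(new_target):
            unresolved.append(link)
            continue
        if not dry_run:
            os.unlink(link)
            os.symlink(new_target, link)
        fixed.append(link)
    return fixed, unresolved


def demo():
    """Run the repair on a constructed post-upgrade tree and report results."""
    root = tempfile.mkdtemp(prefix="pki-ca-demo-")
    java_dir = os.path.join(root, "usr", "share", "java")
    lib_dir = os.path.join(root, "var", "lib", "pki-ca", "webapps",
                           "ca", "WEB-INF", "lib")
    os.makedirs(java_dir)
    os.makedirs(lib_dir)
    # After the upgrade only the renamed jar exists in java_dir.
    for jar in ("apache-commons-collections.jar", "intact-example.jar"):
        open(os.path.join(java_dir, jar), "w").close()
    # The link pki-ca setup created before the upgrade, now dangling.
    os.symlink(os.path.join(java_dir, "jakarta-commons-collections.jar"),
               os.path.join(lib_dir, "jakarta-commons-collections.jar"))
    # An intact link that must be left alone.
    os.symlink(os.path.join(java_dir, "intact-example.jar"),
               os.path.join(lib_dir, "intact-example.jar"))
    # A dangling link with no known rename: reported, never guessed.
    os.symlink(os.path.join(java_dir, "no-such-renamed.jar"),
               os.path.join(lib_dir, "no-such-renamed.jar"))

    fixed, unresolved = repair_dangling_links(lib_dir, java_dir)
    link = os.path.join(lib_dir, "jakarta-commons-collections.jar")
    return {
        "fixed": [os.path.basename(p) for p in fixed],
        "unresolved": [os.path.basename(p) for p in unresolved],
        "still_dangling": [os.path.basename(p)
                           for p in find_dangling_links(lib_dir)],
        "new_target": os.path.basename(os.readlink(link)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

On a real host, call repair_dangling_links("/var/lib/pki-ca/webapps/ca/WEB-INF/lib", dry_run=True) first and confirm with rpm -qf that the replacement jar under /usr/share/java is package-owned before relinking: whatever that link resolves to is loaded into the CA's Tomcat and runs with the CA's privileges, so a dangling link should only ever be pointed at package-managed code. Restart the pki-ca service afterwards so Tomcat re-reads WEB-INF/lib.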
Thanks __Ide > On Fri, Jun 3, 2011 at 10:28 AM, Uzor Ide wrote: > The IPA server is version 2.0.0 R3 which is supposed to install on fc14 > with some packages from updates-testing repo, while the replica install is > on server 2.0.1 > > Yes, there is no dogtagcert.p12 file; here are the files contained: > realm_info/httpcert.p12 > realm_info/cacert.p12 > realm_info/ldappwd > realm_info/ra.p12 > realm_info/http_pin.txt > realm_info/realm_info > realm_info/configure.jar > realm_info/dscert.p12 > realm_info/dirsrv_pin.txt > realm_info/pwdfile.txt.ori > realm_info/pwdfile.txt > realm_info/kpasswd.keytab > realm_info/preferences.htm > realm_info/ca.crt > > I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get > a correct replica package but that seems to have created another problem as > it has broken the tomcat and thus pki-ca. > > Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start > SEVERE: LifecycleException > java.io.IOException: Failed to access resource > /WEB-INF/lib/jakarta-commons-collections.jar > at > org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050) > at > org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4541) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546) > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > at > org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > at > 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061) > at > org.apache.catalina.core.StandardHost.start(StandardHost.java:785) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463) > at > org.apache.catalina.core.StandardService.start(StandardService.java:525) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:701) > at org.apache.catalina.startup.Catalina.start(Catalina.java:585) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:616) > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > Caused by: javax.naming.NamingException: Resource > jakarta-commons-collections.jar not found > at > org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209) > at > org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048) > ... 24 more > > It seems to me that it is looking for jakarta-commons-collections.jar which > exist but is a package from the old tomcat6-6.0.26. > > > Thanks > > __Ide > > > > > On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden wrote: > >> Uzor Ide wrote: >> >>> Thanks Rob >>> >>> I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the >>> nssdb is empty >>> If the CA cert is supposed to exist there at that stage of install, >>> then that would be the problem. >>> >>> Both the slapd-PKI-IPA error and access does not contain much. I >>> attached them herein with the ipareplica-install.log. 
>>> >>> >> How old is the prepared replica file, and was it created with an older >> version of IPA? >> >> In one of the last release candidates we started creating a separate SSL >> certificate for the 389-ds instance used by dogtag. I get the feeling that >> doesn't exist which would explain why SSL is failing. >> >> You can check by doing something like: >> # gpg -d replica-info-.gpg | tar tvf - >> >> The file you're looking for is dogtagcert.p12 >> >> rob >> >>> thanks >>> >>> Ide >>> >>> >>> On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden >> > wrote: >>> >>> Uzor Ide wrote: >>> >>> >>> Hi all >>> >>> We are trying to setup a backup IPA server and decided to toe that >>> replication route. >>> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to >>> fedora >>> 15 and freeipa 2.0.1. >>> Note we first did ipa-server-install --uninstall before >>> upgrading the >>> freeipa packages so as to make sure that the server is >>> relatively clean. >>> >>> However when I run that ipa-replica-install command, I end up >>> with the >>> following error in the ipareplica-install.log >>> >>> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart >>> PKI-IPA >>> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: >>> PKI-IPA...[ OK ] >>> Starting dirsrv: >>> PKI-IPA...[FAILED] >>> *** Warning: 1 instance(s) failed to start >>> >>> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 >>> -0400] - SSL >>> alert: Security Initialization: Unable to authenticate (Netscape >>> Portable Runtime error -8192 - An I/O error occurred during >>> security >>> authorization.) >>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. >>> >>> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status >>> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped >>> >>> 2011-05-31 23:54:33,501 DEBUG stderr= >>> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory >>> server. >>> See the installation log for details. 
>>> >>> This are the tomcat rpms on the server >>> >>> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch >>> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch >>> tomcat6-6.0.30-6.fc15.noarch >>> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch >>> tomcat6-lib-6.0.30-6.fc15.noarch >>> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch >>> tomcatjss-2.1.1-1.fc15.noarch >>> >>> So the tomcat6 version is definitely greater than >>> tomcat6-6-0.30-5. >>> >>> The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any >>> other >>> thing different from same, >>> >>> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: >>> Unable to authenticate (Netscape Portable Runtime error -8192 - >>> An I/O >>> error occurred during security authorization.) >>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed >>> >>> >>> Any help will be greatly appreciated >>> >>> Ide >>> >>> >>> I think we need more context. Can you compress and send >>> /var/log/ipareplica-install.log ? >>> >>> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and >>> errors to see if there is anything interesting there. >>> >>> And can you provide the output for: >>> >>> certutil -L -d /etc/dirsrv/slapd-PKI-IPA >>> >>> It would seem that your 389-ds instance is missing a copy of the CA >>> cert. >>> >>> thanks >>> >>> rob >>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From brian.p.stamper at nasa.gov Fri Jun 3 21:09:38 2011 From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC]) Date: Fri, 3 Jun 2011 16:09:38 -0500 Subject: [Freeipa-users] Difficulty installing freeipa Message-ID: I initially started testing with FreeIPA on Fedora 15, using ipa 2.x. 
The server install went smoothly; however, I was unable to add clients due to lack of backward compatibility, since ipa 2.x isn't available for most of the systems I manage.

I decided to rebuild the test ipa server. I built a fresh Fedora 13 system and installed the yum packages. Initially the ipa server installed without errors. However, there were some issues. It hadn't configured httpd to autostart, and when I did start httpd, I was unable to get to the management UI. Attempting to kinit would pause for ~10-15 seconds before requesting a password. I was able to get the ticket. Attempting to then reach the website, after configuring firefox and importing the certs, resulted in the "Service temporarily unavailable" error. All of this seemed to indicate a problem with the hosts file, but checking it multiple times, as well as checking all variations of name resolution, indicated nothing.

I decided to reinstall to try to fix the kerb oddness and hopefully get to the website gui. I ran ipa-server-install -uninstall and attempted to reinstall, and got the following error:

CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w password -f /tmp/tmpe1aE3t' returned non-zero exit status 32

Which led me to this bug, which was reported fixed in 2008:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287

Here is an excerpt from the install log:

2011-06-02 12:40:02,619 DEBUG calling setup-ds.pl
2011-06-02 12:40:09,869 INFO [11/06/02:12:40:09] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 49464
[02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache.
[02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job... [02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with bucket size 100 [02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied) [02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads... [02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted. [02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files... /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory [02/Jun/2011:12:40:09 -0700] - All database threads now stopped [02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed. Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ... [02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 49464 [02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache. [02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job... [02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering enabled with bucket size 100 [02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied) [02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import threads... [02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted. [02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files... /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory [02/Jun/2011:12:40:09 -0700] - All database threads now stopped [02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed. [11/06/02:12:40:09] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'. 
Error: Could not create directory server instance 'ARC-NASA-GOV'. [11/06/02:12:40:09] - [Setup] Fatal Exiting . . . Log file is '-' Exiting . . . Log file is '-' 2011-06-02 12:40:09,870 INFO 2011-06-02 12:40:09,870 CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpLtRn9j' returned non-zero exit status 1 2011-06-02 12:40:09,870 DEBUG restarting ds instance 2011-06-02 12:40:12,030 INFO Shutting down dirsrv: ARC-NASA-GOV... server already stopped[FAILED] *** Error: 1 instance(s) unsuccessfully stopped[FAILED] Starting dirsrv: ARC-NASA-GOV...[ OK ] All my attempts to re-install ipa-server now fail. I've tried removing all 51 packages associated with ipa-server and re-installing them. I've removed all 51 packages and deleted every file I could find associated with nscd, 389, ipa, sssd, etc. I have been unable to return the system to a state that will allow a reinstall of ipa-server. I upgraded the OS on the test system to Fedora 14 and reinstalled the packages, no change. Any advice would be appreciated. -Brian -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Fri Jun 3 21:30:50 2011 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 03 Jun 2011 17:30:50 -0400 Subject: [Freeipa-users] Difficulty installing freeipa In-Reply-To: References: Message-ID: <4DE9528A.1020907@redhat.com> On 06/03/2011 05:09 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote: > I initially started testing with FreeIPA on Fedora 15, using ipa 2.x. > The server install went smoothly, however I was unable to add clients > due to lack of backward compatibility, since ipa 2.x isn't available > for most of the systems I manage. > > I decided to rebuild the test ipa server. I build a fresh Fedora 13 > system and installed the yum packages. Initially the ipa server > installed without errors. However they were some issues. 
It hadn't > configured httpd to autostart, and when I did start httpd, I was > unable to get to the management UI. Attempting to kinit would pause > for ~10-15 seconds before requesting a password. I was able to get > the ticket. Attempting to then reach the website, after configuring > firefox and importing the certs, resulted in the "Service temporarily > unavailable" error. All of this seemed to indicate a problem with the > hosts file, but checking it multiple times, as well as checking all > variations of name resolution indicated nothing. > > I decided to reinstall to try to fix the kerb oddness and hopefully > get to the website gui. I ran ipa-server-install ---uninstall and > attempted to reinstall, and got the following error: > > CRITICAL Failed to load bootstrap-template.ldif: Command > '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w > password --f /tmp/tmpe1aE3t' returned non-zero exit status 32 > > Which led me to this bug, which was reported fixed in 2008: > https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=448287 > > > Here is an excerpt from the install log: > > 2011-06-02 12:40:02,619 DEBUG calling setup-ds.pl > 2011-06-02 12:40:09,869 INFO [11/06/02:12:40:09] - [Setup] Info Could > not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. > Output: importing data ... > [02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access the database > [02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: > 4096, pages: 997331, procpages: 49464 > [02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache. > [02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job... 
> [02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering > enabled with bucket size 100 > [02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF > file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied) > [02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import > threads... > [02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted. > [02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files... > /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory > [02/Jun/2011:12:40:09 -0700] - All database threads now stopped > [02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed. > > Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. > Output: importing data ... > [02/Jun/2011:12:40:03 -0700] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access the database > [02/Jun/2011:12:40:03 -0700] - check_and_set_import_cache: pagesize: > 4096, pages: 997331, procpages: 49464 > [02/Jun/2011:12:40:03 -0700] - Import allocates 1595728KB import cache. > [02/Jun/2011:12:40:03 -0700] - import userRoot: Beginning import job... > [02/Jun/2011:12:40:03 -0700] - import userRoot: Index buffering > enabled with bucket size 100 > [02/Jun/2011:12:40:04 -0700] - import userRoot: Could not open LDIF > file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied) > [02/Jun/2011:12:40:04 -0700] - import userRoot: Aborting all Import > threads... > [02/Jun/2011:12:40:09 -0700] - import userRoot: Import threads aborted. > [02/Jun/2011:12:40:09 -0700] - import userRoot: Closing files... > /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory > [02/Jun/2011:12:40:09 -0700] - All database threads now stopped > [02/Jun/2011:12:40:09 -0700] - import userRoot: Import failed. > > [11/06/02:12:40:09] - [Setup] Fatal Error: Could not create directory > server instance 'ARC-NASA-GOV'. 
> Error: Could not create directory server instance 'ARC-NASA-GOV'. > [11/06/02:12:40:09] - [Setup] Fatal Exiting . . . > Log file is '-' > > Exiting . . . > Log file is '-' > > 2011-06-02 12:40:09,870 INFO > 2011-06-02 12:40:09,870 CRITICAL failed to restart ds instance Command > '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpLtRn9j' > returned non-zero exit status 1 > 2011-06-02 12:40:09,870 DEBUG restarting ds instance > 2011-06-02 12:40:12,030 INFO Shutting down dirsrv: > ARC-NASA-GOV... server already stopped[FAILED] > *** Error: 1 instance(s) unsuccessfully stopped[FAILED] > Starting dirsrv: > ARC-NASA-GOV...[ OK ] > > All my attempts to re-install ipa-server now fail. I've tried > removing all 51 packages associated with ipa-server and re-installing > them. I've removed all 51 packages and deleted every file I could > find associated with nscd, 389, ipa, sssd, etc. I have been unable to > return the system to a state that will allow a reinstall of > ipa-server. I upgraded the OS on the test system to Fedora 14 and > reinstalled the packages, no change. > > Any advice would be appreciated. Is it all on F13? The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on. There are two many parts this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it. It looks like you have some instances of the DS left over in a misconfigured state. You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit. But let us get back to the original problem. Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have latest and greatest. There was a nice article referenced in some of the earlier threads on the list: http://www.aput.net/~jheiss/krbldap/howto.html You can configure very old clients to use IPA as NIS server. Let us know how else we can help. 
Thanks Dmitri > > -Brian > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From brian.p.stamper at nasa.gov Fri Jun 3 21:38:43 2011 From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC]) Date: Fri, 3 Jun 2011 16:38:43 -0500 Subject: [Freeipa-users] Difficulty installing freeipa In-Reply-To: <4DE9528A.1020907@redhat.com> Message-ID: I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems. [root at freeipa ~]# uname -r 2.6.35.13-91.fc14.x86_64 [root at freeipa ~]# rpm -qa 'ipa*' ipa-client-1.2.2-6.fc14.x86_64 ipa-server-selinux-1.2.2-6.fc14.x86_64 ipa-python-1.2.2-6.fc14.x86_64 ipa-admintools-1.2.2-6.fc14.x86_64 ipa-server-1.2.2-6.fc14.x86_64 [root at freeipa ~]# I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work, I tried to fix it, uninstalled, any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS. -Brian On 6/3/11 2:30 PM, "Dmitri Pal" wrote: Is it all on F13? The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on. There are two many parts this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it. 
It looks like you have some instances of the DS left over in a misconfigured state.

You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit.

But let us get back to the original problem. Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have latest and greatest. There was a nice article referenced in some of the earlier threads on the list:

http://www.aput.net/~jheiss/krbldap/howto.html

You can configure very old clients to use IPA as NIS server. Let us know how else we can help.

Thanks
Dmitri

-Brian

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From simo at redhat.com Fri Jun 3 21:45:33 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 03 Jun 2011 17:45:33 -0400
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To:
References:
Message-ID: <1307137533.2613.132.camel@willson.li.ssimo.org>

On Fri, 2011-06-03 at 16:38 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I've given up on freeipa v2 due to lack of compatibility with hosts I
> manage. This is all on freeipa v1. The server started as Fedora 13,
> and I upgraded to Fedora 14 in an attempt to fix the problems.

Brian,
I am curious, what compatibility are you lacking?
I can't think of any difference in the supported list of clients; with v2 we have native sssd support that was not available in v1, but the legacy support is basically identical.

Can you elaborate on which problem you found on which clients?
Thanks, Simo -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Fri Jun 3 21:53:41 2011 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 03 Jun 2011 17:53:41 -0400 Subject: [Freeipa-users] Difficulty installing freeipa In-Reply-To: References: Message-ID: <4DE957E5.4010108@redhat.com> On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote: > > I've given up on freeipa v2 due to lack of compatibility with hosts I > manage. This is all on freeipa v1. The server started as Fedora 13, > and I upgraded to Fedora 14 in an attempt to fix the problems. > > [root at freeipa ~]# uname -r > 2.6.35.13-91.fc14.x86_64 > [root at freeipa ~]# rpm -qa 'ipa*' > ipa-client-1.2.2-6.fc14.x86_64 > ipa-server-selinux-1.2.2-6.fc14.x86_64 > ipa-python-1.2.2-6.fc14.x86_64 > ipa-admintools-1.2.2-6.fc14.x86_64 > ipa-server-1.2.2-6.fc14.x86_64 > [root at freeipa ~]# > > I'm not doing anything special at this point. I'm not even trying to > get clients added. I'm trying to do a basic install of ipa-server, > with no extra arguments. That claimed to succeed but wouldn't work, I > tried to fix it, uninstalled, any attempts to reinstall failed. So > right now I'm simply trying to get the ipa service back to any kind of > functioning status without re-installing the OS. > Ah this is all old 1.2 IPA. Have you tried ipa-server-install --uninstall Might require several attempts until all the errors are cleared. > -Brian > > On 6/3/11 2:30 PM, "Dmitri Pal" wrote: > > > Is it all on F13? > The IPA v2 can't be built on F13 as there are many dependencies > missing that we rely on. There are two many parts this is why we > had to move to the later versions of F15. We just did not have any > options. So the server you built might in fact be completely > broken. I do not know how to fix it. It looks like you have some > instances of the DS left over in a misconfigured state. > > You can try running ipa-server-install --uninstall 4-5 times. > That might clear things a bit. 
> > But let us get back to the original problem. > Freeipa can be used with the LDAP+Kerberos configuration on the > clients. You do not need to have latest and greatest. > There was a nice article referenced in some of the earlier > threads on the list: > > http://www.aput.net/~jheiss/krbldap/howto.html > > > > You can configure very old clients to use IPA as NIS server. > Let us know how else we can help. > Thanks > Dmitri > > > > > -Brian > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From brian.p.stamper at nasa.gov Fri Jun 3 22:14:20 2011 From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC]) Date: Fri, 3 Jun 2011 17:14:20 -0500 Subject: [Freeipa-users] Difficulty installing freeipa In-Reply-To: <4DE957E5.4010108@redhat.com> Message-ID: Yes, I mentioned in the first email I had attempted that. I just ran the uninstall 10 times in a row. 
Same errors:

Configuring directory server:
  [1/17]: creating directory server user
  [2/17]: creating directory server instance
root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
  [3/17]: adding default schema
  [4/17]: enabling memberof plugin
  [5/17]: enabling referential integrity plugin
  [6/17]: enabling distributed numeric assignment plugin
  [7/17]: enabling winsync plugin
  [8/17]: configuring uniqueness plugin
  [9/17]: creating indices
  [10/17]: configuring ssl for ds instance
  [11/17]: configuring certmap.conf
  [12/17]: restarting directory server
  [13/17]: adding default layout
root : CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
  [14/17]: configuring Posix uid/gid generation as first master
  [15/17]: adding master entry as first master
root : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
  [16/17]: initializing group membership
  [17/17]: configuring directory to start on boot
done configuring dirsrv.

As a test I've manually run setup-ds.pl accepting all of the defaults. It works fine and installs successfully, creating the slapd-freeipa (which is the hostname) instance. I then ran remove-ds.pl on the slapd-freeipa instance and re-ran the ipa uninstall. When I attempted to reinstall ipa, it detected an existing ds. I did a locate for dirsrv and found logfiles from an instance called slapd-ARC-NASA-GOV, which should be my default freeipa dirsrv instance. To try to clean this up, I ran setup-ds.pl, chose custom and created a slapd-ARC-NASA-GOV instance, and then immediately removed it with remove-ds.pl. I then re-ran ipa-server-install, which this time did not detect an existing directory server.
However, the ipa-server-install again failed in the same location. [2/17]: creating directory server instance root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned non-zero exit status 1 And from the log: 2011-06-03 15:12:41,540 DEBUG Configuring directory server: 2011-06-03 15:12:41,541 DEBUG [1/17]: creating directory server user 2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists 2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory server instance 2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances configured 2011-06-03 15:12:41,567 INFO 2011-06-03 15:12:41,567 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2011-06-03 15:12:41,568 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2011-06-03 15:12:41,568 DEBUG dn: dc=arc,dc=nasa,dc=gov objectClass: top objectClass: domain objectClass: pilotObject dc: arc info: IPA V1.0 2011-06-03 15:12:41,569 DEBUG writing inf template 2011-06-03 15:12:41,570 DEBUG [General] FullMachineName= freeipa.arc.nasa.gov SuiteSpotUserID= dirsrv ServerRoot= /usr/lib64/dirsrv [slapd] ServerPort= 389 ServerIdentifier= ARC-NASA-GOV Suffix= dc=arc,dc=nasa,dc=gov RootDN= cn=Directory Manager InstallLdifFile= /var/lib/dirsrv/boot.ldif 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ... 
[03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998 [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache. [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job... [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100 [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied) [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads... [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted. [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files... /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory [03/Jun/2011:15:12:48 -0700] - All database threads now stopped [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed. Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ... [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998 [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache. [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job... [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100 [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied) [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads... [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted. [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files... 
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory [03/Jun/2011:15:12:48 -0700] - All database threads now stopped [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed. [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'. Error: Could not create directory server instance 'ARC-NASA-GOV'. [11/06/03:15:12:48] - [Setup] Fatal Exiting . . . -Brian On 6/3/11 2:53 PM, "Dmitri Pal" wrote: On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote: Re: [Freeipa-users] Difficulty installing freeipa I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems. [root at freeipa ~]# uname -r 2.6.35.13-91.fc14.x86_64 [root at freeipa ~]# rpm -qa 'ipa*' ipa-client-1.2.2-6.fc14.x86_64 ipa-server-selinux-1.2.2-6.fc14.x86_64 ipa-python-1.2.2-6.fc14.x86_64 ipa-admintools-1.2.2-6.fc14.x86_64 ipa-server-1.2.2-6.fc14.x86_64 [root at freeipa ~]# I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work, I tried to fix it, uninstalled, any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS. Ah this is all old 1.2 IPA. Have you tried ipa-server-install --uninstall Might require several attempts until all the errors are cleared. -Brian On 6/3/11 2:30 PM, "Dmitri Pal" wrote: Is it all on F13? The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on. There are two many parts this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it. 
It looks like you have some instances of the DS left over in a misconfigured state. You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit. But let us get back to the original problem. Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have latest and greatest. There was a nice article referenced in some of the earlier threads on the list: http://www.aput.net/~jheiss/krbldap/howto.html You can configure very old clients to use IPA as NIS server. Let us know how else we can help. Thanks Dmitri -Brian _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From brian.p.stamper at nasa.gov Fri Jun 3 22:44:29 2011 From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC]) Date: Fri, 3 Jun 2011 17:44:29 -0500 Subject: [Freeipa-users] Difficulty installing freeipa In-Reply-To: Message-ID: I have resolved the install issue. The installer is a bit sloppy and makes some bad assumptions. The problem turns out to be that the directory server setup seems to be running as dirsrv, not root. Ipa-server-install (more specifically dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it does so as root, using root's umask. It doesn't do a check to make sure dirsrv can read this file before spawning an external process to create the directory server. Part of security best practices recommended by the CIS group as well as others is to set root's umask to 0077. With this setting in place, dirsrv is unable to read /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from ipa-server-install. 
I modified dsinstance.py to not remove the file and checked it after a failed install. It was written properly, so I changed the permission on it to 666 and re-ran the install. It succeeded.

I'm now back to where I started, which is a partly working ipa install. Kinit takes 75 seconds to complete. I still can't get to the UI. I'm now going to uninstall again, change root's umask to 022, and see if that fixes any more of the problems.

-Brian
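An added example, not FreeIPA's dsinstance.py and not code from the thread: it reproduces the umask 0077 failure described above with a plain open() and shows the two things an installer can do instead, set the bootstrap file's mode explicitly on the open descriptor (and chown it to the service account when running as root) and preflight that the service uid can read the file before spawning setup-ds.pl. The file names, the LDIF text and the service-uid stand-in are constructed for the demo.

```python
"""Bootstrap file written for a service account, independent of the umask."""
import os
import stat
import tempfile

# Constructed stand-in for the entry ipa-server-install writes to boot.ldif
BOOT_LDIF = (
    "dn: dc=example,dc=test\n"
    "objectClass: top\n"
    "objectClass: domain\n"
    "dc: example\n"
)


def write_for_service_user(path, data, uid=None, gid=None, mode=0o640):
    """Create `path` with an explicit mode instead of inheriting the umask.

    The file is created private (0600) with O_EXCL, so a pre-existing file or
    symlink at `path` is never followed; ownership and the final mode are set
    on the open descriptor, so a hardened umask (the CIS-style 0077 for root
    from the thread) cannot leave the result unreadable for the service user.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        if uid is not None or gid is not None:  # needs root; skipped in demo()
            os.fchown(fd, -1 if uid is None else uid, -1 if gid is None else gid)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def file_mode(path):
    """Permission bits of `path` as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by(path, uid, gids):
    """Emulate the kernel's DAC read check for a user other than the caller.

    root (uid 0) bypasses DAC; otherwise the owner, group or other read bit
    applies, depending on which class the user falls into.
    """
    if uid == 0:
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def preflight_readable(path, uid, gids=()):
    """The check the thread says the installer lacks: fail before the external
    setup-ds.pl process does, with a message that names the real cause."""
    if not readable_by(path, uid, gids):
        raise PermissionError(
            f"{path} (mode {file_mode(path):04o}) is not readable by uid {uid}; "
            "fix ownership/mode before calling setup-ds.pl")
    return True


def demo():
    """Reproduce the failure under umask 0077, then show the fix."""
    tmpdir = tempfile.mkdtemp()
    naive = os.path.join(tmpdir, "boot-naive.ldif")
    fixed = os.path.join(tmpdir, "boot-fixed.ldif")
    old_umask = os.umask(0o077)  # the hardened root umask from the thread
    try:
        # What the thread describes: a plain open() as root, mode = 0666 & ~0077
        with open(naive, "w") as f:
            f.write(BOOT_LDIF)
        # Explicit mode. Not root here, so no chown: world-readable 0644 is used
        # for this non-secret bootstrap entry; as root you would pass the dirsrv
        # uid/gid and keep the default 0640.
        write_for_service_user(fixed, BOOT_LDIF.encode(), mode=0o644)
    finally:
        os.umask(old_umask)
    # Any uid other than the file owner stands in for the dirsrv account
    svc_uid = os.getuid() + 1
    return {
        "naive_path": naive, "naive_mode": file_mode(naive),
        "naive_readable": readable_by(naive, svc_uid, ()),
        "fixed_path": fixed, "fixed_mode": file_mode(fixed),
        "fixed_readable": readable_by(fixed, svc_uid, ()),
        "svc_uid": svc_uid,
    }


if __name__ == "__main__":
    r = demo()
    print(f"naive: mode {r['naive_mode']:04o}, readable by service uid: {r['naive_readable']}")
    print(f"fixed: mode {r['fixed_mode']:04o}, readable by service uid: {r['fixed_readable']}")
```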
From dpal at redhat.com Fri Jun 3 22:58:48 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 03 Jun 2011 18:58:48 -0400
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To:
References:
Message-ID: <4DE96728.2050209@redhat.com>

On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I have resolved the install issue.

Great!

> The installer is a bit sloppy and makes some bad assumptions. The
> problem turns out to be that the directory server setup seems to be
> running as dirsrv, not root.
> Ipa-server-install (more specifically
> dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it
> does so as root, using root's umask. It doesn't do a check to make
> sure dirsrv can read this file before spawning an external process to
> create the directory server. Part of security best practices
> recommended by the CIS group as well as others is to set root's umask
> to 0077. With this setting in place, dirsrv is unable to read
> /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when
> executed from ipa-server-install. I modified dsinstance.py to not
> remove the file and checked it after a failed install. It was written
> properly, so I changed the permission on it to 666 and re-ran the
> install. It succeeded.

Opened https://fedorahosted.org/freeipa/ticket/1282

> I'm now back to where I started, which is a partly working ipa
> install. Kinit takes 75 seconds to complete.

Seems like a DNS timeout or something related to the name resolution.

> I still can't get to the UI. I'm now going to uninstall again,
> change root's umask to 022, and see if that fixes any more of the
> problems.

The UI does not start for me if you try to run FF from the root shell.
I forget about this frequently and just upgraded to F15 and hit it again.
If you have a normal user shell, kinit from that shell as admin and start browser from it you should have all the right context to access UI.

> -Brian

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From brian.p.stamper at nasa.gov Fri Jun 3 23:14:03 2011
From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC])
Date: Fri, 3 Jun 2011 18:14:03 -0500
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To: <4DE96728.2050209@redhat.com>
Message-ID:

I'm closer. I was able to get logged into the UI.
It wasn't that I was running firefox from root, but that I had inited as root. Same problem really. Dropping back to my own shell and initing I was able to reach the GUI.

The next problem I need to tackle is the slowness. Ipa-finduser admin does return results, but it takes 2m43s.

[root at freeipa ~]# egrep "freeipa|local" /etc/hosts
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
1.2.3.4     freeipa.arc.nasa.gov freeipa
[root at freeipa ~]# grep host /etc/nsswitch.conf
#hosts:     db files nisplus nis dns
hosts:      files dns
[root at freeipa ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:10:18:2D:E6:93
          inet addr:1.2.3.4

I don't see any issues with the configuration there. There are no conflicting "freeipa" hosts in dns. Looks pretty much in compliance with the guide:

Configuring /etc/hosts

You need to ensure that your /etc/hosts file is configured correctly, or the ipa-* commands may not work correctly. The /etc/hosts file should list the FQDN for your IPA server before any aliases. You should also ensure that the hostname is not part of the localhost entry. The following is an example of a valid hosts file:

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver

-Brian
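The two rules quoted from the guide, encoded as a check over /etc/hosts text; an added example, not the guide's or the thread's code. The sample hosts files are constructed from the listing in the message (1.2.3.4 and the freeipa names) plus two common mistakes the rules are meant to catch.

```python
"""Check an /etc/hosts file against the IPA guide's two rules."""
import ipaddress


def parse_hosts(text):
    """Yield (address, [names]) for each non-comment, non-blank hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def check_hosts(text, fqdn):
    """Return a list of findings; an empty list means the file passes.

    Rules from the guide: the IPA server's FQDN must come before any alias on
    its line, and neither the FQDN nor the short hostname may sit on a
    localhost (loopback) entry.  A missing FQDN mapping is reported too, since
    the server would then resolve its own name only through DNS.
    """
    shortname = fqdn.split(".", 1)[0]
    findings = []
    fqdn_seen = False
    for addr, names in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            findings.append(f"{addr}: not a valid IP address")
            continue
        if loopback and (fqdn in names or shortname in names):
            findings.append(f"{addr}: {fqdn}/{shortname} must not be on the localhost entry")
            continue
        if fqdn in names:
            fqdn_seen = True
            if names[0] != fqdn:
                findings.append(f"{addr}: canonical name is '{names[0]}'; {fqdn} must come first")
        elif shortname in names:
            findings.append(f"{addr}: short name {shortname} listed without the FQDN {fqdn}")
    if not fqdn_seen:
        findings.append(f"no entry maps {fqdn} to an address")
    return findings


# Constructed samples: the listing from the message, then two common mistakes
HOSTS_OK = """\
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
1.2.3.4     freeipa.arc.nasa.gov freeipa
"""
HOSTS_ON_LOOPBACK = """\
127.0.0.1   localhost.localdomain localhost freeipa.arc.nasa.gov freeipa
1.2.3.4     freeipa.arc.nasa.gov freeipa
"""
HOSTS_ALIAS_FIRST = """\
127.0.0.1   localhost.localdomain localhost
1.2.3.4     freeipa freeipa.arc.nasa.gov   # alias before the FQDN
"""

if __name__ == "__main__":
    for label, text in [("ok", HOSTS_OK), ("loopback", HOSTS_ON_LOOPBACK),
                        ("alias-first", HOSTS_ALIAS_FIRST)]:
        print(label, check_hosts(text, "freeipa.arc.nasa.gov") or "OK")
```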
Part of security best practices recommended by the CIS group as well as others is to set root's umask to 0077. With this setting in place, dirsrv is unable to read /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from ipa-server-install. I modified dsinstance.py to not remove the file and checked it after a failed install. It was written properly, so I changed the permission on it to 666 and re-ran the install. It succeeded. Opened https://fedorahosted.org/freeipa/ticket/1282 I'm now back to where I started, which is a partly working ipa install. Kinit takes 75 seconds to complete. Seems like a DNS timeout or something related to the name resolution. I still can't get to the UI. I'm now going to uninstall again, change root's umask to 022, and see if that fixes any more of the problems. The UI does not start for me if you try to run FF from the root shell. I forget about this frequently and just upgraded to F15 and hit it again. If you have a normal user shell, kinit from that shell as admin and start browser from it you should have all the right context to access UI. -Brian On 6/3/11 3:14 PM, "Brian Stamper" wrote: Yes, I mentioned in the first email I had attempted that. I just ran the uninstall 10 times in a row. 
Same errors:

Configuring directory server:
  [1/17]: creating directory server user
  [2/17]: creating directory server instance
root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
  [3/17]: adding default schema
  [4/17]: enabling memberof plugin
  [5/17]: enabling referential integrity plugin
  [6/17]: enabling distributed numeric assignment plugin
  [7/17]: enabling winsync plugin
  [8/17]: configuring uniqueness plugin
  [9/17]: creating indices
  [10/17]: configuring ssl for ds instance
  [11/17]: configuring certmap.conf
  [12/17]: restarting directory server
  [13/17]: adding default layout
root : CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
  [14/17]: configuring Posix uid/gid generation as first master
  [15/17]: adding master entry as first master
root : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
  [16/17]: initializing group membership
  [17/17]: configuring directory to start on boot
done configuring dirsrv.

As a test I've manually run setup-ds.pl accepting all of the defaults. It works fine and installs successfully, creating the slapd-freeipa (which is the hostname) instance. I then ran remove-ds.pl on the slapd-freeipa instance and re-ran the ipa uninstall. When I attempted to reinstall ipa, it detected an existing ds. I did a locate for dirsrv and found logfiles from an instance called slapd-ARC-NASA-GOV, which should be my default freeipa dirsrv instance. To try to clean this up, I ran setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV instance, and then immediately removed it with remove-ds.pl. I then re-ran ipa-server-install, which this time did not detect an existing directory server. However, the ipa-server-install again failed in the same location.

  [2/17]: creating directory server instance
root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned non-zero exit status 1

And from the log:

2011-06-03 15:12:41,540 DEBUG Configuring directory server:
2011-06-03 15:12:41,541 DEBUG   [1/17]: creating directory server user
2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,542 DEBUG   [2/17]: creating directory server instance
2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances configured
2011-06-03 15:12:41,567 INFO
2011-06-03 15:12:41,567 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,568 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-06-03 15:12:41,568 DEBUG dn: dc=arc,dc=nasa,dc=gov
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: arc
info: IPA V1.0

2011-06-03 15:12:41,569 DEBUG writing inf template
2011-06-03 15:12:41,570 DEBUG [General]
FullMachineName= freeipa.arc.nasa.gov
SuiteSpotUserID= dirsrv
ServerRoot= /usr/lib64/dirsrv
[slapd]
ServerPort= 389
ServerIdentifier= ARC-NASA-GOV
Suffix= dc=arc,dc=nasa,dc=gov
RootDN= cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif

2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
[03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
[03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[03/Jun/2011:15:12:48 -0700] - All database threads now stopped
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
[03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
[03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
[03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
/var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
[03/Jun/2011:15:12:48 -0700] - All database threads now stopped
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.

[11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
Error: Could not create directory server instance 'ARC-NASA-GOV'.
[11/06/03:15:12:48] - [Setup] Fatal Exiting . . .

-Brian

On 6/3/11 2:53 PM, "Dmitri Pal" wrote:

On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:

Re: [Freeipa-users] Difficulty installing freeipa

I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems.

[root at freeipa ~]# uname -r
2.6.35.13-91.fc14.x86_64
[root at freeipa ~]# rpm -qa 'ipa*'
ipa-client-1.2.2-6.fc14.x86_64
ipa-server-selinux-1.2.2-6.fc14.x86_64
ipa-python-1.2.2-6.fc14.x86_64
ipa-admintools-1.2.2-6.fc14.x86_64
ipa-server-1.2.2-6.fc14.x86_64
[root at freeipa ~]#

I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work, I tried to fix it, uninstalled, any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS.

Ah this is all old 1.2 IPA.
Have you tried
ipa-server-install --uninstall

Might require several attempts until all the errors are cleared.

-Brian

On 6/3/11 2:30 PM, "Dmitri Pal" wrote:

Is it all on F13?
The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on. There are too many parts, this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it.
It looks like you have some instances of the DS left over in a misconfigured state.

You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit.

But let us get back to the original problem. Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have latest and greatest. There was a nice article referenced in some of the earlier threads on the list:

http://www.aput.net/~jheiss/krbldap/howto.html

You can configure very old clients to use IPA as NIS server.
Let us know how else we can help.

Thanks
Dmitri

-Brian

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Mon Jun 6 14:56:41 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Jun 2011 10:56:41 -0400 Subject: [Freeipa-users] Difficulty installing freeipa In-Reply-To: References: Message-ID: <4DECEAA9.6060602@redhat.com>

Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I'm closer. I was able to get logged into the UI. It wasn't that I was running firefox from root, but that I had inited as root. Same problem really. Dropping back to my own shell and initing I was able to reach the GUI. The next problem I need to tackle is the slowness. Ipa-finduser admin does return results, but it takes 2m43s.

Definitely getting hung up somewhere. I'd try the -v option to ipa-finduser to get a bit more detail on the request. The client will attempt to find the right IPA Apache server to connect to, make a kerberos connection.
Apache will then handle the request and collect any data needed from 389-ds and return it. There are a lot of places things can break down. By examining the server logs you may be able to discern where the logjam is.

rob

> [root at freeipa ~]# egrep "freeipa|local" /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 1.2.3.4 freeipa.arc.nasa.gov freeipa
>
> [root at freeipa ~]# grep host /etc/nsswitch.conf
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> [root at freeipa ~]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
> inet addr:1.2.3.4
>
> I don't see any issues with the configuration there. There are no conflicting "freeipa" hosts in dns. Looks pretty much in compliance with the guide:
>
> Configuring /etc/hosts
> You need to ensure that your /etc/hosts file is configured correctly, or the ipa-* commands may not work correctly.
>
> The /etc/hosts file should list the FQDN for your IPA server before any aliases. You should also ensure that the hostname is not part of the localhost entry. The following is an example of a valid hosts file:
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 192.168.1.1 ipaserver.example.com ipaserver
>
> -Brian
>
> On 6/3/11 3:58 PM, "Dmitri Pal" wrote:
>
> On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> Re: [Freeipa-users] Difficulty installing freeipa
> I have resolved the install issue.
>
> Great!
>
> The installer is a bit sloppy and makes some bad assumptions. The problem turns out to be that the directory server setup seems to be running as dirsrv, not root. Ipa-server-install (more specifically dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it does so as root, using root's umask. It doesn't do a check to make sure dirsrv can read this file before spawning an external process to create the directory server.
From brian.p.stamper at nasa.gov Mon Jun 6 19:31:05 2011 From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC]) Date: Mon, 6 Jun 2011 14:31:05 -0500 Subject: [Freeipa-users] Difficulty installing freeipa In-Reply-To: <4DECEAA9.6060602@redhat.com> Message-ID:

This is what I get. I'm not sure which logfiles would be useful at this point.
-brian

time ipa-finduser -v admin
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
send: "POST /ipa/xml HTTP/1.1\r\nHost: freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization: negotiate [...]\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 515\r\n\r\n\n\nfind_users\n\n\nadmin\n\n\n\nuid\ngivenname\nsn\nhomeDirectory\nloginshell\n\n\n\n-1\n\n\n-1\n\n\n\n"
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 06 Jun 2011 19:25:47 GMT
header: Server: Apache/2.2.17 (Fedora)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvgT/A5n14nLzBVzpFQFm8lIUc1dZmoma0UuzN9dxD7ykRe/S6rTZJnlroYZG9cmHK9WmIZX5eg/zThvgz/QVvVufnzTbihT3lUDFa4ING9mtCpigZoTnLWGcIRLKddjFHammKG6SjMU29YgwHIZ2D
header: Content-Length: 650
header: Connection: close
header: Content-Type: text/xml
body: "\n\n\n\n\n1\n\n\ndn\nuid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov\n\n\nloginshell\n/bin/bash\n\n\nuid\nadmin\n\n\nsn\nAdministrator\n\n\nhomedirectory\n/home/admin\n\n\n\n\n\n\n"
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
send: "POST /ipa/xml HTTP/1.1\r\nHost: freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization: negotiate [...]\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 331\r\n\r\n\n\nattrs_to_labels\n\n\n\nhomedirectory\nloginshell\nsn\nuid\n\n\n\n\n"
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 06 Jun 2011 19:26:18 GMT
header: Server: Apache/2.2.17 (Fedora)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv14HufxqWTyNzhsD9xAxrBN5L7jejiqPqHum3FjYTKc2xIrC1ONAloxDyxcOV0isynFIw6/NwpXJKHfzfDbiFPiYjF3xrOakeGDiiVSCL7G12ZNdqErNfP1GVBU5yVg+vIDI+HxfzRa29Gl9eIu1J
header: Content-Length: 458
header: Connection: close
header: Content-Type: text/xml
body: "\n\n\n\n\n\nloginshell\nLogin Shell\n\n\nhomedirectory\nHome Directory\n\n\nuid\nLogin\n\n\nsn\nLast Name\n\n\n\n\n\n"
Home Directory: /home/admin
Login Shell: /bin/bash
Last Name: Administrator
Login: admin

real    1m50.460s
user    0m0.083s
sys     0m0.017s

[root at freeipa ~]# time wget https://freeipa.arc.nasa.gov/ipa/xml
--2011-06-06 12:29:40--  https://freeipa.arc.nasa.gov/ipa/xml
Resolving freeipa.arc.nasa.gov... 143.232.152.197
Connecting to freeipa.arc.nasa.gov|143.232.152.197|:443... connected.
ERROR: cannot verify freeipa.arc.nasa.gov's certificate, issued by "/CN=IPA Test Certificate Authority":
  Self-signed certificate encountered.
To connect to freeipa.arc.nasa.gov insecurely, use '--no-check-certificate'.

real    0m0.015s
user    0m0.011s
sys     0m0.002s
[root at freeipa ~]#
From ide4you at gmail.com Mon Jun 6 20:27:34 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Mon, 6 Jun 2011 16:27:34 -0400
Subject: [Freeipa-users] Issue with replication install
In-Reply-To:
References: <4DE65D6D.7050604@redhat.com> <4DE7A76F.5010405@redhat.com>
Message-ID:

Anybody with an idea why my replication setup is hanging at stage 4 of the 11-stage process?

#########################################################
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/11]: creating certificate server user
  [2/11]: creating pki-ca instance
  [3/11]: restarting certificate server
  [4/11]: configuring certificate server instance
###############################################################

When I checked the pki-ca debug log, everything is okay until it gets to this stage and it keeps repeating the last entry.

####################################################################
[06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: initializeConsumer host: company.domain.com port: 7389
[06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: start modifying
[06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: Finish modification.
[06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: thread sleeping for 5 seconds.
[06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: finish sleeping.
[06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: Successfully initialize consumer
[06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca
[06/Jun/2011:16:00:30][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait!
[06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca
[06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait!
########################################################################

If I leave it for hours, it will keep repeating the last entry.

In the catalina.out log, I get the following java exception:

###########################################################################
INFO: Deploying web application directory ca
Jun 6, 2011 3:58:36 PM org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop:
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
        at java.net.Socket.connect(Socket.java:546)
        at java.net.Socket.connect(Socket.java:495)
        at java.net.Socket.<init>(Socket.java:392)
        at java.net.Socket.<init>(Socket.java:206)
        at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:412)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:338)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:416)
32-bit osutil library loaded
32-bit osutil library loaded
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Jun 6, 2011 3:58:44 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
#############################################################

While this points to a connection failure, I don't know why that is so, because there is no firewall running on the two boxes; I also disabled selinux just to make sure, but it did not make any difference.

There is a bug number 643449 with this exception thrown here in bugzilla, but that issue was supposed to be caused by a missing xalan-j2-serializer.jar file in tomcat5. This is tomcat6.

Please, any help will be appreciated.

Thanks

__Ide

On Fri, Jun 3, 2011 at 2:32 PM, Uzor Ide wrote:
> I have corrected the problem with the ipa server, from the broken tomcat/pki-ca;
>
> The problem comes from a sym link that was created during the setup of pki-ca from PKI-HOME for jakarta-commons-collections.jar to /usr/share/java/jakarta-commons-collections.jar.
> This file is a member of the jakarta-commons-collections rpm package in fc14. In fc15 the jakarta-commons-collections package appears to have been renamed to apache-commons-collections and an equivalent file apache-commons-collections.jar is contained.
> However when you upgrade, at least in my own case using preupgrade, it leaves the /var/lib/pki-ca/webapps/ca/WEB-INF/lib/jakarta-commons-collections.jar link orphaned. Recreating the sym link to /usr/share/java/apache-commons-collections.jar fixes the problem.
>
> I have created a new replica package and I see that it contained the dogtagcert.p12 file.
>
> I will try to install the replica and see how it goes.
> > Thanks > > __Ide > > > > > > On Fri, Jun 3, 2011 at 10:28 AM, Uzor Ide wrote: > >> The IPA server is version 2.0.0 R3 which is supposed to install on fc14 >> with some packages from updates-testing repo, while the replica install is >> on server 2.0.1 >> >> Yes, there is no dogtagcert.p12 file; here are the files contained: >> realm_info/httpcert.p12 >> realm_info/cacert.p12 >> realm_info/ldappwd >> realm_info/ra.p12 >> realm_info/http_pin.txt >> realm_info/realm_info >> realm_info/configure.jar >> realm_info/dscert.p12 >> realm_info/dirsrv_pin.txt >> realm_info/pwdfile.txt.ori >> realm_info/pwdfile.txt >> realm_info/kpasswd.keytab >> realm_info/preferences.htm >> realm_info/ca.crt >> >> I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the quest to get >> a correct replica package but that seems to have created another problem as >> it has broken the tomcat and thus pki-ca. >> >> Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader start >> SEVERE: LifecycleException >> java.io.IOException: Failed to access resource >> /WEB-INF/lib/jakarta-commons-collections.jar >> at >> org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050) >> at >> org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681) >> at >> org.apache.catalina.core.StandardContext.start(StandardContext.java:4541) >> at >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) >> at >> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779) >> at >> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546) >> at >> org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) >> at >> org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) >> at >> org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) >> at >> org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) >> at >> 
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) >> at >> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) >> at >> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061) >> at >> org.apache.catalina.core.StandardHost.start(StandardHost.java:785) >> at >> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) >> at >> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463) >> at >> org.apache.catalina.core.StandardService.start(StandardService.java:525) >> at >> org.apache.catalina.core.StandardServer.start(StandardServer.java:701) >> at org.apache.catalina.startup.Catalina.start(Catalina.java:585) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:616) >> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) >> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) >> Caused by: javax.naming.NamingException: Resource >> jakarta-commons-collections.jar not found >> at >> org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209) >> at >> org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048) >> ... 24 more >> >> It seems to me that it is looking for jakarta-commons-collections.jar >> which exist but is a package from the old tomcat6-6.0.26. >> >> >> Thanks >> >> __Ide >> >> >> >> >> On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden wrote: >> >>> Uzor Ide wrote: >>> >>>> Thanks Rob >>>> >>>> I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA command; the >>>> nssdb is empty >>>> If the CA cert is supposed to exist there at that stage of install, >>>> then that would be the problem. 
>>>> >>>> Both the slapd-PKI-IPA error and access does not contain much. I >>>> attached them herein with the ipareplica-install.log. >>>> >>>> >>> How old is the prepared replica file, and was it created with an older >>> version of IPA? >>> >>> In one of the last release candidates we started creating a separate SSL >>> certificate for the 389-ds instance used by dogtag. I get the feeling that >>> doesn't exist which would explain why SSL is failing. >>> >>> You can check by doing something like: >>> # gpg -d replica-info-.gpg | tar tvf - >>> >>> The file you're looking for is dogtagcert.p12 >>> >>> rob >>> >>>> thanks >>>> >>>> Ide >>>> >>>> >>>> On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden >>> > wrote: >>>> >>>> Uzor Ide wrote: >>>> >>>> >>>> Hi all >>>> >>>> We are trying to setup a backup IPA server and decided to toe >>>> that >>>> replication route. >>>> The box is a fedora 14 with freeipa-2.0-RC2 which I upgraded to >>>> fedora >>>> 15 and freeipa 2.0.1. >>>> Note we first did ipa-server-install --uninstall before >>>> upgrading the >>>> freeipa packages so as to make sure that the server is >>>> relatively clean. >>>> >>>> However when I run that ipa-replica-install command, I end up >>>> with the >>>> following error in the ipareplica-install.log >>>> >>>> 2011-05-31 23:54:33,352 DEBUG args=/sbin/service dirsrv restart >>>> PKI-IPA >>>> 2011-05-31 23:54:33,353 DEBUG stdout=Shutting down dirsrv: >>>> PKI-IPA...[ OK ] >>>> Starting dirsrv: >>>> PKI-IPA...[FAILED] >>>> *** Warning: 1 instance(s) failed to start >>>> >>>> 2011-05-31 23:54:33,354 DEBUG stderr=[31/May/2011:23:54:23 >>>> -0400] - SSL >>>> alert: Security Initialization: Unable to authenticate (Netscape >>>> Portable Runtime error -8192 - An I/O error occurred during >>>> security >>>> authorization.) >>>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed. 
>>>> >>>> 2011-05-31 23:54:33,497 DEBUG args=/sbin/service dirsrv status >>>> 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv PKI-IPA is stopped >>>> >>>> 2011-05-31 23:54:33,501 DEBUG stderr= >>>> 2011-05-31 23:54:33,502 CRITICAL Failed to restart the directory >>>> server. >>>> See the installation log for details. >>>> >>>> This are the tomcat rpms on the server >>>> >>>> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch >>>> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch >>>> tomcat6-6.0.30-6.fc15.noarch >>>> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch >>>> tomcat6-lib-6.0.30-6.fc15.noarch >>>> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch >>>> tomcatjss-2.1.1-1.fc15.noarch >>>> >>>> So the tomcat6 version is definitely greater than >>>> tomcat6-6-0.30-5. >>>> >>>> The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any >>>> other >>>> thing different from same, >>>> >>>> [31/May/2011:23:54:23 -0400] - SSL alert: Security >>>> Initialization: >>>> Unable to authenticate (Netscape Portable Runtime error -8192 - >>>> An I/O >>>> error occurred during security authorization.) >>>> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed >>>> >>>> >>>> Any help will be greatly appreciated >>>> >>>> Ide >>>> >>>> >>>> I think we need more context. Can you compress and send >>>> /var/log/ipareplica-install.log ? >>>> >>>> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and >>>> errors to see if there is anything interesting there. >>>> >>>> And can you provide the output for: >>>> >>>> certutil -L -d /etc/dirsrv/slapd-PKI-IPA >>>> >>>> It would seem that your 389-ds instance is missing a copy of the CA >>>> cert. >>>> >>>> thanks >>>> >>>> rob >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
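The two checks this message turns on, Rob's `gpg -d replica-info-<host>.gpg | tar tvf -` look for dogtagcert.p12 and Uzor's orphaned jakarta-commons-collections.jar symlink, packaged as one pre-flight script to run before retrying ipa-replica-install. This is an added example, not FreeIPA or pki-ca code. The required-member set, the rename table, the gpg invocation and the fixture that demo() builds in a temporary directory are assumptions; nothing here touches a real bundle or /var/lib/pki-ca.

```python
"""Pre-flight checks for a replica install on an upgraded host (added example)."""
import io
import os
import subprocess
import tarfile
import tempfile

REQUIRED = {"realm_info/cacert.p12", "realm_info/dscert.p12",
            "realm_info/dogtagcert.p12"}            # assumed minimum set
RENAMES = {"jakarta-commons-": "apache-commons-"}  # assumed rename table


def bundle_members(path):
    """Names of regular files inside a replica bundle.

    A .gpg bundle is decrypted with gpg (it prompts for the passphrase that
    ipa-replica-prepare used); anything else is read as a plain tar.
    """
    if path.endswith(".gpg"):
        data = subprocess.run(["gpg", "-d", path], check=True,
                              stdout=subprocess.PIPE).stdout
    else:
        with open(path, "rb") as f:
            data = f.read()
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return {m.name for m in tar.getmembers() if m.isfile()}


def missing_from_bundle(path):
    """Required members the bundle lacks; an empty list means it is usable."""
    return sorted(REQUIRED - bundle_members(path))


def dangling_jars(lib_dir, jar_dir):
    """[(link, replacement_or_None)] for symlinks in lib_dir whose target is gone.

    A replacement is proposed only when the old jar name maps through RENAMES
    to a file that actually exists in jar_dir.
    """
    found = []
    for name in sorted(os.listdir(lib_dir)):
        link = os.path.join(lib_dir, name)
        if not os.path.islink(link) or os.path.exists(link):
            continue                                # not a link, or still valid
        base = os.path.basename(os.readlink(link))
        replacement = None
        for old, new in RENAMES.items():
            if base.startswith(old):
                cand = os.path.join(jar_dir, new + base[len(old):])
                if os.path.exists(cand):
                    replacement = cand
        found.append((link, replacement))
    return found


def relink(lib_dir, jar_dir):
    """Repoint every dangling link that has a replacement; return how many."""
    fixed = 0
    for link, replacement in dangling_jars(lib_dir, jar_dir):
        if replacement:
            os.unlink(link)
            os.symlink(replacement, link)
            fixed += 1
    return fixed


def demo():
    """Constructed fixture: an older server's bundle (no dogtagcert.p12) and a
    WEB-INF/lib left behind by the jakarta -> apache rename."""
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "replica-info-old.tar")  # gpg layer omitted
        with tarfile.open(bundle, "w") as tar:
            for name in ("realm_info/cacert.p12", "realm_info/dscert.p12",
                         "realm_info/realm_info"):
                info = tarfile.TarInfo(name)
                info.size = 3
                tar.addfile(info, io.BytesIO(b"xxx"))
        jar_dir = os.path.join(d, "usr", "share", "java")
        lib = os.path.join(d, "WEB-INF", "lib")
        os.makedirs(jar_dir)
        os.makedirs(lib)
        open(os.path.join(jar_dir, "apache-commons-collections.jar"), "wb").close()
        for jar in ("jakarta-commons-collections.jar", "xalan-j2-serializer.jar"):
            os.symlink(os.path.join(jar_dir, jar), os.path.join(lib, jar))
        before = [(os.path.basename(l), r is not None)
                  for l, r in dangling_jars(lib, jar_dir)]
        fixed = relink(lib, jar_dir)
        after = [os.path.basename(l) for l, _ in dangling_jars(lib, jar_dir)]
        return {"missing": missing_from_bundle(bundle), "before": before,
                "fixed": fixed, "after": after}


if __name__ == "__main__":
    print(demo())
```

On a real host you would call `missing_from_bundle("/path/to/replica-info-<host>.gpg")` and `dangling_jars("/var/lib/pki-ca/webapps/ca/WEB-INF/lib", "/usr/share/java")`; a link with no replacement (xalan-j2-serializer.jar in the fixture) is reported but left alone, so a human decides what the right jar is rather than the script guessing.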
From rcritten at redhat.com Mon Jun 6 22:14:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 06 Jun 2011 18:14:27 -0400
Subject: [Freeipa-users] Issue with replication install
In-Reply-To:
References: <4DE65D6D.7050604@redhat.com> <4DE7A76F.5010405@redhat.com>
Message-ID: <4DED5143.5000405@redhat.com>

Uzor Ide wrote:
> Anybody with an idea why my replication setup is hanging at stage 4 of the 11-stage process?
>
> #########################################################
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> done configuring pkids.
> Configuring certificate server: Estimated time 6 minutes
>   [1/11]: creating certificate server user
>   [2/11]: creating pki-ca instance
>   [3/11]: restarting certificate server
>   [4/11]: configuring certificate server instance
> ###############################################################
>
> When I checked the pki-ca debug log, everything is okay until it gets to this stage and it keeps repeating the last entry.
>
> ####################################################################
> [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: initializeConsumer host: company.domain.com port: 7389
> [06/Jun/2011:16:00:13][http-9445-1]: DatabasePanel initializeConsumer: start modifying
> [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: Finish modification.
> [06/Jun/2011:16:00:14][http-9445-1]: DatabasePanel initializeConsumer: thread sleeping for 5 seconds.
> [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: finish sleeping.
> [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel initializeConsumer: Successfully initialize consumer
> [06/Jun/2011:16:00:19][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca
> [06/Jun/2011:16:00:30][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait!
> [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries checking ou=people,o=ipaca
> [06/Jun/2011:16:00:35][http-9445-1]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait!
> ########################################################################

Can you reproduce this again and while it is looping like this telnet from the master to your replica on port 9445? Perhaps it is something else in the network, but something is preventing replication from proceeding. The 389-ds access and error logs on the master may hold some clues as well.

> If I leave it for hours, it will keep repeating the last entry.
>
> In the catalina.out log, I get the following java exception:
>
> ###########################################################################
> INFO: Deploying web application directory ca
> Jun 6, 2011 3:58:36 PM org.apache.catalina.startup.Catalina stopServer
> SEVERE: Catalina.stop:
> java.net.ConnectException: Connection refused
>         at java.net.PlainSocketImpl.socketConnect(Native Method)
>         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>         at java.net.Socket.connect(Socket.java:546)
>         at java.net.Socket.connect(Socket.java:495)
>         at java.net.Socket.<init>(Socket.java:392)
>         at java.net.Socket.<init>(Socket.java:206)
>         at org.apache.catalina.startup.Catalina.stopServer(Catalina.java:412)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:616)
>         at org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:338)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:416)
> 32-bit osutil library loaded
> 32-bit osutil library loaded
> CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
> Server is started.
> Jun 6, 2011 3:58:44 PM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory ROOT
> #############################################################
>
> While this points to a connection failure, I don't know why that is so, because there is no firewall running on the two boxes; I also disabled selinux just to make sure, but it did not make any difference.

The backtrace is just tomcat being tomcat. If you ask tomcat to stop itself and it isn't running it throws this big scary message.

This is not likely to be an SELinux issue, if it were you would see lots of AVCs in /var/log/audit/audit.log if you want to check.

> There is a bug number 643449 with this exception thrown here in bugzilla, but that issue was supposed to be caused by a missing xalan-j2-serializer.jar file in tomcat5. This is tomcat6.
>
> Please, any help will be appreciated.
>
> Thanks
>
> __Ide
>
> On Fri, Jun 3, 2011 at 2:32 PM, Uzor Ide wrote:
>
>     I have corrected the problem with the ipa server, from the broken tomcat/pki-ca;
>
>     The problem comes from a sym link that was created during the setup of pki-ca from PKI-HOME for jakarta-commons-collections.jar to /usr/share/java/jakarta-commons-collections.jar.
>     This file is a member of the jakarta-commons-collections rpm package in fc14. In fc15 the jakarta-commons-collections package appears to have been renamed to apache-commons-collections and an equivalent file apache-commons-collections.jar is contained.
>     However when you upgrade, at least in my own case using preupgrade, it leaves the /var/lib/pki-ca/webapps/ca/WEB-INF/lib/jakarta-commons-collections.jar link orphaned. Recreating the sym link to /usr/share/java/apache-commons-collections.jar fixes the problem.
>
>     I have created a new replica package and I see that it contained the dogtagcert.p12 file.
>
>     I will try to install the replica and see how it goes.
> > Thanks > > __Ide > > > > > > On Fri, Jun 3, 2011 at 10:28 AM, Uzor Ide > wrote: > > The IPA server is version 2.0.0 R3 which is supposed to install > on fc14 with some packages from updates-testing repo, while the > replica install is on server 2.0.1 > > Yes, there is no dogtagcert.p12 file; here are the files contained: > realm_info/httpcert.p12 > realm_info/cacert.p12 > realm_info/ldappwd > realm_info/ra.p12 > realm_info/http_pin.txt > realm_info/realm_info > realm_info/configure.jar > realm_info/dscert.p12 > realm_info/dirsrv_pin.txt > realm_info/pwdfile.txt.ori > realm_info/pwdfile.txt > realm_info/kpasswd.keytab > realm_info/preferences.htm > realm_info/ca.crt > > I have upgraded the IPA box to fc15 and freeipa-2.0.1 in the > quest to get a correct replica package but that seems to have > created another problem as it has broken the tomcat and thus pki-ca. > > Jun 3, 2011 10:09:29 AM org.apache.catalina.loader.WebappLoader > start > SEVERE: LifecycleException > java.io.IOException: Failed to access resource > /WEB-INF/lib/jakarta-commons-collections.jar > at > org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1050) > at > org.apache.catalina.loader.WebappLoader.start(WebappLoader.java:681) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4541) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546) > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > at > org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > at > 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1061) > at > org.apache.catalina.core.StandardHost.start(StandardHost.java:785) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463) > at > org.apache.catalina.core.StandardService.start(StandardService.java:525) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:701) > at > org.apache.catalina.startup.Catalina.start(Catalina.java:585) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:616) > at > org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > Caused by: javax.naming.NamingException: Resource > jakarta-commons-collections.jar not found > at > org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:209) > at > org.apache.catalina.loader.WebappLoader.setRepositories(WebappLoader.java:1048) > ... 24 more > > It seems to me that it is looking for > jakarta-commons-collections.jar which exist but is a package > from the old tomcat6-6.0.26. > > > Thanks > > __Ide > > > > > On Thu, Jun 2, 2011 at 11:08 AM, Rob Crittenden > > wrote: > > Uzor Ide wrote: > > Thanks Rob > > I did run the certutil -L -d /etc/dirsrv/slapd-PKI-IPA > command; the > nssdb is empty > If the CA cert is supposed to exist there at that stage > of install, > then that would be the problem. > > Both the slapd-PKI-IPA error and access does not contain > much. I > attached them herein with the ipareplica-install.log. 
> > > How old is the prepared replica file, and was it created > with an older version of IPA? > > In one of the last release candidates we started creating a > separate SSL certificate for the 389-ds instance used by > dogtag. I get the feeling that doesn't exist which would > explain why SSL is failing. > > You can check by doing something like: > # gpg -d replica-info-.gpg | tar tvf - > > The file you're looking for is dogtagcert.p12 > > rob > > thanks > > Ide > > > On Wed, Jun 1, 2011 at 11:40 AM, Rob Crittenden > > >> wrote: > > Uzor Ide wrote: > > > Hi all > > We are trying to setup a backup IPA server and > decided to toe that > replication route. > The box is a fedora 14 with freeipa-2.0-RC2 > which I upgraded to > fedora > 15 and freeipa 2.0.1. > Note we first did ipa-server-install --uninstall > before > upgrading the > freeipa packages so as to make sure that the > server is > relatively clean. > > However when I run that ipa-replica-install > command, I end up > with the > following error in the ipareplica-install.log > > 2011-05-31 23:54:33,352 DEBUG args=/sbin/service > dirsrv restart > PKI-IPA > 2011-05-31 23:54:33,353 DEBUG stdout=Shutting > down dirsrv: > PKI-IPA...[ OK ] > Starting dirsrv: > PKI-IPA...[FAILED] > *** Warning: 1 instance(s) failed to start > > 2011-05-31 23:54:33,354 DEBUG > stderr=[31/May/2011:23:54:23 > -0400] - SSL > alert: Security Initialization: Unable to > authenticate (Netscape > Portable Runtime error -8192 - An I/O error > occurred during security > authorization.) > [31/May/2011:23:54:23 -0400] - ERROR: SSL > Initialization Failed. > > 2011-05-31 23:54:33,497 DEBUG args=/sbin/service > dirsrv status > 2011-05-31 23:54:33,500 DEBUG stdout=dirsrv > PKI-IPA is stopped > > 2011-05-31 23:54:33,501 DEBUG stderr= > 2011-05-31 23:54:33,502 CRITICAL Failed to > restart the directory > server. > See the installation log for details. 
> These are the tomcat rpms on the server
>
> tomcat5-servlet-2.4-api-5.5.31-3.fc15.noarch
> tomcat6-jsp-2.1-api-6.0.30-6.fc15.noarch
> tomcat6-6.0.30-6.fc15.noarch
> tomcat6-servlet-2.5-api-6.0.30-6.fc15.noarch
> tomcat6-lib-6.0.30-6.fc15.noarch
> tomcat6-el-2.1-api-6.0.30-6.fc15.noarch
> tomcatjss-2.1.1-1.fc15.noarch
>
> So the tomcat6 version is definitely greater than tomcat6-6-0.30-5.
>
> The /var/log/dirsrv/slapd-PKI-IPA/errors logs does not show any other thing different from same,
>
> [31/May/2011:23:54:23 -0400] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
> [31/May/2011:23:54:23 -0400] - ERROR: SSL Initialization Failed
>
> Any help will be greatly appreciated
>
> Ide
>
> I think we need more context. Can you compress and send /var/log/ipareplica-install.log ?
>
> I'd also suggest looking at /var/log/dirsrv/PKI-IPA/access and errors to see if there is anything interesting there.
>
> And can you provide the output for:
>
> certutil -L -d /etc/dirsrv/slapd-PKI-IPA
>
> It would seem that your 389-ds instance is missing a copy of the CA cert.
>
> thanks
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue Jun 7 21:03:50 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 7 Jun 2011 21:03:50 +0000
Subject: [Freeipa-users] sync passwords with AD or not per user
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Is it possible to set some users so they will not password sync with AD while most do?

regards

From brian.p.stamper at nasa.gov Tue Jun 7 21:17:10 2011
From: brian.p.stamper at nasa.gov (Stamper, Brian P.
(ARC-D)[Logyx LLC])
Date: Tue, 7 Jun 2011 16:17:10 -0500
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To:
Message-ID:

I continue to work with performance issues. I went into the krb5.conf and changed dns_lookup_kdc from true to false. Kinit now responds immediately. It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s. How fast "should" this respond?

-Brian

On 6/6/11 12:31 PM, "Brian Stamper" wrote:

This is what I get. I'm not sure which logfiles would be useful at this point.

-brian

time ipa-finduser -v admin

Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
send: "POST /ipa/xml HTTP/1.1\r\nHost: freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization: negotiate 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\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 515\r\n\r\n\n\nfind_users\n\n\nadmin\n\n\n\nuid\ngivenname\nsn\nhomeDirectory\nloginshell\n\n\n\n-1\n\n\n-1\n\n\n\n"
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 06 Jun 2011 19:25:47 GMT
header: Server: Apache/2.2.17 (Fedora)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvgT/A5n14nLzBVzpFQFm8lIUc1dZmoma0UuzN9dxD7ykRe/S6rTZJnlroYZG9cmHK9WmIZX5eg/zThvgz/QVvVufnzTbihT3lUDFa4ING9mtCpigZoTnLWGcIRLKddjFHammKG6SjMU29YgwHIZ2D
header: Content-Length: 650
header: Connection: close
header: Content-Type: text/xml
body: "\n\n\n\n\n1\n\n\ndn\nuid=admin,cn=users,cn=accounts,dc=arc,dc=nasa,dc=gov\n\n\nloginshell\n/bin/bash\n\n\nuid\nadmin\n\n\nsn\nAdministrator\n\n\nhomedirectory\n/home/admin\n\n\n\n\n\n\n"
Connecting to IPA server: https://freeipa.arc.nasa.gov/ipa/xml
send: "POST /ipa/xml HTTP/1.1\r\nHost: freeipa.arc.nasa.gov\r\nAccept-Encoding: gzip\r\nAuthorization: negotiate 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\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 331\r\n\r\n\n\nattrs_to_labels\n\n\n\nhomedirectory\nloginshell\nsn\nuid\n\n\n\n\n"
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 06 Jun 2011 19:26:18 GMT
header: Server: Apache/2.2.17 (Fedora)
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv14HufxqWTyNzhsD9xAxrBN5L7jejiqPqHum3FjYTKc2xIrC1ONAloxDyxcOV0isynFIw6/NwpXJKHfzfDbiFPiYjF3xrOakeGDiiVSCL7G12ZNdqErNfP1GVBU5yVg+vIDI+HxfzRa29Gl9eIu1J
header: Content-Length: 458
header: Connection: close
header: Content-Type: text/xml
body: "\n\n\n\n\n\nloginshell\nLogin Shell\n\n\nhomedirectory\nHome Directory\n\n\nuid\nLogin\n\n\nsn\nLast Name\n\n\n\n\n\n"
Home Directory: /home/admin
Login Shell: /bin/bash
Last Name: Administrator
Login: admin

real 1m50.460s
user 0m0.083s
sys 0m0.017s

[root at freeipa ~]# time wget https://freeipa.arc.nasa.gov/ipa/xml
--2011-06-06 12:29:40-- https://freeipa.arc.nasa.gov/ipa/xml
Resolving freeipa.arc.nasa.gov... 143.232.152.197
Connecting to freeipa.arc.nasa.gov|143.232.152.197|:443... connected.
ERROR: cannot verify freeipa.arc.nasa.gov's certificate, issued by "/CN=IPA Test Certificate Authority":
Self-signed certificate encountered.
To connect to freeipa.arc.nasa.gov insecurely, use '--no-check-certificate'.

real 0m0.015s
user 0m0.011s
sys 0m0.002s
[root at freeipa ~]#

On 6/6/11 7:56 AM, "Rob Crittenden" wrote:

Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I'm closer. I was able to get logged into the UI. It wasn't that I was running firefox from root, but that I had inited as root. Same problem really. Dropping back to my own shell and initing I was able to reach the GUI. The next problem I need to tackle is the slowness. Ipa-finduser admin does return results, but it takes 2m43s.

Definitely getting hung up somewhere. I'd try the -v option to ipa-finduser to get a bit more detail on the request.
The client will attempt to find the right IPA Apache server to connect to, make a kerberos connection. Apache will then handle the request and collect any data needed from 389-ds and return it. There are a lot of places things can break down. By examining the server logs you may be able to discern where the logjam is.

rob

>
> [root at freeipa ~]# egrep "freeipa|local" /etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 1.2.3.4 freeipa.arc.nasa.gov freeipa
>
> [root at freeipa ~]# grep host /etc/nsswitch.conf
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> [root at freeipa ~]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:10:18:2D:E6:93
> inet addr:1.2.3.4
>
> I don't see any issues with the configuration there. There are no conflicting "freeipa" hosts in dns. Looks pretty much in compliance with the guide:
>
> Configuring /etc/hosts
> You need to ensure that your /etc/hosts file is configured correctly, or the ipa-* commands may not work correctly.
>
> The /etc/hosts file should list the FQDN for your IPA server before any aliases. You should also ensure that the hostname is not part of the localhost entry. The following is an example of a valid hosts file:
> 127.0.0.1 localhost.localdomain localhost
> ::1 localhost6.localdomain6 localhost6
> 192.168.1.1 ipaserver.example.com ipaserver
>
> -Brian
>
> On 6/3/11 3:58 PM, "Dmitri Pal" wrote:
>
> On 06/03/2011 06:44 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> Re: [Freeipa-users] Difficulty installing freeipa
> I have resolved the install issue.
>
> Great!
>
> The installer is a bit sloppy and makes some bad assumptions. The problem turns out to be that the directory server setup seems to be running as dirsrv, not root. Ipa-server-install (more specifically dsinstance.py) writes out the file /var/lib/dirsrv/boot.ldif. But it does so as root, using root's umask. It doesn't do a check to make sure dirsrv can read this file before spawning an external process to create the directory server. Part of security best practices recommended by the CIS group as well as others is to set root's umask to 0077. With this setting in place, dirsrv is unable to read /var/lib/dirsrv/boot.ldif, which causes setup-ds.pl to fail when executed from ipa-server-install. I modified dsinstance.py to not remove the file and checked it after a failed install. It was written properly, so I changed the permission on it to 666 and re-ran the install. It succeeded.
>
> Opened https://fedorahosted.org/freeipa/ticket/1282
>
> I'm now back to where I started, which is a partly working ipa install. Kinit takes 75 seconds to complete.
>
> Seems like a DNS timeout or something related to the name resolution.
>
> I still can't get to the UI. I'm now going to uninstall again, change root's umask to 022, and see if that fixes any more of the problems.
>
> The UI does not start for me if you try to run FF from the root shell. I forget about this frequently and just upgraded to F15 and hit it again.
>
> If you have a normal user shell, kinit from that shell as admin and start browser from it you should have all the right context to access UI.
>
> -Brian
>
> On 6/3/11 3:14 PM, "Brian Stamper" wrote:
>
> Yes, I mentioned in the first email I had attempted that. I just ran the uninstall 10 times in a row.
> Same errors:
>
> Configuring directory server:
> [1/17]: creating directory server user
> [2/17]: creating directory server instance
> root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpYwtW2p' returned non-zero exit status 1
> [3/17]: adding default schema
> [4/17]: enabling memberof plugin
> [5/17]: enabling referential integrity plugin
> [6/17]: enabling distributed numeric assignment plugin
> [7/17]: enabling winsync plugin
> [8/17]: configuring uniqueness plugin
> [9/17]: creating indices
> [10/17]: configuring ssl for ds instance
> [11/17]: configuring certmap.conf
> [12/17]: restarting directory server
> [13/17]: adding default layout
> root : CRITICAL Failed to load bootstrap-template.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmp0AROuy -f /tmp/tmpPC4048' returned non-zero exit status 32
> [14/17]: configuring Posix uid/gid generation as first master
> [15/17]: adding master entry as first master
> root : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -y /tmp/tmpwyqeVF -f /tmp/tmp1dDTjN' returned non-zero exit status 32
> [16/17]: initializing group membership
> [17/17]: configuring directory to start on boot
> done configuring dirsrv.
>
> As a test I've manually run setup-ds.pl accepting all of the defaults. It works fine and installs successfully, creating the slapd-freeipa (which is the hostname) instance. I then ran remove-ds.pl on the slapd-freeipa instance and re-ran the ipa uninstall. When I attempted to reinstall ipa, it detected an existing ds. I did a locate for dirsrv and found logfiles from an instance called slapd-ARC-NASA-GOV, which should be my default freeipa dirsrv instance. To try to clean this up, I ran setup-ds.pl and chose custom and created a slapd-ARC-NASA-GOV instance, and then immediately removed it with remove-ds.pl. I then re-ran ipa-server-install, which this time did not detect an existing directory server. However, the ipa-server-install again failed in the same location.
>
> [2/17]: creating directory server instance
> root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp77JJv1' returned non-zero exit status 1
>
> And from the log:
>
> 2011-06-03 15:12:41,540 DEBUG Configuring directory server:
> 2011-06-03 15:12:41,541 DEBUG [1/17]: creating directory server user
> 2011-06-03 15:12:41,541 DEBUG ds user dirsrv exists
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,541 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory server instance
> 2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances configured
>
> 2011-06-03 15:12:41,567 INFO
> 2011-06-03 15:12:41,567 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2011-06-03 15:12:41,568 DEBUG
> dn: dc=arc,dc=nasa,dc=gov
> objectClass: top
> objectClass: domain
> objectClass: pilotObject
> dc: arc
> info: IPA V1.0
>
> 2011-06-03 15:12:41,569 DEBUG writing inf template
> 2011-06-03 15:12:41,570 DEBUG
> [General]
> FullMachineName= freeipa.arc.nasa.gov
> SuiteSpotUserID= dirsrv
> ServerRoot= /usr/lib64/dirsrv
> [slapd]
> ServerPort= 389
> ServerIdentifier= ARC-NASA-GOV
> Suffix= dc=arc,dc=nasa,dc=gov
> RootDN= cn=Directory Manager
> InstallLdifFile= /var/lib/dirsrv/boot.ldif
>
> 2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
> 2011-06-03 15:12:48,633 INFO [11/06/03:15:12:48] - [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 59648. Output: importing data ...
> [03/Jun/2011:15:12:41 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [03/Jun/2011:15:12:42 -0700] - check_and_set_import_cache: pagesize: 4096, pages: 997331, procpages: 48998
> [03/Jun/2011:15:12:42 -0700] - Import allocates 1595728KB import cache.
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Index buffering enabled with bucket size 100
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> [03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import threads aborted.
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Closing files...
> /var/lib/dirsrv/slapd-ARC-NASA-GOV/db/userRoot: No such file or directory
> [03/Jun/2011:15:12:48 -0700] - All database threads now stopped
> [03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
>
> [11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
> Error: Could not create directory server instance 'ARC-NASA-GOV'.
> [11/06/03:15:12:48] - [Setup] Fatal Exiting . . .
>
> -Brian
>
> On 6/3/11 2:53 PM, "Dmitri Pal" wrote:
>
> On 06/03/2011 05:38 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> Re: [Freeipa-users] Difficulty installing freeipa
> I've given up on freeipa v2 due to lack of compatibility with hosts I manage. This is all on freeipa v1. The server started as Fedora 13, and I upgraded to Fedora 14 in an attempt to fix the problems.
>
> [root at freeipa ~]# uname -r
> 2.6.35.13-91.fc14.x86_64
> [root at freeipa ~]# rpm -qa 'ipa*'
> ipa-client-1.2.2-6.fc14.x86_64
> ipa-server-selinux-1.2.2-6.fc14.x86_64
> ipa-python-1.2.2-6.fc14.x86_64
> ipa-admintools-1.2.2-6.fc14.x86_64
> ipa-server-1.2.2-6.fc14.x86_64
> [root at freeipa ~]#
>
> I'm not doing anything special at this point. I'm not even trying to get clients added. I'm trying to do a basic install of ipa-server, with no extra arguments. That claimed to succeed but wouldn't work, I tried to fix it, uninstalled, any attempts to reinstall failed. So right now I'm simply trying to get the ipa service back to any kind of functioning status without re-installing the OS.
>
> Ah this is all old 1.2 IPA.
> Have you tried
> ipa-server-install --uninstall
>
> Might require several attempts until all the errors are cleared.
>
> -Brian
>
> On 6/3/11 2:30 PM, "Dmitri Pal" wrote:
>
> Is it all on F13?
> The IPA v2 can't be built on F13 as there are many dependencies missing that we rely on.
> There are too many parts; this is why we had to move to the later versions of F15. We just did not have any options. So the server you built might in fact be completely broken. I do not know how to fix it. It looks like you have some instances of the DS left over in a misconfigured state.
>
> You can try running ipa-server-install --uninstall 4-5 times. That might clear things a bit.
>
> But let us get back to the original problem. Freeipa can be used with the LDAP+Kerberos configuration on the clients. You do not need to have latest and greatest.
> There was a nice article referenced in some of the earlier threads on the list:
>
> http://www.aput.net/~jheiss/krbldap/howto.html
>
> You can configure very old clients to use IPA as NIS server.
> Let us know how else we can help.
> Thanks
> Dmitri
>
> -Brian
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
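The root cause Brian isolates in the thread above (boot.ldif written as root under a 0077 umask, so the dirsrv account cannot read it, and no readability check before setup-ds.pl is spawned) is easy to reproduce and to guard against. The following is an added example written for this page, not FreeIPA's dsinstance.py: it reproduces the failure under a CIS-style restrictive umask, then shows a write that sets an explicit file mode independent of the umask and verifies readability for the target uid/gid before handing off. The uid/gid 4321 and the file names are constructed placeholders standing in for the dirsrv account; the LDIF content is the suffix entry from the install log quoted above.

```python
"""Added example (not FreeIPA code): write a bootstrap LDIF for a service
account and verify it is readable before handing it to a helper process."""
import os
import stat
import tempfile

# Constructed sample: the suffix entry that the install log above shows
# ipa-server-install writing to /var/lib/dirsrv/boot.ldif.
SAMPLE_LDIF = (
    "dn: dc=arc,dc=nasa,dc=gov\n"
    "objectClass: top\n"
    "objectClass: domain\n"
    "objectClass: pilotObject\n"
    "dc: arc\n"
    "info: IPA V1.0\n"
)

# Hypothetical uid/gid standing in for the 'dirsrv' service account; on a
# real system look them up with pwd.getpwnam('dirsrv').
READER_UID = 4321
READER_GID = 4321


def mode_allows_read(mode, file_uid, file_gid, uid, gid, groups=()):
    """Classic POSIX owner/group/other read check evaluated for an arbitrary
    uid/gid. os.access() can only answer for the calling process, which is
    root during an install, so it would always say 'readable'."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid == gid or file_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readable_by(path, uid, gid, groups=()):
    """Judge the file's own mode bits only; traversal (x) on parent
    directories is a separate check not covered here."""
    st = os.stat(path)
    return mode_allows_read(st.st_mode, st.st_uid, st.st_gid, uid, gid, groups)


def naive_write(path, text):
    """The pattern described in the thread: a plain open() creates the file
    as 0666 & ~umask, so under umask 0077 it ends up 0600, owned by root."""
    with open(path, "w") as f:
        f.write(text)
    return path


def write_for_service(path, text, uid, gid):
    """Create the file with an explicit mode that does not depend on the
    caller's umask, then refuse to continue if the service account could not
    read it. 0644 is acceptable here because the bootstrap LDIF holds only
    the public suffix entry; a file carrying secrets would instead be
    chown'ed to the service account and set to 0640 (which needs root)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        # The mode given to os.open() is still filtered by the umask;
        # fchmod() on the open descriptor is not.
        os.fchmod(fd, 0o644)
        os.write(fd, text.encode())
    finally:
        os.close(fd)
    if not readable_by(path, uid, gid):
        raise PermissionError("%s is not readable by uid %d" % (path, uid))
    return path


def demo(umask=0o077):
    """Reproduce the failure and the fix under a restrictive umask.
    Returns (naive_readable, fixed_readable)."""
    workdir = tempfile.mkdtemp()
    old = os.umask(umask)
    try:
        naive = naive_write(os.path.join(workdir, "boot-naive.ldif"), SAMPLE_LDIF)
        fixed = write_for_service(os.path.join(workdir, "boot-fixed.ldif"),
                                  SAMPLE_LDIF, READER_UID, READER_GID)
    finally:
        os.umask(old)
    return (readable_by(naive, READER_UID, READER_GID),
            readable_by(fixed, READER_UID, READER_GID))


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Brian's workaround of chmod 666 makes the file world-writable, which is more than the importer needs; an explicit 0644 (or 0640 with the right owner) gives the service account read access without opening the file to modification by other local users.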
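In the install log quoted above the actionable line is the errno 13 on /var/lib/dirsrv/boot.ldif; "Aborting all Import threads", "Import failed" and the [Setup] Fatal Error are consequences of it, and the earlier "no dirsrv instances configured" is the installer checking for leftovers rather than an error. This added example (not part of the thread or of FreeIPA) parses both the ipa-server-install log format and the 389-ds errors-log format from a constructed sample assembled from those quoted lines, and separates the first concrete OS error from the cascade that follows it. The CASCADE keyword list and the hint text are assumptions made for the example.

```python
"""Added example (not FreeIPA code): pick the root cause out of a failed
ipa-server-install / setup-ds.pl log instead of the last error printed."""
import re

# Constructed sample: a shortened copy of the lines quoted in the thread.
SAMPLE_LOG = """\
2011-06-03 15:12:41,542 DEBUG [2/17]: creating directory server instance
2011-06-03 15:12:41,567 INFO *** Error: no dirsrv instances configured
2011-06-03 15:12:41,570 DEBUG calling setup-ds.pl
[03/Jun/2011:15:12:42 -0700] - import userRoot: Beginning import job...
[03/Jun/2011:15:12:42 -0700] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
[03/Jun/2011:15:12:42 -0700] - import userRoot: Aborting all Import threads..
[03/Jun/2011:15:12:48 -0700] - import userRoot: Import failed.
[11/06/03:15:12:48] - [Setup] Fatal Error: Could not create directory server instance 'ARC-NASA-GOV'.
"""

# ipa-server-install lines: "YYYY-MM-DD HH:MM:SS,ms LEVEL message"
IPA_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (\w+) (.*)$")
# 389-ds errors log and setup-ds.pl lines: "[timestamp] - message"
DS_LINE = re.compile(r"^\[([^\]]+)\] - (.*)$")
# An OS-level failure with a path and errno, e.g. errno 13 (Permission denied)
ERRNO = re.compile(r'"([^"]+)", errno (\d+) \(([^)]+)\)')

# Messages that are consequences of an earlier failure, not causes (assumed list).
CASCADE = ("Aborting", "Import failed", "Fatal Error", "threads aborted")


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = IPA_LINE.match(line)
    if m:
        return {"src": "ipa", "ts": m.group(1), "level": m.group(2), "msg": m.group(3)}
    m = DS_LINE.match(line)
    if m:
        return {"src": "dirsrv", "ts": m.group(1), "level": None, "msg": m.group(2)}
    return None


def triage(text):
    """Walk the log in order; the first errno line is the root cause, later
    abort/fatal messages are recorded as cascade so they are not chased."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    root = None
    cascade = []
    for e in events:
        m = ERRNO.search(e["msg"])
        if m and root is None:
            root = {"ts": e["ts"], "path": m.group(1),
                    "errno": int(m.group(2)), "reason": m.group(3)}
        elif any(k in e["msg"] for k in CASCADE):
            cascade.append(e["msg"])
    return {"root_cause": root, "cascade": cascade, "events": len(events)}


def hint(root):
    """Remediation pointer for the root cause (wording assumed for the example)."""
    if root is None:
        return "no OS-level error found; read the cascade lines in order"
    if root["errno"] == 13:
        return ("EACCES on %s: check the file's owner and mode against the "
                "service account that must read it; a restrictive umask on "
                "the installing process is one cause" % root["path"])
    return "errno %d (%s) on %s" % (root["errno"], root["reason"], root["path"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["root_cause"])
    print(hint(result["root_cause"]))
```

Run against the full log in the thread the same walk lands on the same errno 13 line, since the repeated import block and the [Setup] Fatal lines all fall under the cascade rule.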
From rmeggins at redhat.com Tue Jun 7 21:20:31 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jun 2011 15:20:31 -0600
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DEE961F.50206@redhat.com>

On 06/07/2011 03:03 PM, Steven Jones wrote:
> Hi,
>
> Is it possible to set some users so they will not password sync with AD while most do?
Do you want the user data to sync, just not the passwords?
> regards
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue Jun 7 21:29:50 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 7 Jun 2011 21:29:50 +0000
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <4DEE961F.50206@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I thought with freeipa 2.0 it could only sync passwords?

Basically our security manager wants stricter and stronger password control on our financial linux powered servers than is the policy set in AD, which is pathetic....

regards
________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 8 June 2011 9:20 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sync passwords with AD or not per user

On 06/07/2011 03:03 PM, Steven Jones wrote:
> Hi,
>
> Is it possible to set some users so they will not password sync with AD while most do?
Do you want the user data to sync, just not the passwords?
> regards
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rmeggins at redhat.com Tue Jun 7 21:31:22 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jun 2011 15:31:22 -0600
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DEE98AA.9020007@redhat.com>

On 06/07/2011 03:29 PM, Steven Jones wrote:
> Hi,
>
> I thought with freeipa 2.0 it could only sync passwords?
Usually PassSync works in conjunction with Windows Sync - you first sync the users from AD to IPA, then when the AD password changes, PassSync finds the corresponding user in IPA (synced over by Windows Sync), then sends the updated password for that user.
> Basically our security manager wants stricter and stronger password control on our financial linux powered servers than is the policy set in AD, which is pathetic....
What sort of password control? Minimum length? Character classes? Password history checking?
> regards
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 8 June 2011 9:20 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>
> On 06/07/2011 03:03 PM, Steven Jones wrote:
>> Hi,
>>
>> Is it possible to set some users so they will not password sync with AD while most do?
> Do you want the user data to sync, just not the passwords?
>> regards
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

From dpal at redhat.com Tue Jun 7 21:33:03 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 07 Jun 2011 17:33:03 -0400
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To:
References:
Message-ID: <4DEE990F.6050009@redhat.com>

On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> I continue to work with performance issues. I went into the krb5.conf and changed dns_lookup_kdc from true to false. Kinit now responds immediately. It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s. How fast "should" this respond?

It should be a matter of less than a second. Are you using a VM to test? Does it have enough memory?

It is really hard to say what exactly is causing your delays. IPA does a lot of name resolution. Delays are usually related to that. By turning off the name resolution against DNS in Kerberos you reduced the number of lookups but probably did not eliminate all of them. I suggest you continue looking into the name resolution more. This is the best we can say without any logs or specific configurations. Sorry.

Thanks
Dmitri

>
> -Brian
>
> On 6/6/11 12:31 PM, "Brian Stamper" wrote:
>
> This is what I get. I'm not sure which logfiles would be useful at this point.
> > Thanks > > Dmitri > > > > > > > > > > > > -Brian > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Tue Jun 7 21:36:18 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 7 Jun 2011 21:36:18 +0000 Subject: [Freeipa-users] sync passwords with AD or not per user In-Reply-To: <4DEE98AA.9020007@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE98AA.9020007@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz> >What sort of password control? Minimum length? Character classes? >Password history checking? yes, yes and yes... 
regards

From rmeggins at redhat.com Tue Jun 7 21:36:59 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jun 2011 15:36:59 -0600
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE98AA.9020007@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DEE99FB.2080407@redhat.com>

On 06/07/2011 03:36 PM, Steven Jones wrote:
>> What sort of password control? Minimum length? Character classes?
>> Password history checking?
> yes, yes and yes...
>
> regards

With plain old 389, you can do all of these and more. IPA has its own password checking plugin, so it may differ slightly.

But what does this have to do with Windows PassSync?

From Steven.Jones at vuw.ac.nz Tue Jun 7 21:41:36 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 7 Jun 2011 21:41:36 +0000
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <4DEE99FB.2080407@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE98AA.9020007@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE99FB.2080407@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E83F6@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

For most users I will want to allow the same password in AD as in freeipa....so a linux or windows desktop will work with a linux or windows service.....but for some specific financial servers/services I need a stricter password capability to meet our audit criteria.
regards
________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 8 June 2011 9:36 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sync passwords with AD or not per user

On 06/07/2011 03:36 PM, Steven Jones wrote:
>> What sort of password control? Minimum length? Character classes?
>> Password history checking?
> yes, yes and yes...
>
> regards

With plain old 389, you can do all of these and more. IPA has its own password checking plugin, so it may differ slightly.

But what does this have to do with Windows PassSync?

From rmeggins at redhat.com Tue Jun 7 21:48:30 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jun 2011 15:48:30 -0600
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E83F6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE98AA.9020007@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE99FB.2080407@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E83F6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DEE9CAE.7000206@redhat.com>

On 06/07/2011 03:41 PM, Steven Jones wrote:
> Hi,
>
> For most users I will want to allow the same password in AD as in freeipa....so a linux or windows desktop will work with a linux or windows service.....but for some specific financial servers/services I need a stricter password capability to meet our audit criteria.

In 389 you can set password policy on a per-user or per-subtree basis. With a little extra work, you could probably get this working on a per-group or per-role basis as well. This should apply to IPA as well, depending on how they have implemented support for password policy.
> regards
>
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 8 June 2011 9:36 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>
> On 06/07/2011 03:36 PM, Steven Jones wrote:
>>> What sort of password control? Minimum length? Character classes?
>>> Password history checking?
>> yes, yes and yes...
>>
>> regards
> With plain old 389, you can do all of these and more. IPA has its own
> password checking plugin, so it may differ slightly.
>
> But what does this have to do with Windows PassSync?

From dpal at redhat.com Tue Jun 7 21:50:29 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 07 Jun 2011 17:50:29 -0400
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E83F6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE98AA.9020007@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE99FB.2080407@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E83F6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DEE9D25.1080605@redhat.com>

On 06/07/2011 05:41 PM, Steven Jones wrote:
> Hi,
>
> For most users I will want to allow the same password in AD as in freeipa....so a linux or windows desktop will work with a linux or windows service.....but for some specific financial servers/services I need a stricter password capability to meet our audit criteria.
>
But you still need to synch the users for those servers or you can create specific users in IPA and apply more restrictive password policies to them?

In IPA v2 you can have password policies per group.
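The two replies above describe the same idea from two sides: 389 evaluates a password policy per user or per subtree, and IPA v2 attaches policies to groups. The Python below is an added example written for this thread, not code from IPA or 389, that models the group-based variant and the three checks Steven asked about (minimum length, character classes, history). The policy names, priorities and passwords are constructed; the conflict rule, lowest priority number wins with a global fallback, follows the convention IPA's pwpolicy priority uses. History entries are salted PBKDF2 digests so the history store never holds an old password in clear text.

```python
"""Group-based password policy, modelled on the IPA v2 behaviour described
in this thread: every group can carry its own policy and a user in several
groups gets the one with the lowest priority number, falling back to a global
policy. Added example for the list discussion, not IPA or 389 code; the
policies, groups and passwords below are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    minlength: int   # minimum password length
    minclasses: int  # distinct character classes required (1-4)
    history: int     # previous passwords that may not be reused (0 = off)
    priority: int    # lower number wins when several group policies apply


# Constructed policies: a permissive global default (the "same password as AD"
# population) and a stricter one for the finance group mentioned in the thread.
POLICIES = {
    "global_policy": PasswordPolicy("global_policy", 8, 1, 0, priority=10_000),
    "staff": PasswordPolicy("staff", 10, 2, 3, priority=50),
    "finance": PasswordPolicy("finance", 14, 3, 10, priority=10),
}


def select_policy(user_groups, policies=POLICIES):
    """Effective policy for a user: the matching group policy with the lowest
    priority value, or the global policy when no group policy applies."""
    candidates = [policies[g] for g in user_groups if g in policies and g != "global_policy"]
    if not candidates:
        return policies["global_policy"]
    return min(candidates, key=lambda p: p.priority)


def char_classes(password):
    """Number of character classes present: lower, upper, digit, other."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for test in tests if any(test(c) for c in password))


def history_entry(password, salt=None):
    """Salted PBKDF2 digest for the history store, so old passwords are
    never kept in clear text. Iteration count kept low for the example."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def reused(password, history):
    """True when password matches any (salt, digest) pair in history."""
    return any(
        hmac.compare_digest(history_entry(password, salt)[1], digest)
        for salt, digest in history
    )


def check_password(password, user_groups, history=(), policies=POLICIES):
    """Return the list of violations under the user's effective policy;
    an empty list means the password is acceptable. history is ordered
    oldest first, so only the last `policy.history` entries are consulted."""
    policy = select_policy(user_groups, policies)
    problems = []
    if len(password) < policy.minlength:
        problems.append(f"{policy.name}: shorter than {policy.minlength} characters")
    if char_classes(password) < policy.minclasses:
        problems.append(f"{policy.name}: fewer than {policy.minclasses} character classes")
    recent = list(history)[-policy.history:] if policy.history else []
    if recent and reused(password, recent):
        problems.append(f"{policy.name}: reuses one of the last {policy.history} passwords")
    return problems


if __name__ == "__main__":
    old = [history_entry("Correct-Horse-Battery-9")]
    print(select_policy(["staff", "finance"]).name)          # finance
    print(check_password("password", ["ipausers"]))          # []
    print(check_password("password", ["staff", "finance"]))  # two violations
    print(check_password("Correct-Horse-Battery-9", ["finance"], old))
```

A user who is in both the staff and finance groups gets the finance policy because its priority number is lower, which is what lets a stricter policy for the audited financial services coexist with a permissive default for everyone whose password is kept in step with AD.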
> regards
>
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 8 June 2011 9:36 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>
> On 06/07/2011 03:36 PM, Steven Jones wrote:
>>> What sort of password control? Minimum length? Character classes?
>>> Password history checking?
>> yes, yes and yes...
>>
>> regards
> With plain old 389, you can do all of these and more. IPA has its own
> password checking plugin, so it may differ slightly.
>
> But what does this have to do with Windows PassSync?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Jun 7 21:56:03 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 7 Jun 2011 21:56:03 +0000
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <4DEE9D25.1080605@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE98AA.9020007@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE99FB.2080407@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E83F6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE9D25.1080605@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E841E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Thanks...

Some options to suggest....

"you can create specific users in IPA and apply more restrictive password policies to them?"

Sounds the better way....

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 8 June 2011 9:50 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sync passwords with AD or not per user

On 06/07/2011 05:41 PM, Steven Jones wrote:
> Hi,
>
> For most users I will want to allow the same password in AD as in freeipa....so a linux or windows desktop will work with a linux or windows service.....but for some specific financial servers/services I need a stricter password capability to meet our audit criteria.
>
But you still need to synch the users for those servers or you can create specific users in IPA and apply more restrictive password policies to them?

In IPA v2 you can have password policies per group.

> regards
>
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 8 June 2011 9:36 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sync passwords with AD or not per user
>
> On 06/07/2011 03:36 PM, Steven Jones wrote:
>>> What sort of password control? Minimum length? Character classes?
>>> Password history checking?
>> yes, yes and yes...
>>
>> regards
> With plain old 389, you can do all of these and more. IPA has its own
> password checking plugin, so it may differ slightly.
>
> But what does this have to do with Windows PassSync?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From brian.p.stamper at nasa.gov Tue Jun 7 22:12:44 2011
From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC])
Date: Tue, 7 Jun 2011 17:12:44 -0500
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To: <4DEE990F.6050009@redhat.com>
Message-ID:

I'm not using a VM, I'm using a workstation dedicated to just FreeIPA. It has 4GB memory. Which logs are you interested in? I've been looking through all I can find and have seen nothing relevant.

-Brian

[root at freeipa ~]# free
             total       used       free     shared    buffers     cached
Mem:       3989324    2043720    1945604          0     219368    1202000
-/+ buffers/cache:     622352    3366972
Swap:      8191992          0    8191992
[root at freeipa ~]# load average: 0.00, 0.05, 0.05
[root at freeipa ~]# date ; time ipa-finduser admin
Tue Jun 7 14:46:59 PDT 2011
Home Directory: /home/admin
Login Shell: /bin/bash
Last Name: Administrator
Login: admin

real 0m20.688s
user 0m0.072s
sys 0m0.022s
[root at freeipa ~]# tail -3 /var/log/ipa_error.log
2011-06-03 16:01:58,882 root INFO IPA: get_user_by_principal 'admin at ARC.NASA.GOV'
2011-06-03 16:02:19,254 root INFO IPA: get_user_by_principal 'admin at ARC.NASA.GOV'
2011-06-03 16:02:39,455 root INFO IPA: get_user_by_principal 'admin at ARC.NASA.GOV'
[root at freeipa ~]# tail -5 /var/log/krb5kdc.log
Jun 07 14:17:31 freeipa.arc.nasa.gov krb5kdc[7680](info): commencing operation
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, admin at ARC.NASA.GOV for krbtgt/ARC.NASA.GOV at ARC.NASA.GOV
Jun 07 14:47:19 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, admin at ARC.NASA.GOV for krbtgt/ARC.NASA.GOV at ARC.NASA.GOV
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (4 etypes {18 17 16 23}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, admin at ARC.NASA.GOV for ldap/freeipa.arc.nasa.gov at ARC.NASA.GOV
Jun 07 14:47:20 freeipa.arc.nasa.gov krb5kdc[7680](info): TGS_REQ (1 etypes {18}) 143.232.152.197: ISSUE: authtime 1307481346, etypes {rep=18 tkt=18 ses=18}, admin at ARC.NASA.GOV for krbtgt/ARC.NASA.GOV at ARC.NASA.GOV
[root at freeipa ~]# tail -3 /var/log/dirsrv/slapd-ARC-NASA-GOV/access
[07/Jun/2011:14:47:20 -0700] conn=20 op=14 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 SRCH base="dc=arc,dc=nasa,dc=gov" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin at ARC.NASA.GOV))" attrs="krbPrincipalName krbcanonicalname objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock krbLastPwdChange krbExtraData krbObjectReferences krballowedtodelegateto"
[07/Jun/2011:14:47:20 -0700] conn=20 op=15 RESULT err=0 tag=101 nentries=1 etime=0
[root at freeipa ~]# tail -3 /var/log/dirsrv/slapd-ARC-NASA-GOV/errors
[07/Jun/2011:14:12:03 -0700] - 389-Directory/1.2.8.3 B2011.122.1634 starting up
[07/Jun/2011:14:12:03 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[07/Jun/2011:14:12:04 -0700] - Listening on All Interfaces port 636 for LDAPS requests
[root at freeipa ~]# tail -5 /var/log/dirsrv/slapd-ARC-NASA-GOV/errors
[07/Jun/2011:14:12:02 -0700] - All database threads now stopped
[07/Jun/2011:14:12:02 -0700] - slapd stopped.
[07/Jun/2011:14:12:03 -0700] - 389-Directory/1.2.8.3 B2011.122.1634 starting up
[07/Jun/2011:14:12:03 -0700] - slapd started.
Listening on All Interfaces port 389 for LDAP requests
[07/Jun/2011:14:12:04 -0700] - Listening on All Interfaces port 636 for LDAPS requests

On 6/7/11 2:33 PM, "Dmitri Pal" wrote:

On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
Re: [Freeipa-users] Difficulty installing freeipa
I continue to work with performance issues. I went into the krb5.conf and changed dns_lookup_kdc from true to false. Kinit now responds immediately. It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s. How fast "should" this respond?

It should be a matter of less than a second.
Are you using a VM to test? Does it have enough memory?
It is really hard to say what exactly is causing your delays.
IPA does a lot of name resolution. Delays are usually related to that. By turning off the name resolution against DNS in Kerberos you reduced the number of lookups but probably did not eliminate all of them. I suggest you continue looking into the name resolution more.
This is the best we can say without any logs or specific configurations.
Sorry.

Thanks
Dmitri

From Steven.Jones at vuw.ac.nz Tue Jun 7 23:13:08 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 7 Jun 2011 23:13:08 +0000
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To:
References: <4DEE990F.6050009@redhat.com>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E849C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Where is DNS being done and how? I tend to agree with Dmitri, it looks like DNS related issues.

regards
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stamper, Brian P. (ARC-D)[Logyx LLC] [brian.p.stamper at nasa.gov]
Sent: Wednesday, 8 June 2011 10:12 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Difficulty installing freeipa

I'm not using a VM, I'm using a workstation dedicated to just FreeIPA. It has 4GB memory. Which logs are you interested in? I've been looking through all I can find and have seen nothing relevant.

-Brian

[...]

On 6/7/11 2:33 PM, "Dmitri Pal" > wrote:
On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
Re: [Freeipa-users] Difficulty installing freeipa
I continue to work with performance issues. I went into the krb5.conf and changed dns_lookup_kdc from true to false. Kinit now responds immediately. It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s. How fast "should" this respond?

It should be a matter of less than a second. Are you using a VM to test? Does it have enough memory? It is really hard to say what exactly is causing your delays. IPA does a lot of name resolution. Delays are usually related to that. By turning off the name resolution against DNS in Kerberos you reduced the number of lookups but probably did not eliminate all of them. I suggest you continue looking into the name resolution more. This is the best we can say without any logs or specific configurations. Sorry.

Thanks
Dmitri

From Steven.Jones at vuw.ac.nz Wed Jun 8 02:19:44 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 8 Jun 2011 02:19:44 +0000
Subject: [Freeipa-users] DNS in freeipa
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E853E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

When I add a RHEL 6.1 client to free-ipa it appears in the ldap/dns section under policy, not so RHEL5.6, is this correct?

regards

From Steven.Jones at vuw.ac.nz Wed Jun 8 02:25:46 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 8 Jun 2011 02:25:46 +0000
Subject: [Freeipa-users] DNS in freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E853E@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E853E@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E854C@STAWINCOX10MBX1.staff.vuw.ac.nz>

fedora15 also appears in DNS when I add it as a client.

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 8 June 2011 2:19 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] DNS in freeipa

Hi,

When I add a RHEL 6.1 client to free-ipa it appears in the ldap/dns section under policy, not so RHEL5.6, is this correct?
regards

From Steven.Jones at vuw.ac.nz Wed Jun 8 02:36:47 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 8 Jun 2011 02:36:47 +0000
Subject: [Freeipa-users] Inconsistent first login behaviour
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Logging into the F15 client and I just login with the ldap password...

If I try the same thing with RHEL5.6 I get told I have one hour to password expiry....

I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all.

regards

Steven

From brian.p.stamper at nasa.gov Wed Jun 8 05:49:42 2011
From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC])
Date: Wed, 8 Jun 2011 00:49:42 -0500
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E849C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DEE990F.6050009@redhat.com>, , <833D8E48405E064EBC54C84EC6B36E401B0E849C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <12DC34690DFFAC4FACD7A7255FC5E14A133A18A15F@NDJSSCC07.ndc.nasa.gov>

The short answer is, it's not. I don't really use DNS, I rely on hosts files, particularly in this test environment.

-brian
________________________________________
From: Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Tuesday, June 07, 2011 4:13 PM
To: Stamper, Brian P. (ARC-D)[Logyx LLC]; freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Difficulty installing freeipa

Hi,

Where is DNS being done and how? I tend to agree with Dmitri, it looks like DNS related issues.

regards
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stamper, Brian P. (ARC-D)[Logyx LLC] [brian.p.stamper at nasa.gov]
Sent: Wednesday, 8 June 2011 10:12 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Difficulty installing freeipa

I'm not using a VM, I'm using a workstation dedicated to just FreeIPA. It has 4GB memory. Which logs are you interested in? I've been looking through all I can find and have seen nothing relevant.

-Brian

[...]

On 6/7/11 2:33 PM, "Dmitri Pal" > wrote:
On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
Re: [Freeipa-users] Difficulty installing freeipa
I continue to work with performance issues. I went into the krb5.conf and changed dns_lookup_kdc from true to false. Kinit now responds immediately.
It's cut the time on "ipa-finduser admin" from 2m30s down to 18-20s. How fast "should" this respond?

It should be a matter of less than a second.
Are you using a VM to test? Does it have enough memory?
It is really hard to say what exactly is causing your delays.
IPA does a lot of name resolution. Delays are usually related to that. By turning off the name resolution against DNS in Kerberos you reduced the number of lookups but probably have not eliminated all of them. I suggest you continue looking into the name resolution more.
This is the best we can say without any logs or specific configurations.
Sorry.

Thanks
Dmitri

From rcritten at redhat.com Wed Jun 8 14:25:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Jun 2011 10:25:21 -0400
Subject: [Freeipa-users] Difficulty installing freeipa
In-Reply-To: <4DEE990F.6050009@redhat.com>
References: <4DEE990F.6050009@redhat.com>
Message-ID: <4DEF8651.5010908@redhat.com>

Dmitri Pal wrote:
> On 06/07/2011 05:17 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>>
>> I continue to work with performance issues. I went into the krb5.conf
>> and changed dns_lookup_kdc from true to false. Kinit now responds
>> immediately. It's cut the time on "ipa-finduser admin" from 2m30s down
>> to 18-20s. How fast "should" this respond?
>
> It should be a matter of less than a second.
> Are you using a VM to test? Does it have enough memory?
> It is really hard to say what exactly is causing your delays.
> IPA does a lot of name resolution. Delays are usually related to that. By
> turning off the name resolution against DNS in Kerberos you reduced the
> number of lookups but probably have not eliminated all of them. I suggest
> you continue looking into the name resolution more.
> This is the best we can say without any logs or specific configurations.
> Sorry.

Well, not quite sub-second processing. Two kerberos authentications have to occur and those tend to be slow, 300ms or so each, plus processing time and such.
A typical v1 command will take 1-3 seconds. It seems sometimes that the first execution is a bit slower as a lot of python modules need to get loaded but subsequent runs tend to speed up a bit.

18-20 is still far out of line of what I'd expect.

The logs to look at on the server are:

/var/log/dirsrv/slapd-YOURINSTANCE/access

You'd need to find the BIND for your user to get the connection number, then trace that through to see how long the LDAP part took. This is likely to be very fast.

/var/log/httpd/error_log

This will show the XML-RPC handling time, any errors, etc.

rob

From rcritten at redhat.com Wed Jun 8 14:27:37 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Jun 2011 10:27:37 -0400
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <4DEE9CAE.7000206@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE98AA.9020007@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEE99FB.2080407@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E83F6@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DEE9CAE.7000206@redhat.com>
Message-ID: <4DEF86D9.6070706@redhat.com>

Rich Megginson wrote:
> On 06/07/2011 03:41 PM, Steven Jones wrote:
>> Hi,
>>
>> For most users I will want to allow the same password in AD as in
>> freeipa....so a linux or windows desktop will work with a linux or
>> windows service.....but for some specific financial servers/services I
>> need a stricter password capability to meet our audit criteria.
> In 389 you can set password policy on a per-user or per-subtree basis.
> With a little extra work, you could probably get this working on a
> per-group or per-role basis as well. This should apply to IPA as well,
> depending on how they have implemented support for password policy.
We have per-group password policy but we don't use the 389-ds password policy engine. What I don't know is what happens if you set a lousy password in AD whether that gets replicated to IPA. Will it be rejected, accepted?

rob

From simo at redhat.com Wed Jun 8 14:57:50 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 08 Jun 2011 10:57:50 -0400
Subject: [Freeipa-users] sync passwords with AD or not per user
In-Reply-To: <4DEF86D9.6070706@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0E72C0@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEE961F.50206@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7E5D@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEE98AA.9020007@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E7EFF@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEE99FB.2080407@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E83F6@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DEE9CAE.7000206@redhat.com> <4DEF86D9.6070706@redhat.com>
Message-ID: <1307545070.2613.225.camel@willson.li.ssimo.org>

On Wed, 2011-06-08 at 10:27 -0400, Rob Crittenden wrote:
> Rich Megginson wrote:
> > On 06/07/2011 03:41 PM, Steven Jones wrote:
> >> Hi,
> >>
> >> For most users I will want to allow the same password in AD as in
> >> freeipa....so a linux or windows desktop will work with a linux or
> >> windows service.....but for some specific financial servers/services I
> >> need a stricter password capability to meet our audit criteria.
> > In 389 you can set password policy on a per-user or per-subtree basis.
> > With a little extra work, you could probably get this working on a
> > per-group or per-role basis as well. This should apply to IPA as well,
> > depending on how they have implemented support for password policy.
>
> We have per-group password policy but we don't use the 389-ds password
> policy engine. What I don't know is what happens if you set a lousy
> password in AD whether that gets replicated to IPA. Will it be rejected,
> accepted?
The ipa-pwd-extop module has a list of users that can set passwords w/o having them quality checked. The passsync user is normally one of these users. And passwords replicated from windows are not quality checked.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Jun 8 17:00:02 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Jun 2011 13:00:02 -0400
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DEFAA92.8080003@redhat.com>

On 06/07/2011 10:36 PM, Steven Jones wrote:
> Logging into the F15 client and I just login with the ldap password...
>
> If I try the same thing with RHEL5.6 I get told I have one hour to password expiry....
>
> I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all.
>

This is probably because in one case you log using LDAP password and in another as Kerberos credential. The underlying password string is the same but other properties like expiration are different as you see. To have the consistent experience configure both systems to use same type of the credential.

> regards
>
> Steven
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Wed Jun 8 20:04:52 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 8 Jun 2011 20:04:52 +0000 Subject: [Freeipa-users] Inconsistant first login behaviour In-Reply-To: <4DEFAA92.8080003@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Can you fix 5.6 so it runs the ipa-client-install script the same way then please? because running the same command giving differing results seems strange....unless you are telling me its simply the way rhel5.6 will work? regards Steven ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: Thursday, 9 June 2011 5:00 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Inconsistant first login behaviour On 06/07/2011 10:36 PM, Steven Jones wrote: > Logging into the F15 client and I just login with the ldap password... > > If I try the same thing with RHEL5.6 I get told I have one hour to password expiry.... > > I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all. > This is probably because in one case you log using LDAP password and in another as Kerberos credential. The underlying password string is the same but other properties like expiration are different as you see. To have the consistent experience configure both systems to use same type of the credential. > regards > > Steven > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Wed Jun 8 20:07:02 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 8 Jun 2011 20:07:02 +0000 Subject: [Freeipa-users] DNS in freeipa In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E854C@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E401B0E853E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0E854C@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9C84@STAWINCOX10MBX1.staff.vuw.ac.nz> So for now I have to add the client(s) to DNS manually? and it will get fixed? or will it always be like this? regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Wednesday, 8 June 2011 2:25 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] DNS in freeipa fedora15 also appears in DNS when I add it as a client. regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Wednesday, 8 June 2011 2:19 p.m. To: freeipa-users at redhat.com Subject: [Freeipa-users] DNS in freeipa Hi, When I add a RHEL 6.1 client o free-ipa it appears in the ldap/dns section under policy, not so RHEL5.6, is this correct? 
regards

From simo at redhat.com Wed Jun 8 20:29:45 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 08 Jun 2011 16:29:45 -0400
Subject: [Freeipa-users] DNS in freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9C84@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E853E@STAWINCOX10MBX1.staff.vuw.ac.nz> , <833D8E48405E064EBC54C84EC6B36E401B0E854C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9C84@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1307564985.2613.242.camel@willson.li.ssimo.org>

Clients get added automatically to DNS in 2 ways:

1. At install time by the ipa-client-install script

2. at run time, if configured to do so, sssd can run dynamic updates using the host keytab.

Clients that do not have sssd support must use some other way.

For example a cron job with enough privileges to access the host keytab and run dnsupdate.

Simo.

On Wed, 2011-06-08 at 20:07 +0000, Steven Jones wrote:
> So for now I have to add the client(s) to DNS manually? and it will get fixed?
>
> or will it always be like this?
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Wednesday, 8 June 2011 2:25 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] DNS in freeipa
>
> fedora15 also appears in DNS when I add it as a client.
> > regards > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Wednesday, 8 June 2011 2:19 p.m. > To: freeipa-users at redhat.com > Subject: [Freeipa-users] DNS in freeipa > > Hi, > > When I add a RHEL 6.1 client o free-ipa it appears in the ldap/dns section under policy, not so RHEL5.6, is this correct? > > regards > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Simo Sorce * Red Hat, Inc * New York From Steven.Jones at vuw.ac.nz Wed Jun 8 20:51:26 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 8 Jun 2011 20:51:26 +0000 Subject: [Freeipa-users] DNS in freeipa In-Reply-To: <1307564985.2613.242.camel@willson.li.ssimo.org> References: <833D8E48405E064EBC54C84EC6B36E401B0E853E@STAWINCOX10MBX1.staff.vuw.ac.nz> , <833D8E48405E064EBC54C84EC6B36E401B0E854C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9C84@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307564985.2613.242.camel@willson.li.ssimo.org> Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9CC7@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, So you are saying RHEL5.6 cant do DNS updates from the "ipa-client-install" script? So its a limitation and not a bug/failure? regards ________________________________________ From: Simo Sorce [simo at redhat.com] Sent: Thursday, 9 June 2011 8:29 a.m. 
To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] DNS in freeipa Clients get added automatically to DNS in 2 ways: 1. At install time by the ipa-client-install script 2. at run time, if configured to do so, sssd can run dynamic updates using the host keytab. Clients that do not have sssd support must use some other way. For example a cron job with enough privileges to access the host keytab and run dnsupdate. Simo. On Wed, 2011-06-08 at 20:07 +0000, Steven Jones wrote: > So for now I have to add the client(s) to DNS manually? and it will get fixed? > > or will it always be like this? > > regards > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Wednesday, 8 June 2011 2:25 p.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] DNS in freeipa > > fedora15 also appears in DNS when I add it as a client. > > regards > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Wednesday, 8 June 2011 2:19 p.m. > To: freeipa-users at redhat.com > Subject: [Freeipa-users] DNS in freeipa > > Hi, > > When I add a RHEL 6.1 client o free-ipa it appears in the ldap/dns section under policy, not so RHEL5.6, is this correct? 
> > regards > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Wed Jun 8 20:56:05 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 08 Jun 2011 16:56:05 -0400 Subject: [Freeipa-users] Inconsistant first login behaviour In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DEFE1E5.1030400@redhat.com> On 06/08/2011 04:04 PM, Steven Jones wrote: > Hi, > > Can you fix 5.6 so it runs the ipa-client-install script the same way then please? because running the same command giving differing results seems strange....unless you are telling me its simply the way rhel5.6 will work? Well the problem is that SSSD is not in 5.6 by default. ipa-client on 5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is configured. In 5.7 there will be a new ipa-client that will act in the same way as in RHEL 6 or Fedora. But the expectation is that they should act in the same way now. But apparently there is some difference. We need to understand exactly what is your use case. What is configured in your nsswitch and pam config on RHEL and Fedora? And if in one case it is SSSD and not in the other we need to see SSSD configuration and LDAP and Kerberos configuration files. 
> regards > > Steven > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Thursday, 9 June 2011 5:00 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Inconsistant first login behaviour > > On 06/07/2011 10:36 PM, Steven Jones wrote: >> Logging into the F15 client and I just login with the ldap password... >> >> If I try the same thing with RHEL5.6 I get told I have one hour to password expiry.... >> >> I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all. >> > This is probably because in one case you log using LDAP password and in > another as Kerberos credential. The underlying password string is the > same but other properties like expiration are different as you see. > To have the consistent experience configure both systems to use same > type of the credential. > > >> regards >> >> Steven >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From rcritten at redhat.com Wed Jun 8 21:01:20 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 08 Jun 2011 17:01:20 -0400 Subject: [Freeipa-users] Inconsistant first login behaviour In-Reply-To: <4DEFE1E5.1030400@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DEFE1E5.1030400@redhat.com> Message-ID: <4DEFE320.5070206@redhat.com> Dmitri Pal wrote: > On 06/08/2011 04:04 PM, Steven Jones wrote: >> Hi, >> >> Can you fix 5.6 so it runs the ipa-client-install script the same way then please? because running the same command giving differing results seems strange....unless you are telling me its simply the way rhel5.6 will work? > > Well the problem is that SSSD is not in 5.6 by default. ipa-client on > 5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is > configured. In 5.7 there will be a new ipa-client that will act in the > same way as in RHEL 6 or Fedora. > > But the expectation is that they should act in the same way now. But > apparently there is some difference. > > We need to understand exactly what is your use case. > What is configured in your nsswitch and pam config on RHEL and Fedora? > And if in one case it is SSSD and not in the other we need to see SSSD > configuration and LDAP and Kerberos configuration files. > And also what service you're logging in on, whether you got a TGT before using that service (if applicable), if this is a brand-new user (e.g. password never been used), etc. 
rob From dpal at redhat.com Wed Jun 8 21:02:19 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 08 Jun 2011 17:02:19 -0400 Subject: [Freeipa-users] DNS in freeipa In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9CC7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E401B0E853E@STAWINCOX10MBX1.staff.vuw.ac.nz> , <833D8E48405E064EBC54C84EC6B36E401B0E854C@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9C84@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307564985.2613.242.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9CC7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DEFE35B.1090606@redhat.com> On 06/08/2011 04:51 PM, Steven Jones wrote: > Hi, > > So you are saying RHEL5.6 cant do DNS updates from the "ipa-client-install" script? > 5.6 ipa-client is not that mighty as the one you get in the latest Fedora and will get in 5.7 > So its a limitation and not a bug/failure? > > > > regards > ________________________________________ > From: Simo Sorce [simo at redhat.com] > Sent: Thursday, 9 June 2011 8:29 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] DNS in freeipa > > Clients get added automatically to DNS in 2 ways: > > 1. At install time by the ipa-client-install script > > 2. at run time, if configured to do so, sssd can run dynamic updates > using the host keytab. > > Clients that do not have sssd support must use some other way. > > For example a cron job with enough privileges to access the host keytab > and run dnsupdate. > > Simo. > > On Wed, 2011-06-08 at 20:07 +0000, Steven Jones wrote: >> So for now I have to add the client(s) to DNS manually? and it will get fixed? >> >> or will it always be like this? >> >> regards >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >> Sent: Wednesday, 8 June 2011 2:25 p.m. 
>> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] DNS in freeipa >> >> fedora15 also appears in DNS when I add it as a client. >> >> regards >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >> Sent: Wednesday, 8 June 2011 2:19 p.m. >> To: freeipa-users at redhat.com >> Subject: [Freeipa-users] DNS in freeipa >> >> Hi, >> >> When I add a RHEL 6.1 client o free-ipa it appears in the ldap/dns section under policy, not so RHEL5.6, is this correct? >> >> regards >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > -- > Simo Sorce * Red Hat, Inc * New York > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Wed Jun 8 22:31:41 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 8 Jun 2011 22:31:41 +0000 Subject: [Freeipa-users] Inconsistant first login behaviour In-Reply-To: <4DEFE1E5.1030400@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, These files/clients have all been configured by the ipa-client-install script, so any settings are standard, I have modified nothing. So when I built all 3 client/workstations I made a default user jonesst1 at build time with password 1 and its the same across all three. So in the freeipa server I set password2 for jonesst1 which is different so I know that I am getting a centralised login....really basic stuff. So then using the ipa-client-install script I joined them each in turn to IPA....for F15 and 6.1 clients they now accept the IPA password2 without an issue...for RHEL 5.6 it initially asked to reset the password....and I only had 1 hour......later logins are fine. So my use case is nothing more than a simple centralised login...... regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: Thursday, 9 June 2011 8:56 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Inconsistant first login behaviour On 06/08/2011 04:04 PM, Steven Jones wrote: > Hi, > > Can you fix 5.6 so it runs the ipa-client-install script the same way then please? because running the same command giving differing results seems strange....unless you are telling me its simply the way rhel5.6 will work? Well the problem is that SSSD is not in 5.6 by default. 
ipa-client on 5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is configured. In 5.7 there will be a new ipa-client that will act in the same way as in RHEL 6 or Fedora. But the expectation is that they should act in the same way now. But apparently there is some difference. We need to understand exactly what is your use case. What is configured in your nsswitch and pam config on RHEL and Fedora? And if in one case it is SSSD and not in the other we need to see SSSD configuration and LDAP and Kerberos configuration files. > regards > > Steven > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Thursday, 9 June 2011 5:00 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Inconsistant first login behaviour > > On 06/07/2011 10:36 PM, Steven Jones wrote: >> Logging into the F15 client and I just login with the ldap password... >> >> If I try the same thing with RHEL5.6 I get told I have one hour to password expiry.... >> >> I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all. >> > This is probably because in one case you log using LDAP password and in > another as Kerberos credential. The underlying password string is the > same but other properties like expiration are different as you see. > To have the consistent experience configure both systems to use same > type of the credential. > > >> regards >> >> Steven >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From simo at redhat.com Wed Jun 8 22:52:04 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Jun 2011 18:52:04 -0400 Subject: [Freeipa-users] Inconsistant first login behaviour In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFE1E5.1030400@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1307573524.2613.244.camel@willson.li.ssimo.org> On Wed, 2011-06-08 at 22:31 +0000, Steven Jones wrote: > So then using the ipa-client-install script I joined them each in turn > to IPA....for F15 and 6.1 clients they now accept the IPA password2 > without an issue...for RHEL 5.6 it initially asked to reset the > password....and I only had 1 hour......later logins are fine. Steven, so the problem is that you got a bogus warning, but it is working properly beyond that ? Simo. 
-- Simo Sorce * Red Hat, Inc * New York From Steven.Jones at vuw.ac.nz Wed Jun 8 22:56:28 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 8 Jun 2011 22:56:28 +0000 Subject: [Freeipa-users] Inconsistant first login behaviour In-Reply-To: <1307573524.2613.244.camel@willson.li.ssimo.org> References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFE1E5.1030400@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307573524.2613.244.camel@willson.li.ssimo.org> Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz> Bogus except it wouldnt allow me to login unless I changed my password, yes. regards Steven ________________________________________ From: Simo Sorce [simo at redhat.com] Sent: Thursday, 9 June 2011 10:52 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Inconsistant first login behaviour On Wed, 2011-06-08 at 22:31 +0000, Steven Jones wrote: > So then using the ipa-client-install script I joined them each in turn > to IPA....for F15 and 6.1 clients they now accept the IPA password2 > without an issue...for RHEL 5.6 it initially asked to reset the > password....and I only had 1 hour......later logins are fine. Steven, so the problem is that you got a bogus warning, but it is working properly beyond that ? Simo. 
--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Wed Jun 8 22:57:48 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 8 Jun 2011 22:57:48 +0000
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9D61@STAWINCOX10MBX1.staff.vuw.ac.nz>

Attached are F15 and RHEL5.6 conf scripts.

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 9 June 2011 10:31 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Inconsistant first login behaviour

Hi,

These files/clients have all been configured by the ipa-client-install script, so any settings are standard, I have modified nothing.

So when I built all 3 client/workstations I made a default user jonesst1 at build time with password 1 and it's the same across all three.

So in the freeipa server I set password2 for jonesst1 which is different so I know that I am getting a centralised login....really basic stuff.

So then using the ipa-client-install script I joined them each in turn to IPA....for F15 and 6.1 clients they now accept the IPA password2 without an issue...for RHEL 5.6 it initially asked to reset the password....and I only had 1 hour......later logins are fine.

So my use case is nothing more than a simple centralised login......
regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Thursday, 9 June 2011 8:56 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Inconsistant first login behaviour

On 06/08/2011 04:04 PM, Steven Jones wrote:
> Hi,
>
> Can you fix 5.6 so it runs the ipa-client-install script the same way then please? Because running the same command giving differing results seems strange....unless you are telling me it's simply the way rhel5.6 will work?

Well the problem is that SSSD is not in 5.6 by default. ipa-client on
5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is
configured. In 5.7 there will be a new ipa-client that will act in the
same way as in RHEL 6 or Fedora.

But the expectation is that they should act in the same way now. But
apparently there is some difference.

We need to understand exactly what is your use case.
What is configured in your nsswitch and pam config on RHEL and Fedora?
And if in one case it is SSSD and not in the other we need to see SSSD
configuration and LDAP and Kerberos configuration files.

> regards
>
> Steven
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 9 June 2011 5:00 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/07/2011 10:36 PM, Steven Jones wrote:
>> Logging into the F15 client and I just login with the ldap password...
>>
>> If I try the same thing with RHEL5.6 I get told I have one hour to password expiry....
>>
>> I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all.
>>
> This is probably because in one case you log using LDAP password and in
> another as Kerberos credential.
> The underlying password string is the
> same but other properties like expiration are different as you see.
> To have the consistent experience configure both systems to use same
> type of the credential.
>
>> regards
>>
>> Steven

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: f15-krb5.conf
Type: application/octet-stream
Size: 506 bytes
Desc: f15-krb5.conf
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: f15-nsswitch.conf
Type: application/octet-stream
Size: 1726 bytes
Desc: f15-nsswitch.conf
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: f15-sssd.conf
Type: application/octet-stream
Size: 417 bytes
Desc: f15-sssd.conf
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rhel56-krb5.conf
Type: application/octet-stream
Size: 414 bytes
Desc: rhel56-krb5.conf
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rhel56-ldap.conf
Type: application/octet-stream
Size: 482 bytes
Desc: rhel56-ldap.conf
URL:

From simo at redhat.com Wed Jun 8 22:59:19 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 08 Jun 2011 18:59:19 -0400
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307573524.2613.244.camel@willson.li.ssimo.org>, <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1307573959.2613.247.camel@willson.li.ssimo.org>

On Wed, 2011-06-08 at 22:56 +0000, Steven Jones wrote:
> Bogus except it wouldn't allow me to login unless I changed my password, yes.

Was this right after you used an administrative account to change the
user password ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Wed Jun 8 23:08:35 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 8 Jun 2011 23:08:35 +0000
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <1307573959.2613.247.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307573524.2613.244.camel@willson.li.ssimo.org>, <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307573959.2613.247.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9D9D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Nope.....password1 was set on build....it hasn't been changed by root or the user at all.

regards
--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Jun 8 23:32:02 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Jun 2011 19:32:02 -0400
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9D61@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0E9D61@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DF00672.9000705@redhat.com>

On 06/08/2011 06:57 PM, Steven Jones wrote:
> Attached are F15 and RHEL5.6 conf scripts.

You have not attached pam configurations and nsswitch for 5.6.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Wed Jun 8 23:48:11 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 8 Jun 2011 23:48:11 +0000
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <4DF00672.9000705@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0E9D61@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DF00672.9000705@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9DBE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

nsswitch attached.

Which pam files?

regards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rhel56-nsswitch.conf
Type: application/octet-stream
Size: 1711 bytes
Desc: rhel56-nsswitch.conf
URL:

From Steven.Jones at vuw.ac.nz Thu Jun 9 00:43:21 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 9 Jun 2011 00:43:21 +0000
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To: <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop>
References: <4DE55B3E.9000707@redhat.com>, <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9E8A@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I am still trying to figure out getting ubuntu connected....

So to get a non-rhel client computer into freeipa the first thing I have to do is make a client computer instance in freeipa first? or doesn't it matter? ie can a non rhel client only do authentication or can it be acted upon fully as per a rhel client?

Are there certificates for ssl or something that have to be copied over to the client(s)?

I don't have it working yet beyond I can do a kinit and admin and give a password and then do klist etc.... :/

It's proving very painful....

regards

Steven

8><----
Maybe this article could be a good jumping-off point?
http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview them well, with enough static examples to give you a feel for what you're getting into.
8><---

thanks, it's helping.

From sbingram at gmail.com Thu Jun 9 00:55:08 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 8 Jun 2011 17:55:08 -0700
Subject: [Freeipa-users] disable account behavior
Message-ID:

I've disabled an account in FreeIPA using the UI and I don't see any
changes in the directory. Are there supposed to be changes there or is
this something that is accomplished in Kerberos? I was hoping to be
able to search the directory for disabled accounts.

Steve

From Steven.Jones at vuw.ac.nz Thu Jun 9 03:36:16 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 9 Jun 2011 03:36:16 +0000
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9DBE@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0E9D61@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DF00672.9000705@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9DBE@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9F26@STAWINCOX10MBX1.staff.vuw.ac.nz>

It is also not at just the first login....if I change the password in IPA the next login to rhel5.6 requires a password change. yet to F15 does not.

regards
From Steven.Jones at vuw.ac.nz Thu Jun 9 03:54:16 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 9 Jun 2011 03:54:16 +0000
Subject: [Freeipa-users] New user first login behaviour (Fedora 15)
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9F33@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

When I login as a new user "thing" to a F15 workstation without an account it allows me to login to the point of forcing a password change and almost completes the GUI, I get an ICE failure and I'm forced to log back out....
If I try to create the user locally it tells me user exists, yet it's not in the /etc/passwd file so I can't create a login locally or using IPA, what gives?

regards

From Steven.Jones at vuw.ac.nz Thu Jun 9 04:10:08 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 9 Jun 2011 04:10:08 +0000
Subject: [Freeipa-users] New user first login behaviour (Fedora 15)
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9F33@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E9F33@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9F50@STAWINCOX10MBX1.staff.vuw.ac.nz>

RHEL6.1 does the same thing but I get an extra msg. screenshot attached.

regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sanity-fail.jpeg
Type: image/jpeg
Size: 32360 bytes
Desc: sanity-fail.jpeg
URL:

From Steven.Jones at vuw.ac.nz Thu Jun 9 04:20:39 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 9 Jun 2011 04:20:39 +0000
Subject: [Freeipa-users] New user first login behaviour (Fedora 15)
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9F50@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E9F33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0E9F50@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0E9F66@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

hmmm......I can login to the workstation via ssh using the ipa password for thing....but no home directory has been created...

regards
regards

From mkosek at redhat.com Thu Jun 9 08:58:42 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 09 Jun 2011 10:58:42 +0200
Subject: [Freeipa-users] disable account behavior
Message-ID: <1307609924.27281.2.camel@dhcp-25-52.brq.redhat.com>

On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:
> I've disabled an account in FreeIPA using the UI and I don't see any
> changes in the directory. Are there supposed to be changes there or is
> this something that is accomplished in Kerberos? I was hoping to be
> able to search the directory for disabled accounts.
>
> Steve
>

When an account is disabled, the nsaccountlock attribute is set to True. I would suggest the following LDAP search:

# ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin at IDM.LAB.BOS.REDHAT.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope oneLevel
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# admin, users, accounts, idm.lab.bos.redhat.com
dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: False

# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
nsaccountlock: True

User "fbar" was disabled via CLI.

Martin

From tomasz.napierala at allegro.pl Thu Jun 9 11:04:22 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Thu, 9 Jun 2011 13:04:22 +0200
Subject: [Freeipa-users] Kerberos problem with account with changed attributes
Message-ID: <88860510-0133-499F-8249-885BEEB14EFF@allegro.pl>

Hi,

Due to a bug in one of our maintenance scripts, I had to manually change some attributes for one of the users, e.g.: uid and uidNumber.
I did it using
/usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221

(yeah, last argument is really user's uid ;)

After that user cannot use any of the ipa-* scripts, he's getting:
"Connection to database failed: Invalid credentials: SASL(-14): authorization failure:"

I suppose it is a problem with inconsistency in ldap and Kerberos database (probably Kerberos still has old data)

My question is how to fix that without generating new user (I really have to avoid that due to fact that this environment has some compliance restrictions)

Regards,

--
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, ul. Marcelińska 90, entered in the register of entrepreneurs kept by the District Court for Poznań - Nowe Miasto i Wilda, 8th Commercial Division of the National Court Register, under KRS number 0000268796, with share capital of PLN 33 474 500, tax identification number NIP: 5272525995.
From simo at redhat.com Thu Jun 9 11:55:48 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Jun 2011 07:55:48 -0400
Subject: [Freeipa-users] Inconsistent first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9D9D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307573524.2613.244.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307573959.2613.247.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D9D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1307620548.2613.250.camel@willson.li.ssimo.org>

On Wed, 2011-06-08 at 23:08 +0000, Steven Jones wrote:
> Hi,
>
> Nope.....password1 was set on build....it hasn't been changed by root or the user at all.

I think this will apply then:
http://www.freeipa.org/page/NewPasswordsExpired

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jss at bzz.no Thu Jun 9 10:44:00 2011
From: jss at bzz.no (John S. Skogtvedt)
Date: Thu, 09 Jun 2011 12:44:00 +0200
Subject: [Freeipa-users] FreeIPA 2, adding Samba attributes
Message-ID: <4DF0A3F0.2050602@bzz.no>

Hello,

has anybody tried to integrate Samba with FreeIPA 2? I searched and found a mailing list post from 2009 with a solution using the 389 DNA plugin, but later posts indicated that the solution outlined wasn't correct (and probably out of date).

My impression from what I've read is that there is no way of doing it other than configuring FreeIPA to add samba object classes, and specifying the required attributes when adding a user.
The problem then is that adding users won't be possible from the web interface, because of required samba attributes (unless one instead later adds the necessary object classes and attributes).

Is this correct?

If so, I wonder how much work it might be to either add a small hack to the web interface to add the necessary attributes, or to write a web interface plugin which adds a user with the necessary attributes. Any pointers would be appreciated (I know python).

I think it'd be useful to be able to add template values as well as objectclasses in ipaConfig, e.g. something like:
ipaUserAttrs: sambaSid: ...-$uid, where $uid is expanded when the user is created.

Thank you,
John.

From simo at redhat.com Thu Jun 9 12:23:43 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Jun 2011 08:23:43 -0400
Subject: [Freeipa-users] Inconsistent first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9F26@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9D61@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DF00672.9000705@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9DBE@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9F26@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1307622223.2613.255.camel@willson.li.ssimo.org>

On Thu, 2011-06-09 at 03:36 +0000, Steven Jones wrote:
> It is also not at just the first login....if I change the password in IPA the next login to rhel5.6 requires a password change.
>
> yet to F15 does not.

What matters is *how* you change this password. But see my other mail that explains what happens if you change a user password as an administrator.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Jun 9 12:26:09 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Jun 2011 08:26:09 -0400
Subject: [Freeipa-users] New user first login behaviour (Fedora 15)
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9F66@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E9F33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0E9F50@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9F66@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1307622369.2613.257.camel@willson.li.ssimo.org>

On Thu, 2011-06-09 at 04:20 +0000, Steven Jones wrote:
> Hi,
>
> hmmm......I can login to the workstation via ssh using the ipa
> password for thing....but no home directory has been created...

You need to configure pam_mkhomedir if you want that done.

We cannot do that from ipa-client-install because we have no data on how you are going to set up your home directories. We have no idea if you want local ones or if you are going to setup a NFS mountpoint on /home or if you are going to use automount/autofs or whatever.

You can run the authconfig gui (or CLI) and select the option of creating home directories at login if they are not available yet.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Jun 9 12:29:50 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Jun 2011 08:29:50 -0400
Subject: [Freeipa-users] Kerberos problem with account with changed attributes
In-Reply-To: <88860510-0133-499F-8249-885BEEB14EFF@allegro.pl>
References: <88860510-0133-499F-8249-885BEEB14EFF@allegro.pl>
Message-ID: <1307622590.2613.260.camel@willson.li.ssimo.org>

On Thu, 2011-06-09 at 13:04 +0200, tomasz.napierala at allegro.pl wrote:
> Hi,
>
> Due to a bug in one of our maintenance scripts, I had to manually change some attributes for one of the users, e.g.: uid and uidNumber.
> I did it using
> /usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221
>
> (yeah, last argument is really user's uid ;)
>
> After that user cannot use any of the ipa-* scripts, he's getting:
> "Connection to database failed: Invalid credentials: SASL(-14): authorization failure:"
>
> I suppose it is a problem with inconsistency in ldap and Kerberos database (probably Kerberos still has old data)
>
> My question is how to fix that without generating new user (I really have to avoid that due to fact that this environment has some compliance restrictions)

Use ldapsearch to check what the DN is, it is probably still something like:
cn=1211,cn=users,cn=accounts, ...

then use
ldapmodrdn -r cn=1211,cn=users,cn=acc..... cn=username

This will rename the user properly and a plugin will take care of renaming also the kerberos principal.

Local client caches may need some purging to properly pick up the new value.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Jun 9 12:31:49 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Jun 2011 08:31:49 -0400
Subject: [Freeipa-users] FreeIPA 2, adding Samba attributes
In-Reply-To: <4DF0A3F0.2050602@bzz.no>
References: <4DF0A3F0.2050602@bzz.no>
Message-ID: <1307622709.2613.262.camel@willson.li.ssimo.org>

On Thu, 2011-06-09 at 12:44 +0200, John S. Skogtvedt wrote:
> Hello,
>
> has anybody tried to integrate Samba with FreeIPA 2? I searched and
> found a mailing list post from 2009 with a solution using the 389 DNA
> plugin, but later posts indicated that the solution outlined wasn't
> correct (and probably out of date).
>
> My impression from what I've read is that there is no way of doing it
> other than configuring FreeIPA to add samba object classes, and
> specifying the required attributes when adding a user.
> The problem then
> is that adding users won't be possible from the web interface, because
> of required samba attributes (unless one instead later adds the
> necessary object classes and attributes).
>
> Is this correct?

You can modify the UI behavior wrt what classes and attributes to store.

> If so, I wonder how much work it might be to either add a small hack to
> the web interface to add the necessary attributes, or to write a web
> interface plugin which adds a user with the necessary attributes. Any
> pointers would be appreciated (I know python).
> I think it'd be useful to be able to add template values as well as
> objectclasses in ipaConfig, e.g. something like:
> ipaUserAttrs: sambaSid: ...-$uid, where $uid is expanded when the user
> is created.

You probably want to use the DNA plugin to generate the sambaSid for you once you have a domain SID, it's not too difficult and will be much less error prone.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Jun 9 13:35:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Jun 2011 09:35:25 -0400
Subject: [Freeipa-users] disable account behavior
In-Reply-To: <1307609924.27281.2.camel@dhcp-25-52.brq.redhat.com>
References: <1307609924.27281.2.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DF0CC1D.9040808@redhat.com>

Martin Kosek wrote:
> On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote:
>> I've disabled an account in FreeIPA using the UI and I don't see any
>> changes in the directory. Are there supposed to be changes there or is
>> this something that is accomplished in Kerberos? I was hoping to be
>> able to search the directory for disabled accounts.
>>
>> Steve
>>
>
> When an account is disabled, the nsaccountlock attribute is set to True.
> I would suggest the following LDAP search:
>
> # ldapsearch -h localhost -Y GSSAPI -b cn=users,cn=accounts,$SUFFIX -s one nsaccountlock
> SASL/GSSAPI authentication started
> SASL username: admin at IDM.LAB.BOS.REDHAT.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base with scope oneLevel
> # filter: (objectclass=*)
> # requesting: nsaccountlock
> #
>
> # admin, users, accounts, idm.lab.bos.redhat.com
> dn: uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> nsaccountlock: False
>
> # fbar, users, accounts, idm.lab.bos.redhat.com
> dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
> nsaccountlock: True
>
>
> User "fbar" was disabled via CLI.

To add to this, nsaccountlock is an LDAP operational attribute so you have to specifically ask for it for it to be displayed.

rob

From sgallagh at redhat.com Thu Jun 9 13:41:36 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 09 Jun 2011 09:41:36 -0400
Subject: [Freeipa-users] New user first login behaviour (Fedora 15)
In-Reply-To: <1307622369.2613.257.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E401B0E9F33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0E9F50@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9F66@STAWINCOX10MBX1.staff.vuw.ac.nz> <1307622369.2613.257.camel@willson.li.ssimo.org>
Message-ID: <1307626896.2328.1.camel@sgallagh.bos.redhat.com>

On Thu, 2011-06-09 at 08:26 -0400, Simo Sorce wrote:
> On Thu, 2011-06-09 at 04:20 +0000, Steven Jones wrote:
> > Hi,
> >
> > hmmm......I can login to the workstation via ssh using the ipa
> > password for thing....but no home directory has been created...
>
> You need to configure pam_mkhomedir if you want that done.
>
> We cannot do that from ipa-client-install because we have no data on how
> you are going to set up your home directories.
> We have no idea if you
> want local ones or if you are going to setup a NFS mountpoint on /home
> or if you are going to use automount/autofs or whatever.
>
> You can run the authconfig gui (or CLI) and select the option of
> creating home directories at login if they are not available yet.
>
> Simo.
>

You can also pass --mkhomedir to ipa-client-install when you're initially setting the client up. This will configure pam_mkhomedir (or oddjob_mkhomedir, if available) to automatically create home directories when users first log in.

From simo at redhat.com Thu Jun 9 13:47:02 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 09 Jun 2011 09:47:02 -0400
Subject: [Freeipa-users] New user first login behaviour (Fedora 15)
In-Reply-To: <1307626896.2328.1.camel@sgallagh.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0E9F33@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0E9F50@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9F66@STAWINCOX10MBX1.staff.vuw.ac.nz> <1307622369.2613.257.camel@willson.li.ssimo.org> <1307626896.2328.1.camel@sgallagh.bos.redhat.com>
Message-ID: <1307627222.2613.266.camel@willson.li.ssimo.org>

On Thu, 2011-06-09 at 09:41 -0400, Stephen Gallagher wrote:
> On Thu, 2011-06-09 at 08:26 -0400, Simo Sorce wrote:
> > On Thu, 2011-06-09 at 04:20 +0000, Steven Jones wrote:
> > > Hi,
> > >
> > > hmmm......I can login to the workstation via ssh using the ipa
> > > password for thing....but no home directory has been created...
> >
> > You need to configure pam_mkhomedir if you want that done.
> >
> > We cannot do that from ipa-client-install because we have no data on how
> > you are going to set up your home directories.
> > We have no idea if you
> > want local ones or if you are going to setup a NFS mountpoint on /home
> > or if you are going to use automount/autofs or whatever.
> >
> > You can run the authconfig gui (or CLI) and select the option of
> > creating home directories at login if they are not available yet.
> >
> > Simo.
> >
>
> You can also pass --mkhomedir to ipa-client-install when you're
> initially setting the client up. This will configure pam_mkhomedir (or
> oddjob_mkhomedir, if available) to automatically create home directories
> when users first log in.

Thanks Stephen, I had forgotten we had that option.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Thu Jun 9 14:50:16 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 09 Jun 2011 10:50:16 -0400
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9E8A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DE55B3E.9000707@redhat.com>, <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop> <833D8E48405E064EBC54C84EC6B36E401B0E9E8A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DF0DDA8.9020809@redhat.com>

On 06/08/2011 08:43 PM, Steven Jones wrote:
> Hi,
>
> I am still trying to figure getting ubuntu connected....
>
> So to get a non-rhel client computer into freeipa the first thing I have to do is make a client computer instance in freeipa first? or doesn't it matter? ie can a non rhel client only do authentication or can it be acted upon fully as per a rhel client?
>

Unless you want to have the client use Kerberos to protect your ldap connection from host to IPA you do not need to have the host principal in the server.

For non-RHEL machines or machines that do not use SSSD you need to configure only PAM and NSS. For PAM you can use kerberos or ldap. For NSS you need to use ldap. Effectively you need to manually do what ipa-client on rhel 5.6 does for you. It is covered in the Freeipa v1 client config guides.
Nothing changed there.

http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/

Hope this helps.

> Are there certificates for ssl or something that have to be copied over to the client(s)?
>
> I don't have it working yet beyond I can do a kinit and admin and give a password and then do klist etc....
>
> :/
>
> It's proving very painful....
>
> regards
>
> Steven
>
>
> 8><----
>
> Maybe this article could be a good jumping-off point?
> http://www.aput.net/~jheiss/krbldap/howto.html
>
> It's pretty old, but seems to bring together many things and overview them well, with enough static examples to give you a feel for what you're getting into.
>
> 8><---
>
> thanks, its helping.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Thu Jun 9 14:57:36 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 09 Jun 2011 10:57:36 -0400
Subject: [Freeipa-users] Inconsistent first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9DBE@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DEFE1E5.1030400@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0E9D61@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DF00672.9000705@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9DBE@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DF0DF60.4040504@redhat.com>

On 06/08/2011 07:48 PM, Steven Jones wrote:
> Hi,
>
> nsswitch attached.
>
> Which pam files?

The pam configuration files.
On my RHEL6 it is in /etc/pam.d/system-auth which is usually a link to a file in the same directory. I think in 5.6 it is similar. I do not have a 5.6 machine handy to check.

> regards
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 9 June 2011 11:32 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistent first login behaviour
>
> On 06/08/2011 06:57 PM, Steven Jones wrote:
>
> Attached are F15 and RHEL5.6 conf scripts.
>
>
> You have not attached pam configurations and nsswitch for 5.6.
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 9 June 2011 10:31 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistent first login behaviour
>
> Hi,
>
> These files/clients have all been configured by the ipa-client-install script, so any settings are standard, I have modified nothing.
>
> So when I built all 3 client/workstations I made a default user jonesst1 at build time with password 1 and its the same across all three.
>
> So in the freeipa server I set password2 for jonesst1 which is different so I know that I am getting a centralised login....really basic stuff.
>
> So then using the ipa-client-install script I joined them each in turn to IPA....for F15 and 6.1 clients they now accept the IPA password2 without an issue...for RHEL 5.6 it initially asked to reset the password....and I only had 1 hour......later logins are fine.
>
> So my use case is nothing more than a simple centralised login......
>
> regards
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 9 June 2011 8:56 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistent first login behaviour
>
> On 06/08/2011 04:04 PM, Steven Jones wrote:
>
>
> Hi,
>
> Can you fix 5.6 so it runs the ipa-client-install script the same way then please? because running the same command giving differing results seems strange....unless you are telling me its simply the way rhel5.6 will work?
>
>
> Well the problem is that SSSD is not in 5.6 by default. ipa-client on
> 5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is
> configured. In 5.7 there will be a new ipa-client that will act in the
> same way as in RHEL 6 or Fedora.
>
> But the expectation is that they should act in the same way now. But
> apparently there is some difference.
>
> We need to understand exactly what is your use case.
> What is configured in your nsswitch and pam config on RHEL and Fedora?
> And if in one case it is SSSD and not in the other we need to see SSSD
> configuration and LDAP and Kerberos configuration files.
>
>
>
>
> regards
>
> Steven
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 9 June 2011 5:00 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistent first login behaviour
>
> On 06/07/2011 10:36 PM, Steven Jones wrote:
>
>
> Logging into the F15 client and I just login with the ldap password...
>
> If I try the same thing with RHEL5.6 I get told I have one hour to password expiry....
>
> I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all.
>
>
>
> This is probably because in one case you log using LDAP password and in
> another as Kerberos credential. The underlying password string is the
> same but other properties like expiration are different as you see.
> To have the consistent experience configure both systems to use same
> type of the credential.
>
> regards
>
> Steven

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
From rcritten at redhat.com Thu Jun 9 14:59:17 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Jun 2011 10:59:17 -0400
Subject: [Freeipa-users] Kerberos problem with account with changed attributes
In-Reply-To: <88860510-0133-499F-8249-885BEEB14EFF@allegro.pl>
References: <88860510-0133-499F-8249-885BEEB14EFF@allegro.pl>
Message-ID: <4DF0DFC5.8060702@redhat.com>

tomasz.napierala at allegro.pl wrote:
> Hi,
>
> Due to a bug in one of our maintenance scripts, I had to manually change some attributes for one of the users, e.g.: uid and uidNumber. I did it using
> /usr/sbin/ipa-moduser --setattr="uid=username" --setattr="uidNumber=1221" 1221
>
> (yeah, last argument is really user's uid ;)
>
> After that user cannot use any of the ipa-* scripts, he's getting:
> "Connection to database failed: Invalid credentials: SASL(-14): authorization failure:"
>
> I suppose it is a problem with inconsistency in ldap and Kerberos database (probably Kerberos still has old data)
>
> My question is how to fix that without generating new user (I really have to avoid that due to fact that this environment has some compliance restrictions)
>
> Regards,

Hmm, this is strange. It looks like you changed the uid properly.

Let's remove the ipa admin tools from the picture. Can the user try this using your LDAP search basedn?

ldapsearch -Y GSSAPI -b dc=example,dc=com uid=1221

They may also want to try a kdestroy/kinit if it fails, though I don't know why the principal wouldn't be accepted.

When binding in LDAP we need to map the Kerberos principal to a user account. It may be that this mapping is failing. The ldapsearch command may give us a more specific error message.
rob

From dpal at redhat.com Thu Jun 9 15:05:53 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 09 Jun 2011 11:05:53 -0400
Subject: [Freeipa-users] FreeIPA 2, adding Samba attributes
In-Reply-To: <1307622709.2613.262.camel@willson.li.ssimo.org>
References: <4DF0A3F0.2050602@bzz.no> <1307622709.2613.262.camel@willson.li.ssimo.org>
Message-ID: <4DF0E151.50208@redhat.com>

On 06/09/2011 08:31 AM, Simo Sorce wrote:
> On Thu, 2011-06-09 at 12:44 +0200, John S. Skogtvedt wrote:
>> Hello,
>>
>> has anybody tried to integrate Samba with FreeIPA 2? I searched and
>> found a mailing list post from 2009 with a solution using the 389 DNA
>> plugin, but later posts indicated that the solution outlined wasn't
>> correct (and probably out of date).
>>
>> My impression from what I've read is that there is no way of doing it
>> other than configuring FreeIPA to add samba object classes, and
>> specifying the required attributes when adding a user. The problem then
>> is that adding users won't be possible from the web interface, because
>> of required samba attributes (unless one instead later adds the
>> necessary object classes and attributes).
>>
>> Is this correct?
> You can modify the UI behavior wrt what classes and attribute to store.
>
>> If so, I wonder how much work it might be to either add a small hack to
>> the web interface to add the necessary attributes, or to write a web
>> interface plugin which adds a user with the necessary attributes. Any
>> pointers would be appreciated (I know python).
>> I think it'd be useful to be able to add template values as well as
>> objectclasses in ipaConfig, e.g. something like:
>> ipaUserAttrs: sambaSid: ...-$uid, where $uid is expanded when the user
>> is created.
> You probably want to use the DNA plugin to generate the sambaSid for you
> once you have a domain SID, it's not too difficult and will be much less
> error prone.
>
> Simo.
>

Once in the past the DS was fixed to be able to be a back end for the Samba4 server so I suspect it should provide all the functionality you need. A plugin can be written to provide cli and UI management of Samba attributes.

Are you interested in writing such a plugin? What is your end goal and time line?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From sigbjorn at nixtra.com Thu Jun 9 17:21:41 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 09 Jun 2011 19:21:41 +0200
Subject: [Freeipa-users] Connecting Ubuntu to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0E9E8A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DE55B3E.9000707@redhat.com>, <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop> <833D8E48405E064EBC54C84EC6B36E401B0E9E8A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DF10125.5020406@nixtra.com>

Hi,

I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 11.04. NFS4+KRB successfully in 10.10 and 11.04.

Install the packages below, substitute libpam-ldap for libpam-ldapd if you prefer PADL's ldap library which can use groups within groups for user accounts. ldapld can't, however it offers a daemon which connects to a LDAP server, and a workaround for issues such as Thunderbird crashing, etc. I have not been able to get the sssd that comes with Ubuntu to work.

Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the Ubuntu host.

Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make /etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf (nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, /etc/default/nfs-common. See attached files for examples.
Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And the following to /etc/ssh/ssh_config:
Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Run this command to make sure ldap+krb has been configured in PAM after the packages have been installed:
$ /usr/sbin/pam-auth-update --package --force

This gives you an Ubuntu system configured for IPA with autofs and nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD comes in version 1.5.x in Ubuntu! :)

I've set the ldap timeouts very low so you might need tweaking for this to work over a WAN/slow link, but it makes the client much more responsive if your first listed IPA/LDAP server becomes unavailable.

Packages:
autofs5 action=install
autofs5-ldap action=install
krb5-user action=install
krb5-clients action=install
nfs-client action=install
nfs4-acl-tools action=install
ldap-auth-config action=install
ldap-utils action=install
#libpam-ldap action=install
libpam-ldapd action=install
libpam-krb5 action=install
libpam-ccreds action=install
libpam-foreground action=install
libnss-ldap action=install
nscd action=install
ntp action=install

Rgds,
Siggi

On 06/09/2011 02:43 AM, Steven Jones wrote:
> Hi,
>
> I am still trying to figure getting ubuntu connected....
>
> So to get a non-rhel client computer into freeipa the first thing I have to do is make a client computer instance in freeipa first? or doesn't it matter? ie can a non rhel client only do authentication or can it be acted upon fully as per a rhel client?
>
> Are there certificates for ssl or something that have to be copied over to the client(s)?
>
> I don't have it working yet beyond I can do a kinit and admin and give a password and then do klist etc....
>
> :/
>
> It's proving very painful....
>
> regards
>
> Steven
>
>
> 8><----
>
> Maybe this article could be a good jumping-off point?
> http://www.aput.net/~jheiss/krbldap/howto.html > > It's pretty old, but seems to bring together many things and overview them well, with enough static examples to give you a feel for what you're getting into. > > 8><--- > > thanks, its helping. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: autofs URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: idmapd.conf URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: krb5.conf URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ldap.conf URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: nslcd.conf URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: nsswitch.conf URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ntp.conf URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: nfs-common URL: From sigbjorn at nixtra.com Thu Jun 9 17:38:42 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Thu, 09 Jun 2011 19:38:42 +0200 Subject: [Freeipa-users] Connecting Ubuntu to IPA - one last important step! In-Reply-To: <4DF10125.5020406@nixtra.com> References: <4DE55B3E.9000707@redhat.com>, <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop> <833D8E48405E064EBC54C84EC6B36E401B0E9E8A@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DF10125.5020406@nixtra.com> Message-ID: <4DF10522.9010204@nixtra.com> Sorry, forgot one last, very important thing. 
Use ipa-getkeytab on an IPA server to retrieve the keytab for the host, and copy this to /etc/krb5.keytab on the Ubuntu client.

[root at ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab

If you prefer you can use something like CFengine to automate the whole process.

Rgds,
Siggi.
From jss at bzz.no Thu Jun 9 19:37:22 2011
From: jss at bzz.no (John S. Skogtvedt)
Date: Thu, 09 Jun 2011 21:37:22 +0200
Subject: [Freeipa-users] FreeIPA 2, adding Samba attributes
In-Reply-To: <1307622709.2613.262.camel@willson.li.ssimo.org>
References: <4DF0A3F0.2050602@bzz.no> <1307622709.2613.262.camel@willson.li.ssimo.org>
Message-ID: <4DF120F2.9050102@bzz.no>

On 9 June 2011 14:31, Simo Sorce wrote:
> You probably want to use the DNA plugin to generate the sambaSid for you
> once you have a domain SID, it's not too difficult and will be much less
> error prone.
>
> Simo.
>

Thanks. The solution outlined at http://www.mail-archive.com/freeipa-users at redhat.com/msg00111.html works for me, at least for user objects (didn't try the group part yet).

From jss at bzz.no Thu Jun 9 19:44:45 2011
From: jss at bzz.no (John S. Skogtvedt)
Date: Thu, 09 Jun 2011 21:44:45 +0200
Subject: [Freeipa-users] FreeIPA 2, adding Samba attributes
In-Reply-To: <4DF0E151.50208@redhat.com>
References: <4DF0A3F0.2050602@bzz.no> <1307622709.2613.262.camel@willson.li.ssimo.org> <4DF0E151.50208@redhat.com>
Message-ID: <4DF122AD.2060005@bzz.no>

On 9 June 2011 17:05, Dmitri Pal wrote:
> Once in the past the DS was fixed to be able to be a back end for the
> Samba4 server so I suspect it should provide all the functionality you need.
> A plugin can be written to provide cli and UI management of Samba
> attributes.
> Are you interested in writing such a plugin?
> What is your end goal and time line?
>

I just need the minimal samba LDAP attributes set in order to be able to use Samba 3 together with FreeIPA. Fortunately it seems that that's possible after all without any coding (see my other email).

John.

From Steven.Jones at vuw.ac.nz Thu Jun 9 20:32:49 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 9 Jun 2011 20:32:49 +0000
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <1307620548.2613.250.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFE1E5.1030400@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307573524.2613.244.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307573959.2613.247.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D9D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307620548.2613.250.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0EA311@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

In which case I would expect it should happen across all clients in the same way and not some...

regards

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Thursday, 9 June 2011 11:55 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Inconsistant first login behaviour

On Wed, 2011-06-08 at 23:08 +0000, Steven Jones wrote:
> Hi,
>
> Nope.....password1 was set on build....it hasn't been changed by root or the user at all.

I think this will apply then: http://www.freeipa.org/page/NewPasswordsExpired

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Thu Jun 9 20:46:00 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 9 Jun 2011 20:46:00 +0000
Subject: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!
In-Reply-To: <4DF10522.9010204@nixtra.com>
References: <4DE55B3E.9000707@redhat.com>, <8c2df50f-4e03-4a7e-b86d-2601ffd35fc4@dlwillson-laptop> <833D8E48405E064EBC54C84EC6B36E401B0E9E8A@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DF10125.5020406@nixtra.com>,<4DF10522.9010204@nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0EA334@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

thanks, this should help a lot. When I sudo to root I can use the ipa password so I'm fairly close...

regards

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Friday, 10 June 2011 5:38 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!
From ayoung at redhat.com Thu Jun 9 21:45:15 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 09 Jun 2011 17:45:15 -0400
Subject: [Freeipa-users] FreeIPA 2, adding Samba attributes
In-Reply-To: <4DF120F2.9050102@bzz.no>
References: <4DF0A3F0.2050602@bzz.no> <1307622709.2613.262.camel@willson.li.ssimo.org> <4DF120F2.9050102@bzz.no>
Message-ID: <4DF13EEB.9090809@redhat.com>

On 06/09/2011 03:37 PM, John S. Skogtvedt wrote:
> On 9 June 2011 14:31, Simo Sorce wrote:
>> You probably want to use the DNA plugin to generate the sambaSid for you
>> once you have a domain SID, it's not too difficult and will be much less
>> error prone.
>>
>> Simo.
>>
> Thanks. The solution outlined at
> http://www.mail-archive.com/freeipa-users at redhat.com/msg00111.html works
> for me, at least for user objects (didn't try the group part yet).

It should be relatively trivial to add support in the WebUI for Samba, but nothing would be broken without it. All that would happen is that the WebUI would lack fields for the Samba specific attributes.

Assuming that ipa user-add works, you would want to add the field as an attribute in user.py.
To add it after groupID:

    Int('gidnumber?',
        label=_('GID'),
        doc=_('Group ID Number'),
        default_from=lambda uid: uid,
    ),
    # a SID is a string of the form S-1-5-21-..., so the parameter must be Str, not Int
    Str('sambasid?',
        label=_('SAMBA SID'),
        doc=_('Samba SID Number'),
    ),

I have to admit I'm not sure what the rules would be for default values for sambaSID.

Once you have ipa user-add working, if you want to extend the web UI, the file to modify is /usr/share/ipa/ui/user.js. What you would want to do is to add in a field sambaSID. I'd be prone to put it under the section with the name: 'account'. It should be a text field, so you just need to add an entry for sambasid. I'd put it under 'gidnumber'. That looks like this:

    {
        name: 'account',
        fields: [
            { factory: IPA.user_status_widget, name: 'nsaccountlock' },
            'uid',
            { factory: IPA.user_password_widget, name: 'userpassword' },
            'uidnumber',
            'gidnumber',
            'sambasid',
            'loginshell',
            'homedirectory'
        ]
    },

From simo at redhat.com Fri Jun 10 12:49:27 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 10 Jun 2011 08:49:27 -0400
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0EA311@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFE1E5.1030400@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307573524.2613.244.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307573959.2613.247.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D9D@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307620548.2613.250.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0EA311@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:
<1307710167.2613.289.camel@willson.li.ssimo.org>

On Thu, 2011-06-09 at 20:32 +0000, Steven Jones wrote:
> Hi,
>
> In which case I would expect it should happen across all clients in the same way and not some...

Indeed it should, if a brand new user with an admin set password is used and a specific machine does not force you to change a password, please open a bug against the specific distro version, feel free to assign it to the sssd components or pam_krb5 components depending on what you are using on the specific machine.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Sun Jun 12 20:44:52 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 12 Jun 2011 20:44:52 +0000
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <1307710167.2613.289.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFE1E5.1030400@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307573524.2613.244.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307573959.2613.247.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D9D@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307620548.2613.250.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0EA311@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1307710167.2613.289.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0EB0E0@STAWINCOX10MBX1.staff.vuw.ac.nz>

If they ever make the bugtrak system usable, I will.

regards

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Saturday, 11 June 2011 12:49 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Inconsistant first login behaviour

On Thu, 2011-06-09 at 20:32 +0000, Steven Jones wrote:
> Hi,
>
> In which case I would expect it should happen across all clients in the same way and not some...

Indeed it should, if a brand new user with an admin set password is used and a specific machine does not force you to change a password, please open a bug against the specific distro version, feel free to assign it to the sssd components or pam_krb5 components depending on what you are using on the specific machine.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From DLWillson at TheGeek.NU Sun Jun 12 22:00:10 2011
From: DLWillson at TheGeek.NU (David L. Willson)
Date: Sun, 12 Jun 2011 16:00:10 -0600 (MDT)
Subject: [Freeipa-users] Replica install breaking on DS step 23 of 27 (master-entry.ldif)
In-Reply-To:
Message-ID: <5ca8558f-d845-4ce6-85c7-f1ddb7aa50d4@dlwillson-laptop>

I'm trying to create a replica.
I have two F15 boxen with all updates.
The first IPA is humperdinck, running right with DNS and manageable from the CLI and web.
vizzini wants to be the second IPA, but is failing with the console output below:

I'm really not sure where to begin the trouble-shooting or information collection. I've been generally following the test case docs for everything. The particular commands I'm using right now are:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_replication

[rmsel-admin at vizzini ~]$ sudo ipa-replica-install --setup-dns --forwarder=205.171.3.65 --forwarder=205.171.2.65 replica-info-vizzini.rmsel.org.gpg
Directory Manager (existing master) password:

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/27]: creating directory server user
  [2/27]: creating directory server instance
  [3/27]: adding default schema
  [4/27]: enabling memberof plugin
  [5/27]: enabling referential integrity plugin
  [6/27]: enabling winsync plugin
  [7/27]: configuring replication version plugin
  [8/27]: enabling IPA enrollment plugin
  [9/27]: enabling ldapi
  [10/27]: configuring uniqueness plugin
  [11/27]: configuring uuid plugin
  [12/27]: configuring modrdn plugin
  [13/27]: enabling entryUSN plugin
  [14/27]: configuring lockout plugin
  [15/27]: creating indices
  [16/27]: configuring ssl for ds instance
  [17/27]: configuring certmap.conf
  [18/27]: configure autobind for root
  [19/27]: restarting directory server
  [20/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [21/27]: adding replication acis
  [22/27]: initializing group membership
  [23/27]: adding master entry
root : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h vizzini.rmsel.org -v -f /tmp/tmpaiKmYl -x -D cn=Directory Manager -y /tmp/tmpjT3kr3' returned non-zero exit status 32
  [24/27]: configuring Posix uid/gid generation
  [25/27]: enabling compatibility plugin
  [26/27]: tuning directory server
Custom file limits are already set! Skipping
  [27/27]: configuring directory to start on boot
done configuring dirsrv.

Configuring Kerberos KDC: Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: writing stash file from DS
  [3/10]: configuring KDC
  [4/10]: creating a keytab for the directory
creation of replica failed: [Errno 2] No such file or directory: '/etc/dirsrv/ds.keytab'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
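An added triage script for console output of the kind David posted above (not code from the thread or from FreeIPA): it finds the phase and step each failure happened in, pulls the exit status out of the failed ldapmodify call and names the LDAP result code behind it (32 is noSuchObject, the parent of the entry being added is missing on that server). The embedded sample is a constructed abbreviation of the log above; the script also accepts a saved console transcript as its first argument.

```python
"""Triage helper for ipa-replica-install console output.

Added example, not code from the thread or from FreeIPA. It reads the
"[n/m]: step" progress lines, records every CRITICAL line and the final
"creation of replica failed" line with the phase and step they fell in, and
names the LDAP result code behind a failed ldapmodify (32 = noSuchObject:
the parent of the entry being added does not exist on that server).
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# LDAP resultCode values from RFC 4511; ldapmodify exits with the result code.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}

PHASE_RE = re.compile(r"^Configuring ([^:]+?)\s*(?::.*)?$")
STEP_RE = re.compile(r"^\s*\[(\d+)/(\d+)\]: (.*\S)\s*$")
CRITICAL_RE = re.compile(r"CRITICAL (.*\S)\s*$")
EXIT_RE = re.compile(r"returned non-zero exit status (\d+)")
FINAL_RE = re.compile(r"^creation of replica failed: (.*\S)\s*$")


@dataclass
class Failure:
    phase: Optional[str]        # e.g. "directory server"
    step: Optional[str]         # e.g. "[23/27]: adding master entry"
    message: str                # text after "CRITICAL" or "failed:"
    exit_status: Optional[int]  # exit status of the failed command, if any
    ldap_result: Optional[str]  # RFC 4511 result name when an ldap tool failed


def triage(output: str) -> List[Failure]:
    """Return the failures found in the install output, in order."""
    failures: List[Failure] = []
    phase = step = None
    for line in output.splitlines():
        m = PHASE_RE.match(line)
        if m:
            phase = m.group(1)
            continue
        m = STEP_RE.match(line)
        if m:
            step = f"[{m.group(1)}/{m.group(2)}]: {m.group(3)}"
            continue
        m = CRITICAL_RE.search(line)
        if m:
            message = m.group(1)
            ex = EXIT_RE.search(message)
            status = int(ex.group(1)) if ex else None
            ldap = None
            # Only translate the status when an LDAP client tool failed;
            # other commands use their own exit-code conventions.
            if status is not None and "/ldap" in message:
                ldap = LDAP_RESULT_CODES.get(status, f"unknown({status})")
            failures.append(Failure(phase, step, message, status, ldap))
            continue
        m = FINAL_RE.match(line)
        if m:
            failures.append(Failure(phase, step, m.group(1), None, None))
    return failures


def summarize(failures: List[Failure]) -> str:
    """One line per failure; start with the first, later ones often follow from it."""
    if not failures:
        return "no failures found"
    lines = []
    for i, f in enumerate(failures):
        tag = "root cause candidate" if i == 0 else "possible follow-on"
        detail = f" (LDAP {f.exit_status} {f.ldap_result})" if f.ldap_result else ""
        lines.append(f"{tag}: {f.phase} / {f.step}: {f.message}{detail}")
    lines.append("next: read /var/log/ipareplica-install.log around the first failure")
    return "\n".join(lines)


# Constructed sample shaped like the console output quoted in the thread.
SAMPLE_OUTPUT = """\
Configuring ntpd
  [4/4]: starting ntpd
Configuring directory server: Estimated time 1 minute
  [23/27]: adding master entry
root        : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h vizzini.rmsel.org -v -f /tmp/tmpaiKmYl -x -D cn=Directory Manager -y /tmp/tmpjT3kr3' returned non-zero exit status 32
  [24/27]: configuring Posix uid/gid generation
Configuring Kerberos KDC: Estimated time 30 seconds
  [4/10]: creating a keytab for the directory
creation of replica failed: [Errno 2] No such file or directory: '/etc/dirsrv/ds.keytab'
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(summarize(triage(text)))
```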
From sgallagh at redhat.com Mon Jun 13 11:37:54 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 13 Jun 2011 07:37:54 -0400
Subject: [Freeipa-users] Inconsistant first login behaviour
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0EB0E0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0E855C@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFAA92.8080003@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9C7B@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DEFE1E5.1030400@redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0E9D0F@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307573524.2613.244.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D56@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307573959.2613.247.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0E9D9D@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1307620548.2613.250.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0EA311@STAWINCOX10MBX1.staff.vuw.ac.nz> , <1307710167.2613.289.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E401B0EB0E0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1307965075.1923.3.camel@sgallagh520.bos.redhat.com>

On Sun, 2011-06-12 at 20:44 +0000, Steven Jones wrote:
> If they ever make the bugtrak system usable, I will.

This is not a helpful response. Please file a bug at bugzilla.redhat.com against either SSSD or pam_krb5 on the appropriate version of Fedora. Please include the exact behavior you are seeing, as well as the behavior you would expect to see. Include as much detail as possible.
From sigbjorn at nixtra.com Mon Jun 13 13:23:26 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 13 Jun 2011 15:23:26 +0200
Subject: [Freeipa-users] Configuring IPA replicas
Message-ID: <4DF60F4E.8090409@nixtra.com>

Hi,

I have successfully configured one IPA replica, now I'm trying to configure a second replica, but I'm not having much success. I've attached the output of ipa-replica-install -d. I get as far as "[4/11]: configuring certificate server instance". The machine is configured in the same way as the 2 first machines. They are all F15, updated with all available packages from the official repos.

The installation fails when it's trying to connect to the dogtag server on the ipa replica it's just configured, with a "Invalid clone_uri" message. (See the attached file for details).

I'm not sure where to start looking. The only difference from the 2 first IPA servers, is that this server is located at another subnet, over a site-to-site VPN connection.

Any suggestions to what might be wrong?

Rgds,
Siggi

From simo at redhat.com Mon Jun 13 14:12:10 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 13 Jun 2011 10:12:10 -0400
Subject: [Freeipa-users] Configuring IPA replicas
In-Reply-To: <4DF60F4E.8090409@nixtra.com>
References: <4DF60F4E.8090409@nixtra.com>
Message-ID: <1307974330.12323.30.camel@willson.li.ssimo.org>

On Mon, 2011-06-13 at 15:23 +0200, Sigbjorn Lie wrote:
> Hi,
>
> I have successfully configured one IPA replica, now I'm trying to
> configure a second replica, but I'm not having much success. I've
> attached the output of ipa-replica-install -d. I get as far as "[4/11]:
> configuring certificate server instance". The machine is configured in
> the same way as the 2 first machines.
> They are all F15, updated with all
> available packages from the official repos.
>
> The installation fails when it's trying to connect to the dogtag server
> on the ipa replica it's just configured, with a "Invalid clone_uri"
> message. (See the attached file for details).
>
> I'm not sure where to start looking. The only difference from the 2
> first IPA servers, is that this server is located at another subnet,
> over a site-to-site VPN connection.
>
> Any suggestions to what might be wrong?

I have never seen this error, have you created a new replica package with ipa-replica-prepare to create the second replica ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Mon Jun 13 14:15:29 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 13 Jun 2011 10:15:29 -0400
Subject: [Freeipa-users] Replica install breaking on DS step 23 of 27 (master-entry.ldif)
In-Reply-To: <5ca8558f-d845-4ce6-85c7-f1ddb7aa50d4@dlwillson-laptop>
References: <5ca8558f-d845-4ce6-85c7-f1ddb7aa50d4@dlwillson-laptop>
Message-ID: <1307974529.12323.32.camel@willson.li.ssimo.org>

On Sun, 2011-06-12 at 16:00 -0600, David L. Willson wrote:
> I'm trying to create a replica.
> I have two F15 boxen with all updates.
> The first IPA is humperdinck, running right with DNS and manageable
> from the CLI and web.
> vizzini wants to be the second IPA, but is failing with the
> console output below:
>
> I'm really not sure where to begin the trouble-shooting or information
> collection.

Can you check what errors do you see in /var/log/ipareplica-install.log ?
You can also send the file privately to me if you want.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Mon Jun 13 14:17:32 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 13 Jun 2011 16:17:32 +0200
Subject: [Freeipa-users] Configuring IPA replicas
In-Reply-To: <1307974330.12323.30.camel@willson.li.ssimo.org>
References: <4DF60F4E.8090409@nixtra.com> <1307974330.12323.30.camel@willson.li.ssimo.org>
Message-ID: <4DF61BFC.3040700@nixtra.com>

On 06/13/2011 04:12 PM, Simo Sorce wrote:
> On Mon, 2011-06-13 at 15:23 +0200, Sigbjorn Lie wrote:
>> Hi,
>>
>> I have successfully configured one IPA replica, now I'm trying to
>> configure a second replica, but I'm not having much success. I've
>> attached the output of ipa-replica-install -d. I get as far as "[4/11]:
>> configuring certificate server instance". The machine is configured in
>> the same way as the 2 first machines. They are all F15, updated with all
>> available packages from the official repos.
>>
>> The installation fails when it's trying to connect to the dogtag server
>> on the ipa replica it's just configured, with a "Invalid clone_uri"
>> message. (See the attached file for details).
>>
>> I'm not sure where to start looking. The only difference from the 2
>> first IPA servers, is that this server is located at another subnet,
>> over a site-to-site VPN connection.
>>
>> Any suggestions to what might be wrong?
> I have never seen this error, have you created a new replica package
> with ipa-replica-prepare to create the second replica ?
>

Yes, a fresh package was created using ipa-replica-prepare and scp'ed to the new ipa server. I've even tried re-creating the package. Still the same error message.
From alee at redhat.com Mon Jun 13 14:41:14 2011
From: alee at redhat.com (Ade Lee)
Date: Mon, 13 Jun 2011 10:41:14 -0400
Subject: [Freeipa-users] Configuring IPA replicas
In-Reply-To: <4DF61BFC.3040700@nixtra.com>
References: <4DF60F4E.8090409@nixtra.com> <1307974330.12323.30.camel@willson.li.ssimo.org> <4DF61BFC.3040700@nixtra.com>
Message-ID: <1307976074.9254.6.camel@localhost.localdomain>

Hi,

The replica installation is failing when the replica attempts to contact the CA on the master to log into the security domain. According to your log, this is https://ipa01.ix.test.com:9445

Can the master be resolved and reached from the replica? Can port 9445 be reached (as well as ports 9444 and 9443?)

You can also check the master's /var/log/pki-ca/debug log to see if any communication was received from the replica.

Ade

On Mon, 2011-06-13 at 16:17 +0200, Sigbjorn Lie wrote:
> On 06/13/2011 04:12 PM, Simo Sorce wrote:
> > On Mon, 2011-06-13 at 15:23 +0200, Sigbjorn Lie wrote:
> >> Hi,
> >>
> >> I have successfully configured one IPA replica, now I'm trying to
> >> configure a second replica, but I'm not having much success. I've
> >> attached the output of ipa-replica-install -d. I get as far as "[4/11]:
> >> configuring certificate server instance". The machine is configured in
> >> the same way as the 2 first machines. They are all F15, updated with all
> >> available packages from the official repos.
> >>
> >> The installation fails when it's trying to connect to the dogtag server
> >> on the ipa replica it's just configured, with a "Invalid clone_uri"
> >> message. (See the attached file for details).
> >>
> >> I'm not sure where to start looking. The only difference from the 2
> >> first IPA servers, is that this server is located at another subnet,
> >> over a site-to-site VPN connection.
> >>
> >> Any suggestions to what might be wrong?
> > I have never seen this error, have you created a new replica package
> > with ipa-replica-prepare to create the second replica ?
> >
>
> Yes, a fresh package was created using ipa-replica-prepare and scp'ed to
> the new ipa server. I've even tried re-creating the package. Still the
> same error message.
>

From sigbjorn at nixtra.com Mon Jun 13 15:29:14 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 13 Jun 2011 17:29:14 +0200
Subject: [Freeipa-users] Configuring IPA replicas
In-Reply-To: <1307976074.9254.6.camel@localhost.localdomain>
References: <4DF60F4E.8090409@nixtra.com> <1307974330.12323.30.camel@willson.li.ssimo.org> <4DF61BFC.3040700@nixtra.com> <1307976074.9254.6.camel@localhost.localdomain>
Message-ID: <4DF62CCA.4060503@nixtra.com>

On 06/13/2011 04:41 PM, Ade Lee wrote:
> Hi,
>
> The replica installation is failing when the replica attempts to contact
> the CA on the master to log into the security domain. According to your
> log, this is https://ipa01.ix.test.com:9445
>
> Can the master be resolved and reached from the replica? Can port 9445
> be reached (as well as ports 9444 and 9443?)
>
> You can also check the master's /var/log/pki-ca/debug log to see if any
> communication was received from the replica.
>

There was an additional DNS A record added to the existing IPA server hostname! This additional DNS A record pointed at the IP address of the replica IPA server I'm attempting to configure! I removed this A record and the replica installed successfully.

When I initially ran the ipa-replica-prepare command, I added the "--ip-address" option to get the DNS records for this host created. (I have a separate dns domain for the IPA environment.) In this process ipa-replica-prepare created an additional reverse zone on the server.
(The new ipa replica resides on a subnet which sits at an AD DNS server, but it's still resolvable from the IPA dns servers). After the replica finished I tried to run the ipa-replica-prepare command again with a new hostname, and adding an IP address using --ip-address on a subnet not known to the IPA DNS. The same error was reproduced, the DNS A record was added to the master IPA server. I would also like to note that I cannot see the second DNS entry using the web gui, only using "ipa dnsrecord-find". Bug opened in bugzilla for ipa-replica-prepare: https://bugzilla.redhat.com/show_bug.cgi?id=712920 Rgds, Siggi From sigbjorn at nixtra.com Mon Jun 13 16:20:12 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 13 Jun 2011 18:20:12 +0200 Subject: [Freeipa-users] Multiple host records in the GUI Message-ID: <4DF638BC.6020306@nixtra.com> Hi, How come I cannot see multiple records for the same host in the WEB GUI? I can see the records when I'm using the CLI. This goes for multiple A records for the same hostname, but also if a hostname has an A record and an AAAA record. Only the A record will show up in the WEB GUI. All records are found using an "ipa dnsrecord-find domain.com hostname" on the CLI. Rgds, Siggi From sgallagh at redhat.com Mon Jun 13 16:55:37 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 13 Jun 2011 12:55:37 -0400 Subject: [Freeipa-users] Configuring IPA replicas In-Reply-To: <4DF62CCA.4060503@nixtra.com> References: <4DF60F4E.8090409@nixtra.com> <1307974330.12323.30.camel@willson.li.ssimo.org> <4DF61BFC.3040700@nixtra.com> <1307976074.9254.6.camel@localhost.localdomain> <4DF62CCA.4060503@nixtra.com> Message-ID: <1307984138.1923.8.camel@sgallagh520.bos.redhat.com> On Mon, 2011-06-13 at 17:29 +0200, Sigbjorn Lie wrote: > On 06/13/2011 04:41 PM, Ade Lee wrote: > > Hi, > > > > The replica installation is failing when the replica attempts to contact > > the CA on the master to log into the security domain. 
According to your > > log, this is https://ipa01.ix.test.com:9445 > > > > Can the master be resolved and reached from the replica? Can port 9445 > > be reached (as well as ports 9444 and 9443?) > > > > You can also check the master's /var/log/pki-ca/debug log to see if any > > communication was received from the replica. > > > > There was an additional DNS A record added to the existing IPA server > hostname! This additional DNS A record pointed at the IP address of the > replica IPA server I'm attempting to configure! I removed this A record > and the replica installed successfully. > > When I initially ran the ipa-replica-prepare command, I added the > "--ip-address" option to get the DNS records for this host created. (I > have a separate dns domain for the IPA environment.) In this process > ipa-replica-prepare created an additional reverse zone on the server. > (The new ipa replica resides on a subnet which sits at an AD DNS server, > but it's still resolvable from the IPA dns servers). > > After the replica finished I tried to run the ipa-replica-prepare > command again with a new hostname, and adding an IP address using > --ip-address on a subnet not known to the IPA DNS. The same error was > reproduced, the DNS A record was added to the master IPA server. > > I would also like to note that I cannot see the second DNS entry using > the web gui, only using "ipa dnsrecord-find". Bug opened in bugzilla for > ipa-replica-prepare: > > https://bugzilla.redhat.com/show_bug.cgi?id=712920 > This looks like it's probably related to https://fedorahosted.org/freeipa/ticket/1223 > > Rgds, > Siggi 
From ayoung at redhat.com Mon Jun 13 17:06:51 2011 From: ayoung at redhat.com (Adam Young) Date: Mon, 13 Jun 2011 13:06:51 -0400 Subject: [Freeipa-users] Multiple host records in the GUI In-Reply-To: <4DF638BC.6020306@nixtra.com> References: <4DF638BC.6020306@nixtra.com> Message-ID: <4DF643AB.8010604@redhat.com> On 06/13/2011 12:20 PM, Sigbjorn Lie wrote: > Hi, > > How come I cannot see multiple records for the same host in the WEB > GUI? I can see the records when I'm using the CLI. > > This goes for multiple A records for the same hostname, but also if a > hostname has an A record and an AAAA record. Only the A record will > show up in the WEB GUI. All records are found using an "ipa > dnsrecord-find domain.com hostname" on the CLI. > > > Rgds, > Siggi This is an issue that comes about based on the way that ipa dnsrecord-find returns data. We are currently only reading the first value for each record, but this command packs the data in such a way that is different from other "find" commands. Thus, the subsequent A and AAAA records are ignored. I've opened up a ticket for this issue: https://fedorahosted.org/freeipa/ticket/1319 From sigbjorn at nixtra.com Mon Jun 13 17:17:24 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 13 Jun 2011 19:17:24 +0200 Subject: [Freeipa-users] Multiple host records in the GUI In-Reply-To: <4DF643AB.8010604@redhat.com> References: <4DF638BC.6020306@nixtra.com> <4DF643AB.8010604@redhat.com> Message-ID: <4DF64624.7080505@nixtra.com> On 06/13/2011 07:06 PM, Adam Young wrote: > On 06/13/2011 12:20 PM, Sigbjorn Lie wrote: >> Hi, >> >> How come I cannot see multiple records for the same host in the WEB >> GUI? 
I can see the records when I'm using the CLI. >> >> This goes for multiple A records for the same hostname, but also if a >> hostname has an A record and a AAAA record. Only the A record will >> show up in the WEB GUI. All records are found using a "ipa >> dnsrecord-find domain.com hostname" on the CLI. >> >> >> Rgds, >> Siggi >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > This is an issue that comes about based on the way that ipa > dnsrecord-find returns data. We are currently only reading the first > value for each record, but this command packs the data in such a way > that is different from other "find" comands. Thus, the subsequent A > and AAAA records are ignored. > > I've opened up a ticket for this issue: > > https://fedorahosted.org/freeipa/ticket/1319 > Excellent, thanks. From rcritten at redhat.com Mon Jun 13 17:24:17 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Jun 2011 13:24:17 -0400 Subject: [Freeipa-users] Configuring IPA replicas In-Reply-To: <4DF62CCA.4060503@nixtra.com> References: <4DF60F4E.8090409@nixtra.com> <1307974330.12323.30.camel@willson.li.ssimo.org> <4DF61BFC.3040700@nixtra.com> <1307976074.9254.6.camel@localhost.localdomain> <4DF62CCA.4060503@nixtra.com> Message-ID: <4DF647C1.60207@redhat.com> Sigbjorn Lie wrote: > On 06/13/2011 04:41 PM, Ade Lee wrote: >> Hi, >> >> The replica installation is failing when the replica attempts to contact >> the CA on the master to log into the security domain. According to your >> log, this is https://ipa01.ix.test.com:9445 >> >> Can the master be resolved and reached from the replica? Can port 9445 >> be reached (as well as ports 9444 and 9443?) >> >> You can also check the master's /var/log/pki-ca/debug log to see if any >> communication was received from the replica. 
>> > > There was an additional DNS A record added to the existing IPA server > hostname! This additional DNS A record pointed at the IP address of the > replica IPA server I'm attempting to configure! I removed this A record > and the replica installed successfully. > > When I initially ran the ipa-replica-prepare command, I added the > "--ip-address" option to get the DNS records for this host created. (I > have a seperate dns domain for the IPA environment.) In this process > ipa-replica-prepare created an additional reverse zone on the server. > (The new ipa replica resides on a subnet which sits at a AD DNS server, > but it's still resolvable from the IPA dns servers). > > After the replica finished I tried to run the ipa-replica-prepare > command again with a new hostname, and adding an IP address using > --ip-address on a subnet not known to the IPA DNS. The same error was > re-produced, the DNS A record was added to the master IPA server. > > I would also like to note that I cannot see the second DNS entry using > the web gui, only using "ipa dnsrecord-find". 
Bug opened in bugzilla for > ipa-replica-prepare: > > https://bugzilla.redhat.com/show_bug.cgi?id=712920 Adding the record has already been fixed upstream, https://bugzilla.redhat.com/show_bug.cgi?id=704012 rob From sigbjorn at nixtra.com Mon Jun 13 17:26:03 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 13 Jun 2011 19:26:03 +0200 Subject: [Freeipa-users] Configuring IPA replicas In-Reply-To: <1307984138.1923.8.camel@sgallagh520.bos.redhat.com> References: <4DF60F4E.8090409@nixtra.com> <1307974330.12323.30.camel@willson.li.ssimo.org> <4DF61BFC.3040700@nixtra.com> <1307976074.9254.6.camel@localhost.localdomain> <4DF62CCA.4060503@nixtra.com> <1307984138.1923.8.camel@sgallagh520.bos.redhat.com> Message-ID: <4DF6482B.10808@nixtra.com> On 06/13/2011 06:55 PM, Stephen Gallagher wrote: > On Mon, 2011-06-13 at 17:29 +0200, Sigbjorn Lie wrote: >> On 06/13/2011 04:41 PM, Ade Lee wrote: >>> Hi, >>> >>> The replica installation is failing when the replica attempts to contact >>> the CA on the master to log into the security domain. According to your >>> log, this is https://ipa01.ix.test.com:9445 >>> >>> Can the master be resolved and reached from the replica? Can port 9445 >>> be reached (as well as ports 9444 and 9443?) >>> >>> You can also check the master's /var/log/pki-ca/debug log to see if any >>> communication was received from the replica. >>> >> There was an additional DNS A record added to the existing IPA server >> hostname! This additional DNS A record pointed at the IP address of the >> replica IPA server I'm attempting to configure! I removed this A record >> and the replica installed successfully. >> >> When I initially ran the ipa-replica-prepare command, I added the >> "--ip-address" option to get the DNS records for this host created. (I >> have a seperate dns domain for the IPA environment.) In this process >> ipa-replica-prepare created an additional reverse zone on the server. 
>> (The new ipa replica resides on a subnet which sits at a AD DNS server, >> but it's still resolvable from the IPA dns servers). >> >> After the replica finished I tried to run the ipa-replica-prepare >> command again with a new hostname, and adding an IP address using >> --ip-address on a subnet not known to the IPA DNS. The same error was >> re-produced, the DNS A record was added to the master IPA server. >> >> I would also like to note that I cannot see the second DNS entry using >> the web gui, only using "ipa dnsrecord-find". Bug opened in bugzilla for >> ipa-replica-prepare: >> >> https://bugzilla.redhat.com/show_bug.cgi?id=712920 >> > > This looks like it's probably related to > https://fedorahosted.org/freeipa/ticket/1223 > Yes. :) From sigbjorn at nixtra.com Mon Jun 13 17:26:50 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 13 Jun 2011 19:26:50 +0200 Subject: [Freeipa-users] Configuring IPA replicas In-Reply-To: <4DF647C1.60207@redhat.com> References: <4DF60F4E.8090409@nixtra.com> <1307974330.12323.30.camel@willson.li.ssimo.org> <4DF61BFC.3040700@nixtra.com> <1307976074.9254.6.camel@localhost.localdomain> <4DF62CCA.4060503@nixtra.com> <4DF647C1.60207@redhat.com> Message-ID: <4DF6485A.3010805@nixtra.com> On 06/13/2011 07:24 PM, Rob Crittenden wrote: > Sigbjorn Lie wrote: >> On 06/13/2011 04:41 PM, Ade Lee wrote: >>> Hi, >>> >>> The replica installation is failing when the replica attempts to >>> contact >>> the CA on the master to log into the security domain. According to your >>> log, this is https://ipa01.ix.test.com:9445 >>> >>> Can the master be resolved and reached from the replica? Can port 9445 >>> be reached (as well as ports 9444 and 9443?) >>> >>> You can also check the master's /var/log/pki-ca/debug log to see if any >>> communication was received from the replica. >>> >> >> There was an additional DNS A record added to the existing IPA server >> hostname! 
This additional DNS A record pointed at the IP address of the >> replica IPA server I'm attempting to configure! I removed this A record >> and the replica installed successfully. >> >> When I initially ran the ipa-replica-prepare command, I added the >> "--ip-address" option to get the DNS records for this host created. (I >> have a seperate dns domain for the IPA environment.) In this process >> ipa-replica-prepare created an additional reverse zone on the server. >> (The new ipa replica resides on a subnet which sits at a AD DNS server, >> but it's still resolvable from the IPA dns servers). >> >> After the replica finished I tried to run the ipa-replica-prepare >> command again with a new hostname, and adding an IP address using >> --ip-address on a subnet not known to the IPA DNS. The same error was >> re-produced, the DNS A record was added to the master IPA server. >> >> I would also like to note that I cannot see the second DNS entry using >> the web gui, only using "ipa dnsrecord-find". Bug opened in bugzilla for >> ipa-replica-prepare: >> >> https://bugzilla.redhat.com/show_bug.cgi?id=712920 > > Adding the record has already been fixed upstream, > https://bugzilla.redhat.com/show_bug.cgi?id=704012 Excellent, Thanks. I assume this is coming to freeipa in F15 as well at some point? From brian.p.stamper at nasa.gov Mon Jun 13 18:16:21 2011 From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC]) Date: Mon, 13 Jun 2011 13:16:21 -0500 Subject: [Freeipa-users] Disable ldap dns lookup in freeipa? Message-ID: I've been continuing to troubleshoot this slowness in freeipa, specifically ipa-finduser which I'm told should take at most 2-3 seconds is taking 20+. People suspected "a dns issue". I don't really use DNS, particularly in my test environment. However, to check this issue, I relented and added my server to dns. The situation has not changed. 
An strace of ipa-finduser admin shows the following: open("/usr/lib64/python2.7/site-packages/ldap/filter.py", O_RDONLY) = 5 fstat(5, {st_mode=S_IFREG|0644, st_size=1441, ...}) = 0 open("/usr/lib64/python2.7/site-packages/ldap/filter.pyc", O_RDONLY) = 6 fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000 read(6, "\3\363\r\n/\350\352Jc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s/\0\0\0d\0"..., 4096) = 1863 fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0 read(6, "", 4096) = 0 close(6) = 0 munmap(0x7f115dba3000, 4096) = 0 close(5) = 0 close(4) = 0 close(3) = 0 stat("/usr/share/locale/en_US.UTF8/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en.UTF8/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory) stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = -1 ENOENT (No such file or directory) brk(0) = 0x2755000 brk(0x2776000) = 0x2776000 open("/etc/ipa/ipa.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000 read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78 read(3, "", 4096) = 0 close(3) = 0 munmap(0x7f115dba3000, 4096) = 0 open("/etc/resolv.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000 read(3, "domain arc.nasa.gov\nnameserver 1"..., 4096) = 71 read(3, "", 4096) = 0 close(3) = 0 munmap(0x7f115dba3000, 4096) = 0 socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("143.232.252.34")}, 16) = 0 poll([{fd=3, 
events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41 poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41 poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41 poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41 poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) close(3) = 0 open("/etc/ipa/ipa.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f115dba3000 read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78 read(3, "", 4096) = 0 close(3) = 0 Doing a tcpdump of the DNS server shows the following: 11:01:18.217811 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41) 11:01:18.235829 IP freeipa.arc.nasa.gov.35688 > ns1.arc.nasa.gov.domain: 981+ PTR? 34.252.232.143.in-addr.arpa. (45) 11:01:18.236535 IP ns1.arc.nasa.gov.domain > freeipa.arc.nasa.gov.35688: 981* 1/3/3 PTR ns1.arc.nasa.gov. (173) 11:01:28.228160 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41) 11:01:38.237880 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41) 11:01:48.248343 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: 0+ SRV? _ldap._tcp.arc.nasa.gov. (41) This is a pretty serious problem. 
I don't own the name servers for this domain. I don't manage the entirety of the namespace. I don't want SRV entries for my host. Is there a way to disable the _srv lookup? I found the following thread: http://osdir.com/ml/freeipa-users/2011-04/msg00020.html Which discusses it a little bit. Specifying a static list of IPA servers is exactly what I want to do. I'm using 1.2, so I'm not using sssd. -Brian From simo at redhat.com Mon Jun 13 18:31:22 2011 From: simo at redhat.com (Simo Sorce) Date: Mon, 13 Jun 2011 14:31:22 -0400 Subject: [Freeipa-users] Disable ldap dns lookup in freeipa? In-Reply-To: References: Message-ID: <1307989882.12323.60.camel@willson.li.ssimo.org> On Mon, 2011-06-13 at 13:16 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote: > This is a pretty serious problem. I don't own the name servers for > this domain. I don't manage the entirety of the namespace. I don't > want SRV entries for my host. Is there a way to disable the _srv > lookup? I found the following thread: > > http://osdir.com/ml/freeipa-users/2011-04/msg00020.html > > Which discusses it a little bit. Specifying a static list of IPA > servers is exactly what I want to do. I'm using 1.2, so I'm not using > sssd. I suggest you configure your freeipa installation to use a subdomain like: ipa.arc.nasa.gov or similar and install the embedded freeipa DNS server for your tests so that you "own" that zone. It will be visible only to your server, so you don't have to worry about "polluting" the organization DNS namespace, unless you actually ask for being delegated such zone :) Use your regular DNS servers as forwarders, and configure the /etc/resolv.conf file to point to 127.0.0.1 It will make your life much easier. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From sigbjorn at nixtra.com Mon Jun 13 19:00:29 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 13 Jun 2011 21:00:29 +0200 Subject: [Freeipa-users] Thunderbird Address Book Message-ID: <4DF65E4D.3030802@nixtra.com> Hi, Has anyone had success using IPA's LDAP as address book for Thunderbird? I've tried configuring IPA's LDAP as Abook for Thunderbird. As far as I can see all the required attributes are there and mapped correctly out of the box with Thunderbird 3.1, but I cannot get any names looked up. Rgds, Siggi From rcritten at redhat.com Mon Jun 13 19:51:39 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Jun 2011 15:51:39 -0400 Subject: [Freeipa-users] Disable ldap dns lookup in freeipa? In-Reply-To: References: Message-ID: <4DF66A4B.6080003@redhat.com> Stamper, Brian P. (ARC-D)[Logyx LLC] wrote: > I've been continuing to troubleshoot this slowness in freeipa, > specifically ipa-finduser which I'm told should take at most 2-3 seconds > is taking 20+. People suspected "a dns issue". I don't really use DNS, > particularly in my test environment. However, to check this issue, I > relented and added my server to dns. The situation has not changed. 
An > strace of ipa-finduser admin shows the following: > > open("/usr/lib64/python2.7/site-packages/ldap/filter.py", O_RDONLY) = 5 > fstat(5, {st_mode=S_IFREG|0644, st_size=1441, ...}) = 0 > open("/usr/lib64/python2.7/site-packages/ldap/filter.pyc", O_RDONLY) = 6 > fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0x7f115dba3000 > read(6, > "\3\363\r\n/\350\352Jc\0\0\0\0\0\0\0\0\2\0\0\0@\0\0\0s/\0\0\0d\0"..., > 4096) = 1863 > fstat(6, {st_mode=S_IFREG|0644, st_size=1863, ...}) = 0 > read(6, "", 4096) = 0 > close(6) = 0 > munmap(0x7f115dba3000, 4096) = 0 > close(5) = 0 > close(4) = 0 > close(3) = 0 > stat("/usr/share/locale/en_US.UTF8/LC_MESSAGES/messages.mo", > 0x7fff13cb0b10) = -1 ENOENT (No such file or directory) > stat("/usr/share/locale/en_US/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) > = -1 ENOENT (No such file or directory) > stat("/usr/share/locale/en.UTF8/LC_MESSAGES/messages.mo", > 0x7fff13cb0b10) = -1 ENOENT (No such file or directory) > stat("/usr/share/locale/en/LC_MESSAGES/messages.mo", 0x7fff13cb0b10) = > -1 ENOENT (No such file or directory) > brk(0) = 0x2755000 > brk(0x2776000) = 0x2776000 > open("/etc/ipa/ipa.conf", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0 > fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0x7f115dba3000 > read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0x7f115dba3000, 4096) = 0 > open("/etc/resolv.conf", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0x7f115dba3000 > read(3, "domain arc.nasa.gov\nnameserver 1"..., 4096) = 71 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0x7f115dba3000, 4096) = 0 > > > > socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3 > connect(3, 
{sa_family=AF_INET, sin_port=htons(53), > sin_addr=inet_addr("143.232.252.34")}, 16) = 0 > poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) > sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, > MSG_NOSIGNAL, NULL, 0) = 41 > poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) > poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) > sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, > MSG_NOSIGNAL, NULL, 0) = 41 > poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) > poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) > sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, > MSG_NOSIGNAL, NULL, 0) = 41 > poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) > poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}]) > sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, > MSG_NOSIGNAL, NULL, 0) = 41 > poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout) > close(3) = 0 > open("/etc/ipa/ipa.conf", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0 > fstat(3, {st_mode=S_IFREG|0644, st_size=78, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) > = 0x7f115dba3000 > read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78 > read(3, "", 4096) = 0 > close(3) = 0 > > Doing a tcpdump of the DNS server shows the following: > > 11:01:18.217811 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: > 0+ SRV? _ldap._tcp.arc.nasa.gov. (41) > 11:01:18.235829 IP freeipa.arc.nasa.gov.35688 > ns1.arc.nasa.gov.domain: > 981+ PTR? 34.252.232.143.in-addr.arpa. (45) > 11:01:18.236535 IP ns1.arc.nasa.gov.domain > freeipa.arc.nasa.gov.35688: > 981* 1/3/3 PTR ns1.arc.nasa.gov. (173) > 11:01:28.228160 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: > 0+ SRV? _ldap._tcp.arc.nasa.gov. (41) > 11:01:38.237880 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: > 0+ SRV? _ldap._tcp.arc.nasa.gov. 
(41) > 11:01:48.248343 IP freeipa.arc.nasa.gov.55272 > ns1.arc.nasa.gov.domain: > 0+ SRV? _ldap._tcp.arc.nasa.gov. (41) > > This is a pretty serious problem. I don't own the name servers for this > domain. I don't manage the entirety of the namespace. I don't want SRV > entries for my host. Is there a way to disable the _srv lookup? I found > the following thread: > > http://osdir.com/ml/freeipa-users/2011-04/msg00020.html > > Which discusses it a little bit. Specifying a static list of IPA servers > is exactly what I want to do. I'm using 1.2, so I'm not using sssd. > > -Brian I believe you need to specify --server on the command-line to avoid the SRV lookup: $ ipa-finduser --server=ipa.arc.nasa.gov admin rob From brian.p.stamper at nasa.gov Mon Jun 13 19:54:16 2011 From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC]) Date: Mon, 13 Jun 2011 14:54:16 -0500 Subject: [Freeipa-users] Disable ldap dns lookup in freeipa? In-Reply-To: <4DF66A4B.6080003@redhat.com> Message-ID: Ok, that's perfect for testing. But when I'm actually using ipa, does it do this SRV lookup? With -server specified, ipa-finduser takes between .5 and .85 seconds, which is great. Thanks, -Brian On 6/13/11 12:51 PM, "Rob Crittenden" wrote: I believe you need to specify --server on the command-line to avoid the SRV lookup: $ ipa-finduser --server=ipa.arc.nasa.gov admin rob 
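The four unanswered SRV queries in Brian's strace are the whole delay. To make that visible, here is an added example, my own code and not from the thread or from FreeIPA, that parses strace output for DNS traffic, decodes the question name from each `sendto()` payload (handling strace's 32-byte string truncation) and sums the `poll()` timeouts spent on the DNS socket. The trace it runs on is a constructed sample modelled on the one above.

```python
import re

# Constructed sample modelled on the strace in the thread (not a verbatim copy).
# strace prints at most 32 bytes of a string argument, hence the "..." after the
# DNS query payload; 143.232.252.34 is the nameserver that trace talked to.
_HEAD = r'''open("/etc/resolv.conf", O_RDONLY) = 3
read(3, "domain arc.nasa.gov\nnameserver 1"..., 4096) = 71
close(3) = 0
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("143.232.252.34")}, 16) = 0
'''
_ATTEMPT = r'''poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
sendto(3, "\0\0\1\0\0\1\0\0\0\0\0\0\5_ldap\4_tcp\3arc\4nasa"..., 41, MSG_NOSIGNAL, NULL, 0) = 41
poll([{fd=3, events=POLLIN}], 1, 5000) = 0 (Timeout)
'''
_TAIL = r'''close(3) = 0
open("/etc/ipa/ipa.conf", O_RDONLY) = 3
read(3, "[defaults]\nserver=freeipa.arc.na"..., 4096) = 78
close(3) = 0
'''
SAMPLE_STRACE = _HEAD + _ATTEMPT * 4 + _TAIL   # the resolver retries four times

CONNECT_RE = re.compile(r'^connect\((\d+), \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("([\d.]+)"\)\}')
SENDTO_RE = re.compile(r'^sendto\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+),')
POLL_TIMEOUT_RE = re.compile(r'^poll\(\[\{fd=(\d+), events=POLLIN\}\], 1, (\d+)\) = 0 \(Timeout\)')
CLOSE_RE = re.compile(r'^close\((\d+)\)')

_SIMPLE_ESCAPES = {'n': 10, 'r': 13, 't': 9, '\\': 92, '"': 34}


def unescape_strace(text: str) -> bytes:
    """Turn an strace-quoted string (C escapes, octal bytes) back into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != '\\':
            out.append(ord(text[i]))
            i += 1
            continue
        i += 1
        if text[i] in '01234567':           # \0, \5, \363: up to three octal digits
            j = i
            while j < len(text) and j - i < 3 and text[j] in '01234567':
                j += 1
            out.append(int(text[i:j], 8) & 0xFF)
            i = j
        else:
            out.append(_SIMPLE_ESCAPES.get(text[i], ord(text[i])))
            i += 1
    return bytes(out)


def decode_qname(payload: bytes):
    """Decode the QNAME after the 12-byte DNS header. Returns (name, complete);
    complete is False when strace cut the payload before the root label."""
    if len(payload) < 12:
        return '', False
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return '.'.join(labels), True
        if n & 0xC0 or pos + 1 + n > len(payload):   # pointer or cut-off label
            break
        labels.append(payload[pos + 1:pos + 1 + n].decode('ascii', 'replace'))
        pos += 1 + n
    return '.'.join(labels), False


def analyse_srv_discovery(trace: str) -> dict:
    """Account for time spent waiting on DNS queries in an strace log. Only
    sockets connect()ed to port 53 count; fds are forgotten on close()
    because the kernel hands the same number out again (fd 3 here)."""
    dns_fds, queries, waited_ms = {}, [], 0
    for line in trace.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            if int(m.group(2)) == 53:
                dns_fds[int(m.group(1))] = m.group(3)
            continue
        m = SENDTO_RE.match(line)
        if m and int(m.group(1)) in dns_fds:
            name, complete = decode_qname(unescape_strace(m.group(2)))
            queries.append({'nameserver': dns_fds[int(m.group(1))],
                            'qname': name, 'complete': complete})
            continue
        m = POLL_TIMEOUT_RE.match(line)
        if m and int(m.group(1)) in dns_fds:
            waited_ms += int(m.group(2))
            continue
        m = CLOSE_RE.match(line)
        if m:
            dns_fds.pop(int(m.group(1)), None)
    return {
        'dns_queries': len(queries),
        'nameservers': sorted({q['nameserver'] for q in queries}),
        'qnames': sorted({q['qname'] for q in queries}),
        'qname_truncated': any(not q['complete'] for q in queries),
        'srv_discovery': any(q['qname'].startswith('_ldap._tcp.') for q in queries),
        'waited_ms': waited_ms,
    }


if __name__ == '__main__':
    for key, value in analyse_srv_discovery(SAMPLE_STRACE).items():
        print(f'{key}: {value}')
```

Four 5000 ms timeouts account for the 20 seconds Brian measured; with --server the SRV lookup is skipped and the command returns in well under a second.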
From rcritten at redhat.com Mon Jun 13 19:54:49 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Jun 2011 15:54:49 -0400 Subject: [Freeipa-users] Configuring IPA replicas In-Reply-To: <4DF6485A.3010805@nixtra.com> References: <4DF60F4E.8090409@nixtra.com> <1307974330.12323.30.camel@willson.li.ssimo.org> <4DF61BFC.3040700@nixtra.com> <1307976074.9254.6.camel@localhost.localdomain> <4DF62CCA.4060503@nixtra.com> <4DF647C1.60207@redhat.com> <4DF6485A.3010805@nixtra.com> Message-ID: <4DF66B09.9080800@redhat.com> Sigbjorn Lie wrote: > On 06/13/2011 07:24 PM, Rob Crittenden wrote: >> Sigbjorn Lie wrote: >>> On 06/13/2011 04:41 PM, Ade Lee wrote: >>>> Hi, >>>> >>>> The replica installation is failing when the replica attempts to >>>> contact >>>> the CA on the master to log into the security domain. According to your >>>> log, this is https://ipa01.ix.test.com:9445 >>>> >>>> Can the master be resolved and reached from the replica? Can port 9445 >>>> be reached (as well as ports 9444 and 9443?) >>>> >>>> You can also check the master's /var/log/pki-ca/debug log to see if any >>>> communication was received from the replica. >>>> >>> >>> There was an additional DNS A record added to the existing IPA server >>> hostname! This additional DNS A record pointed at the IP address of the >>> replica IPA server I'm attempting to configure! I removed this A record >>> and the replica installed successfully. >>> >>> When I initially ran the ipa-replica-prepare command, I added the >>> "--ip-address" option to get the DNS records for this host created. (I >>> have a separate dns domain for the IPA environment.) In this process >>> ipa-replica-prepare created an additional reverse zone on the server. >>> (The new ipa replica resides on a subnet which sits at an AD DNS server, >>> but it's still resolvable from the IPA dns servers). 
>>> >>> After the replica finished I tried to run the ipa-replica-prepare >>> command again with a new hostname, and adding an IP address using >>> --ip-address on a subnet not known to the IPA DNS. The same error was >>> reproduced, the DNS A record was added to the master IPA server. >>> >>> I would also like to note that I cannot see the second DNS entry using >>> the web gui, only using "ipa dnsrecord-find". Bug opened in bugzilla for >>> ipa-replica-prepare: >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=712920 >> >> Adding the record has already been fixed upstream, >> https://bugzilla.redhat.com/show_bug.cgi?id=704012 > > Excellent, Thanks. I assume this is coming to freeipa in F15 as well at > some point? I'm hoping to do another 2.0 bug fix release in the next couple of weeks. rob From sgallagh at redhat.com Mon Jun 13 20:00:29 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 13 Jun 2011 16:00:29 -0400 Subject: [Freeipa-users] Disable ldap dns lookup in freeipa? In-Reply-To: References: Message-ID: <1307995230.1923.16.camel@sgallagh520.bos.redhat.com> On Mon, 2011-06-13 at 14:54 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote: > > Ok, that's perfect for testing. But when I'm actually using ipa, does > it do this SRV lookup? With -server specified, ipa-finduser takes > between .5 and .85 seconds, which is great. The reason for this is so that ipa can auto-detect which server is available or least-loaded. With the DNS-based SRV records, it can easily load-balance between replicas. If you're not using replicas and DNS, you should use the --server option. From brian.p.stamper at nasa.gov Mon Jun 13 20:08:34 2011 From: brian.p.stamper at nasa.gov (Stamper, Brian P. 
(ARC-D)[Logyx LLC]) Date: Mon, 13 Jun 2011 15:08:34 -0500 Subject: [Freeipa-users] Disable ldap dns lookup in freeipa? In-Reply-To: <1307995230.1923.16.camel@sgallagh520.bos.redhat.com> Message-ID: I understand that, what I'm asking is "Is --server required to be configured somewhere for 'normal' ipa use?" I can use -server on the command line. It also seems I can choose to disable SRV lookups when doing ipa-client-install after the SRV lookup fails. Is there anywhere else that I need to configure it? I guess I assumed that if ipa-finduser does a SRV lookup that just using ipa for authentication would also do a SRV lookup. Is that not the case? -brian On 6/13/11 1:00 PM, "Stephen Gallagher" wrote: On Mon, 2011-06-13 at 14:54 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote: > > Ok, that's perfect for testing. But when I'm actually using ipa, does > it do this SRV lookup? With -server specified, ipa-finduser takes > between .5 and .85 seconds, which is great. The reason for this is so that ipa can auto-detect which server is available or least-loaded. With the DNS-based SRV records, it can easily load-balance between replicas. If you're not using replicas and DNS, you should use the --server option. From simo at redhat.com Mon Jun 13 20:15:33 2011 From: simo at redhat.com (Simo Sorce) Date: Mon, 13 Jun 2011 16:15:33 -0400 Subject: [Freeipa-users] Disable ldap dns lookup in freeipa? In-Reply-To: References: Message-ID: <1307996133.12323.62.camel@willson.li.ssimo.org> On Mon, 2011-06-13 at 15:08 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote: > > I understand that, what I'm asking is "Is --server required to be > configured somewhere for 'normal' ipa use?" I can use -server on the > command line. It also seems I can choose to disable SRV lookups when > doing ipa-client-install after the SRV lookup fails. Is there > anywhere else that I need to configure it? 
> I guess I assumed that if ipa-finduser does a SRV lookup that just using ipa for authentication would also do a SRV lookup. Is that not the case?

You can turn dns related options off in /etc/krb5.conf; you can also configure sssd with a specific kdc ip address in sssd.conf if you are using sssd.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Jun 13 21:43:25 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2011 17:43:25 -0400
Subject: [Freeipa-users] Disable ldap dns lookup in freeipa?
Message-ID: <4DF6847D.1030003@redhat.com>

Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> I understand that, what I'm asking is "Is --server required to be configured somewhere for 'normal' ipa use?" I can use --server on the command line. It also seems I can choose to disable SRV lookups when doing ipa-client-install after the SRV lookup fails. Is there anywhere else that I need to configure it? I guess I assumed that if ipa-finduser does a SRV lookup that just using ipa for authentication would also do a SRV lookup. Is that not the case?

The client configuration is separate from the administrative tools. With the admin tools yes you need to specify --server to avoid the SRV lookup. I don't see a way in the code around that (other than to not have SRV records).

If you pass --server and --force to ipa-client-install it will force it to not use DNS discovery.

In the long run you are probably better off looking at 2.0 if you are looking to deploy.

rob

From brian.p.stamper at nasa.gov Mon Jun 13 22:00:15 2011
From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC])
Date: Mon, 13 Jun 2011 17:00:15 -0500
Subject: [Freeipa-users] Disable ldap dns lookup in freeipa?
In-Reply-To: <4DF6847D.1030003@redhat.com>

Yeah, about an hour ago I wiped out my 1.x installs, upgraded my machines to Fedora 15, and installed 2.0.
The UI came up out of the box (gnome issues on Fedora 15 aside). I just got my first client added with --force. Onward and upward.

Thanks,
-brian

From brian.p.stamper at nasa.gov Mon Jun 13 22:18:42 2011
From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC])
Date: Mon, 13 Jun 2011 17:18:42 -0500
Subject: [Freeipa-users] Change UID range

After installing, I've noticed that my UIDs for freeipa start at 1.3 billion. Now, this isn't technically a problem, but it is ... Odd. Is there a way to change this value after install, or am I stuck uninstalling and reinstalling with the --idstart value set to get this to a more reasonable number?

-Brian
From Steven.Jones at vuw.ac.nz Mon Jun 13 22:22:31 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 13 Jun 2011 22:22:31 +0000
Subject: [Freeipa-users] Change UID range
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0ED690@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

The docs say they do this to try and avoid clashes with other organisations in case of a merger.

Another reason I can see is possibly Shibboleth (Federation) which I/we have to do. So is changing it that much of an issue?

regards

From brian.p.stamper at nasa.gov Mon Jun 13 22:34:20 2011
From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC])
Date: Mon, 13 Jun 2011 17:34:20 -0500
Subject: [Freeipa-users] Change UID range
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0ED690@STAWINCOX10MBX1.staff.vuw.ac.nz>

It's enough of an issue that I'd spend the 1-2 hours to reinstall my server and 1 client. I just find it really odd that the default would be so high. I'm all for avoiding conflicts, but I can't think of too many systems that would have a billion users. The help on the server installer says the idstart is random. I'd rather skip 1000 UIDs than 1.3 billion, I just find the numbers unwieldy. Browsing the web, it looks like the default is random between 1m and 2^31.
I'd just prefer it be in the 4-6 digit range, as I do still use UIDs numerically on occasion.

I have no issue with the default being what it is, most people may not care what their UID range actually is. I just want to know if it can be changed manually or if I have to reinstall. I'm still in an evaluation phase with a testing system anyway, so I'll just add it to my notes when I deploy to something I might use in production.

-brian

From rcritten at redhat.com Mon Jun 13 22:56:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2011 18:56:33 -0400
Subject: [Freeipa-users] Change UID range
Message-ID: <4DF695A1.1050602@redhat.com>

Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> It's enough of an issue that I'd spend the 1-2 hours to reinstall my server and 1 client.
> I just find it really odd that the default would be so high. I'm all for avoiding conflicts, but I can't think of too many systems that would have a billion users. The help on the server installer says the idstart is random. I'd rather skip 1000 UIDs than 1.3 billion, I just find the numbers unwieldy. Browsing the web, it looks like the default is random between 1m and 2^31. I'd just prefer it be in the 4-6 digit range, as I do still use UIDs numerically on occasion.
>
> I have no issue with the default being what it is, most people may not care what their UID range actually is. I just want to know if it can be changed manually or if I have to reinstall. I'm still in an evaluation phase with a testing system anyway, so I'll just add it to my notes when I deploy to something I might use in production.

Modify the dnanextvalue and dnamaxvalue options in the entry:

cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

rob
From dpal at redhat.com Mon Jun 13 23:00:30 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 13 Jun 2011 19:00:30 -0400
Subject: [Freeipa-users] Change UID range
Message-ID: <4DF6968E.8080203@redhat.com>

On 06/13/2011 06:34 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
> It's enough of an issue that I'd spend the 1-2 hours to reinstall my server and 1 client. I just find it really odd that the default would be so high. I'm all for avoiding conflicts, but I can't think of too many systems that would have a billion users. The help on the server installer says the idstart is random. I'd rather skip 1000 UIDs than 1.3 billion, I just find the numbers unwieldy. Browsing the web, it looks like the default is random between 1m and 2^31. I'd just prefer it be in the 4-6 digit range, as I do still use UIDs numerically on occasion.
>
> I have no issue with the default being what it is, most people may not care what their UID range actually is. I just want to know if it can be changed manually or if I have to reinstall. I'm still in an evaluation phase with a testing system anyway, so I'll just add it to my notes when I deploy to something I might use in production.

As far as I remember it is not possible to change after install as any first user is created using this setting. We are heading into the era of multiple namespaces even inside one organization with all the virtualization and cloud.
Though these numbers look odd it might actually be a good idea to use higher ranges to avoid conflicts between different environments down the road as there will be many different domains both IPA based as well as AD based in general case. It will be very hard to change the ranges later so leave yourself a bit of breathing room and think about your identity landscape 5-7 years from now. Wrong or limiting decisions now might lead to a lot of pain and costs down the road.

Thanks
Dmitri

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
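An added example for the range change discussed in this thread (editor's code, not from any of the posters and not FreeIPA's own code). It builds the LDIF that changes dnaNextValue and dnaMaxValue on the DNA entry Rob names, and before that compares the requested range with the uidNumbers already handed out, which is the caveat raised further down about the entries created before the change. The entry DN and the two attribute names come from the thread; the sample uidNumbers, the target range and the file and base DN names in the comments are constructed.

```python
"""Prepare a change of the FreeIPA DNA (Distributed Numeric Assignment) ID range.

Added example, not code from the thread and not FreeIPA's own code. The
entry DN and the dnaNextValue/dnaMaxValue attributes are the ones named in
the thread; everything else (sample uidNumbers, target range, the
hypothetical file and base DN names in comments) is constructed.
"""

# DN of the DNA configuration entry that hands out POSIX IDs (from the thread).
DNA_POSIX_DN = (
    "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
)


def dna_range_ldif(next_value, max_value, dn=DNA_POSIX_DN):
    """Return an LDIF modify record that sets dnaNextValue and dnaMaxValue.

    The record is built as text so it can be reviewed before it is applied,
    e.g. with:  ldapmodify -x -D "cn=Directory Manager" -W -f dna-range.ldif
    (dna-range.ldif is a hypothetical file name).
    """
    if next_value < 1 or max_value < next_value:
        raise ValueError("need 1 <= next_value <= max_value")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: dnaNextValue\n"
        f"dnaNextValue: {next_value}\n"
        "-\n"
        "replace: dnaMaxValue\n"
        f"dnaMaxValue: {max_value}\n"
    )


def audit_range(assigned_ids, next_value, max_value):
    """Compare already-assigned IDs with the range DNA will allocate from.

    'outside' lists IDs (admin, the first users) that will sit outside the
    new range once it is changed: the concern raised in the thread about
    entries created before the change. 'inside' lists IDs that already
    occupy the new range, so next_value has to be moved past them to keep
    future allocations unique.
    """
    outside = sorted(i for i in assigned_ids if not next_value <= i <= max_value)
    inside = sorted(i for i in assigned_ids if next_value <= i <= max_value)
    return {"outside": outside, "inside": inside}


def safe_next_value(assigned_ids, next_value, max_value):
    """Smallest start >= next_value that lies above every ID already in range."""
    used = [i for i in assigned_ids if next_value <= i <= max_value]
    if not used:
        return next_value
    if max(used) >= max_value:
        raise ValueError("range is already exhausted by existing IDs")
    return max(used) + 1


if __name__ == "__main__":
    # Constructed sample: IDs the installer handed out from a random
    # 1.3-billion range, plus one that happens to sit in the target range.
    # Real values would come from an ldapsearch for uidNumber under the
    # accounts subtree (the base DN is deployment-specific).
    existing = [1300000500, 1300000501, 1300000502, 50000]
    start, end = 10000, 99999  # the "4-6 digit" range asked for in the thread

    report = audit_range(existing, start, end)
    print("IDs left outside the new range:", report["outside"])
    print("IDs already inside the new range:", report["inside"])
    start = safe_next_value(existing, start, end)
    print(dna_range_ldif(start, end))
```

The IDs reported as outside the new range keep working as POSIX IDs; the script only makes visible which entries will no longer fall inside the range DNA manages, so that decision is taken knowingly rather than discovered later. Setting the range at install time with --idstart, as mentioned in the thread, avoids the question entirely.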
From dpal at redhat.com Mon Jun 13 23:02:13 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 13 Jun 2011 19:02:13 -0400
Subject: [Freeipa-users] Change UID range
In-Reply-To: <4DF695A1.1050602@redhat.com>
Message-ID: <4DF696F5.90501@redhat.com>

On 06/13/2011 06:56 PM, Rob Crittenden wrote:
> Modify the dnanextvalue and dnamaxvalue options in the entry:
>
> cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

Ha! Seems I am wrong...
Rob but what about the ID of the first entries created? They will be out of scope potentially and it might have issues down the road.

> rob
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From brian.p.stamper at nasa.gov Mon Jun 13 23:10:37 2011
From: brian.p.stamper at nasa.gov (Stamper, Brian P. (ARC-D)[Logyx LLC])
Date: Mon, 13 Jun 2011 18:10:37 -0500
Subject: [Freeipa-users] Change UID range
In-Reply-To: <4DF696F5.90501@redhat.com>

Not until I add 1.299 billion users :)

-brian

On 6/13/11 4:02 PM, "Dmitri Pal" wrote:
> Ha! Seems I am wrong...
> Rob but what about the ID of the first entries created?
> They will be out of scope potentially and it might have issues down the road.

From Steven.Jones at vuw.ac.nz Mon Jun 13 23:43:47 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 13 Jun 2011 23:43:47 +0000
Subject: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0ED6EC@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have put 3 clients into a netgroup and added a user, however when I remove the user from the netgroup the user can still login! Even if the user wasn't ever in the netgroup they can login....

So how do I stop that?

When will we see some documentation on doing user admin tasks like this?

regards

From JR.Aquino at citrix.com Mon Jun 13 23:53:01 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Mon, 13 Jun 2011 23:53:01 +0000
Subject: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0ED6EC@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <7B197B59-F402-412B-BFB7-EBC73CFDB167@citrixonline.com>

On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:
> I have put 3 clients into a netgroup and added a user, however when I remove the user from the netgroup the user can still login! Even if the user wasn't ever in the netgroup they can login....
>
> So how do I stop that?
>
> When will we see some documentation on doing user admin tasks like this?
Have a look at this:

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies

From Steven.Jones at vuw.ac.nz Tue Jun 14 00:32:45 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Jun 2011 00:32:45 +0000
Subject: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
In-Reply-To: <7B197B59-F402-412B-BFB7-EBC73CFDB167@citrixonline.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0ED70B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I've seen/read it.....and I have a hard copy on my desk in front of me right now....

I find it typical of such documents, it has lots of sections in great detail but it doesn't tell you how to achieve anything end to end....and often it gives you written instructions on visual tasks so if you are not in the right bit of the gui you go nowhere.....So it needs far more screenshots and wizards....

regards
From JR.Aquino at citrix.com Tue Jun 14 01:10:41 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 14 Jun 2011 01:10:41 +0000
Subject: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0ED70B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <6A437F18-BAEC-42B5-9110-A20D0617EB68@citrixonline.com>

1) Create an HBAC Rule or rules: choose allow or deny
2) add users/usergroups to the rule
3) add hosts/hostgroups to the rule
4) disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules.

For systems that do not support sssd, I have been working on a proof of concept authorization module for HBAC written in python.

-JR
From Steven.Jones at vuw.ac.nz Tue Jun 14 01:34:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Jun 2011 01:34:41 +0000
Subject: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
In-Reply-To: <6A437F18-BAEC-42B5-9110-A20D0617EB68@citrixonline.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0ED72C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hmm,

So what's the default rule? Can I set precedence? Is there any?

Example.

So I've disabled the allow_all rule, I made a deny_all rule and then a rule to allow specific user groups to login to specific hostgroups servers....that didn't work...

So I disabled the deny_all rule and users in the specific group can login to the specific server, and if I remove them from the user group they cannot login, so OK good BUT the trouble is a second user that is in no groups at all can also login to the servers, which shouldn't occur...or at least I don't want that to occur...so something is set incorrectly.
Is there a way to "suck out" the HBAC rules or whatever info for the user at the command line? I certainly can't find why that second user can login, it should not be able to, but it can.

regards
From rcritten at redhat.com Tue Jun 14 03:27:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2011 23:27:34 -0400
Subject: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0ED72C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DF6D526.6000103@redhat.com>

Steven Jones wrote:
> Hmm,
>
> So what's the default rule? Can I set precedence? Is there any?

The default rule is deny.

> Example.
>
> So I've disabled the allow_all rule, I made a deny_all rule and then a rule to allow specific user groups to login to specific hostgroups servers....that didn't work...
>
> So I disabled the deny_all rule and users in the specific group can login to the specific server, and if I remove them from the user group they cannot login, so OK good BUT the trouble is a second user that is in no groups at all can also login to the servers, which shouldn't occur...or at least I don't want that to occur...so something is set incorrectly.
>
> Is there a way to "suck out" the HBAC rules or whatever info for the user at the command line? I certainly can't find why that second user can login, it should not be able to, but it can.
> regards

It is currently very easy to create bad HBAC rules. The only real way to test them is to crank up the debug level in sssd and watch the logs.

We and the sssd team are in the process of writing a utility where you can simulate a rule execution and get feedback on how the rule will work (or if pieces are missing).

rob

From simo at redhat.com Tue Jun 14 03:31:34 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 13 Jun 2011 23:31:34 -0400
Subject: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
In-Reply-To: <6A437F18-BAEC-42B5-9110-A20D0617EB68@citrixonline.com>
Message-ID: <1308022294.3182.2.camel@willson.li.ssimo.org>

Just to add on the advice, not to detract,

On Tue, 2011-06-14 at 01:10 +0000, JR Aquino wrote:
> 1) Create an HBAC Rule or rules: choose allow or deny

Do yourself a favor and never use deny rules, they are there if you *really* need them, but you do not want to use them if you can avoid them :)

> 2) add users/usergroups to the rule
> 3) add hosts/hostgroups to the rule
> 4) disable the default 'allow all' rule

Remember that by default if a user isn't explicitly allowed the behavior of HBAC is to deny (that's why we have a default allow_all rule)

> Now any system that has SSSD 1.5 will enforce those HBAC rules.

And if it doesn't we really want to know as it is going to be a security issue.

Simo.

> For systems that do not support sssd, I have been working on a proof of concept authorization module for HBAC written in python.
>
> -JR
--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue Jun 14 04:18:00 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Jun 2011 04:18:00 +0000
Subject: [Freeipa-users] extracting info and injecting info
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0ED7C2@STAWINCOX10MBX1.staff.vuw.ac.nz>

At a high level, I just need an idea how this will/could work....
We have a centralised provisioning system that (eventually) we need to talk to IPA. So the sort of things I need to extract are the available user groups and hosts and that then would be displayed in the IdM system. At that point the user admin would create the user and select the groups and hosts the user can interact with...how does the external program query IPA? language? etc? and then inject user info?

regards

From Steven.Jones at vuw.ac.nz Tue Jun 14 04:23:24 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Jun 2011 04:23:24 +0000
Subject: [Freeipa-users] Change UID range
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E401B0ED690@STAWINCOX10MBX1.staff.vuw.ac.nz>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0ED7CE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I was sort of a like mind, but the advantage of the idea of avoiding clashes made enough sense for me to live with it. We will be doing Federation potentially worldwide and if a person from anywhere else has a unique UID and is part of a unique UID range at another Uni site that doesn't clash I'm all for making my life easier.....

regards
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stamper, Brian P. (ARC-D)[Logyx LLC] [brian.p.stamper at nasa.gov]
Sent: Tuesday, 14 June 2011 10:34 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Change UID range

It's enough of an issue that I'd spend the 1-2 hours to reinstall my server and 1 client. I just find it really odd that the default would be so high. I'm all for avoiding conflicts, but I can't think of too many systems that would have a billion users. The help on the server installer says the idstart is random. I'd rather skip 1000 UIDs than 1.3 billion, I just find the numbers unwieldy. Browsing the web, it looks like the default is random between 1m and 2^31.
I'd just prefer it be in the 4-6 digit range, as I do still use UIDs numerically on occasion. I have no issue with the default being what it is, most people may not care what their UID range actually is. I just want to know if it can be changed manually or if I have to reinstall. I'm still in an evaluation phase with a testing system anyway, so I'll just add it to my notes when I deploy to something I might use in production.

-brian

On 6/13/11 3:22 PM, "Steven Jones" wrote:

Hi,

The docs say they do this to try and avoid clashes with other organisations in case of a merger. Another reason I can see is possibly Shibboleth (Federation) which I/we have to do.

So is changing it that much of an issue?

regards
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stamper, Brian P. (ARC-D)[Logyx LLC] [brian.p.stamper at nasa.gov]
Sent: Tuesday, 14 June 2011 10:18 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Change UID range

After installing, I've noticed that my UIDs for freeipa start at 1.3 billion. Now, this isn't technically a problem, but it is ... Odd. Is there a way to change this value after install, or am I stuck uninstalling and reinstalling with the --idstart value set to get this to a more reasonable number?

-Brian

From sgallagh at redhat.com Tue Jun 14 11:30:12 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 14 Jun 2011 07:30:12 -0400
Subject: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0ED72C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0ED6EC@STAWINCOX10MBX1.staff.vuw.ac.nz> , <7B197B59-F402-412B-BFB7-EBC73CFDB167@citrixonline.com> <833D8E48405E064EBC54C84EC6B36E401B0ED70B@STAWINCOX10MBX1.staff.vuw.ac.nz> , <6A437F18-BAEC-42B5-9110-A20D0617EB68@citrixonline.com> <833D8E48405E064EBC54C84EC6B36E401B0ED72C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1308051019.1954.4.camel@sgallagh520.bos.redhat.com>

On Tue, 2011-06-14 at 01:34 +0000, Steven Jones wrote:
> Hmm,
>
> So what's the default rule? can I set precedence? is there any?
>
> Example.
>
> So I've disabled the allow_all rule, I made a deny_all rule and then a
> rule to allow specific user groups to login to specific hostgroups
> servers....that didn't work...

DENY rules always win (meaning they override any ALLOW rule). So if you have a DENY rule that matches everyone, your ALLOW rules will never match.

HBAC rules work this way:
If no rules match, deny.
If one or more ALLOW rules match: grant access unless one or more DENY rules match, in which case: deny.

>
> So I disabled the deny_all rule and users in the specific group can
> login to the specific server, and if I remove them from the user group
> they cannot login, so OK good BUT the trouble is a second user that is
> in no groups at all can also login to the servers, which shouldn't
> occur...or at least I don't want that to occur...so something is set
> incorrectly.
>
> Is there a way to "suck out" the HBAC rules or whatever info for the
> user at the command line? I certainly can't find why that second user
> can login, it should not be able to, but it can.
'ipa hbacrule-find'

This will give you output like:

Rule name: testrule
Rule type: allow
Enabled: TRUE
Groups: ipausers
Hosts: client1.example.com
Source hosts: client2.example.com
Services: sshd

The meaning of the above rule is: Any user in the group 'ipausers' can log into 'client1.example.com' FROM client2.example.com using SSH.

From sgallagh at redhat.com Tue Jun 14 11:42:05 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 14 Jun 2011 07:42:05 -0400
Subject: [Freeipa-users] Change UID range
In-Reply-To:
References:
Message-ID: <1308051726.1954.10.camel@sgallagh520.bos.redhat.com>

On Mon, 2011-06-13 at 18:10 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> Not until I add 1.299 billion users :)

I think you've missed the point a little bit. The reason for the high UIDs is to solve a problem that most people don't realize yet that they have.

A VERY common situation is for a larger company to acquire a smaller one. When this happens, it becomes necessary to merge their two identity environments. Right now, most small companies (and a disconcerting number of large ones) have UIDs that start at 500 or 1000 in their LDAP servers (because the vast majority of these companies start out by using /etc/passwd and then dump these values to LDAP when they grow to a certain point).

Now, in the case of a merger, you have two companies that likely have colliding UID ranges. If you're using IPA, however, which dedicates much higher ranges, there's a significantly greater chance that you will be able to trivially merge the users and groups without forcing one company or the other to change their IDs. (If you've ever had to do this, you'd know that this is usually a multi-month project that invariably misses something.)
The decision to make the range start at 1 billion was made specifically BECAUSE the chances of a company having that many users was statistically unlikely.

From sgallagh at redhat.com Tue Jun 14 11:48:16 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 14 Jun 2011 07:48:16 -0400
Subject: [Freeipa-users] extracting info and injecting info
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0ED7C2@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0ED7C2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1308052097.1954.14.camel@sgallagh520.bos.redhat.com>

On Tue, 2011-06-14 at 04:18 +0000, Steven Jones wrote:
> At a high level, I just need an idea how this will/could work....
>
> We have a centralised provisioning system that (eventually) we need to
> talk to IPA. So the sort of things I need to extract are the
> available user groups and hosts and that then would be displayed in the
> IdM system. At that point the user admin would create the user and
> select the groups and hosts the user can interact with...how does the
> external program query IPA? language? etc? and then inject user info?

An external program can use the XML-RPC interface to perform IPA queries and updates. This is what the 'ipa' command-line tool does behind the scenes.

It's not very readable, but you can take a look at http://git.fedorahosted.org/git/?p=freeipa.git;a=blob_plain;f=API.txt;hb=HEAD to see the API specification.

There's a python API included with FreeIPA as well. See http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=doc/examples/python-api.py;h=60578e805fb5f2b440ba204c5adbac62e8415c2b;hb=HEAD for an example of how to start using this API.
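As an added illustration (not code from this thread, from FreeIPA or from SSSD), the evaluation order Stephen Gallagher gave two messages up (no match means deny; any matching DENY rule beats every matching ALLOW rule) applied to the 'testrule' from his hbacrule-find output and to Steven's allow_all/deny_all experiment. The rule and request shapes are assumptions, and real SSSD also matches service groups, which this leaves out.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALL = "all"  # category value meaning "matches everything" (as in the stock allow_all rule)


@dataclass
class HbacRule:
    """One HBAC rule, shaped like an 'ipa hbacrule-find' entry (assumed shape)."""
    name: str
    rule_type: str                      # "allow" or "deny"
    enabled: bool = True
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    source_hosts: Set[str] = field(default_factory=set)
    source_hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    # Category fields: None means "only the explicit members above", ALL means "anything".
    usercat: Optional[str] = None
    hostcat: Optional[str] = None
    srchostcat: Optional[str] = None
    servicecat: Optional[str] = None


@dataclass
class AccessRequest:
    """What the PAM/SSSD side knows when a login is attempted."""
    user: str
    user_groups: Set[str]
    host: str
    host_groups: Set[str]
    source_host: str
    source_host_groups: Set[str]
    service: str


def _part_matches(cat: Optional[str], names: Set[str], groups: Set[str],
                  name: str, memberships: Set[str]) -> bool:
    return cat == ALL or name in names or bool(groups & memberships)


def rule_matches(rule: HbacRule, req: AccessRequest) -> bool:
    """A rule matches only if it is enabled and every one of its four parts matches."""
    if not rule.enabled:
        return False
    return (_part_matches(rule.usercat, rule.users, rule.groups, req.user, req.user_groups)
            and _part_matches(rule.hostcat, rule.hosts, rule.hostgroups, req.host, req.host_groups)
            and _part_matches(rule.srchostcat, rule.source_hosts, rule.source_hostgroups,
                              req.source_host, req.source_host_groups)
            and (rule.servicecat == ALL or req.service in rule.services))


def evaluate(rules: List[HbacRule], req: AccessRequest) -> Tuple[str, List[str]]:
    """Decision plus the names of the rules that produced it.

    Semantics from the thread: no match -> deny; any matching DENY rule
    wins over every matching ALLOW rule.  The returned names are the
    'why can this user log in?' answer Steven was asking for: a user that
    gets in must be matched by at least one enabled ALLOW rule.
    """
    matched = [r for r in rules if rule_matches(r, req)]
    denies = [r.name for r in matched if r.rule_type == "deny"]
    allows = [r.name for r in matched if r.rule_type == "allow"]
    if denies:
        return "deny", denies
    if allows:
        return "allow", allows
    return "deny", []          # default deny: nothing explicitly allowed this login


def example_rules(allow_all_enabled: bool, deny_all_enabled: bool) -> List[HbacRule]:
    """Constructed rule set: the stock allow_all rule, a home-made deny_all
    rule, and the 'testrule' shown in the hbacrule-find output above."""
    everything = dict(usercat=ALL, hostcat=ALL, srchostcat=ALL, servicecat=ALL)
    return [
        HbacRule("allow_all", "allow", enabled=allow_all_enabled, **everything),
        HbacRule("deny_all", "deny", enabled=deny_all_enabled, **everything),
        HbacRule("testrule", "allow", groups={"ipausers"}, hosts={"client1.example.com"},
                 source_hosts={"client2.example.com"}, services={"sshd"}),
    ]


def ssh_login(rules: List[HbacRule], user: str, user_groups: Set[str],
              source_host: str = "client2.example.com") -> Tuple[str, List[str]]:
    """Helper: `user` sshes into client1.example.com from `source_host`."""
    req = AccessRequest(user, set(user_groups), "client1.example.com", set(),
                        source_host, set(), "sshd")
    return evaluate(rules, req)


if __name__ == "__main__":
    # Steven's first attempt: allow_all off, deny_all on, testrule on -> deny_all wins.
    print(ssh_login(example_rules(False, True), "alice", {"ipausers"}))
    # deny_all disabled: the group member gets in, a user in no group does not.
    print(ssh_login(example_rules(False, False), "alice", {"ipausers"}))
    print(ssh_login(example_rules(False, False), "bob", set()))
```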
From simo at redhat.com Tue Jun 14 13:48:07 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 14 Jun 2011 09:48:07 -0400
Subject: [Freeipa-users] Change UID range
In-Reply-To: <1308051726.1954.10.camel@sgallagh520.bos.redhat.com>
References: <1308051726.1954.10.camel@sgallagh520.bos.redhat.com>
Message-ID: <1308059287.3182.16.camel@willson.li.ssimo.org>

On Tue, 2011-06-14 at 07:42 -0400, Stephen Gallagher wrote:
> The decision to make the range start at 1 billion was made
> specifically
> BECAUSE the chances of a company having that many users was
> statistically unlikely.

Correction: we start at 1 million and we get a 100k range randomly within the 1M-2B range, so almost 10k different possible buckets.
The chance that two installations end up getting the same bucket is very low.
However you can always force the UID to be used at user creation by explicitly specifying the IDs you want.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Tue Jun 14 14:14:46 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 14 Jun 2011 10:14:46 -0400
Subject: [Freeipa-users] Change UID range
In-Reply-To: <1308059287.3182.16.camel@willson.li.ssimo.org>
References: <1308051726.1954.10.camel@sgallagh520.bos.redhat.com> <1308059287.3182.16.camel@willson.li.ssimo.org>
Message-ID: <1308060886.3182.18.camel@willson.li.ssimo.org>

On Tue, 2011-06-14 at 09:48 -0400, Simo Sorce wrote:
> On Tue, 2011-06-14 at 07:42 -0400, Stephen Gallagher wrote:
> > The decision to make the range start at 1 billion was made
> > specifically
> > BECAUSE the chances of a company having that many users was
> > statistically unlikely.
>
> Correction: we start at 1 million and we get a 100k range randomly within
> the 1M-2B range, so almost 10k different possible buckets.
Ah I must correct myself, I changed the values before the 2.0 release so the random range is 200k-2B which makes up the 10k buckets :-)

The code is actually this:

namespace = random.randint(1, 10000) * 200000

> The chance that two installations end up getting the same bucket is very low.
>
> However you can always force the UID to be used at user creation by
> explicitly specifying the IDs you want.
>
> Simo.
>

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue Jun 14 20:31:36 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Jun 2011 20:31:36 +0000
Subject: [Freeipa-users] Change UID range
In-Reply-To: <1308051726.1954.10.camel@sgallagh520.bos.redhat.com>
References: , <1308051726.1954.10.camel@sgallagh520.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0EDBCB@STAWINCOX10MBX1.staff.vuw.ac.nz>

8><--------
Now, in the case of a merger, you have two companies that likely have colliding UID ranges. If you're using IPA, however, which dedicates much higher ranges, there's a significantly greater chance that you will be able to trivially merge the users and groups without forcing one company or the other to change their IDs. (If you've ever had to do this, you'd know that this is usually a multi-month project that invariably misses something.)
8><-----

Yep, I am about to go through this with 100 production linux servers, 350ish T&D, 100s of desktops and at least 2 pre-existing LDAP solutions (openldap and MAC OS ldap) out there that I know of that clash on UIDs plus use of /etc/passwd. Many of these are described as mission critical, typically financial servers....I might take up smoking and large amounts of mental health insurance..... ;]

Honestly live with the IPA range idea, it's a good one.

Multi-Months?
yeah could easily be an understatement...just for the prod servers alone I will have to do an in-depth look at and write out a conversion plan for each one and do it, I think as much as a week each...So I'm thinking not less than 6 months and I reckon as I'm on my own probably 1 to 2 years bearing in mind other work will come along......so some of them could be "organic" ie on a hardware refresh, so 5 years...

My management hasn't a clue yet......but that's because they haven't wanted to listen for 4+ years....

regards

From Steven.Jones at vuw.ac.nz Tue Jun 14 20:33:50 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 14 Jun 2011 20:33:50 +0000
Subject: [Freeipa-users] extracting info and injecting info
In-Reply-To: <1308052097.1954.14.camel@sgallagh520.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0ED7C2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1308052097.1954.14.camel@sgallagh520.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0EE3DE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

That's excellent....it won't be me but our IdM developers...who will want to look, since it's Oracle IdM I suspect Java type stuff but I'm clueless on programming......I can hand this to them when they ask.

thanks

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
Sent: Tuesday, 14 June 2011 11:48 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] extracting info and injecting info

On Tue, 2011-06-14 at 04:18 +0000, Steven Jones wrote:
> At a high level, I just need an idea how this will/could work....
>
> We have a centralised provisioning system that (eventually) we need to
> talk to IPA. So the sort of things I need to extract are the
> available user groups and hosts and that then would be displayed in the
> IdM system.
> At that point the user admin would create the user and
> select the groups and hosts the user can interact with...how does the
> external program query IPA? language? etc? and then inject user info?

An external program can use the XML-RPC interface to perform IPA queries and updates. This is what the 'ipa' command-line tool does behind the scenes.

It's not very readable, but you can take a look at http://git.fedorahosted.org/git/?p=freeipa.git;a=blob_plain;f=API.txt;hb=HEAD to see the API specification.

There's a python API included with FreeIPA as well. See http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=doc/examples/python-api.py;h=60578e805fb5f2b440ba204c5adbac62e8415c2b;hb=HEAD for an example of how to start using this API.

From danieljamesscott at gmail.com Tue Jun 14 21:25:24 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 14 Jun 2011 17:25:24 -0400
Subject: [Freeipa-users] Mac OSX 10.6 client configuration
Message-ID:

Hi,

I'm trying to set up a Mac OSX 10.6 client to connect to our FreeIPA 1.x servers. Unfortunately, I don't have the authentication working yet, neither do I have the group lookup working. So far, all I have working is that I can 'id $USERNAME' on a FreeIPA username and have a record returned (without the groups).

My main question is that I'm confused by the attribute mapping configuration. The manual states that the "Authentication Authority" should be mapped to "#;Kerberosv5;;$uid$;EXAMPLE.COM", which is fine. It also states that I should add mappings for other attributes, but I'm unsure how to modify the string correctly. i.e. Should "PrimaryGroupID" map to "#;Kerberosv5;;$gidNumber$;EXAMPLE.COM"? Or do I have to alter it in some other way. There seems to be no configuration for the group mappings, and I'm unsure how to configure these. I'm happy to experiment/document the procedure further if someone can suggest the correct settings for me to use.
Finally, the current documentation is written for OSx 10.4 and is a little out of date - here are some updates:

1. There is no GUI 'realm configuration tool', you have to manually edit the file:
/Library/Preferences/edu.mit.kerberos

2. In the 'authorization' file, the existing text is:
'builtin:authenticate,privileged'
which must be replaced with
'builtin:krb5authnoverify,privileged'
(But authentication still doesn't work for me - any ideas?)

3. The "Directory Utility" is now in:
/System/Library/CoreServices

4. The "Add DHCP-supplied LDAP servers" option is no longer available.

Thanks,

Dan

From prjctgeek at gmail.com Tue Jun 14 22:53:30 2011
From: prjctgeek at gmail.com (Doug Chapman)
Date: Tue, 14 Jun 2011 15:53:30 -0700
Subject: [Freeipa-users] Mac OSX 10.6 client configuration
In-Reply-To:
References:
Message-ID:

On Tue, Jun 14, 2011 at 2:25 PM, Dan Scott wrote:

I can't speak to your gid mapping issue, but under Accounts -> Login Options -> Network Account Server, you can get access to the Directory Utility to 'bind' to a server. My Mac is tied to an AD domain, so I'm not in a position to play with this.

> 1. There is no GUI 'realm configuration tool', you have to manually
> edit the file:
> /Library/Preferences/edu.mit.kerberos
>

Use /System/Library/CoreServices/Ticket Viewer.app to manage your Kerberos keys, or the command line utilities.

--
Doug Chapman

From danieljamesscott at gmail.com Wed Jun 15 14:47:26 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 15 Jun 2011 10:47:26 -0400
Subject: [Freeipa-users] Mac OSX 10.6 client configuration
In-Reply-To:
References:
Message-ID:

Hi,

On Tue, Jun 14, 2011 at 18:53, Doug Chapman wrote:
> On Tue, Jun 14, 2011 at 2:25 PM, Dan Scott wrote:
> I can't speak to your gid mapping issue, but under Accounts -> Login Options
> -> Network Account Server, you can get access to the Directory Utility to
> 'bind' to a server.
> My Mac is tied to an AD domain, so I'm not in a
> position to play with this.

Yep, I've been through this, but I'm unsure what to put into the mapping fields to make it work correctly.

>> 1. There is no GUI 'realm configuration tool', you have to manually
>> edit the file:
>>
>> /Library/Preferences/edu.mit.kerberos
>>
>
> Use /System/Library/CoreServices/Ticket Viewer.app to manage
> your Kerberos keys, or the command line utilities.

Yes, that's the replacement utility in 10.6 for managing tickets, but you can't use it to edit the realm information - you have to manually edit the configuration file. I think the documentation should be updated to reflect this.

Thanks,

Dan

From loris at lgs.com.ve Thu Jun 16 15:01:03 2011
From: loris at lgs.com.ve (Loris Santamaria)
Date: Thu, 16 Jun 2011 10:31:03 -0430
Subject: [Freeipa-users] DNS zone transfers
Message-ID: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve>

Hi,

I would like to use my freeIPA v2 server as my master name server and have other normal (non ldap based) bind servers as caching / secondary name servers. Ideally the clients would query only the secondary servers and the secondary name servers would perform regular zone transfers from the master server.

So I'm trying to setup zone transfer in my IPA based name server. First of all I see that the attribute "idnsAllowTransfer" referenced in the bind-dyndb-ldap documentation is not really supported in the schema installed in IPA. Next, using a global "allow-transfer" in named.conf doesn't work either.

Are zone transfers supported with bind-dyndb-ldap? Am I doing something wrong?

Thanks

--
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10   sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions
From rcritten at redhat.com Thu Jun 16 15:09:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Jun 2011 11:09:52 -0400
Subject: [Freeipa-users] DNS zone transfers
In-Reply-To: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve>
References: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve>
Message-ID: <4DFA1CC0.9090903@redhat.com>

Loris Santamaria wrote:
> Hi,
>
> I would like to use my freeIPA v2 server as my master name server and
> have other normal (non ldap based) bind servers as caching / secondary
> name servers. Ideally the clients would query only the secondary servers
> and the secondary name servers would perform regular zone transfers from
> the master server.
>
> So I'm trying to setup zone transfer in my IPA based name server. First
> of all I see that the attribute "idnsAllowTransfer" referenced in the
> bind-dyndb-ldap documentation is not really supported in the schema
> installed in IPA. Next, using a global "allow-transfer" in named.conf
> doesn't work either.
>
> Are zone transfers supported with bind-dyndb-ldap? Am I doing something
> wrong?
>
> Thanks
>

We don't currently support idnsAllowQuery and idnsAllowTransfer but we have a ticket open to add it: https://fedorahosted.org/freeipa/ticket/1211

rob

From rcritten at redhat.com Thu Jun 16 15:20:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Jun 2011 11:20:33 -0400
Subject: [Freeipa-users] Thunderbird Address Book
In-Reply-To: <4DF65E4D.3030802@nixtra.com>
References: <4DF65E4D.3030802@nixtra.com>
Message-ID: <4DFA1F41.6040202@redhat.com>

Sigbjorn Lie wrote:
> Hi,
>
> Has anyone had success using IPA's LDAP as address book for Thunderbird?
>
> I've tried configuring IPA's LDAP as Abook for Thunderbird. As far as I
> can see all the required attributes are there and mapped correctly out
> of the box with Thunderbird 3.1, but I cannot get any names looked up.
It works for me using TB 2 and 3.1.

My settings are:

Name: IPA
Hostname: ipa.example.com
Base DN: cn=users,cn=accounts,dc=example,dc=com
Port number: 389
Bind DN:

Use secure connection is not set

rob

From simo at redhat.com Thu Jun 16 15:27:39 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 16 Jun 2011 11:27:39 -0400
Subject: [Freeipa-users] DNS zone transfers
In-Reply-To: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve>
References: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve>
Message-ID: <1308238059.3182.101.camel@willson.li.ssimo.org>

On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
> Hi,
>
> I would like to use my freeIPA v2 server as my master name server and
> have other normal (non ldap based) bind servers as caching / secondary
> name servers. Ideally the clients would query only the secondary servers
> and the secondary name servers would perform regular zone transfers from
> the master server.
>
> So I'm trying to setup zone transfer in my IPA based name server. First
> of all I see that the attribute "idnsAllowTransfer" referenced in the
> bind-dyndb-ldap documentation is not really supported in the schema
> installed in IPA. Next, using a global "allow-transfer" in named.conf
> doesn't work either.

A global allow-transfer should work, have you restarted named after setting it?

If it doesn't work we may have a bug.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From loris at lgs.com.ve Thu Jun 16 19:38:18 2011
From: loris at lgs.com.ve (Loris Santamaria)
Date: Thu, 16 Jun 2011 15:08:18 -0430
Subject: [Freeipa-users] DNS zone transfers
In-Reply-To: <1308238059.3182.101.camel@willson.li.ssimo.org>
References: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve> <1308238059.3182.101.camel@willson.li.ssimo.org>
Message-ID: <1308253102.3716.20.camel@arepa.pzo.lgs.com.ve>

On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
> > Hi,
> >
> > I would like to use my freeIPA v2 server as my master name server and
> > have other normal (non ldap based) bind servers as caching / secondary
> > name servers. Ideally the clients would query only the secondary servers
> > and the secondary name servers would perform regular zone transfers from
> > the master server.
> >
> > So I'm trying to setup zone transfer in my IPA based name server. First
> > of all I see that the attribute "idnsAllowTransfer" referenced in the
> > bind-dyndb-ldap documentation is not really supported in the schema
> > installed in IPA. Next, using a global "allow-transfer" in named.conf
> > doesn't work either.
>
> A global allow-transfer should work, have you restarted named after
> setting it?
>
> If it doesn't work we may have a bug.

I'm adding to named.conf options section:

allow-transfer { 127.0.0.1; };

then I restart named and try a zone transfer on the same host:

# host -l ipa.corpfbk. 127.0.0.1
; Transfer failed.
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host ipa.corpfbk not found: 9(NOTAUTH)
; Transfer failed.

In the logs I get:

Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)

--
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.
http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10   sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions

From thildred at redhat.com Fri Jun 17 06:15:41 2011
From: thildred at redhat.com (Tim Hildred)
Date: Fri, 17 Jun 2011 02:15:41 -0400 (EDT)
Subject: [Freeipa-users] SRV record to tell w2k8 machines to use IPA server for ldap
Message-ID: <1755334875.758692.1308291341971.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

Hello;

I have a VM running FreeIPA, and have the DNS SRV records referencing ldap and kerberos mentioned in the documentation. In trying to set the domain of my Win2k8 VM to mysandbox.com, I get an error that the

"DNS name does not exist"

after running the query for

"_ldap._tcp.dc._msdcs.mysandbox.com"

which is different than the example given for an LDAP SRV record.

So what SRV record has to exist that will allow my W2k8 VM to join mysandbox.com domain?

ipa dnsrecord-add _______________________

Thanks!

Tim

From sigbjorn at nixtra.com Fri Jun 17 20:10:39 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 17 Jun 2011 22:10:39 +0200
Subject: [Freeipa-users] Thunderbird Address Book
In-Reply-To: <4DFA1F41.6040202@redhat.com>
References: <4DF65E4D.3030802@nixtra.com> <4DFA1F41.6040202@redhat.com>
Message-ID: <4DFBB4BF.8020605@nixtra.com>

On 06/16/2011 05:20 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> Hi,
>>
>> Has anyone had success using IPA's LDAP as address book for Thunderbird?
>>
>> I've tried configuring IPA's LDAP as Abook for Thunderbird. As far as I
>> can see all the required attributes are there and mapped correctly out
>> of the box with Thunderbird 3.1, but I cannot get any names looked up.
>
> It works for me using TB 2 and 3.1.
>
> My settings are:
>
> Name: IPA
> Hostname: ipa.example.com
> Base DN: cn=users,cn=accounts,dc=example,dc=com
> Port number: 389
> Bind DN:
>
> Use secure connection is not set

Ok, that's my configuration too. I noticed that it works when I start typing someone's name, their details are being pulled from IPA. So yes, it works. :)

When I did my testing I expected to see the directory when I opened up the Address Book in Thunderbird. I see the addresses from "Personal Address Book", but there is still none under the "IPA" address book.

I suppose this is a Thunderbird issue and not an IPA issue...?

From sgallagh at redhat.com Fri Jun 17 20:19:52 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 17 Jun 2011 16:19:52 -0400
Subject: [Freeipa-users] Thunderbird Address Book
In-Reply-To: <4DFBB4BF.8020605@nixtra.com>
References: <4DF65E4D.3030802@nixtra.com> <4DFA1F41.6040202@redhat.com> <4DFBB4BF.8020605@nixtra.com>
Message-ID: <1308341992.5165.3.camel@sgallagh520.bos.redhat.com>

On Fri, 2011-06-17 at 22:10 +0200, Sigbjorn Lie wrote:
> On 06/16/2011 05:20 PM, Rob Crittenden wrote:
> > Sigbjorn Lie wrote:
> >> Hi,
> >>
> >> Has anyone had success using IPA's LDAP as address book for Thunderbird?
> >>
> >> I've tried configuring IPA's LDAP as Abook for Thunderbird. As far as I
> >> can see all the required attributes are there and mapped correctly out
> >> of the box with Thunderbird 3.1, but I cannot get any names looked up.
> >
> > It works for me using TB 2 and 3.1.
> >
> > My settings are:
> >
> > Name: IPA
> > Hostname: ipa.example.com
> > Base DN: cn=users,cn=accounts,dc=example,dc=com
> > Port number: 389
> > Bind DN:
> >
> > Use secure connection is not set
>
> Ok, that's my configuration too. I noticed that it works when I start
> typing someone's name, their details are being pulled from IPA. So yes, it
> works. :)
>
> When I did my testing I expected to see the directory when I opened up
> the Address Book in Thunderbird.
> I see the addresses from "Personal
> Address Book", but there is still none under the "IPA" address book.
>
> I suppose this is a Thunderbird issue and not an IPA issue...?

It's not really an "issue", it's expected behavior. It's too expensive for every client to pre-cache the entirety of the LDAP server (since it could contain tens of thousands of entries). So what Thunderbird (and most other address book tools) does is create an LDAP search string and query LDAP on the fly as you are typing.

From rcritten at redhat.com Fri Jun 17 20:37:00 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 17 Jun 2011 16:37:00 -0400
Subject: [Freeipa-users] Thunderbird Address Book
In-Reply-To: <4DFBB4BF.8020605@nixtra.com>
References: <4DF65E4D.3030802@nixtra.com> <4DFA1F41.6040202@redhat.com> <4DFBB4BF.8020605@nixtra.com>
Message-ID: <4DFBBAEC.5020307@redhat.com>

Sigbjorn Lie wrote:
> On 06/16/2011 05:20 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> Has anyone had success using IPA's LDAP as address book for Thunderbird?
>>>
>>> I've tried configuring IPA's LDAP as Abook for Thunderbird. As far as I
>>> can see all the required attributes are there and mapped correctly out
>>> of the box with Thunderbird 3.1, but I cannot get any names looked up.
>>
>> It works for me using TB 2 and 3.1.
>>
>> My settings are:
>>
>> Name: IPA
>> Hostname: ipa.example.com
>> Base DN: cn=users,cn=accounts,dc=example,dc=com
>> Port number: 389
>> Bind DN:
>>
>> Use secure connection is not set
>
> Ok, that's my configuration too. I noticed that it works when I start
> typing someone's name, their details are being pulled from IPA. So yes, it
> works. :)
>
> When I did my testing I expected to see the directory when I opened up
> the Address Book in Thunderbird.
> I see the addresses from "Personal
> Address Book", but there is still none under the "IPA" address book.
>
> I suppose this is a Thunderbird issue and not an IPA issue...?
>

Must be, I saw the same thing. I guess always enumerating * could be rather expensive.

rob

From ayoung at redhat.com Sat Jun 18 01:28:27 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 17 Jun 2011 21:28:27 -0400
Subject: [Freeipa-users] extracting info and injecting info
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0EE3DE@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0ED7C2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1308052097.1954.14.camel@sgallagh520.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E401B0EE3DE@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DFBFF3B.9020201@redhat.com>

On 06/14/2011 04:33 PM, Steven Jones wrote:
> Hi,
>
> That's excellent....it won't be me but our IdM developers...who will want to look, since it's Oracle IdM I suspect Java type stuff but I'm clueless on programming......I can hand this to them when they ask.

JSON is much friendlier, and it is what the webUI uses: I do it all the time. Here's my write up.

http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/

> thanks
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
> Sent: Tuesday, 14 June 2011 11:48 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] extracting info and injecting info
>
> On Tue, 2011-06-14 at 04:18 +0000, Steven Jones wrote:
>> At a high level, I just need an idea how this will/could work....
>>
>> We have a centralised provisioning system that (eventually) we need to
>> talk to IPA. So the sort of things I need to extract are the
>> available user groups and hosts and that then would be displayed in the
>> IdM system.
At that point the user admin would create the user and >> select the groups and hosts the user can interact with...how does the >> external program query IPA? language? etc.? and then inject user info? > An external program can use the XML-RPC interface to perform IPA queries > and updates. This is what the 'ipa' command-line tool does behind the > scenes. > > It's not very readable, but you can take a look at > http://git.fedorahosted.org/git/?p=freeipa.git;a=blob_plain;f=API.txt;hb=HEAD to see the API specification. > > There's a python API included with FreeIPA as well. See > http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=doc/examples/python-api.py;h=60578e805fb5f2b440ba204c5adbac62e8415c2b;hb=HEAD > for an example of how to start using this API. From chorn at fluxcoil.net Sat Jun 18 12:49:41 2011 From: chorn at fluxcoil.net (Christian Horn) Date: Sat, 18 Jun 2011 14:49:41 +0200 Subject: [Freeipa-users] SRV record to tell w2k8 machines to use IPA server for ldap In-Reply-To: <1755334875.758692.1308291341971.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> References: <1755334875.758692.1308291341971.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Message-ID: <20110618124941.GB23770@fluxcoil.net> Hi, On Fri, Jun 17, 2011 at 02:15:41AM -0400, Tim Hildred wrote: > I have a VM running FreeIPA, and have the DNS SRV records referencing > ldap and kerberos mentioned in the documentation. So things used by ipa clients. > In trying to set the domain of my Win2k8 VM to mysandbox.com, I get > an error that the > "DNS name does not exist" > after running the query for > "_ldap._tcp.dc._msdcs.mysandbox.com" > which is different than the example given for an LDAP SRV record. You try to "set a dns domain" or "join the box into an active directory domain"?
> So what SRV record has to exist that will allow my W2k8 VM to > join mysandbox.com domain? > ipa dnsrecord-add _______________________ Not sure on what you try to accomplish, on the requirements to do it Microsoft could probably comment best. Since from sniffing you know the request you could just try to fulfill it/serve it with your DNS server? Pure hookup of Windows with Kerberos into the IPA realm might work (unless Windows insists on using encryption types that are not offered, or such things). Complete domain hookup will not work, for that AD servers could be used or Samba 4. Christian From simo at redhat.com Sat Jun 18 14:55:26 2011 From: simo at redhat.com (Simo Sorce) Date: Sat, 18 Jun 2011 10:55:26 -0400 Subject: [Freeipa-users] SRV record to tell w2k8 machines to use IPA server for ldap In-Reply-To: <1755334875.758692.1308291341971.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> References: <1755334875.758692.1308291341971.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Message-ID: <1308408926.3182.197.camel@willson.li.ssimo.org> On Fri, 2011-06-17 at 02:15 -0400, Tim Hildred wrote: > Hello; > > I have a VM running FreeIPA, and have the DNS SRV records referencing ldap and kerberos mentioned in the documentation. In trying to set the domain of my Win2k8 VM to mysandbox.com, I get an error that the > > "DNS name does not exist" > > after running the query for > > "_ldap._tcp.dc._msdcs.mysandbox.com" > > which is different than the example given for an LDAP SRV record. > > So what SRV record has to exist that will allow my W2k8 VM to join mysandbox.com domain? > > > ipa dnsrecord-add _______________________ Sorry Tim, but FreeIPA cannot be a direct Domain Controller for Windows clients. Unfortunately Windows Clients can only join AD domains and stuff that behave *exactly* like AD down to very fine details.
There is actually a write-up here [1] on how to hook up a Windows client to use FreeIPA as an authentication source, but that is not the same thing as joining a domain. Depending on your needs it may be enough though. Also note that we have not tested this guide with v2 or recent Windows clients. If you want an alternative to AD for your Windows clients I can suggest trying Samba4, it is still not complete, but has enough basic AD infrastructure to work for single domain deployments, with some minor restrictions. Simo. [1] http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step -- Simo Sorce * Red Hat, Inc * New York From attila.bogar at linguamatics.com Mon Jun 20 15:37:57 2011 From: attila.bogar at linguamatics.com (Attila Bogár) Date: Mon, 20 Jun 2011 16:37:57 +0100 Subject: [Freeipa-users] Insufficient access during winsync agreement Message-ID: <4DFF6955.3050300@linguamatics.com> Hi, I'm trying to set up the AD-FreeIPA sync agreement and I'm always getting this error: # ipa-replica-manage connect --winsync --binddn cn="IPA Sync",cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v Added CA certificate /root/dc1.cer to certificate database for ipa1.example.com ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com *Insufficient access* Where does this insufficient access come from? Can you please provide some guidance with this issue? IPA Sync user on the AD side has Domain Admins, Enterprise Admins, Schema Admins group memberships. I'm able to query the AD using ldapsearch and binding with the credentials and also have an admin Kerberos ticket. On the other hand the documentation in the freeipa enterprise guide is rather succinct than adequate as it doesn't provide at least one working example.
I've read all the corresponding documentation and it's still unclear what password I have to specify with the --passsync to ipa-replica-manage? "the password for the Windows PassSync user, and a required argument to ipa-replica-manage when creating winsync agreements." I can't see any documentation mentioning that a PassSync user has to be (or is) created in AD. The bindpw already gives read/write permission to the AD tree, so I'm wondering why this --passsync is required? It's rather annoying to set up PassSync on the Windows side. The only documentation for this (what FreeIPA refers to) I can see is: http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html However, "cn=sync,cn=config" on the screenshot for the user name is misleading as only the full DN was working for us. I assume instead of ou=People,dc=example,dc=com cn=user,cn=accounts,dc=example,dc=com has to be substituted (or it has to be cn=compat?) Thanks for any help in advance, Attila
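One way to see where that "Insufficient access" comes from on the IPA side, as an added example that is not part of the original thread: 389 Directory Server records every operation and its result in /var/log/dirsrv/slapd-INSTANCE/access, and insufficientAccessRights is LDAP result code 50, so the refusal shows up as a RESULT line with err=50. The script below is my own code, not FreeIPA's or 389-ds's; it joins each RESULT err=50 line to the operation it answers (same conn and op numbers) and to the identity that connection had bound as, so the output names the entry the tool tried to write and as whom. The log excerpt embedded in it is constructed, not taken from anyone's server: it mimics a run that binds with the admin Kerberos ticket over GSSAPI and is refused when adding the winsync agreement entry under cn=mapping tree,cn=config, followed by the same add succeeding after a simple bind as Directory Manager. Connection numbers, addresses and DNs are made up.

```python
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

# LDAP result code insufficientAccessRights (RFC 4511); 389-ds reports it to the
# client as "Insufficient access" and logs it as err=50 on the RESULT line.
LDAP_INSUFFICIENT_ACCESS = 50

# Constructed 389-ds access log excerpt (not from the original mail). conn=57 is a
# GSSAPI bind as the IPA admin that is refused when it adds the agreement entry
# under cn=config; conn=58 is a simple bind as Directory Manager doing the same
# add successfully. Addresses and DNs are made up.
SAMPLE_ACCESS_LOG = r"""
[20/Jun/2011:16:37:40 +0100] conn=57 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.10
[20/Jun/2011:16:37:40 +0100] conn=57 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jun/2011:16:37:40 +0100] conn=57 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[20/Jun/2011:16:37:40 +0100] conn=57 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jun/2011:16:37:40 +0100] conn=57 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[20/Jun/2011:16:37:41 +0100] conn=57 op=2 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-port"
[20/Jun/2011:16:37:41 +0100] conn=57 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[20/Jun/2011:16:37:42 +0100] conn=57 op=3 ADD dn="cn=meTodc1.win.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[20/Jun/2011:16:37:42 +0100] conn=57 op=3 RESULT err=50 tag=105 nentries=0 etime=0
[20/Jun/2011:16:37:42 +0100] conn=57 op=4 UNBIND
[20/Jun/2011:16:37:42 +0100] conn=57 op=4 fd=65 closed - U1
[20/Jun/2011:16:52:03 +0100] conn=58 fd=66 slot=66 connection from 192.0.2.10 to 192.0.2.10
[20/Jun/2011:16:52:03 +0100] conn=58 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Jun/2011:16:52:03 +0100] conn=58 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[20/Jun/2011:16:52:04 +0100] conn=58 op=1 ADD dn="cn=meTodc1.win.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[20/Jun/2011:16:52:04 +0100] conn=58 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[20/Jun/2011:16:52:04 +0100] conn=58 op=2 UNBIND
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
OP_RE = re.compile(r'^(?P<kind>ADD|MOD|DEL|MODRDN|SRCH|CMP|EXT) (?:dn|base)="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)(?:.* dn="(?P<dn>[^"]*)")?')


class Denied(NamedTuple):
    timestamp: str
    conn: int
    op: int
    bound_as: str      # identity the connection was authenticated as
    operation: str     # e.g. 'ADD cn=...,cn=config'


def find_results(log_text: str, err: int = LDAP_INSUFFICIENT_ACCESS) -> List[Denied]:
    """Return every RESULT line carrying the given error code, joined to the
    operation it answers and to the identity bound on that connection."""
    bound_as: Dict[int, str] = {}                # conn -> DN (or 'anonymous')
    pending: Dict[Tuple[int, int], str] = {}     # (conn, op) -> operation text
    hits: List[Denied] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('op') is None:
            continue                             # connection open/close lines
        conn, op, rest = int(m.group('conn')), int(m.group('op')), m.group('rest')
        key = (conn, op)
        b = BIND_RE.match(rest)
        if b:
            # A simple bind names the DN up front; a SASL bind logs dn="" and the
            # authenticated identity only appears on the successful RESULT line.
            pending[key] = 'BIND'
            if b.group('dn'):
                bound_as[conn] = b.group('dn')
            continue
        o = OP_RE.match(rest)
        if o:
            pending[key] = f"{o.group('kind')} {o.group('dn')}"
            continue
        r = RESULT_RE.match(rest)
        if r:
            code = int(r.group('err'))
            what = pending.pop(key, '?')
            if what == 'BIND' and code == 0:
                bound_as[conn] = r.group('dn') or bound_as.get(conn, 'anonymous')
            if code == err:
                hits.append(Denied(m.group('ts'), conn, op, bound_as.get(conn, 'anonymous'), what))
        elif rest == 'UNBIND':
            bound_as.pop(conn, None)
    return hits


if __name__ == '__main__':
    # Pass the access log path as the first argument; without one the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for d in find_results(text):
        print(f"{d.timestamp} conn={d.conn} op={d.op} bound as {d.bound_as!r}: {d.operation} -> err=50")
```

On the constructed sample the only err=50 is the ADD under cn=mapping tree,cn=config performed as uid=admin, which is the kind of thing an access log check is for: the AD-side rights of the sync user are irrelevant to this error, it is the IPA-side bind identity that lacks write access to cn=config. When a real log is passed in, a high volume of err=50 from the same bind DN against entries it should never touch is also worth alerting on, since it is the usual trace of a misbehaving client or probing account.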
From rmeggins at redhat.com Mon Jun 20 16:42:25 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 20 Jun 2011 10:42:25 -0600 Subject: [Freeipa-users] Insufficient access during winsync agreement In-Reply-To: <4DFF6955.3050300@linguamatics.com> References: <4DFF6955.3050300@linguamatics.com> Message-ID: <4DFF7871.4050805@redhat.com> On 06/20/2011 09:37 AM, Attila Bogár wrote: > Hi, > > I'm trying to set up the AD-FreeIPA sync agreement and I'm always > getting this error: > > # ipa-replica-manage connect --winsync --binddn cn="IPA > Sync",cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert > /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v > > Added CA certificate /root/dc1.cer to certificate database for > ipa1.example.com > ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com > *Insufficient access* > > Where does this insufficient access come from? > Can you please provide some guidance with this issue? Not sure. First check the directory server access log - look for err=50 around the time of your command - /var/log/dirsrv/slapd-YOUR-INSTANCE/access > > > IPA Sync user on the AD side has Domain Admins, Enterprise Admins, > Schema Admins group memberships. > > I'm able to query the AD using ldapsearch and binding with the > credentials and also have an admin Kerberos ticket. > > On the other hand the documentation in the freeipa enterprise guide is > rather succinct than adequate as it doesn't provide at least one > working example. > > I've read all the corresponding documentation and it's still unclear > what password I have to specify with the --passsync to > ipa-replica-manage? > > "the password for the Windows PassSync user, and a required argument > to ipa-replica-manage when creating winsync agreements." I can't > see any documentation mentioning that a PassSync user has to be (or is) > created in AD.
> The bindpw already gives read/write permission to the AD tree, so I'm > wondering why this --passsync is required? > > It's rather annoying to set up PassSync on the Windows side. > The only documentation for this (what FreeIPA refers to) I can see is: > http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html > > However, "cn=sync,cn=config" on the screenshot for the user name is > misleading as only the full DN was working for us. I assume instead of > ou=People,dc=example,dc=com cn=user,cn=accounts,dc=example,dc=com has > to be substituted (or it has to be cn=compat?) > > Thanks for any help in advance, > Attila From attila.bogar at linguamatics.com Tue Jun 21 09:01:08 2011 From: attila.bogar at linguamatics.com (Attila Bogár) Date: Tue, 21 Jun 2011 10:01:08 +0100 Subject: [Freeipa-users] Insufficient access during winsync agreement In-Reply-To: <4DFF6955.3050300@linguamatics.com> References: <4DFF6955.3050300@linguamatics.com> Message-ID: <4E005DD4.8060700@linguamatics.com> On 20/06/11 16:37, Attila Bogár wrote: > I'm trying to set up the AD-FreeIPA sync agreement and I'm always > getting this error: > # ipa-replica-manage connect --winsync --binddn cn="IPA > Sync",cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert > /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v This is solved now. The Directory Manager password was missing from the command line (-p). The admin user's privileges via Kerberos are insufficient to set up a replica agreement, as far as I can see. Could you please add this to the documentation example in the docs, I think upcoming users would appreciate this.
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server Thanks, Attila From atkac at redhat.com Tue Jun 21 10:12:08 2011 From: atkac at redhat.com (Adam Tkac) Date: Tue, 21 Jun 2011 12:12:08 +0200 Subject: [Freeipa-users] DNS zone transfers In-Reply-To: <1308253102.3716.20.camel@arepa.pzo.lgs.com.ve> References: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve> <1308238059.3182.101.camel@willson.li.ssimo.org> <1308253102.3716.20.camel@arepa.pzo.lgs.com.ve> Message-ID: <4E006E78.6010903@redhat.com> On 06/16/2011 09:38 PM, Loris Santamaria wrote: > On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote: >> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote: >>> Hi, >>> >>> I would like to use my freeIPA v2 server as my master name server and >>> have other normal (non ldap based) bind servers as caching / secondary >>> name servers. Ideally the clients would query only the secondary servers >>> and the secondary name servers would perform regular zone transfers from >>> the master server. >>> >>> So I'm trying to set up zone transfer in my IPA based name server. First >>> of all I see that the attribute "idnsAllowTransfer" referenced in the >>> bind-dyndb-ldap documentation is not really supported in the schema >>> installed in IPA. Next, using a global "allow-transfer" in named.conf >>> doesn't work either. >> A global allow-transfer should work, have you restarted named after >> setting it? >> >> If it doesn't work we may have a bug. > I'm adding to named.conf options section: > > allow-transfer { 127.0.0.1; }; > > then I restart named and try a zone transfer on the same host: > > # host -l ipa.corpfbk. 127.0.0.1 > ; Transfer failed.
> Using domain server: > Name: 127.0.0.1 > Address: 127.0.0.1#53 > Aliases: > > Host ipa.corpfbk not found: 9(NOTAUTH) > ; Transfer failed. > > In the logs I get: > > Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH) > Hello Loris, the bind-dyndb-ldap plugin currently doesn't support zone transfers but you should receive a SERVFAIL error in this case, not NOTAUTH. Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk zone? Can you please post the output of "dig @127.0.0.1 ipa.corpfbk SOA" here? Regards, Adam From simo at redhat.com Tue Jun 21 12:00:30 2011 From: simo at redhat.com (Simo Sorce) Date: Tue, 21 Jun 2011 08:00:30 -0400 Subject: [Freeipa-users] Insufficient access during winsync agreement In-Reply-To: <4E005DD4.8060700@linguamatics.com> References: <4DFF6955.3050300@linguamatics.com> <4E005DD4.8060700@linguamatics.com> Message-ID: <1308657630.25324.4.camel@willson.li.ssimo.org> On Tue, 2011-06-21 at 10:01 +0100, Attila Bogár wrote: > On 20/06/11 16:37, Attila Bogár wrote: > > I'm trying to set up the AD-FreeIPA sync agreement and I'm always > > getting this error: > > # ipa-replica-manage connect --winsync --binddn cn="IPA > > Sync",cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 > > --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com > > -v > > This is solved now. The Directory Manager password was missing from the > command line (-p). > The admin user's privileges via Kerberos are insufficient to set up a > replica agreement, as far as I can see. > > Could you please add this to the documentation example in the docs, I > think upcoming users would appreciate this.
> > http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server > If the command didn't give you an error it is a bug, can you please open a ticket? Simo. -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Tue Jun 21 12:14:42 2011 From: simo at redhat.com (Simo Sorce) Date: Tue, 21 Jun 2011 08:14:42 -0400 Subject: [Freeipa-users] DNS zone transfers In-Reply-To: <4E006E78.6010903@redhat.com> References: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve> <1308238059.3182.101.camel@willson.li.ssimo.org> <1308253102.3716.20.camel@arepa.pzo.lgs.com.ve> <4E006E78.6010903@redhat.com> Message-ID: <1308658482.25324.7.camel@willson.li.ssimo.org> On Tue, 2011-06-21 at 12:12 +0200, Adam Tkac wrote: > On 06/16/2011 09:38 PM, Loris Santamaria wrote: > > On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote: > >> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote: > >>> Hi, > >>> > >>> I would like to use my freeIPA v2 server as my master name server and > >>> have other normal (non ldap based) bind servers as caching / secondary > >>> name servers. Ideally the clients would query only the secondary servers > >>> and the secondary name servers would perform regular zone transfers from > >>> the master server. > >>> > >>> So I'm trying to set up zone transfer in my IPA based name server. First > >>> of all I see that the attribute "idnsAllowTransfer" referenced in the > >>> bind-dyndb-ldap documentation is not really supported in the schema > >>> installed in IPA. Next, using a global "allow-transfer" in named.conf > >>> doesn't work either. > >> A global allow-transfer should work, have you restarted named after > >> setting it? > >> > >> If it doesn't work we may have a bug.
> > I'm adding to named.conf options section: > > > > allow-transfer { 127.0.0.1; }; > > > > then I restart named and try a zone transfer on the same host: > > > > # host -l ipa.corpfbk. 127.0.0.1 > > ; Transfer failed. > > Using domain server: > > Name: 127.0.0.1 > > Address: 127.0.0.1#53 > > Aliases: > > > > Host ipa.corpfbk not found: 9(NOTAUTH) > > ; Transfer failed. > > > > In the logs I get: > > > > Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH) > > > Hello Loris, > > the bind-dyndb-ldap plugin currently doesn't support zone transfers but > you should receive a SERVFAIL error in this case, not NOTAUTH. > > Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk > zone? Can you please post the output of "dig @127.0.0.1 ipa.corpfbk SOA" here? Adam, Thanks for the reply. Loris, sorry for the confusion, I mistakenly thought we had already implemented this feature. The implementation is not particularly difficult, and we plan to have support for zone transfers in one of the next 2.x releases, as soon as UI changes can be made and tested. Follow future release announcements, we will have this feature listed when it is ready. Simo. -- Simo Sorce * Red Hat, Inc * New York From attila.bogar at linguamatics.com Tue Jun 21 13:24:52 2011 From: attila.bogar at linguamatics.com (Attila Bogár) Date: Tue, 21 Jun 2011 14:24:52 +0100 Subject: [Freeipa-users] syncing custom attributes from AD Message-ID: <4E009BA4.9030607@linguamatics.com> Dear List, I'd like to sync extra attributes from AD -> FreeIPA. These are namely: employeeNumber and employeeType. The following .ldif is always adding the value unknown instead of syncing the value in AD. -- 8< -- dn: cn=ipa-winsync,cn=plugins,cn=config changetype: modify add: ipaWinSyncUserAttr ipaWinSyncUserAttr: employeeType unknown -- 8< -- I'd like to use the value unknown if no such employeeType is defined in AD.
What's the correct form for ipaWinSyncUserAttr? Thanks, Attila From loris at lgs.com.ve Tue Jun 21 13:51:03 2011 From: loris at lgs.com.ve (Loris Santamaria) Date: Tue, 21 Jun 2011 09:21:03 -0430 Subject: [Freeipa-users] DNS zone transfers In-Reply-To: <4E006E78.6010903@redhat.com> References: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve> <1308238059.3182.101.camel@willson.li.ssimo.org> <1308253102.3716.20.camel@arepa.pzo.lgs.com.ve> <4E006E78.6010903@redhat.com> Message-ID: <1308664266.5070.10.camel@arepa.pzo.lgs.com.ve> On Tue, 21-06-2011 at 12:12 +0200, Adam Tkac wrote: > On 06/16/2011 09:38 PM, Loris Santamaria wrote: > > On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote: > >> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote: > >>> Hi, > >>> > >>> I would like to use my freeIPA v2 server as my master name server and > >>> have other normal (non ldap based) bind servers as caching / secondary > >>> name servers. Ideally the clients would query only the secondary servers > >>> and the secondary name servers would perform regular zone transfers from > >>> the master server. > >>> > >>> So I'm trying to set up zone transfer in my IPA based name server. First > >>> of all I see that the attribute "idnsAllowTransfer" referenced in the > >>> bind-dyndb-ldap documentation is not really supported in the schema > >>> installed in IPA. Next, using a global "allow-transfer" in named.conf > >>> doesn't work either. > >> A global allow-transfer should work, have you restarted named after > >> setting it? > >> > >> If it doesn't work we may have a bug. > > I'm adding to named.conf options section: > > > > allow-transfer { 127.0.0.1; }; > > > > then I restart named and try a zone transfer on the same host: > > > > # host -l ipa.corpfbk. 127.0.0.1 > > ; Transfer failed. > > Using domain server: > > Name: 127.0.0.1 > > Address: 127.0.0.1#53 > > Aliases: > > > > Host ipa.corpfbk not found: 9(NOTAUTH) > > ; Transfer failed.
> > > > In the logs I get: > > > > Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH) > > > Hello Loris, > > the bind-dyndb-ldap plugin currently doesn't support zone transfers but > you should receive a SERVFAIL error in this case, not NOTAUTH. > > Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk > zone? Can you please post the output of "dig @127.0.0.1 ipa.corpfbk SOA" here? The zone's SOA seems right to me: [root at ipa01 ~]# dig @127.0.0.1 ipa.corpfbk SOA ; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @127.0.0.1 ipa.corpfbk SOA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;ipa.corpfbk. IN SOA ;; ANSWER SECTION: ipa.corpfbk. 86400 IN SOA ipa01.central.corpfbk. soporte.tiendaskioto.com. 2011020601 3600 900 1209600 3600 ;; AUTHORITY SECTION: ipa.corpfbk. 86400 IN NS ipa01.central.corpfbk. ;; ADDITIONAL SECTION: ipa01.central.corpfbk. 86400 IN A 192.168.3.6 ;; Query time: 3 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Jun 21 09:15:43 2011 ;; MSG SIZE rcvd: 133 -- Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve Links Global Services, C.A. http://www.lgs.com.ve Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve ------------------------------------------------------------ -O9 -omg-optimize -fomit-instructions
From atkac at redhat.com Tue Jun 21 14:02:07 2011 From: atkac at redhat.com (Adam Tkac) Date: Tue, 21 Jun 2011 16:02:07 +0200 Subject: [Freeipa-users] DNS zone transfers In-Reply-To: <1308664266.5070.10.camel@arepa.pzo.lgs.com.ve> References: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve> <1308238059.3182.101.camel@willson.li.ssimo.org> <1308253102.3716.20.camel@arepa.pzo.lgs.com.ve> <4E006E78.6010903@redhat.com> <1308664266.5070.10.camel@arepa.pzo.lgs.com.ve> Message-ID: <4E00A45F.7040004@redhat.com> On 06/21/2011 03:51 PM, Loris Santamaria wrote: > On Tue, 21-06-2011 at 12:12 +0200, Adam Tkac wrote: >> On 06/16/2011 09:38 PM, Loris Santamaria wrote: >>> On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote: >>>> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote: >>>>> Hi, >>>>> >>>>> I would like to use my freeIPA v2 server as my master name server and >>>>> have other normal (non ldap based) bind servers as caching / secondary >>>>> name servers. Ideally the clients would query only the secondary servers >>>>> and the secondary name servers would perform regular zone transfers from >>>>> the master server. >>>>> >>>>> So I'm trying to set up zone transfer in my IPA based name server. First >>>>> of all I see that the attribute "idnsAllowTransfer" referenced in the >>>>> bind-dyndb-ldap documentation is not really supported in the schema >>>>> installed in IPA. Next, using a global "allow-transfer" in named.conf >>>>> doesn't work either. >>>> A global allow-transfer should work, have you restarted named after >>>> setting it? >>>> >>>> If it doesn't work we may have a bug. >>> I'm adding to named.conf options section: >>> >>> allow-transfer { 127.0.0.1; }; >>> >>> then I restart named and try a zone transfer on the same host: >>> >>> # host -l ipa.corpfbk. 127.0.0.1 >>> ; Transfer failed.
>>> Using domain server: >>> Name: 127.0.0.1 >>> Address: 127.0.0.1#53 >>> Aliases: >>> >>> Host ipa.corpfbk not found: 9(NOTAUTH) >>> ; Transfer failed. >>> >>> In the logs I get: >>> >>> Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH) >>> >> Hello Loris, >> >> the bind-dyndb-ldap plugin currently doesn't support zone transfers but >> you should receive SERVFAIL error in this case, not NOTAUTH. >> >> Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk >> zone? Can you please post output of "dig @127.0.0.1 ipa.corpfbk SOA" here? > The zone's SOA seems right to me: > > [root at ipa01 ~]# dig @127.0.0.1 ipa.corpfbk SOA > > ; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @127.0.0.1 ipa.corpfbk SOA > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430 > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 > > ;; QUESTION SECTION: > ;ipa.corpfbk. IN SOA > > ;; ANSWER SECTION: > ipa.corpfbk. 86400 IN SOA ipa01.central.corpfbk. soporte.tiendaskioto.com. 2011020601 3600 900 1209600 3600 > > ;; AUTHORITY SECTION: > ipa.corpfbk. 86400 IN NS ipa01.central.corpfbk. > > ;; ADDITIONAL SECTION: > ipa01.central.corpfbk. 86400 IN A 192.168.3.6 > > ;; Query time: 3 msec > ;; SERVER: 127.0.0.1#53(127.0.0.1) > ;; WHEN: Tue Jun 21 09:15:43 2011 > ;; MSG SIZE rcvd: 133 That's weird if server still returns NOTAUTH. Are you sure you perform zone transfer from 192.168.3.6? (i.e. you execute host utility on machine with IP 192.168.3.6). 
Regards, Adam From danieljamesscott at gmail.com Tue Jun 21 15:06:30 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 21 Jun 2011 11:06:30 -0400 Subject: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server Message-ID: Hi, I'm still running a FreeIPA 1.2 server but have started installing Fedora 15 clients and am trying to figure out how to manually set up the Krb/LDAP configuration. I've run the 'authconfig-tui' command and manually set up Krb authentication and LDAP authorisation, using DNS discovery for the servers. The authentication is working correctly, but when I run 'id $USERNAME' I don't receive the correct groups, so I believe that Kerberos is working, but the LDAP configuration is wrong. I've turned the sssd loglevel up to 100, but I can't figure out why I'm not getting the correct groups. My system has a variety of files and I'm not sure which are still in use: /etc/krb5.conf /etc/pam_ldap.conf /etc/sssd/sssd.conf On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - this is not present on F15. Can anyone help me figure out how to get the group lookups working? Thanks, Dan From attila.bogar at linguamatics.com Tue Jun 21 15:17:58 2011 From: attila.bogar at linguamatics.com (Attila Bogár) Date: Tue, 21 Jun 2011 16:17:58 +0100 Subject: [Freeipa-users] ipa-winsync account disable Message-ID: <4E00B626.4050401@linguamatics.com> Dear List, winsync is working between AD and FreeIPA. If I disable a user in FreeIPA, it automatically disables on the AD side. Though, if I disable on the AD side, nothing happens on the FreeIPA side. Moreover, if I get a kerberos ticket for the disabled (only in AD) user from freeipa, then it automatically enables the user on the AD side. Settings for ipa-winsync are: # ipa-winsync, plugins, config dn: cn=ipa-winsync,cn=plugins,cn=config ipawinsyncacctdisable: both Is this the expected behaviour?
Thanks, Attila From sgallagh at redhat.com Tue Jun 21 15:20:52 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 21 Jun 2011 11:20:52 -0400 Subject: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server In-Reply-To: References: Message-ID: <1308669653.32513.26.camel@sgallagh520.bos.redhat.com> On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote: > Hi, > > I'm still running a FreeIPA 1.2 server but have started installing > Fedora 15 clients and am trying to figure out how to manually set up > the Krb/LDAP configuration. > > I've run the 'authconfig-tui' command and manually set up Krb > authentication and LDAP authorisation, using DNS discovery for the > servers. The authentication is working correctly, but when I run 'id > $USERNAME' I don't receive the correct groups, so I believe that > Kerberos is working, but the LDAP configuration is wrong. I've turned > the sssd loglevel up to 100, but I can't figure out why I'm not > getting the correct groups. > > My system has a variety of files and I'm not sure which are still in use: > > /etc/krb5.conf > /etc/pam_ldap.conf > /etc/sssd/sssd.conf > > On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - > this is not present on F15. > > Can anyone help me figure out how to get the group lookups working? Probably you need to add ldap_schema=rfc2307bis into the [domain/default] section of /etc/sssd/sssd.conf. If you just set authconfig up as an LDAP server, it defaults to ldap_schema = rfc2307, which uses a different attribute on the server to contain group memberships.
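The attribute difference Stephen is pointing at, as an added example that is not part of the original thread: with ldap_schema left unset sssd assumes rfc2307 and matches the login name against a group's memberUid values, whereas IPA stores membership as full user DNs in member, which is what the rfc2307bis setting tells sssd to look at. The script below is my own illustration, not sssd's code. It reads a constructed sssd.conf in the shape authconfig writes, reports the schema sssd would apply, rewrites the option, and resolves a user's groups under each schema against a small constructed set of IPA-style entries, so the "authentication works but id shows no groups" symptom can be reproduced offline. The entries, DNs, domain name and server name are made up, and the membership rule is reduced to the one attribute per schema that matters here; sssd's further knobs such as ldap_group_member are ignored.

```python
import configparser
import io
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sssd.conf of the kind authconfig writes for "LDAP + Kerberos"
# (not the attachment from the original mail). Note that ldap_schema is absent.
SSSD_CONF_AUTHCONFIG = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
"""

# Constructed entries in the layout IPA uses (users under cn=users,cn=accounts,
# groups under cn=groups,cn=accounts). The IPA groups hold membership as DNs in
# "member"; "legacy" is an rfc2307-style posixGroup with memberUid, included to
# show what each schema does and does not match.
DIRECTORY: List[Entry] = [
    {"dn": ["uid=dan,cn=users,cn=accounts,dc=example,dc=com"],
     "objectClass": ["posixAccount", "inetOrgPerson"],
     "uid": ["dan"], "uidNumber": ["1001"], "gidNumber": ["1001"]},
    {"dn": ["cn=admins,cn=groups,cn=accounts,dc=example,dc=com"],
     "objectClass": ["posixGroup", "groupOfNames"], "cn": ["admins"],
     "gidNumber": ["1000"],
     "member": ["uid=dan,cn=users,cn=accounts,dc=example,dc=com"]},
    {"dn": ["cn=editors,cn=groups,cn=accounts,dc=example,dc=com"],
     "objectClass": ["posixGroup", "groupOfNames"], "cn": ["editors"],
     "gidNumber": ["1002"],
     "member": ["uid=dan,cn=users,cn=accounts,dc=example,dc=com",
                "uid=alice,cn=users,cn=accounts,dc=example,dc=com"]},
    {"dn": ["cn=legacy,cn=groups,cn=accounts,dc=example,dc=com"],
     "objectClass": ["posixGroup"], "cn": ["legacy"],
     "gidNumber": ["1003"], "memberUid": ["dan"]},
]

SSSD_DEFAULT_SCHEMA = "rfc2307"   # what sssd assumes when ldap_schema is unset
SUPPORTED = ("rfc2307", "rfc2307bis")


def _parse(conf_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str           # keep option names exactly as written
    cp.read_string(conf_text)
    return cp


def effective_schema(conf_text: str, domain: str = "default") -> str:
    """Schema sssd will use for the domain, applying its default if unset."""
    cp = _parse(conf_text)
    return cp.get(f"domain/{domain}", "ldap_schema", fallback=SSSD_DEFAULT_SCHEMA).strip().lower()


def with_schema(conf_text: str, schema: str, domain: str = "default") -> str:
    """Return the config text with ldap_schema set for the domain."""
    cp = _parse(conf_text)
    cp.set(f"domain/{domain}", "ldap_schema", schema)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def group_filter(schema: str, username: str, user_dn: str) -> str:
    """The membership test each schema boils down to, written as an LDAP filter."""
    if schema == "rfc2307":
        return f"(&(objectClass=posixGroup)(memberUid={username}))"
    if schema == "rfc2307bis":
        return f"(&(objectClass=posixGroup)(member={user_dn}))"
    raise ValueError(f"unsupported ldap_schema {schema!r}")


def groups_for(schema: str, username: str, directory: List[Entry]) -> List[str]:
    """Resolve the user's groups the way the given schema would, against an
    in-memory directory standing in for the LDAP search sssd performs."""
    if schema not in SUPPORTED:
        raise ValueError(f"unsupported ldap_schema {schema!r}")
    user = next(e for e in directory if username in e.get("uid", []))
    user_dn = user["dn"][0]
    found = []
    for entry in directory:
        if "posixGroup" not in entry.get("objectClass", []):
            continue
        if schema == "rfc2307" and username in entry.get("memberUid", []):
            found.append(entry["cn"][0])
        elif schema == "rfc2307bis" and user_dn in entry.get("member", []):
            found.append(entry["cn"][0])
    return sorted(found)


if __name__ == "__main__":
    for conf in (SSSD_CONF_AUTHCONFIG, with_schema(SSSD_CONF_AUTHCONFIG, "rfc2307bis")):
        schema = effective_schema(conf)
        user_dn = "uid=dan,cn=users,cn=accounts,dc=example,dc=com"
        print(f"ldap_schema={schema}: filter {group_filter(schema, 'dan', user_dn)}")
        print(f"  groups for dan -> {groups_for(schema, 'dan', DIRECTORY)}")
```

Run as-is it shows the symptom and the fix side by side: under the implicit rfc2307 only the memberUid-style group is found, and after ldap_schema is set to rfc2307bis the IPA groups appear. On a real client the same check is `grep ldap_schema /etc/sssd/sssd.conf` followed by `id dan` after `systemctl restart sssd`; an empty grep means sssd is silently using rfc2307.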
From danieljamesscott at gmail.com Tue Jun 21 15:31:15 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 21 Jun 2011 11:31:15 -0400 Subject: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server In-Reply-To: <1308669653.32513.26.camel@sgallagh520.bos.redhat.com> References: <1308669653.32513.26.camel@sgallagh520.bos.redhat.com> Message-ID: Hi, On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher wrote: > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote: >> Hi, >> >> I'm still running a FreeIPA 1.2 server but have started installing >> Fedora 15 clients and am trying to figure out how to manually set up >> the Krb/LDAP configuration. >> >> I've run the 'authconfig-tui' command and manually set up Krb >> authentication and LDAP authorisation, using DNS discovery for the >> servers. The authentication is working correctly, but when I run 'id >> $USERNAME' I don't receive the correct groups, so I believe that >> Kerberos is working, but the LDAP configuration is wrong. I've turned >> the sssd loglevel up to 100, but I can't figure out why I'm not >> getting the correct groups. >> >> My system has a variety of files and I'm not sure which are still in use: >> >> /etc/krb5.conf >> /etc/pam_ldap.conf >> /etc/sssd/sssd.conf >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - >> this is not present on F15. >> >> Can anyone help me figure out how to get the group lookups working? > > > Probably you need to add ldap_schema=rfc2307bis into the > [domain/default] section of /etc/sssd/sssd.conf. > > If you just set authconfig up as an LDAP server, it defaults to > ldap_schema = rfc2307, which uses a different attribute on the server to > contain group memberships. Thanks, but I've tried both of those entries - it doesn't appear to make any difference.
Dan From sgallagh at redhat.com Tue Jun 21 15:37:00 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 21 Jun 2011 11:37:00 -0400 Subject: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server In-Reply-To: References: <1308669653.32513.26.camel@sgallagh520.bos.redhat.com> Message-ID: <1308670622.32513.27.camel@sgallagh520.bos.redhat.com> On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote: > Hi, > > On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher wrote: > > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote: > >> Hi, > >> > >> I'm still running a FreeIPA 1.2 server but have started installing > >> Fedora 15 clients and am trying to figure out how to manually setup > >> the Krb/LDAP configuration. > >> > >> I've run the 'authconfig-tui' command and manually setup Krb > >> authentication and LDAP authorisation, using DNS discovery for the > >> servers. The authentication is working correctly, but when I run 'id > >> $USERNAME' I don't receive the correct groups, so I believe that > >> Kerberos is working, but the LDAP configuration is wrong. I've turned > >> the sssd loglevel up to 100, but I can't figure out why I'm not > >> getting the correct groups > >> > >> My system has a variety of files and I'm not sure which are still in use: > >> > >> /etc/krb5.conf > >> /etc/pam_ldap.conf > >> /etc/sssd/sssd.conf > >> > >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - > >> this is not present on F15. > >> > >> Can anyone help me figure out how to get the group lookups working? > > > > > > Probably you need to add ldap_schema=rfc2307bis into the > > [domain/default] section of /etc/sssd/sssd.conf. > > > > If you just set authconfig up as an LDAP server, it defaults to > > ldap_schema = rfc2307, which uses a different attribute on the server to > > contain group memberships. > > Thanks, but I've tried both of those entries - it doesn't appear to > make any difference. 
>
> Dan

Could you attach your
(sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
and /etc/pam.d/system-auth?

From danieljamesscott at gmail.com Tue Jun 21 15:58:50 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 21 Jun 2011 11:58:50 -0400
Subject: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
In-Reply-To: <1308670622.32513.27.camel@sgallagh520.bos.redhat.com>
References: <1308669653.32513.26.camel@sgallagh520.bos.redhat.com> <1308670622.32513.27.camel@sgallagh520.bos.redhat.com>
Message-ID:

On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher wrote:
> On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
>> Hi,
>>
>> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher wrote:
>> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
>> >> Hi,
>> >>
>> >> I'm still running a FreeIPA 1.2 server but have started installing
>> >> Fedora 15 clients and am trying to figure out how to manually setup
>> >> the Krb/LDAP configuration.
>> >>
>> >> I've run the 'authconfig-tui' command and manually setup Krb
>> >> authentication and LDAP authorisation, using DNS discovery for the
>> >> servers. The authentication is working correctly, but when I run 'id
>> >> $USERNAME' I don't receive the correct groups, so I believe that
>> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
>> >> the sssd loglevel up to 100, but I can't figure out why I'm not
>> >> getting the correct groups.
>> >>
>> >> My system has a variety of files and I'm not sure which are still in use:
>> >>
>> >> /etc/krb5.conf
>> >> /etc/pam_ldap.conf
>> >> /etc/sssd/sssd.conf
>> >>
>> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
>> >> this is not present on F15.
>> >>
>> >> Can anyone help me figure out how to get the group lookups working?
>> >
>> >
>> > Probably you need to add ldap_schema=rfc2307bis into the
>> > [domain/default] section of /etc/sssd/sssd.conf.
>> >
>> > If you just set authconfig up as an LDAP server, it defaults to
>> > ldap_schema = rfc2307, which uses a different attribute on the server to
>> > contain group memberships.
>>
>> Thanks, but I've tried both of those entries - it doesn't appear to
>> make any difference.
>>
>> Dan
>
>
> Could you attach your
> (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
> and /etc/pam.d/system-auth?

Attached, thanks. The only changes are domain names and 'dc=*' entries.

One thing that I just noticed, the system-auth file has pam_krb5.so
entries; previously, these were pam_sss.so - I've tried using both,
but neither appears to work.

Thanks,

Dan

[Attachments scrubbed by the archive: nsswitch.conf (1735 bytes), system-auth (1196 bytes), krb5.conf (320 bytes), sssd.conf (3857 bytes)]

From rmeggins at redhat.com Tue Jun 21 16:13:27 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Jun 2011 10:13:27 -0600
Subject: [Freeipa-users] syncing custom attributes from AD
In-Reply-To: <4E009BA4.9030607@linguamatics.com>
References: <4E009BA4.9030607@linguamatics.com>
Message-ID: <4E00C327.1000407@redhat.com>

On 06/21/2011 07:24 AM, Attila Bogár wrote:
> Dear List,
>
> I'd like to sync extra attributes from AD -> FreeIPA.
> These are namely: employeeNumber and employeeType.
>
> The following .ldif is always adding value unknown instead of syncing
> the value in AD.
> -- 8< --
> dn: cn=ipa-winsync,cn=plugins,cn=config
> changetype: modify
> add: ipaWinSyncUserAttr
> ipaWinSyncUserAttr: employeeType unknown
> -- 8< --
>
> I'd like to use the value unknown if no such employeeType is defined
> in AD.
>
> What's the correct form for ipaWinSyncUserAttr?

You have it correct. Looking at the code, it is supposed to work as you
expect. Looks like it may be a bug. Can you enable REPL and PLUGIN
error logging level and reproduce the problem? I would like to see the
errors log. See http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
for more information.

>
> Thanks,
> Attila
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rmeggins at redhat.com Tue Jun 21 16:20:20 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Jun 2011 10:20:20 -0600
Subject: [Freeipa-users] ipa-winsync account disable
In-Reply-To: <4E00B626.4050401@linguamatics.com>
References: <4E00B626.4050401@linguamatics.com>
Message-ID: <4E00C4C4.4080907@redhat.com>

On 06/21/2011 09:17 AM, Attila Bogár wrote:
> Dear List,
>
> winsync is working between AD and FreeIPA.
>
> If I disable a user in FreeIPA, it automatically disables on the AD side.
> Though, if I disable on the AD side, nothing happens on the FreeIPA side.

Sounds like a bug.

>
> Moreover, if I get a kerberos ticket for the disabled (only in AD)
> user from freeipa, then it automatically enables the user on the AD side.

Getting a kerberos ticket may involve internal modify operations in
freeipa - these ops will trigger the code that checks account disable
sync. Since the user is enabled in freeipa, it will attempt to sync this
state to AD.
This is as expected, but since it appears disable sync is not working
from AD to ipa, it "re-enables" the user in AD.

>
> Settings for ipa-winsync are:
> # ipa-winsync, plugins, config
> dn: cn=ipa-winsync,cn=plugins,cn=config
> ipawinsyncacctdisable: both
>
> Is this the expected behaviour?

What version of Windows? 32-bit or 64-bit?

Can you run with the REPL and PLUGIN log levels on? That may reveal
some useful clue.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

>
> Thanks,
> Attila

From sgallagh at redhat.com Tue Jun 21 18:19:07 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 21 Jun 2011 14:19:07 -0400
Subject: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
In-Reply-To:
References: <1308669653.32513.26.camel@sgallagh520.bos.redhat.com> <1308670622.32513.27.camel@sgallagh520.bos.redhat.com>
Message-ID: <1308680348.32513.31.camel@sgallagh520.bos.redhat.com>

On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher wrote:
> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> >> Hi,
> >>
> >> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher wrote:
> >> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> >> >> Hi,
> >> >>
> >> >> I'm still running a FreeIPA 1.2 server but have started installing
> >> >> Fedora 15 clients and am trying to figure out how to manually setup
> >> >> the Krb/LDAP configuration.
> >> >>
> >> >> I've run the 'authconfig-tui' command and manually setup Krb
> >> >> authentication and LDAP authorisation, using DNS discovery for the
> >> >> servers. The authentication is working correctly, but when I run 'id
> >> >> $USERNAME' I don't receive the correct groups, so I believe that
> >> >> Kerberos is working, but the LDAP configuration is wrong.
> >> >> I've turned
> >> >> the sssd loglevel up to 100, but I can't figure out why I'm not
> >> >> getting the correct groups.
> >> >>
> >> >> My system has a variety of files and I'm not sure which are still in use:
> >> >>
> >> >> /etc/krb5.conf
> >> >> /etc/pam_ldap.conf
> >> >> /etc/sssd/sssd.conf
> >> >>
> >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
> >> >> this is not present on F15.
> >> >>
> >> >> Can anyone help me figure out how to get the group lookups working?
> >> >
> >> >
> >> > Probably you need to add ldap_schema=rfc2307bis into the
> >> > [domain/default] section of /etc/sssd/sssd.conf.
> >> >
> >> > If you just set authconfig up as an LDAP server, it defaults to
> >> > ldap_schema = rfc2307, which uses a different attribute on the server to
> >> > contain group memberships.
> >>
> >> Thanks, but I've tried both of those entries - it doesn't appear to
> >> make any difference.
> >>
> >> Dan
> >
> >
> > Could you attach your
> > (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
> > and /etc/pam.d/system-auth?
>
> Attached, thanks. The only changes are domain names and 'dc=*' entries.
>
> One thing that I just noticed, the system-auth file has pam_krb5.so
> entries; previously, these were pam_sss.so - I've tried using both,
> but neither appears to work.
>
> Thanks,
>
> Dan

Your /etc/nsswitch.conf is wrong. I just noticed that you were using
authconfig-tui which is deprecated upstream and does not properly set up
SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works
properly. Feel free to file a bug against authconfig.

/etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD.
Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.

If you run 'authconfig --enablesssd --enablesssdauth --update' you
should be fine. This will update the config files with the correct
SSSD-related settings.
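The checks Stephen lists can be scripted so that a freshly kickstarted client can be audited before anyone logs in: nsswitch.conf must name sss for passwd, shadow and group; system-auth must load pam_sss.so rather than pam_krb5.so; and against a 1.x server sssd.conf needs ldap_schema = rfc2307bis (and, as Stephen notes later in this thread, SSSD discovers KDCs via SRV records but not the realm, so krb5_realm has to be set explicitly). The following is an example added to this archive, not code from FreeIPA, SSSD or authconfig. The config fragments are constructed to mirror the broken and corrected states described above; the domain name 'default', the host ipa.example.com and the realm EXAMPLE.COM are assumptions.

```python
"""Audit the files authconfig writes on a Fedora 15 SSSD client.

Added example for this archive; not code from FreeIPA, SSSD or authconfig.
The config fragments below are constructed to mirror the broken state in
the thread (nsswitch.conf still on 'ldap', system-auth still on pam_krb5.so)
and the state after 'authconfig --enablesssd --enablesssdauth --update'.
The domain name 'default', host and realm names are assumptions.
"""
import configparser
import re

NSS_DATABASES = ("passwd", "shadow", "group")   # must be served by 'sss'
# type  control-or-[bracketed control]  module  (leading '-' is optional)
PAM_LINE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return dbs


def pam_modules(text):
    """Set of module names a pam.d stack loads, ignoring comments."""
    mods = set()
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m:
            mods.add(m.group(3))
    return mods


def audit(nsswitch_text, system_auth_text, sssd_conf_text):
    """Return findings (strings); an empty list means SSSD owns NSS and PAM."""
    findings = []
    dbs = parse_nsswitch(nsswitch_text)
    for db in NSS_DATABASES:
        if "sss" not in dbs.get(db, []):
            findings.append(f"nsswitch.conf: {db} -> {dbs.get(db)}; expected 'sss'")
    mods = pam_modules(system_auth_text)
    if "pam_sss.so" not in mods:
        findings.append("system-auth: pam_sss.so missing from the stack")
    if mods & {"pam_krb5.so", "pam_ldap.so"}:
        findings.append("system-auth: legacy pam_krb5.so/pam_ldap.so still loaded")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    active = {d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",")}
    for sec in cfg.sections():
        if not sec.startswith("domain/"):
            continue
        if sec.split("/", 1)[1] not in active:
            findings.append(f"sssd.conf: [{sec}] not listed in [sssd] domains")
        # SSSD defaults to rfc2307; IPA 1.x group membership needs rfc2307bis
        if (cfg.get(sec, "id_provider", fallback="") == "ldap"
                and cfg.get(sec, "ldap_schema", fallback="rfc2307") != "rfc2307bis"):
            findings.append(f"sssd.conf: [{sec}] ldap_schema must be rfc2307bis")
        # SSSD finds KDCs via SRV records but not the realm via TXT: set it
        if (cfg.get(sec, "auth_provider", fallback="") == "krb5"
                and not cfg.has_option(sec, "krb5_realm")):
            findings.append(f"sssd.conf: [{sec}] krb5_realm is unset")
    return findings


# Constructed samples: the authconfig-tui result, then the corrected files.
BROKEN_NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n"
FIXED_NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup: files sss\nhosts: files dns\n"
BROKEN_SYSTEM_AUTH = """\
auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_krb5.so use_first_pass
auth     required   pam_deny.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
"""
FIXED_SYSTEM_AUTH = BROKEN_SYSTEM_AUTH.replace("pam_krb5.so", "pam_sss.so")
SSSD_HEAD = "[sssd]\nconfig_file_version = 2\nservices = nss, pam\ndomains = default\n\n[nss]\n\n[pam]\n\n"
BROKEN_SSSD = SSSD_HEAD + """\
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
krb5_server = ipa.example.com
"""
FIXED_SSSD = BROKEN_SSSD + "ldap_schema = rfc2307bis\nkrb5_realm = EXAMPLE.COM\n"

if __name__ == "__main__":
    for label, args in (("before", (BROKEN_NSSWITCH, BROKEN_SYSTEM_AUTH, BROKEN_SSSD)),
                        ("after", (FIXED_NSSWITCH, FIXED_SYSTEM_AUTH, FIXED_SSSD))):
        print(label, audit(*args) or ["ok"])
```

Run against the real files (`/etc/nsswitch.conf`, `/etc/pam.d/system-auth`, `/etc/sssd/sssd.conf`) the script reports the same seven findings for the authconfig-tui layout and nothing once authconfig has rewritten the files; keeping the checks as plain functions makes it easy to drop into a kickstart %post or a configuration-drift job.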
From danieljamesscott at gmail.com Tue Jun 21 18:41:19 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 21 Jun 2011 14:41:19 -0400
Subject: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
In-Reply-To: <1308680348.32513.31.camel@sgallagh520.bos.redhat.com>
References: <1308669653.32513.26.camel@sgallagh520.bos.redhat.com> <1308670622.32513.27.camel@sgallagh520.bos.redhat.com> <1308680348.32513.31.camel@sgallagh520.bos.redhat.com>
Message-ID:

On Tue, Jun 21, 2011 at 14:19, Stephen Gallagher wrote:
> On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
>> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher wrote:
>> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
>> >> Hi,
>> >>
>> >> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher wrote:
>> >> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
>> >> >> Hi,
>> >> >>
>> >> >> I'm still running a FreeIPA 1.2 server but have started installing
>> >> >> Fedora 15 clients and am trying to figure out how to manually setup
>> >> >> the Krb/LDAP configuration.
>> >> >>
>> >> >> I've run the 'authconfig-tui' command and manually setup Krb
>> >> >> authentication and LDAP authorisation, using DNS discovery for the
>> >> >> servers. The authentication is working correctly, but when I run 'id
>> >> >> $USERNAME' I don't receive the correct groups, so I believe that
>> >> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
>> >> >> the sssd loglevel up to 100, but I can't figure out why I'm not
>> >> >> getting the correct groups.
>> >> >>
>> >> >> My system has a variety of files and I'm not sure which are still in use:
>> >> >>
>> >> >> /etc/krb5.conf
>> >> >> /etc/pam_ldap.conf
>> >> >> /etc/sssd/sssd.conf
>> >> >>
>> >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
>> >> >> this is not present on F15.
>> >> >>
>> >> >> Can anyone help me figure out how to get the group lookups working?
>> >> >
>> >> >
>> >> > Probably you need to add ldap_schema=rfc2307bis into the
>> >> > [domain/default] section of /etc/sssd/sssd.conf.
>> >> >
>> >> > If you just set authconfig up as an LDAP server, it defaults to
>> >> > ldap_schema = rfc2307, which uses a different attribute on the server to
>> >> > contain group memberships.
>> >>
>> >> Thanks, but I've tried both of those entries - it doesn't appear to
>> >> make any difference.
>> >>
>> >> Dan
>> >
>> >
>> > Could you attach your
>> > (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
>> > and /etc/pam.d/system-auth?
>>
>> Attached, thanks. The only changes are domain names and 'dc=*' entries.
>>
>> One thing that I just noticed, the system-auth file has pam_krb5.so
>> entries; previously, these were pam_sss.so - I've tried using both,
>> but neither appears to work.
>>
>> Thanks,
>>
>> Dan
>
>
> Your /etc/nsswitch.conf is wrong. I just noticed that you were using
> authconfig-tui which is deprecated upstream and does not properly set up
> SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works
> properly. Feel free to file a bug against authconfig.
>
> /etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD.
> Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.
>
> If you run 'authconfig --enablesssd --enablesssdauth --update' you
> should be fine. This will update the config files with the correct
> SSSD-related settings.

Excellent! Thanks - that makes much more sense. I've been using
authconfig-tui all this time and had no idea that it was doing things
incorrectly.

One small issue that I found: if I switch on the "Use DNS to resolve
hosts to realms" option, then the krb5_realm (in sssd.conf) and
default_realm (in krb5.conf) are removed and my authentication fails.
I'm pretty sure that I have DNS correctly configured (_kerberos IN TXT EXAMPLE.COM).
Does the sssd client look for different DNS records for realm discovery?

Thanks for your help,

Dan

From sgallagh at redhat.com Tue Jun 21 18:49:27 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 21 Jun 2011 14:49:27 -0400
Subject: [Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server
In-Reply-To:
References: <1308669653.32513.26.camel@sgallagh520.bos.redhat.com> <1308670622.32513.27.camel@sgallagh520.bos.redhat.com> <1308680348.32513.31.camel@sgallagh520.bos.redhat.com>
Message-ID: <1308682167.32513.34.camel@sgallagh520.bos.redhat.com>

On Tue, 2011-06-21 at 14:41 -0400, Dan Scott wrote:
>
> Excellent! Thanks - that makes much more sense. I've been using
> authconfig-tui all this time and had no idea that it was doing things
> incorrectly.
>
> One small issue that I found: if I switch on the "Use DNS to resolve
> hosts to realms" option, then the krb5_realm (in sssd.conf) and
> default_realm (in krb5.conf) are removed and my authentication fails.
> I'm pretty sure that I have DNS correctly configured (_kerberos
> IN TXT EXAMPLE.COM). Does the sssd client look for different
> DNS records for realm discovery?

Actually, we don't currently support *realm* discovery. We only support
KDC discovery (using ._kerberos._tcp IN SRV EXAMPLE.COM)

Feel free to open an RFE at https://fedorahosted.org/sssd (Fedora
Account required to open tickets) for support of detecting the realm by
TXT record.

From shelltoesuperstar at gmail.com Wed Jun 22 09:44:54 2011
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Wed, 22 Jun 2011 10:44:54 +0100
Subject: [Freeipa-users] ipa-client-install errors via kickstart
Message-ID:

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client.
When I run ipa-client-install (via kickstart or after the client has
installed) I'm getting the following error message.

root : DEBUG
root : ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL
Failed to verify that ipa.test.net is an IPA server
This may mean that the remote server is not up or is not reachable due to network or firewall settings

The ipa server is definitely up and running, it's still authenticating
other servers in the network, and when I rebuild the client with rhel or
centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails
to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894).
Was it resolved in Red Hat 5, as I think I'm experiencing the issue with
my RH5u6 clients?

Thanks
Charlie

From attila.bogar at linguamatics.com Wed Jun 22 09:47:57 2011
From: attila.bogar at linguamatics.com (Attila Bogár)
Date: Wed, 22 Jun 2011 10:47:57 +0100
Subject: [Freeipa-users] syncing custom attributes from AD
In-Reply-To: <4E00C327.1000407@redhat.com>
References: <4E009BA4.9030607@linguamatics.com> <4E00C327.1000407@redhat.com>
Message-ID: <4E01BA4D.60504@linguamatics.com>

Hi Rich,

On 21/06/11 17:13, Rich Megginson wrote:
> Can you enable REPL and PLUGIN error logging level and reproduce the
> problem? I would like to see the errors log. See
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting for more
> information.

I enabled REPL || PLUGIN, the problem was reproducible.
Sending logs in private.
Thanks,
Attila

From attila.bogar at linguamatics.com Wed Jun 22 09:50:56 2011
From: attila.bogar at linguamatics.com (Attila Bogár)
Date: Wed, 22 Jun 2011 10:50:56 +0100
Subject: [Freeipa-users] ipa-winsync account disable
In-Reply-To: <4E00C4C4.4080907@redhat.com>
References: <4E00B626.4050401@linguamatics.com> <4E00C4C4.4080907@redhat.com>
Message-ID: <4E01BB00.3000204@linguamatics.com>

Hi,

On 21/06/11 17:20, Rich Megginson wrote:
> What version of Windows? 32-bit or 64-bit?

Windows Server 2008 R2 Standard 64-bit.

> Can you run with the REPL and PLUGIN log levels on? That may reveal
> some useful clue.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

Sending logs in private...

Thanks,
Attila

From shelltoesuperstar at gmail.com Wed Jun 22 11:13:46 2011
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Wed, 22 Jun 2011 12:13:46 +0100
Subject: [Freeipa-users] ipa-client-install errors via kickstart
In-Reply-To:
References:
Message-ID:

Apologies, I didn't get the whole debug log message in the email:

root : DEBUG Init ldap with: ldap://ipa.test.net:389
root : ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL
root : DEBUG will use domain: test.net
root : DEBUG will use server: ipa.test.net
Failed to verify that ipa.test.net is an IPA server
This may mean that the remote server is not up or is not reachable due to network or firewall setting

Regards,
Charlie

On Wed, Jun 22, 2011 at 10:44 AM, Charlie Derwent <shelltoesuperstar at gmail.com> wrote:
> Hi
>
> I'm running FreeIPA server on F14 and connecting to a F14 client. When I
> run ipa-client-install (via kickstart or after the client has installed) I'm
> getting the following error message.
>
> root : DEBUG
> root : ERROR LDAP Error: Connect error: Start TLS request
> accepted.
> Server willing to negotiate SSL
> Failed to verify that ipa.test.net is an IPA server
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings
>
>
>
> The ipa server is definitely up and running, it's still authenticating
> other servers in the network and when I rebuild the client with rhel or
> centos it can enroll (almost) without issue (see below).
>
> The second issue was this certmonger related bug where certmonger fails
> to start on new install (
> https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red
> Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?
>
> Thanks
> Charlie
>

From Steven.Jones at vuw.ac.nz Wed Jun 22 20:39:53 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Jun 2011 20:39:53 +0000
Subject: [Freeipa-users] ipa-client-install errors via kickstart
In-Reply-To:
References:
Message-ID: <833D8E48405E064EBC54C84EC6B36E40286D006C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

2.0 or 1.2?

Also ppl who know way more than me always seem to want the logs..... ;]

regards

Steven

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Charlie Derwent [shelltoesuperstar at gmail.com]
Sent: Wednesday, 22 June 2011 9:44 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] ipa-client-install errors via kickstart

Hi

I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message.

root : DEBUG
root : ERROR LDAP Error: Connect error: Start TLS request accepted.
Server willing to negotiate SSL
Failed to verify that ipa.test.net is an IPA server
This may mean that the remote server is not up or is not reachable due to network or firewall settings

The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below).

The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?

Thanks
Charlie

From rcritten at redhat.com Wed Jun 22 21:49:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2011 17:49:10 -0400
Subject: [Freeipa-users] ipa-client-install errors via kickstart
In-Reply-To:
References:
Message-ID: <4E026356.1040805@redhat.com>

Charlie Derwent wrote:
> Hi
>
> I'm running FreeIPA server on F14 and connecting to a F14 client. When I
> run ipa-client-install (via kickstart or after the client has installed)
> I'm getting the following error message.
>
> root : DEBUG
> root : ERROR LDAP Error: Connect error: Start TLS request
> accepted. Server willing to negotiate SSL
> Failed to verify that ipa.test.net is an IPA server
> This may mean that the remote server is not up or is not reachable due
> to network or firewall settings

What version of IPA are you running on the client and server?

Can you check the 389-ds access log to see if you can see the connection
and any errors reported with it?

>
>
> The ipa server is definitely up and running, it's still authenticating
> other servers in the network and when I rebuild the client with rhel or
> centos it can enroll (almost) without issue (see below).
>
> The second issue was this certmonger related bug where certmonger fails
> to start on new install
> (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it resolved in
> Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?

Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart
messagebus after installing certmonger. Should be easy to do in a kickstart.

rob

From pieter.baele at gmail.com Thu Jun 23 12:15:37 2011
From: pieter.baele at gmail.com (Pieter Baele)
Date: Thu, 23 Jun 2011 14:15:37 +0200
Subject: [Freeipa-users] TLS: hostname does not match CN in peer certificate
Message-ID:

Probably, this question has been asked before....

I try to register an IPA client but get the following error.
(primary kerberos are AD hosts, so I use --server etc)

What can be wrong? The necessary firewall ports are opened....

ipa-client-install --server testclient03 --domain example.org

root : ERROR LDAP Error: Connect error: TLS: hostname does not match CN in peer certificate
Failed to verify that testclient03 is an IPA Server.
This may mean that the remote server is not up or is not reachabl

Greetings PieterB

From pieter.baele at gmail.com Thu Jun 23 12:24:53 2011
From: pieter.baele at gmail.com (Pieter Baele)
Date: Thu, 23 Jun 2011 14:24:53 +0200
Subject: [Freeipa-users] TLS: hostname does not match CN in peer certificate
In-Reply-To:
References:
Message-ID:

Solved. --server also needs FQDN

I have to think twice before posting ;-)

From sbose at redhat.com Thu Jun 23 12:27:57 2011
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 23 Jun 2011 14:27:57 +0200
Subject: [Freeipa-users] TLS: hostname does not match CN in peer certificate
In-Reply-To:
References:
Message-ID: <20110623122757.GS2197@localhost.localdomain>

On Thu, Jun 23, 2011 at 02:15:37PM +0200, Pieter Baele wrote:
> Probably, this question has been asked before....
>
> I try to register an IPA client but get the following error.
> (primary kerberos are AD hosts, so I use --server etc)
>
> What can be wrong? The necessary firewall ports are opened....
>
> ipa-client-install --server testclient03 --domain example.org
>
> root : ERROR LDAP Error: Connect error: TLS: hostname does
> not match CN in peer certificate
> Failed to verify that testclient03 is an IPA Server.
> This may mean that the remote server is not up or is not reachabl

Please try to use the FQDN of testclient03.

HTH

bye,
Sumit

>
> Greetings PieterB

From attila.bogar at linguamatics.com Thu Jun 23 12:35:56 2011
From: attila.bogar at linguamatics.com (Attila Bogár)
Date: Thu, 23 Jun 2011 13:35:56 +0100
Subject: [Freeipa-users] Custom Fields on UI
Message-ID: <4E03332C.1040609@linguamatics.com>

Hi,

When I apply the following ldif, the custom fields are not appearing on
the web interface (ipa restart doesn't help).

-- 8< --
dn: cn=ipaConfig,cn=etc,dc=linguamatics,dc=com
changetype: modify
replace: ipaCustomFields
ipaCustomFields: "Employee Type,employeeType,false$Employee Number,employeeNumber,false"
-- 8< --

I'm wondering if this is the correct behaviour and I have to modify some
web ui related distro files à la
https://www.redhat.com/archives/freeipa-users/2009-June/msg00049.html

Thanks,
Attila

From attila.bogar at linguamatics.com Thu Jun 23 12:48:55 2011
From: attila.bogar at linguamatics.com (Attila Bogár)
Date: Thu, 23 Jun 2011 13:48:55 +0100
Subject: [Freeipa-users] AD/IPA Full Name
Message-ID: <4E033637.1000102@linguamatics.com>

Dear List,

We dumped our existing LDAP users into AD using a powershell script.

When creating the users with powershell, the Name: field gets populated
with the username (eg. abogar). However if creating a user with the
dsa.msc the Name: field gets populated with the fullname (eg. Attila Bogar).
The Name: attribute seems to be a read-only attribute either from
powershell or dsa.msc, therefore we are setting the DisplayName:
attribute to be the full name.

IPA is fetching Full Name from the Name: field.

When I change a user's full name in IPA, usermod --cn="New Name", IPA
pushes back the full name into the (read-only) Name: attribute
successfully.

So this workaround does exactly what I want, though I'm wondering if
anyone knows what consequences it could have, that IPA is changing
read-only attributes in the AD?

Thanks,
Attila

From simo at redhat.com Thu Jun 23 13:04:28 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 23 Jun 2011 09:04:28 -0400
Subject: [Freeipa-users] AD/IPA Full Name
In-Reply-To: <4E033637.1000102@linguamatics.com>
References: <4E033637.1000102@linguamatics.com>
Message-ID: <1308834268.25324.60.camel@willson.li.ssimo.org>

On Thu, 2011-06-23 at 13:48 +0100, Attila Bogár wrote:
> When I change a user's full name in IPA, usermod --cn="New Name", IPA
> pushes back the full name into the (read-only) Name: attribute
> successfully.
>
> So this workaround does exactly what I want, though I'm wondering if
> anyone knows what consequences it could have, that IPA is changing
> read-only attributes in the AD?

The Full Name field is not read-only in AD.
It is exactly the attribute in which you are supposed to put the user's
Full Name.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From loris at lgs.com.ve Thu Jun 23 13:05:33 2011
From: loris at lgs.com.ve (Loris Santamaria)
Date: Thu, 23 Jun 2011 08:35:33 -0430
Subject: [Freeipa-users] DNS zone transfers
In-Reply-To: <4E00A45F.7040004@redhat.com>
References: <1308236476.3716.12.camel@arepa.pzo.lgs.com.ve> <1308238059.3182.101.camel@willson.li.ssimo.org> <1308253102.3716.20.camel@arepa.pzo.lgs.com.ve> <4E006E78.6010903@redhat.com> <1308664266.5070.10.camel@arepa.pzo.lgs.com.ve> <4E00A45F.7040004@redhat.com>
Message-ID: <1308834336.5070.54.camel@arepa.pzo.lgs.com.ve>

On Tue, 21-06-2011 at 16:02 +0200, Adam Tkac wrote:
> On 06/21/2011 03:51 PM, Loris Santamaria wrote:
> > On Tue, 21-06-2011 at 12:12 +0200, Adam Tkac wrote:
> >> On 06/16/2011 09:38 PM, Loris Santamaria wrote:
> >>> On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
> >>>> On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I would like to use my freeIPA v2 server as my master name server and
> >>>>> have other normal (non ldap based) bind servers as caching / secondary
> >>>>> name servers. Ideally the clients would query only the secondary servers
> >>>>> and the secondary name servers would perform regular zone transfers from
> >>>>> the master server.
> >>>>>
> >>>>> So I'm trying to setup zone transfer in my IPA based name server. First
> >>>>> of all I see that the attribute "idnsAllowTransfer" referenced in the
> >>>>> bind-dyndb-ldap documentation is not really supported in the schema
> >>>>> installed in IPA. Next, using a global "allow-transfer" in named.conf
> >>>>> doesn't work also.
> >>>> A global allow-transfer should work, have you restarted named after
> >>>> setting it ?
> >>>>
> >>>> If it doesn't work we may have a bug.
> >>> I'm adding to named.conf options section:
> >>>
> >>> allow-transfer { 127.0.0.1; };
> >>>
> >>> then I restart named and try a zone transfer on the same host:
> >>>
> >>> # host -l ipa.corpfbk.
> >>> 127.0.0.1
> >>> ; Transfer failed.
> >>> Using domain server:
> >>> Name: 127.0.0.1
> >>> Address: 127.0.0.1#53
> >>> Aliases:
> >>>
> >>> Host ipa.corpfbk not found: 9(NOTAUTH)
> >>> ; Transfer failed.
> >>>
> >>> In the logs I get:
> >>>
> >>> Jun 16 11:10:26 ipa01 named[30044]: client 127.0.0.1#59303: bad zone transfer request: 'ipa.corpfbk/IN': non-authoritative zone (NOTAUTH)
> >>>
> >> Hello Loris,
> >>
> >> the bind-dyndb-ldap plugin currently doesn't support zone transfers but
> >> you should receive SERVFAIL error in this case, not NOTAUTH.
> >>
> >> Are you sure the 127.0.0.1 server is authoritative for the ipa.corpfbk
> >> zone? Can you please post output of "dig @127.0.0.1 ipa.corpfbk SOA" here?
> > The zone's SOA seems right to me:
> >
> > [root at ipa01 ~]# dig @127.0.0.1 ipa.corpfbk SOA
> >
> > ; <<>> DiG 9.8.0-P1-RedHat-9.8.0-3.P1.fc15 <<>> @127.0.0.1 ipa.corpfbk SOA
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43430
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> >
> > ;; QUESTION SECTION:
> > ;ipa.corpfbk.                   IN      SOA
> >
> > ;; ANSWER SECTION:
> > ipa.corpfbk.            86400   IN      SOA     ipa01.central.corpfbk. soporte.tiendaskioto.com. 2011020601 3600 900 1209600 3600
> >
> > ;; AUTHORITY SECTION:
> > ipa.corpfbk.            86400   IN      NS      ipa01.central.corpfbk.
> >
> > ;; ADDITIONAL SECTION:
> > ipa01.central.corpfbk.  86400   IN      A       192.168.3.6
> >
> > ;; Query time: 3 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue Jun 21 09:15:43 2011
> > ;; MSG SIZE  rcvd: 133
> That's weird if server still returns NOTAUTH. Are you sure you perform
> zone transfer from 192.168.3.6? (i.e. you execute host utility on
> machine with IP 192.168.3.6).

Yes I'm working directly on the machine with IP 192.168.3.6 (the IPA
server), I added a global allow-transfer directive for 127.0.0.1 and I
am using the host utility to query directly the 127.0.0.1 nameserver.
-- Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions

From pieter.baele at gmail.com Thu Jun 23 13:26:33 2011
From: pieter.baele at gmail.com (Pieter Baele)
Date: Thu, 23 Jun 2011 15:26:33 +0200
Subject: [Freeipa-users] kinit working, but ipa-client-install not (client not found)
Message-ID:

My new freeipa installation is working (server + kinit on a host where I configured krb5.conf manually) but ipa-client-install gives the typical Kerberos error:

kinit: Client not found in Kerberos database while getting initial credentials

Both hosts are resolvable

From ayoung at redhat.com Thu Jun 23 13:51:11 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 23 Jun 2011 09:51:11 -0400
Subject: [Freeipa-users] Custom Fields on UI
In-Reply-To: <4E03332C.1040609@linguamatics.com>
References: <4E03332C.1040609@linguamatics.com>
Message-ID: <4E0344CF.5090806@redhat.com>

On 06/23/2011 08:35 AM, Attila Bogár wrote:
> Hi,
>
> When I apply the following ldif, the custom fields are not appearing
> on the web interface (ipa restart doesn't help).
>
> -- 8< --
> dn: cn=ipaConfig,cn=etc,dc=linguamatics,dc=com
> changetype: modify
> replace: ipaCustomFields
> ipaCustomFields: "Employee Type,employeeType,false$Employee Number,employeeNumber,false"
> -- 8< --
>
> I'm wondering if this is the correct behaviour and I have to modify
> some web ui related distro files a'la
> https://www.redhat.com/archives/freeipa-users/2009-June/msg00049.html
>
> Thanks,
> Attila

There are a lot of things in the Directory Server schema that we don't show in the UI.
This is a deliberate decision, and comparable to what we've done with explicit attributes in the CLI.

If you want custom fields in the UI, there are three steps.

1. Add it to the schema. You've done that.
2. Add it to the CLI. For this one, you want to modify /usr/lib64/python2.7/site-packages/ipalib/plugins/user.py.
3. Add an entry into the Javascript for the webui: /usr/share/ipa/ui/user.js

For employee number, you probably want to make it an integer data type in user.py. For employee type, you probably want to use IPA.select_widget to constrain the potential values.

From attila.bogar at linguamatics.com Thu Jun 23 14:02:17 2011
From: attila.bogar at linguamatics.com (Attila Bogár)
Date: Thu, 23 Jun 2011 15:02:17 +0100
Subject: [Freeipa-users] 389-DS crashed
Message-ID: <4E034769.5010709@linguamatics.com>

Hi,

I deleted more than 50 users from AD and expected IPA to do the same. However the EXAMPLE-COM 389-ds instance just crashed and I can't start it anymore.

Could you please help with this issue?

The error logging is set to REPL|PLUGIN.
I can see the following in the error log:

tail /var/log/dirsrv/slapd-EXAMPLE-COM/errors

[23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=mtf,cn=users,cn=accounts,dc=example,dc=com" guid="cc62cd9765c139458d9a21fdddf50eae"
[23/Jun/2011:14:55:51 +0100] - Calling windows entry search request plugin
[23/Jun/2011:14:55:51 +0100] ipa-winsync - --> ipa_winsync_pre_ad_search_cb -- begin
[23/Jun/2011:14:55:51 +0100] ipa-winsync - <-- ipa_winsync_pre_ad_search_cb -- end
[23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [] scope [0] filter [(objectclass=*)]: error 32:No such object
[23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: return code -1 from search for AD entry dn="" or dn="(null)"
[23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: entry not found - rc -1
[23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): windows_replay_update: Processing modify operation local dn="uid=mtf,cn=users,cn=accounts,dc=example,dc=com" remote dn=""
[23/Jun/2011:14:55:51 +0100] ipa-winsync - --> ipa_winsync_pre_ad_mod_user_mods_cb -- begin
[23/Jun/2011:14:55:51 +0100] ipa-winsync - <-- ipa_check_account_lock - entry [uid=mtf,cn=users,cn=accounts,dc=example,dc=com] has real attribute nsAccountLock and entry is locked

From attila.bogar at linguamatics.com Thu Jun 23 14:25:02 2011
From: attila.bogar at linguamatics.com (Attila Bogár)
Date: Thu, 23 Jun 2011 15:25:02 +0100
Subject: [Freeipa-users] AD/IPA Full Name
In-Reply-To: <1308834268.25324.60.camel@willson.li.ssimo.org>
References: <4E033637.1000102@linguamatics.com> <1308834268.25324.60.camel@willson.li.ssimo.org>
Message-ID: <4E034CBE.6040000@linguamatics.com>

Hi,

On 23/06/11 14:04, Simo Sorce wrote:
> The Full Name field is not read-only in AD.
> It is exactly the attribute in which you are supposed to put the user's
> Full Name.

There are 3 fields, namely: "name", "displayName" and "cn".

I can see that IPA was changing the "cn" and "name" fields.
If you start dsa.msc, right click on a user, Attribute Editor tab, click Filter, tick "show only writable attributes". "name" is not a writable attribute.

However you are partly right, because it's possible to change it by renaming the user. Right click on the user, select rename.

According to M$, the name attribute is actually the RDN:
http://support.microsoft.com/kb/257218

Thanks,
Attila

From rmeggins at redhat.com Thu Jun 23 15:06:33 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Jun 2011 09:06:33 -0600
Subject: [Freeipa-users] 389-DS crashed
In-Reply-To: <4E034769.5010709@linguamatics.com>
References: <4E034769.5010709@linguamatics.com>
Message-ID: <4E035679.6090207@redhat.com>

On 06/23/2011 08:02 AM, Attila Bogár wrote:
> Hi,
>
> I deleted more than 50 users from AD and expected IPA to do the same.
> However the EXAMPLE-COM 389-ds instance just crashed and I can't start
> it anymore.
>
> Could you please help with this issue?
>
> The error logging is set to REPL|PLUGIN.
> I can see the following in the error log:
>
> tail /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>
> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=mtf,cn=users,cn=accounts,dc=example,dc=com" guid="cc62cd9765c139458d9a21fdddf50eae"
> [23/Jun/2011:14:55:51 +0100] - Calling windows entry search request plugin
> [23/Jun/2011:14:55:51 +0100] ipa-winsync - --> ipa_winsync_pre_ad_search_cb -- begin
> [23/Jun/2011:14:55:51 +0100] ipa-winsync - <-- ipa_winsync_pre_ad_search_cb -- end
> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [] scope [0] filter [(objectclass=*)]: error 32:No such object
> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: return code -1 from search for AD entry dn="" or dn="(null)"
> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: entry not found - rc -1
> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): windows_replay_update: Processing modify operation local dn="uid=mtf,cn=users,cn=accounts,dc=example,dc=com" remote dn=""
> [23/Jun/2011:14:55:51 +0100] ipa-winsync - --> ipa_winsync_pre_ad_mod_user_mods_cb -- begin
> [23/Jun/2011:14:55:51 +0100] ipa-winsync - <-- ipa_check_account_lock - entry [uid=mtf,cn=users,cn=accounts,dc=example,dc=com] has real attribute nsAccountLock and entry is locked

Does the user mtf exist in AD?
From simo at redhat.com Thu Jun 23 15:21:41 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 23 Jun 2011 11:21:41 -0400
Subject: [Freeipa-users] AD/IPA Full Name
In-Reply-To: <4E034CBE.6040000@linguamatics.com>
References: <4E033637.1000102@linguamatics.com> <1308834268.25324.60.camel@willson.li.ssimo.org> <4E034CBE.6040000@linguamatics.com>
Message-ID: <1308842501.25324.69.camel@willson.li.ssimo.org>

On Thu, 2011-06-23 at 15:25 +0100, Attila Bogár wrote:
> Hi,
>
> On 23/06/11 14:04, Simo Sorce wrote:
> > The Full Name field is not read-only in AD.
> > It is exactly the attribute in which you are supposed to put the user's
> > Full Name.
> There are 3 fields, namely: "name", "displayName" and "cn".
>
> I can see that IPA was changing the "cn" and "name" fields.
> If you start dsa.msc, right click on a user, Attribute Editor tab,
> click Filter, tick "show only writable attributes".
> "name" is not a writable attribute.
>
> However you are partly right, because it's possible to change it by
> renaming the user.
> Right click on the user, select rename.
>
> According to M$, the name attribute is actually the RDN:
> http://support.microsoft.com/kb/257218

It is. Sorry, I thought you were referring to 'cn', not to the 'name' attribute.
CN usually holds the Full Name of a user in AD.

Simo.

-- Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Jun 23 15:28:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Jun 2011 11:28:02 -0400
Subject: [Freeipa-users] Custom Fields on UI
In-Reply-To: <4E03332C.1040609@linguamatics.com>
References: <4E03332C.1040609@linguamatics.com>
Message-ID: <4E035B82.2000904@redhat.com>

Attila Bogár wrote:
> Hi,
>
> When I apply the following ldif, the custom fields are not appearing on
> the web interface (ipa restart doesn't help).
>
> -- 8< --
> dn: cn=ipaConfig,cn=etc,dc=linguamatics,dc=com
> changetype: modify
> replace: ipaCustomFields
> ipaCustomFields: "Employee Type,employeeType,false$Employee Number,employeeNumber,false"
> -- 8< --
>
> I'm wondering if this is the correct behaviour and I have to modify some
> web ui related distro files a'la
> https://www.redhat.com/archives/freeipa-users/2009-June/msg00049.html

What version of ipa are you using?

rob

From rmeggins at redhat.com Thu Jun 23 15:31:13 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Jun 2011 09:31:13 -0600
Subject: [Freeipa-users] 389-DS crashed
In-Reply-To: <4E035679.6090207@redhat.com>
References: <4E034769.5010709@linguamatics.com> <4E035679.6090207@redhat.com>
Message-ID: <4E035C41.1080204@redhat.com>

On 06/23/2011 09:06 AM, Rich Megginson wrote:
> On 06/23/2011 08:02 AM, Attila Bogár wrote:
>> Hi,
>>
>> I deleted more than 50 users from AD and expected IPA to do the same.
>> However the EXAMPLE-COM 389-ds instance just crashed and I can't
>> start it anymore.
>>
>> Could you please help with this issue?
>>
>> The error logging is set to REPL|PLUGIN.
>> I can see the following in the error log:
>>
>> tail /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>>
>> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=mtf,cn=users,cn=accounts,dc=example,dc=com" guid="cc62cd9765c139458d9a21fdddf50eae"
>> [23/Jun/2011:14:55:51 +0100] - Calling windows entry search request plugin
>> [23/Jun/2011:14:55:51 +0100] ipa-winsync - --> ipa_winsync_pre_ad_search_cb -- begin
>> [23/Jun/2011:14:55:51 +0100] ipa-winsync - <-- ipa_winsync_pre_ad_search_cb -- end
>> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [] scope [0] filter [(objectclass=*)]: error 32:No such object
>> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: return code -1 from search for AD entry dn="" or dn="(null)"
>> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): map_entry_dn_outbound: entry not found - rc -1
>> [23/Jun/2011:14:55:51 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.example.com" (dc1:389): windows_replay_update: Processing modify operation local dn="uid=mtf,cn=users,cn=accounts,dc=example,dc=com" remote dn=""
>> [23/Jun/2011:14:55:51 +0100] ipa-winsync - --> ipa_winsync_pre_ad_mod_user_mods_cb -- begin
>> [23/Jun/2011:14:55:51 +0100] ipa-winsync - <-- ipa_check_account_lock - entry [uid=mtf,cn=users,cn=accounts,dc=example,dc=com] has real attribute nsAccountLock and entry is locked
> Does the user mtf exist in AD?
Looks like something happens to the mtf user - it's there, then it's not:

[23/Jun/2011:14:46:15 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): map_entry_dn_outbound: return code 0 from search for AD entry dn="" or dn="CN=Matt Francomb,CN=ipa,DC=win,DC=linguamatics,DC=com"
[23/Jun/2011:14:46:15 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): windows_replay_update: Processing modify operation local dn="uid=mtf,cn=users,cn=accounts,dc=linguamatics,dc=com" remote dn=""

then the next time this entry comes up:

[23/Jun/2011:14:46:18 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=mtf,cn=users,cn=accounts,dc=linguamatics,dc=com" guid="cc62cd9765c139458d9a21fdddf50eae"
[23/Jun/2011:14:46:18 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): map_entry_dn_outbound: return code -1 from search for AD entry dn="" or dn="(null)"
[23/Jun/2011:14:46:18 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): map_entry_dn_outbound: entry not found - rc -1

Is it possible this entry was deleted from AD between 23/Jun/2011:14:46:15 and 23/Jun/2011:14:46:18 ?
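Rich's reading of the log (the AD entry maps at 14:46:15 and is gone at 14:46:18) can be checked mechanically over a whole errors log rather than by eye. The script below is an added example, not code from the thread or from 389-ds: it pairs each map_entry_dn_outbound lookup with its result and reports, per local DN, how many seconds passed between the last successful mapping and the first miss, using sample lines constructed from the excerpt above.

```python
"""Added example (not from the thread or from 389-ds): pull the "found, then
gone" pattern Rich describes out of a 389-ds errors log.  Sample lines are
constructed from the excerpt quoted above."""
import re
from collections import defaultdict
from datetime import datetime

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # 389-ds errors-log timestamp layout

# The local DN is announced on the "looking for AD entry" line ...
LOOKING_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)"'
    r' \([^)]+\): map_entry_dn_outbound: looking for AD entry for DS'
    r' dn="(?P<dn>[^"]+)"')
# ... the outcome (0 = mapped, -1 = no AD entry) on the "return code" line ...
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)"'
    r' \([^)]+\): map_entry_dn_outbound: return code (?P<rc>-?\d+) from'
    r' search for AD entry dn="[^"]*" or dn="(?P<ad_dn>[^"]*)"')
# ... and when the lookup line was trimmed, the replay line still names it.
REPLAY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)"'
    r' \([^)]+\): windows_replay_update: Processing modify operation local'
    r' dn="(?P<dn>[^"]+)" remote dn="[^"]*"')

# Constructed sample: the two moments Rich quotes, three seconds apart.
SAMPLE_LOG = """\
[23/Jun/2011:14:46:15 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): map_entry_dn_outbound: return code 0 from search for AD entry dn="" or dn="CN=Matt Francomb,CN=ipa,DC=win,DC=linguamatics,DC=com"
[23/Jun/2011:14:46:15 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): windows_replay_update: Processing modify operation local dn="uid=mtf,cn=users,cn=accounts,dc=linguamatics,dc=com" remote dn=""
[23/Jun/2011:14:46:18 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=mtf,cn=users,cn=accounts,dc=linguamatics,dc=com" guid="cc62cd9765c139458d9a21fdddf50eae"
[23/Jun/2011:14:46:18 +0100] NSMMReplicationPlugin - Could not retrieve entry from Windows using search base [] scope [0] filter [(objectclass=*)]: error 32:No such object
[23/Jun/2011:14:46:18 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): map_entry_dn_outbound: return code -1 from search for AD entry dn="" or dn="(null)"
[23/Jun/2011:14:46:18 +0100] NSMMReplicationPlugin - agmt="cn=meTodc1.win.linguamatics.com" (dc1:389): map_entry_dn_outbound: entry not found - rc -1
""".splitlines()


def parse_lookups(lines):
    """Return (local_dn, timestamp, rc, ad_dn) tuples, one per AD lookup."""
    events = []
    pending = {}  # agreement -> local DN from the last "looking for" line
    for line in lines:
        line = line.strip()
        m = LOOKING_RE.match(line)
        if m:
            pending[m["agmt"]] = m["dn"]
            continue
        m = RESULT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT)
            events.append([pending.pop(m["agmt"], None), ts,
                           int(m["rc"]), m["ad_dn"]])
            continue
        m = REPLAY_RE.match(line)
        if m and events and events[-1][0] is None:
            events[-1][0] = m["dn"]   # fill in the DN the lookup line lacked
    return [tuple(e) for e in events]


def vanished_entries(lines):
    """Local DN -> (seconds from last successful lookup to first failure,
    AD DN seen on that successful lookup).  DNs that never mapped are
    skipped: that is the ordinary "not in AD" case, not a disappearance."""
    by_dn = defaultdict(list)
    for local_dn, ts, rc, ad_dn in parse_lookups(lines):
        if local_dn is not None:
            by_dn[local_dn].append((ts, rc, ad_dn))
    found = {}
    for dn, evs in by_dn.items():
        evs.sort(key=lambda e: e[0])
        last_ok = None
        for ts, rc, ad_dn in evs:
            if rc == 0:
                last_ok = (ts, ad_dn)
            elif rc == -1 and last_ok is not None:
                found[dn] = (int((ts - last_ok[0]).total_seconds()), last_ok[1])
                break
    return found


if __name__ == "__main__":
    for dn, (gap, ad_dn) in vanished_entries(SAMPLE_LOG).items():
        print(f"{dn}: mapped to {ad_dn!r}, missing from AD {gap}s later")
```

Run against a real /var/log/dirsrv/slapd-*/errors file (with REPL|PLUGIN logging on, as in the thread), the same functions take the file's lines and list every synced user whose AD object disappeared between two replay attempts.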
From sgallagh at redhat.com Thu Jun 23 16:27:01 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 23 Jun 2011 12:27:01 -0400
Subject: [Freeipa-users] kinit working, but ipa-client-install not (client not found)
In-Reply-To:
References:
Message-ID: <1308846421.1990.5.camel@sgallagh520.bos.redhat.com>

On Thu, 2011-06-23 at 15:26 +0200, Pieter Baele wrote:
> My new freeipa installation is working (server + kinit on a host where
> I configured krb5.conf manually)
> but ipa-client-install gives the typical Kerberos error:
>
> kinit: Client not found in Kerberos database while getting initial credentials
>
> Both hosts are resolvable

What are you passing to ipa-client-install? You need to make sure you've specified -p and -W in order to get the appropriate credentials.

From shelltoesuperstar at gmail.com Thu Jun 23 17:04:21 2011
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Thu, 23 Jun 2011 18:04:21 +0100
Subject: [Freeipa-users] ipa-client-install errors via kickstart
In-Reply-To: <4E026356.1040805@redhat.com>
References: <4E026356.1040805@redhat.com>
Message-ID:

On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden wrote:
> Charlie Derwent wrote:
>
>> Hi
>>
>> I'm running FreeIPA server on F14 and connecting to a F14 client. When I
>> run ipa-client-install (via kickstart or after the client has installed)
>> I'm getting the following error message.
>>
>> root : DEBUG
>> root : ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL
>> Failed to verify that ipa.test.net is an IPA server
>>
>> This may mean that the remote server is not up or is not reachable due
>> to network or firewall settings
>>
>
> What version of IPA are you running on the client and server?

Server is running 2.0.0.rc3-0
F14 Client is running 2.0.0.rc3-0
RHEL 5.6 Clients are running 2.0-10.el5_6.1
All the boxes are 64-bit

> Can you check the 389-ds access log to see if you can see the connection and
> any errors reported with it?

Nothing in the access.log on the server.

>> The ipa server is definitely up and running, it's still authenticating
>> other servers in the network and when I rebuild the client with rhel or
>> centos it can enroll (almost) without issue (see below).
>>
>> The second issue was this certmonger related bug where certmonger fails
>> to start on new install
>> (https://bugzilla.redhat.com/show_bug.cgi?id=636894)
>> was it resolved in
>> Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?
>
> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart
> messagebus after installing certmonger. Should be easy to do in a kickstart.

Yeah, got the "killall -HUP dbus-daemon" in there now.

Cheers
Charlie

> rob

From rcritten at redhat.com Thu Jun 23 17:54:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Jun 2011 13:54:15 -0400
Subject: [Freeipa-users] ipa-client-install errors via kickstart
In-Reply-To:
References: <4E026356.1040805@redhat.com>
Message-ID: <4E037DC7.5010805@redhat.com>

Charlie Derwent wrote:
>
> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden wrote:
>
> Charlie Derwent wrote:
>
> Hi
>
> I'm running FreeIPA server on F14 and connecting to a F14 client. When I
> run ipa-client-install (via kickstart or after the client has installed)
> I'm getting the following error message.
>
> root : DEBUG
> root : ERROR LDAP Error: Connect error: Start TLS request
> accepted. Server willing to negotiate SSL
> Failed to verify that ipa.test.net
> is an IPA server
>
> This may mean that the remote server is not up or is not
> reachable due to network or firewall settings
>
> What version of IPA are you running on the client and server?
>
> Server is running 2.0.0.rc3-0
> F14 Client is running 2.0.0.rc3-0
> RHEL 5.6 Clients are running 2.0-10.el5_6.1
> All the boxes are 64-bit

How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net).

rob

> Can you check the 389-ds access log to see if you can see the
> connection and any errors reported with it?
>
> Nothing in the access.log on the server.
>
> The ipa server is definitely up and running, it's still
> authenticating other servers in the network and when I rebuild the
> client with rhel or centos it can enroll (almost) without issue (see below).
>
> The second issue was this certmonger related bug where
> certmonger fails to start on new install
> (https://bugzilla.redhat.com/show_bug.cgi?id=636894) was it
> resolved in Red Hat 5 as I think I'm experiencing the issue with my
> RH5u6 clients?
>
> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
> restart messagebus after installing certmonger. Should be easy to do
> in a kickstart.
>
> yeah got the "killall -HUP dbus-daemon" in there now.
>
> Cheers
> Charlie
>
> rob

From rcritten at redhat.com Thu Jun 23 17:59:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Jun 2011 13:59:27 -0400
Subject: [Freeipa-users] kinit working, but ipa-client-install not (client not found)
In-Reply-To:
References:
Message-ID: <4E037EFF.70809@redhat.com>

Pieter Baele wrote:
> My new freeipa installation is working (server + kinit on a host where
> I configured krb5.conf manually)
> but ipa-client-install gives the typical Kerberos error:
>
> kinit: Client not found in Kerberos database while getting initial credentials
>
> Both hosts are resolvable

I'd suggest looking at /var/log/krb5kdc.log on the server after trying a kinit. This should tell you the name it is trying to resolve.

rob

From dlackey at redhat.com Thu Jun 23 18:33:43 2011
From: dlackey at redhat.com (Deon Lackey)
Date: Thu, 23 Jun 2011 14:33:43 -0400
Subject: [Freeipa-users] issues + docs
Message-ID: <4E038707.4030208@redhat.com>

Hey, guys.

I'm culling through some of the recent issues on this list to make sure they end up on the FreeIPA wiki or in the FreeIPA guide (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html).

Just as a side note, I have created a doc wiki page to help track the issues that crop up on the mailing list, so feel free to drop anything you want into that page:

https://fedorahosted.org/freeipa-guide/wiki/CommunityDocIssues

Or you can always email me or file a bugzilla. :)

Thanks!

Deon (the docs person)
From Steven.Jones at vuw.ac.nz Thu Jun 23 21:16:07 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 23 Jun 2011 21:16:07 +0000
Subject: [Freeipa-users] issues + docs
In-Reply-To: <4E038707.4030208@redhat.com>
References: <4E038707.4030208@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E402A611EC9@STAWINCOX10MBX1.staff.vuw.ac.nz>

Wow, this looks like a huge improvement... I can see my next few days are booked.

More pictures showing how to do things please....

regards

From Steven.Jones at vuw.ac.nz Thu Jun 23 21:17:39 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 23 Jun 2011 21:17:39 +0000
Subject: [Freeipa-users] sssd v "other" methods
Message-ID: <833D8E48405E064EBC54C84EC6B36E402A611ED2@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Looking at sssd enforcing the HBAC, is it possible to [easily] or even possible at all to achieve the same thing with say openldap or 389?

regards

From sgallagh at redhat.com Thu Jun 23 21:32:01 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 23 Jun 2011 17:32:01 -0400
Subject: [Freeipa-users] sssd v "other" methods
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E402A611ED2@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E402A611ED2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1308864722.1990.20.camel@sgallagh520.bos.redhat.com>

On Thu, 2011-06-23 at 21:17 +0000, Steven Jones wrote:
> Hi,
>
> Looking at sssd enforcing the HBAC, is it possible to [easily] or even
> possible at all to achieve the same thing with say openldap or 389?

Right now, the SSSD is making certain assumptions that the server providing the HBAC rules is an IPA server. However, I know that JR Aquino wrote a pam_python module a while ago that works (without offline capabilities) with the current HBAC approach.

Things will get a little more complex when the HBAC rules are extended to support time ranges, though. But there's no firm timeline on that yet.
From Steven.Jones at vuw.ac.nz Thu Jun 23 22:08:38 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 23 Jun 2011 22:08:38 +0000
Subject: [Freeipa-users] sssd v "other" methods
In-Reply-To: <1308864722.1990.20.camel@sgallagh520.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E402A611ED2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1308864722.1990.20.camel@sgallagh520.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E402A612F03@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I didn't really mean pointing sssd at something else besides IPA, but whether any other "package" can do what sssd and HBAC can achieve....

In a way I'm looking to justify why we buy IPA as opposed to connecting directly to AD or using something like Likewise.

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
Sent: Friday, 24 June 2011 9:32 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sssd v "other" methods

On Thu, 2011-06-23 at 21:17 +0000, Steven Jones wrote:
> Hi,
>
> Looking at sssd enforcing the HBAC, is it possible to [easily] or even
> possible at all to achieve the same thing with say openldap or 389?

Right now, the SSSD is making certain assumptions that the server providing the HBAC rules is an IPA server. However, I know that JR Aquino wrote a pam_python module a while ago that works (without offline capabilities) with the current HBAC approach.

Things will get a little more complex when the HBAC rules are extended to support time ranges, though. But there's no firm timeline on that yet.
From dpal at redhat.com Thu Jun 23 22:26:35 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 23 Jun 2011 18:26:35 -0400
Subject: [Freeipa-users] sssd v "other" methods
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E402A612F03@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E402A611ED2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1308864722.1990.20.camel@sgallagh520.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E402A612F03@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E03BD9B.20608@redhat.com>

On 06/23/2011 06:08 PM, Steven Jones wrote:
> Hi,
>
> I didn't really mean pointing sssd at something else besides IPA, but whether any other "package" can do what sssd and HBAC can achieve....
>
> In a way I'm looking to justify why we buy IPA as opposed to connecting directly to AD or using something like Likewise.

I do not get the question. If you are considering Likewise, it will extend the AD access controls to the client. It is up to you to compare all the technical and non-technical benefits of either approach. Unfortunately we can't help you with any white papers containing comparisons of the alternatives or pricing for IPA at the moment. But we will be very interested to hear your opinion on why it is worth or not worth using IPA + SSSD vs AD + Likewise.

> regards
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
> Sent: Friday, 24 June 2011 9:32 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sssd v "other" methods
>
> On Thu, 2011-06-23 at 21:17 +0000, Steven Jones wrote:
>> Hi,
>>
>> Looking at sssd enforcing the HBAC, is it possible to [easily] or even
>> possible at all to achieve the same thing with say openldap or 389?
> Right now, the SSSD is making certain assumptions that the server
> providing the HBAC rules is an IPA server. However, I know that JR
> Aquino wrote a pam_python module a while ago that works (without offline
> capabilities) with the current HBAC approach.
>
> Things will get a little more complex when the HBAC rules are extended
> to support time ranges, though. But there's no firm timeline on that
> yet.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From shelltoesuperstar at gmail.com Thu Jun 23 22:37:28 2011
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Thu, 23 Jun 2011 23:37:28 +0100
Subject: [Freeipa-users] ipa-client-install errors via kickstart
In-Reply-To: <4E037DC7.5010805@redhat.com>
References: <4E026356.1040805@redhat.com> <4E037DC7.5010805@redhat.com>
Message-ID:

On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden wrote:
> Charlie Derwent wrote:
>
>> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden wrote:
>>
>> Charlie Derwent wrote:
>>
>> Hi
>>
>> I'm running FreeIPA server on F14 and connecting to a F14
>> client. When I run ipa-client-install (via kickstart or after
>> the client has installed) I'm getting the following error message.
>>
>> root : DEBUG
>> root : ERROR LDAP Error: Connect error: Start TLS request
>> accepted. Server willing to negotiate SSL
>> Failed to verify that ipa.test.net
>> is an IPA server
>>
>> This may mean that the remote server is not up or is not
>> reachable due to network or firewall settings
>>
>> What version of IPA are you running on the client and server?
>>
>> Server is running 2.0.0.rc3-0
>> F14 Client is running 2.0.0.rc3-0
>> RHEL 5.6 Clients are running 2.0-10.el5_6.1
>> All the boxes are 64-bit
>
> How are you invoking ipa-client-install?
> The error message looks a bit odd
> and I'm not sure if it is a mail client mucking it up or something else (the
> addition of http://ipa.test.net)
>
> rob

Yeah, that's a mail client quirk; there was only one http://ipa.test.net in my original email.

I'm getting the same error if I run "ipa-client-install" with no switches or "ipa-client-install --server=ipa.test.net --domain=test.net --realm=TEST.NET etc..". There are other switches I have in my kickstart scripts but I'm not at the lab right now so I couldn't tell you what they are; suffice to say I'm connecting without any issue if I rekick a rhel or centos build on the exact same server.

The really weird thing is I have an older box I built to F14 a few weeks ago and that's been connected for weeks with the exact same client rpm, I just hope I don't have to rebuild it! Is there any way to check if the dependencies between the two builds vary?

Charlie

>> Can you check the 389-ds access log to see if you can see the
>> connection and any errors reported with it?
>>
>> Nothing in the access.log on the server.
>>
>> The ipa server is definitely up and running, it's still
>> authenticating other servers in the network and when I rebuild the
>> client with rhel or centos it can enroll (almost) without issue (see below).
>>
>> The second issue was this certmonger related bug where
>> certmonger fails to start on new install
>> (https://bugzilla.redhat.com/show_bug.cgi?id=636894)
>> was it resolved in Red Hat 5 as I think I'm experiencing the issue
>> with my RH5u6 clients?
>>
>> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
>> restart messagebus after installing certmonger. Should be easy to do
>> in a kickstart.
>>
>> yeah got the "killall -HUP dbus-daemon" in there now.
>>
>> Cheers
>> Charlie
>>
>> rob
From dlackey at redhat.com Thu Jun 23 22:53:13 2011
From: dlackey at redhat.com (Deon Lackey)
Date: Thu, 23 Jun 2011 18:53:13 -0400
Subject: [Freeipa-users] issues + docs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E402A611EC9@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4E038707.4030208@redhat.com> <833D8E48405E064EBC54C84EC6B36E402A611EC9@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E03C3D9.5080300@redhat.com>

Steven Jones wrote, on 06/23/2011 05:16 PM:
> Wow, this looks like a huge improvement... I can see my next few days are booked.
>
> More pictures showing how to do things please....
>

For you, I'll do it! But only for you. :)

Actually, it's already on my project to-do list. FreeIPA v2.1 is having a big UI facelift, so I'll probably wait till that's more complete before I start grabbing screenshots. I'm estimating about a month or so. It's coming: https://fedorahosted.org/freeipa-guide/roadmap (I'll be adding tickets for the roadmap soon.)

In the meantime, I'm going to work on enhancing the CLI examples for the existing procedures. Any and all input is welcome.

Deon

From pieter.baele at gmail.com Fri Jun 24 08:28:41 2011
From: pieter.baele at gmail.com (Pieter Baele)
Date: Fri, 24 Jun 2011 10:28:41 +0200
Subject: [Freeipa-users] kinit working, but ipa-client-install not (client not found)
In-Reply-To: <4E037EFF.70809@redhat.com>
References: <4E037EFF.70809@redhat.com>
Message-ID:

On Thu, Jun 23, 2011 at 19:59, Rob Crittenden wrote:
> Pieter Baele wrote:
>>
>> My new freeipa installation is working (server + kinit on a host where
>> I configured krb5.conf manually)
>> but ipa-client-install gives the typical Kerberos error:
>>
>> kinit: Client not found in Kerberos database while getting initial
>> credentials
>>
>> Both hosts are resolvable
>
> I'd suggest looking at /var/log/krb5kdc.log on the server after trying a
> kinit. This should tell you the name it is trying to resolve.
>
> rob
>

About this issue, nothing is logged in /var/log/krb5kdc.log.....
I used this command now: ipa-client-install --server ipa1.example.org --domain example.org -p pieterb -W -d User 'pieterb' exists and has admin privileges Password for pieterb at EXAMPLE.ORG root : DEBUG args=kinit pieterb at EXAMPLE.ORG root : DEBUG stdout= root : DEBUG stderr=kinit: Client not found in Kerberos database while getting initial credentials root : DEBUG args=kdestroy root : DEBUG stdout= root : DEBUG stderr=kdestroy: No credentials cache found while destroying cache kinit: Client not found in Kerberos database while getting initial credentials From attila.bogar at linguamatics.com Fri Jun 24 08:32:40 2011 From: attila.bogar at linguamatics.com (=?ISO-8859-1?Q?Attila_Bog=E1r?=) Date: Fri, 24 Jun 2011 09:32:40 +0100 Subject: [Freeipa-users] 389-DS crashed In-Reply-To: <4E035C41.1080204@redhat.com> References: <4E034769.5010709@linguamatics.com> <4E035679.6090207@redhat.com> <4E035C41.1080204@redhat.com> Message-ID: <4E044BA8.2060003@linguamatics.com> On 23/06/11 16:31, Rich Megginson wrote: > > Is it possible this entry was deleted from AD between > 23/Jun/2011:14:46:15 and 23/Jun/2011:14:46:18 ? Yes, it can be. I mass-deleted all users in the container. Thanks, Attila From attila.bogar at linguamatics.com Fri Jun 24 08:34:56 2011 From: attila.bogar at linguamatics.com (=?ISO-8859-1?Q?Attila_Bog=E1r?=) Date: Fri, 24 Jun 2011 09:34:56 +0100 Subject: [Freeipa-users] Custom Fields on UI In-Reply-To: <4E035B82.2000904@redhat.com> References: <4E03332C.1040609@linguamatics.com> <4E035B82.2000904@redhat.com> Message-ID: <4E044C30.8070509@linguamatics.com> Hi, On 23/06/11 16:28, Rob Crittenden wrote: > What version of ipa are you using? The one bundled with F15. 
# rpm -qi freeipa-server Name : freeipa-server Version : 2.0.1 Release : 2.fc15 Architecture: x86_64 Install Date: Mon 20 Jun 2011 10:52:12 BST Group : System Environment/Base Size : 2567882 License : GPLv3+ Signature : RSA/SHA256, Sun 08 May 2011 22:28:28 BST, Key ID b4ebf579069c8460 Source RPM : freeipa-2.0.1-2.fc15.src.rpm Build Date : Fri 06 May 2011 15:50:09 BST Build Host : x86-06.phx2.fedoraproject.org Thanks, Attila From mkosek at redhat.com Fri Jun 24 12:37:08 2011 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 24 Jun 2011 14:37:08 +0200 Subject: [Freeipa-users] kinit working, but ipa-client-install not (client not found) In-Reply-To: References: <4E037EFF.70809@redhat.com> Message-ID: <1308919031.12273.30.camel@dhcp-25-52.brq.redhat.com> On Fri, 2011-06-24 at 10:28 +0200, Pieter Baele wrote: > On Thu, Jun 23, 2011 at 19:59, Rob Crittenden wrote: > > Pieter Baele wrote: > >> > >> My new freeipa installation is working (server + kinit on a host where > >> I configured krb5.conf manually) > >> but ipa-client-install gives the typical Kerberos error: > >> > >> kinit: Client not found in Kerberos database while getting initial > >> credentials > >> > >> Both hosts are resolvable > > > > I'd suggest looking at /var/log/krb5kdc.log on the server after trying a > > kinit. This should tell you the name it is trying to resolve. > > > > rob > > > > About this issue, nothing is logged in /var/log/krb5kdc.log..... 
> > I used this command now: > ipa-client-install --server ipa1.example.org --domain example.org -p > pieterb -W -d > > User 'pieterb' exists and has admin privileges > > > Password for pieterb at EXAMPLE.ORG > root : DEBUG args=kinit pieterb at EXAMPLE.ORG > root : DEBUG stdout= > root : DEBUG stderr=kinit: Client not found in Kerberos > database while getting initial credentials > > > root : DEBUG args=kdestroy > root : DEBUG stdout= > root : DEBUG stderr=kdestroy: No credentials cache found > while destroying cache > > kinit: Client not found in Kerberos database while getting initial credentials > Is pieterb a user you added in your IPA server or its just in your local master machine local files (/etc/passwd)? I.e. can you run `ipa user-show pieterb`? What if you run ipa-client-install with "-p admin" instead of "-p pieterb" - does it work? Martin From rcritten at redhat.com Fri Jun 24 12:48:12 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 24 Jun 2011 08:48:12 -0400 Subject: [Freeipa-users] kinit working, but ipa-client-install not (client not found) In-Reply-To: References: <4E037EFF.70809@redhat.com> Message-ID: <4E04878C.4060501@redhat.com> Pieter Baele wrote: > On Thu, Jun 23, 2011 at 19:59, Rob Crittenden wrote: >> Pieter Baele wrote: >>> >>> My new freeipa installation is working (server + kinit on a host where >>> I configured krb5.conf manually) >>> but ipa-client-install gives the typical Kerberos error: >>> >>> kinit: Client not found in Kerberos database while getting initial >>> credentials >>> >>> Both hosts are resolvable >> >> I'd suggest looking at /var/log/krb5kdc.log on the server after trying a >> kinit. This should tell you the name it is trying to resolve. >> >> rob >> > > About this issue, nothing is logged in /var/log/krb5kdc.log..... 
> > I used this command now: > ipa-client-install --server ipa1.example.org --domain example.org -p > pieterb -W -d > > User 'pieterb' exists and has admin privileges > > > Password for pieterb at EXAMPLE.ORG > root : DEBUG args=kinit pieterb at EXAMPLE.ORG > root : DEBUG stdout= > root : DEBUG stderr=kinit: Client not found in Kerberos > database while getting initial credentials > > > root : DEBUG args=kdestroy > root : DEBUG stdout= > root : DEBUG stderr=kdestroy: No credentials cache found > while destroying cache > > kinit: Client not found in Kerberos database while getting initial credentials If you aren't seeing anything in the kerberos logs I wonder if this is talking to the wrong KDC. ipa-client-install should include a copy of the krb5.conf it is using, does it match your working manual install? rob From danieljamesscott at gmail.com Fri Jun 24 17:57:03 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Fri, 24 Jun 2011 13:57:03 -0400 Subject: [Freeipa-users] Server installation problem Message-ID: Hi, I've just installed Fedora 15 onto a VM, configured networking and run the ipa-server-install script - the installation fails with the error: Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance root : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmplNsX1T' returned non-zero exit status 1 [3/3]: restarting directory server root : CRITICAL Failed to restart the directory server. See the installation log for details. Logfile is attached. Can anyone help with this? It looks like it's failing to start/configure the dirsrv service. Is it possible that it's conflicting with my existing FreeIPA 1.2.x servers elsewhere on the network? 
Thanks, Dan Scott -------------- next part -------------- A non-text attachment was scrubbed... Name: ipaserver-install.log Type: text/x-log Size: 13400 bytes Desc: not available URL: From rcritten at redhat.com Fri Jun 24 18:00:47 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 24 Jun 2011 14:00:47 -0400 Subject: [Freeipa-users] Server installation problem In-Reply-To: References: Message-ID: <4E04D0CF.7020606@redhat.com> Dan Scott wrote: > Hi, > > I've just installed Fedora 15 onto a VM, configured networking and run > the ipa-server-install script - the installation fails with the error: > > Configuring ntpd > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > done configuring ntpd. > Configuring directory server for the CA: Estimated time 30 seconds > [1/3]: creating directory server user > [2/3]: creating directory server instance > root : CRITICAL failed to restart ds instance Command > '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmplNsX1T' > returned non-zero exit status 1 > [3/3]: restarting directory server > root : CRITICAL Failed to restart the directory server. See the > installation log for details. > > Logfile is attached. > > Can anyone help with this? It looks like it's failing to > start/configure the dirsrv service. Is it possible that it's > conflicting with my existing FreeIPA 1.2.x servers elsewhere on the > network? > > Thanks, > > Dan Scott There has recently been an SELinux problem on F-15 that has affected 389-ds installation. Can you see if there are any AVCS for ns-slapd in /var/log/audit/audit.log? 
rob From danieljamesscott at gmail.com Fri Jun 24 18:18:38 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Fri, 24 Jun 2011 14:18:38 -0400 Subject: [Freeipa-users] Server installation problem In-Reply-To: <4E04D0CF.7020606@redhat.com> References: <4E04D0CF.7020606@redhat.com> Message-ID: Hi, On Fri, Jun 24, 2011 at 14:00, Rob Crittenden wrote: > Dan Scott wrote: >> I've just installed Fedora 15 onto a VM, configured networking and run >> the ipa-server-install script - the installation fails with the error: >> >> Configuring ntpd >> ? [1/4]: stopping ntpd >> ? [2/4]: writing configuration >> ? [3/4]: configuring ntpd to start on boot >> ? [4/4]: starting ntpd >> done configuring ntpd. >> Configuring directory server for the CA: Estimated time 30 seconds >> ? [1/3]: creating directory server user >> ? [2/3]: creating directory server instance >> root ? ? ? ?: CRITICAL failed to restart ds instance Command >> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmplNsX1T' >> returned non-zero exit status 1 >> ? [3/3]: restarting directory server >> root ? ? ? ?: CRITICAL Failed to restart the directory server. See the >> installation log for details. >> >> Logfile is attached. >> >> Can anyone help with this? It looks like it's failing to >> start/configure the dirsrv service. Is it possible that it's >> conflicting with my existing FreeIPA 1.2.x servers elsewhere on the >> network? >> >> Thanks, >> >> Dan Scott > > There has recently been an SELinux problem on F-15 that has affected 389-ds > installation. Can you see if there are any AVCS for ns-slapd in > /var/log/audit/audit.log? > > rob > That seems to be the problem, thanks. 
[root at pc51 ~]# grep denied /var/log/audit/audit.log type=AVC msg=audit(1308936867.797:102): avc: denied { read } for pid=8274 comm="ns-slapd" name="lock" dev=dm-1 ino=1307 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file type=AVC msg=audit(1308937468.228:103): avc: denied { read } for pid=8323 comm="ns-slapd" name="lock" dev=dm-1 ino=1307 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file [root at pc51 ~]# grep denied /var/log/audit/audit.log|audit2allow #============= dirsrv_t ============== allow dirsrv_t var_t:lnk_file read; [root at pc51 ~]# I had a quick look through bugzilla, and didn't find a bug related to this. Do I need to file one? Or is it all OK? Thanks, Dan From shelltoesuperstar at gmail.com Sun Jun 26 12:35:14 2011 From: shelltoesuperstar at gmail.com (Charlie Derwent) Date: Sun, 26 Jun 2011 13:35:14 +0100 Subject: [Freeipa-users] ipa-client-install errors via kickstart In-Reply-To: <4E037DC7.5010805@redhat.com> References: <4E026356.1040805@redhat.com> <4E037DC7.5010805@redhat.com> Message-ID: On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden wrote: > Charlie Derwent wrote: > >> >> >> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden > > wrote: >> >> Charlie Derwent wrote: >> >> Hi >> >> I'm running FreeIPA server on F14 and connecting to a F14 >> client. When I >> run ipa-client-install (via kickstart or after the client has >> installed) >> I'm getting the following error message. >> >> root : DEBUG >> root : ERROR LDAP Error: Connect error: Start TLS request >> accepted. Server willing to negotiate SSL >> Failed to verify that ipa.test.net >> is an IPA server >> >> This may mean that the remote server is not up or is not >> reachable due >> to network or firewall settings >> >> >> What version of IPA are you running on the client and server? 
>> >> Server is running 2.0.0.rc3-0 >> F14 Client is running 2.0.0.rc3-0 >> RHEL 5.6 Clients are running 2.0-10.el5_6.1 >> All the boxes are 64-bit >> > > How are you invoking ipa-client-install? The error message looks a bit odd > and I'm not sure if it is a mail client mucking it up or something else (the > addition of http://ipa.test.net) > > rob > > > >> Can you check the 389-ds access log to see if you can see the >> connection and any errors reported with it? >> >> Nothing in the access.log on the server. >> >> >> >> >> The ipa server is definately up and running, it's still >> authenticating >> other servers in the network and when I rebuild the client with >> rhel or >> centos it can enroll (almost) without issue (see below). >> >> The second issue was this certmonger related bug where >> certmonger fails >> to start on new install >> (https://bugzilla.redhat.com/_**_show_bug.cgi?id=636894 >> >) >> was it >> resolved in >> Red Hat 5 as I think i'm expering the issue with my RH5u6 clients? >> >> >> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to >> restart messagebus after installing certmonger. Should be easy to do >> in a kickstart. >> >> >> yeah got the "killall -HUP dbus-daemon" in there now. >> >> Cheers >> Charlie >> >> >> rob >> >> >> > Figured it out! Well partly... it's a dependency issue. I installed pretty much everything onto the box and it started to work but on my cut down server no joy. Finding the missing RPM might be a little bit more trickier unless someone could deduce what RPM's absence could cause that error? It's hard cause it may be a dependency for the ipa-client or a dependency of a dependency and so forth! Cheers Charlie -------------- next part -------------- An HTML attachment was scrubbed... 
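Charlie's question of how to find which RPM differs between the working box and the cut-down one can be answered by diffing the two hosts' package lists (the `rpm -qa > list` comparison Rob suggests later in this thread). The script below is an added example, not code from the list or the FreeIPA project; it assumes each host's `rpm -qa | sort` output has been saved to a file, and the two lists it builds are constructed samples whose version numbers are invented.

```shell
#!/bin/sh
# Added example (not from the thread): compare the installed-package sets of a
# working client and a failing one to spot RPMs present only on the working box,
# and packages that are installed on both but at different versions.
# Each host would produce its list with `rpm -qa | sort > hostname.list`.
LC_ALL=C; export LC_ALL

# Reduce name-version-release.arch to the bare package name, sorted and unique,
# so that a mere version difference is not reported as a missing package.
pkg_names() {
    awk '{ sub(/-[^-]+-[^-]+$/, ""); print }' "$1" | sort -u
}

# Emit "name nvra" pairs so the two lists can be joined on the package name.
name_nvra() {
    awk '{ n = $0; sub(/-[^-]+-[^-]+$/, "", n); print n, $0 }' "$1" | sort -u
}

# Packages present (by name) in the first list but absent from the second.
missing_pkgs() {
    a=$(mktemp); b=$(mktemp)
    pkg_names "$1" > "$a"; pkg_names "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Packages installed on both hosts but at a different version-release.
version_diffs() {
    a=$(mktemp); b=$(mktemp)
    name_nvra "$1" > "$a"; name_nvra "$2" > "$b"
    join "$a" "$b" | awk '$2 != $3 { print $1 ": " $2 " vs " $3 }'
    rm -f "$a" "$b"
}

# Constructed sample lists: real package names, invented versions.
WORKING_LIST=$(mktemp); FAILING_LIST=$(mktemp)
cat > "$WORKING_LIST" <<'EOF'
certmonger-0.42-1.fc14.x86_64
ipa-client-2.0.0-0.rc3.fc14.x86_64
nss-3.12.9-2.fc14.x86_64
python-ldap-2.3.10-1.fc14.x86_64
sssd-1.5.1-1.fc14.x86_64
EOF
cat > "$FAILING_LIST" <<'EOF'
certmonger-0.42-1.fc14.x86_64
ipa-client-2.0.0-0.rc3.fc14.x86_64
nss-3.12.8-1.fc14.x86_64
EOF

echo "Installed on the working client but not on the failing one:"
missing_pkgs "$WORKING_LIST" "$FAILING_LIST"
echo "Same package, different version:"
version_diffs "$WORKING_LIST" "$FAILING_LIST"
```

Run it with the two real lists in place of the samples; a package that shows up in the first report is the first candidate for `yum install` on the failing host, and a `yum deplist` of that package answers the dependency-of-a-dependency question.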
From: Christian Horn (chorn at fluxcoil.net)
Date: Sun, 26 Jun 2011 21:55:40 +0200
Subject: [Freeipa-users] issues + docs
In-Reply-To: <4E038707.4030208@redhat.com>
References: <4E038707.4030208@redhat.com>
Message-ID: <20110626195540.GB13250@fluxcoil.net>

On Thu, Jun 23, 2011 at 02:33:43PM -0400, Deon Lackey wrote:
>
> I'm culling through some of the recent issues on this list to make
> sure they end up on the FreeIPA wiki or in the FreeIPA guide
> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html).

Really nice to see the multi-stage concept, with development happening at
Fedora and the code used in an enterprise-grade supported product, extended to
documentation here :)

Christian

From: Steven Jones (Steven.Jones at vuw.ac.nz)
Date: Sun, 26 Jun 2011 21:13:36 +0000
Subject: [Freeipa-users] Kevin Unthank
Message-ID: <833D8E48405E064EBC54C84EC6B36E402A620B9B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Has he left Red Hat? If so who is his replacement?

regards

From: Muhammad Naufal (naufal26.tik at gmail.com)
Date: Mon, 27 Jun 2011 15:00:03 +0700
Subject: [Freeipa-users] Help, cert validation failed

Please help, I've installed freeipa v2 on fedora 15. The freeipa web interface
works fine, but in the CLI when I type `ipa user-find admin` I get this error:

    ipa: ERROR: cert validation failed for "CN=freeipa.local,O=FREEIPA.LOCAL" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
    ipa: ERROR: cannot connect to u'https://freeipa.local/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

What's wrong with the cert?

Thanks for any assistance provided.

From: Muhammad Naufal (naufal26.tik at gmail.com)
Date: Mon, 27 Jun 2011 15:50:18 +0700
Subject: [Freeipa-users] How to configure MIT Kerberos in Microsoft Windows XP

I have read the documentation here:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html
But I'm stuck in instruction number 5:

    5. Select "Download from web path", and enter the following URL:
       http:///ipa/config/

I've got an error when downloading the config; it says:

    Download failed HTTP/1.0 504 Gateway Time-out

Then I go to my freeipa server config URL http://freeipa.local/ipa/config/ and
it says:

    Forbidden. You don't have permission to access /ipa/config/ on this server.

How do I install MIT Kerberos in Microsoft Windows XP correctly? How should my
configuration on the freeipa server be?

Thanks for any assistance provided, again.

From: JoachimBadzong (badzong at wizard.franken.de)
Date: Sun, 26 Jun 2011 19:00:51 +0200
Subject: [Freeipa-users] ipa client install problem
Message-ID: <1309107651.26434.6.camel@notebookjojo>

Hi,

I have set up a freeipa server ( 2.0.1-2 ) with FC15 and have now tried to
install the ipa client on a client machine. When I start ipa-client-install
( 2.0.1-2 ) it detects everything as it should be. I can enter the admin
principal and the password, but then I get the following error message:

    Joining realm failed because of failing XML-RPC request.
    This error may be caused by incompatible server/client major versions.

As both rpms ( server and client ) have the same version I just don't
understand the message.

What's wrong? Where can I look to find more information to solve that?

Thanks for any hint.
J

From: Adam Young (ayoung at redhat.com)
Date: Mon, 27 Jun 2011 09:07:06 -0400
Subject: [Freeipa-users] ipa-client-install errors via kickstart
References: <4E026356.1040805@redhat.com> <4E037DC7.5010805@redhat.com>
Message-ID: <4E08807A.5070003@redhat.com>

On 06/26/2011 08:35 AM, Charlie Derwent wrote:
>
> On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden wrote:
>
> Charlie Derwent wrote:
>
> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden wrote:
>
> Charlie Derwent wrote:
>
> Hi
>
> I'm running FreeIPA server on F14 and connecting to a F14 client. When I
> run ipa-client-install (via kickstart or after the client has installed)
> I'm getting the following error message.
>
> root        : DEBUG
> root        : ERROR    LDAP Error: Connect error: Start TLS request
> accepted. Server willing to negotiate SSL
> Failed to verify that ipa.test.net is an IPA server
>
> This may mean that the remote server is not up or is not reachable due
> to network or firewall settings
>
> What version of IPA are you running on the client and server?
>
> Server is running 2.0.0.rc3-0
> F14 Client is running 2.0.0.rc3-0
> RHEL 5.6 Clients are running 2.0-10.el5_6.1
> All the boxes are 64-bit
>
> How are you invoking ipa-client-install? The error message looks a
> bit odd and I'm not sure if it is a mail client mucking it up or
> something else (the addition of http://ipa.test.net)
>
> rob
>
> Can you check the 389-ds access log to see if you can see the
> connection and any errors reported with it?
>
> Nothing in the access.log on the server.
>
> The ipa server is definitely up and running, it's still authenticating
> other servers in the network and when I rebuild the client with rhel or
> centos it can enroll (almost) without issue (see below).
>
> The second issue was this certmonger related bug where certmonger fails
> to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894)
> was it resolved in Red Hat 5 as I think I'm experiencing the issue with my
> RH5u6 clients?
>
> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
> restart messagebus after installing certmonger. Should be easy to do
> in a kickstart.
>
> yeah got the "killall -HUP dbus-daemon" in there now.
>
> Cheers
> Charlie
>
> rob
>
> Figured it out! Well partly... it's a dependency issue. I installed
> pretty much everything onto the box and it started to work but on my
> cut down server no joy. Finding the missing RPM might be a little bit
> trickier unless someone could deduce what RPM's absence could
> cause that error?
>
> It's hard cause it may be a dependency for the ipa-client or a
> dependency of a dependency and so forth!

If you are doing a DNS install for the server, you need bind-dyndb-ldap, which
is the LDAP backend for the DNS server.

> Cheers
> Charlie

From: Uzor Ide (ide4you at gmail.com)
Date: Mon, 27 Jun 2011 09:08:57 -0400
Subject: [Freeipa-users] ipa client install problem
In-Reply-To: <1309107651.26434.6.camel@notebookjojo>
References: <1309107651.26434.6.camel@notebookjojo>

Your server is missing some files. Check and make sure that you have some files
in the /etc/ipa/html directory. This usually occurs when you do an in-place
upgrade of the fedora box containing freeipa-server.

__Ide

On Sun, Jun 26, 2011 at 1:00 PM, JoachimBadzong wrote:
> Hi,
>
> I have set up a freeipa server ( 2.0.1-2 ) with FC15 and have now tried
> to install the ipa client on a client machine.
> When I start ipa-client-install ( 2.0.1-2 ) it detects everything as
> it should be. I can enter the admin principal and the password, but then I
> get the following error message:
>
> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.
>
> As both rpms ( server and client ) have the same version I just don't
> understand the message.
>
> What's wrong?
> Where can I look to find more information to solve that?
>
> Thanks for any hint.
> J

From: Charlie Derwent (shelltoesuperstar at gmail.com)
Date: Mon, 27 Jun 2011 14:54:50 +0100
Subject: [Freeipa-users] ipa-client-install errors via kickstart
In-Reply-To: <4E08807A.5070003@redhat.com>
References: <4E026356.1040805@redhat.com> <4E037DC7.5010805@redhat.com> <4E08807A.5070003@redhat.com>

On Mon, Jun 27, 2011 at 2:07 PM, Adam Young wrote:
> On 06/26/2011 08:35 AM, Charlie Derwent wrote:
>
> On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden wrote:
>
>> Charlie Derwent wrote:
>>
>>> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden wrote:
>>>
>>> Charlie Derwent wrote:
>>>
>>> Hi
>>>
>>> I'm running FreeIPA server on F14 and connecting to a F14 client. When I
>>> run ipa-client-install (via kickstart or after the client has installed)
>>> I'm getting the following error message.
>>>
>>> root        : DEBUG
>>> root        : ERROR    LDAP Error: Connect error: Start TLS request
>>> accepted. Server willing to negotiate SSL
>>> Failed to verify that ipa.test.net is an IPA server
>>>
>>> This may mean that the remote server is not up or is not reachable due
>>> to network or firewall settings
>>>
>>> What version of IPA are you running on the client and server?
>>>
>>> Server is running 2.0.0.rc3-0
>>> F14 Client is running 2.0.0.rc3-0
>>> RHEL 5.6 Clients are running 2.0-10.el5_6.1
>>> All the boxes are 64-bit
>>
>> How are you invoking ipa-client-install? The error message looks a bit odd
>> and I'm not sure if it is a mail client mucking it up or something else (the
>> addition of http://ipa.test.net)
>>
>> rob
>>
>>> Can you check the 389-ds access log to see if you can see the
>>> connection and any errors reported with it?
>>>
>>> Nothing in the access.log on the server.
>>>
>>> The ipa server is definitely up and running, it's still authenticating
>>> other servers in the network and when I rebuild the client with rhel or
>>> centos it can enroll (almost) without issue (see below).
>>>
>>> The second issue was this certmonger related bug where certmonger fails
>>> to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894)
>>> was it resolved in Red Hat 5 as I think I'm experiencing the issue with my
>>> RH5u6 clients?
>>>
>>> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to
>>> restart messagebus after installing certmonger. Should be easy to do
>>> in a kickstart.
>>>
>>> yeah got the "killall -HUP dbus-daemon" in there now.
>>>
>>> Cheers
>>> Charlie
>>>
>>> rob
>
> Figured it out! Well partly... it's a dependency issue. I installed pretty
> much everything onto the box and it started to work but on my cut down
> server no joy. Finding the missing RPM might be a little bit trickier
> unless someone could deduce what RPM's absence could cause that error?
>
> It's hard cause it may be a dependency for the ipa-client or a dependency
> of a dependency and so forth!
>
> If you are doing a DNS install for the server, you need bind-dyndb-ldap,
> which is the LDAP backend for the DNS server.

This was a client side issue (apologies for saying "cut down server", I meant
server in a hardware sense rather than the server/client model). But yeah,
bind-dyndb-ldap is installed on my server.

Charlie

> Cheers
> Charlie

From: Rob Crittenden (rcritten at redhat.com)
Date: Mon, 27 Jun 2011 10:53:27 -0400
Subject: [Freeipa-users] Server installation problem
References: <4E04D0CF.7020606@redhat.com>
Message-ID: <4E089967.1010701@redhat.com>

Dan Scott wrote:
> Hi,
>
> On Fri, Jun 24, 2011 at 14:00, Rob Crittenden wrote:
>> Dan Scott wrote:
>>> I've just installed Fedora 15 onto a VM, configured networking and run
>>> the ipa-server-install script - the installation fails with the error:
>>>
>>> Configuring ntpd
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> done configuring ntpd.
>>> Configuring directory server for the CA: Estimated time 30 seconds
>>>   [1/3]: creating directory server user
>>>   [2/3]: creating directory server instance
>>> root        : CRITICAL failed to restart ds instance Command
>>> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmplNsX1T'
>>> returned non-zero exit status 1
>>>   [3/3]: restarting directory server
>>> root        : CRITICAL Failed to restart the directory server. See the
>>> installation log for details.
>>>
>>> Logfile is attached.
>>>
>>> Can anyone help with this? It looks like it's failing to
>>> start/configure the dirsrv service. Is it possible that it's
>>> conflicting with my existing FreeIPA 1.2.x servers elsewhere on the
>>> network?
>>>
>>> Thanks,
>>>
>>> Dan Scott
>>
>> There has recently been an SELinux problem on F-15 that has affected 389-ds
>> installation. Can you see if there are any AVCs for ns-slapd in
>> /var/log/audit/audit.log?
>>
>> rob
>
> That seems to be the problem, thanks.
>
> [root at pc51 ~]# grep denied /var/log/audit/audit.log
> type=AVC msg=audit(1308936867.797:102): avc:  denied  { read } for
> pid=8274 comm="ns-slapd" name="lock" dev=dm-1 ino=1307
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> type=AVC msg=audit(1308937468.228:103): avc:  denied  { read } for
> pid=8323 comm="ns-slapd" name="lock" dev=dm-1 ino=1307
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> [root at pc51 ~]# grep denied /var/log/audit/audit.log|audit2allow
>
>
> #============= dirsrv_t ==============
> allow dirsrv_t var_t:lnk_file read;
> [root at pc51 ~]#
>
> I had a quick look through bugzilla, and didn't find a bug related to
> this. Do I need to file one? Or is it all OK?
>
> Thanks,
>
> Dan

The bug is https://bugzilla.redhat.com/show_bug.cgi?id=696819 which is
modified, you may want to see if there is a pending fix in updates-testing.

rob
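Rob's question above ("are there any AVCs for ns-slapd?") and the audit2allow output Dan pasted can both be reproduced from the raw audit records. The script below is an added example, not code from the thread or from FreeIPA: it summarises AVC denials per command, source and target type, and renders each summary in the allow-rule form audit2allow prints. The audit.log it reads is a constructed sample made of Dan's two ns-slapd records plus two invented filler records (a USER_START entry and an httpd denial).

```shell
#!/bin/sh
# Added example (not from the thread): triage SELinux AVC denials in an audit.log.
# The denied object in Dan's records is a symlink named "lock" labelled var_t,
# i.e. ns-slapd (running as dirsrv_t) following /var/lock. A local allow rule
# would silence it, but the proper fix was the updated policy in the bug Rob cites.
LC_ALL=C; export LC_ALL

# Constructed sample log: Dan's two AVC records plus two invented filler lines.
AUDIT_LOG=$(mktemp)
cat > "$AUDIT_LOG" <<'EOF'
type=USER_START msg=audit(1308936860.000:101): pid=8270 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" res=success'
type=AVC msg=audit(1308936867.797:102): avc:  denied  { read } for  pid=8274 comm="ns-slapd" name="lock" dev=dm-1 ino=1307 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1308937468.228:103): avc:  denied  { read } for  pid=8323 comm="ns-slapd" name="lock" dev=dm-1 ino=1307 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1308937470.000:104): avc:  denied  { read open } for  pid=8400 comm="httpd" name="example.conf" dev=dm-1 ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF

# One line per distinct (comm, source type, target type, class, perms), with a
# count, so repeated denials of the same thing collapse into a single row.
avc_summary() {
    grep '^type=AVC ' "$1" | awk '
    {
        # the permission set sits between "{ " and " }"
        perm = ""
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
        }
        comm = stype = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            # keep only the type component (third field) of each context
            if (k == "comm") comm = v
            else if (k == "scontext") { split(v, c, ":"); stype = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
            else if (k == "tclass") tclass = v
        }
        count[comm " " stype " " ttype " " tclass " " perm]++
    }
    END { for (key in count) print count[key], key }' | sort
}

# Exit 0 if the log holds at least one denial for the given command name.
avc_for_comm() {
    grep -q "^type=AVC .*comm=\"$2\"" "$1"
}

# Render each summary row in the form audit2allow prints. Treat the result as a
# diagnosis to read, not a rule to load: a policy update is the usual real fix.
allow_rules() {
    avc_summary "$1" | awk '{
        gsub(/,/, " ", $6)
        print "allow " $3 " " $4 ":" $5 " " ($6 ~ / / ? "{ " $6 " }" : $6) ";"
    }'
}

echo "count comm source_type target_type class perms"
avc_summary "$AUDIT_LOG"
if avc_for_comm "$AUDIT_LOG" ns-slapd; then
    echo "ns-slapd is being denied; equivalent allow rules:"
    allow_rules "$AUDIT_LOG"
fi
```

Point `avc_summary` at the real /var/log/audit/audit.log to get the same table for a live host; the count column is what separates a one-off denial from a service that is blocked on every restart.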
rob From rcritten at redhat.com Mon Jun 27 15:01:44 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 27 Jun 2011 11:01:44 -0400 Subject: [Freeipa-users] ipa-client-install errors via kickstart In-Reply-To: References: <4E026356.1040805@redhat.com> <4E037DC7.5010805@redhat.com> <4E08807A.5070003@redhat.com> Message-ID: <4E089B58.10800@redhat.com> Charlie Derwent wrote: > > > On Mon, Jun 27, 2011 at 2:07 PM, Adam Young > wrote: > > __ > On 06/26/2011 08:35 AM, Charlie Derwent wrote: >> >> >> On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden >> > wrote: >> >> Charlie Derwent wrote: >> >> >> >> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden >> >> >> >> wrote: >> >> Charlie Derwent wrote: >> >> Hi >> >> I'm running FreeIPA server on F14 and connecting to >> a F14 >> client. When I >> run ipa-client-install (via kickstart or after the >> client has >> installed) >> I'm getting the following error message. >> >> root : DEBUG >> root : ERROR LDAP Error: Connect error: >> Start TLS request >> accepted. Server willing to negotiate SSL >> Failed to verify that ipa.test.net >> >> is an IPA server >> >> This may mean that the remote server is not up or >> is not >> reachable due >> to network or firewall settings >> >> >> What version of IPA are you running on the client and >> server? >> >> Server is running 2.0.0.rc3-0 >> F14 Client is running 2.0.0.rc3-0 >> RHEL 5.6 Clients are running 2.0-10.el5_6.1 >> All the boxes are 64-bit >> >> >> How are you invoking ipa-client-install? The error message >> looks a bit odd and I'm not sure if it is a mail client >> mucking it up or something else (the addition of >> http://ipa.test.net) >> >> rob >> >> >> >> Can you check the 389-ds access log to see if you can >> see the >> connection and any errors reported with it? >> >> Nothing in the access.log on the server. 
>> >> >> >> >> The ipa server is definately up and running, it's still >> authenticating >> other servers in the network and when I rebuild the >> client with >> rhel or >> centos it can enroll (almost) without issue (see >> below). >> >> The second issue was this certmonger related bug where >> certmonger fails >> to start on new install >> (https://bugzilla.redhat.com/__show_bug.cgi?id=636894 >> ) was it >> resolved in >> Red Hat 5 as I think i'm expering the issue with my >> RH5u6 clients? >> >> >> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple >> fix is to >> restart messagebus after installing certmonger. Should >> be easy to do >> in a kickstart. >> >> >> yeah got the "killall -HUP dbus-daemon" in there now. >> >> Cheers >> Charlie >> >> >> rob >> >> >> >> >> Figured it out! Well partly... it's a dependency issue. I >> installed pretty much everything onto the box and it started to >> work but on my cut down server no joy. Finding the missing RPM >> might be a little bit more trickier unless someone could deduce >> what RPM's absence could cause that error? >> >> It's hard cause it may be a dependency for the ipa-client or a >> dependency of a dependency and so forth! > > If you are doing a DNS install for the server, you need > bind-dyndb-ldap, which is the LDAP backend for the DNS server. > > > This was a client side issue (apologies for saying "cut down server" I > meant server in a hardware sense rather that server/client model). But > yeah bind-dyndb-ldap is installed on my server. > A brute force way would be to do rpm -qa > list on both installs so we can compare the two and try to find some important difference. 
rob

From rcritten at redhat.com Mon Jun 27 15:24:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 27 Jun 2011 11:24:24 -0400
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
Message-ID: <4E08A0A8.3000709@redhat.com>

Muhammad Naufal wrote:
> I have read the documentation here http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html but I'm stuck in instruction number 5.
>
> 5. Select "Download from web path", and enter the following URL: http://<server name>/ipa/config/
>
> I got an error when downloading the config; it says: "Download failed HTTP/1.0 504 Gateway Time-out"
> Then I go to my freeipa server config url http://freeipa.local/ipa/config/ and it says "Forbidden. You don't have permission to access /ipa/config/ on this server."
> How to install MIT Kerberos in microsoft windows xp correctly? How should my configuration on the freeipa server be?
>
> Thanks again for any assistance provided.

Are you using a proxy server? I wonder if the proxy can get to the IPA installation.

Directory indexing is disabled on the directory so you can't browse the files.
You can confirm they exist by trying:

http://freeipa.local/ipa/config/krbrealm.con

rob

From ayoung at redhat.com Mon Jun 27 16:13:28 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 27 Jun 2011 12:13:28 -0400
Subject: [Freeipa-users] ipa-client-install errors via kickstart
In-Reply-To: <4E089B58.10800@redhat.com>
References: <4E026356.1040805@redhat.com> <4E037DC7.5010805@redhat.com> <4E08807A.5070003@redhat.com> <4E089B58.10800@redhat.com>
Message-ID: <4E08AC28.7020909@redhat.com>

On 06/27/2011 11:01 AM, Rob Crittenden wrote:
> Charlie Derwent wrote:
>> On Mon, Jun 27, 2011 at 2:07 PM, Adam Young wrote:
>>
>> On 06/26/2011 08:35 AM, Charlie Derwent wrote:
>>> On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden wrote:
>>>
>>> Charlie Derwent wrote:
>>>
>>> On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden wrote:
>>>
>>> Charlie Derwent wrote:
>>>
>>> Hi
>>>
>>> I'm running FreeIPA server on F14 and connecting to a F14 client. When I run ipa-client-install (via kickstart or after the client has installed) I'm getting the following error message.
>>>
>>> root : DEBUG
>>> root : ERROR LDAP Error: Connect error: Start TLS request accepted. Server willing to negotiate SSL
>>> Failed to verify that ipa.test.net is an IPA server
>>> This may mean that the remote server is not up or is not reachable due to network or firewall settings
>>>
>>> What version of IPA are you running on the client and server?
>>>
>>> Server is running 2.0.0.rc3-0
>>> F14 Client is running 2.0.0.rc3-0
>>> RHEL 5.6 Clients are running 2.0-10.el5_6.1
>>> All the boxes are 64-bit
>>>
>>> How are you invoking ipa-client-install? The error message looks a bit odd and I'm not sure if it is a mail client mucking it up or something else (the addition of http://ipa.test.net)
>>>
>>> rob
>>>
>>> Can you check the 389-ds access log to see if you can see the connection and any errors reported with it?
>>>
>>> Nothing in the access.log on the server.
>>>
>>> The ipa server is definitely up and running, it's still authenticating other servers in the network and when I rebuild the client with rhel or centos it can enroll (almost) without issue (see below).
>>>
>>> The second issue was this certmonger related bug where certmonger fails to start on new install (https://bugzilla.redhat.com/show_bug.cgi?id=636894); was it resolved in Red Hat 5 as I think I'm experiencing the issue with my RH5u6 clients?
>>>
>>> Looks like it wasn't fixed in RHEL 5.x. IIRC the simple fix is to restart messagebus after installing certmonger. Should be easy to do in a kickstart.
>>>
>>> yeah got the "killall -HUP dbus-daemon" in there now.
>>>
>>> Cheers
>>> Charlie
>>>
>>> rob
>>>
>>> Figured it out! Well partly... it's a dependency issue. I installed pretty much everything onto the box and it started to work but on my cut down server no joy. Finding the missing RPM might be a little bit trickier unless someone could deduce what RPM's absence could cause that error?
>>>
>>> It's hard because it may be a dependency for the ipa-client or a dependency of a dependency and so forth!
>>
>> If you are doing a DNS install for the server, you need bind-dyndb-ldap, which is the LDAP backend for the DNS server.
>>
>> This was a client side issue (apologies for saying "cut down server", I meant server in a hardware sense rather than the server/client model). But yeah bind-dyndb-ldap is installed on my server.
>
> A brute force way would be to do rpm -qa > list on both installs so we can compare the two and try to find some important difference.
>
> rob

Would the client install log report an error if something was missing?

/var/log/ipaclient-install.log

From badzong at wizard.franken.de Mon Jun 27 16:01:21 2011
From: badzong at wizard.franken.de (JoachimBadzong)
Date: Mon, 27 Jun 2011 18:01:21 +0200
Subject: [Freeipa-users] ipa client install problem
References: <1309107651.26434.6.camel@notebookjojo>
Message-ID: <1309190481.26434.9.camel@notebookjojo>

Hi,

have just checked that folder on server side:

-rw-r--r-- 1 root root  1209  6. Mai 16:50 browserconfig.html
-rw-r--r-- 1 root root 15076  6. Mai 16:50 ipa_error.css
-rw-r--r-- 1 root root  2954  6. Mai 16:50 ssbrowser.html
-rw-r--r-- 1 root root  1502  6. Mai 16:50 unauthorized.html

Is there anything missing? It's a new install on a naked, newly installed fc15 box.

Thanks

On Monday, 27.06.2011, 09:08 -0400, Uzor Ide wrote:
> Your server is missing some files.
> Check and make sure that you have some files in the /etc/ipa/html directory
>
> This usually occurs when you do an in-place upgrade of the fedora box containing freeipa-server
>
> __Ide
>
> On Sun, Jun 26, 2011 at 1:00 PM, JoachimBadzong wrote:
> Hi,
>
> I have set up a freeipa server (2.0.1-2) with FC15 and have now tried to install the ipa client on a client machine. When I start the ipa-client-install (2.0.1-2) it detects everything as it should be. I can enter the admin principal and the password, but then I get the following error message:
>
> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.
>
> As both rpms (server and client) have the same version I just don't understand the message.
>
> What's wrong? Where can I look to find more information to solve that?
>
> Thanks for any hint.
> J
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From ide4you at gmail.com Mon Jun 27 16:41:37 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Mon, 27 Jun 2011 12:41:37 -0400
Subject: [Freeipa-users] ipa client install problem
In-Reply-To: <1309190481.26434.9.camel@notebookjojo>
References: <1309107651.26434.6.camel@notebookjojo> <1309190481.26434.9.camel@notebookjojo>

If it is a new install you can run the install command with a --debug switch to see what it would report. You can also take a look at /var/log/httpd/error_log and access_log on the server.

I had a similar issue but the server was an upgrade. I found out though, that the error is very generic.

The fix in my case was a re-install of some packages on the server.

__Ide

On Mon, Jun 27, 2011 at 12:01 PM, JoachimBadzong wrote:
> Hi,
>
> have just checked that folder on server side:
> -rw-r--r-- 1 root root  1209  6. Mai 16:50 browserconfig.html
> -rw-r--r-- 1 root root 15076  6. Mai 16:50 ipa_error.css
> -rw-r--r-- 1 root root  2954  6. Mai 16:50 ssbrowser.html
> -rw-r--r-- 1 root root  1502  6. Mai 16:50 unauthorized.html
>
> Is there anything missing? It's a new install on a naked, newly installed fc15 box.
>
> Thanks
>
> On Monday, 27.06.2011, 09:08 -0400, Uzor Ide wrote:
> > Your server is missing some files.
> > Check and make sure that you have some files in the /etc/ipa/html directory
> >
> > This usually occurs when you do an in-place upgrade of the fedora box containing freeipa-server
> >
> > __Ide
> >
> > On Sun, Jun 26, 2011 at 1:00 PM, JoachimBadzong wrote:
> > Hi,
> >
> > I have set up a freeipa server (2.0.1-2) with FC15 and have now tried to install the ipa client on a client machine. When I start the ipa-client-install (2.0.1-2) it detects everything as it should be. I can enter the admin principal and the password, but then I get the following error message:
> >
> > Joining realm failed because of failing XML-RPC request.
> > This error may be caused by incompatible server/client major versions.
> >
> > As both rpms (server and client) have the same version I just don't understand the message.
> >
> > What's wrong? Where can I look to find more information to solve that?
> >
> > Thanks for any hint.
> > J

From badzong at wizard.franken.de Mon Jun 27 17:20:47 2011
From: badzong at wizard.franken.de (JoachimBadzong)
Date: Mon, 27 Jun 2011 19:20:47 +0200
Subject: [Freeipa-users] ipa client install problem
References: <1309107651.26434.6.camel@notebookjojo> <1309190481.26434.9.camel@notebookjojo>
Message-ID: <1309195247.26434.16.camel@notebookjojo>

Hi,

ok, your advice to take a look into the /var/log/httpd/error_log was good as far as I found more information here. On the other side I have to admit that these errors don't tell me really anything about what I could do.
So I post the messages here and hope that somebody has further ideas :-)

So from error_log when I try to make ipa-client-install:

[Mon Jun 27 19:13:57 2011] [error] ipa: ERROR: non-public: AttributeError: 'thread._local' object has no attribute 'principal'
[Mon Jun 27 19:13:57 2011] [error] Traceback (most recent call last):
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 218, in wsgi_execute
[Mon Jun 27 19:13:57 2011] [error]     result = self.Command[name](*args, **options)
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 421, in __call__
[Mon Jun 27 19:13:57 2011] [error]     ret = self.run(*args, **options)
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 727, in run
[Mon Jun 27 19:13:57 2011] [error]     return self.execute(*args, **options)
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/join.py", line 105, in execute
[Mon Jun 27 19:13:57 2011] [error]     allowed = ldap.can_write(dn, 'krblastpwdchange')
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
[Mon Jun 27 19:13:57 2011] [error]     return f(*new_args, **kwargs)
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 705, in can_write
[Mon Jun 27 19:13:57 2011] [error]     (dn, attrs) = self.get_effective_rights(dn, [attr])
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
[Mon Jun 27 19:13:57 2011] [error]     return f(*new_args, **kwargs)
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 691, in get_effective_rights
[Mon Jun 27 19:13:57 2011] [error]     principal = getattr(context, 'principal')
[Mon Jun 27 19:13:57 2011] [error] AttributeError: 'thread._local' object has no attribute 'principal'
[Mon Jun 27 19:13:57 2011] [error] ipa: ERROR: xmlserver.__call__():
[Mon Jun 27 19:13:57 2011] [error] Traceback (most recent call last):
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 246, in __call__
[Mon Jun 27 19:13:57 2011] [error]     response = self.wsgi_execute(environ)
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 230, in wsgi_execute
[Mon Jun 27 19:13:57 2011] [error]     self.info('%s: %s(%s): %s', context.principal, name, ', '.join(self.Command[name]._repr_iter(**params)), e.__class__.__name__)
[Mon Jun 27 19:13:57 2011] [error] AttributeError: 'thread._local' object has no attribute 'principal'

Thanks

On Monday, 27.06.2011, 12:41 -0400, Uzor Ide wrote:
> If it is a new install you can run the install command with a --debug switch to see what it would report. You can also take a look at /var/log/httpd/error_log and access_log on the server.
>
> I had a similar issue but the server was an upgrade. I found out though, that the error is very generic.
>
> The fix in my case was a re-install of some packages on the server.
>
> __Ide
>
> On Mon, Jun 27, 2011 at 12:01 PM, JoachimBadzong wrote:
> Hi,
>
> have just checked that folder on server side:
> -rw-r--r-- 1 root root  1209  6. Mai 16:50 browserconfig.html
> -rw-r--r-- 1 root root 15076  6. Mai 16:50 ipa_error.css
> -rw-r--r-- 1 root root  2954  6. Mai 16:50 ssbrowser.html
> -rw-r--r-- 1 root root  1502  6. Mai 16:50 unauthorized.html
>
> Is there anything missing? It's a new install on a naked, newly installed fc15 box.
>
> Thanks
>
> On Monday, 27.06.2011, 09:08 -0400, Uzor Ide wrote:
> > Your server is missing some files.
> > Check and make sure that you have some files in the /etc/ipa/html directory
> >
> > This usually occurs when you do an in-place upgrade of the fedora box containing freeipa-server
> >
> > __Ide
> >
> > On Sun, Jun 26, 2011 at 1:00 PM, JoachimBadzong wrote:
> > Hi,
> >
> > I have set up a freeipa server (2.0.1-2) with FC15 and have now tried to install the ipa client on a client machine. When I start the ipa-client-install (2.0.1-2) it detects everything as it should be. I can enter the admin principal and the password, but then I get the following error message:
> >
> > Joining realm failed because of failing XML-RPC request.
> > This error may be caused by incompatible server/client major versions.
> >
> > As both rpms (server and client) have the same version I just don't understand the message.
> >
> > What's wrong? Where can I look to find more information to solve that?
> >
> > Thanks for any hint.
> > J

From ide4you at gmail.com Mon Jun 27 17:49:34 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Mon, 27 Jun 2011 13:49:34 -0400
Subject: [Freeipa-users] ipa client install problem
In-Reply-To: <1309195247.26434.16.camel@notebookjojo>
References: <1309107651.26434.6.camel@notebookjojo> <1309190481.26434.9.camel@notebookjojo> <1309195247.26434.16.camel@notebookjojo>

Did you provide the join-in principal (admin at YOUR_REALM)? If you didn't, try providing it and the password at the command line.

On Mon, Jun 27, 2011 at 1:20 PM, JoachimBadzong wrote:
> Hi,
>
> ok, your advice to take a look into the /var/log/httpd/error_log was good as far as I found more information here.
> On the other side I have to admit that these errors don't tell me really anything about what I could do.
> So I post the messages here and hope that somebody has further ideas :-)
>
> So from error_log when I try to make ipa-client-install:
>
> [Mon Jun 27 19:13:57 2011] [error] ipa: ERROR: non-public: AttributeError: 'thread._local' object has no attribute 'principal'
> [Mon Jun 27 19:13:57 2011] [error] Traceback (most recent call last):
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 218, in wsgi_execute
> [Mon Jun 27 19:13:57 2011] [error]     result = self.Command[name](*args, **options)
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 421, in __call__
> [Mon Jun 27 19:13:57 2011] [error]     ret = self.run(*args, **options)
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 727, in run
> [Mon Jun 27 19:13:57 2011] [error]     return self.execute(*args, **options)
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/join.py", line 105, in execute
> [Mon Jun 27 19:13:57 2011] [error]     allowed = ldap.can_write(dn, 'krblastpwdchange')
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
> [Mon Jun 27 19:13:57 2011] [error]     return f(*new_args, **kwargs)
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 705, in can_write
> [Mon Jun 27 19:13:57 2011] [error]     (dn, attrs) = self.get_effective_rights(dn, [attr])
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipalib/encoder.py", line 188, in new_f
> [Mon Jun 27 19:13:57 2011] [error]     return f(*new_args, **kwargs)
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 691, in get_effective_rights
> [Mon Jun 27 19:13:57 2011] [error]     principal = getattr(context, 'principal')
> [Mon Jun 27 19:13:57 2011] [error] AttributeError: 'thread._local' object has no attribute 'principal'
> [Mon Jun 27 19:13:57 2011] [error] ipa: ERROR: xmlserver.__call__():
> [Mon Jun 27 19:13:57 2011] [error] Traceback (most recent call last):
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 246, in __call__
> [Mon Jun 27 19:13:57 2011] [error]     response = self.wsgi_execute(environ)
> [Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 230, in wsgi_execute
> [Mon Jun 27 19:13:57 2011] [error]     self.info('%s: %s(%s): %s', context.principal, name, ', '.join(self.Command[name]._repr_iter(**params)), e.__class__.__name__)
> [Mon Jun 27 19:13:57 2011] [error] AttributeError: 'thread._local' object has no attribute 'principal'
>
> Thanks
>
> On Monday, 27.06.2011, 12:41 -0400, Uzor Ide wrote:
> > If it is a new install you can run the install command with a --debug switch to see what it would report. You can also take a look at /var/log/httpd/error_log and access_log on the server.
> >
> > I had a similar issue but the server was an upgrade. I found out though, that the error is very generic.
> >
> > The fix in my case was a re-install of some packages on the server.
> >
> > __Ide
> >
> > On Mon, Jun 27, 2011 at 12:01 PM, JoachimBadzong wrote:
> > Hi,
> >
> > have just checked that folder on server side:
> > -rw-r--r-- 1 root root  1209  6. Mai 16:50 browserconfig.html
> > -rw-r--r-- 1 root root 15076  6. Mai 16:50 ipa_error.css
> > -rw-r--r-- 1 root root  2954  6. Mai 16:50 ssbrowser.html
> > -rw-r--r-- 1 root root  1502  6. Mai 16:50 unauthorized.html
> >
> > Is there anything missing? It's a new install on a naked, newly installed fc15 box.
> >
> > Thanks
> >
> > On Monday, 27.06.2011, 09:08 -0400, Uzor Ide wrote:
> > > Your server is missing some files.
> > > Check and make sure that you have some files in the /etc/ipa/html directory
> > >
> > > This usually occurs when you do an in-place upgrade of the fedora box containing freeipa-server
> > >
> > > __Ide
> > >
> > > On Sun, Jun 26, 2011 at 1:00 PM, JoachimBadzong wrote:
> > > Hi,
> > >
> > > I have set up a freeipa server (2.0.1-2) with FC15 and have now tried to install the ipa client on a client machine. When I start the ipa-client-install (2.0.1-2) it detects everything as it should be. I can enter the admin principal and the password, but then I get the following error message:
> > >
> > > Joining realm failed because of failing XML-RPC request.
> > > This error may be caused by incompatible server/client major versions.
> > >
> > > As both rpms (server and client) have the same version I just don't understand the message.
> > >
> > > What's wrong? Where can I look to find more information to solve that?
> > >
> > > Thanks for any hint.
> > > J
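The error_log excerpt Joachim posted in this thread is the usual shape of a mod_wsgi failure: one Apache line per line of the Python traceback, with the "ipa: ERROR:" context line logged just before it. The script below is an added example, not code from the thread or from FreeIPA, that regroups such lines into one event per traceback and produces a triage row for each (timestamp, innermost frame, exception). The sample log lines are constructed and abridged from the excerpt above; the triage hints are this example's own heuristics, not FreeIPA messages, and the tolerance for extra bracketed fields after the level is an assumption about newer Apache log formats.

```python
"""Regroup Python tracebacks from an Apache error_log into one event each.

Added example, not code from the thread or from FreeIPA. It understands the
"[timestamp] [level] message" line shape seen in the error_log excerpt above
and, as an assumption, also skips extra "[pid N]"/"[client ...]" fields that
newer Apache releases insert between the level and the message.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\](?: \[[^\]]+\])* (?P<msg>.*)$"
)
# One traceback frame header:   File "<path>", line <n>, in <function>
FRAME_RE = re.compile(r'^\s*File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)$')

Frame = Tuple[str, int, str, str]  # (path, line number, function, source line)


@dataclass
class TracebackEvent:
    timestamp: str
    header: str                      # the "ipa: ERROR: ..." line logged just before it
    frames: List[Frame] = field(default_factory=list)
    exception: str = ""              # the final "ExcType: message" line


def parse_error_log(lines):
    """Return one TracebackEvent per 'Traceback (most recent call last):' block."""
    events: List[TracebackEvent] = []
    current: Optional[TracebackEvent] = None
    last_header = ""
    pending: Optional[Tuple[str, int, str]] = None  # frame header awaiting its source line
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue                                  # not an Apache-formatted line
        ts, msg = m.group("ts"), m.group("msg")
        if msg == "Traceback (most recent call last):":
            current = TracebackEvent(timestamp=ts, header=last_header)
            events.append(current)
            pending = None
            continue
        if current is None:
            last_header = msg                         # context for the next traceback
            continue
        fm = FRAME_RE.match(msg)
        if fm:
            if pending is not None:                   # previous frame had no source line
                current.frames.append(pending + ("",))
            pending = (fm.group("file"), int(fm.group("line")), fm.group("func"))
            continue
        if pending is not None:
            current.frames.append(pending + (msg.strip(),))
            pending = None
            continue
        # Anything else after the frames is the exception line, which closes the block.
        current.exception = msg.strip()
        current = None
        last_header = ""
    return events


# Triage hints keyed on exception text: example heuristics, not FreeIPA messages.
HINTS = {
    "has no attribute 'principal'":
        "request reached the server without an authenticated principal; check the "
        "principal and password given to ipa-client-install and look for the "
        "GSSAPI negotiation on the same request in access_log",
}


def triage_hint(exception_text):
    for needle, hint in HINTS.items():
        if needle in exception_text:
            return hint
    return "no hint"


def summarize(events):
    """One dict per traceback: when it happened, where it died, what was raised."""
    rows = []
    for ev in events:
        if ev.frames:
            path, lineno, func, _src = ev.frames[-1]
            where = f"{path.rsplit('/', 1)[-1]}:{lineno} in {func}"
        else:
            where = "<no frames>"
        rows.append({"timestamp": ev.timestamp, "context": ev.header, "where": where,
                     "exception": ev.exception, "hint": triage_hint(ev.exception)})
    return rows


# Constructed sample, abridged from the error_log excerpt posted in this thread.
SAMPLE_LOG = """\
[Mon Jun 27 19:13:57 2011] [error] ipa: ERROR: non-public: AttributeError: 'thread._local' object has no attribute 'principal'
[Mon Jun 27 19:13:57 2011] [error] Traceback (most recent call last):
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 218, in wsgi_execute
[Mon Jun 27 19:13:57 2011] [error]     result = self.Command[name](*args, **options)
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/join.py", line 105, in execute
[Mon Jun 27 19:13:57 2011] [error]     allowed = ldap.can_write(dn, 'krblastpwdchange')
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 691, in get_effective_rights
[Mon Jun 27 19:13:57 2011] [error]     principal = getattr(context, 'principal')
[Mon Jun 27 19:13:57 2011] [error] AttributeError: 'thread._local' object has no attribute 'principal'
[Mon Jun 27 19:13:57 2011] [error] ipa: ERROR: xmlserver.__call__():
[Mon Jun 27 19:13:57 2011] [error] Traceback (most recent call last):
[Mon Jun 27 19:13:57 2011] [error]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 230, in wsgi_execute
[Mon Jun 27 19:13:57 2011] [error]     self.info('%s: %s(%s): %s', context.principal, name, params, e.__class__.__name__)
[Mon Jun 27 19:13:57 2011] [error] AttributeError: 'thread._local' object has no attribute 'principal'
"""

if __name__ == "__main__":
    for row in summarize(parse_error_log(SAMPLE_LOG.splitlines())):
        print(f"{row['timestamp']}  {row['where']}  {row['exception']}\n    -> {row['hint']}")
```

Run against a real file with `summarize(parse_error_log(open("/var/log/httpd/error_log")))`; because the parser keys on the "Traceback" marker and the frame header shape rather than on IPA-specific text, the same grouping works for any mod_wsgi application logging through Apache.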
From danieljamesscott at gmail.com Mon Jun 27 17:51:41 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Mon, 27 Jun 2011 13:51:41 -0400
Subject: [Freeipa-users] v1 to v2 migration problem: unknown object class "radiusprofile" and attribute "memberofindirect" not allowed
In-Reply-To: <4DE5283A.6080404@redhat.com>
References: <4DE514C8.4050400@redhat.com> <4DE5283A.6080404@redhat.com>

Hi,

On Tue, May 31, 2011 at 13:41, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 05/31/2011 10:45 AM, tomasz.napierala at allegro.pl wrote:
>>> Hi,
>>> I'm trying to migrate data from our current FreeIPA install (v1) and I'm having problems with a nonexistent objectClass in v2, which seems to be present by default in v1:
>>>
>>> ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts ldap://ipaserverv1:389
>>> Failed user:
>>>   username: unknown object class "radiusprofile"
>>>
>>> Also groups that are members of other groups are having problems too:
>>> groupname: attribute "memberofindirect" not allowed
>>>
>>> Is there any way to avoid these errors during migration?
>>
>> I do not think we tried this migration.
>>
>> Do you have any radius data populated in the v1? It seems that this is in some way getting in the way.
>> The second issue is more worrying. We will see what can be done.
>>
>> Please file two tickets and we will try to look at them.
>
> The second problem is fixed upstream.
>
> The objectclass problem is a bit trickier. We don't currently offer a mechanism for adding/dropping objectclasses on-the-fly.
>
> The best fix would be to remove the OC from all users in the v1 server then do the migration. This is assuming you aren't using radius in v1.
>
> An alternative fix would be to drop the file 60radius.ldif into the v2 schema directory and restart dirsrv:
>
> On your v1 server it is in /etc/dirsrv/slapd-INSTANCE/schema. Copy this to the equivalent location on the v2 server.

Sorry to jump on this so late. Do you know if the fix for "groupname: attribute "memberofindirect" not allowed" has been released yet? I'm running Fedora 15 with the latest updates from updates-testing and trying to migrate from FreeIPA 1.2.

I've fixed the Radius issue by adding the 60radius.ldif file to the FreeIPA 2.0 schema as suggested. Now, I'm getting "groupname: attribute "memberofindirect" not allowed" for all of my members. The groups all appear to migrate successfully.

Thanks,

Dan

From rcritten at redhat.com Mon Jun 27 19:25:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 27 Jun 2011 15:25:33 -0400
Subject: [Freeipa-users] ipa client install problem
In-Reply-To: <1309190481.26434.9.camel@notebookjojo>
References: <1309107651.26434.6.camel@notebookjojo> <1309190481.26434.9.camel@notebookjojo>
Message-ID: <4E08D92D.1040700@redhat.com>

JoachimBadzong wrote:
> Hi,
>
> have just checked that folder on server side:
> -rw-r--r-- 1 root root  1209  6. Mai 16:50 browserconfig.html
> -rw-r--r-- 1 root root 15076  6. Mai 16:50 ipa_error.css
> -rw-r--r-- 1 root root  2954  6. Mai 16:50 ssbrowser.html
> -rw-r--r-- 1 root root  1502  6. Mai 16:50 unauthorized.html
>
> Is there anything missing? It's a new install on a naked, newly installed fc15 box.

Yes, you're missing quite a few files. You are missing the windows config files: krb5.ini, krbrealm.con and krb.con, a copy of the CA, and the browser autoconfig jar (configure.jar) at least.

Your installation was completely successful?

rob

> Thanks
>
> On Monday, 27.06.2011, 09:08 -0400, Uzor Ide wrote:
>> Your server is missing some files.
>> Check and make sure that you have some files in the /etc/ipa/html directory
>>
>> This usually occurs when you do an in-place upgrade of the fedora box containing freeipa-server
>>
>> __Ide
>>
>> On Sun, Jun 26, 2011 at 1:00 PM, JoachimBadzong wrote:
>> Hi,
>>
>> I have set up a freeipa server (2.0.1-2) with FC15 and have now tried to install the ipa client on a client machine. When I start the ipa-client-install (2.0.1-2) it detects everything as it should be. I can enter the admin principal and the password, but then I get the following error message:
>>
>> Joining realm failed because of failing XML-RPC request.
>> This error may be caused by incompatible server/client major versions.
>>
>> As both rpms (server and client) have the same version I just don't understand the message.
>>
>> What's wrong? Where can I look to find more information to solve that?
>>
>> Thanks for any hint.
>> J

From thildred at redhat.com Tue Jun 28 03:30:59 2011
From: thildred at redhat.com (Tim Hildred)
Date: Mon, 27 Jun 2011 23:30:59 -0400 (EDT)
Subject: [Freeipa-users] adding PTR record for a host on the network
In-Reply-To: <1197585615.976643.1309231747176.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Message-ID: <314664785.976725.1309231859975.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

I am trying to install the RHEV-M on a box with a hostname of rhel6.mysandbox.com, which is also where my free IPA install lives. RHEV-M needs reverse lookups, otherwise it fails. I've tried to add one with this command:

ipa dnsrecord-add rhel6.mysandbox.com --ptr-rec 4.22.168.192.in-addr.arpa.

No dice. Have I got that wrong?

Tim

From naufal26.tik at gmail.com Tue Jun 28 07:03:27 2011
From: naufal26.tik at gmail.com (Muhammad Naufal)
Date: Tue, 28 Jun 2011 14:03:27 +0700
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
References: <4E08A0A8.3000709@redhat.com>

Thanks rob, yes, the config krbrealm.con exists.

I didn't use a proxy for the freeipa connection. I bypass the proxy server for local addresses via ie internet options. But the mit kerberos installation still failed: "HTTP/1.0 504 Gateway Time-out".

Has anyone tried win xp as an ipa client?

On Mon, Jun 27, 2011 at 10:24 PM, Rob Crittenden wrote:
> Muhammad Naufal wrote:
>> I have read the documentation here http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html but I'm stuck in instruction number 5.
>>
>> 5. Select "Download from web path", and enter the following URL: http://<server name>/ipa/config/
>>
>> I got an error when downloading the config; it says: "Download failed HTTP/1.0 504 Gateway Time-out"
>> Then I go to my freeipa server config url http://freeipa.local/ipa/config/ and it says "Forbidden. You don't have permission to access /ipa/config/ on this server."
>> How to install MIT Kerberos in microsoft windows xp correctly? How should my configuration on the freeipa server be?
>>
>> Thanks again for any assistance provided.
>
> Are you using a proxy server? I wonder if the proxy can get to the IPA installation.
>
> Directory indexing is disabled on the directory so you can't browse the files. You can confirm they exist by trying:
>
> http://freeipa.local/ipa/config/krbrealm.con
>
> rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ie bypass.jpg
Type: image/jpeg
Size: 191887 bytes
Desc: not available

From raal.goff at zettaserve.com Tue Jun 28 07:44:28 2011
From: raal.goff at zettaserve.com (Goff, Raal)
Date: Tue, 28 Jun 2011 15:44:28 +0800
Subject: [Freeipa-users] Replica setup fails to configure httpd correctly
Message-ID: <835FC11C-4695-46FA-BAA0-53FE6DC73CDD@zettaserve.com>

Hi List,

I'm having trouble setting up an IPA replica. It seems to fail when configuring httpd:

Configuring the web interface: Estimated time 1 minute
  [1/11]: disabling mod_ssl in httpd
  [2/11]: setting mod_nss port to 443
  [3/11]: setting mod_nss password file
  [4/11]: adding URL rewriting rules
  [5/11]: configuring httpd
  [6/11]: setting up ssl
  [7/11]: publish CA cert
  [8/11]: creating a keytab for httpd
  [9/11]: configuring SELinux for httpd
  [10/11]: restarting httpd
creation of replica failed: Command '/sbin/service httpd restart ' returned non-zero exit status 1

Looking in /var/log/httpd/error_log gives:

[Tue Jun 28 14:50:35 2011] [error] Certificate not found: 'Server-Cert'

Running certutil I can see that the certificate exists in the NSS certificate directory:

[root at ipa2 conf.d]# certutil -d /etc/httpd/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  ,,
AUTH.EXAMPLE.COM IPA CA                                      CT,C,

Looking at /etc/httpd/conf/password.conf, it seems that no password has been set:

[root at ipa2 alias]# cat /etc/httpd/conf/password.conf
internal:

Is there any known issue that would cause this to happen? It seems to be the reason mod_nss can't load the certificate.

-R

________________________________
ZettaServe Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this email by mistake and delete this email from your system. Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. ZettaServe Pty Ltd accepts no liability for any damage caused by any virus transmitted by this email.

From badzong at wizard.franken.de Tue Jun 28 10:34:56 2011
From: badzong at wizard.franken.de (Joachim Badzong)
Date: Tue, 28 Jun 2011 12:34:56 +0200
Subject: [Freeipa-users] freeipa and NAS
Message-ID: <1309257296.8363.4.camel@jojo.apris.de>

Hi,

does anybody have real experience binding a QNAP NAS or a freenas box to a freeipa server?
First of all it would of course be best to get the original QNAP bound to freeipa. I assume that would have to be done via AD.
The alternative would be to install freenas and get that bound to freeipa. By LDAP? Or by AD?

Thanks for any good hints.
J.

From simo at redhat.com Tue Jun 28 11:09:25 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 28 Jun 2011 07:09:25 -0400
Subject: [Freeipa-users] adding PTR record for a host on the network
In-Reply-To: <314664785.976725.1309231859975.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
References: <314664785.976725.1309231859975.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Message-ID: <1309259365.2681.48.camel@willson.li.ssimo.org>

On Mon, 2011-06-27 at 23:30 -0400, Tim Hildred wrote:
> I am trying to install the RHEV-M on a box with a hostname of rhel6.mysandbox.com, which is also where my free IPA install lives. RHEV-M needs reverse lookups, otherwise it fails. I've tried to add one with this command:
>
> ipa dnsrecord-add rhel6.mysandbox.com --ptr-rec 4.22.168.192.in-addr.arpa.
>
> No dice. Have I got that wrong?

Should look like this:

ipa dnsrecord-add 22.168.192.in-addr.arpa 4 --ptr-rec rhel6.mysandbox.com.
To zone 22.168.192.in-addr.arpa add record named '4' of type PTR with value rhel6.mysandbox.com.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Tue Jun 28 15:53:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Jun 2011 11:53:15 -0400
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
In-Reply-To:
References: <4E08A0A8.3000709@redhat.com>
Message-ID: <4E09F8EB.3050703@redhat.com>

Muhammad Naufal wrote:
> Thanks rob, yes the config krbrealm.con exists.
>
> I didn't use proxy for freeipa connection. I bypass proxy server for
> local addresses via ie internet options.
> But the mit kerberos installation still failed. *HTTP/1.0 504 Gateway
> Time-out*.

Can you check the Apache access log on the IPA server to see if it is throwing the 504?

rob

> Has anyone tried win xp as an ipa client?
>
> On Mon, Jun 27, 2011 at 10:24 PM, Rob Crittenden wrote:
>
>     Muhammad Naufal wrote:
>
>         *I have read the documentation here
>         http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html
>         But i'm stuck in instruction number 5.*
>         *5. *Select *Download from web path*, and enter the following URL:
>         http:// name>/ipa/config/
>
>         I've got error when downloading the config it says: *Download failed
>         HTTP/1.0 504 Gateway Time-out*
>         Then i go to my freeipa server config url
>         http://freeipa.local/ipa/config/
>         and it say *Forbidden. You don't have
>         permission to access /ipa/config/ on this server.*
>         How to install MIT Kerberos in microsoft windows xp correctly? How
>         should my configuration on the freeipa server?
>
>         Thanks for any assistance provided. again.
>
>     Are you using a proxy server? I wonder if the proxy can get to the
>     IPA installation.
>
>     Directory indexing is disabled on the directory so you can't browse
>     the files.
>     You can confirm they exist by trying:
>
>     http://freeipa.local/ipa/config/krbrealm.con
>
>     rob

From dpal at redhat.com Tue Jun 28 15:59:27 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 28 Jun 2011 11:59:27 -0400
Subject: [Freeipa-users] freeipa and NAS
In-Reply-To: <1309257296.8363.4.camel@jojo.apris.de>
References: <1309257296.8363.4.camel@jojo.apris.de>
Message-ID: <4E09FA5F.5060505@redhat.com>

On 06/28/2011 06:34 AM, Joachim Badzong wrote:
> Hi,
>
> has anybody real experience to bind an QNAP NAS or an freenas box to an
> freeipa server ?
> First of all it would of course best to get the original QNAP bound to
> freeipa. I assume that would have to done by AD.
> Alternative would be to install freenas and get that bound to freeipa.
> By LDAP ? Or by AD ?
>
> Thanks for any good hints.
> J.

I did a quick search on the freenas web site. I do not find any mention of Kerberos. That makes me think that it can't be configured to use Kerberos.

The LDAP config instructions are here: http://doc.freenas.org/index.php/LDAP
IPA users are in the "cn=users, cn=accounts, "

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From sigbjorn at nixtra.com Tue Jun 28 16:35:56 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 28 Jun 2011 18:35:56 +0200 (CEST)
Subject: [Freeipa-users] freeipa and NAS
In-Reply-To: <4E09FA5F.5060505@redhat.com>
References: <1309257296.8363.4.camel@jojo.apris.de> <4E09FA5F.5060505@redhat.com>
Message-ID: <45537.92.40.121.155.1309278956.squirrel@www.nixtra.com>

Hi,

You could consider using NexentaStor which is also using ZFS, providing a feature rich GUI and CLI for NAS management.
I've successfully used FreeIPA 2 with NexentaStor for CIFS, NFS3 and NFS4 + Kerberos 5, having Linux clients connecting to kerberized NFS4 shares, and Windows clients connecting to the CIFS service.

I assume anything that supports LDAP will be usable with IPA, at least for user lookup.

In my NexentaStor configuration, the NFS service is using FreeIPA (nss_ldap+krb5), and the CIFS service is using Active Directory (nss_ad) for user authentication.

Rgds,
Siggi

On Tue, June 28, 2011 17:59, Dmitri Pal wrote:
> On 06/28/2011 06:34 AM, Joachim Badzong wrote:
>
>> Hi,
>>
>> has anybody real experience to bind an QNAP NAS or an freenas box to an freeipa server ? First of
>> all it would of course best to get the original QNAP bound to freeipa. I assume that would have
>> to done by AD. Alternative would be to install freenas and get that bound to freeipa.
>> By LDAP ? Or by AD ?
>>
>> Thanks for any good hints.
>> J.
>
> I did a quick search on the freenas web site. I do not find any mention
> of Kerberos. That makes me think that it can't be configured to use Kerberos.
>
> The LDAP config instructions are here: http://doc.freenas.org/index.php/LDAP
> IPA users are in the "cn=users, cn=accounts, "
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
From natxo.asenjo at gmail.com Tue Jun 28 18:14:49 2011
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 28 Jun 2011 20:14:49 +0200
Subject: [Freeipa-users] freeipa and NAS
In-Reply-To: <45537.92.40.121.155.1309278956.squirrel@www.nixtra.com>
References: <1309257296.8363.4.camel@jojo.apris.de> <4E09FA5F.5060505@redhat.com> <45537.92.40.121.155.1309278956.squirrel@www.nixtra.com>
Message-ID:

On Tue, Jun 28, 2011 at 6:35 PM, Sigbjorn Lie wrote:
> In my NexentaStor configuration, the NFS service is using FreeIPA (nss_ldap+krb5), and the CIFS
> service is using Active Directory (nss_ad) for user authentication.

that is awesome! Could you write an instruction of how you did that? Next month a big server with plenty of disks will be decommissioned and I want to take a look at nexentastor, and kerberos would be a big plus.

--
Thanks,
Natxo

From Steven.Jones at vuw.ac.nz Tue Jun 28 20:20:29 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 28 Jun 2011 20:20:29 +0000
Subject: [Freeipa-users] freeipa and NAS
In-Reply-To: <45537.92.40.121.155.1309278956.squirrel@www.nixtra.com>
References: <1309257296.8363.4.camel@jojo.apris.de> <4E09FA5F.5060505@redhat.com>, <45537.92.40.121.155.1309278956.squirrel@www.nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E402A62CBA0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

There is also openfiler which is linux underneath but the one that is drawing my attention right now is gluster....which can be installed on RHEL....so I assume would use freeipa underneath "easily"

The idea behind gluster is it's a global file system....so it's got some very interesting tech for resiliency.
I have not tried gluster with IPA yet as I'm waiting on access to the AD and replication channel and confirmation it will be sold in AP before I spend more time on IPA.

I've used Openfiler and Freenas for iscsi and Freenas I didn't find very stable...Openfiler on the other hand seemed bomb proof....I hammered it for 6 months and it never missed a beat...Freenas used to fall over every week...

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, 29 June 2011 4:35 a.m.
To: dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] freeipa and NAS

Hi,

You could consider using NexentaStor which is also using ZFS, providing a feature rich GUI and CLI for NAS management.

I've successfully used FreeIPA 2 with NexentaStor for CIFS, NFS3 and NFS4 + Kerberos 5, having Linux clients connecting to kerberized NFS4 shares, and Windows clients connecting to the CIFS service.

I assume anything that supports LDAP will be usable with IPA, at least for user lookup.

In my NexentaStor configuration, the NFS service is using FreeIPA (nss_ldap+krb5), and the CIFS service is using Active Directory (nss_ad) for user authentication.

Rgds,
Siggi

On Tue, June 28, 2011 17:59, Dmitri Pal wrote:
> On 06/28/2011 06:34 AM, Joachim Badzong wrote:
>
>> Hi,
>>
>> has anybody real experience to bind an QNAP NAS or an freenas box to an freeipa server ? First of
>> all it would of course best to get the original QNAP bound to freeipa. I assume that would have
>> to done by AD. Alternative would be to install freenas and get that bound to freeipa.
>> By LDAP ? Or by AD ?
>>
>> Thanks for any good hints.
>> J.
>
> I did a quick search on the freenas web site.
> I do not find any mention
> of Kerberos. That makes me think that it can't be configured to use Kerberos.
>
> The LDAP config instructions are here: http://doc.freenas.org/index.php/LDAP
> IPA users are in the "cn=users, cn=accounts, "
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

From Steven.Jones at vuw.ac.nz Tue Jun 28 20:26:23 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 28 Jun 2011 20:26:23 +0000
Subject: [Freeipa-users] freeipa and NAS
In-Reply-To:
References: <1309257296.8363.4.camel@jojo.apris.de> <4E09FA5F.5060505@redhat.com> <45537.92.40.121.155.1309278956.squirrel@www.nixtra.com>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E402A62CBBC@STAWINCOX10MBX1.staff.vuw.ac.nz>

I'd suggest taking a look at gluster as well...

http://www.gluster.org/

"Welcome to the Gluster community, the source for all resources about downloading, installing, and running Gluster Storage. GlusterFS is an open source scale-out NAS solution. The software is a powerful and flexible solution that simplifies the task of managing unstructured file data whether you have a few terabytes of storage or multiple petabytes."

There are RHEL rpms....

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Natxo Asenjo [natxo.asenjo at gmail.com]
Sent: Wednesday, 29 June 2011 6:14 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] freeipa and NAS

On Tue, Jun 28, 2011 at 6:35 PM, Sigbjorn Lie wrote:
> In my NexentaStor configuration, the NFS service is using FreeIPA (nss_ldap+krb5), and the CIFS
> service is using Active Directory (nss_ad) for user authentication.

that is awesome! Could you write an instruction of how you did that? Next month a big server with plenty of disks will be decommissioned and I want to take a look at nexentastor, and kerberos would be a big plus.

--
Thanks,
Natxo

From thildred at redhat.com Tue Jun 28 23:06:05 2011
From: thildred at redhat.com (Tim Hildred)
Date: Tue, 28 Jun 2011 19:06:05 -0400 (EDT)
Subject: [Freeipa-users] adding PTR record for a host on the network
In-Reply-To: <1309259365.2681.48.camel@willson.li.ssimo.org>
Message-ID: <741639172.1001591.1309302365925.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

>> Should look like this:
>> ipa dnsrecord-add 22.168.192.in-addr.arpa 4 --ptr-rec rhel6.mysandbox.com.

Does the first part need a trailing "." after arpa? I saw something (https://fedorahosted.org/freeipa/ticket/1129) that looked like what I got when I pasted what you provided into a terminal. However, when I added a "." on the end of arpa and removed it from mysandbox.com".", I got:

Record name: 4
PTR record: rhel6.mysandbox.com., rhel6.mysandbox.com

Even so, when I try to do:

[root at rhel6 ~]# host 192.168.22.4
Host 4.22.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

Thanks for having a look!
Tim

From rapidnorepeat at gmail.com Wed Jun 29 04:26:04 2011
From: rapidnorepeat at gmail.com (Rapid Noreapeat)
Date: Wed, 29 Jun 2011 11:26:04 +0700
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
Message-ID:

If you can not download the config from web path url, you can download the config files directly:
*http://freeipa.local/ipa/config/krb.ini*,
*http://freeipa.local/ipa/config/krb.con*,
*http://freeipa.local/ipa/config/krbrealm.con*
and place the files under Windows folder.

Hope it can help :)

From simo at redhat.com Wed Jun 29 12:29:49 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 29 Jun 2011 08:29:49 -0400
Subject: [Freeipa-users] adding PTR record for a host on the network
In-Reply-To: <741639172.1001591.1309302365925.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
References: <741639172.1001591.1309302365925.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Message-ID: <1309350589.2681.54.camel@willson.li.ssimo.org>

On Tue, 2011-06-28 at 19:06 -0400, Tim Hildred wrote:
> >>Should look like this:
> >>ipa dnsrecord-add 22.168.192.in-addr.arpa 4 --ptr-rec rhel6.mysandbox.com.
>
> Does the first part need a trailing "." after arpa? I saw something (https://fedorahosted.org/freeipa/ticket/1129) that looked like what I got when I pasted what you provided into a terminal. However, when I added a "." on the end of arpa and removed it from mysandbox.com".", I got:
>
> Record name: 4
> PTR record: rhel6.mysandbox.com., rhel6.mysandbox.com
>
> Even so, when I try to do:
>
> [root at rhel6 ~]# host 192.168.22.4
> Host 4.22.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
>
> Thanks for having a look!

Have you just recently created the 22.168.192.in-addr.arpa zone ?

One thing we still haven't addressed is that when you create new zones you have to restart named before it will serve them.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From naufal26.tik at gmail.com Wed Jun 29 16:40:55 2011
From: naufal26.tik at gmail.com (Muhammad Naufal)
Date: Wed, 29 Jun 2011 23:40:55 +0700
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
In-Reply-To:
References:
Message-ID:

Thanks to both of you, I reinstall kfw-3-2-2.exe and now it can get /ipa/config/ files. 3 config files just like Rapid said. But new error coming up it said "Clock skew too great" while getting initial credentials. Does this have anything to do with ntp? I equate time setting in win xp and ipa server but have no change.

On 6/29/11, Rapid Noreapeat wrote:
> If you can not download the config from web path url, you can download the
> config files directly:
> *http://freeipa.local/ipa/config/krb.ini*,
> *http://freeipa.local/ipa/config/krb.con*,
> *http://freeipa.local/ipa/config/krbrealm.con* and place the files under
> Windows folder.
>
> Hope it can help :)

From dpal at redhat.com Wed Jun 29 17:42:44 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 29 Jun 2011 13:42:44 -0400
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
In-Reply-To:
References:
Message-ID: <4E0B6414.6030400@redhat.com>

On 06/29/2011 12:40 PM, Muhammad Naufal wrote:
> Thanks to both of you, i reinstall kfw-3-2-2.exe and now it can get
> /ipa/config/ files.
> 3 config files just like Rapid said. But new error coming up it said
> Clock skew too great while getting initial credentials. Does this
> have anything to do with ntp? I equate time setting in win xp and ipa
> server but have no change.

Make sure you have same time zones.

> On 6/29/11, Rapid Noreapeat wrote:
>> If you can not download the config from web path url, you can download the
>> config files directly:
>> *http://freeipa.local/ipa/config/krb.ini*,
>> *http://freeipa.local/ipa/config/krb.con*,
>> *http://freeipa.local/ipa/config/krbrealm.con* and place the files under
>> Windows folder.
>>
>> Hope it can help :)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Wed Jun 29 17:46:02 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 29 Jun 2011 13:46:02 -0400
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
In-Reply-To: <4E0B6414.6030400@redhat.com>
References: <4E0B6414.6030400@redhat.com>
Message-ID: <4E0B64DA.2090204@redhat.com>

On 06/29/2011 01:42 PM, Dmitri Pal wrote:
> On 06/29/2011 12:40 PM, Muhammad Naufal wrote:
>> Thanks to both of you, i reinstall kfw-3-2-2.exe and now it can get
>> /ipa/config/ files.
>> 3 config files just like Rapid said. But new error coming up it said
>> Clock skew too great while getting initial credentials. Does this
>> have anything to do with ntp? I equate time setting in win xp and ipa
>> server but have no change.
> Make sure you have same time zones.

Not that it is a requirement for it to be in the same zone but if the time is the same it might just look same but zones might be different. Worth checking.

>> On 6/29/11, Rapid Noreapeat wrote:
>>> If you can not download the config from web path url, you can download the
>>> config files directly:
>>> *http://freeipa.local/ipa/config/krb.ini*,
>>> *http://freeipa.local/ipa/config/krb.con*,
>>> *http://freeipa.local/ipa/config/krbrealm.con* and place the files under
>>> Windows folder.
>>>
>>> Hope it can help :)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
From rcritten at redhat.com Wed Jun 29 19:42:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Jun 2011 15:42:22 -0400
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
In-Reply-To:
References:
Message-ID: <4E0B801E.1000204@redhat.com>

Muhammad Naufal wrote:
> Thanks to both of you, i reinstall kfw-3-2-2.exe and now it can get
> /ipa/config/ files.
> 3 config files just like Rapid said. But new error coming up it said
> Clock skew too great while getting initial credentials. Does this
> have anything to do with ntp? I equate time setting in win xp and ipa
> server but have no change.

Can you verify that the time is actually within 5 minutes between the IPA server and XP?

rob

> On 6/29/11, Rapid Noreapeat wrote:
>> If you can not download the config from web path url, you can download the
>> config files directly:
>> *http://freeipa.local/ipa/config/krb.ini*,
>> *http://freeipa.local/ipa/config/krb.con*,
>> *http://freeipa.local/ipa/config/krbrealm.con* and place the files under
>> Windows folder.
>>
>> Hope it can help :)

From sgallagh at redhat.com Wed Jun 29 20:00:28 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 29 Jun 2011 16:00:28 -0400
Subject: [Freeipa-users] Proposal: drop DENY rules from HBAC
Message-ID: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com>

We discussed today on the FreeIPA status meeting the possibility of dropping support for DENY rules from the HBAC specification. I'm submitting it for discussion. Specifically, I'm looking to hear whether there are any FreeIPA admins out there that have a strong opinion on whether the DENY rules need to be included.

The current design of HBAC specifies that
1) If no ALLOW rules match, access is denied
2) If one or more ALLOW rules match and no DENY rules match, access is allowed.
3) If one or more DENY rules match, access is denied.
Thus, DENY rules exist only to provide exceptions from the ALLOW rules. There exists no ALLOW+DENY combination that cannot be constructed from ALLOW rules only.[1]

DENY rules introduce a lot of edge-cases for evaluation. The most important of which is the availability of the group membership for the user logging in. Depending on the mechanism used to log in (for example, GSSAPI over SSH or cross-realm Kerberos trust where the user is provided by the PAC), SSSD's cache may not have a complete list of groups for this user. If the login is occurring during offline mode (where SSSD cannot contact the LDAP server to refresh the user's groups), SSSD cannot determine whether DENY rules would match for the user. This therefore translates into a potential security issue.

We implemented a workaround in the SSSD evaluator to resolve this by guaranteeing that we do a full lookup of all groups referenced by rules while we are retrieving the rules from FreeIPA. However, this requires at least one additional lookup against the LDAP server (possibly many if there is need to resolve nestings). This results in a significantly slower login while online.

We also have issues related to source host evaluation. Some applications will provide an IP address instead of a hostname in the pam_rhost attribute. Our only recourse here is to perform a reverse-DNS lookup to try and identify the real hostname(s) of the server. However, in many real-world environments, reverse DNS is unavailable or misconfigured. In the case of ALLOW rules, this would lead to a match failure and an implicit denial. However, a failure to properly match a DENY rule can result in unexpected access being granted. This is a potentially serious security issue.

Given these edge cases (and performance issues of the noted workaround), I propose that we should drop DENY rules from the HBAC specification and limit ourselves only to ALLOW rules (which are much safer).
Beyond the obvious advantages for our implementation, I believe that this will be less complex for users to write their rules.

[1] Some rules are complex to simulate, such as "Allow access from all PAM services EXCEPT telnet". But in a sane environment, all access should be via whitelist. If a customer is using an exception rule, they should re-evaluate this.

From naufal26.tik at gmail.com Thu Jun 30 06:58:32 2011
From: naufal26.tik at gmail.com (Muhammad Naufal)
Date: Thu, 30 Jun 2011 13:58:32 +0700
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
In-Reply-To: <4E0B801E.1000204@redhat.com>
References: <4E0B801E.1000204@redhat.com>
Message-ID:

Sorry, I am wrong in equating pm and am between IPA server and XP. After correcting it the clock skew error vanished.

Now it can authenticate against IPA server but no ticket generated when I type klist in XP cmd prompt. As a result I can not access IPA web ui.

On Thu, Jun 30, 2011 at 2:42 AM, Rob Crittenden wrote:
> Muhammad Naufal wrote:
>
>> Thanks to both of you, i reinstall kfw-3-2-2.exe and now it can get
>> /ipa/config/ files.
>> 3 config files just like Rapid said. But new error coming up it said
>> Clock skew too great while getting initial credentials. Does this
>> have anything to do with ntp? I equate time setting in win xp and ipa
>> server but have no change.
>
> Can you verify that the time is actually within 5 minutes between the IPA
> server and XP?
>
> rob
>
>> On 6/29/11, Rapid Noreapeat wrote:
>>
>>> If you can not download the config from web path url, you can download
>>> the config files directly:
>>> *http://freeipa.local/ipa/config/krb.ini*,
>>> *http://freeipa.local/ipa/config/krb.con*,
>>> *http://freeipa.local/ipa/config/krbrealm.con* and place the files under
>>> Windows folder.
>>>
>>> Hope it can help :)

From chorn at fluxcoil.net Thu Jun 30 07:43:56 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Thu, 30 Jun 2011 09:43:56 +0200
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
In-Reply-To:
References: <4E0B801E.1000204@redhat.com>
Message-ID: <20110630074356.GE21155@fluxcoil.net>

On Thu, Jun 30, 2011 at 01:58:32PM +0700, Muhammad Naufal wrote:
> Now it can authenticate against IPA server but no ticket generated when i
> type klist in XP cmd prompt.
> As a result i can not access IPA web ui.

IIRC there can be multiple ticket caches used there. Maybe the MIT windows kerberos tools show a bit more, found them quite helpful to debug windows kerberos auth.
http://web.mit.edu/Kerberos/dist/index.html#kfw-3.2

Christian

From ondrejv at s3group.cz Thu Jun 30 09:26:04 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 30 Jun 2011 11:26:04 +0200
Subject: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
Message-ID: <4E0C412C.3020102@s3group.cz>

Hi List,

I have just noticed that the ipa-client-install fails miserably if the client's /etc/resolv.conf points to some foreign DNS server.
The symptoms are that KDC (on the IPA server) fails to locate self in Kerberos database:

Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: NEEDED_PREAUTH: admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
Jun 30 11:11:49 polaris krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: UNKNOWN_SERVER: authtime 0, admin at EXAMPLE.COM for HTTP/polaris.prague.s3group.com at EXAMPLE.COM, Server not found in Kerberos database

Question: Should probably try to autoconfigure /etc/resolv.conf as well or at least warn user that join might fail?

Thanks,
Ondrej

From rcritten at redhat.com Thu Jun 30 13:27:32 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Jun 2011 09:27:32 -0400
Subject: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
In-Reply-To: <4E0C412C.3020102@s3group.cz>
References: <4E0C412C.3020102@s3group.cz>
Message-ID: <4E0C79C4.8010908@redhat.com>

Ondrej Valousek wrote:
> Hi List,
>
> I have just noticed that the ipa-client-install fails miserably if the
> clients /etc/resolv.conf points to some foreign DNS server. The symptoms
> are that KDC (on the IPA server) fails to locate self in Kerberos database:

The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).
> Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16
> 23}) 192.168.60.135: NEEDED_PREAUTH: admin at EXAMPLE.COM for
> krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
> Jun 30 11:11:48 polaris krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16
> 23}) 192.168.60.135: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18
> ses=18}, admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM
> Jun 30 11:11:49 polaris krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16
> 23}) 192.168.60.135: UNKNOWN_SERVER: authtime 0, admin at EXAMPLE.COM for
> HTTP/polaris.prague.s3group.com at EXAMPLE.COM, Server not found in
> Kerberos database
>
> Question: Should probably try to autoconfigure /etc/resolv.conf as well
> or at least warn user that join might fail?

The resolver is a bit of a chicken and egg problem. Hard to look anything up if you don't have one configured.

The installer should prompt that the detected settings are ok. Were they ok and we still went to the wrong place?

rob

From ondrejv at s3group.cz Thu Jun 30 13:52:21 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 30 Jun 2011 15:52:21 +0200
Subject: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
In-Reply-To: <4E0C79C4.8010908@redhat.com>
References: <4E0C412C.3020102@s3group.cz> <4E0C79C4.8010908@redhat.com>
Message-ID: <4E0C7F95.8030602@s3group.cz>

> The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used
> is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).

Apparently not the KDC. I had to fix the resolv.conf on the *client* in order to resolve the problem.
Problem was in reverse records - company DNS server returned polaris.prague.s3group.com (this rendered the error on KDC) for the IP of the IPA server whereas the correct one should be polaris.example.com (as per the DNS server running on the IPA server). When the client's resolv.conf pointed to the company DNS, it did not work. I had to fix resolv.conf manually to make it work.

> The resolver is a bit of a chicken and egg problem. Hard to look anything up if you don't have one configured.
>
> The installer should prompt that the detected settings are ok. Were they ok and we still went to the wrong place?

Ok let me explain it more. The machine I was running the ipa-client-install on was using the company DNS server. On that DNS server I made a forward rule for the 'example.com' domain. Therefore, once I ran

# ipa-client-install --domain=example.com

.. the tool was able to detect everything correctly, BUT the wrong DNS server (which was left behind in /etc/resolv.conf) returned wrong names from its reverse zone.

I believe it should be fairly easy for the installer to do a few sanity checks to see whether the reverse DNS lookup works well...

Ondrej

From simo at redhat.com Thu Jun 30 14:22:52 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 30 Jun 2011 10:22:52 -0400
Subject: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
In-Reply-To: <4E0C7F95.8030602@s3group.cz>
References: <4E0C412C.3020102@s3group.cz> <4E0C79C4.8010908@redhat.com> <4E0C7F95.8030602@s3group.cz>
Message-ID: <1309443772.2681.125.camel@willson.li.ssimo.org>

On Thu, 2011-06-30 at 15:52 +0200, Ondrej Valousek wrote:
>
> > The KDC is just trying to look up a service that was requested, it
> > was the client that requested this host. Note that the host name
> > used is the detected IPA server.
> > This can often be wrong if there is
> > another server in your network with SRV records (such as AD).
> Apparently not the KDC. I had to fix the resolv.conf on the client in
> order to resolve the problem. Problem was in reverse records - company
> DNS server returned polaris.prague.s3group.com (this rendered the
> error on KDC) for the IP of the IPA server whereas the correct one
> should be polaris.example.com (as per the DNS server running on the
> IPA server). When the clients resolv.conf pointed to the company DNS,
> it did not work. I had to fix resolv.conf manually to make it working.
>
> > The resolver is a bit of a chicken and egg problem. Hard to look
> > anything up if you don't have one configured.
> >
> > The installer should prompt that the detected settings are ok. Were
> > they ok and we still went to the wrong place?
>
> Ok let me explain it more. The machine I was running the
> ipa-client-install was using company DNS server. On that DNS server I
> made a forward rule for 'example.com' domain. Therefore, once I ran
>
> # ipa-client-install --domain=example.com
>
> .. the tool was able to detect everything correctly, BUT the wrong DNS
> server (which was left behind in /etc/resolv.conf) returned wrong
> names from its reverse zone.
>
> I believe it should be fairly easy for the installer to do few sanity
> checks to see whether the reverse DNS lookup works well...

We are actively working on trying to never depend on reverse lookups. Unfortunately there are still some bugs and limitations in various libraries but we are working on fixing them.

That said if you want to use your main DNS for client, you can simply fix issues by adding reverse records into it at least for IPA servers. Or give the IPA machine a subnet and forward requests for that subnet too.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From ondrejv at s3group.cz Thu Jun 30 14:32:44 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 30 Jun 2011 16:32:44 +0200
Subject: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect
In-Reply-To: <1309443772.2681.125.camel@willson.li.ssimo.org>
References: <4E0C412C.3020102@s3group.cz> <4E0C79C4.8010908@redhat.com> <4E0C7F95.8030602@s3group.cz> <1309443772.2681.125.camel@willson.li.ssimo.org>
Message-ID: <4E0C890C.6040805@s3group.cz>

On 30.06.2011 16:22, Simo Sorce wrote:
> We are actively working on trying to never depend on reverse lookups. Unfortunately there are still some bugs and limitations in various libraries but we are working on fixing them.

Ok, thanks for the explanation. I have also seen similar errors when talking to an AD based KDC - I take it I have experienced the similar dependency - probably in MIT libraries, right? But it would be just perfect if this dependency is gone, that's true.

Ondrej

From ondrejv at s3group.cz Thu Jun 30 14:43:29 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 30 Jun 2011 16:43:29 +0200
Subject: [Freeipa-users] Automounter maps
Message-ID: <4E0C8B91.2050602@s3group.cz>

Hi List,

I am just wondering what's the situation regarding storing automounter maps in IPA? I see support for it on the roadmap but I am wondering how it is going to be done, because:

1. sssd can not do it, and I think it is going to take a long time before it will (due to the libc NSS limitations)
2. automounter has its own ldap support

Ian has recently added DNS SRV support for the automounter and I have verified that I can store maps in Active Directory (accessing via ldap/gssapi) so I am thinking the same should be possible right now even with IPA, just a small DS schema extension would be needed.

Does anyone know?
Thanks,
Ondrej

From rcritten at redhat.com Thu Jun 30 14:55:28 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Jun 2011 10:55:28 -0400
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E0C8B91.2050602@s3group.cz>
References: <4E0C8B91.2050602@s3group.cz>
Message-ID: <4E0C8E60.8000806@redhat.com>

Ondrej Valousek wrote:
> Hi List,
>
> I am just wondering what's the situation regarding storing automounter maps in IPA? I see support for it on the roadmap but I am wondering how it is going to be done, because:
> 1. sssd can not do it, and I think it is going to take a long time before it will (due to the libc NSS limitations)
> 2. automounter has its own ldap support
>
> Ian has recently added DNS SRV support for the automounter and I have verified that I can store maps in Active Directory (accessing via ldap/gssapi) so I am thinking the same should be possible right now even with IPA, just a small DS schema extension would be needed.
>
> Does anyone know?
> Thanks,

IPA v2 supports managing and storing automount maps in its LDAP server. Look at the output of this for details:

ipa help automount

rob

From ondrejv at s3group.cz Thu Jun 30 15:08:03 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 30 Jun 2011 17:08:03 +0200
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E0C8E60.8000806@redhat.com>
References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com>
Message-ID: <4E0C9153.6000602@s3group.cz>

On 30.06.2011 16:55, Rob Crittenden wrote:
> Look at the output of this for details: ipa help automount

I see, thanks!
It would be nice to update man pages like:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
to say something like:

LDAP_URI="ldap:///dc=example,dc=com"
SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"

So people know more about the automounter's ability to locate the ldap server via DNS SRV....

Thanks!
Ondrej

From ayoung at redhat.com Thu Jun 30 15:26:50 2011
From: ayoung at redhat.com (Adam Young)
Date: Thu, 30 Jun 2011 11:26:50 -0400
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E0C9153.6000602@s3group.cz>
References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz>
Message-ID: <4E0C95BA.9060004@redhat.com>

Good point.

Take a look at the test day instructions, I found them very useful for setting up both SUDO and automount.

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
> On 30.06.2011 16:55, Rob Crittenden wrote:
>> Look at the output of this for details: ipa help automount
>
> I see, thanks!
> It would be nice to update man pages like:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
> to say something like:
> LDAP_URI="ldap:///dc=example,dc=com"
> SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
> So people know more about the automounter's ability to locate the ldap server via DNS SRV....
>
> Thanks!
> Ondrej
From dpal at redhat.com Thu Jun 30 15:29:33 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 30 Jun 2011 11:29:33 -0400
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E0C9153.6000602@s3group.cz>
References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz>
Message-ID: <4E0C965D.908@redhat.com>

On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
> On 30.06.2011 16:55, Rob Crittenden wrote:
>> Look at the output of this for details: ipa help automount
>
> I see, thanks!
> It would be nice to update man pages like:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
> to say something like:
> LDAP_URI="ldap:///dc=example,dc=com"
> SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
> So people know more about the automounter's ability to locate the ldap server via DNS SRV....
>

Can you please rephrase? Do you mean that instead of documenting what we already have, or in addition to it, we should also document how to configure automount with DNS? Does DNS allow specifying the search base? Can you please point to any doc/man page that describes how to configure DNS for automount. We might add it as a reference into the doc. Is this what you are looking for?

> Thanks!
> Ondrej

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From ondrejv at s3group.cz Thu Jun 30 16:04:31 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 30 Jun 2011 18:04:31 +0200
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E0C95BA.9060004@redhat.com>
References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz> <4E0C95BA.9060004@redhat.com>
Message-ID: <4E0C9E8F.6010208@s3group.cz>

Hmm,
To me, these instructions are very vague - for example they completely omit LDAP security configuration for the automounter (stored in /etc/autofs_ldap_auth.conf). How does the automounter bind to the ldap server? Anonymously?
I would not recommend it.

I would recommend configuring the automounter to use the host/ principal in the local Kerberos system database and bind using SASL/GSSAPI instead. It is a more secure and elegant solution.

Ondrej

On 30.06.2011 17:26, Adam Young wrote:
> Good point.
>
> Take a look at the test day instructions, I found them very useful for setting up both SUDO and automount.
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>
> On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
>> On 30.06.2011 16:55, Rob Crittenden wrote:
>>> Look at the output of this for details: ipa help automount
>>
>> I see, thanks!
>> It would be nice to update man pages like:
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
>> to say something like:
>> LDAP_URI="ldap:///dc=example,dc=com"
>> SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
>> So people know more about the automounter's ability to locate the ldap server via DNS SRV....
>>
>> Thanks!
>> Ondrej

From dpal at redhat.com Thu Jun 30 16:23:15 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 30 Jun 2011 12:23:15 -0400
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E0C9E8F.6010208@s3group.cz>
References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz> <4E0C95BA.9060004@redhat.com> <4E0C9E8F.6010208@s3group.cz>
Message-ID: <4E0CA2F3.2080201@redhat.com>

On 06/30/2011 12:04 PM, Ondrej Valousek wrote:
> Hmm,
> To me, these instructions are very vague - for example they completely omit LDAP security configuration for the automounter (stored in /etc/autofs_ldap_auth.conf). How does the automounter bind to the ldap server? Anonymously?
> I would not recommend it.
>
> I would recommend configuring the automounter to use the host/ principal in the local Kerberos system database and bind using SASL/GSSAPI instead. It is a more secure and elegant solution.
>

Sure, but the point is to give you an example of how to do it with IPA, i.e. to demonstrate the IPA specific context which is the "location". We do not control the autofs on the client side so the configuration of it is out of scope of the IPA documentation. A good description of how to set up autofs with GSSAPI or using other security mechanisms is always welcome but it has no specifics to IPA (unless I am missing something). It is nothing different from any other kerberos enabled LDAP server so any generic guidelines documented in autofs (I assume they exist) should apply.
Thanks
Dmitri

> Ondrej
>
> On 30.06.2011 17:26, Adam Young wrote:
>> Good point.
>>
>> Take a look at the test day instructions, I found them very useful for setting up both SUDO and automount.
>>
>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>
>> On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
>>> On 30.06.2011 16:55, Rob Crittenden wrote:
>>>> Look at the output of this for details: ipa help automount
>>>
>>> I see, thanks!
>>> It would be nice to update man pages like:
>>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
>>> to say something like:
>>> LDAP_URI="ldap:///dc=example,dc=com"
>>> SEARCH_BASE="cn=,cn=automount,dc=example,dc=com"
>>> So people know more about the automounter's ability to locate the ldap server via DNS SRV....
>>>
>>> Thanks!
>>> Ondrej

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
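The client-side pieces discussed in this thread, put together in one place: Ondrej's LDAP_URI without a host so autofs locates the server through DNS SRV records, an IPA automount location as the search base (the "location" context Dmitri refers to), and a SASL/GSSAPI bind with the client's host/ principal in /etc/autofs_ldap_auth.conf instead of an anonymous bind. This is an added example written for this page, not code from the thread or from the autofs or FreeIPA projects. The hostname, realm, base DN and the location name "default" are constructed sample values, and the function writes into a directory of your choosing rather than /etc so it can be exercised without root; on a real client the two files go to /etc/sysconfig/autofs and /etc/autofs_ldap_auth.conf. The attribute names in autofs_ldap_auth.conf are the ones documented in autofs_ldap_auth.conf(5).

```shell
#!/bin/sh
# Added example: provision the autofs LDAP client settings for an IPA domain.
#
#   write_autofs_ldap_config DESTDIR CLIENT_FQDN REALM BASEDN [LOCATION]
#
# Writes:
#   DESTDIR/sysconfig-autofs        the LDAP_URI/SEARCH_BASE lines for /etc/sysconfig/autofs
#   DESTDIR/autofs_ldap_auth.conf   the SASL/GSSAPI bind settings
write_autofs_ldap_config() {
    dest=$1
    client_fqdn=$2      # constructed sample: client.example.com
    realm=$3            # constructed sample: EXAMPLE.COM
    basedn=$4           # constructed sample: dc=example,dc=com
    location=${5:-default}   # IPA automount location; "default" is assumed here

    mkdir -p "$dest"

    # A URI with no host part tells autofs to look up _ldap._tcp SRV records
    # for the domain instead of pinning a single server name.
    # IPA keeps each automount location under cn=<location>,cn=automount,<suffix>.
    cat > "$dest/sysconfig-autofs" <<EOF
# autofs LDAP source for IPA domain ($basedn); server found via DNS SRV
LDAP_URI="ldap:///$basedn"
SEARCH_BASE="cn=$location,cn=automount,$basedn"
EOF

    # authrequired="yes" refuses to fall back to an anonymous bind if the SASL
    # bind fails; authtype="GSSAPI" authenticates with the Kerberos host
    # principal, whose key lives in the client's keytab (/etc/krb5.keytab,
    # normally written by ipa-client-install). TLS is left off in this sample;
    # set usetls/tlsrequired to "yes" to also wrap the LDAP session in TLS.
    cat > "$dest/autofs_ldap_auth.conf" <<EOF
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/$client_fqdn@$realm"
/>
EOF
    # The file may hold secrets for other authtypes, so keep it root-only.
    chmod 0600 "$dest/autofs_ldap_auth.conf"
}

# Stand-alone use:  sh autofs-ipa.sh /tmp/autofs-out client.example.com EXAMPLE.COM dc=example,dc=com
if [ $# -ge 4 ]; then
    write_autofs_ldap_config "$@"
fi
```

The DNS side that makes the empty host part work is an `_ldap._tcp.<domain>` SRV record pointing at the IPA server, which an IPA-managed DNS zone already publishes; with the company DNS in front, the record has to be reachable through the forward rule just as in the ipa-client-install thread above.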
From rcritten at redhat.com Thu Jun 30 21:42:47 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Jun 2011 17:42:47 -0400
Subject: [Freeipa-users] v1 to v2 migration problem: unknown object class "radiusprofile" and attribute "memberofindirect" not allowed
In-Reply-To:
References: <4DE514C8.4050400@redhat.com> <4DE5283A.6080404@redhat.com>
Message-ID: <4E0CEDD7.8010001@redhat.com>

Dan Scott wrote:
> Hi,
>
> On Tue, May 31, 2011 at 13:41, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 05/31/2011 10:45 AM, tomasz.napierala at allegro.pl wrote:
>>>> Hi,
>>>> I'm trying to migrate data from our current FreeIPA install (v1) and I'm having problems with a nonexistent objectClass in v2, which seems to be by default present in v1:
>>>>
>>>> ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts ldap://ipaserverv1:389
>>>> Failed user:
>>>> username: unknown object class "radiusprofile"
>>>>
>>>> Also groups that are members of other groups are having problems too:
>>>> groupname: attribute "memberofindirect" not allowed
>>>>
>>>> Is there any way to avoid these errors during migration?
>>>
>>> I do not think we tried this migration.
>>>
>>> Do you have any radius data populated in the v1? It seems that this is in some way getting in the way.
>>> The second issue is more worrying. We will see what can be done.
>>>
>>> Please file two tickets and we will try to look at them.
>>
>> The second problem is fixed upstream.
>>
>> The objectclass problem is a bit trickier. We don't currently offer a mechanism for adding/dropping objectclasses on-the-fly.
>>
>> The best fix would be to remove the OC from all users in the v1 server then do the migration. This is assuming you aren't using radius in v1.
>>
>> An alternative fix would be to drop the file 60radius.ldif into the v2 schema directory and restart dirsrv:
>>
>> On your v1 server it is in /etc/dirsrv/slapd-INSTANCE/schema.
>> Copy this to the equivalent location on the v2 server.
>
> Sorry to jump on this so late.
>
> Do you know if the fix for "groupname: attribute "memberofindirect" not allowed" has been released yet? I'm running Fedora 15 with the latest updates from updates-testing and trying to migrate from FreeIPA 1.2. I've fixed the Radius issue by adding the 60radius.ldif file to the FreeIPA 2.0 schema as suggested. Now, I'm getting "groupname: attribute "memberofindirect" not allowed" for all of my members. The groups all appear to migrate successfully.
>
> Thanks,
>
> Dan

Not released yet. I had wanted to release another 2.0.x dot release and update the tarball in Fedora. We're close to releasing 2.1 so I wonder if we'd be better off waiting for that (few more weeks).

rob
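Rob's preferred fix in the quoted reply above (remove the radiusprofile objectclass from every v1 user before running ipa migrate-ds, given that radius is not actually in use) can be prepared offline from an LDIF export of the v1 user container. The helper below is an added example written for this page, not code from the thread or from FreeIPA: it reads an LDIF export on stdin and emits an ldapmodify input that deletes the objectClass value from each user that carries it. A directory server will refuse to drop an objectclass while attributes that only that class permits remain on the entry, so the helper also deletes, as an assumption made here, every attribute whose name starts with "radius" (the attribute names defined by the RADIUS schema that 60radius.ldif loads are assumed to share that prefix). The sample entries in sample_v1_export are constructed.

```shell
#!/bin/sh
# Added example: turn a v1 LDIF export into an ldapmodify input that strips
# the "radiusprofile" objectclass (and the radius* attributes) from users.
#
#   ldapsearch ... -b cn=users,cn=accounts,dc=example,dc=com > users.ldif
#   strip_radiusprofile < users.ldif > drop-radiusprofile.ldif
#   ldapmodify ... -f drop-radiusprofile.ldif      # against the v1 server
strip_radiusprofile() {
    awk '
        # LDIF folds long values: a line starting with a space continues the
        # previous one, so unfold before looking at any line.
        /^ / { buf = buf substr($0, 2); next }
        { if (started) handle(buf); buf = $0; started = 1 }
        END { if (started) handle(buf); flush() }

        function handle(line,    name, attr) {
            if (line ~ /^dn: /)  { flush(); dn = substr(line, 5); return }
            if (line ~ /^dn::/)  { flush(); return }   # base64 DN: not handled, entry skipped
            if (line == "" || line ~ /^#/) { return }
            # objectclass names are case-insensitive in LDAP
            if (tolower(line) == "objectclass: radiusprofile") { has = 1; return }
            attr = line; sub(/:.*/, "", attr); name = tolower(attr)
            # assumption: every attribute of the radius schema starts with "radius"
            if (name ~ /^radius/ && !(name in seen)) { seen[name] = 1; attrs[nattr++] = attr }
        }
        # Emit one change record per entry that actually carries the class;
        # entries without it produce no output at all.
        function flush(    i, k) {
            if (has && dn != "") {
                print "dn: " dn
                print "changetype: modify"
                for (i = 0; i < nattr; i++) { print "delete: " attrs[i]; print "-" }
                print "delete: objectClass"
                print "objectClass: radiusprofile"
                print "-"
                print ""
            }
            has = 0; nattr = 0; dn = ""
            for (k in seen) delete seen[k]
        }
    '
}

# Constructed sample export: alice still carries the v1 radius class and one
# radius attribute, bob is a plain user and must be left untouched.
sample_v1_export() {
    printf '%s\n' \
        'dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com' \
        'objectClass: top' \
        'objectClass: person' \
        'objectClass: posixAccount' \
        'objectClass: radiusprofile' \
        'uid: alice' \
        'radiusProfileDn: cn=dialup,dc=example,dc=com' \
        '' \
        'dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com' \
        'objectClass: top' \
        'objectClass: person' \
        'uid: bob'
}

# Stand-alone demo:  sh strip-radius.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_v1_export | strip_radiusprofile
fi
```

Review the generated LDIF before applying it, and apply it against a backup or a replica first: the change is a plain modify as Directory Manager and is not undone by the migration tooling if something else on the entry turns out to depend on the class.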