<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/19/2014 06:52 PM, Shree wrote:
<blockquote
cite="mid:1392853943.52122.YahooMailNeo@web160103.mail.bf1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: HelveticaNeue,Helvetica
Neue,Helvetica,Arial,Lucida Grande,sans-serif; font-size: 8pt;">Rob<br>
You were right. After upgrading the client to the
ipa-client-3.0.0-37.el6.x86_64 version I started seeing a
warning during the client install that went something like <br>
=================<br>
Autodiscovery of servers for failover cannot work with this
configuration.<br>
If you proceed with the installation, services will be
configured to always access the discovered server for all
operations and will not fail over to other servers in case of
failure.<br>
Proceed with fixed values and no DNS discovery? [no]: yes<br>
=================<br>
<div><span>I continued by saying yes because in my case the
master and the replica are in different VLANs and failover
is not possible for me. I have tried in two hosts
successfully and am hoping that does the trick.</span></div>
<div style="color: rgb(0, 0, 0); font-size: 10.6667px;
font-family: HelveticaNeue,Helvetica
Neue,Helvetica,Arial,Lucida Grande,sans-serif;
background-color: transparent; font-style: normal;"><br>
<span></span></div>
<div style="color: rgb(0, 0, 0); font-size: 10.6667px;
font-family: HelveticaNeue,Helvetica
Neue,Helvetica,Arial,Lucida Grande,sans-serif;
background-color: transparent; font-style: normal;"><span>However
I see one issue immediately that my sudo access does not
seem to work now on the newly added clients! Do you know
what might be happening?<br>
</span></div>
<div> </div>
</div>
</blockquote>
Are you using SSSD and SUDO integration?<br>
What version of sudo and sssd?<br>
See if this would help:
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</a><br>
<br>
<blockquote
cite="mid:1392853943.52122.YahooMailNeo@web160103.mail.bf1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif;font-size:8pt">
<div>Shreeraj
<br>
----------------------------------------------------------------------------------------
<br>
<br>
Change is the only Constant !</div>
<div style="display: block;" class="yahoo_quoted"> <br>
<br>
<div style="font-family: HelveticaNeue, Helvetica Neue,
Helvetica, Arial, Lucida Grande, sans-serif; font-size:
8pt;">
<div style="font-family: HelveticaNeue, Helvetica Neue,
Helvetica, Arial, Lucida Grande, sans-serif; font-size:
12pt;">
<div dir="ltr"> <font face="Arial" size="2"> On
Wednesday, February 19, 2014 2:21 PM, Rob Crittenden
<a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> wrote:<br>
</font> </div>
<div class="y_msg_container">Shree wrote:<br clear="none">
> <a moz-do-not-send="true" shape="rect"
ymailto="mailto:root@test500"
href="mailto:root@test500">root@test500</a> ~]# rpm -q
ipa-client<br clear="none">
> ipa-client-2.2.0-16.el6.x86_64<br clear="none">
> [<a moz-do-not-send="true" shape="rect"
ymailto="mailto:root@test500"
href="mailto:root@test500">root@test500</a> ~]#<br
clear="none">
<br clear="none">
You'll definitely want to update to 2.2.0-17, that fixes
CVE-2012-5484<br clear="none">
<br clear="none">
Unfortunately our logging around discovery was rather
horrible in 2.2.x <br clear="none">
so it is difficult to know exactly what is going on.<br
clear="none">
<br clear="none">
I believe the problem is that it is still doing DNS
discovery even <br clear="none">
though you've passed in a server name so it is setting
up Kerberos to <br clear="none">
look up the KDC which it finds but can't talk to.<br
clear="none">
<br clear="none">
This should be fixed in the 3.0 packages so updating to
those is the <br clear="none">
preferred solution.<br clear="none">
<br clear="none">
For 2.x you can try the --force option which should make
it skip some <br clear="none">
discovery.<br clear="none">
<br clear="none">
rob<br clear="none">
<br clear="none">
><br clear="none">
><br clear="none">
> Shreeraj<br clear="none">
>
----------------------------------------------------------------------------------------<br
clear="none">
><br clear="none">
><br clear="none">
> Change is the only Constant !<br clear="none">
><br clear="none">
><br clear="none">
> On Wednesday, February 19, 2014 1:17 PM, Rob
Crittenden<br clear="none">
> <<a moz-do-not-send="true" shape="rect"
ymailto="mailto:rcritten@redhat.com"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>
wrote:<br clear="none">
> Shree wrote:<br clear="none">
> > Here are a couple of things<br clear="none">
> ><br clear="none">
> > [<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>
<mailto:<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>>
~]$ rpm -q ipa-client<br clear="none">
> > ipa-client-3.0.0-26.el6_4.4.x86_64<br
clear="none">
><br clear="none">
> What is the version on the client that is failing
to enroll?<br clear="none">
><br clear="none">
> rob<br clear="none">
><br clear="none">
> ><br clear="none">
> > and my /etc/krb5.conf looks like ..........<br
clear="none">
> > =======================================<br
clear="none">
> > includedir
/var/lib/sss/pubconf/krb5.include.d/<br clear="none">
> ><br clear="none">
> > [logging]<br clear="none">
> > default = <a class="moz-txt-link-freetext" href="FILE:/var/log/krb5libs.log">FILE:/var/log/krb5libs.log</a><br
clear="none">
> > kdc = <a class="moz-txt-link-freetext" href="FILE:/var/log/krb5kdc.log">FILE:/var/log/krb5kdc.log</a><br
clear="none">
> > admin_server = <a class="moz-txt-link-freetext" href="FILE:/var/log/kadmind.log">FILE:/var/log/kadmind.log</a><br
clear="none">
> ><br clear="none">
> > [libdefaults]<br clear="none">
> > default_realm = MYDOMAIN.COM<br clear="none">
> > dns_lookup_realm = false<br clear="none">
> > dns_lookup_kdc = true<br clear="none">
> > rdns = false<br clear="none">
> > ticket_lifetime = 24h<br clear="none">
> > forwardable = yes<br clear="none">
> ><br clear="none">
> > [realms]<br clear="none">
> > MYDOMAIN.COM = {<br clear="none">
> > kdc = ldap2.mydomain.com:88<br
clear="none">
> > master_kdc = ldap2.mydomain.com:88<br
clear="none">
> > admin_server = ldap2.mydomain.com:749<br
clear="none">
> > default_domain = mydomain.com<br
clear="none">
> > pkinit_anchors = <a class="moz-txt-link-freetext" href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a><br
clear="none">
> > default_domain = mydomain.com<br clear="none">
> > pkinit_anchors = <a class="moz-txt-link-freetext" href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a><br
clear="none">
> > }<br clear="none">
> ><br clear="none">
> > [domain_realm]<br clear="none">
> > .mydomain.com = MYDOMAIN.COM<br clear="none">
> > mydomain.com = MYDOMAIN.COM<br clear="none">
> ><br clear="none">
> > [dbmodules]<br clear="none">
> > MYDOMAIN.COM = {<br clear="none">
> > db_library = ipadb.so<br clear="none">
> > }<br clear="none">
> ><br clear="none">
> > =======================================<br
clear="none">
> ><br clear="none">
> ><br clear="none">
> > Shreeraj<br clear="none">
> ><br clear="none">
>
----------------------------------------------------------------------------------------<br
clear="none">
> ><br clear="none">
> ><br clear="none">
> > Change is the only Constant !<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > On Wednesday, February 19, 2014 12:59 PM, Rob
Crittenden<br clear="none">
> > <<a moz-do-not-send="true" shape="rect"
ymailto="mailto:rcritten@redhat.com"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>
<mailto:<a moz-do-not-send="true" shape="rect"
ymailto="mailto:rcritten@redhat.com"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>
wrote:<br clear="none">
> > Shree wrote:<br clear="none">
> > > 1) I have got a step further. My
replica is not running CA Service. To<br clear="none">
> > > achieve this I had to remove the
existing cert with this command<br clear="none">
> > ><br clear="none">
> > > pkiremove -pki_instance_root=/var/lib
-pki_instance_name=pki-ca -force<br clear="none">
> > ><br clear="none">
> > > Now the replica looks like this<br
clear="none">
> > ><br clear="none">
> > > <a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>
<mailto:<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>>
<mailto:<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a><br
clear="none">
> <mailto:<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>>>
tmp]$ sudo ipactl status<br clear="none">
> > > [sudo] password for skarulkar:<br
clear="none">
> > > Directory Service: RUNNING<br
clear="none">
> > > KDC Service: RUNNING<br clear="none">
> > > KPASSWD Service: RUNNING<br
clear="none">
> > > MEMCACHE Service: RUNNING<br
clear="none">
> > > HTTP Service: RUNNING<br clear="none">
> > > CA Service: RUNNING<br clear="none">
> > > [<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>
<mailto:<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>>
<mailto:<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>
<div class="yqt3074115429" id="yqtfd53238"><br
clear="none">
> <mailto:<a moz-do-not-send="true" shape="rect"
ymailto="mailto:skarulkar@ldap2"
href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>>>
tmp]$<br clear="none">
><br clear="none">
> ><br clear="none">
> > The tracking failed with:<br clear="none">
> ><br clear="none">
> > 2014-02-18T20:20:43Z DEBUG stdout=Error
initializing Kerberos library:<br clear="none">
> > Improper format of Kerberos configuration
file.<br clear="none">
> ><br clear="none">
> > It looks like it failed on this for most if
not all the tracking. What<br clear="none">
> > does /etc/krb5.conf look like?<br
clear="none">
> ><br clear="none">
> > ><br clear="none">
> > > 2) I am still not able to add client
using ipa-client-install<br clear="none">
> using the<br clear="none">
> > > replica.<br clear="none">
> ><br clear="none">
> > The temporary krb5.conf that is used during
enrollment has<br clear="none">
> > dns_lookup_kdc=True so it is probably
trying to contact the other KDC<br clear="none">
> > and failing.<br clear="none">
> ><br clear="none">
> > What is the output of:<br clear="none">
> ><br clear="none">
> > $ rpm -q ipa-client<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > rob<br clear="none">
> ><br clear="none">
> ><br clear="none">
> ><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
<br clear="none">
</div>
<br>
<br>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
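<p>The thread turns on two krb5.conf conditions: the enrollment-time file keeps <code>dns_lookup_kdc = true</code> next to a pinned <code>kdc</code>, so SRV discovery can steer the client to a KDC it cannot reach, and a replica's <code>certmonger</code> tracking died with "Improper format of Kerberos configuration file". The script below is an added example, not code from this thread or from the FreeIPA project: it parses a krb5.conf the way the profile library reads it (sections, <code>key = value</code> relations, nested <code>{ }</code> realm blocks, <code>includedir</code> lines) and reports the discovery-versus-pinned-KDC mismatch, repeated relations inside the default realm block, and unbalanced braces. The function names <code>parse_krb5_conf</code> and <code>audit</code> are assumptions, and <code>SAMPLE_KRB5_CONF</code> is a constructed file modelled on the one quoted above, not a capture from the poster's host.</p>

```python
"""Parse an MIT krb5.conf and flag the conditions discussed in the thread:
DNS KDC discovery left on beside a pinned KDC, repeated relations, and
unbalanced braces.  Added example; not code from the thread or FreeIPA.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^\[(\w+)\]$")

# Constructed sample modelled on the krb5.conf quoted in the thread.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  master_kdc = ldap2.mydomain.com:88
  admin_server = ldap2.mydomain.com:749
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  default_domain = mydomain.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'key = {' opens a nested dict.

    Repeated keys accumulate into a list instead of overwriting, which is
    what lets audit() see duplicates.  Raises ValueError on unbalanced
    braces or on a relation that appears outside any section.
    """
    conf = OrderedDict()
    stack = []                      # open dicts, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.split()[0] in ("include", "includedir"):
            conf.setdefault("_includes", []).append(line)
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), OrderedDict())]
            continue
        if not stack:
            raise ValueError("line %d: relation outside any section" % lineno)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: '}' without matching '{'" % lineno)
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError("line %d: not a 'key = value' relation" % lineno)
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            sub = OrderedDict()
            stack[-1].setdefault(key, []).append(sub)
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return conf


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1", "on")


def audit(conf):
    """Return human-readable findings for the default realm."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[-1]
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    blocks = [b for b in conf.get("realms", {}).get(realm, [])
              if isinstance(b, dict)]
    if not blocks:
        return ["[realms] has no block for %s" % realm]
    block = blocks[0]
    kdcs = [v for v in block.get("kdc", []) if isinstance(v, str)]
    # Discovery left on while a KDC is pinned: the mismatch behind the
    # enrollment failure described in the thread.
    if _truthy(libdefaults.get("dns_lookup_kdc", ["false"])[-1]) and kdcs:
        findings.append(
            "dns_lookup_kdc is true although %s pins kdc=%s; SRV discovery "
            "can still route the client to a KDC it cannot reach"
            % (realm, ", ".join(kdcs)))
    # Relations repeated inside the realm block, as in the quoted file.
    for key, values in block.items():
        if len(values) > 1:
            findings.append("%s appears %d times in [realms] %s"
                            % (key, len(values), realm))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("WARNING:", finding)
```

<p>Run against the sample it reports the discovery mismatch plus the two repeated relations; point it at <code>/etc/krb5.conf</code> on a host before enrollment (or at the temporary file <code>ipa-client-install</code> writes) to confirm that the KDC a client will actually use is the one you intended. The parser deliberately raises rather than guessing on an unclosed <code>{</code>, since a file the profile library rejects is exactly what the "Improper format" error reports.</p>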
</body>
</html>