<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">Dmitri, Rob, Lucas et al., thank you for all your help and patience and for pointing me in the right direction. I was able to fix most of my issues. My setup is a little complex: I am trying to have a master and a replica in different networks, kept in sync, with each of them serving a different set of hosts.<br><div><span><br></span></div><div> </div><div>Shreeraj
<br>----------------------------------------------------------------------------------------
<br>
<br>Change is the only Constant !</div><div style="display: block;" class="yahoo_quoted"> <br> <br> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Thursday, February 20, 2014 2:20 PM, Dmitri Pal <dpal@redhat.com> wrote:<br> </font> </div> <div class="y_msg_container"><div id="yiv7550882482"><div>
On 02/20/2014 02:58 PM, Shree wrote:
<div class="yiv7550882482yqt2477497469" id="yiv7550882482yqt45177"><blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">Can you help me figure
out? Below is some info on the existing working configuration
on one of the clients:<br clear="none">
1)Sudo version 1.7.4p5<br clear="none">
<br clear="none">
2)[root@test500 ~]# sssd --version<br clear="none">
1.9.2<br clear="none">
<br clear="none">
3)These are the uncommented lines in /etc/sssd/sssd.conf<br clear="none">
[sssd]<br clear="none">
config_file_version = 2<br clear="none">
services = nss, pam<br clear="none">
domains = mydomain.com<br clear="none">
[domain/mydomain.com]<br clear="none">
cache_credentials = True<br clear="none">
krb5_store_password_if_offline = True<br clear="none">
ipa_domain = mydomain.com<br clear="none">
id_provider = ipa<br clear="none">
auth_provider = ipa<br clear="none">
access_provider = ipa<br clear="none">
ipa_hostname = dns.mydomain.com<br clear="none">
chpass_provider = ipa<br clear="none">
ipa_server = ldap.mydomain.com<br clear="none">
ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com<br clear="none">
ldap_tls_cacert = /etc/ipa/ca.crt<br clear="none">
<div id="yiv7550882482">
<div>
<div class="yiv7550882482" style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">
<div id="yiv7550882482yui_3_13_0_ym1_9_1392920997931_10">=======================================<br clear="none">
4)And these are the options in /etc/nsswitch.conf<br clear="none">
sudoers: files ldap<br clear="none">
passwd: files sss<br clear="none">
shadow: files sss<br clear="none">
group: files sss<br clear="none">
</div>
<div id="yiv7550882482yui_3_13_0_ym1_9_1392920997931_12"><br clear="none">
Shreeraj
<br clear="none">
----------------------------------------------------------------------------------------
<br clear="none">
<br clear="none">
Change is the only Constant !</div>
<div class="yiv7550882482" id="yiv7550882482yui_3_13_0_ym1_9_1392920997931_14" style="display:none;"> <br clear="none">
<br clear="none">
<div class="yiv7550882482" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">
<div class="yiv7550882482" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;">
<div class="yiv7550882482" id="yiv7550882482yqt76401">
<div dir="ltr"> <font face="Arial" size="2"> On
Thursday, February 20, 2014 7:20 AM, Dmitri
Pal <a rel="nofollow" shape="rect" class="yiv7550882482moz-txt-link-rfc2396E" ymailto="mailto:dpal@redhat.com" target="_blank" href="mailto:dpal@redhat.com"><dpal@redhat.com></a> wrote:<br clear="none">
</font> </div>
<div class="yiv7550882482">
<div id="yiv7550882482">
<div> On 02/19/2014 06:52 PM, Shree wrote:
<blockquote type="cite">
<div class="yiv7550882482" style="color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">Rob<br clear="none">
You were right. After upgrading the
client to the
ipa-client-3.0.0-37.el6.x86_64 version I
started seeing a warning during the
client install that went something like
<br clear="none">
=================<br clear="none">
Autodiscovery of servers for failover
cannot work with this configuration.<br clear="none">
If you proceed with the installation,
services will be configured to always
access the discovered server for all
operations and will not fail over to
other servers in case of failure.<br clear="none">
Proceed with fixed values and no DNS
discovery? [no]: yes<br clear="none">
=================<br clear="none">
<div><span>I continued by saying yes
because in my case the master and
the replica are in different VLANs
and failover is not possible for me.
I have tried on two hosts
successfully and am hoping that does
the trick.</span></div>
<div class="yiv7550882482" style="color:rgb(0, 0, 0);font-size:10.6667px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><br clear="none">
<span></span></div>
<div class="yiv7550882482" style="color:rgb(0, 0, 0);font-size:10.6667px;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;background-color:transparent;font-style:normal;"><span>However,
I see one issue immediately: my
sudo access does not seem to work
now on the newly added clients! Do
you know what might be happening?<br clear="none">
</span></div>
<div> </div>
</div>
</blockquote>
Are you using SSSD and SUDO integration?<br clear="none">
What version of sudo and sssd?<br clear="none">
See if this would help: <a rel="nofollow" shape="rect" class="yiv7550882482" target="_blank" href="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</a>
<div class="yiv7550882482" id="yiv7550882482yqtfd92823"><br clear="none">
<br clear="none">
</div>
<blockquote type="cite">
<div class="yiv7550882482" id="yiv7550882482yqtfd11561">
<div class="yiv7550882482" style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">
<div>Shreeraj <br clear="none">
----------------------------------------------------------------------------------------
<br clear="none">
<br clear="none">
Change is the only Constant !</div>
<div class="yiv7550882482" style="display:block;">
<br clear="none">
<br clear="none">
<div class="yiv7550882482" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt;">
<div class="yiv7550882482" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;">
<div dir="ltr"> <font face="Arial" size="2"> On
Wednesday, February 19, 2014
2:21 PM, Rob Crittenden <a rel="nofollow" shape="rect" class="yiv7550882482" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>
wrote:<br clear="none">
</font> </div>
<div class="yiv7550882482">Shree wrote:<br clear="none">
> [<a rel="nofollow" shape="rect" ymailto="mailto:root@test500" target="_blank" href="mailto:root@test500">root@test500</a>
~]# rpm -q ipa-client<br clear="none">
>
ipa-client-2.2.0-16.el6.x86_64<br clear="none">
> [<a rel="nofollow" shape="rect" ymailto="mailto:root@test500" target="_blank" href="mailto:root@test500">root@test500</a>
~]#<br clear="none">
<br clear="none">
You'll definitely want to
update to 2.2.0-17, which fixes
CVE-2012-5484<br clear="none">
<br clear="none">
Unfortunately our logging
around discovery was rather
horrible in 2.2.x <br clear="none">
so it is difficult to know
exactly what is going on.<br clear="none">
<br clear="none">
I believe the problem is that
it is still doing DNS
discovery even <br clear="none">
though you've passed in a
server name so it is setting
up Kerberos to <br clear="none">
look up the KDC which it finds
but can't talk to.<br clear="none">
<br clear="none">
This should be fixed in the
3.0 packages so updating to
those is the <br clear="none">
preferred solution.<br clear="none">
<br clear="none">
For 2.x you can try the
--force option which should
make it skip some <br clear="none">
discovery.<br clear="none">
<br clear="none">
rob<br clear="none">
<br clear="none">
><br clear="none">
><br clear="none">
> Shreeraj<br clear="none">
>
----------------------------------------------------------------------------------------<br clear="none">
><br clear="none">
><br clear="none">
> Change is the only
Constant !<br clear="none">
><br clear="none">
><br clear="none">
> On Wednesday, February
19, 2014 1:17 PM, Rob
Crittenden<br clear="none">
> <<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>
wrote:<br clear="none">
> Shree wrote:<br clear="none">
> > Here are a couple
of things<br clear="none">
> ><br clear="none">
> > [<a rel="nofollow" shape="rect" ymailto="mailto:skarulkar@ldap2" target="_blank" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>
~]$ rpm -q ipa-client<br clear="none">
> >
ipa-client-3.0.0-26.el6_4.4.x86_64<br clear="none">
><br clear="none">
> What is the version on
the client that is failing to
enroll?<br clear="none">
><br clear="none">
> rob<br clear="none">
><br clear="none">
> ><br clear="none">
> > and my
/etc/krb5.conf looks like
..........<br clear="none">
> >
=======================================<br clear="none">
> > includedir
/var/lib/sss/pubconf/krb5.include.d/<br clear="none">
> ><br clear="none">
> > [logging]<br clear="none">
> > default = FILE:/var/log/krb5libs.log<br clear="none">
> > kdc = FILE:/var/log/krb5kdc.log<br clear="none">
> > admin_server = FILE:/var/log/kadmind.log<br clear="none">
> ><br clear="none">
> > [libdefaults]<br clear="none">
> > default_realm =
MYDOMAIN.COM<br clear="none">
> > dns_lookup_realm =
false<br clear="none">
> > dns_lookup_kdc =
true<br clear="none">
> > rdns = false<br clear="none">
> > ticket_lifetime =
24h<br clear="none">
> > forwardable = yes<br clear="none">
> ><br clear="none">
> > [realms]<br clear="none">
> > MYDOMAIN.COM = {<br clear="none">
> > kdc =
ldap2.mydomain.com:88<br clear="none">
> > master_kdc =
ldap2.mydomain.com:88<br clear="none">
> > admin_server =
ldap2.mydomain.com:749<br clear="none">
> > default_domain =
mydomain.com<br clear="none">
> > pkinit_anchors =
FILE:/etc/ipa/ca.crt<br clear="none">
> > default_domain =
mydomain.com<br clear="none">
> > pkinit_anchors =
FILE:/etc/ipa/ca.crt<br clear="none">
> > }<br clear="none">
> ><br clear="none">
> > [domain_realm]<br clear="none">
> > .mydomain.com =
MYDOMAIN.COM<br clear="none">
> > mydomain.com =
MYDOMAIN.COM<br clear="none">
> ><br clear="none">
> > [dbmodules]<br clear="none">
> > MYDOMAIN.COM = {<br clear="none">
> > db_library =
ipadb.so<br clear="none">
> > }<br clear="none">
> ><br clear="none">
> >
=======================================<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > Shreeraj<br clear="none">
> ><br clear="none">
>
----------------------------------------------------------------------------------------<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > Change is the only
Constant !<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > On Wednesday,
February 19, 2014 12:59 PM,
Rob Crittenden<br clear="none">
> > <<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>
wrote:<br clear="none">
> > Shree wrote:<br clear="none">
> > > 1) I have got
a step further. My replica is
not running CA Service. To<br clear="none">
> > > achieve this
I had to remove the existing
cert with this command<br clear="none">
> > ><br clear="none">
> > > pkiremove
-pki_instance_root=/var/lib
-pki_instance_name=pki-ca
-force<br clear="none">
> > ><br clear="none">
> > > Now the
replica looks like this<br clear="none">
> > ><br clear="none">
> > > [<a rel="nofollow" shape="rect" ymailto="mailto:skarulkar@ldap2" target="_blank" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>
tmp]$ sudo ipactl status<br clear="none">
> > > [sudo]
password for skarulkar:<br clear="none">
> > > Directory
Service: RUNNING<br clear="none">
> > > KDC Service:
RUNNING<br clear="none">
> > > KPASSWD
Service: RUNNING<br clear="none">
> > > MEMCACHE
Service: RUNNING<br clear="none">
> > > HTTP Service:
RUNNING<br clear="none">
> > > CA Service:
RUNNING<br clear="none">
> > > [<a rel="nofollow" shape="rect" ymailto="mailto:skarulkar@ldap2" target="_blank" href="mailto:skarulkar@ldap2">skarulkar@ldap2</a>
tmp]$<br clear="none">
<div class="yiv7550882482" id="yiv7550882482yqtfd53238"><br clear="none">
><br clear="none">
> ><br clear="none">
> > The tracking
failed with:<br clear="none">
> ><br clear="none">
> >
2014-02-18T20:20:43Z DEBUG
stdout=Error initializing
Kerberos library:<br clear="none">
> > Improper format
of Kerberos configuration
file.<br clear="none">
> ><br clear="none">
> > It looks like it
failed on this for most if
not all the tracking. What<br clear="none">
> > does
/etc/krb5.conf look like?<br clear="none">
> ><br clear="none">
> > ><br clear="none">
> > > 2) I am
still not able to add client
using ipa-client-install<br clear="none">
> using the<br clear="none">
> > > replica.<br clear="none">
> ><br clear="none">
> > The temporary
krb5.conf that is used
during enrollment has<br clear="none">
> >
dns_lookup_kdc=True so it is
probably trying to contact
the other KDC<br clear="none">
> > and failing.<br clear="none">
> ><br clear="none">
> > What is the
output of:<br clear="none">
> ><br clear="none">
> > $ rpm -q
ipa-client<br clear="none">
> ><br clear="none">
> ><br clear="none">
> > rob<br clear="none">
> ><br clear="none">
> ><br clear="none">
> ><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
<br clear="none">
</div>
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
<br clear="none">
<fieldset class="yiv7550882482"></fieldset>
<br clear="none">
<pre>_______________________________________________
Freeipa-users mailing list
<a rel="nofollow" shape="rect" class="yiv7550882482" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a rel="nofollow" shape="rect" class="yiv7550882482" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</div>
</blockquote>
<br clear="none">
<br clear="none">
<pre class="yiv7550882482">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a rel="nofollow" shape="rect" class="yiv7550882482" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a></pre>
<div class="yiv7550882482" id="yiv7550882482yqtfd01221">
</div>
<div class="yiv7550882482" id="yiv7550882482yqtfd53142">
</div>
</div>
</div>
<br clear="none">
<br clear="none">
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div>
It seems like you do not use SSSD integration, so turning on sudo
debugging and seeing what it is doing is the next step.<br clear="none">
<br clear="none">
<pre class="yiv7550882482moz-signature">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a rel="nofollow" shape="rect" class="yiv7550882482moz-txt-link-abbreviated" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
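<br clear="none">
A check for the sudo/SSSD wiring Dmitri is asking about, added here as an example (it is not code from the thread, from SSSD or from FreeIPA): it parses the parts of /etc/sssd/sssd.conf and /etc/nsswitch.conf that decide whether sudo fetches its rules through SSSD and reports what is missing. The embedded sample configs are constructed from the ones Shree posted; the sssd.conf sections, keys and the nsswitch line format are the real ones, the finding messages are my own.<br clear="none">

```python
# Added example, not code from the thread, SSSD or FreeIPA: check the three
# settings that decide whether sudo fetches its rules through SSSD.
# The two sample configs are constructed from the ones posted in the thread.
import configparser
import re

SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ldap.mydomain.com
"""

NSSWITCH_CONF = """\
sudoers: files ldap
passwd: files sss
"""

def nsswitch_sources(text, database):
    """Return the source list of one nsswitch database, e.g. ['files', 'ldap']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+):\s*(.*)$", line)
        if m and m.group(1) == database:
            return m.group(2).split()
    return []

def sudo_integration_findings(sssd_text, nsswitch_text):
    """Return a list of findings; an empty list means sudo is wired to SSSD."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_text)
    findings = []
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services: the sudo responder is not enabled")
    for dom in cfg.get("sssd", "domains", fallback="").split(","):
        sect = f"domain/{dom.strip()}"
        if cfg.get(sect, "sudo_provider", fallback=None) is None:
            # SSSD defaults sudo_provider to id_provider; report it so the admin
            # confirms that this provider serves sudo rules on the installed version
            id_prov = cfg.get(sect, "id_provider", fallback="?")
            findings.append(f"[{sect}] sudo_provider unset, defaults to id_provider={id_prov}")
    if "sss" not in nsswitch_sources(nsswitch_text, "sudoers"):
        findings.append("nsswitch.conf sudoers: 'sss' missing, sudo never queries SSSD")
    return findings

if __name__ == "__main__":
    for finding in sudo_integration_findings(SSSD_CONF, NSSWITCH_CONF):
        print(finding)
```

Run against the posted configuration it reports all three gaps; with the sudo responder added to `services`, a `sudo_provider` set and `sudoers: files sss` in nsswitch.conf it reports nothing.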
</div></div><br><br></div> </div> </div> </div> </div></body></html>