<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 02/20/2014 02:58 PM, Shree wrote:
    <blockquote
      cite="mid:1392926335.76571.YahooMailNeo@web160105.mail.bf1.yahoo.com"
      type="cite">
      <div style="color:#000; background-color:#fff;
        font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
        Lucida Grande, sans-serif;font-size:8pt">Can you help me figure
        this out? Below is some info on the existing working configuration
        on one of the clients:<br>
        1) Sudo version 1.7.4p5<br>
        <br>
        2) [root@test500 ~]# sssd --version<br>
        1.9.2<br>
        <br>
        3) These are the uncommented lines in /etc/sssd/sssd.conf<br>
        [sssd]<br>
        config_file_version = 2<br>
        services = nss, pam<br>
        domains = mydomain.com<br>
        [domain/mydomain.com]<br>
        cache_credentials = True<br>
        krb5_store_password_if_offline = True<br>
        ipa_domain = mydomain.com<br>
        id_provider = ipa<br>
        auth_provider = ipa<br>
        access_provider = ipa<br>
        ipa_hostname = dns.mydomain.com<br>
        chpass_provider = ipa<br>
        ipa_server = ldap.mydomain.com<br>
        ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com<br>
        ldap_tls_cacert = /etc/ipa/ca.crt<br>
        <div id="yiv4785094012">
          <div>
            <div class=""
              style="color:#000;background-color:#fff;font-family:HelveticaNeue,
              Helvetica Neue, Helvetica, Arial, Lucida Grande,
              sans-serif;font-size:8pt;">
              <div id="yiv4785094012yui_3_13_0_ym1_9_1392920997931_10">=======================================<br>
                4) And these are the options in /etc/nsswitch.conf<br>
                sudoers:    files ldap<br>
                passwd:     files sss<br>
                shadow:     files sss<br>
                group:      files sss<br>
              </div>
              <div id="yiv4785094012yui_3_13_0_ym1_9_1392920997931_12"><br>
                Shreeraj
                <br clear="none">
----------------------------------------------------------------------------------------
                <br clear="none">
                <br clear="none">
                Change is the only Constant !</div>
              <div class=""
                id="yiv4785094012yui_3_13_0_ym1_9_1392920997931_14"
                style="display: none;"> <br clear="none">
                <br clear="none">
                <div class="" style="font-family:HelveticaNeue,
                  Helvetica Neue, Helvetica, Arial, Lucida Grande,
                  sans-serif;font-size:8pt;">
                  <div class="" style="font-family:HelveticaNeue,
                    Helvetica Neue, Helvetica, Arial, Lucida Grande,
                    sans-serif;font-size:12pt;">
                    <div class="" id="yiv4785094012yqt76401">
                      <div dir="ltr"> <font face="Arial" size="2"> On
                          Thursday, February 20, 2014 7:20 AM, Dmitri
                          Pal <a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><dpal@redhat.com></a> wrote:<br
                            clear="none">
                        </font> </div>
                      <div class="">
                        <div id="yiv4785094012">
                          <div> On 02/19/2014 06:52 PM, Shree wrote:
                            <blockquote type="cite">
                              <div class="" style="color:rgb(0, 0,
                                0);background-color:rgb(255, 255,
                                255);font-family:HelveticaNeue,
                                Helvetica Neue, Helvetica, Arial, Lucida
                                Grande, sans-serif;font-size:8pt;">Rob<br
                                  clear="none">
                                You were right. After upgrading the
                                client to the
                                ipa-client-3.0.0-37.el6.x86_64 version I
                                started seeing a warning during the
                                client install that went something like
                                <br clear="none">
                                =================<br clear="none">
                                Autodiscovery of servers for failover
                                cannot work with this configuration.<br
                                  clear="none">
                                If you proceed with the installation,
                                services will be configured to always
                                access the discovered server for all
                                operations and will not fail over to
                                other servers in case of failure.<br
                                  clear="none">
                                Proceed with fixed values and no DNS
                                discovery? [no]: yes<br clear="none">
                                =================<br clear="none">
                                <div><span>I continued by saying yes
                                    because in my case the master and
                                    the replica are in different VLANs
                                    and failover is not possible for me.
                                    I have tried in two hosts
                                    successfully and am hoping that does
                                    the trick.</span></div>
                                <div class="" style="color:rgb(0, 0,
                                  0);font-size:10.6667px;font-family:HelveticaNeue,
                                  Helvetica Neue, Helvetica, Arial,
                                  Lucida Grande,
                                  sans-serif;background-color:transparent;font-style:normal;"><br
                                    clear="none">
                                  <span></span></div>
                                <div class="" style="color:rgb(0, 0,
                                  0);font-size:10.6667px;font-family:HelveticaNeue,
                                  Helvetica Neue, Helvetica, Arial,
                                  Lucida Grande,
                                  sans-serif;background-color:transparent;font-style:normal;"><span>However,
                                    I see one issue immediately: my
                                    sudo access does not seem to work
                                    now on the newly added clients! Do
                                    you know what might be happening?<br
                                      clear="none">
                                  </span></div>
                                <div> </div>
                              </div>
                            </blockquote>
                            Are you using SSSD and SUDO integration?<br
                              clear="none">
                            What version of sudo and sssd?<br
                              clear="none">
                            See if this would help: <a
                              moz-do-not-send="true" rel="nofollow"
                              shape="rect" class="" target="_blank"
href="http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf">http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf</a>
                            <div class="" id="yiv4785094012yqtfd92823"><br
                                clear="none">
                              <br clear="none">
                            </div>
                            <blockquote type="cite">
                              <div class="" id="yiv4785094012yqtfd11561">
                                <div class=""
                                  style="color:#000;background-color:#fff;font-family:HelveticaNeue,
                                  Helvetica Neue, Helvetica, Arial,
                                  Lucida Grande,
                                  sans-serif;font-size:8pt;">
                                  <div>Shreeraj <br clear="none">
                                    ----------------------------------------------------------------------------------------

                                    <br clear="none">
                                    <br clear="none">
                                    Change is the only Constant !</div>
                                  <div class="" style="display:block;">
                                    <br clear="none">
                                    <br clear="none">
                                    <div class=""
                                      style="font-family:HelveticaNeue,
                                      Helvetica Neue, Helvetica, Arial,
                                      Lucida Grande,
                                      sans-serif;font-size:8pt;">
                                      <div class=""
                                        style="font-family:HelveticaNeue,
                                        Helvetica Neue, Helvetica,
                                        Arial, Lucida Grande,
                                        sans-serif;font-size:12pt;">
                                        <div dir="ltr"> <font
                                            face="Arial" size="2"> On
                                            Wednesday, February 19, 2014
                                            2:21 PM, Rob Crittenden <a
                                              moz-do-not-send="true"
                                              rel="nofollow"
                                              shape="rect" class=""
                                              ymailto="mailto:rcritten@redhat.com"
                                              target="_blank"
                                              href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>
                                            wrote:<br clear="none">
                                          </font> </div>
                                        <div class="">Shree wrote:<br
                                            clear="none">
                                          > [root@test500 ~]# rpm -q ipa-client<br
                                            clear="none">
                                          >
                                          ipa-client-2.2.0-16.el6.x86_64<br
                                            clear="none">
                                          > [root@test500 ~]#<br clear="none">
                                          <br clear="none">
                                          You'll definitely want to
                                          update to 2.2.0-17, that fixes
                                          CVE-2012-5484<br clear="none">
                                          <br clear="none">
                                          Unfortunately our logging
                                          around discovery was rather
                                          horrible in 2.2.x <br
                                            clear="none">
                                          so it is difficult to know
                                          exactly what is going on.<br
                                            clear="none">
                                          <br clear="none">
                                          I believe the problem is that
                                          it is still doing DNS
                                          discovery even <br
                                            clear="none">
                                          though you've passed in a
                                          server name so it is setting
                                          up Kerberos to <br
                                            clear="none">
                                          look up the KDC which it finds
                                          but can't talk to.<br
                                            clear="none">
                                          <br clear="none">
                                          This should be fixed in the
                                          3.0 packages so updating to
                                          those is the <br clear="none">
                                          preferred solution.<br
                                            clear="none">
                                          <br clear="none">
                                          For 2.x you can try the
                                          --force option which should
                                          make it skip some <br
                                            clear="none">
                                          discovery.<br clear="none">
                                          <br clear="none">
                                          rob<br clear="none">
                                          <br clear="none">
                                          ><br clear="none">
                                          ><br clear="none">
                                          > Shreeraj<br clear="none">
                                          >
----------------------------------------------------------------------------------------<br
                                            clear="none">
                                          ><br clear="none">
                                          ><br clear="none">
                                          > Change is the only
                                          Constant !<br clear="none">
                                          ><br clear="none">
                                          ><br clear="none">
                                          > On Wednesday, February
                                          19, 2014 1:17 PM, Rob
                                          Crittenden<br clear="none">
                                          > <<a
                                            moz-do-not-send="true"
                                            rel="nofollow" shape="rect"
ymailto="mailto:rcritten@redhat.com" target="_blank"
                                            href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>

                                          wrote:<br clear="none">
                                          > Shree wrote:<br
                                            clear="none">
                                          >  > Here are a couple
                                          of things<br clear="none">
                                          >  ><br clear="none">
                                          >  > [skarulkar@ldap2 ~]$ rpm -q ipa-client<br
                                            clear="none">
                                          >  >
                                          ipa-client-3.0.0-26.el6_4.4.x86_64<br
                                            clear="none">
                                          ><br clear="none">
                                          > What is the version on
                                          the client that is failing to
                                          enroll?<br clear="none">
                                          ><br clear="none">
                                          > rob<br clear="none">
                                          ><br clear="none">
                                          >  ><br clear="none">
                                          >  > and my
                                          /etc/krb5.conf looks like
                                          ..........<br clear="none">
                                          >  >
                                          =======================================<br
                                            clear="none">
                                          >  > includedir
                                          /var/lib/sss/pubconf/krb5.include.d/<br
                                            clear="none">
                                          >  ><br clear="none">
                                          >  > [logging]<br
                                            clear="none">
                                          >  >  default = FILE:/var/log/krb5libs.log<br
                                            clear="none">
                                          >  >  kdc = FILE:/var/log/krb5kdc.log<br
                                            clear="none">
                                          >  >  admin_server = FILE:/var/log/kadmind.log<br
                                            clear="none">
                                          >  ><br clear="none">
                                          >  > [libdefaults]<br
                                            clear="none">
                                          >  >  default_realm =
                                          MYDOMAIN.COM<br clear="none">
                                          >  >  dns_lookup_realm =
                                          false<br clear="none">
                                          >  >  dns_lookup_kdc =
                                          true<br clear="none">
                                          >  >  rdns = false<br
                                            clear="none">
                                          >  >  ticket_lifetime =
                                          24h<br clear="none">
                                          >  >  forwardable = yes<br
                                            clear="none">
                                          >  ><br clear="none">
                                          >  > [realms]<br
                                            clear="none">
                                          >  >  MYDOMAIN.COM = {<br
                                            clear="none">
                                          >  >    kdc =
                                          ldap2.mydomain.com:88<br
                                            clear="none">
                                          >  >    master_kdc =
                                          ldap2.mydomain.com:88<br
                                            clear="none">
                                          >  >    admin_server =
                                          ldap2.mydomain.com:749<br
                                            clear="none">
                                          >  >    default_domain =
                                          mydomain.com<br clear="none">
                                          >  >    pkinit_anchors = FILE:/etc/ipa/ca.crt<br
                                            clear="none">
                                          >  > default_domain =
                                          mydomain.com<br clear="none">
                                          >  >    pkinit_anchors = FILE:/etc/ipa/ca.crt<br
                                            clear="none">
                                          >  > }<br clear="none">
                                          >  ><br clear="none">
                                          >  > [domain_realm]<br
                                            clear="none">
                                          >  >  .mydomain.com =
                                          MYDOMAIN.COM<br clear="none">
                                          >  >  mydomain.com =
                                          MYDOMAIN.COM<br clear="none">
                                          >  ><br clear="none">
                                          >  > [dbmodules]<br
                                            clear="none">
                                          >  >    MYDOMAIN.COM = {<br
                                            clear="none">
                                          >  >      db_library =
                                          ipadb.so<br clear="none">
                                          >  >    }<br
                                            clear="none">
                                          >  ><br clear="none">
                                          >  >
                                          =======================================<br
                                            clear="none">
                                          >  ><br clear="none">
                                          >  ><br clear="none">
                                          >  > Shreeraj<br
                                            clear="none">
                                          >  ><br clear="none">
                                          >
----------------------------------------------------------------------------------------<br
                                            clear="none">
                                          >  ><br clear="none">
                                          >  ><br clear="none">
                                          >  > Change is the only
                                          Constant !<br clear="none">
                                          >  ><br clear="none">
                                          >  ><br clear="none">
                                          >  > On Wednesday,
                                          February 19, 2014 12:59 PM,
                                          Rob Crittenden<br clear="none">
                                          >  > <<a
                                            moz-do-not-send="true"
                                            rel="nofollow" shape="rect"
ymailto="mailto:rcritten@redhat.com" target="_blank"
                                            href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>
                                          wrote:<br clear="none">
                                          >  > Shree wrote:<br
                                            clear="none">
                                          >  >  > 1) I have got
                                          a step further. My replica is
                                          not running CA Service. To<br
                                            clear="none">
                                          >  >  > achieve this
                                          I had to remove the existing
                                          cert with this command<br
                                            clear="none">
                                          >  >  ><br
                                            clear="none">
                                          >  >  > pkiremove
                                          -pki_instance_root=/var/lib
                                          -pki_instance_name=pki-ca
                                          -force<br clear="none">
                                          >  >  ><br
                                            clear="none">
                                          >  >  > Now the
                                          replica looks like this<br
                                            clear="none">
                                          >  >  ><br
                                            clear="none">
                                          >  >  > [skarulkar@ldap2 tmp]$ sudo ipactl status<br
                                            clear="none">
                                          >  >  > [sudo]
                                          password for skarulkar:<br
                                            clear="none">
                                          >  >  > Directory
                                          Service: RUNNING<br
                                            clear="none">
                                          >  >  > KDC Service:
                                          RUNNING<br clear="none">
                                          >  >  > KPASSWD
                                          Service: RUNNING<br
                                            clear="none">
                                          >  >  > MEMCACHE
                                          Service: RUNNING<br
                                            clear="none">
                                          >  >  > HTTP Service:
                                          RUNNING<br clear="none">
                                          >  >  > CA Service:
                                          RUNNING<br clear="none">
                                          >  >  > [skarulkar@ldap2
                                          <div class=""
                                            id="yiv4785094012yqtfd53238"><br
                                              clear="none">
                                            tmp]$<br clear="none">
                                            ><br clear="none">
                                            >  ><br clear="none">
                                            >  > The tracking
                                            failed with:<br clear="none">
                                            >  ><br clear="none">
                                            >  >
                                            2014-02-18T20:20:43Z DEBUG
                                            stdout=Error initializing
                                            Kerberos library:<br
                                              clear="none">
                                            >  > Improper format
                                            of Kerberos configuration
                                            file.<br clear="none">
                                            >  ><br clear="none">
                                            >  > It looks like it
                                            failed on this for most if
                                            not all the tracking. What<br
                                              clear="none">
                                            >  > does
                                            /etc/krb5.conf look like?<br
                                              clear="none">
                                            >  ><br clear="none">
                                            >  >  ><br
                                              clear="none">
                                            >  >  > 2) I am
                                            still not able to add client
                                            using ipa-client-install<br
                                              clear="none">
                                            > using the<br
                                              clear="none">
                                            >  >  > replica.<br
                                              clear="none">
                                            >  ><br clear="none">
                                            >  > The temporary
                                            krb5.conf that is used
                                            during enrollment has<br
                                              clear="none">
                                            >  >
                                            dns_lookup_kdc=True so it is
                                            probably trying to contact
                                            the other KDC<br
                                              clear="none">
                                            >  > and failing.<br
                                              clear="none">
                                            >  ><br clear="none">
                                            >  > What is the
                                            output of:<br clear="none">
                                            >  ><br clear="none">
                                            >  > $ rpm -q
                                            ipa-client<br clear="none">
                                            >  ><br clear="none">
                                            >  ><br clear="none">
                                            >  > rob<br
                                              clear="none">
                                            >  ><br clear="none">
                                            >  ><br clear="none">
                                            >  ><br clear="none">
                                            ><br clear="none">
                                            ><br clear="none">
                                            ><br clear="none">
                                            <br clear="none">
                                          </div>
                                          <br clear="none">
                                          <br clear="none">
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                                <br clear="none">
                                <fieldset class=""></fieldset>
                                <br clear="none">
                                <pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                              </div>
                            </blockquote>
                            <br clear="none">
                            <br clear="none">
                            <pre class="">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" rel="nofollow" shape="rect" class="" target="_blank" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a></pre>
                            <div class="" id="yiv4785094012yqtfd01221">
                            </div>
                            <div class="" id="yiv4785094012yqtfd53142">
                            </div>
                          </div>
                        </div>
                        <br clear="none">
                        <br clear="none">
                        <br clear="none">
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    It seems like you do not use SSSD integration, so turning on debugging
    in sudo and seeing what it is doing is the next step.<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
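<p>The reply above turns on the question of which backend sudo is actually asking for rules: the client in this thread has <code>sudoers: files ldap</code> in nsswitch.conf and no <code>sudo</code> responder in the <code>services=</code> line of sssd.conf, so sudo is using its own LDAP client rather than SSSD, and the debug knob that matters is the one for that path. The script below is an added example, not code from this thread or from the sudo or SSSD projects. It reads an nsswitch.conf and an sssd.conf, classifies the sudoers lookup path, and prints the matching debug setting. The sample configuration files are constructed to mirror the shapes quoted in the thread; the assumption that sudo 1.7.x reads <code>sudoers_debug</code> from /etc/ldap.conf holds for RHEL-style builds (Debian-style builds use /etc/sudo-ldap.conf), and the <code>sss</code> source in nsswitch.conf only works with sudo 1.8.6 or later.</p>

```shell
#!/bin/sh
# Added example (not from the thread, nor from sudo/SSSD): work out which
# backend sudo will consult for sudoers rules and which debug knob applies.
# Paths and sample configs are constructed for illustration.

# Print the sources on the "sudoers:" line of an nsswitch.conf, e.g. "files ldap".
# An absent line prints nothing; sudo then behaves as if it read "files".
sudoers_sources() {
    awk '$1 == "sudoers:" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Succeed (exit 0) only if the [sssd] section of sssd.conf lists the sudo responder.
sssd_has_sudo_responder() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect) }
        sect == "[sssd]" && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Classify the lookup path: files | ldap | sssd | sssd-no-responder
sudo_rules_path() {
    sources=$(sudoers_sources "$1")
    case " $sources " in
        *" sss "*)
            if sssd_has_sudo_responder "$2"; then echo sssd
            else echo sssd-no-responder; fi ;;
        *" ldap "*) echo ldap ;;
        *)          echo files ;;
    esac
}

# The debug setting that belongs to each path.
debug_hint() {
    case "$1" in
        # sudo's own LDAP client (sudo 1.7.x): sudoers_debug in the ldap.conf
        # sudo reads; /etc/ldap.conf on RHEL-style systems (assumption).
        ldap)              echo "ldap.conf: sudoers_debug 2" ;;
        # sudo >= 1.8.6 via the SSSD sudo responder: raise debug_level in the
        # [sudo] section and read /var/log/sssd/sssd_sudo.log.
        sssd)              echo "sssd.conf [sudo]: debug_level = 6" ;;
        sssd-no-responder) echo "sssd.conf [sssd]: add sudo to services= (responder not running)" ;;
        *)                 echo "no network lookup: rules come only from /etc/sudoers" ;;
    esac
}

# Constructed sample configs mirroring the shapes seen in this thread.
write_samples() {
    cat > "$1/nsswitch.ldap" <<'EOF'
passwd:     files sss
sudoers:    files ldap
EOF
    cat > "$1/nsswitch.sss" <<'EOF'
passwd:     files sss
sudoers:    files sss
EOF
    cat > "$1/sssd.nosudo" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
EOF
    cat > "$1/sssd.sudo" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = mydomain.com

[sudo]
debug_level = 6
EOF
}

# Run the three combinations and show the path plus the knob to turn.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for pair in "nsswitch.ldap sssd.nosudo" "nsswitch.sss sssd.nosudo" "nsswitch.sss sssd.sudo"; do
        set -- $pair
        path=$(sudo_rules_path "$tmp/$1" "$tmp/$2")
        printf '%s + %s -> %s (%s)\n' "$1" "$2" "$path" "$(debug_hint "$path")"
    done
    rm -rf "$tmp"
}
demo
```

<p>Point it at the real files (<code>sudo_rules_path /etc/nsswitch.conf /etc/sssd/sssd.conf</code>) to confirm the path before enabling debug output; with the configuration quoted in this thread the answer is <code>ldap</code>, so <code>sudoers_debug</code> output on stderr, not the SSSD logs, is where the lookup will show up.</p>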
  </body>
</html>