From danieljamesscott at gmail.com Wed Dec 1 16:59:02 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 1 Dec 2010 11:59:02 -0500
Subject: [Freeipa-users] Connecting RHEL6 system to Fedora 13 FreeIPA server
Message-ID:

Hi,

I'm trying to connect a RHEL6 system to a Fedora 13 FreeIPA server.
When I run ipa-client-install, I receive the following:

Joining realm failed: XML-RPC CALL:

\r\n
\r\n
join\r\n
\r\n
\r\n
hostname.example.com\r\n
\r\n
\r\n
nsosversion\r\n
2.6.32-71.7.1.el6.x86_64\r\n
nshardwareplatform\r\n
x86_64\r\n
\r\n
\r\n
\r\n

XML-RPC RESPONSE:

\n
\n
\n
\n
\n
faultCode\n
1\n
\n
\n
faultString\n
Traceback (most recent call last):\n
File "/usr/share/ipa/ipaserver/ipaxmlrpc.py", line 179, in _marshaled_dispatch\n
response = self._dispatch(method, params)\n
File "/usr/share/ipa/ipaserver/ipaxmlrpc.py", line 205, in _dispatch\n
raise Fault(1, "Invalid method: %s" % method)\n
Fault: <Fault 1: u'Invalid method: join'>\n
\n
\n
\n
\n
\n

Is this configuration supported? The current FreeIPA documentation
only provides instructions for RHEL 4 and 5.

Thanks,

Dan Scott

From dpal at redhat.com Wed Dec 1 18:58:59 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 01 Dec 2010 13:58:59 -0500
Subject: [Freeipa-users] Connecting RHEL6 system to Fedora 13 FreeIPA server
In-Reply-To:
References:
Message-ID: <4CF69AF3.1070900@redhat.com>

Dan Scott wrote:
> Hi,
>
> I'm trying to connect a RHEL6 system to a Fedora 13 FreeIPA server.
>
Which IPA version are you trying to connect to?
I suspect it is trying to invoke an IPA v2 RPC call against an IPA v1.2.x server.
> When I run ipa-client-install, I receive the following:
>
> Joining realm failed: XML-RPC CALL:
>
> \r\n
> \r\n
> join\r\n
> \r\n
> \r\n
> hostname.example.com\r\n
> \r\n
> \r\n
> nsosversion\r\n
> 2.6.32-71.7.1.el6.x86_64\r\n
> nshardwareplatform\r\n
> x86_64\r\n
> \r\n
> \r\n
> \r\n
>
> XML-RPC RESPONSE:
>
> \n
> \n
> \n
> \n
> \n
> faultCode\n
> 1\n
> \n
> \n
> faultString\n
> Traceback (most recent call last):\n
> File "/usr/share/ipa/ipaserver/ipaxmlrpc.py", line 179, in
> _marshaled_dispatch\n
> response = self._dispatch(method, params)\n
> File "/usr/share/ipa/ipaserver/ipaxmlrpc.py", line 205, in _dispatch\n
> raise Fault(1, "Invalid method: %s" % method)\n
> Fault: <Fault 1: u'Invalid method: join'>\n
> \n
> \n
> \n
> \n
> \n
>
> Is this configuration supported? The current FreeIPA documentation
> only provides instructions for RHEL 4 and 5.
>
> Thanks,
>
> Dan Scott
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Wed Dec 1 19:14:17 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 01 Dec 2010 14:14:17 -0500
Subject: [Freeipa-users] Connecting RHEL6 system to Fedora 13 FreeIPA server
In-Reply-To:
References:
Message-ID: <4CF69E89.1020900@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/2010 11:59 AM, Dan Scott wrote:
> Hi,
>
> I'm trying to connect a RHEL6 system to a Fedora 13 FreeIPA server.
> When I run ipa-client-install, I receive the following:
>

The ipa-client package in RHEL 6 is there to prepare the way for
FreeIPA v2, which is due out fairly soon. Unfortunately, it isn't the
proper way to set up a client of FreeIPA v1.
Right now, the normal way to go about this is to use authconfig to set
up access to FreeIPA as an LDAP and Kerberos environment, then edit
/etc/sssd/sssd.conf and add 'ldap_schema = rfc2307bis' to the
[domain/default] section.

After that, you can follow the instructions here: http://bit.ly/e1oMYe
for setting up a host keytab for SSH single-sign-on.

- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz2nokACgkQeiVVYja6o6O4fwCeNAXKDBe4RlFJ2uPJHIkUcTcp
70MAoJGQASGD+xdgH193aYAJfhZWzkCy
=wGwM
-----END PGP SIGNATURE-----

From danieljamesscott at gmail.com Wed Dec 1 20:47:20 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 1 Dec 2010 15:47:20 -0500
Subject: [Freeipa-users] Connecting RHEL6 system to Fedora 13 FreeIPA server
In-Reply-To: <4CF69AF3.1070900@redhat.com>
References: <4CF69AF3.1070900@redhat.com>
Message-ID:

Hi,

On Wed, Dec 1, 2010 at 13:58, Dmitri Pal wrote:
> Dan Scott wrote:
>> I'm trying to connect a RHEL6 system to a Fedora 13 FreeIPA server.
>>
> Which IPA version are you trying to connect to?
> I suspect it is trying to invoke an IPA v2 RPC call against an IPA
> v1.2.x server.

It's the latest version in the Fedora 13 repositories:

ipa-server-1.2.2-4.fc13.i686

So it appears that I'll have to manually configure Kerberos/LDAP
because the IPA client in RHEL6 is for FreeIPA2.

Thanks for the advice,

Dan

From sailer at sailer.dynip.lugs.ch Sat Dec 4 09:57:13 2010
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Sat, 04 Dec 2010 10:57:13 +0100
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
Message-ID: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>

Hi,

after upgrading a F12 freeipa server to F14, krb5 nfs no longer works.

1) ipa-getkeytab works only very unreliably. I get the following about
4 out of 5 times:
# ipa-getkeytab -s 192.168.1.2 -p nfs/client.xxxx.xxx -k /etc/krb5.keytab
Operation failed! Unable to set key

ipa-delservice, ipa-addservice and other ipa- commands seem to work
fine, though.

2) I get the following log from rpc.gssd on the client:
# rpc.gssd -f -v -v -v -v -v
beginning poll
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
handle_gssd_upcall: 'mech=krb5 uid=0 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
process_krb5_upcall: service is ''
Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
Full hostname for 'client.xxxx.xxx' is 'client.xxxx.xxx'
Key table entry not found while getting keytab entry for 'root/client.xxxx.xxx at XXXX.XXX'
Success getting keytab entry for 'nfs/client.xxxx.xxx at XXXX.XXX'
WARNING: Generic error (see e-text) while getting initial ticket for principal 'nfs/client.xxxx.xxx at XXXX.XXX' using keytab 'WRFILE:/etc/krb5.keytab'
ERROR: No credentials found for connection to server server.xxxx.xxx
doing error downcall
dir_notify_handler: sig 37 si 0x7ffffd2a1170 data 0x7ffffd2a1040
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c

3) In the server's kdc log, I find the following:
Dec 04 02:09:08 server.xxxx.xxx krb5kdc[6933](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.220: LOOKING_UP_CLIENT: nfs/client.xxxx.xxx at XXXX.XXX for krbtgt/XXXX.XXX at XXXX.XXX, unable to decode stored principal
key data (ASN.1 structure is missing a required field)

Does anybody have an idea how I could get krb5 nfs working again?

Thanks,
Tom

From ssorce at redhat.com Mon Dec 6 15:55:59 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 6 Dec 2010 10:55:59 -0500
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
Message-ID: <20101206105559.6e20f796@willson.li.ssimo.org>

On Sat, 04 Dec 2010 10:57:13 +0100
Thomas Sailer wrote:

> Hi,
>
> after upgrading a F12 freeipa server to F14, krb5 nfs no longer works.
>
> 1) ipa-getkeytab works only very unreliably. I get the following
> about 4 out of 5 times:
> # ipa-getkeytab -s 192.168.1.2 -p nfs/client.xxxx.xxx
> -k /etc/krb5.keytab Operation failed! Unable to set key
>
> ipa-delservice, ipa-addservice and other ipa- commands seem to work
> fine, though.
>
> 2) I get the following log from rpc.gssd on the client:
> # rpc.gssd -f -v -v -v -v -v beginning poll
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data 0x7ffffd2a1580
> handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
> handle_gssd_upcall: 'mech=krb5 uid=0 '
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
> process_krb5_upcall: service is ''
> Full hostname for 'server.xxxx.xxx' is 'server.xxxx.xxx'
> Full hostname for 'client.xxxx.xxx' is 'client.xxxx.xxx'
> Key table entry not found while getting keytab entry for
> 'root/client.xxxx.xxx at XXXX.XXX' Success getting keytab entry for
> 'nfs/client.xxxx.xxx at XXXX.XXX' WARNING: Generic error (see e-text)
> while getting initial ticket for principal
> 'nfs/client.xxxx.xxx at XXXX.XXX' using keytab 'WRFILE:/etc/krb5.keytab'
> ERROR: No credentials found for connection to server server.xxxx.xxx
> doing error downcall dir_notify_handler: sig 37 si 0x7ffffd2a1170
> data 0x7ffffd2a1040 dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data
> 0x7ffffd2a1580 dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data
> 0x7ffffd2a1580 dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data
> 0x7ffffd2a1580 dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data
> 0x7ffffd2a1580 dir_notify_handler: sig 37 si 0x7ffffd2a16b0 data
> 0x7ffffd2a1580 destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c
>
>
> 3) In the server's kdc log, I find the following:
> Dec 04 02:09:08 server.xxxx.xxx krb5kdc[6933](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 192.168.1.220: LOOKING_UP_CLIENT:
> nfs/client.xxxx.xxx at XXXX.XXX for krbtgt/XXXX.XXX at XXXX.XXX, unable to
> decode stored principal key data (ASN.1 structure is missing a
> required field)
>
> Does anybody have an idea how I could get krb5 nfs working again?

We are seeing an issue with F14 DS where it has been built against
openldap libraries while we still have plugins built against mozldap.

We have a patch that should be solving some issues against ipav2, if
that checks out we will see if we can backport them to ipa 1.2.2 but it
may take a little while.

Meanwhile you may want to try to downgrade 389-ds (make sure you back up
your data first).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sailer at sailer.dynip.lugs.ch Mon Dec 6 17:31:37 2010
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Mon, 06 Dec 2010 18:31:37 +0100
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <20101206105559.6e20f796@willson.li.ssimo.org>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
 <20101206105559.6e20f796@willson.li.ssimo.org>
Message-ID: <1291656697.4558.5.camel@xbox360.hq.axsem.com>

On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote:

Hi Simo,

thanks for your response!

> We are seeing an issue with F14 DS where it has been built against
> openldap libraries while we still have plugins built against mozldap.

Where would that help?
just for the ipa-getkeytab reliability issue?

Because after the kerberos keys are in the client's keytab, how is ldap
even involved in the nfs issues?

Tom

From dpal at redhat.com Mon Dec 6 18:24:45 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 06 Dec 2010 13:24:45 -0500
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <1291656697.4558.5.camel@xbox360.hq.axsem.com>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
 <20101206105559.6e20f796@willson.li.ssimo.org>
 <1291656697.4558.5.camel@xbox360.hq.axsem.com>
Message-ID: <4CFD2A6D.1040006@redhat.com>

Thomas Sailer wrote:
> On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote:
>
> Hi Simo,
>
> thanks for your response!
>
>
>> We are seeing an issue with F14 DS where it has been built against
>> openldap libraries while we still have plugins built against mozldap.
>>
>
> Where would that help?
> just for the ipa-getkeytab reliability issue?
>
> Because after the kerberos keys are in the client's keytab, how is ldap
> even involved in the nfs issues?
>
> Tom
>
>

Directory server is the data storage for KDC in IPA so it will help for
all lookups KDC does.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Mon Dec 6 18:35:18 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 6 Dec 2010 13:35:18 -0500
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <1291656697.4558.5.camel@xbox360.hq.axsem.com>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
 <20101206105559.6e20f796@willson.li.ssimo.org>
 <1291656697.4558.5.camel@xbox360.hq.axsem.com>
Message-ID: <20101206133518.20087faa@willson.li.ssimo.org>

On Mon, 06 Dec 2010 18:31:37 +0100
Thomas Sailer wrote:

> On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote:
>
> Hi Simo,
>
> thanks for your response!
>
> > We are seeing an issue with F14 DS where it has been built against
> > openldap libraries while we still have plugins built against
> > mozldap.
>
> Where would that help?
> just for the ipa-getkeytab reliability issue?

Yes, that is probably a side effect of the problem we're solving.

> Because after the kerberos keys are in the client's keytab, how is
> ldap even involved in the nfs issues?

Keys are stored in ldap and asn.1 encoding is generated using ldap
libraries before storing it.
If that operation fails it may generate malformed entries that the KDC
later can't properly decode.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sailer at sailer.dynip.lugs.ch Mon Dec 6 18:43:29 2010
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Mon, 06 Dec 2010 19:43:29 +0100
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <20101206133518.20087faa@willson.li.ssimo.org>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
 <20101206105559.6e20f796@willson.li.ssimo.org>
 <1291656697.4558.5.camel@xbox360.hq.axsem.com>
 <20101206133518.20087faa@willson.li.ssimo.org>
Message-ID: <1291661009.4558.10.camel@xbox360.hq.axsem.com>

On Mon, 2010-12-06 at 13:35 -0500, Simo Sorce wrote:

> Keys are stored in ldap and asn.1 encoding is generated using ldap
> libraries before storing it.
> If that operation fails it may generate malformed entries that the KDC
> later can't properly decode.

Which patch are you talking about? Is it included in the current alpha
(binaries)? Upgrade to the current alpha might be a better idea than
trying to downgrade, or am I overlooking something?

Thanks,
Tom

From ssorce at redhat.com Mon Dec 6 18:53:57 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 6 Dec 2010 13:53:57 -0500
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <1291661009.4558.10.camel@xbox360.hq.axsem.com>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
 <20101206105559.6e20f796@willson.li.ssimo.org>
 <1291656697.4558.5.camel@xbox360.hq.axsem.com>
 <20101206133518.20087faa@willson.li.ssimo.org>
 <1291661009.4558.10.camel@xbox360.hq.axsem.com>
Message-ID: <20101206135357.155a1260@willson.li.ssimo.org>

On Mon, 06 Dec 2010 19:43:29 +0100
Thomas Sailer wrote:

> On Mon, 2010-12-06 at 13:35 -0500, Simo Sorce wrote:
>
> > Keys are stored in ldap and asn.1 encoding is generated using ldap
> > libraries before storing it.
> > If that operation fails it may generate malformed entries that the
> > KDC later can't properly decode.
>
> Which patch are you talking about? Is it included in the current alpha
> (binaries)?

I pushed the patch in git just today :)

> Upgrade to the current alpha might be a better idea than
> trying to downgrade, or am I overlooking something?

V2 will need a migration, upgrades are not really possible as we have
added/changed a ton of schema and other things in the LDAP tree.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sailer at sailer.dynip.lugs.ch Tue Dec 7 09:51:55 2010
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Tue, 07 Dec 2010 10:51:55 +0100
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <20101206135357.155a1260@willson.li.ssimo.org>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
 <20101206105559.6e20f796@willson.li.ssimo.org>
 <1291656697.4558.5.camel@xbox360.hq.axsem.com>
 <20101206133518.20087faa@willson.li.ssimo.org>
 <1291661009.4558.10.camel@xbox360.hq.axsem.com>
 <20101206135357.155a1260@willson.li.ssimo.org>
Message-ID: <1291715515.4558.16.camel@xbox360.hq.axsem.com>

On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote:

Hi Simo,

> I pushed the patch in git just today :)

Your patch indeed helps :)

I've adapted it to the fc14 srpm, compiled it, and at least the extop
plugin now uses the openldap libraries:
http://sailer.fedorapeople.org/ipa-1.2.2-5.fc14.jnx.src.rpm

The unreliability of ipa-getkeytab seems now gone, and the krb5 kdc now
issues nfs tickets (the ASN.1 parse error is now gone).

However krb5nfs still does not work, it hangs now (instead of giving me
an instantaneous error). Will investigate further.

> V2 will need a migration, upgrades are not really possible as we have
> added/changed a ton of schema and other things in the LDAP tree.

That indeed seems like a bigger project...

Tom

From ssorce at redhat.com Wed Dec 8 16:00:01 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 8 Dec 2010 11:00:01 -0500
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <1291715515.4558.16.camel@xbox360.hq.axsem.com>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
 <20101206105559.6e20f796@willson.li.ssimo.org>
 <1291656697.4558.5.camel@xbox360.hq.axsem.com>
 <20101206133518.20087faa@willson.li.ssimo.org>
 <1291661009.4558.10.camel@xbox360.hq.axsem.com>
 <20101206135357.155a1260@willson.li.ssimo.org>
 <1291715515.4558.16.camel@xbox360.hq.axsem.com>
Message-ID: <20101208110001.118f84ef@willson.li.ssimo.org>

On Tue, 07 Dec 2010 10:51:55 +0100
Thomas Sailer wrote:

> On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote:
>
> Hi Simo,
>
> > I pushed the patch in git just today :)
>
> Your patch indeed helps :)
>
> I've adapted it to the fc14 srpm, compiled it, and at least the extop
> plugin now uses the openldap libraries:
> http://sailer.fedorapeople.org/ipa-1.2.2-5.fc14.jnx.src.rpm
>
> The unreliability of ipa-getkeytab seems now gone, and the krb5 kdc
> now issues nfs tickets (the ASN.1 parse error is now gone).

Great, we will "steal" your port of the patch and release new Fedora
packages then :)

> However krb5nfs still does not work, it hangs now (instead of giving
> me an instantaneous error). Will investigate further.

Let us know if you solve this problem.

Thank you,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sailer at sailer.dynip.lugs.ch Thu Dec 9 12:19:13 2010
From: sailer at sailer.dynip.lugs.ch (Thomas Sailer)
Date: Thu, 09 Dec 2010 13:19:13 +0100
Subject: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client
In-Reply-To: <20101208110001.118f84ef@willson.li.ssimo.org>
References: <1291456633.30282.27.camel@unreal.home.sailer.dynip.lugs.ch>
 <20101206105559.6e20f796@willson.li.ssimo.org>
 <1291656697.4558.5.camel@xbox360.hq.axsem.com>
 <20101206133518.20087faa@willson.li.ssimo.org>
 <1291661009.4558.10.camel@xbox360.hq.axsem.com>
 <20101206135357.155a1260@willson.li.ssimo.org>
 <1291715515.4558.16.camel@xbox360.hq.axsem.com>
 <20101208110001.118f84ef@willson.li.ssimo.org>
Message-ID: <1291897153.4558.26.camel@xbox360.hq.axsem.com>

On Wed, 2010-12-08 at 11:00 -0500, Simo Sorce wrote:
> On Tue, 07 Dec 2010 10:51:55 +0100
> Thomas Sailer wrote:
> > On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote:
> > However krb5nfs still does not work, it hangs now (instead of giving
> > me an instantaneous error). Will investigate further.
>
> Let us know if you solve this problem.

It wasn't really a hang, it terminated after many minutes.

I can now mount the nfs4 exports on all clients with krb5p.

However, access to the nfs4 exports is quite unreliable, much too
unreliable to have home directories on nfs4. When I start gnome,
gnome-settings-daemon and many other daemons get stuck in D state,
usually somewhere within nfs4_delay. With KDE, a simple sed with
destination file in the home directory gets stuck in fchown.

So I'm back to nfs3 at the moment.

Thanks,
Tom

From danieljamesscott at gmail.com Fri Dec 17 15:47:06 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 17 Dec 2010 10:47:06 -0500
Subject: [Freeipa-users] Upgraded server from Fedora 13 to 14: Cannot reset user passwords
Message-ID:

Hi,

I have recently upgraded one of our servers from Fedora 13 to 14.
Recently, I noticed that I cannot reset user passwords any more:

A database error occurred: Operations error: Failed to update password

The log file contains the following entries:
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1 EncryptionKey failed
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1 KrbSalt failed
[16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - key encryption/encoding failed

Packages:
389-ds-base-1.2.7.4-1.fc14.x86_64
ipa-server-1.2.2-5.fc14.x86_64

This appears similar to a bug reported a couple of weeks ago:

https://bugzilla.redhat.com/show_bug.cgi?id=658832

Although the above report is related to ipa-getkeytab rather than
ipa-passwd. If they are the same issue, then this bug is more serious
since I can't create new users or allow password changes.

Does anyone have a status on this?

Thanks,

Dan Scott

From ssorce at redhat.com Fri Dec 17 18:25:32 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 17 Dec 2010 13:25:32 -0500
Subject: [Freeipa-users] Upgraded server from Fedora 13 to 14: Cannot reset user passwords
In-Reply-To:
References:
Message-ID: <20101217132532.05adbf15@willson.li.ssimo.org>

On Fri, 17 Dec 2010 10:47:06 -0500
Dan Scott wrote:

> Hi,
>
> I have recently upgraded one of our servers from Fedora 13 to 14.
> Recently, I noticed that I cannot reset user passwords any more:
>
> A database error occurred: Operations error: Failed to update password
>
> The log file contains the following entries:
> [16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1
> EncryptionKey failed [16/Dec/2010:10:47:08 -0500] ipa_pwd_extop -
> encoding asn1 KrbSalt failed [16/Dec/2010:10:47:08 -0500]
> ipa_pwd_extop - key encryption/encoding failed
>
> Packages:
> 389-ds-base-1.2.7.4-1.fc14.x86_64
> ipa-server-1.2.2-5.fc14.x86_64
>
> This appears similar to a bug reported a couple of weeks ago:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=658832
>
> Although the above report is related to ipa-getkeytab rather than
> ipa-passwd.
> If they are the same issue, then this bug is more serious
> since I can't create new users or allow password changes.

Yes it is almost certainly the same issue, as the ipa-pwd-exop plugin
handles all password changes and keytab issuance.

> Does anyone have a status on this?

We have a patch for the v2 version of the plugins but haven't yet found
the time to backport to 1.2.2.

A workaround is to downgrade DS to a version not compiled with openldap
libs (or recompile it with mozldap).

If you look in this list's archives you will also find that Thomas
Sailer has created a backport of the patch and posted a srpm on his
fedora people page.

We hope to address the issue as soon as possible, but we are short on
time in this period.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From danieljamesscott at gmail.com Fri Dec 17 18:39:09 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 17 Dec 2010 13:39:09 -0500
Subject: [Freeipa-users] Upgraded server from Fedora 13 to 14: Cannot reset user passwords
In-Reply-To: <20101217132532.05adbf15@willson.li.ssimo.org>
References: <20101217132532.05adbf15@willson.li.ssimo.org>
Message-ID:

Hi,

On Fri, Dec 17, 2010 at 13:25, Simo Sorce wrote:
>> I have recently upgraded one of our servers from Fedora 13 to 14.
>> Recently, I noticed that I cannot reset user passwords any more:
>>
>> A database error occurred: Operations error: Failed to update password
>>
>> The log file contains the following entries:
>> [16/Dec/2010:10:47:08 -0500] ipa_pwd_extop - encoding asn1
>> EncryptionKey failed [16/Dec/2010:10:47:08 -0500] ipa_pwd_extop -
>> encoding asn1 KrbSalt failed [16/Dec/2010:10:47:08 -0500]
>> ipa_pwd_extop - key encryption/encoding failed
>>
>> Packages:
>> 389-ds-base-1.2.7.4-1.fc14.x86_64
>> ipa-server-1.2.2-5.fc14.x86_64
>>
>> This appears similar to a bug reported a couple of weeks ago:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=658832
>>
>> Although the above report is related to ipa-getkeytab rather than
>> ipa-passwd. If they are the same issue, then this bug is more serious
>> since I can't create new users or allow password changes.
>
> Yes it is almost certainly the same issue, as the ipa-pwd-exop plugin
> handles all password changes and keytab issuance.
>
>> Does anyone have a status on this?
>
> We have a patch for the v2 version of the plugins but haven't yet found
> the time to backport to 1.2.2.
>
> A workaround is to downgrade DS to a version not compiled with openldap
> libs (or recompile it with mozldap).
>
> If you look in this list's archives you will also find that Thomas Sailer
> has created a backport of the patch and posted a srpm on his fedora
> people page.
>
> We hope to address the issue as soon as possible, but we are short on
> time in this period.

No problem, thanks for the response.
For reference, the archived post with link to the SRPM is here:

https://www.redhat.com/archives/freeipa-users/2010-December/msg00011.html

Thanks,

Dan

From luis_lugo74 at yahoo.com Tue Dec 21 20:33:00 2010
From: luis_lugo74 at yahoo.com (luis lugo)
Date: Tue, 21 Dec 2010 12:33:00 -0800 (PST)
Subject: [Freeipa-users] FreeIPA 1.2.2 Fedora 14 ldap problem
Message-ID: <910795.9409.qm@web38608.mail.mud.yahoo.com>

Hi all,

I have a problem with freeipa 1.2.2 on fedora 14, when I add new users
and use id command to view the numeric user and group ID get id: No such
user, the same thing with getent passwd no info about new users, but
with ipa-finduser command get the user information. Help me with this
problem please. Thanks.

From rcritten at redhat.com Wed Dec 22 15:30:40 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Dec 2010 10:30:40 -0500
Subject: [Freeipa-users] FreeIPA 1.2.2 Fedora 14 ldap problem
In-Reply-To: <910795.9409.qm@web38608.mail.mud.yahoo.com>
References: <910795.9409.qm@web38608.mail.mud.yahoo.com>
Message-ID: <4D1219A0.7080708@redhat.com>

luis lugo wrote:
> Hi all,
>
> I have a problem with freeipa 1.2.2 on fedora 14, when I add new users and
> use id command to view the numeric user and group ID get id: No such
> user, the same thing with getent passwd no info about new users, but
> with ipa-finduser command get the user information. Help me with this
> problem please. Thanks.

What version of 389-ds are you using?
There is a known problem with 389-ds-1.2.7
(https://bugzilla.redhat.com/show_bug.cgi?id=658832)

rob

From danieljamesscott at gmail.com Wed Dec 22 15:41:00 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 22 Dec 2010 10:41:00 -0500
Subject: [Freeipa-users] FreeIPA 1.2.2 Fedora 14 ldap problem
In-Reply-To: <4D1219A0.7080708@redhat.com>
References: <910795.9409.qm@web38608.mail.mud.yahoo.com>
 <4D1219A0.7080708@redhat.com>
Message-ID:

Hi,

I saw a similar problem with a recently installed VM. There was a
problem with:

/etc/nss_ldap.conf

which didn't contain the correct configuration. I copied the config
from:

/etc/ldap.conf

and the 'id' command started working correctly.

Hope this helps,

Dan

On Wed, Dec 22, 2010 at 10:30, Rob Crittenden wrote:
> luis lugo wrote:
>>
>> Hi all,
>>
>> I have a problem with freeipa 1.2.2 on fedora 14, when I add new users and
>> use id command to view the numeric user and group ID get id: No such
>> user, the same thing with getent passwd no info about new users, but
>> with ipa-finduser command get the user information. Help me with this
>> problem please. Thanks.
>
> What version of 389-ds are you using? There is a known problem with
> 389-ds-1.2.7 (https://bugzilla.redhat.com/show_bug.cgi?id=658832)
>
> rob
>

From dpal at redhat.com Thu Dec 23 08:06:58 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 23 Dec 2010 03:06:58 -0500
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Beta 1 Release
Message-ID: <4D130322.9070900@redhat.com>

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the
Beta 1 release of freeIPA 2.0 server [1].
- Binaries are available for F-13 and F-14.
- With this beta freeIPA is feature complete.
- Please do not hesitate to share feedback, criticism or bugs with us on
  our mailing list: freeipa-users at redhat.com

Main Highlights of the Beta

- This beta is the first attempt to show all planned capabilities of the
  upcoming release.
- For the first time the new UI is mostly operational and can be used to
  perform management of the system.
- Some areas are still very rough and we will appreciate your help with
  those.

Focus of the Beta Testing

- Please take a moment and look at the new Web UI. Any feedback about
  the general approaches, work flows, and usability is appreciated. It
  is still very rough but one can hopefully get a good understanding of
  how we plan the final UI to function and look like.
- Replication management was significantly improved. Testing of multi
  replica configurations should be easier.
- We are looking for feedback about the DNS integration and networking
  issues you find in your environment configuring and using IPA with the
  embedded DNS enabled.

Significant Changes Since Alpha 5

- FreeIPA has changed its license to GPLv3+
- Having IPA manage the reverse zone is optional.
- The access control subsystem was re-written to be more understandable.
  For details see [2]
- Support for SUDO rules
- There is now a distinction between replicas and their replication
  agreements in the ipa-replica-manage command. It is now much easier to
  manage the replication topology.
- Renaming entries is easier with the --rename option of the mod
  commands.
- Fix special character handling in passwords, ensure that passwords are
  not logged.
- Certificates can be saved as PEM files in service-show and host-show
  commands.
- All IPA services are now started/stopped using the ipactl command.
  This gives us better control over the start/stop order during
  reboot/shutdown.
- Set up ntpd first so the time is sane.
- Better multi-valued value handle with --setattr and --addattr.
- Add support for both RFC2307 and RFC2307bis to migration.
- UID ranges were reduced by default from 1M to 200k.
- Add ability to add/remove DNS records when adding/removing a host
  entry.
- A number of i18n issues have been addressed.
- Updated a lot of man pages.

What is not Complete

- We are still using older version of the Dogtag. New version of the
  Dogtag Certificate System will be based on tomcat6 and is forthcoming.
- We plan to take advantage of Kerberos 1.9 that was released today but
  we have not finished the integration effort yet.

Known Issues

- IPV6 works in the installer but not the server itself
- Make sure your machine can properly resolve its name before installing
  the server. Edit /etc/hosts to remove host name from the localhost and
  localhost6 lines if needed.
- The UI is still rough in places
  Use the following query [3] to see the tickets currently open against UI.
- Dogtag does not work out-of-the-box on Fedora 14. To fix it for the time being run:
  # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
- Instead of Dogtag on F14 you can also try the self-signed CA which is similar to the CA that was provided in IPA v1. This was designed for testing and development and is not recommended for deployment.
- Make sure you enable updates-testing repository on your Fedora machine.

Thank you,
FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] http://freeipa.org/page/Permissions
[3] https://fedorahosted.org/freeipa/report/12

From amrossi at linux.it Thu Dec 23 08:47:14 2010
From: amrossi at linux.it (Andrea Modesto Rossi)
Date: Thu, 23 Dec 2010 09:47:14 +0100 (CET)
Subject: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <4D130322.9070900@redhat.com>
References: <4D130322.9070900@redhat.com>
Message-ID:

On Thu, 23 December 2010 9:06 am, Dmitri Pal wrote:
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the
> Beta 1 release of freeIPA 2.0 server [1].
> - Binaries are available for F-13 and F-14.
> - With this beta freeIPA is feature complete.
> - Please do not hesitate to share feedback, criticism or bugs with us on
> our mailing list: freeipa-users at redhat.com

This is a great gift for Christmas! Thank you very much.

--
Andrea Modesto Rossi
Fedora Ambassador

From vic_1980 at bk.ru Thu Dec 23 14:23:31 2010
From: vic_1980 at bk.ru (=?UTF-8?B?0JLQuNC60YLQvtGAINCh0LXRgNCz0LXQtdCy0LjRhw==?=)
Date: Thu, 23 Dec 2010 17:23:31 +0300
Subject: [Freeipa-users] install from debug repo
Message-ID: <4D135B63.2080500@bk.ru>

Hi!

Trying to install from the debug repo, I have some problems with:
version 389-ds-base - available 1.2.6.1-2 (need 1.2.7.4)
slapi-nis available 0.17-4 (need 0.21)

Where can I get it?

Thanks

From dpal at redhat.com Thu Dec 23 15:18:54 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 23 Dec 2010 10:18:54 -0500
Subject: [Freeipa-users] install from debug repo
In-Reply-To: <4D135B63.2080500@bk.ru>
References: <4D135B63.2080500@bk.ru>
Message-ID: <4D13685E.4050507@redhat.com>

Виктор Сергеевич wrote:
> Hi!
>
> Trying to install from the debug repo, I have some problems with:
> version 389-ds-base - available 1.2.6.1-2 (need 1.2.7.4)
> slapi-nis available 0.17-4 (need 0.21)
>

What version of Fedora are you using?
Both versions are in Fedora 13 & 14 so maybe you just need to enable updates-testing repo.

> Where can I get it?
>
> Thanks

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From vic_1980 at bk.ru Fri Dec 24 06:46:00 2010
From: vic_1980 at bk.ru (=?UTF-8?B?0JLQuNC60YLQvtGAINCh0LXRgNCz0LXQtdCy0LjRhw==?=)
Date: Fri, 24 Dec 2010 09:46:00 +0300
Subject: [Freeipa-users] about install FreeIPA 2 on fedora 14
Message-ID: <4D1441A8.8010905@bk.ru>

I am trying to install freeipa with yum:

yum install ipa-server

and get an error like "Scenario check is finished by an error":

file /usr/lib/libnss_ldap.so from install of nss-pam-ldapd-0.7.7-1.fc14 conflict with file from package nss_ldap-265-6.fc14.i686

From dpal at redhat.com Fri Dec 24 21:42:36 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 24 Dec 2010 16:42:36 -0500
Subject: [Freeipa-users] about install FreeIPA 2 on fedora 14
In-Reply-To: <4D1441A8.8010905@bk.ru>
References: <4D1441A8.8010905@bk.ru>
Message-ID: <4D1513CC.206@redhat.com>

Виктор Сергеевич wrote:
> I am trying to install freeipa with yum:
>
> yum install ipa-server
>
> and get an error like "Scenario check is finished by an error":
>
> file /usr/lib/libnss_ldap.so from install of
> nss-pam-ldapd-0.7.7-1.fc14 conflict with file from package
> nss_ldap-265-6.fc14.i686

It seems that you are upgrading from F13 or earlier. In the past you have been using nss_ldap but in F14 the nss_ldap comes from a completely different package. Please uninstall nss_ldap and pam_ldap packages and try again. That will clear the way for the nss-pam-ldap package that now brings both nss and pam LDAP .so.

Happy upcoming holidays :-)
Dmitri

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From ide4you at gmail.com Tue Dec 28 17:21:49 2010
From: ide4you at gmail.com (Uzor Ide)
Date: Tue, 28 Dec 2010 12:21:49 -0500
Subject: [Freeipa-users] Unable to access web interface
Message-ID:

Hi all

I just noticed that I am unable to access the web interface for freeipa. I had updated the server 2.0 alpha-5 and then beta version that came out some days ago. But since I do not use that web interface I have no idea when I lost the web interface ability.
Now, though when I try to get to the web interface from a kerberized account all I get is an http error

"The requested URL /ipa/ui was not found on this server"

In the httpd error log, all that is there are

[Tue Dec 28 11:55:29 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
[Tue Dec 28 11:55:32 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico

access_log shows:

192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 301 319 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13"
192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 401 1164
192.168.17.13 - uz at MYDOMAIN [28/Dec/2010:11:56:36 -0500] "GET /ipa/ui HTTP/1.1" 404 174

ssl_error_log is empty
ipa files version are:
ipa-python-2.0.0.pre1-0.fc13.i686
ipa-admintools-2.0.0.pre1-0.fc13.i686
ipa-server-2.0.0.pre1-0.fc13.i686
ipa-client-2.0.0.pre1-0.fc13.i686

All my command line still works.

Thanks for your help

Ide

From miljank at gmail.com Tue Dec 28 22:09:09 2010
From: miljank at gmail.com (Miljan Karadzic)
Date: Tue, 28 Dec 2010 23:09:09 +0100
Subject: [Freeipa-users] Unable to access web interface
In-Reply-To:
References:
Message-ID: <4D1A6005.3080907@gmail.com>

Hi Uzor,

I had the same problem.
You need to add the following line to your /etc/httpd/conf.d/ipa.conf file:

Alias /ipa/ui "/usr/share/ipa/static"

I added this line right before directory instructions for folder /usr/share/ipa/static, on line 88.
Restart httpd server and you should have access to web interface.

Regards,
Miljan

On 12/28/10 6:21 PM, Uzor Ide wrote:
> Hi all
>
> I just noticed that I am unable to access the web interface for freeipa.
> I had updated the server 2.0 alpha-5 and then beta version that came
> out some days ago. But since I do not use that web interface I have
> no idea when I lost the web interface ability.
> Now, though when I try to get to the web interface from a kerberized
> account all I get is an http error
>
> "The requested URL /ipa/ui was not found on this server"
>
> In the httpd error log, all that is there are
>
> [Tue Dec 28 11:55:29 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
> [Tue Dec 28 11:55:32 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
>
> access_log shows:
>
> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 301 319 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13"
> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 401 1164
> 192.168.17.13 - uz at MYDOMAIN [28/Dec/2010:11:56:36 -0500] "GET /ipa/ui HTTP/1.1" 404 174
>
> ssl_error_log is empty
> ipa files version are:
> ipa-python-2.0.0.pre1-0.fc13.i686
> ipa-admintools-2.0.0.pre1-0.fc13.i686
> ipa-server-2.0.0.pre1-0.fc13.i686
> ipa-client-2.0.0.pre1-0.fc13.i686
>
> All my command line still works.
>
> Thanks for your help
>
> Ide

From ide4you at gmail.com Wed Dec 29 16:15:06 2010
From: ide4you at gmail.com (Uzor Ide)
Date: Wed, 29 Dec 2010 11:15:06 -0500
Subject: [Freeipa-users] Unable to access web interface
In-Reply-To: <4D1A6005.3080907@gmail.com>
References: <4D1A6005.3080907@gmail.com>
Message-ID:

Thanks Miljan

Our installation for some reason does not have the entire Directory definition for "/usr/share/ipa/static". I think something sinister happened with the upgrade. I have managed to create the following for that block of directory declarative

Alias /ipa/ui "/usr/share/ipa/static"
<Directory "/usr/share/ipa/static">
  SetHandler None
  AllowOverride None
  Allow from all
</Directory>

I don't know if it is correct, but it is only able to display just the https://aba.uzdomain.ca/ipa/ui/ (home) without any menu or anything.

If you help me correct this directory declaration so that I'll modify my configuration with it, I will be very grateful

thanks

_Ide

On Tue, Dec 28, 2010 at 5:09 PM, Miljan Karadzic wrote:
> Hi Uzor,
>
> I had the same problem. You need to add the following line to your
> /etc/httpd/conf.d/ipa.conf file:
>
> Alias /ipa/ui "/usr/share/ipa/static"
>
> I added this line right before directory instructions for folder /usr/share/ipa/static,
> on line 88.
> Restart httpd server and you should have access to web interface.
>
> Regards,
> Miljan
>
>
> On 12/28/10 6:21 PM, Uzor Ide wrote:
>
> Hi all
>
> I just noticed that I am unable to access the web interface for freeipa. I
> had updated the server 2.0 alpha-5 and then beta version that came out some
> days ago. But since I do not use that web interface I have no idea when I
> lost the web interface ability.
> Now, though when I try to get to the web interface from a kerberized
> account all I get is an http error
>
> "The requested URL /ipa/ui was not found on this server"
>
> In the httpd error log, all that is there are
>
> [Tue Dec 28 11:55:29 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
> [Tue Dec 28 11:55:32 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
>
> access_log shows:
>
> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 301 319 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13"
> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 401 1164
> 192.168.17.13 - uz at MYDOMAIN [28/Dec/2010:11:56:36 -0500] "GET /ipa/ui HTTP/1.1" 404 174
>
> ssl_error_log is empty
> ipa files version are:
> ipa-python-2.0.0.pre1-0.fc13.i686
> ipa-admintools-2.0.0.pre1-0.fc13.i686
> ipa-server-2.0.0.pre1-0.fc13.i686
> ipa-client-2.0.0.pre1-0.fc13.i686
>
> All my command line still works.
>
> Thanks for your help
>
> Ide

From miljank at gmail.com Fri Dec 31 08:27:14 2010
From: miljank at gmail.com (Miljan Karadzic)
Date: Fri, 31 Dec 2010 09:27:14 +0100
Subject: [Freeipa-users] Unable to access web interface
In-Reply-To:
References: <4D1A6005.3080907@gmail.com>
Message-ID: <4D1D93E2.5010203@gmail.com>

Hi,

The complete definition should look like this:

# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/static"
<Directory "/usr/share/ipa/static">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>

I would suggest replacing both this file and ipa-rewrite.conf file with files directly from the latest ipa-server package.
Maybe there are some additional things missing.

Regards,
Miljan

On 12/29/10 5:15 PM, Uzor Ide wrote:
> Thanks Miljan
>
> Our installation for some reason does not have the entire
> Directory definition for "/usr/share/ipa/static". I think something
> sinister happened with the upgrade. I have managed to create the
> following for that block of directory declarative
>
> Alias /ipa/ui "/usr/share/ipa/static"
> <Directory "/usr/share/ipa/static">
>   SetHandler None
>   AllowOverride None
>   Allow from all
> </Directory>
>
> I don't know if it is correct, but it is only able to display just the
> https://aba.uzdomain.ca/ipa/ui/ (home) without any menu or anything.
>
> If you help me correct this directory declaration so that I'll
> modify my configuration with it, I will be very grateful
>
> thanks
>
> _Ide
>
> On Tue, Dec 28, 2010 at 5:09 PM, Miljan Karadzic wrote:
>
> Hi Uzor,
>
> I had the same problem. You need to add the following line to your
> /etc/httpd/conf.d/ipa.conf file:
>
> Alias /ipa/ui "/usr/share/ipa/static"
>
> I added this line right before directory instructions for folder
> /usr/share/ipa/static, on line 88.
> Restart httpd server and you should have access to web interface.
>
> Regards,
> Miljan
>
>
> On 12/28/10 6:21 PM, Uzor Ide wrote:
>> Hi all
>>
>> I just noticed that I am unable to access the web interface for
>> freeipa. I had updated the server 2.0 alpha-5 and then beta
>> version that came out some days ago. But since I do not use that
>> web interface I have no idea when I lost the web interface ability.
>> Now, though when I try to get to the web interface from a
>> kerberized account all I get is an http error
>>
>> "The requested URL /ipa/ui was not found on this server"
>>
>> In the httpd error log, all that is there are
>>
>> [Tue Dec 28 11:55:29 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
>> [Tue Dec 28 11:55:32 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
>>
>> access_log shows:
>>
>> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 301 319 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13"
>> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 401 1164
>> 192.168.17.13 - uz at MYDOMAIN [28/Dec/2010:11:56:36 -0500] "GET /ipa/ui HTTP/1.1" 404 174
>>
>> ssl_error_log is empty
>> ipa files version are:
>> ipa-python-2.0.0.pre1-0.fc13.i686
>> ipa-admintools-2.0.0.pre1-0.fc13.i686
>> ipa-server-2.0.0.pre1-0.fc13.i686
>> ipa-client-2.0.0.pre1-0.fc13.i686
>>
>> All my command line still works.
>>
>> Thanks for your help
>>
>> Ide

From ssorce at redhat.com Fri Dec 31 09:54:18 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 31 Dec 2010 04:54:18 -0500 (EST)
Subject: [Freeipa-users] Unable to access web interface
In-Reply-To:
Message-ID: <240702605.85919.1293789258148.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> Hi all
>
> I just noticed that I am unable to access the web interface for freeipa.
> I had updated the server 2.0 alpha-5 and then beta version that came out
> some days ago.
> But since I do not use that web interface I have no idea when I lost
> the web interface ability.

Hi Uzor,
until the final version comes out we keep making changes to the directory tree that require a full reinstall.
You can probably get the web interface to work, but then most probably you will get weird errors or failures during use.
In particular we completely changed the way permissions/privileges/roles are stored/handled between the alphas and the beta.

HTH,
Simo.

> Now, though when I try to get to the web interface from a kerberized
> account all I get is an http error
>
> "The requested URL /ipa/ui was not found on this server"
>
> In the httpd error log, all that is there are
>
> [Tue Dec 28 11:55:29 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
> [Tue Dec 28 11:55:32 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
>
> access_log shows:
>
> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 301 319 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13"
> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 401 1164
> 192.168.17.13 - uz at MYDOMAIN [28/Dec/2010:11:56:36 -0500] "GET /ipa/ui HTTP/1.1" 404 174
>
> ssl_error_log is empty
> ipa files version are:
> ipa-python-2.0.0.pre1-0.fc13.i686
> ipa-admintools-2.0.0.pre1-0.fc13.i686
> ipa-server-2.0.0.pre1-0.fc13.i686
> ipa-client-2.0.0.pre1-0.fc13.i686
>
> All my command line still works.
>
> Thanks for your help
>
> Ide

--
---
Simo Sorce * Red Hat, Inc.
* New York

From dpal at redhat.com Fri Dec 31 16:40:23 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 31 Dec 2010 11:40:23 -0500
Subject: [Freeipa-users] Unable to access web interface
In-Reply-To:
References: <4D1A6005.3080907@gmail.com>
Message-ID: <4D1E0777.1070609@redhat.com>

Uzor Ide wrote:
> Thanks Miljan
>
> Our installation for some reason does not have the entire
> Directory definition for "/usr/share/ipa/static". I think something
> sinister happened with the upgrade. I have managed to create the
> following for that block of directory declarative
>
> Alias /ipa/ui "/usr/share/ipa/static"
> <Directory "/usr/share/ipa/static">
>   SetHandler None
>   AllowOverride None
>   Allow from all
> </Directory>
>
> I don't know if it is correct, but it is only able to display just the
> https://aba.uzdomain.ca/ipa/ui/ (home) without any menu or anything.
>
> If you help me correct this directory declaration so that I'll
> modify my configuration with it, I will be very grateful
>
> thanks
>

Sorry for the slow response. The whole team is on a holiday break now. We will get back to you in January.
However, the Beta you are trying to use is not an upgrade for an earlier version and implies a new install presumably on a clean machine. It should work on F13 & F14 however after the New Year we will rapidly move all our effort to F14 support since we will be using later versions of Kerberos and certificate system that are not available or portable to the earlier versions of Fedora.

Thank you
Dmitri

> _Ide
>
> On Tue, Dec 28, 2010 at 5:09 PM, Miljan Karadzic wrote:
>
> Hi Uzor,
>
> I had the same problem. You need to add the following line to your
> /etc/httpd/conf.d/ipa.conf file:
>
> Alias /ipa/ui "/usr/share/ipa/static"
>
> I added this line right before directory instructions for folder
> /usr/share/ipa/static, on line 88.
> Restart httpd server and you should have access to web interface.
>
> Regards,
> Miljan
>
>
> On 12/28/10 6:21 PM, Uzor Ide wrote:
>> Hi all
>>
>> I just noticed that I am unable to access the web interface for
>> freeipa. I had updated the server 2.0 alpha-5 and then beta
>> version that came out some days ago. But since I do not use that
>> web interface I have no idea when I lost the web interface ability.
>> Now, though when I try to get to the web interface from a
>> kerberized account all I get is an http error
>>
>> "The requested URL /ipa/ui was not found on this server"
>>
>> In the httpd error log, all that is there are
>>
>> [Tue Dec 28 11:55:29 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
>> [Tue Dec 28 11:55:32 2010] [error] [client 192.168.17.13] File does not exist: /var/www/html/favicon.ico
>>
>> access_log shows:
>>
>> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 301 319 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13"
>> 192.168.17.13 - - [28/Dec/2010:11:56:35 -0500] "GET /ipa/ui HTTP/1.1" 401 1164
>> 192.168.17.13 - uz at MYDOMAIN [28/Dec/2010:11:56:36 -0500] "GET /ipa/ui HTTP/1.1" 404 174
>>
>> ssl_error_log is empty
>> ipa files version are:
>> ipa-python-2.0.0.pre1-0.fc13.i686
>> ipa-admintools-2.0.0.pre1-0.fc13.i686
>> ipa-server-2.0.0.pre1-0.fc13.i686
>> ipa-client-2.0.0.pre1-0.fc13.i686
>>
>> All my command line still works.
>>
>> Thanks for your help
>>
>> Ide

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
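
The Alias and Directory definitions exchanged in the "Unable to access web interface" thread differ in one access-control line, and the script below checks a config fragment for exactly that. It is an added example, not code from the thread or from FreeIPA; it assumes Apache 2.2 access-control semantics, and the function names, the sample strings and the `<Directory>` tag lines in them are assumptions.

```python
import shlex

def parse_conf(text):
    """Return (aliases, directories): Alias URL -> path, path -> directives in its <Directory>."""
    aliases, directories, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<directory ") and line.endswith(">"):
            args = shlex.split(line[len("<directory "):-1])
            current = args[0].rstrip("/") if args else None
            if current is not None:
                directories.setdefault(current, [])
        elif low.startswith("</directory"):
            current = None
        elif line.startswith("<"):
            continue  # other sections (<Location>, <Files>, ...) are not examined
        else:
            tokens = shlex.split(line)
            name, args = tokens[0].lower(), tokens[1:]
            if current is not None:
                directories[current].append((name, [a.lower() for a in args]))
            elif name == "alias" and len(args) == 2:
                aliases[args[0].rstrip("/")] = args[1].rstrip("/")
    return aliases, directories

def check_alias(text, url_path="/ipa/ui"):
    """Report how url_path is mapped and whether its directory skips authentication."""
    aliases, directories = parse_conf(text)
    target = aliases.get(url_path.rstrip("/"))
    block = directories.get(target) if target else None
    unauthenticated = False
    if block is not None:
        # Apache 2.2: "Satisfy Any" grants access when EITHER the host rule or the
        # auth requirement passes, so with "Allow from all" no login is needed.
        unauthenticated = (("satisfy", ["any"]) in block
                           and ("allow", ["from", "all"]) in block
                           and not any(name == "deny" for name, _ in block))
    if target is None:
        verdict = "no Alias for %s" % url_path
    elif block is None:
        verdict = "Alias present but no <Directory> block for %s" % target
    elif unauthenticated:
        verdict = "served without authentication (Satisfy Any + Allow from all)"
    else:
        verdict = "served, subject to any authentication required elsewhere"
    return {"target": target, "directory_block": block is not None,
            "unauthenticated": unauthenticated, "verdict": verdict}

# Constructed inputs: directives as quoted in the thread, <Directory> tags assumed.
AFTER_UPGRADE = "# ipa.conf with no mapping for the web UI\n"
FIRST_ATTEMPT = '''
Alias /ipa/ui "/usr/share/ipa/static"
<Directory "/usr/share/ipa/static">
  SetHandler None
  AllowOverride None
  Allow from all
</Directory>
'''
COMPLETE = '''
# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/static"
<Directory "/usr/share/ipa/static">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>
'''
if __name__ == "__main__":
    for label in ("AFTER_UPGRADE", "FIRST_ATTEMPT", "COMPLETE"):
        print("%-14s %s" % (label, check_alias(globals()[label])["verdict"]))
```

Run against a real ipa.conf, the same check shows whether the static UI directory is the only path exempted from authentication.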