From scott.kaminski at gmail.com Mon Feb 1 18:57:35 2010
From: scott.kaminski at gmail.com (Scott Kaminski)
Date: Mon, 1 Feb 2010 10:57:35 -0800
Subject: [Freeipa-users] DNS replica setup problem
Message-ID:

I'm not sure what I'm doing wrong here. I'm trying to set up a replica server and this is the output I'm getting:

[root at ldap-4 tmp]# ipa-replica-install -d replica-info-ldap-4.quadrant.local.gpg
Directory Manager (existing master) password:

root : INFO
root : INFO gpg: WARNING: unsafe permissions on homedir `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg'
gpg: keyring `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

root : INFO
root : INFO
root : ERROR The host name ldap-4.quadrant.local does not match the reverse lookup ldap-4
[root at ldap-4 tmp]# dig +short -x 10.10.1.134
ldap-4.quadrant.local.
[root at ldap-4 tmp]# dig +short ldap-4.quadrant.local A
10.10.1.134
[root at ldap-4 tmp]#

What is it that I'm missing here?

Thanks,

From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 1 Feb 2010 14:18:01 -0500
Subject: [Freeipa-users] DNS replica setup problem
In-Reply-To:
References:
Message-ID: <20100201141801.7f1247a9@willson.li.ssimo.org>

On Mon, 1 Feb 2010 10:57:35 -0800
Scott Kaminski wrote:

> What is it that I'm missing here?

Anything in /etc/hosts ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Feb 2010 14:18:28 -0500
Subject: [Freeipa-users] DNS replica setup problem
In-Reply-To:
References:
Message-ID: <4B672904.9030108@redhat.com>

Scott Kaminski wrote:
> I'm not sure what I'm doing wrong here. I'm trying to set up a replica
> server and this is the output I'm getting:
>
> [root at ldap-4 tmp]# ipa-replica-install -d replica-info-ldap-4.quadrant.local.gpg
> Directory Manager (existing master) password:
>
> root : INFO
> root : INFO gpg: WARNING: unsafe permissions on homedir `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg'
> gpg: keyring `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg/secring.gpg' created
> gpg: keyring `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg/pubring.gpg' created
> gpg: CAST5 encrypted data
> gpg: encrypted with 1 passphrase
> gpg: WARNING: message was not integrity protected
>
> root : INFO
> root : INFO
> root : ERROR The host name ldap-4.quadrant.local does not match the reverse lookup ldap-4
> [root at ldap-4 tmp]# dig +short -x 10.10.1.134
> ldap-4.quadrant.local.
> [root at ldap-4 tmp]# dig +short ldap-4.quadrant.local A
> 10.10.1.134
> [root at ldap-4 tmp]#
>
> What is it that I'm missing here?

Check /etc/hosts to be sure the FQDN appears first in the list for ldap-4.

rob

> Thanks,
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
From: scott.kaminski at gmail.com (Scott Kaminski)
Date: Mon, 1 Feb 2010 14:26:25 -0800
Subject: [Freeipa-users] DNS replica setup problem
In-Reply-To: <20100201141801.7f1247a9@willson.li.ssimo.org>
References: <20100201141801.7f1247a9@willson.li.ssimo.org>
Message-ID:

Okay, this is a weird one. I made a nice typo in my /etc/hosts file.

Proper hosts file:

[root at ldap-4 tmp]# cat /etc/hosts
127.0.0.1    localhost.localdomain localhost
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.1.134  ldap-4.quadrant.local ldap-4
172.16.2.135 ldap-5.quadrant.local ldap-5
172.16.2.136 ldap-6.quadrant.local ldap-6

Improper hosts file:

[root at ldap-4 tmp]# cat /etc/hosts
127.0.0.1    localhost.localdomain localhost
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.1.134  ldap-4 ldap-4.quadrant.local
172.16.2.135 ldap-5 ldap-5.quadrant.local
172.16.2.136 ldap-6 ldap-6.quadrant.local

I can see that the ipv6 local hosts line follows the improper format, which just seems weird to me.

Thanks for the help though,
Scott

On Mon, Feb 1, 2010 at 11:18 AM, Simo Sorce wrote:
> On Mon, 1 Feb 2010 10:57:35 -0800
> Scott Kaminski wrote:
>
> > What is it that I'm missing here?
>
> Anything in /etc/hosts ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
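The ordering rule Rob and Scott land on, as an added example that is not part of the thread: a small Python check that reads the two hosts files above (embedded as constructed copies) and reports what the installer's reverse-lookup test sees. The names parse_hosts, canonical_name and check_replica_hostname are this example's own, and the "files before dns" resolver order it assumes for an unlisted address is an assumption, not something the thread states.

```python
"""Check /etc/hosts the way ipa-replica-install's reverse-lookup test
sees it: the first name after an address is the canonical name that
gethostbyaddr() reports, so the FQDN must come first on the line.

Added example; the two hosts files below are constructed copies of the
ones in the thread, not read from disk."""

PROPER = """\
127.0.0.1    localhost.localdomain localhost
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.1.134  ldap-4.quadrant.local ldap-4
172.16.2.135 ldap-5.quadrant.local ldap-5
172.16.2.136 ldap-6.quadrant.local ldap-6
"""

IMPROPER = """\
127.0.0.1    localhost.localdomain localhost
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.1.134  ldap-4 ldap-4.quadrant.local
172.16.2.135 ldap-5 ldap-5.quadrant.local
172.16.2.136 ldap-6 ldap-6.quadrant.local
"""


def parse_hosts(text):
    """Return {address: [names...]} with names kept in file order.
    Comments and blank lines are skipped; if an address is listed twice
    the first line wins, matching how the resolver takes the first match."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        table.setdefault(addr, names)
    return table


def canonical_name(hosts, addr):
    """The name a reverse lookup through /etc/hosts yields for addr:
    the first name on its line, or None if the address is not listed."""
    names = hosts.get(addr)
    return names[0] if names else None


def check_replica_hostname(hosts_text, fqdn, addr):
    """Mirror the installer's check: the canonical name for the host's
    address must equal the FQDN the replica is being installed as.
    Returns (ok, message)."""
    if "." not in fqdn:
        return False, "%s is not a fully qualified name" % fqdn
    canon = canonical_name(parse_hosts(hosts_text), addr)
    if canon is None:
        # Assumption: nsswitch order 'files dns', so DNS is asked next.
        return True, "%s not in /etc/hosts; the resolver will ask DNS" % addr
    if canon.lower() != fqdn.lower():
        return False, ("The host name %s does not match the reverse lookup %s "
                       "(put the FQDN first on the %s line)" % (fqdn, canon, addr))
    return True, "%s resolves back to %s" % (addr, canon)


if __name__ == "__main__":
    for label, text in (("proper", PROPER), ("improper", IMPROPER)):
        ok, msg = check_replica_hostname(text, "ldap-4.quadrant.local", "10.10.1.134")
        print("%-8s %s: %s" % (label, "OK" if ok else "ERROR", msg))
```

The canonical name is whatever follows the address first, which is why the installer compared ldap-4.quadrant.local against ldap-4 even though dig showed a correct PTR record: the local file answered before DNS got a chance.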
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 1 Feb 2010 17:44:31 -0500
Subject: [Freeipa-users] loadbalancer?
In-Reply-To:
References:
Message-ID: <20100201174431.18352fb3@willson.li.ssimo.org>

On Fri, 22 Jan 2010 11:35:22 -0800
Doug Chapman wrote:

> We're currently running SunDS and using Citrix (Netscaler) load
> balancers to keep the load on our client facing LDAP servers balanced
> between 2 hosts.
>
> I'm evaluating FreeIPA and wondered if anyone can share any
> experience with using IPA behind a load balancer (or point me at
> wikidocs)?
>
> I know the ldap portion will work, it's the kerberos bits I'm
> unfamiliar with. Note, this would only be for client connections,
> not replication.

Hi Doug,
sorry for not replying earlier, I'd missed this message.

With krb5 you only have a problem if you want to use SASL/GSSAPI to
authenticate LDAP clients to your servers.

That's because clients need to acquire a ticket for the server they are
going to connect to, but you basically lie to clients by using a load
balancer and changing the target server without their knowledge. So
clients will try to acquire a ticket in the name of the balancer
(assuming you created a principal for it) and when they reach the server
the server will not be able to use it.

If you are not planning to use SASL/GSSAPI to authenticate clients to
the LDAP server there should be no other issues.

Note that in v2 with sssd as a client we assume we can use SASL/GSSAPI
by default, but with current clients/freeipa server we don't.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
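A model of the mechanism Simo describes, added here as an example and not code from FreeIPA or MIT krb5: a service ticket is sealed with the long-term key of the principal the client asked for, so a backend holding only its own key cannot use a ticket issued in the balancer's name. HMAC-SHA256 stands in for the real ticket encryption; the realm, host names, keys and keytab contents are constructed. The third scenario (a backend whose keytab also carries the balancer principal's key) goes beyond what the thread states and is included only to show what the check depends on.

```python
"""Toy model of Kerberos service-ticket acceptance behind a load balancer.
Added example: HMAC-SHA256 replaces the KDC's encryption, and every
principal, key and keytab below is constructed."""
import hashlib
import hmac
import os

REALM = "QUADRANT.LOCAL"                      # constructed realm
LB = "ldap/lb.quadrant.local@" + REALM        # principal for the balancer's name
S1 = "ldap/ldap-1.quadrant.local@" + REALM    # principal for one backend


class KDC:
    """Keeps one random long-term key per service principal and issues
    tickets sealed with the key of the service the client asked for."""

    def __init__(self, principals):
        self.keys = {p: os.urandom(32) for p in principals}

    def key_for(self, principal):
        return self.keys[principal]

    def service_ticket(self, client, service_principal):
        body = ("%s|%s" % (client, service_principal)).encode()
        tag = hmac.new(self.keys[service_principal], body, hashlib.sha256).digest()
        return {"sname": service_principal, "body": body, "tag": tag}


def server_accepts(keytab, ticket):
    """The accepting server needs the key for the ticket's service name;
    without it (or if the seal does not verify) GSSAPI negotiation fails."""
    key = keytab.get(ticket["sname"])
    if key is None:
        return False
    expected = hmac.new(key, ticket["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])


KDC_ = KDC([LB, S1])


def scenario(client_target_host, backend_keytab_principals):
    """The client asks for a ticket for the host name it connected to; the
    balancer then hands the connection to a backend whose keytab holds
    only the listed principals."""
    target = "ldap/%s@%s" % (client_target_host, REALM)
    ticket = KDC_.service_ticket("user@" + REALM, target)
    keytab = {p: KDC_.key_for(p) for p in backend_keytab_principals}
    return server_accepts(keytab, ticket)


def direct_connection():
    # Client connects to ldap-1 by its own name: the backend has that key.
    return scenario("ldap-1.quadrant.local", [S1])


def via_balancer():
    # Client connects to the balancer's name; the backend has only its own
    # key, so the ticket is unusable (the failure Simo describes).
    return scenario("lb.quadrant.local", [S1])


def via_balancer_with_shared_key():
    # Beyond the thread: a backend that also holds the balancer principal's
    # key can accept tickets issued for that name.
    return scenario("lb.quadrant.local", [S1, LB])


if __name__ == "__main__":
    print("direct:", direct_connection())
    print("via balancer:", via_balancer())
    print("via balancer, shared key:", via_balancer_with_shared_key())
```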
From: scott.kaminski at gmail.com (Scott)
Date: Mon, 1 Feb 2010 23:39:16 -0800
Subject: [Freeipa-users] Epel packages
Message-ID: <8297A594-C237-43FA-B56B-0C50B236B1DF@gmail.com>

Just wondering, are there any plans to put any of the packages into the epel repository?

I wouldn't mind seeing at least the Ipa client packages as a start.

Sent from my iPhone

From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 02 Feb 2010 10:16:21 -0500
Subject: [Freeipa-users] Epel packages
In-Reply-To: <8297A594-C237-43FA-B56B-0C50B236B1DF@gmail.com>
References: <8297A594-C237-43FA-B56B-0C50B236B1DF@gmail.com>
Message-ID: <4B6841C5.5030205@redhat.com>

Scott wrote:
> Just wondering, are there any plans to put any of the packages into the
> epel repository?
>
> I wouldn't mind seeing at least the Ipa client packages as a start.

By the client packages I assume you mean SSSD, certmonger and ipa-client, right?
Yes, sure we plan to do this. Just do not have time for it right now and we think that we are not ready yet.
We are focusing on making the code stable for the next major RHEL release.
When it is ready we will put it into EPEL.

> Sent from my iPhone

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Feb 2010 15:01:33 -0500
Subject: [Freeipa-users] Installing IPA on Solaris 10
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C6906026B089E@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C6906026B089E@waterloo.t24uk.tipp24.net>
Message-ID: <4B68849D.6070009@redhat.com>

Andy Singleton wrote:
> Hi guys,
>
> I am installing IPA 1.2.2 client installation on one of our Solaris
> servers, and I can't seem to get the system to see the IPA users. "getent
> passwd" only returns local users, and no traffic is leaving the client
> for the IPA server for ldap.
>
> I have followed the instructions from the documentation, but I
> definitely get the feeling that something is missing.
>
> All the various configuration files are populated, and the Kerberos
> portion works correctly because I can obtain a ticket.
>
> So possibly there is a problem with the nss_ldap part, or the ldap.conf
> itself.
>
> Does anyone know common problems that might have this result on Solaris 10?
>
> For reference, here is the /etc/ldap.conf file:
>
> ldap_version 3
> base cn=compat,dc=live,dc=tipp24,dc=net
> nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub
> nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub
> nss_schema rfc2307bis
> nss_map_objectclass shadowAccount posixAccount
> nss_map_attribute uniqueMember member
> nss_initgroups_ignoreusers root,dirsrv,oracle
> nss_reconnect_maxsleeptime 8
> nss_reconnect_sleeptime 1
> bind_timelimit 2
> timelimit 4
> nss_srv_domain live.tipp24.net
> uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net
>
> Thanks
>
> Andy

Sorry, missed this one last week..

What does /etc/nsswitch.conf read? Is it configured to use ldap?

You might also try killing nscd in case it is interfering.

rob
From: shan.sysadm at gmail.com (Shan Kumaraswamy)
Date: Wed, 3 Feb 2010 15:58:27 +0300
Subject: [Freeipa-users] FreeIPA 1.2.2 Server
Message-ID: <68b7c79a1002030458u2c680b80q5971989d9adc109e@mail.gmail.com>

Dear All,

Greetings, I am planning to deploy FreeIPA (stable version 1.2.2) under RHEL 5 server (not a client) using RHDS 8.1. Please clarify for me whether FreeIPA 1.2.2 will compile and install on RHEL 5 Server using RHDS 8.1?

-- 
Thanks & Regards
Shan Kumaraswamy

From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Feb 2010 10:11:19 -0500
Subject: [Freeipa-users] Installing IPA on Solaris 10
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net>
Message-ID: <4B699217.8020508@redhat.com>

Andy Singleton wrote:
> Hi rob,
>
> Glad you caught up with this problem.
>
> The nsswitch.conf is set up as per the install document. So:
> passwd: files ldap[NOTFOUND=return]
> group: files ldap[NOTFOUND=return]
>
> The system uses the standard solaris nss_ldap package.

Ok, can you see if you can get a specific user and group:

getent passwd admin
getent group ipausers

rob

> Cheers
> Andy
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Feb 2010 10:40:00 -0500
Subject: [Freeipa-users] FreeIPA 1.2.2 Server
In-Reply-To: <68b7c79a1002030458u2c680b80q5971989d9adc109e@mail.gmail.com>
References: <68b7c79a1002030458u2c680b80q5971989d9adc109e@mail.gmail.com>
Message-ID: <4B6998D0.1000203@redhat.com>

Shan Kumaraswamy wrote:
> Dear All,
>
> Greetings, I am planning to deploy FreeIPA (stable version 1.2.2) under
> RHEL 5 server (not a client) using RHDS 8.1, please clarify for me whether
> FreeIPA 1.2.2 will compile and install in RHEL 5 Server using RHDS
> 8.1 version?

Sure.

% cd rpmbuild/SOURCES
% wget http://kojipkgs.fedoraproject.org/packages/ipa/1.2.2/2.fc11/src/ipa-1.2.2-2.fc11.src.rpm
% rpm2cpio ipa-1.2.2-2.fc11.src.rpm |cpio -idv
%
--- ipa.spec.orig 2010-02-03 10:22:04.000000000 -0500 +++ ipa.spec 2010-02-03 10:25:23.000000000 -0500 @@ -16,7 +16,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch1: ipa-schema.patch -BuildRequires: fedora-ds-base-devel >= 1.1.3 +BuildRequires: redhat-ds-base-devel >= 8.1 BuildRequires: mozldap-devel BuildRequires: svrcore-devel BuildRequires: nspr-devel @@ -30,7 +30,7 @@ BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool -BuildRequires: popt-devel +BuildRequires: popt BuildRequires: /usr/share/selinux/devel/Makefile BuildRequires: m4 BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
@@ -49,7 +49,7 @@ Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} Requires(post): %{name}-server-selinux = %{version}-%{release} -Requires: fedora-ds-base >= 1.1.3 +Requires: redhat-ds-base >= 8.1 Requires: openldap-clients Requires: nss Requires: nss-tools

% rpmbuild -ba ipa.spec
% su
# cd ../RPMS/x86_64
# rpm -Uvh ipa-admintools-1.2.2-2.x86_64.rpm ipa-client-1.2.2-2.x86_64.rpm ipa-python-1.2.2-2.x86_64.rpm ipa-server-1.2.2-2.x86_64.rpm ipa-server-selinux-1.2.2-2.x86_64.rpm
# /usr/sbin/ipa-server-install
# kinit admin
# /usr/sbin/ipa-finduser admin
  Home Directory: /home/admin
  Login Shell: /bin/bash
  Last Name: Administrator
  Login: admin
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 (Tikanga)

The UI works too:

# curl -k --negotiate -u : https://ipa.example.com/ipa/ui 2>&1 | grep Logged
Logged in as: admin

rob
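Review bot: in the first hunk (@@ -16,7 +16,7 @@) the swap from `BuildRequires: fedora-ds-base-devel >= 1.1.3` to `BuildRequires: redhat-ds-base-devel >= 8.1` is unconditional, so the edited spec no longer builds on Fedora; wrapping the two alternatives in a distribution conditional (`%if 0%{?rhel}` / `%else` / `%endif`) keeps one spec usable for both, and a one-line comment that RHDS and Fedora DS carry different version numbering would explain why 8.1 stands in for 1.1.3.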
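Review bot: in the second hunk (@@ -30,7 +30,7 @@) replacing `BuildRequires: popt-devel` with `BuildRequires: popt` only fits the RHEL 5 packaging shown later in the message; on distributions that ship the headers in a separate popt-devel package this line would break the build, so it deserves the same conditional treatment as the directory-server lines, or at least a comment saying it is for RHEL 5.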
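Review bot: the third hunk (@@ -49,7 +49,7 @@) correctly keeps the runtime `Requires: redhat-ds-base >= 8.1` in step with the build-time requirement from the first hunk; defining the version floor once (a `%define` near the top of the spec used by both lines) would stop the two from drifting apart on the next edit.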
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 03 Feb 2010 11:34:02 -0500
Subject: [Freeipa-users] Installing IPA on Solaris 10
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net>
Message-ID: <4B69A57A.8080908@redhat.com>

Andy Singleton wrote:
> Hi Rob,
>
> Neither of the commands give any results.

/me smacks head

Ok, sorry I didn't see this the first go-round.

The Solaris nss_ldap doesn't use /etc/ldap.conf.

What you want to do is something like:

# ldapclient init ipa.example.com

This should set everything up for you on the Solaris side assuming you're running freeIPA 1.2.2.

You'll also need to enable the compat schema on the IPA side by running ipa-compat-manage enable and restarting the DS (if you haven't done so already).

Note that the Solaris LDAP client assumes that if you want to use LDAP for anything then you want to use it for EVERYTHING, so you'll want to fix up /etc/nsswitch.conf, at least setting files and ipnodes back to dns from ldap.

rob

> Andy
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Fri, 5 Feb 2010 16:03:05 -0000
Subject: [Freeipa-users] Installing IPA on Solaris 10
References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net> <4B69A57A.8080908@redhat.com>
Message-ID: <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net>

Hi Rob,

Ok, I've switched on the compat plugin.
Incidentally, does this need to be done separately for all replicas?

However, when I run ldapclient init, I get this message:
"Failed to find defaultSearchBase for domain"

Cheers
Andy
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Feb 2010 11:57:42 -0500
Subject: [Freeipa-users] Installing IPA on Solaris 10
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net> <4B69A57A.8080908@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net>
Message-ID: <4B6C4E06.6080703@redhat.com>

Andy Singleton wrote:
> Hi Rob,
>
> Ok, I've switched on the compat plugin.
> Incidentally, does this need to be done separately for all replicas?

Yes. The plugin configuration of each 389-ds is not replicated.

> However, when I run ldapclient init, I get this message:
> "Failed to find defaultSearchBase for domain"

Hmm, can you look in the DS logs to see what queries it is making? (/var/log/dirsrv/slapd-YOUR-INSTANCE/access)

Probably a good idea to ensure you have the Solaris default profile set up too:

ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com"

rob

> Cheers
> Andy
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 5 Feb 2010 12:05:27 -0500
Subject: [Freeipa-users] Installing IPA on Solaris 10
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net> <4B69A57A.8080908@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net>
Message-ID: <20100205170527.GB9792@redhat.com>

On Fri, Feb 05, 2010 at 04:03:05PM -0000, Andy Singleton wrote:
> Hi Rob,
>
> Ok, I've switched on the compat plugin.
> Incidentally, does this need to be done separately for all replicas?

I believe so. The set of plugins which are configured is configured on each server.

> However, when I run ldapclient init, I get this message:
> "Failed to find defaultSearchBase for domain"

Does the client have its domain set to match the name of the IPA domain before you run 'ldapclient init'? The ldapclient command will look for the profile information using the client's domain name as a starting point. I believe this is done with the 'domainname' command, though I'm not sure of the name of the configuration file which you'd need to edit to make that setting permanent.

HTH,

Nalin
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Mon, 8 Feb 2010 10:22:00 -0000
Subject: [Freeipa-users] Installing IPA on Solaris 10
References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net> <4B69A57A.8080908@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net> <20100205170527.GB9792@redhat.com>
Message-ID: <1CD40A4DEEA320479C98D8A93A5C6906026B1176@waterloo.t24uk.tipp24.net>

Hi guys,

For the default profile setup, here is the result of that query:

ldapsearch -x -b "cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# default, profile, live.tipp24.net
dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net
cn: default
authenticationMethod: none
bindTimeLimit: 5
objectclassMap: shadow:shadowAccount=posixAccount
followReferrals: TRUE
searchTimeLimit: 15
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=live,dc=tipp24,dc=net
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=live,dc=tipp24,dc=net
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=live,dc=tipp24,dc=net
defaultServerList: [IPA master hostname]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

As for the actual queries, here is the access log from when I execute the ldapclient command on the Solaris box:

[08/Feb/2010:11:12:18 +0100] conn=686769 fd=122 slot=122 connection from [client IP] to [server IP]
[08/Feb/2010:11:12:18 +0100] conn=686769 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[08/Feb/2010:11:12:18 +0100] conn=686769 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[08/Feb/2010:11:12:18 +0100] conn=686769 op=1 SRCH base="dc=live,dc=tipp24,dc=net" scope=2 filter="(&(objectClass=nisDomainObject)(nisDomain=live.tipp24.net))" attrs=ALL
[08/Feb/2010:11:12:18 +0100] conn=686769 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[08/Feb/2010:11:12:18 +0100] conn=686769 op=2 UNBIND
[08/Feb/2010:11:12:18 +0100] conn=686769 op=2 fd=122 closed - U1

I hope that's of some help.

Andy
From: scott.kaminski at gmail.com (Scott Kaminski)
Date: Mon, 8 Feb 2010 18:00:25 -0800
Subject: [Freeipa-users] FreeIPA with C4 http authentication
Message-ID:

I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7. I wanted to hook my cacti to my FreeIPA domain. I seem to have a number of issues I can't actually work out with this machine and they appear to be related to HTTP Kerberos authentication.

I seem to be able to authenticate to the machine locally using FreeIPA without any major issues. One thing that seems odd to me is that when I execute id as a user on a C5 machine I see all my group memberships; when I log in to the C4 machine and execute id I only see 1 group associated with my user account, and other user accounts have the same issue.

I want to access the machine by host and IP. I can authenticate via hostname without a problem. When I attempt to access the machine via IP it doesn't work. I have a C5 machine that doesn't have this problem: hostname or IP, I can authenticate.

When I attempt to access via the IP here is what shows in the apache logs:

[Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address

Here are the packages I installed:

[root at wtw-man6 conf]# rpm -qa | grep mod_auth
mod_auth_kerb-5.0-1.3
mod_authz_ldap-0.26-2.1

Here is my apache auth configuration:

SSLRequireSSL
AuthType Kerberos
AuthName "Cacti login"

KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP

KrbAuthRealms QUADRANT.LOCAL
Krb5KeyTab /etc/httpd/conf/http.keytab
KrbSaveCredentials on
#KrbVerifyKDC off
AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
#require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
require valid-user

C4 seems to be running an older version of mod_auth_kerb and apache when compared to C5. I suspect this is part of the issue, I'm sure.

The other detail I'm having a problem with seems to be related to group membership. On the C4 machine, require group or require ldap-group doesn't seem to work at all. I really don't mind this as much, but if anyone has any ideas I would love to hear what the solution is.

Thanks,

From rcritten at redhat.com Tue Feb 9 19:34:32 2010
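Added example (not mod_auth_kerb or MIT krb5 code) of the two steps behind the krb5_sname_to_principal() error in the message above: take the host the browser asked for, then map it to a realm the way the [domain_realm] section of krb5.conf does. A numeric address has no domain labels to walk, so no realm and no service principal can be derived from it. The realm mapping, host names and the DNS-canonicalisation step that real krb5 would also perform are constructed or left out here.

```python
"""Why an IP-literal URL cannot be mapped to a Kerberos service principal.

Added example, not mod_auth_kerb or MIT krb5 code. It models the host
-> realm -> principal derivation that the module delegates to
krb5_sname_to_principal(). Real krb5 also canonicalises the host via
DNS and has DNS/uppercase-domain fallbacks; those are omitted.
"""
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for the [domain_realm] section of krb5.conf.
DOMAIN_REALM: Dict[str, str] = {
    ".quadrant.local": "QUADRANT.LOCAL",
    "quadrant.local": "QUADRANT.LOCAL",
}


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, including a bracketed IPv6 from a URL."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def realm_for_host(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Longest-suffix match in the style of [domain_realm]: the full host
    name first, then '.parent.domain' for each parent domain in turn.
    Returns None when nothing matches."""
    if is_ip_literal(host):
        # No domain labels to walk: this is the "numeric host address" case.
        return None
    name = host.rstrip(".").lower()
    if name in domain_realm:
        return domain_realm[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


def service_principal(service: str, host: str,
                      domain_realm: Dict[str, str] = DOMAIN_REALM) -> str:
    """Build SERVICE/host@REALM, or raise when the realm is undeterminable,
    which is the condition mod_auth_kerb logs as a failure."""
    realm = realm_for_host(host, domain_realm)
    if realm is None:
        raise ValueError(f"cannot determine realm for host {host!r}")
    return f"{service}/{host.rstrip('.').lower()}@{realm}"


def diagnose(hosts, domain_realm: Dict[str, str] = DOMAIN_REALM) -> Dict[str, str]:
    """For each requested host, the keytab principal the module would need,
    or the reason the lookup cannot even start."""
    out: Dict[str, str] = {}
    for h in hosts:
        try:
            out[h] = service_principal("HTTP", h, domain_realm)
        except ValueError as exc:
            out[h] = f"ERROR: {exc}"
    return out


if __name__ == "__main__":
    # Hosts from the thread: the FQDN works, the bare address cannot.
    for host, result in diagnose(["wtw-man6.quadrant.local", "172.16.2.36"]).items():
        print(f"{host:28} -> {result}")
```

The practical consequence is that the keytab entry HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL can only be matched when clients use that name in the URL; an IP-literal URL has no principal to match, whichever mod_auth_kerb version is installed.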
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Feb 2010 14:34:32 -0500
Subject: [Freeipa-users] FreeIPA with C4 http authentication
In-Reply-To:
References:
Message-ID: <4B71B8C8.3000009@redhat.com>

Scott Kaminski wrote:
> I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7. I wanted to hook my cacti to my FreeIPA domain. I seem to have a number of issues I can't actually work out with this machine and they appear to be related to HTTP Kerberos authentication.
>
> I seem to be able to authenticate to the machine locally using FreeIPA without any major issues. One thing that seems odd to me is that when I execute id as a user on a C5 machine I see all my group memberships; when I log in to the C4 machine and execute id I only see 1 group associated with my user account, and other user accounts have the same issue.
>
> I want to access the machine by host and IP. I can authenticate via hostname without a problem. When I attempt to access the machine via IP it doesn't work. I have a C5 machine that doesn't have this problem: hostname or IP, I can authenticate.
>
> When I attempt to access via the IP here is what shows in the apache logs:
>
> [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address

Does the IP resolve into a host name? I think that may be the problem.

> Here are the packages I installed:
> [root at wtw-man6 conf]# rpm -qa | grep mod_auth
> mod_auth_kerb-5.0-1.3
> mod_authz_ldap-0.26-2.1
>
> Here is my apache auth configuration:
>
> SSLRequireSSL
> AuthType Kerberos
> AuthName "Cacti login"
>
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> KrbServiceName HTTP
>
> KrbAuthRealms QUADRANT.LOCAL
> Krb5KeyTab /etc/httpd/conf/http.keytab
> KrbSaveCredentials on
> #KrbVerifyKDC off
> AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
> #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
> require valid-user
>
> C4 seems to be running an older version of mod_auth_kerb and apache when compared to C5. I suspect this is part of the issue, I'm sure.
>
> The other detail I'm having a problem with seems to be related to group membership. On the C4 machine, require group or require ldap-group doesn't seem to work at all. I really don't mind this as much, but if anyone has any ideas I would love to hear what the solution is.

What does it do/not do? You may need to watch the DS access log while doing an authentication so you can see the query being sent and how many entries (if any) are being returned.

rob

>
> Thanks,
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From scott.kaminski at gmail.com Tue Feb 9 22:42:33 2010
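The access-log check Rob recommends above is the same one that settles Andy's Solaris ldapclient question earlier in this digest, so one added example (not 389-DS or FreeIPA code) serves both: it pairs every SRCH record with its RESULT by conn/op and flags searches that succeeded but returned nothing. The sample lines are constructed after the ones Andy posted, with placeholder addresses.

```python
"""Correlate SRCH and RESULT records in a 389 Directory Server access log.

Added example, not 389-DS or FreeIPA code. A search that returns err=0
but nentries=0 means the directory was asked a well-formed question for
an entry that is not there (wrong base, wrong objectClass, or missing
data), which is exactly what the log in the Solaris thread shows for
the nisDomainObject lookup and what Rob suggests checking for the
mod_authz_ldap group lookups.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the lines Andy posted; addresses are placeholders.
SAMPLE_LOG = """\
[08/Feb/2010:11:12:18 +0100] conn=686769 fd=122 slot=122 connection from 192.0.2.10 to 192.0.2.1
[08/Feb/2010:11:12:18 +0100] conn=686769 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[08/Feb/2010:11:12:18 +0100] conn=686769 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[08/Feb/2010:11:12:18 +0100] conn=686769 op=1 SRCH base="dc=live,dc=tipp24,dc=net" scope=2 filter="(&(objectClass=nisDomainObject)(nisDomain=live.tipp24.net))" attrs=ALL
[08/Feb/2010:11:12:18 +0100] conn=686769 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[08/Feb/2010:11:12:18 +0100] conn=686769 op=2 UNBIND
[08/Feb/2010:11:12:18 +0100] conn=686769 op=2 fd=122 closed - U1
"""

# Every operation record starts with a bracketed timestamp, conn= and op=.
_REC_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+(?P<body>.*)$')
_SRCH_RE = re.compile(r'^SRCH\s+base="(?P<base>[^"]*)"\s+scope=(?P<scope>\d)\s+filter="(?P<filter>[^"]*)"\s+attrs=(?P<attrs>.*)$')
_RESULT_RE = re.compile(r'^RESULT\s+err=(?P<err>\d+)\s+tag=(?P<tag>\d+)\s+nentries=(?P<nentries>\d+)')


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    filter: str
    attrs: str
    err: Optional[int] = None        # filled in from the matching RESULT
    nentries: Optional[int] = None

    @property
    def completed(self) -> bool:
        return self.err is not None


def parse_access_log(lines) -> List[Search]:
    """Return searches in log order, each joined to its RESULT by (conn, op)."""
    pending: Dict[Tuple[int, int], Search] = {}
    searches: List[Search] = []
    for line in lines:
        rec = _REC_RE.match(line.strip())
        if not rec:
            continue                      # connection open lines, blank lines
        conn, op, body = int(rec["conn"]), int(rec["op"]), rec["body"]
        srch = _SRCH_RE.match(body)
        if srch:
            s = Search(conn, op, srch["base"], int(srch["scope"]), srch["filter"], srch["attrs"])
            pending[(conn, op)] = s
            searches.append(s)
            continue
        res = _RESULT_RE.match(body)
        if res and (conn, op) in pending:
            s = pending.pop((conn, op))
            s.err = int(res["err"])
            s.nentries = int(res["nentries"])
    return searches


def empty_searches(searches: List[Search]) -> List[Search]:
    """Searches the server answered successfully with zero entries."""
    return [s for s in searches if s.err == 0 and s.nentries == 0]


def report(searches: List[Search]) -> List[str]:
    """One human-readable line per search, for eyeballing alongside a login attempt."""
    lines = []
    for s in searches:
        status = f"err={s.err} nentries={s.nentries}" if s.completed else "no RESULT seen"
        lines.append(f'conn={s.conn} op={s.op} base="{s.base}" scope={s.scope} filter={s.filter} -> {status}')
    return lines


if __name__ == "__main__":
    found = parse_access_log(SAMPLE_LOG.splitlines())
    print("\n".join(report(found)))
    for s in empty_searches(found):
        print(f"\nEmpty result: nothing under {s.base!r} matches {s.filter}")
```

On Andy's log this singles out the nisDomainObject search: the client found the naming context but no entry carrying nisDomain=live.tipp24.net under it, which is why ldapclient reports that it cannot find a defaultSearchBase before it ever reads the profile entry.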
From: scott.kaminski at gmail.com (Scott Kaminski)
Date: Tue, 9 Feb 2010 14:42:33 -0800
Subject: [Freeipa-users] FreeIPA with C4 http authentication
In-Reply-To:
References: <4B71B8C8.3000009@redhat.com>
Message-ID:

Forgot to CC the mailing list on my original reply.

On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski wrote:
>
> On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden wrote:
>
>> Scott Kaminski wrote:
>>
>>> I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7. I wanted to hook my cacti to my FreeIPA domain. I seem to have a number of issues I can't actually work out with this machine and they appear to be related to HTTP Kerberos authentication.
>>>
>>> I seem to be able to authenticate to the machine locally using FreeIPA without any major issues. One thing that seems odd to me is that when I execute id as a user on a C5 machine I see all my group memberships; when I log in to the C4 machine and execute id I only see 1 group associated with my user account, and other user accounts have the same issue.
>>>
>>> I want to access the machine by host and IP. I can authenticate via hostname without a problem. When I attempt to access the machine via IP it doesn't work. I have a C5 machine that doesn't have this problem: hostname or IP, I can authenticate.
>>>
>>> When I attempt to access via the IP here is what shows in the apache logs:
>>>
>>> [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address
>>>
>>
>> Does the IP resolve into a host name? I think that may be the problem.
>>
>
> Keep in mind this is authentication via apache that is giving me problems at this point. If I log in to the server via ssh I can do passwordless authentication from this machine to other servers and from other servers to this machine, assuming I have a valid krb ticket.
>
> Here is verification of the dns entries just in case:
> [root at ldap-6 log]# dig +short -x 172.16.2.36
> wtw-man6.quadrant.local.
> [root at ldap-6 log]# dig +short wtw-man6.quadrant.local
> 172.16.2.36
>
> The client IP listed above is not part of the IPA domain, if that really matters. To clarify, if I put https://wtw-man6.quadrant.local/scott in my browser I can successfully authenticate. If I do https://172.16.2.36/scott I cannot authenticate and I see the above log message in the apache error log.
>
> I just tried it now and here is what showed up in the krb5.log
>
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL, Additional pre-authentication required
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
>
> If I use wtw-man6.quadrant.local I see this instead in the krb log, which looks like a valid request/ticket issue process.
>
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL, Additional pre-authentication required
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
>
>>> Here are the packages I installed:
>>> [root at wtw-man6 conf]# rpm -qa | grep mod_auth
>>> mod_auth_kerb-5.0-1.3
>>> mod_authz_ldap-0.26-2.1
>>>
>>> Here is my apache auth configuration:
>>>
>>> SSLRequireSSL
>>> AuthType Kerberos
>>> AuthName "Cacti login"
>>>
>>> KrbMethodNegotiate on
>>> KrbMethodK5Passwd on
>>> KrbServiceName HTTP
>>>
>>> KrbAuthRealms QUADRANT.LOCAL
>>> Krb5KeyTab /etc/httpd/conf/http.keytab
>>> KrbSaveCredentials on
>>> #KrbVerifyKDC off
>>> AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
>>> #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
>>> require valid-user
>>>
>>> C4 seems to be running an older version of mod_auth_kerb and apache when compared to C5. I suspect this is part of the issue, I'm sure.
>>>
>>> The other detail I'm having a problem with seems to be related to group membership. On the C4 machine, require group or require ldap-group doesn't seem to work at all. I really don't mind this as much, but if anyone has any ideas I would love to hear what the solution is.
>>>
>>
>> What does it do/not do? You may need to watch the DS access log while doing an authentication so you can see the query being sent and how many entries (if any) are being returned.
>>
>> rob
>>
>>> Thanks,
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>

From rcritten at redhat.com Wed Feb 10 04:11:13 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Feb 2010 23:11:13 -0500
Subject: [Freeipa-users] FreeIPA with C4 http authentication
In-Reply-To:
References: <4B71B8C8.3000009@redhat.com>
Message-ID: <4B7231E1.8030500@redhat.com>

Scott Kaminski wrote:
> Forgot to CC the mailing list on my original reply.
>
> On Tue, Feb 9, 2010 at 2:40 PM, Scott Kaminski wrote:
>
> On Tue, Feb 9, 2010 at 11:34 AM, Rob Crittenden wrote:
>
> Scott Kaminski wrote:
>
> I have a cactiEZ v0.6 server, and it's actually running CentOS 4.7. I wanted to hook my cacti to my FreeIPA domain. I seem to have a number of issues I can't actually work out with this machine and they appear to be related to HTTP Kerberos authentication.
>
> I seem to be able to authenticate to the machine locally using FreeIPA without any major issues. One thing that seems odd to me is that when I execute id as a user on a C5 machine I see all my group memberships; when I log in to the C4 machine and execute id I only see 1 group associated with my user account, and other user accounts have the same issue.
>
> I want to access the machine by host and IP. I can authenticate via hostname without a problem. When I attempt to access the machine via IP it doesn't work. I have a C5 machine that doesn't have this problem: hostname or IP, I can authenticate.
>
> When I attempt to access via the IP here is what shows in the apache logs:
>
> [Mon Feb 08 17:23:04 2010] [error] [client 192.168.169.194] krb5_sname_to_principal() failed: Cannot determine realm for numeric host address
>
> Does the IP resolve into a host name? I think that may be the problem.
>
> Keep in mind this is authentication via apache that is giving me problems at this point. If I log in to the server via ssh I can do passwordless authentication from this machine to other servers and from other servers to this machine, assuming I have a valid krb ticket.
>
> Here is verification of the dns entries just in case:
> [root at ldap-6 log]# dig +short -x 172.16.2.36
> wtw-man6.quadrant.local.
> [root at ldap-6 log]# dig +short wtw-man6.quadrant.local
> 172.16.2.36

Does this same reverse lookup work on wtw-man6?

Have you tried setting the LogLevel to debug in Apache to see if you get more output? Note that mod_auth_kerb output is not always that useful in RHEL 4-based systems but we can always hope.

rob

> The client IP listed above is not part of the IPA domain, if that really matters. To clarify, if I put https://wtw-man6.quadrant.local/scott in my browser I can successfully authenticate. If I do https://172.16.2.36/scott I cannot authenticate and I see the above log message in the apache error log.
>
> I just tried it now and here is what showed up in the krb5.log
>
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL, Additional pre-authentication required
> Feb 09 14:34:07 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754847, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
>
> If I use wtw-man6.quadrant.local I see this instead in the krb log, which looks like a valid request/ticket issue process.
>
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:54 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754894, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: NEEDED_PREAUTH: scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL, Additional pre-authentication required
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): DISPATCH: repeated (retransmitted?) request from 172.16.2.36, resending previous response
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for krbtgt/QUADRANT.LOCAL at QUADRANT.LOCAL
> Feb 09 14:34:55 ldap-5.quadrant.local krb5kdc[2628](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.2.36: ISSUE: authtime 1265754895, etypes {rep=18 tkt=18 ses=18}, scottk at QUADRANT.LOCAL for HTTP/wtw-man6.quadrant.local at QUADRANT.LOCAL
>
> Here are the packages I installed:
> [root at wtw-man6 conf]# rpm -qa | grep mod_auth
> mod_auth_kerb-5.0-1.3
> mod_authz_ldap-0.26-2.1
>
> Here is my apache auth configuration:
>
> SSLRequireSSL
> AuthType Kerberos
> AuthName "Cacti login"
>
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> KrbServiceName HTTP
>
> KrbAuthRealms QUADRANT.LOCAL
> Krb5KeyTab /etc/httpd/conf/http.keytab
> KrbSaveCredentials on
> #KrbVerifyKDC off
> AuthLDAPUrl ldap://ldap.quadrant.local:389/dc=quadrant,dc=local?krbPrincipalName
> #require group cn=NetopsResources,cn=groups,cn=accounts,dc=quadrant,dc=local
> require valid-user
>
> C4 seems to be running an older version of mod_auth_kerb and apache when compared to C5. I suspect this is part of the issue, I'm sure.
>
> The other detail I'm having a problem with seems to be related to group membership. On the C4 machine, require group or require ldap-group doesn't seem to work at all. I really don't mind this as much, but if anyone has any ideas I would love to hear what the solution is.
>
> What does it do/not do? You may need to watch the DS access log while doing an authentication so you can see the query being sent and how many entries (if any) are being returned.
>
> rob
>
> Thanks,
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From jdennis at redhat.com Thu Feb 11 15:45:04 2010
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Feb 2010 10:45:04 -0500
Subject: [Freeipa-users] Calling for translation help
Message-ID: <4B742600.7010109@redhat.com>

Are you multilingual? Would you like to contribute to the FreeIPA project by providing translations? If so we could use your help!

We just recently added FreeIPA to the Transifex.net translation portal. You can register yourself as a translator on Transifex.net, select a language of your choice and go to the FreeIPA project area in Transifex.net and provide translations for FreeIPA.

The FreeIPA project area is: https://www.transifex.net/projects/p/freeipa/c/master

We will include your translations in a future release and credit you for your contribution.

For more information about Transifex, how to sign up and how to contribute please start with the Transifex main page: https://www.transifex.net

Thank you for your help!

The FreeIPA team.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Thu Feb 18 19:07:54 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Feb 2010 14:07:54 -0500
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Alpha 2 Release
Message-ID: <4B7D900A.2090605@redhat.com>

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the Alpha 2 release of the long-awaited freeIPA 2.0 server [1].

This version of the server includes:

* Draft UI pages for all plugins that fit into a Create-Retrieve-Update-Delete model. After running the `ipa-server-install` script, point your browser to:

  https://yourhost.com/ipa/ui/

  Replacing `yourhost.com` with the fully-qualified domain name of your IPA server.

  Please take a moment to play with these pages. Please do not pay attention to style; rather focus attention on the work flow, layout and data being added, displayed or modified. We need to understand if the direction that this interface establishes is the right one. Should we continue with the proposed approach or do something else? What? Your opinion is very important to us! Please do not hesitate to share it with us on the mailing list: freeipa-users at redhat.com

* Optionally installable DNS server
* Optionally installable Certificate Authority to manage server certificates
* NIS compatibility plug-in
* Simplified migration of the users from IPA v1 or external LDAP server
* IPA client component to configure SSSD to integrate with IPA
* Integration with "certmonger" certificate tracking utility. The utility allows automatic provisioning, tracking and renewal of certificates on a member server.
* General improvements and enhancements across the whole project.

The freeIPA 2.0 server is capable of:

* Providing Kerberos authentication of users and hosts
* Managing different objects via extensible CLI and UI framework, including:
  * Managing user and host identities
  * Managing user and host groups
  * Managing kerberised services
  * Managing default kerberos policies
  * Defining host-based access control rules that will be enforced on the client side by the IPA back end for SSSD
  * Serving netgroups based on user and host objects stored in IPA
  * Serving sets of different automount maps to different clients
* Finer-grained management delegation
* Group-based password policies
* Provisioning of the certificates for services running on member servers.

The FreeIPA 2.0 client machines can be configured in the same way as the clients of freeIPA 1.2, following the installation instructions [2].

FreeIPA 2.0 client machines running Red Hat Enterprise Linux 5.4, Fedora 11 and 12 will be configured to take advantage of the SSSD client component. (Note that we currently only provide Fedora builds). For more information about SSSD, its features, how to build it and how to manually configure it, see the SSSD project page [3]. For Fedora 11 and 12 the SSSD component is available from the Fedora repository. For Red Hat Enterprise Linux 5.4 the SSSD can be downloaded and built from sources. To configure SSSD automatically, install the ipa-client package and use the ipa-client-install command. Use the "--help" command line argument to get the full list of options for the ipa-client-install command.

For more information about features delivered in this release, see documentation [4] on the freeIPA web site. For all other freeIPA-related documentation [5], see the freeIPA web site.

[1] http://www.freeipa.org/page/Downloads
[2] http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/
[3] https://fedorahosted.org/sssd/
[4] http://www.freeipa.org/page/IPAv2_development_status#Documentation
[5] http://www.freeipa.org/page/DocumentationPortal

From ryan at pet.ubc.ca Fri Feb 19 00:36:12 2010
From: ryan at pet.ubc.ca (Ryan Thomson)
Date: Thu, 18 Feb 2010 16:36:12 -0800
Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations?
In-Reply-To: <4B7D900A.2090605@redhat.com>
References: <4B7D900A.2090605@redhat.com>
Message-ID: <4B7DDCFC.4000901@pet.ubc.ca>

Hi,

First off, thanks to the freeIPA team for releasing the next iteration of v2! I eagerly follow this project despite my limited deployment goals. As such, I've already downloaded the source code and built it on my Fedora 12 PPC server (IBM p505) for testing.

The new web UI is definitely a move in the right direction! Good work. It's quite difficult to judge the workflow at this point though because there's a couple of problems I'm facing that seem like bugs or errors in my installation/configuration which prevent me from really starting to hammer data into the UI.

On both the Automount Maps and Automount Keys pages, I can't see any of the existing automount entries. An error is displayed above the table: "'cn' is required". I'm thinking this might be referring to the cn for the automount "location" being missing/not provided? Is there someone to provide it that I'm just obviously missing?

When I use the "ipa" command on the CLI, I can verify the existence of my entry:

# ipa automountkey-find
Location: default
Map: auto.home
  : ryan
  : -wsize=65536,rsize=65536,intr dnsname:/home/ryan
----------------------------
Number of entries returned 1
----------------------------

but browsing from the web UI, both the key and map tables appear empty. I can however create automount key and map entries through the web UI, and when I do so I can see the entry listed right after I create it, but once I navigate away from the map or key page and go back, it's gone, with the "'cn' is required" error in bold red again.

Looking in the httpd error logs, this is all I get when viewing the key or map pages:

ipa: INFO: Created connection context.ldap2
ipa: INFO: Destroyed connection context.ldap2
ipa: INFO: Created connection context.ldap2
ipa: DEBUG: raw: automountmap_find(u'', None)
ipa: INFO: automountmap_find(None, None, all=False, raw=False)
ipa: INFO: Destroyed connection context.ldap2

It seems like automountmap_find() maybe isn't specifying any automount "location" to find entries for, but I'm not entirely certain here. Is there somewhere I'm missing in the UI where I can specify the automount location I want to work with?

Next, on the "Services" page of the web UI, I see an error in bold red above the table which says "Request failed to /ipa/json". Checking my httpd error logs, I find the following error:

ipa: ERROR: jsonserver.__call__():
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 141, in __call__
    response = self.wsgi_execute(environ)
  File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 128, in wsgi_execute
    return self.marshal(result, error, _id)
  File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 244, in marshal
    return json.dumps(response, sort_keys=True, indent=4)
  File "/usr/lib/python2.6/json/__init__.py", line 237, in dumps
    **kw).encode(obj)
  File "/usr/lib/python2.6/json/encoder.py", line 367, in encode
    chunks = list(self.iterencode(o))
  File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode
    for chunk in self._iterencode_dict(o, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict
    for chunk in self._iterencode(value, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode
    for chunk in self._iterencode_dict(o, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict
    for chunk in self._iterencode(value, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 306, in _iterencode
    for chunk in self._iterencode_list(o, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 204, in _iterencode_list
    for chunk in self._iterencode(value, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode
    for chunk in self._iterencode_dict(o, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict
    for chunk in self._iterencode(value, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 306, in _iterencode
    for chunk in self._iterencode_list(o, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 204, in _iterencode_list
    for chunk in self._iterencode(value, markers):
  File "/usr/lib/python2.6/json/encoder.py", line 294, in _iterencode
    yield encoder(o)
UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: unexpected code byte

Unfortunately, I'm not entirely certain where to start investigating this problem as I don't possess any significant knowledge of python, JSON or UTF encoding! Let me know how I can help discover what is going on here and then I'll get to doing the more interesting testing of UI workflow, layout, etc.

--Ryan

From dpal at redhat.com Fri Feb 19 01:04:35 2010
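The traceback above ends in json.dumps() choking on byte 0x82 at position 1 of some string in the response. The example below is added here and is not FreeIPA code; it reproduces that failure class on a constructed service entry and shows the usual defensive fix of base64-tagging any attribute value that is not valid UTF-8 before encoding. That the offending bytes in Ryan's case come from a binary attribute such as a DER certificate is an assumption; the entry, DN and certificate prefix are constructed.

```python
"""Marshalling LDAP results that contain non-UTF-8 bytes to JSON.

Added example, not FreeIPA code. Python 2's json.dumps() decodes every
str as UTF-8 and raises UnicodeDecodeError on binary attribute values;
the naive_dump() below reproduces that on Python 3 by doing the decode
explicitly. safe_dump() shows a marshaller that keeps text as text and
wraps anything else as {"__base64__": ...}, with an inverse for clients.
"""
import base64
import json
from typing import Any, Dict, Optional

# Constructed service entry. The usercertificate value is a placeholder
# DER prefix (SEQUENCE, long-form length), so its second byte is 0x82,
# matching the position reported in the traceback.
SAMPLE_ENTRY: Dict[str, Any] = {
    "dn": "krbprincipalname=HTTP/host.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test",
    "krbprincipalname": [b"HTTP/host.example.test@EXAMPLE.TEST"],
    "usercertificate": [b"\x30\x82\x03\x10\x30\x82\x01\xf8"],  # placeholder DER bytes
}


def naive_dump(entry: Dict[str, Any]) -> str:
    """What the failing code path amounts to: treat every value as UTF-8 text."""
    plain = {
        k: [v.decode("utf-8") for v in vals] if isinstance(vals, list) else vals
        for k, vals in entry.items()
    }
    return json.dumps(plain, sort_keys=True, indent=4)


def naive_dump_error_position(entry: Dict[str, Any]) -> Optional[int]:
    """Byte offset of the first undecodable byte, or None if the dump succeeds."""
    try:
        naive_dump(entry)
        return None
    except UnicodeDecodeError as exc:
        return exc.start


def marshal_value(value: Any) -> Any:
    """Text stays text; bytes that are not valid UTF-8 become a tagged base64 object."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError:
            return {"__base64__": base64.b64encode(value).decode("ascii")}
    if isinstance(value, list):
        return [marshal_value(v) for v in value]
    if isinstance(value, dict):
        return {k: marshal_value(v) for k, v in value.items()}
    return value


def safe_dump(entry: Dict[str, Any]) -> str:
    """The hardened counterpart of naive_dump()."""
    return json.dumps(marshal_value(entry), sort_keys=True, indent=4)


def unmarshal_value(value: Any) -> Any:
    """Inverse of marshal_value(): restore tagged base64 objects to bytes."""
    if isinstance(value, dict):
        if set(value) == {"__base64__"}:
            return base64.b64decode(value["__base64__"])
        return {k: unmarshal_value(v) for k, v in value.items()}
    if isinstance(value, list):
        return [unmarshal_value(v) for v in value]
    return value


def roundtrip(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Encode with safe_dump(), decode again, and hand back the raw values."""
    return unmarshal_value(json.loads(safe_dump(entry)))


if __name__ == "__main__":
    print("naive dump fails at byte position:", naive_dump_error_position(SAMPLE_ENTRY))
    print(safe_dump(SAMPLE_ENTRY))
```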
From: dpal at redhat.com (Dmitri Pal) Date: Thu, 18 Feb 2010 20:04:35 -0500 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? In-Reply-To: <4B7DDCFC.4000901@pet.ubc.ca> References: <4B7D900A.2090605@redhat.com> <4B7DDCFC.4000901@pet.ubc.ca> Message-ID: <4B7DE3A3.9030904@redhat.com> Ryan Thomson wrote: > Hi, > > First off, thanks to the freeIPA team for releasing the next iteration > of v2! I eagerly follow this project despite my limited deployment > goals. As such, I've already downloaded the source code and built it > on my Fedora 12 PPC server (IBM p505) for testing. > > The new web UI is definitely a move in the right direction! Good work. > It's quite difficult to judge the workflow at this point though > because there's a couple problems I'm facing that seem like bugs or > errors in my installation/configuration which prevent me from really > starting to hammer data into the UI. > > On both the Automount Maps and Automount Keys pages, I can't see any > of the existing automount entries. An error is displayed above the > table: "'cn' is required". I'm thinking this might be referring to the > cn for the automount "location" being missing/not provided? Is there > someone to provide it that I'm just obviously missing? > > When I use the "ipa" command on the CLI, I can verify the existence of > my entry: > > # ipa automountkey-find > Location: default > Map: auto.home > : ryan > : -wsize=65536,rsize=65536,intr dnsname:/home/ryan > ---------------------------- > Number of entries returned 1 > ---------------------------- > > but browsing from the web UI, both the key and map tables appear > empty. I can however create automount key and map entries through the > web UI and when I do so, I can see the entry listed right after I > create it but once I navigate away from the map or key page and go > back, it's gone with the "'cn' is required' error in bold red again. 
> Looking in the httpd error logs, this is all I get when viewing the > key or map pages: > > ipa: INFO: Created connection context.ldap2 > ipa: INFO: Destroyed connection context.ldap2 > ipa: INFO: Created connection context.ldap2 > ipa: DEBUG: raw: automountmap_find(u'', None) > ipa: INFO: automountmap_find(None, None, all=False, raw=False) > ipa: INFO: Destroyed connection context.ldap2 > > It seems like automountmap_find() maybe isn't specifying any automount > "location" for where to find entries for but I'm not entirely certain > here. Is there somewhere I'm missing in the UI where I can specify > automount location I want to work with? > > Next, on the "Services" page of the web UI, I see an error in bold red > above the table which says "Request failed to /ipa/json". Checking my > httpd error logs, I find the following error: > > ipa: ERROR: jsonserver.__call__(): > Traceback (most recent call last): > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 141, in __call__ > response = self.wsgi_execute(environ) > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 128, in wsgi_execute > return self.marshal(result, error, _id) > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 244, in marshal > return json.dumps(response, sort_keys=True, indent=4) > File "/usr/lib/python2.6/json/__init__.py", line 237, in dumps > **kw).encode(obj) > File "/usr/lib/python2.6/json/encoder.py", line 367, in encode > chunks = list(self.iterencode(o)) > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict > for chunk in self._iterencode(value, 
markers): > File "/usr/lib/python2.6/json/encoder.py", line 306, in _iterencode > for chunk in self._iterencode_list(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 204, in _iterencode_list > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 306, in _iterencode > for chunk in self._iterencode_list(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 204, in _iterencode_list > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 294, in _iterencode > yield encoder(o) > UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: > unexpected code byte > > Unfortunately, I'm not entirely certain where to start investigating > this problem as I don't possess any significant knowledge of python, > JSON or UTF encoding! > > Let me know how I can help discover what is going on here and then > I'll get to doing the more interesting testing of UI workflow, layout, > etc. > Unfortunately this might be one of many cases where the UI just does not work yet. There are some patches pending but we decided not to apply them since they are big and could cause side effects. The UI that you see is more a declaration of the direction of the UI rather than working functionality. It has a lot of glitches that we will be cleaning up in the upcoming month leading to Beta. I guess the main goal at the moment is answering questions like: a) Is the whole "list-select-do" model, like it was in the old dialog boxes, the right model? b) Do the buttons make sense? Does their meaning make sense? c) Should we pre-fill the lists automatically (like it is done now) or require a search first? 
d) Is it OK to switch back and forth between the list view and item view, or should we combine them in some way? And many more... Ideas and comments are always welcome! Thank you for looking into this. Sorry if we did not meet your expectations. Thank you, Dmitri From ryan at pet.ubc.ca Fri Feb 19 02:28:38 2010
From: ryan at pet.ubc.ca (Ryan Thomson) Date: Thu, 18 Feb 2010 18:28:38 -0800 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? In-Reply-To: <4B7DE3A3.9030904@redhat.com> References: <4B7D900A.2090605@redhat.com> <4B7DDCFC.4000901@pet.ubc.ca> <4B7DE3A3.9030904@redhat.com> Message-ID: > Unfortunately this might be one of many cases where the UI just does not > work yet. > There are some patches pending but we decided not to apply them since > they are big and could cause side effects. > The UI that you see is more a declaration of the direction of the UI > rather than working functionality. > It has a lot of glitches that we will be cleaning up in the upcoming month > leading to Beta. Thanks for the information. Good to know I'm not just doing something obviously wrong right now. Should I be filing bug reports for these kinds of issues at this time, or wait until further releases when some of the pending patches have been applied? > I guess the main goal at the moment is answering questions like: > a) Is the whole "list-select-do" model, like it was in the old dialog > boxes, the right model? > b) Do the buttons make sense? Does their meaning make sense? > c) Should we pre-fill the lists automatically (like it is done now) or > require a search first? I much prefer listing items automatically, but I could see this being problematic in huge installations if there is no "paging" functionality when you reach over X number of records. > d) Is it OK to switch back and forth between the list view and item view, > or should we combine them in some way? > And many more... > > Ideas and comments are always welcome! > Thank you for looking into this. Sorry if we did not meet your expectations. I'll spend more time with the UI tomorrow and see if I can get a feel for the other questions you're looking for feedback on. --Ryan From rcritten at redhat.com Fri Feb 19 04:04:42 2010
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 18 Feb 2010 23:04:42 -0500 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? In-Reply-To: <4B7DDCFC.4000901@pet.ubc.ca> References: <4B7D900A.2090605@redhat.com> <4B7DDCFC.4000901@pet.ubc.ca> Message-ID: <4B7E0DDA.4020301@redhat.com> Ryan Thomson wrote: > Hi, > > First off, thanks to the freeIPA team for releasing the next iteration > of v2! I eagerly follow this project despite my limited deployment > goals. As such, I've already downloaded the source code and built it on > my Fedora 12 PPC server (IBM p505) for testing. Wow, nice! > The new web UI is definitely a move in the right direction! Good work. > It's quite difficult to judge the workflow at this point though because > there's a couple problems I'm facing that seem like bugs or errors in my > installation/configuration which prevent me from really starting to > hammer data into the UI. > > On both the Automount Maps and Automount Keys pages, I can't see any of > the existing automount entries. An error is displayed above the table: > "'cn' is required". I'm thinking this might be referring to the cn for > the automount "location" being missing/not provided? Is there someone to > provide it that I'm just obviously missing? > > When I use the "ipa" command on the CLI, I can verify the existence of > my entry: > > # ipa automountkey-find > Location: default > Map: auto.home > : ryan > : -wsize=65536,rsize=65536,intr dnsname:/home/ryan > ---------------------------- > Number of entries returned 1 > ---------------------------- > > but browsing from the web UI, both the key and map tables appear empty. > I can however create automount key and map entries through the web UI > and when I do so, I can see the entry listed right after I create it but > once I navigate away from the map or key page and go back, it's gone > with the "'cn' is required' error in bold red again. 
Looking in the > httpd error logs, this is all I get when viewing the key or map pages: > > ipa: INFO: Created connection context.ldap2 > ipa: INFO: Destroyed connection context.ldap2 > ipa: INFO: Created connection context.ldap2 > ipa: DEBUG: raw: automountmap_find(u'', None) > ipa: INFO: automountmap_find(None, None, all=False, raw=False) > ipa: INFO: Destroyed connection context.ldap2 > > It seems like automountmap_find() maybe isn't specifying any automount > "location" for where to find entries for but I'm not entirely certain > here. Is there somewhere I'm missing in the UI where I can specify > automount location I want to work with? Yes, I think you're on the right path. We may need to add some additional meta-data to help the UI know what to do. The command-line has another option, automountlocation-tofiles, which should spit out the maps as they would appear in discrete files if you weren't storing the data in LDAP. I use this to help check my work but I'm not sure it's all that useful otherwise. Does this seem like something you might use? > Next, on the "Services" page of the web UI, I see an error in bold red > above the table which says "Request failed to /ipa/json". 
Checking my > httpd error logs, I find the following error: > > ipa: ERROR: jsonserver.__call__(): > Traceback (most recent call last): > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 141, in __call__ > response = self.wsgi_execute(environ) > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 128, in wsgi_execute > return self.marshal(result, error, _id) > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 244, in marshal > return json.dumps(response, sort_keys=True, indent=4) > File "/usr/lib/python2.6/json/__init__.py", line 237, in dumps > **kw).encode(obj) > File "/usr/lib/python2.6/json/encoder.py", line 367, in encode > chunks = list(self.iterencode(o)) > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 306, in _iterencode > for chunk in self._iterencode_list(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 204, in _iterencode_list > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in _iterencode_dict > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 306, in _iterencode > for chunk in self._iterencode_list(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 204, in _iterencode_list > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", 
line 294, in _iterencode > yield encoder(o) > UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: > unexpected code byte > > Unfortunately, I'm not entirely certain where to start investigating > this problem as I don't possess any significant knowledge of python, JSON > or UTF encoding! It is probably choking on displaying the SSL certificate stored within the service. We have some special handling for this on the command-line (we base64-encode it), I guess we need something similar in the UI. > Let me know how I can help discover what is going on here and then I'll > get to doing the more interesting testing of UI workflow, layout, etc. You've done most of the legwork already on the automount problem, I think enough for us to figure out the problem. I recognize the encoding problem from running into it on the cli so fixing it should be relatively straightforward (famous last words). Thanks for the bug reports! cheers rob From jderose at redhat.com Fri Feb 19 11:39:57 2010
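Rob's diagnosis above (the JSON marshaller choking on a raw certificate value) in code. This is an added illustration written for this page, not FreeIPA's rpcserver.py: the service entry, the DER-like byte string and the "__base64__" tag are all constructed for the example. Python 3 reports the same problem as a TypeError rather than Python 2.6's UnicodeDecodeError, but the fix is the same one Rob describes for the command line: walk the result before json.dumps() and base64-encode every bytes value, so binary LDAP attributes such as usercertificate never reach the encoder raw.

```python
import base64
import json

# Constructed sample standing in for a DER-encoded userCertificate value.
# The second byte, 0x82, is not a valid UTF-8 start byte; that is the byte
# the traceback in the thread trips over.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x01])

# Constructed sample service entry, shaped like an LDAP search result:
# every attribute is a list of values, and the certificate is raw bytes.
SAMPLE_SERVICE = {
    "krbprincipalname": ["HTTP/ipa.example.com@EXAMPLE.COM"],
    "usercertificate": [SAMPLE_DER],
}


def naive_marshal_fails(result):
    """json.dumps() on a result that still contains raw bytes.
    Python 3 raises TypeError here (Python 2 raised UnicodeDecodeError)."""
    try:
        json.dumps(result, sort_keys=True, indent=4)
    except TypeError:
        return True
    return False


def marshal_value(value):
    """Recursively convert an RPC result into JSON-serialisable objects.
    bytes values are base64-encoded and wrapped in a one-key dict so the
    client can tell them apart from ordinary strings. The "__base64__"
    tag is this example's own convention."""
    if isinstance(value, (bytes, bytearray)):
        return {"__base64__": base64.b64encode(bytes(value)).decode("ascii")}
    if isinstance(value, dict):
        return {str(k): marshal_value(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [marshal_value(v) for v in value]
    return value


def unmarshal_value(value):
    """Inverse of marshal_value(): turn tagged dicts back into bytes."""
    if isinstance(value, dict):
        if set(value) == {"__base64__"}:
            return base64.b64decode(value["__base64__"])
        return {k: unmarshal_value(v) for k, v in value.items()}
    if isinstance(value, list):
        return [unmarshal_value(v) for v in value]
    return value


def marshal_response(result, error=None, rpc_id=None):
    """Build the JSON-RPC style response text the server would send."""
    response = {"result": marshal_value(result), "error": error, "id": rpc_id}
    return json.dumps(response, sort_keys=True, indent=4)


def roundtrip(result):
    """Marshal, parse the JSON text as a client would, and unmarshal again."""
    parsed = json.loads(marshal_response(result, rpc_id=1))
    return unmarshal_value(parsed["result"])


if __name__ == "__main__":
    print("naive json.dumps fails:", naive_marshal_fails(SAMPLE_SERVICE))
    print(marshal_response(SAMPLE_SERVICE, rpc_id=1))
    print("round trip intact:", roundtrip(SAMPLE_SERVICE) == SAMPLE_SERVICE)
```

The tagging matters as much as the encoding: a bare base64 string is indistinguishable from a real attribute value that happens to look like base64, so the wrapper dict is what lets the client restore the exact bytes it was sent.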
From: jderose at redhat.com (Jason Gerard DeRose) Date: Fri, 19 Feb 2010 04:39:57 -0700 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? In-Reply-To: <4B7DDCFC.4000901@pet.ubc.ca> References: <4B7D900A.2090605@redhat.com> <4B7DDCFC.4000901@pet.ubc.ca> Message-ID: <1266579597.26979.6.camel@jgd-dsk> On Thu, 2010-02-18 at 16:36 -0800, Ryan Thomson wrote: > Hi, > > First off, thanks to the freeIPA team for releasing the next iteration > of v2! I eagerly follow this project despite my limited deployment > goals. As such, I've already downloaded the source code and built it > on my Fedora 12 PPC server (IBM p505) for testing. > > The new web UI is definitely a move in the right direction! Good work. > It's quite difficult to judge the workflow at this point though > because there's a couple problems I'm facing that seem like bugs or > errors in my installation/configuration which prevent me from really > starting to hammer data into the UI. Thanks so much for taking time to test the alpha and give us feedback! Yes, the UI has some rough spots, but I have patches in the works that should bring a lot more polish in the next week. Feel free to ping me (jderose) on #freeipa if you have any suggestions. > On both the Automount Maps and Automount Keys pages, I can't see any > of the existing automount entries. An error is displayed above the > table: "'cn' is required". I'm thinking this might be referring to the > cn for the automount "location" being missing/not provided? Is there > someone to provide it that I'm just obviously missing? > > When I use the "ipa" command on the CLI, I can verify the existence of > my entry: > > # ipa automountkey-find > Location: default > Map: auto.home > : ryan > : -wsize=65536,rsize=65536,intr > dnsname:/home/ryan > ---------------------------- > Number of entries returned 1 > ---------------------------- > > but browsing from the web UI, both the key and map tables appear > empty. 
I can however create automount key and map entries through the > web UI and when I do so, I can see the entry listed right after I > create it but once I navigate away from the map or key page and go > back, it's gone with the "'cn' is required' error in bold red again. > Looking in the httpd error logs, this is all I get when viewing the > key or map pages: I'll figure out what's going on here... I can't think of what automountkey-find would be returning that isn't UTF-8 encode-able, but this should be a fairly quick fix. Thanks for pointing this out. > ipa: INFO: Created connection context.ldap2 > ipa: INFO: Destroyed connection context.ldap2 > ipa: INFO: Created connection context.ldap2 > ipa: DEBUG: raw: automountmap_find(u'', None) > ipa: INFO: automountmap_find(None, None, all=False, raw=False) > ipa: INFO: Destroyed connection context.ldap2 > > It seems like automountmap_find() maybe isn't specifying any automount > "location" for where to find entries for but I'm not entirely certain > here. Is there somewhere I'm missing in the UI where I can specify > automount location I want to work with? > > Next, on the "Services" page of the web UI, I see an error in bold red > above the table which says "Request failed to /ipa/json". 
Checking my > httpd error logs, I find the following error: > > ipa: ERROR: jsonserver.__call__(): > Traceback (most recent call last): > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 141, in __call__ > response = self.wsgi_execute(environ) > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 128, in wsgi_execute > return self.marshal(result, error, _id) > File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line > 244, in marshal > return json.dumps(response, sort_keys=True, indent=4) > File "/usr/lib/python2.6/json/__init__.py", line 237, in dumps > **kw).encode(obj) > File "/usr/lib/python2.6/json/encoder.py", line 367, in encode > chunks = list(self.iterencode(o)) > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in > _iterencode_dict > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in > _iterencode_dict > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 306, in _iterencode > for chunk in self._iterencode_list(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 204, in > _iterencode_list > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 309, in _iterencode > for chunk in self._iterencode_dict(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 275, in > _iterencode_dict > for chunk in self._iterencode(value, markers): > File "/usr/lib/python2.6/json/encoder.py", line 306, in _iterencode > for chunk in self._iterencode_list(o, markers): > File "/usr/lib/python2.6/json/encoder.py", line 204, in > _iterencode_list > for chunk in self._iterencode(value, markers): > File 
"/usr/lib/python2.6/json/encoder.py", line 294, in _iterencode > yield encoder(o) > UnicodeDecodeError: 'utf8' codec can't decode byte 0x82 in position 1: > unexpected code byte > > Unfortunately, I'm not entirely certain where to start investigating > this problem as I don't posses any significant knowledge of python, > JSON or UTF encoding! > > Let me know how I can help discover what is going on here and then > I'll get to doing the more interesting testing of UI workflow, layout, > etc. > > --Ryan > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From dpal at redhat.com Fri Feb 19 15:56:24 2010 
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 19 Feb 2010 10:56:24 -0500 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? In-Reply-To: References: <4B7D900A.2090605@redhat.com> <4B7DDCFC.4000901@pet.ubc.ca> <4B7DE3A3.9030904@redhat.com> Message-ID: <4B7EB4A8.9080206@redhat.com> Ryan Thomson wrote: >> Unfortunately this might be one of many cases where the UI just does not >> work yet. >> There are some patches pending but we decided not to apply them since >> they are big and could cause side effects. >> The UI that you see is more a declaration of the direction of the UI >> rather than working functionality. >> It has a lot of glitches that we will be cleaning up in the upcoming month >> leading to Beta. >> > > Thanks for the information. Good to know I'm not just doing something obviously wrong right now. > > Should I be filing bug reports for these kinds of issues at this time, or wait until further releases when some of the pending patches have been applied? > > >> I guess the main goal at the moment is answering questions like: >> a) Is the whole "list-select-do" model, like it was in the old dialog >> boxes, the right model? >> b) Do the buttons make sense? Does their meaning make sense? >> c) Should we pre-fill the lists automatically (like it is done now) or >> require a search first? >> > > I much prefer listing items automatically, but I could see this being problematic in huge installations if there is no "paging" functionality when you reach over X number of records. > > >> d) Is it OK to switch back and forth between the list view and item view, >> or should we combine them in some way? >> And many more... >> >> Ideas and comments are always welcome! >> Thank you for looking into this. Sorry if we did not meet your expectations. >> > > I'll spend more time with the UI tomorrow and see if I can get a feel for the other questions you're looking for feedback on. 
> > --Ryan If you can summarize your thoughts about the UI in a bulleted list and just send it out, that would be better. Filing bugs for every single issue might be an overhead at the moment. Thank you again for your help and interest. Dmitri -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ryan at pet.ubc.ca Fri Feb 19 22:50:23 2010
From: ryan at pet.ubc.ca (Ryan Thomson) Date: Fri, 19 Feb 2010 14:50:23 -0800 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? In-Reply-To: <4B7EB4A8.9080206@redhat.com> References: <4B7D900A.2090605@redhat.com> <4B7DDCFC.4000901@pet.ubc.ca> <4B7DE3A3.9030904@redhat.com> <4B7EB4A8.9080206@redhat.com> Message-ID: <4B7F15AF.2050207@pet.ubc.ca> > If you can summarize your thoughts about the UI in a bulleted list and > just send it out, that would be better. Ok, here goes: * The context-sensitive search is great and intuitive, but it may also be useful to have a global search that can return results from more than one context. Say I want to find all records that relate to "ryan": I could perform a global search on this term and get results from user accounts, automounts, groups, HBACs, etc. all on the same page. Right now, I'd have to search for "ryan" several times on several pages, making note of search results from each page to keep track of all of it. * The button labels are logical to me, but perhaps "View" or "Show" are better labels for the current "Retrieve" button, although this is entirely minor and it is certainly not a problem to understand the functionality of the button as-is. Consider this mostly irrelevant. * I like the double-click to "Retrieve" functionality. It's minor but helps reduce the amount of mouse movement necessary to view a record in detail and makes the UI more desktop-like. * When viewing a record, the "Close" button is on the far right and the "Update" and "Delete" buttons are on the left. I like how that keeps the action buttons separate from the non-action buttons. However, in the "Update" page, the "Cancel" button is on the left and the "Update" button is on the right. It's just a minor layout thing, but keeping the action and non-action buttons on the same side for every page would be more consistent. I found my mouse going to the wrong side sometimes as a result of this, depending on whether I was viewing or updating data. 
* Sorting by column is a good must-have feature for when looking at a lot of records. Can we expect this functionality to be extended to all columns that will eventually be displayed? It appears right now that more columns will be used in the future to display more information about each record without having to "retrieve" it, and thus extending the column sorting to all columns would be useful. * I don't mind the switching between list and view modes as it currently is, but it could potentially be faster to navigate the records by having both list and view visible at the same time. You could just perform a single click on the list to update the view with whatever record was clicked on. I don't know if this would make the best use of screen real-estate or not and I don't really have a strong opinion on it either way right now. * If the separate list/view model is maintained, all the empty white space currently on the view/update pages could be used to display context-sensitive help and detailed descriptions of each field. This would not only help administrators determine the correct fields in which to enter the necessary details, but also provide information on the expected format of the input or even a list of valid inputs for fields where the input is only going to be one of several possible values. Right now, I'm finding myself having to look up the Administration guide a bunch to remember exactly what each field represents and what to enter into that field to produce my desired end result. Of course, some fields are obvious simply by their label, but not all of them currently are. I applaud the overall effort thus far, but I fear I'm the wrong person to be asking for HCI/UI feedback, so hopefully more people are sending their ideas, suggestions and feedback as well! > Thank you again for your help and interest. No problem ;) --Ryan From dpal at redhat.com Fri Feb 19 23:04:44 2010
From: dpal at redhat.com (Dmitri Pal) Date: Fri, 19 Feb 2010 18:04:44 -0500 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? In-Reply-To: <4B7F15AF.2050207@pet.ubc.ca> References: <4B7D900A.2090605@redhat.com> <4B7DDCFC.4000901@pet.ubc.ca> <4B7DE3A3.9030904@redhat.com> <4B7EB4A8.9080206@redhat.com> <4B7F15AF.2050207@pet.ubc.ca> Message-ID: <4B7F190C.4060806@redhat.com> Ryan Thomson wrote: >> If you can summarize your thoughts about the UI in a bulleted list and >> just send it out, that would be better. > > Ok, here goes: > > * The context-sensitive search is great and intuitive, but it may also > be useful to have a global search that can return results from more > than one context. Say I want to find all records that relate to > "ryan": I could perform a global search on this term and get results > from user accounts, automounts, groups, HBACs, etc. all on the same > page. Right now, I'd have to search for "ryan" several times on several > pages, making note of search results from each page to keep track of > all of it. > > * The button labels are logical to me, but perhaps "View" or "Show" are > better labels for the current "Retrieve" button, although this is > entirely minor and it is certainly not a problem to understand the > functionality of the button as-is. Consider this mostly irrelevant. > > * I like the double-click to "Retrieve" functionality. It's minor but > helps reduce the amount of mouse movement necessary to view a record > in detail and makes the UI more desktop-like. > > * When viewing a record, the "Close" button is on the far right and > the "Update" and "Delete" buttons are on the left. I like how that > keeps the action buttons separate from the non-action buttons. > However, in the "Update" page, the "Cancel" button is on the left and > the "Update" button is on the right. It's just a minor layout thing, > but keeping the action and non-action buttons on the same side for > every page would be more consistent. 
I found my mouse going to the > wrong side sometimes as a result of this, depending on whether I was > viewing or updating data. > > * Sorting by column is a good must-have feature for when looking at a > lot of records. Can we expect this functionality to be extended to all > columns that will eventually be displayed? It appears right now that > more columns will be used in the future to display more information > about each record without having to "retrieve" it, and thus extending > the column sorting to all columns would be useful. > > * I don't mind the switching between list and view modes as it > currently is, but it could potentially be faster to navigate the records > by having both list and view visible at the same time. You could just > perform a single click on the list to update the view with whatever > record was clicked on. I don't know if this would make the best use of > screen real-estate or not and I don't really have a strong opinion on > it either way right now. > > * If the separate list/view model is maintained, all the empty > white space currently on the view/update pages could be used to > display context-sensitive help and detailed descriptions of each > field. This would not only help administrators determine the correct > fields in which to enter the necessary details, but also provide > information on the expected format of the input or even a list of > valid inputs for fields where the input is only going to be one of > several possible values. Right now, I'm finding myself having to look > up the Administration guide a bunch to remember exactly what each > field represents and what to enter into that field to produce my > desired end result. Of course, some fields are obvious simply by their > label, but not all of them currently are. > > I applaud the overall effort thus far, but I fear I'm the wrong person > to be asking for HCI/UI feedback, so hopefully more people are sending > their ideas, suggestions and feedback as well! 
> >> Thank you again for your help and interest. > > No problem ;) > > --Ryan This is great feedback! Thank you for your time! -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From david at adurotec.com Sun Feb 21 01:31:33 2010 From: david at adurotec.com (David Christensen) Date: Sat, 20 Feb 2010 19:31:33 -0600 Subject: [Freeipa-users] MultiHomed Server SSH login issue Message-ID: <4B808CF5.2060303@adurotec.com> I have my ipa 1.2.2 setup in an environment where my servers have two NICs, each in a different VLAN. With the multi-NIC setup I have two different DNS names for a single host to control which interface is used when accessing the host, e.g. host.example.com and host.priv.example.com. The hostname of the server is set to host.example.com. I first configured the ipa-client on the host with the host.example.com service principal and all is well; I can login via ssh and authentication occurs via kerberos. I then set up another service principal with the host.priv.example.com name and downloaded the keytab to the target server. However, when I try to login via ssh I am prompted for a password. Turning on verbose output for ssh and upping the syslog to debug, I came across this: Error code krb5 144, which I discovered means "wrong principal in request." Is what I am trying to do possible, having more than one host/ssh service principal for a single host that is multihomed? If so, what is causing error code 144 when I can see in my local klist that the ticket for host.priv.example.com is present? Thanks. -- David From steven at whately.me Sun Feb 21 09:57:47 2010
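A check for the keytab side of David's question, as an added Python example written for this page (not an IPA tool, and not a diagnosis the thread itself reaches). Each entry in a krb5 keytab records a principal, a key version number (kvno), an enctype and the key; when sshd's GSSAPI acceptor rejects a ticket as being for the wrong principal, the first thing to confirm is that /etc/krb5.keytab actually holds a host/<name>@REALM key for every DNS name clients may connect to, here both host.example.com and host.priv.example.com. `klist -k /etc/krb5.keytab` shows the same list; the parser below reads the MIT keytab file format (version 0x0502) directly so it can be run offline against a copy. The realm EXAMPLE.COM, the enctype numbers, the zeroed keys and the one-principal sample keytab are all constructed for the example; a keytab that ended up like the sample is what sshd would see if the second download had replaced the file rather than adding to it, which is an assumption, not something David's message establishes.

```python
import struct

KEYTAB_V2 = b"\x05\x02"   # MIT keytab file format version 0x0502, big-endian


def _counted(data, pos):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse a version-2 keytab and return (principal, kvno, enctype) tuples
    in file order. Negative entry sizes are holes left by deleted entries."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen                 # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno written by newer tools
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def build_keytab(entries):
    """Write a version-2 keytab from (principal, kvno, enctype, key) tuples.
    Used here only to construct sample input; on a real host you would read
    /etc/krb5.keytab instead."""
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # full 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def missing_host_principals(keytab, hostnames, realm):
    """Return the DNS names for which no host/<name>@REALM key is present.
    An acceptor asked for host/<name> needs exactly that key."""
    present = {principal for principal, _, _ in parse_keytab(keytab)}
    return [h for h in hostnames if "host/%s@%s" % (h, realm) not in present]


# Constructed sample: only the primary name's key is present (an assumed
# state of the multihomed host, not one the thread establishes).
SAMPLE_KEYTAB = build_keytab([
    ("host/host.example.com@EXAMPLE.COM", 2, 18, bytes(32)),   # 18 = aes256-cts-hmac-sha1-96
])

if __name__ == "__main__":
    names = ["host.example.com", "host.priv.example.com"]
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno=%d enctype=%d" % entry)
    print("missing:", missing_host_principals(SAMPLE_KEYTAB, names, "EXAMPLE.COM"))
```

Run against a copy of the real file, `missing_host_principals(open("/etc/krb5.keytab", "rb").read(), names, realm)` gives the list of names the acceptor cannot serve; an empty list moves the investigation on to kvno mismatches between the keytab and the KDC, which the parser also exposes.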
From: steven at whately.me (Steven Whately) Date: Sun, 21 Feb 2010 20:27:47 +1030 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? Message-ID: <4B81039B.8040304@whately.me> On Fedora 12, I un-installed 1.2 and then installed 1.9. My clients could not log in. The server was logging the following message: sssd_be: GSSAPI Error: The referenced context has expired (Unknown error) Not being able to resolve the message I ran: ipa-client-install --uninstall ipa-client-install --no-sssd With this second command I got: Joining realm failed: Host is already joined. Then I noticed that files like nsswitch.conf had not been updated. So I ran: ipa host-del ClientHostname ipa-client-install --no-sssd Thankfully this time nsswitch.conf got updated and I now have a working system. It would be nice if ipa-client-install still updated the client files even if the client had been previously added. I am very happy that I can now see what's going on with this important product. I did not want to miss out on what the freeipa team was working on. Regards Steve From rcritten at redhat.com Mon Feb 22 15:43:12 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Feb 2010 10:43:12 -0500 Subject: [Freeipa-users] Alpha 2 Bugs or Misconfigurations? In-Reply-To: <4B81039B.8040304@whately.me> References: <4B81039B.8040304@whately.me> Message-ID: <4B82A610.8020406@redhat.com> Steven Whately wrote: > On Fedora 12, I un-installed 1.2 and then installed 1.9. > > My clients could not log in. The server was logging the following message: > sssd_be: GSSAPI Error: The referenced context has expired (Unknown error) Hmm, is the time on the client close to the time on the IPA server? (within 5 min) > Not being able to resolve the message I ran: > ipa-client-install --uninstall > ipa-client-install --no-sssd > > With this second command I got: > Joining realm failed: Host is already joined. > Then I noticed that files like nsswitch.conf had not been updated. > > So I ran: > ipa host-del ClientHostname > ipa-client-install --no-sssd Yeah, the second time the installation was aborted, hence no nsswitch.conf updating. I guess we could make that clearer. The reason for this is because a lot is stored on the server when you join a client. Re-enrollment requires a new keytab to be generated and new server certificate issued. Currently the uninstaller doesn't remove the host (we'd have to require admin privs to run the uninstaller which seemed a bit draconian). > Thankfully this time nsswitch.conf got updated and I now have a working > system. > It would be nice if ipa-client-install still updated the client files > even if the client had been previously added. Well, in the sssd case you'd probably still be left in a bogus state. If using nss_ldap then we might be able to do this but the client machine would be in an iffy state which would likely cause problems later on (like sshd not working). > I very happy that I can now see what's going on with this important > product. > I did not want to miss out on what the freeipa team was working on. > > Regards > Steve Thanks for looking at it. 
I'm totally open to suggestions if there is a more graceful way to handle client enrollment/unenrollment/re-enrollment. cheers rob From rcritten at redhat.com Mon Feb 22 15:48:54 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 22 Feb 2010 10:48:54 -0500 Subject: [Freeipa-users] MultiHomed Server SSH login issue In-Reply-To: <4B808CF5.2060303@adurotec.com> References: <4B808CF5.2060303@adurotec.com> Message-ID: <4B82A766.7000901@redhat.com> David Christensen wrote: > I have my ipa 1.2.2 setup in an environment where my servers have two > NICs each in a different VLAN. > > With the multi NIC setup I have two different DNS names for a single > host to control which interface is used when accessing the host e.g. > host.example.com and host.priv.example.com. The hostname of the server > is set to host.example.com. > > I first configured the ipa-client on the host with the host.example.com > service principal and all is well; I can login via ssh and > authentication occurs via kerberos. I then setup another service > principal with the host.priv.example.com and downloaded the keytab to > the target server. However when I try to login via ssh I am prompted > for a password. > > Turning on verbose output for ssh and upping the syslog to debug, I came > across this: Error code krb5 144 which I discovered means "wrong > principal in request." > > Is what I am trying to do possible, having more than one host/ssh service > principal for a single host that is multihomed? > > If so what is causing the error code 144 when I can see that in my local > klist the ticket for the host.priv.example.com is present? How did you add the new host principal to /etc/krb5.conf? Can you run: klist -kt /etc/krb5.keytab? I suspect you overwrote the host principal for host.example.com. rob From nalin at redhat.com Mon Feb 22 17:56:14 2010 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Mon, 22 Feb 2010 12:56:14 -0500 Subject: [Freeipa-users] MultiHomed Server SSH login issue In-Reply-To: <4B808CF5.2060303@adurotec.com> References: <4B808CF5.2060303@adurotec.com> Message-ID: <20100222175614.GC16206@redhat.com> On Sat, Feb 20, 2010 at 07:31:33PM -0600, David Christensen wrote: > I have my ipa 1.2.2 setup in an environment where my servers have two > NICs each in a different VLAN. > > With the multi NIC setup I have two different DNS names for a single > host to control which interface is used when accessing the host e.g. > host.example.com and host.priv.example.com. The hostname of the server > is set to host.example.com. > > I first configured the ipa-client on the host with the host.example.com > service principal and all is well; I can login via ssh and > authentication occurs via kerberos. I then setup another service > principal with the host.priv.example.com and downloaded the keytab to > the target server. However when I try to login via ssh I am prompted > for a password. > > Turning on verbose output for ssh and upping the syslog to debug, I came > across this: Error code krb5 144 which I discovered means "wrong > principal in request." > > Is what I am trying to do possible, having more than one host/ssh service > principal for a single host that is multihomed? > > If so what is causing the error code 144 when I can see that in my local > klist the ticket for the host.priv.example.com is present? In order for authentication to succeed, the client and server need to agree on what the server's principal name is. Based on your tests, it looks as though the client is happy to think the server's name is "host/host.priv.example.com", but the server continues to assume its name is more or less host@`hostname`, which in this case works out to "host/host.example.com". 
At the API level, if an application avoids specifying its service name when accepting authentication, it'll be able to accept authentication to any name for which it has a key in its keytab, which is what I think you want to have happen here. The big caveat is that each application (if it even supports this) has to be configured differently. In the case of sshd, I'd suggest setting GSSAPIStrictAcceptorCheck no in /etc/ssh/sshd_config and seeing if that makes things work. HTH, Nalin From david at adurotec.com Mon Feb 22 20:26:07 2010 
From: david at adurotec.com (David Christensen) Date: Mon, 22 Feb 2010 14:26:07 -0600 Subject: [Freeipa-users] MultiHomed Server SSH login issue In-Reply-To: <20100222175614.GC16206@redhat.com> References: <4B808CF5.2060303@adurotec.com> <20100222175614.GC16206@redhat.com> Message-ID: <4B82E85F.4080206@adurotec.com> Nalin, Thank you for the information; it does help. You have confirmed what today's research has yielded: the need to modify sshd's behavior and have it accept authentication for any name that has a key present in the keytab. I am running CentOS 5.4 and apparently the version of ssh that is installed, 4.3p2, does not support "GSSAPIStrictAcceptorCheck". I need to do some additional digging. Thanks again. David On 02/22/2010 11:56 AM, Nalin Dahyabhai wrote: > On Sat, Feb 20, 2010 at 07:31:33PM -0600, David Christensen wrote: >> I have my ipa 1.2.2 setup in an environment where my servers have two >> NICs each in a different VLAN. >> >> With the multi NIC setup I have two different DNS names for a single >> host to control which interface is used when accessing the host e.g. >> host.example.com and host.priv.example.com. The hostname of the server >> is set to host.example.com. >> >> I first configured the ipa-client on the host with the host.example.com >> service principal and all is well; I can login via ssh and >> authentication occurs via kerberos. I then setup another service >> principal with the host.priv.example.com and downloaded the keytab to >> the target server. However when I try to login via ssh I am prompted >> for a password. >> >> Turning on verbose output for ssh and upping the syslog to debug, I came >> across this: Error code krb5 144 which I discovered means "wrong >> principal in request." >> >> Is what I am trying to do possible, having more than one host/ssh service >> principal for a single host that is multihomed? 
>> >> If so what is causing the error code 144 when I can see that in my local >> klist the ticket for the host.priv.example.com is present? > > In order for authentication to succeed, the client and server need to > agree on what the server's principal name is. Based on your tests, it > looks as though the client is happy to think the server's name is > "host/host.priv.example.com", but the server continues to assume its > name is more or less host@`hostname`, which in this case works out to > "host/host.example.com". > > At the API level, if an application avoids specifying its service name > when accepting authentication, it'll be able to accept authentication to > any name for which it has a key in its keytab, which is what I think you > want to have happen here. The big caveat is that each application (if > it even supports this) has to be configured differently. > > In the case of sshd, I'd suggest setting > GSSAPIStrictAcceptorCheck no > in /etc/ssh/sshd_config and seeing if that makes things work. > > HTH, > > Nalin From Andy.Singleton at tipp24os.co.uk Wed Feb 24 11:11:05 2010 
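The two checks this thread converges on, as an added example (not FreeIPA code and not the poster's configuration): Rob's question is whether /etc/krb5.keytab still holds a key for both host principals, and Nalin's is whether sshd is pinned to host/`hostname` by GSSAPIStrictAcceptorCheck. The script below parses MIT `klist -kt` text output and an OpenSSH sshd_config and reports both. The keytab listing, config fragment, realm EXAMPLE.COM and the two host names are constructed for the example, not captured from any real host.

```python
"""Check a multi-homed host's Kerberos acceptor setup for sshd.

Added example, not FreeIPA code. Assumes MIT Kerberos `klist -kt` text
output and an OpenSSH sshd_config. Sample data below is constructed.
"""
import re
import subprocess

REALM = "EXAMPLE.COM"                                   # assumed realm
NAMES = ["host.example.com", "host.priv.example.com"]   # names clients use

# Constructed `klist -kt /etc/krb5.keytab` output: keys for both names.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/20/10 18:02:11 host/host.example.com@EXAMPLE.COM
   2 02/20/10 18:02:11 host/host.example.com@EXAMPLE.COM
   1 02/20/10 19:10:40 host/host.priv.example.com@EXAMPLE.COM
"""

# Constructed sshd_config fragment: the option is only commented out, so
# the default (yes) applies and sshd accepts only host/<hostname>.
SAMPLE_SSHD_CONFIG = """\
Port 22
GSSAPIAuthentication yes
#GSSAPIStrictAcceptorCheck yes
"""

# sshd_config allows "Keyword value" or "Keyword=value".
KEYWORD_RE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")


def parse_keytab_listing(text):
    """Map principal -> highest kvno seen in `klist -kt` output."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        princ = next((p for p in parts if "@" in p), None)
        if not parts or not parts[0].isdigit() or princ is None:
            continue  # banner, column header, separator line
        entries[princ] = max(int(parts[0]), entries.get(princ, 0))
    return entries


def missing_host_principals(entries, names, realm):
    """DNS names for which the keytab holds no host/<name>@REALM key."""
    return [n for n in names if f"host/{n}@{realm}" not in entries]


def strict_acceptor_check(config_text):
    """Effective GSSAPIStrictAcceptorCheck: sshd uses the first occurrence
    of a keyword, lines starting with '#' are comments, default is yes."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if m and m.group(1).lower() == "gssapistrictacceptorcheck":
            return m.group(2).lower() == "yes"
    return True


def diagnose(klist_text, sshd_text, names=NAMES, realm=REALM):
    """Return (keytab entries, findings) for the two causes discussed in
    the thread: a principal missing from the keytab, and sshd pinned to
    host/<hostname> because the strict acceptor check is in effect."""
    entries = parse_keytab_listing(klist_text)
    findings = []
    for n in missing_host_principals(entries, names, realm):
        findings.append(f"no key for host/{n}@{realm} in keytab")
    if len(names) > 1 and strict_acceptor_check(sshd_text):
        findings.append("GSSAPIStrictAcceptorCheck is yes (default): sshd "
                        "accepts only host/<hostname>; set it to no")
    return entries, findings


def run_live():
    """Same checks against this host's real keytab and sshd_config."""
    klist = subprocess.run(["klist", "-kt", "/etc/krb5.keytab"],
                           capture_output=True, text=True, check=True).stdout
    with open("/etc/ssh/sshd_config") as f:
        return diagnose(klist, f.read())


if __name__ == "__main__":
    entries, findings = diagnose(SAMPLE_KLIST, SAMPLE_SSHD_CONFIG)
    for principal, kvno in entries.items():
        print(f"keytab: {principal} (kvno {kvno})")
    for finding in findings:
        print("finding:", finding)
```

Two caveats follow from Nalin's description. With GSSAPIStrictAcceptorCheck no, sshd accepts a service ticket for any principal that has a key in /etc/krb5.keytab, so that file should hold only this host's own principals. And when the second principal is added, verify with `klist -kt` that the host/host.example.com entry is still present; a keytab that was downloaded and copied over the existing file would lose it, which is the overwrite Rob suspects.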
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton) Date: Wed, 24 Feb 2010 11:11:05 -0000 Subject: [Freeipa-users] Installing IPA on Solaris 10 References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net> <4B69A57A.8080908@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net> <4B6C4E06.6080703@redhat.com> Message-ID: <1CD40A4DEEA320479C98D8A93A5C6906028BFA25@waterloo.t24uk.tipp24.net> Hi Rob, Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2: We still have an issue that ipa users cannot log on to our Solaris 10 client. ("800047 auth.error: pam Authentication failed") Currently I can get a ticket with "kinit", and can see the ipa users/groups with "getent". "ldapclient init" worked eventually. However, there was some hoop jumping to get to this state: I changed the following parts of the freeipa schema contents: 1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am not sure if this is deliberately set or not. "getent passwd" would refuse to work otherwise. "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net" serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net 2) The defaultServerList defaults to the master server, which was not reachable from the client's subnet. (the linux clients rely on two slaves in this subnet) "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net" defaultServerList: [slave].live.tipp24.net 3) Our install covers three separate domains, and solaris appears to require that nisDomain and associatedDomain conform to the client's specific domain only. 
"dn: dc=live,dc=tipp24,dc=net" nisDomain: live.tipp24.net associatedDomain: live.tipp24.net Finally, when users attempt to connect, the dirsrv log on the slave has the following contents: [24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP] [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms" [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0 [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1 Any comments/advice would be appreciated. Thanks Andy -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: 05 February 2010 16:58 To: Andy Singleton Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 Andy Singleton wrote: > Hi Rob, > > Ok, I've switched on the compat plugin. > Incidentally, does this need to be done separately for all replicas? Yes. The plugin configuration of each 389-ds is not replicated. > However, when I run ldapclient init, I get this message: > "Failed to find defaultSearchBase for domain" Hmm, can you look in the DS logs to see what queries it is making? (/var/log/dirsrv/slapd-YOUR-INSTANCE/access). Probably a good idea to ensure you have the Solaris default profile set up too: ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com" rob > > Cheers > Andy > > > -----Original Message----- 
> From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: 03 February 2010 17:34 > To: Andy Singleton; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 > > Andy Singleton wrote: >> Hi Rob, >> >> Neither of the commands give any results. > > /me smacks head > > Ok, sorry I didn't see this the first go-round. > > The Solaris nss_ldap doesn't use /etc/ldap.conf. > > What you want to do is something like: > > # ldapclient init ipa.example.com > > This should set everything up for you on the Solaris side assuming > you're running freeIPA 1.2.2. > > You'll also need to enable the compat schema on the IPA side by running > ipa-compat-manage enable and restarting the DS (if you haven't done so > already). > > Note that the Solaris LDAP client assumes that if you want to use LDAP > for anything then you want to use it for EVERYTHING, so you'll want to > fix up /etc/nsswitch.conf, at least setting files and ipnodes back to > dns from ldap. > > rob >> Andy >> >> -----Original Message----- >> From: Rob Crittenden [mailto:rcritten at redhat.com] >> Sent: 03 February 2010 16:11 >> To: Andy Singleton >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >> >> Andy Singleton wrote: >>> Hi rob, >>> >>> Glad you caught up with this problem. >>> >>> The nsswitch.conf is set up as per the install document. So: >>> passwd: files ldap[NOTFOUND=return] >>> group: files ldap[NOTFOUND=return] >>> >>> The system uses the standard solaris nss_ldap package. >> Ok, can you see if you can get a specific user and group: >> >> getent passwd admin >> getent group ipausers >> >> rob >> >>> Cheers >>> Andy >>> >>> ----- Original Message ----- 
>>> From: Rob Crittenden >>> To: Andy Singleton >>> Cc: freeipa-users at redhat.com >>> Sent: Tue Feb 02 21:01:33 2010 >>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >>> >>> Andy Singleton wrote: >>> > Hi guys, >>> > >>> > >>> > >>> > I am installing IPA 1.2.2 client installation on one of our Solaris >>> > servers, and I can't seem to get the system to see the IPA users. "getent >>> > passwd" only returns local users, and no traffic is leaving the client >>> > for the IPA server for ldap. >>> > >>> > >>> > >>> > I have followed the instructions from the documentation, but I >>> > definitely get the feeling that something is missing. >>> > >>> > All the various configuration files are populated, and the Kerberos >>> > portion works correctly because I can obtain a ticket. >>> > >>> > So possibly there is a problem with the nss_ldap part, or the ldap.conf >>> > itself. >>> > >>> > >>> > >>> > Does anyone know common problems that might have this result on >>> Solaris 10? >>> > >>> > >>> > >>> > For reference, here is the /etc/ldap.conf file: >>> > >>> > >>> > >>> > ldap_version 3 >>> > >>> > base cn=compat,dc=live,dc=tipp24,dc=net >>> > >>> > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub >>> > >>> > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub >>> > >>> > nss_schema rfc2307bis >>> > >>> > nss_map_objectclass shadowAccount posixAccount >>> > >>> > nss_map_attribute uniqueMember member >>> > >>> > nss_initgroups_ignoreusers root,dirsrv,oracle >>> > >>> > nss_reconnect_maxsleeptime 8 >>> > >>> > nss_reconnect_sleeptime 1 >>> > >>> > bind_timelimit 2 >>> > >>> > timelimit 4 >>> > >>> > nss_srv_domain live.tipp24.net >>> > >>> > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net >>> > >>> > >>> > >>> > Thanks >>> > >>> > Andy >>> >>> Sorry, missed this one last week.. >>> >>> What does /etc/nsswitch.conf read? Is it configured to use ldap? 
>>> >>> You might also try killing nscd in case it is interfering. >>> >>> rob >>> > From rcritten at redhat.com Wed Feb 24 14:46:35 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 24 Feb 2010 09:46:35 -0500 Subject: [Freeipa-users] Installing IPA on Solaris 10 In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C6906028BFA25@waterloo.t24uk.tipp24.net> References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net> <4B69A57A.8080908@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net> <4B6C4E06.6080703@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906028BFA25@waterloo.t24uk.tipp24.net> Message-ID: <4B853BCB.9030408@redhat.com> Andy Singleton wrote: > Hi Rob, > > Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2: > > We still have an issue that ipa users cannot log on to our Solaris 10 client. ("800047 auth.error: pam Authentication failed") Can't log in via console, ssh? > Currently I can get a ticket with "kinit", and can see the ipa users/groups with "getent". "ldapclient init" worked eventually. > However, there was some hoop jumping to get to this state: > > I changed the following parts of the freeipa schema contents: > > 1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am not sure if this is deliberately set or not. "getent passwd" would refuse to work otherwise. > "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net" > serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net Yeah, I need to investigate this further. It should work without having to go through compat. There is some VLV problem I need to figure out. > 2) The defaultServerList defaults to the master server, which was not reachable from the client's subnet. (the linux clients rely on two slaves in this subnet) > "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net" > defaultServerList: [slave].live.tipp24.net Hmm, I think we can probably add in the replicas to this list when they are installed. 
Would that be an acceptable solution? Assuming of course that Solaris will skip to the next entry if one is not accessible. > 3) Our install covers three separate domains, and solaris appears to require that nisDomain and associatedDomain conform to the clients specific domain only. > "dn: dc=live,dc=tipp24,dc=net" > nisDomain: live.tipp24.net > associatedDomain: live.tipp24.net That is a limitation of the Solaris ldap client. associatedDomain needs to match the client domain. I don't think there is a workaround for this. > > Finally, when users attempt to connect, the dirsrv log on the slave has the following contents: > [24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP] > [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms" > [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0 > [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND > [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1 Clients attempt to connect and fail right? Are you saying this is the only thing logged in that case? rob > > > Any comments/advice would be appreciated. > > Thanks > Andy > > -----Original Message----- 
> From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: 05 February 2010 16:58 > To: Andy Singleton > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 > > Andy Singleton wrote: >> Hi Rob, >> >> Ok ive switched on the compat plugin. >> Incidentally, does this need to be done separately for all replicas? > > Yes. The plugin configuration of each 389-ds is not replicated. > >> However, when I run ldapclient init , I get this message: >> "Failed to find defaultSearchBase for domain" > > Hmm, can you look in the DS logs to see what queries it is making/ > (/var/log/dirsrv/slapd-YOUR-INSTANCE/access). > > Probably a good idea to ensure you have the Solaris default profile set > up too: > > ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com" > > rob > >> Cheers >> Andy >> >> >> -----Original Message----- >> From: Rob Crittenden [mailto:rcritten at redhat.com] >> Sent: 03 February 2010 17:34 >> To: Andy Singleton; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >> >> Andy Singleton wrote: >>> Hi Rob, >>> >>> Neither of the commands give any results. >> /me smacks head >> >> Ok, sorry I didn't see this the first go-round. >> >> The Solaris nss_ldap doesn't use /etc/ldap.conf. >> >> What you want to do is something like: >> >> # ldapclient init ipa.example.com >> >> This should set everything up for you on the Solaris side assuming >> you're running freeIPA 1.2.2. >> >> You'll also need to enable the compat schema on the IPA side by running >> ipa-compat-manage enable and restarting the DS (if you haven't done so >> already). >> >> Note that the Solaris LDAP client assumes that if you want to use LDAP >> for anything then you want to use it for EVERYTHING, so you'll want to >> fix up /etc/nsswitch.conf, at least setting files and ipnodes back to >> dns from ldap. >> >> rob >>> Andy >>> >>> -----Original Message----- 
>>> From: Rob Crittenden [mailto:rcritten at redhat.com] >>> Sent: 03 February 2010 16:11 >>> To: Andy Singleton >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >>> >>> Andy Singleton wrote: >>>> Hi rob, >>>> >>>> Glad you caught up with this problem. >>>> >>>> The nsswitch.conf is set up as per the install document. So: >>>> passwd: files ldap[NOTFOUND=return] >>>> group: files ldap[NOTFOUND=return] >>>> >>>> The system uses the standard solaris nss_ldap package. >>> Ok, can you see if you can get a specific user and group: >>> >>> getent passwd admin >>> getent group ipausers >>> >>> rob >>> >>>> Cheers >>>> Andy >>>> >>>> ----- Original Message ----- 
>>>> From: Rob Crittenden >>>> To: Andy Singleton >>>> Cc: freeipa-users at redhat.com >>>> Sent: Tue Feb 02 21:01:33 2010 >>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >>>> >>>> Andy Singleton wrote: >>>> > Hi guys, >>>> > >>>> > >>>> > >>>> > I am installing IPA 1.2.2 client installation on one of our Solaris >>>> > servers, and I can't seem to get the system to see the IPA users. "getent >>>> > passwd" only returns local users, and no traffic is leaving the client >>>> > for the IPA server for ldap. >>>> > >>>> > >>>> > >>>> > I have followed the instructions from the documentation, but I >>>> > definitely get the feeling that something is missing. >>>> > >>>> > All the various configuration files are populated, and the Kerberos >>>> > portion works correctly because I can obtain a ticket. >>>> > >>>> > So possibly there is a problem with the nss_ldap part, or the ldap.conf >>>> > itself. >>>> > >>>> > >>>> > >>>> > Does anyone know common problems that might have this result on >>>> Solaris 10? >>>> > >>>> > >>>> > >>>> > For reference, here is the /etc/ldap.conf file: >>>> > >>>> > >>>> > >>>> > ldap_version 3 >>>> > >>>> > base cn=compat,dc=live,dc=tipp24,dc=net >>>> > >>>> > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub >>>> > >>>> > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub >>>> > >>>> > nss_schema rfc2307bis >>>> > >>>> > nss_map_objectclass shadowAccount posixAccount >>>> > >>>> > nss_map_attribute uniqueMember member >>>> > >>>> > nss_initgroups_ignoreusers root,dirsrv,oracle >>>> > >>>> > nss_reconnect_maxsleeptime 8 >>>> > >>>> > nss_reconnect_sleeptime 1 >>>> > >>>> > bind_timelimit 2 >>>> > >>>> > timelimit 4 >>>> > >>>> > nss_srv_domain live.tipp24.net >>>> > >>>> > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net >>>> > >>>> > >>>> > >>>> > Thanks >>>> > >>>> > Andy >>>> >>>> Sorry, missed this one last week.. >>>> >>>> What does /etc/nsswitch.conf read? 
Is it configured to use ldap? >>>> >>>> You might also try killing nscd in case it is interfering. >>>> >>>> rob >>>> > From shan.sysadm at gmail.com Wed Feb 24 14:58:35 2010 
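What Rob is asking about the access log, as an added example that is not 389-ds, FreeIPA or either poster's code: the connection Andy posted only reads the root DSE (supportedControl and supportedSASLMechanisms) and then unbinds, so the directory never saw a BIND at all. The script below parses the 389-ds access-log line format shown in his post, pairs each BIND or SRCH with its RESULT by conn and op number, and labels every connection by what authentication it attempted. The sample lines are constructed: the first connection mirrors the shape of Andy's excerpt with made-up addresses; the other two are invented to show, for contrast, a simple bind rejected with err=49 and a two-round GSSAPI bind (err=14, SASL bind in progress, then err=0).

```python
"""Summarise 389-ds access-log connections by authentication attempted.

Added example for the Solaris thread above; not 389-ds or FreeIPA code.
The sample log lines below are constructed.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from 10.1.2.3 to 10.1.2.10
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1
[24/Feb/2010:11:54:02 +0100] conn=4672697 fd=390 slot=390 connection from 10.1.2.4 to 10.1.2.10
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=0 BIND dn="uid=andy,cn=users,cn=accounts,dc=example,dc=net" method=128 version=3
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=1 UNBIND
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=1 fd=390 closed - U1
[24/Feb/2010:11:55:10 +0100] conn=4672698 fd=391 slot=391 connection from 10.1.2.5 to 10.1.2.10
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=0 RESULT err=14 tag=97 nentries=0 etime=0
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=andy,cn=users,cn=accounts,dc=example,dc=net"
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=2 UNBIND
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=2 fd=391 closed - U1
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"connection from (?P<src>\S+) to \S+")
OP_RE = re.compile(r"^op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<args>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted


def parse_access_log(text):
    """Group lines by conn id and pair each BIND/SRCH with its RESULT."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = conns.setdefault(m.group("conn"), {
            "src": None, "binds": [], "searches": [], "unbound": False,
            "pending": {}})
        cm = CONN_RE.search(m.group("rest"))
        if cm:
            rec["src"] = cm.group("src")
            continue
        om = OP_RE.match(m.group("rest"))
        if not om:
            continue  # "fd=... closed" and similar lines are not needed
        kind, op = om.group("kind"), om.group("op")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(om.group("args"))}
        if kind in ("BIND", "SRCH"):
            rec["pending"][op] = (kind, kv)
        elif kind == "RESULT":
            started = rec["pending"].pop(op, None)
            if started is None:
                continue
            err = int(kv.get("err", -1))
            if started[0] == "BIND":
                rec["binds"].append({"dn": started[1].get("dn", ""),
                                     "method": started[1].get("method"),
                                     "mech": started[1].get("mech"),
                                     "err": err})
            else:
                rec["searches"].append({"base": started[1].get("base", ""),
                                        "filter": started[1].get("filter", ""),
                                        "err": err,
                                        "nentries": int(kv.get("nentries", 0))})
        elif kind == "UNBIND":
            rec["unbound"] = True
    return conns


def classify(rec):
    """Label a connection: did it ever try to authenticate, and how did it go?"""
    if not rec["binds"]:
        if rec["searches"] and all(s["base"] == "" for s in rec["searches"]):
            return "rootdse-probe-only"   # read capabilities, never authenticated
        return "anonymous"
    last = rec["binds"][-1]   # GSSAPI takes several rounds (err=14); the last decides
    if last["err"] == 0:
        return "bind-ok"
    if last["err"] == 49:
        return "bind-invalid-credentials"
    return f"bind-err-{last['err']}"


def summarize(text):
    """conn id -> label, for every connection in the log text."""
    return {cid: classify(rec) for cid, rec in parse_access_log(text).items()}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for cid, rec in parse_access_log(text).items():
        print(f"conn={cid} from {rec['src']}: {classify(rec)}")
```

Run it against /var/log/dirsrv/slapd-INSTANCE/access on the replica the Solaris client talks to. A login attempt that shows up only as rootdse-probe-only means the client gave up before presenting any credentials to the directory, which is consistent with nothing appearing in krb5kdc.log either; the place to look is then the client's own ldapclient and pam configuration rather than the server's access control.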
From: shan.sysadm at gmail.com (Shan Kumaraswamy) Date: Wed, 24 Feb 2010 17:58:35 +0300 Subject: [Freeipa-users] AD Sync Error Message-ID: <68b7c79a1002240658w222a5333l12e0c31fe1eaffee@mail.gmail.com> Dear All, I am facing an AD Sync issue between FreeIPA and Active Directory, and as per the redhat-ds doc I have done all the settings on the AD front. Please help me to resolve this issue. The error message is below: [root at sbttipa001 ~]# ipa-replica-manage add --winsync --binddn CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw secretpw --ca cert /etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com -v --passsync bmi.123 Directory Manager password: INFO:root:Shutting down dirsrv: BMITEST-COM... [ OK ] INFO:root: INFO:root: INFO:root: INFO:root:Starting dirsrv: BMITEST-COM... [ OK ] INFO:root: INFO:root:Added CA certificate /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for sbttipa001.bmitest.com INFO:root:Restarted directory server sbttipa001.bmitest.com INFO:root:Could not validate connection to remote server sbtaddc001.bmitest.com:636 - continuing INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc ': "Can't contact LDAP server"} The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com Windows PassSync entry exists, not resetting password INFO:root:Added new sync agreement, waiting for it to become ready . . . INFO:root:Replication Update in progress: FALSE: status: 49 - LDAP error: Invalid credentials: start: 0: end: 0 INFO:root:Agreement is ready, starting replication . . . Starting replication, please wait until this has completed. [sbttipa001.bmitest.com] reports: Update failed! Status: [49 - LDAP error: Invalid credentials] INFO:root:Added agreement for other host sbtaddc001.bmitest.com -- Thanks & Regards Shan Kumaraswamy -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Wed Feb 24 15:20:56 2010 
From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 24 Feb 2010 08:20:56 -0700 Subject: [Freeipa-users] AD Sync Error In-Reply-To: <68b7c79a1002240658w222a5333l12e0c31fe1eaffee@mail.gmail.com> References: <68b7c79a1002240658w222a5333l12e0c31fe1eaffee@mail.gmail.com> Message-ID: <4B8543D8.3050806@redhat.com> Shan Kumaraswamy wrote: > Dear All, > I am facing the AD Sync issue with FreeIPA to Active Directory, and as > per the redhat-ds doc I have done all the settings from AD front. > please help me to resolve this issue. And find the below error message: > > [root at sbttipa001 ~]# ipa-replica-manage add --winsync --binddn > CN=ipaadmin,CN=users,DC=bmitest,DC=com --bindpw secretpw --ca cert > /etc/dirsrv/slapd-BMITEST-COM/adsync.cer sbtaddc001.bmitest.com > -v --passsync bmi.123 > Directory Manager password: > INFO:root:Shutting down dirsrv: > BMITEST-COM... [ OK ] > INFO:root: > INFO:root: > INFO:root: > INFO:root:Starting dirsrv: > BMITEST-COM... [ OK ] > INFO:root: > INFO:root:Added CA certificate > /etc/dirsrv/slapd-BMITEST-COM/adsync.cer to certificate database for > sbttipa001.bmitest.com > INFO:root:Restarted directory server sbttipa001.bmitest.com > > INFO:root:Could not validate connection to remote server > sbtaddc001.bmitest.com:636 - > continuing > INFO:root:The error was: {'info': 'error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc > ': "Can't contact LDAP server"} > The user for the Windows PassSync service is > uid=passsync,cn=sysaccounts,cn=etc,dc=bmitest,dc=com > Windows PassSync entry exists, not resetting password > INFO:root:Added new sync agreement, waiting for it to become ready . . . > INFO:root:Replication Update in progress: FALSE: status: 49 - LDAP > error: Invalid credentials: start: 0: end: 0 > INFO:root:Agreement is ready, starting replication . . . > Starting replication, please wait until this has completed. > [sbttipa001.bmitest.com ] reports: > Update failed! 
Status: [49 - LDAP error: Invalid credentials] > INFO:root:Added agreement for other host sbtaddc001.bmitest.com > Error 49 usually means the password is not correct. You can use mozldap ldapsearch to test the connection like this: /usr/lib/mozldap/ldapsearch -h dchost -p 636 -Z -P /etc/dirsrv/slapd-BMITEST-COM/cert8.db -D CN=ipaadmin,CN=users,DC=bmitest,DC=com -w "secretpw" -s base -b "" "objectclass=*" > > > -- > Thanks & Regards > Shan Kumaraswamy > > ------------------------------------------------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Andy.Singleton at tipp24os.co.uk Wed Feb 24 15:39:36 2010 
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton) Date: Wed, 24 Feb 2010 15:39:36 -0000 Subject: [Freeipa-users] Installing IPA on Solaris 10 References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net> <4B69A57A.8080908@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net> <4B6C4E06.6080703@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906028BFA25@waterloo.t24uk.tipp24.net> <4B853BCB.9030408@redhat.com> Message-ID: <1CD40A4DEEA320479C98D8A93A5C6906028BFA8E@waterloo.t24uk.tipp24.net> Hi Rob, I should have mentioned that, yes, it's all ssh. For the defaultServerList, I guess it depends on the timeout values. If every operation suddenly gets a 4 second delay, I don't think that's going to work. For the associatedDomain issue, that's not really a problem for us. I just wanted to flag it up as something that could limit a deployment for someone else. For the dirsrv log, yes, that's the only thing logged. Nothing in the krb5kdc.log, and only the pam error in the client's /var/adm/messages If there's any more information I can provide, let me know. Cheers Andy -----Original Message----- 
From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: 24 February 2010 14:47 To: Andy Singleton Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 Andy Singleton wrote: > Hi Rob, > > Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2: > > We still have an issue that ipa users cannot log on to our Solaris 10 client. ("800047 auth.error: pam Authentication failed") Can't log in via console, ssh? > Currently I can get a ticket with "kinit", and can see the ipa users/groups with "getent". "ldapclient init" worked eventually. > However, there was some hoop jumping to get to this state: > > I changed the following parts of the freeipa schema contents: > > 1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am not sure if this is deliberately set or not. "getent passwd" would refused to work otherwise. > "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net" > serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net Yeah, I need to investigate this further. It should work without having to go through compat. There is some VLV problem I need to figure out. > 2) The defaultServerList defaults to the master server, which was not reachable from the clients subnet. (the linux clients rely on two slaves in this subnet) > "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net" > defaultServerList: [slave].live.tipp24.net Hmm, I think we can probably add in the replicas to this list when they are installed. Would that be an acceptable solution? Assuming of course that Solaris will skip to the next entry if one is not accessible. > 3) Our install covers three separate domains, and solaris appears to require that nisDomain and associatedDomain conform to the clients specific domain only. > "dn: dc=live,dc=tipp24,dc=net" > nisDomain: live.tipp24.net > associatedDomain: live.tipp24.net That is a limitation of the Solaris ldap client. 
associatedDomain needs to match the client domain. I don't think there is a workaround for this. > > Finally, when users attempt to connect, the dirsrv log on the slave has the following contents: > [24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP] > [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms" > [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0 > [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND > [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1 Clients attempt to connect and fail right? Are you saying this is the only thing logged in that case? rob > > > Any comments/advice would be appreciated. > > Thanks > Andy > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: 05 February 2010 16:58 > To: Andy Singleton > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 > > Andy Singleton wrote: >> Hi Rob, >> >> Ok, I've switched on the compat plugin. >> Incidentally, does this need to be done separately for all replicas? > > Yes. The plugin configuration of each 389-ds is not replicated. > >> However, when I run ldapclient init, I get this message: >> "Failed to find defaultSearchBase for domain" > > Hmm, can you look in the DS logs to see what queries it is making? > (/var/log/dirsrv/slapd-YOUR-INSTANCE/access). > > Probably a good idea to ensure you have the Solaris default profile set > up too: > > ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com" > > rob > >> Cheers >> Andy >> >> >> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com] >> Sent: 03 February 2010 17:34 >> To: Andy Singleton; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >> >> Andy Singleton wrote: >>> Hi Rob, >>> >>> Neither of the commands give any results. >> /me smacks head >> >> Ok, sorry I didn't see this the first go-round. >> >> The Solaris nss_ldap doesn't use /etc/ldap.conf. >> >> What you want to do is something like: >> >> # ldapclient init ipa.example.com >> >> This should set everything up for you on the Solaris side assuming >> you're running freeIPA 1.2.2. >> >> You'll also need to enable the compat schema on the IPA side by running >> ipa-compat-manage enable and restarting the DS (if you haven't done so >> already). >> >> Note that the Solaris LDAP client assumes that if you want to use LDAP >> for anything then you want to use it for EVERYTHING, so you'll want to >> fix up /etc/nsswitch.conf, at least setting files and ipnodes back to >> dns from ldap. >> >> rob >>> Andy >>> >>> -----Original Message----- >>> From: Rob Crittenden [mailto:rcritten at redhat.com] >>> Sent: 03 February 2010 16:11 >>> To: Andy Singleton >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >>> >>> Andy Singleton wrote: >>>> Hi rob, >>>> >>>> Glad you caught up with this problem. >>>> >>>> The nsswitch.conf is set up as per the install document. So: >>>> passwd: files ldap[NOTFOUND=return] >>>> group: files ldap[NOTFOUND=return] >>>> >>>> The system uses the standard solaris nss_ldap package. >>> Ok, can you see if you can get a specific user and group: >>> >>> getent passwd admin >>> getent group ipausers >>> >>> rob >>> >>>> Cheers >>>> Andy >>>> >>>> ----- Original Message ----- 
>>>> From: Rob Crittenden >>>> To: Andy Singleton >>>> Cc: freeipa-users at redhat.com >>>> Sent: Tue Feb 02 21:01:33 2010 >>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >>>> >>>> Andy Singleton wrote: >>>> > Hi guys, >>>> > >>>> > >>>> > >>>> > I am installing IPA 1.2.2 client installation on one of our Solaris >>>> > servers, and I can't seem to get the system to see the IPA users. "getent >>>> > passwd" only returns local users, and no traffic is leaving the client >>>> > for the IPA server for ldap. >>>> > >>>> > >>>> > >>>> > I have followed the instructions from the documentation, but I >>>> > definitely get the feeling that something is missing. >>>> > >>>> > All the various configuration files are populated, and the Kerberos >>>> > portion works correctly because I can obtain a ticket. >>>> > >>>> > So possibly there is a problem with the nss_ldap part, or the ldap.conf >>>> > itself. >>>> > >>>> > >>>> > >>>> > Does anyone know common problems that might have this result on >>>> Solaris 10? >>>> > >>>> > >>>> > >>>> > For reference, here is the /etc/ldap.conf file: >>>> > >>>> > >>>> > >>>> > ldap_version 3 >>>> > >>>> > base cn=compat,dc=live,dc=tipp24,dc=net >>>> > >>>> > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub >>>> > >>>> > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub >>>> > >>>> > nss_schema rfc2307bis >>>> > >>>> > nss_map_objectclass shadowAccount posixAccount >>>> > >>>> > nss_map_attribute uniqueMember member >>>> > >>>> > nss_initgroups_ignoreusers root,dirsrv,oracle >>>> > >>>> > nss_reconnect_maxsleeptime 8 >>>> > >>>> > nss_reconnect_sleeptime 1 >>>> > >>>> > bind_timelimit 2 >>>> > >>>> > timelimit 4 >>>> > >>>> > nss_srv_domain live.tipp24.net >>>> > >>>> > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net >>>> > >>>> > >>>> > >>>> > Thanks >>>> > >>>> > Andy >>>> >>>> Sorry, missed this one last week. >>>> >>>> What does /etc/nsswitch.conf read?
Is it configured to use ldap? >>>> >>>> You might also try killing nscd in case it is interfering. >>>> >>>> rob >>>> > From dpal at redhat.com Thu Feb 25 19:59:16 2010 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 25 Feb 2010 14:59:16 -0500 Subject: [Freeipa-users] IPA CLI help - setting up expectations Message-ID: <4B86D694.5050602@redhat.com> Hello, We tried to formulate some rules around the CLI and mostly about help for the CLI for IPA v2. IPA CLI infrastructure consists of different kinds of commands so we thought it would be helpful to define what one should expect from those commands and how to acquire help for those commands. Here is the first pass at the problem. http://freeipa.org/page/CommandDocumentation Comments and suggestions are welcome! -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Fri Feb 26 13:49:05 2010 
From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 26 Feb 2010 08:49:05 -0500 Subject: [Freeipa-users] Installing IPA on Solaris 10 In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C6906028BFA8E@waterloo.t24uk.tipp24.net> References: <1CD40A4DEEA320479C98D8A93A5C6906EF11C1@waterloo.t24uk.tipp24.net> <4B699217.8020508@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B0F38@waterloo.t24uk.tipp24.net> <4B69A57A.8080908@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906026B1103@waterloo.t24uk.tipp24.net> <4B6C4E06.6080703@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906028BFA25@waterloo.t24uk.tipp24.net> <4B853BCB.9030408@redhat.com> <1CD40A4DEEA320479C98D8A93A5C6906028BFA8E@waterloo.t24uk.tipp24.net> Message-ID: <4B87D151.9040404@redhat.com> Andy Singleton wrote: > Hi Rob, > > I should have mentioned that, yes it's all ssh. > > For defaultServerList, I guess it depends on the timeout values. If every operation suddenly gets a 4-second delay, I don't think that's going to work. > > For the associatedDomain issue, that's not really a problem for us. I just wanted to flag it up as something that could limit a deployment for someone else. > > For the dirsrv log, yes that's the only thing logged. > Nothing in the krb5kdc.log, and only the pam error in the client's /var/adm/messages > > If there's any more information I can provide, let me know. Andy, I opened a couple of bugs to track these: Solaris 10 nss passwd db not working https://bugzilla.redhat.com/show_bug.cgi?id=568087 I'll look at the login problem as part of 568087 as it may be related. In Solaris 10 LDAP configuration replicas aren't added to server list https://bugzilla.redhat.com/show_bug.cgi?id=568104 rob > > Cheers > Andy > > -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: 24 February 2010 14:47 > To: Andy Singleton > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 > > Andy Singleton wrote: >> Hi Rob, >> >> Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2: >> >> We still have an issue that ipa users cannot log on to our Solaris 10 client. ("800047 auth.error: pam Authentication failed") > > Can't log in via console, ssh? > >> Currently I can get a ticket with "kinit", and can see the ipa users/groups with "getent". "ldapclient init" worked eventually. >> However, there was some hoop jumping to get to this state: >> >> I changed the following parts of the freeipa schema contents: >> >> 1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am not sure if this is deliberately set or not. "getent passwd" would refuse to work otherwise. >> "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net" >> serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net > > Yeah, I need to investigate this further. It should work without having > to go through compat. There is some VLV problem I need to figure out. > >> 2) The defaultServerList defaults to the master server, which was not reachable from the client's subnet. (the linux clients rely on two slaves in this subnet) >> "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net" >> defaultServerList: [slave].live.tipp24.net > > Hmm, I think we can probably add in the replicas to this list when they > are installed. Would that be an acceptable solution? Assuming of course > that Solaris will skip to the next entry if one is not accessible. > >> 3) Our install covers three separate domains, and solaris appears to require that nisDomain and associatedDomain conform to the client's specific domain only.
>> "dn: dc=live,dc=tipp24,dc=net" >> nisDomain: live.tipp24.net >> associatedDomain: live.tipp24.net > > That is a limitation of the Solaris ldap client. associatedDomain needs > to match the client domain. I don't think there is a workaround for this. > >> Finally, when users attempt to connect, the dirsrv log on the slave has the following contents: >> [24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP] >> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms" >> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND >> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1 > > Clients attempt to connect and fail right? Are you saying this is the > only thing logged in that case? > > rob > >> >> Any comments/advice would be appreciated. >> >> Thanks >> Andy >> >> -----Original Message----- >> From: Rob Crittenden [mailto:rcritten at redhat.com] >> Sent: 05 February 2010 16:58 >> To: Andy Singleton >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >> >> Andy Singleton wrote: >>> Hi Rob, >>> >>> Ok, I've switched on the compat plugin. >>> Incidentally, does this need to be done separately for all replicas? >> Yes. The plugin configuration of each 389-ds is not replicated. >> >>> However, when I run ldapclient init, I get this message: >>> "Failed to find defaultSearchBase for domain" >> Hmm, can you look in the DS logs to see what queries it is making? >> (/var/log/dirsrv/slapd-YOUR-INSTANCE/access). >> >> Probably a good idea to ensure you have the Solaris default profile set >> up too: >> >> ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com" >> >> rob >> >>> Cheers >>> Andy >>> >>> >>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcritten at redhat.com] >>> Sent: 03 February 2010 17:34 >>> To: Andy Singleton; freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >>> >>> Andy Singleton wrote: >>>> Hi Rob, >>>> >>>> Neither of the commands give any results. >>> /me smacks head >>> >>> Ok, sorry I didn't see this the first go-round. >>> >>> The Solaris nss_ldap doesn't use /etc/ldap.conf. >>> >>> What you want to do is something like: >>> >>> # ldapclient init ipa.example.com >>> >>> This should set everything up for you on the Solaris side assuming >>> you're running freeIPA 1.2.2. >>> >>> You'll also need to enable the compat schema on the IPA side by running >>> ipa-compat-manage enable and restarting the DS (if you haven't done so >>> already). >>> >>> Note that the Solaris LDAP client assumes that if you want to use LDAP >>> for anything then you want to use it for EVERYTHING, so you'll want to >>> fix up /etc/nsswitch.conf, at least setting files and ipnodes back to >>> dns from ldap. >>> >>> rob >>>> Andy >>>> >>>> -----Original Message----- >>>> From: Rob Crittenden [mailto:rcritten at redhat.com] >>>> Sent: 03 February 2010 16:11 >>>> To: Andy Singleton >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >>>> >>>> Andy Singleton wrote: >>>>> Hi rob, >>>>> >>>>> Glad you caught up with this problem. >>>>> >>>>> The nsswitch.conf is set up as per the install document. So: >>>>> passwd: files ldap[NOTFOUND=return] >>>>> group: files ldap[NOTFOUND=return] >>>>> >>>>> The system uses the standard solaris nss_ldap package. >>>> Ok, can you see if you can get a specific user and group: >>>> >>>> getent passwd admin >>>> getent group ipausers >>>> >>>> rob >>>> >>>>> Cheers >>>>> Andy >>>>> >>>>> ----- Original Message ----- 
>>>>> From: Rob Crittenden >>>>> To: Andy Singleton >>>>> Cc: freeipa-users at redhat.com >>>>> Sent: Tue Feb 02 21:01:33 2010 >>>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10 >>>>> >>>>> Andy Singleton wrote: >>>>> > Hi guys, >>>>> > >>>>> > >>>>> > >>>>> > I am installing IPA 1.2.2 client installation on one of our Solaris >>>>> > servers, and I can't seem to get the system to see the IPA users. "getent >>>>> > passwd" only returns local users, and no traffic is leaving the client >>>>> > for the IPA server for ldap. >>>>> > >>>>> > >>>>> > >>>>> > I have followed the instructions from the documentation, but I >>>>> > definitely get the feeling that something is missing. >>>>> > >>>>> > All the various configuration files are populated, and the Kerberos >>>>> > portion works correctly because I can obtain a ticket. >>>>> > >>>>> > So possibly there is a problem with the nss_ldap part, or the ldap.conf >>>>> > itself. >>>>> > >>>>> > >>>>> > >>>>> > Does anyone know common problems that might have this result on >>>>> Solaris 10?
>>>>> > >>>>> > >>>>> > >>>>> > For reference, here is the /etc/ldap.conf file: >>>>> > >>>>> > >>>>> > >>>>> > ldap_version 3 >>>>> > >>>>> > base cn=compat,dc=live,dc=tipp24,dc=net >>>>> > >>>>> > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub >>>>> > >>>>> > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub >>>>> > >>>>> > nss_schema rfc2307bis >>>>> > >>>>> > nss_map_objectclass shadowAccount posixAccount >>>>> > >>>>> > nss_map_attribute uniqueMember member >>>>> > >>>>> > nss_initgroups_ignoreusers root,dirsrv,oracle >>>>> > >>>>> > nss_reconnect_maxsleeptime 8 >>>>> > >>>>> > nss_reconnect_sleeptime 1 >>>>> > >>>>> > bind_timelimit 2 >>>>> > >>>>> > timelimit 4 >>>>> > >>>>> > nss_srv_domain live.tipp24.net >>>>> > >>>>> > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net >>>>> > >>>>> > >>>>> > >>>>> > Thanks >>>>> > >>>>> > Andy >>>>> >>>>> Sorry, missed this one last week.. >>>>> >>>>> What does /etc/nsswitch.conf read? Is it configured to use ldap? >>>>> >>>>> You might also try killing nscd in case it is interfering. >>>>> >>>>> rob >>>>> >
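An added example, not from the thread and not FreeIPA or 389-ds code, showing how the access-log excerpt quoted above can be triaged once there are many connections to sift through. It groups 389-ds access-log lines by conn= and labels each connection by how far authentication got, so a session like conn=4672696, which only reads the rootDSE (base="" scope=0, asking for supportedSASLMechanisms) and then sends UNBIND without ever sending a BIND, is separated from sessions whose BIND actually failed. That first pattern means the server never received an authentication attempt and so has nothing to log as an error; the cause has to be found on the client. The log text is constructed: conn=4672696 mirrors the quoted pattern, while the other two connections, the 192.0.2.x addresses and the dc=example,dc=net DNs are invented, and the regular expressions assume the line shapes shown here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample shaped like the lines quoted in the thread: conn=4672696 is the
# quoted pattern (rootDSE probe, UNBIND, never a BIND); the other two connections,
# the addresses and the DNs are invented for illustration.
SAMPLE_LOG = """\
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from 192.0.2.10 to 192.0.2.1
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1
[24/Feb/2010:11:54:02 +0100] conn=4672697 fd=390 slot=390 connection from 192.0.2.11 to 192.0.2.1
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=andy,cn=users,cn=accounts,dc=example,dc=net"
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=1 UNBIND
[24/Feb/2010:11:55:10 +0100] conn=4672698 fd=391 slot=391 connection from 192.0.2.12 to 192.0.2.1
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=net" method=128 version=3
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[24/Feb/2010:11:55:10 +0100] conn=4672698 op=1 UNBIND
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'connection from (?P<src>\S+) to (?P<dst>\S+)')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
BIND_RE = re.compile(r'dn="(?P<dn>[^"]*)" method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
SRCH_RE = re.compile(r'base="(?P<base>[^"]*)" scope=(?P<scope>\d)')
ERR_RE = re.compile(r'err=(?P<err>\d+)')

@dataclass
class Session:
    conn: str
    src: Optional[str] = None
    binds: List[dict] = field(default_factory=list)        # one entry per BIND op
    searches: List[dict] = field(default_factory=list)     # one entry per SRCH op
    results: Dict[int, int] = field(default_factory=dict)  # op number -> err code

def parse_access_log(text: str) -> Dict[str, Session]:
    """Group access-log lines by conn= and record the operations seen on each."""
    sessions: Dict[str, Session] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                  # not a line this parser understands
        s = sessions.setdefault(m['conn'], Session(m['conn']))
        c = CONN_RE.search(m['rest'])
        if c:
            s.src = c['src']
            continue
        o = OP_RE.match(m['rest'])
        if not o:
            continue                                  # e.g. "op=1 fd=389 closed - U1"
        op, kind, args = int(o['op']), o['kind'], o['args']
        if kind == 'BIND' and (b := BIND_RE.search(args)):
            s.binds.append({'op': op, 'dn': b['dn'], 'method': b['method'], 'mech': b['mech']})
        elif kind == 'SRCH' and (q := SRCH_RE.search(args)):
            s.searches.append({'op': op, 'base': q['base'], 'scope': int(q['scope'])})
        elif kind == 'RESULT' and (e := ERR_RE.search(args)):
            s.results[op] = int(e['err'])
    return sessions

def classify(s: Session) -> str:
    """Label a connection by the last authentication state the server saw."""
    if not s.binds:
        # Only the rootDSE was read (base="" scope=0): the client fetched the SASL
        # mechanism list and hung up before authenticating, so the server has nothing
        # to log as an error and the cause must be found on the client.
        if s.searches and all(q['base'] == '' and q['scope'] == 0 for q in s.searches):
            return 'probe-only'
        return 'anonymous'                            # real searches without a BIND
    err = s.results.get(s.binds[-1]['op'])
    if err == 0:
        return 'authenticated'
    if err is None:
        return 'bind-pending'                         # log ends before the RESULT line
    return 'bind-failed'                              # e.g. err=49 invalid credentials

def summarize(text: str) -> Dict[str, str]:
    """conn id -> classification for every connection in the log text."""
    return {conn: classify(s) for conn, s in parse_access_log(text).items()}

def probe_only_clients(sessions: Dict[str, Session]) -> List[str]:
    """Source addresses that connected but never attempted a BIND."""
    return sorted({s.src for s in sessions.values() if s.src and classify(s) == 'probe-only'})

def simple_binds(sessions: Dict[str, Session]) -> List[str]:
    """Connections that used a simple (method=128) bind: the password is sent in the
    clear unless the session is TLS, which these lines do not show, so check each
    against the LDAPS/STARTTLS configuration."""
    return sorted(c for c, s in sessions.items() if any(b['method'] == '128' for b in s.binds))

if __name__ == '__main__':
    found = parse_access_log(SAMPLE_LOG)
    for conn, label in summarize(SAMPLE_LOG).items():
        print(f'conn={conn} from {found[conn].src}: {label}')
    print('never reached BIND:', probe_only_clients(found))
    print('simple binds to review:', simple_binds(found))
```

Run as a script it prints one line per connection; to use it on a real server, read /var/log/dirsrv/slapd-YOUR-INSTANCE/access into parse_access_log instead of SAMPLE_LOG. The probe-only list is the one to hand back to the client side (ldapclient profile, nsswitch.conf, /var/adm/messages), while bind-failed entries carry a server-side err code worth reading, and any simple bind on a non-TLS port is a credential exposure to fix regardless of whether login works.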