From brian at cukerinteractive.com Thu Sep 2 20:10:35 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Thu, 2 Sep 2010 13:10:35 -0700
Subject: [Freeipa-users] 389-ds to free-ipa transition; transparent?
In-Reply-To: <4C746F00.5090102@redhat.com>
References: <4C746F00.5090102@redhat.com>
Message-ID:

On Tue, Aug 24, 2010 at 6:16 PM, Rob Crittenden wrote:

> Brian LaMere wrote:
>
>> Yes, if not easier. It is just 389-ds under the hood, we have some simple
>> management tools that create the agreements for you. Since we use our own CA
>> SSL is easy as well.
>

If I already have certs for the servers that would be running the IPA, would it be easy enough to use those? I ask because my gold images come out of the box already trusting my ldap servers, which means using someone else's CA can potentially be a concern. That's not a show-stopper, because I can work around that anyway.

> Depending on your configuration the data migration should be relatively
> straightforward but know that the IPA DIT is completely flat. All users are
> in one container, groups in another, etc.

I have to admit that while I'm very good at some things, I was only "ok" with ldap way back long long ago when I did anything with it. I just created a custom schema with a couple hundred attributeTypes and a couple dozen objectclasses so that I can manage a lot of different things within ldap (single point of pluggable info to allow an object-oriented framework, independent of what tools are used). So when I read your "the IPA DIT is completely flat" statement I got a bit worried. Much of what I am doing will be far more difficult if I can't give texture to things, and my understanding is that a "completely flat DIT" is very difficult to create good aci's against.
I know that the obvious answer is to just install it, and look and see if it does what I want anyway ;) But without spending time to do that...if I leave the users/groups in their current flat places, could I add texture to the DIT elsewhere (aci's are almost vital for what I'm doing; I want to expose methods, which means I can't just "trust" tools or hosts) without causing problems for FreeIPA?

It's a lazy bred not out of laziness of not wanting to just experiment and test myself, but out of having a high workload; I'd like to use FreeIPA, and am just wondering if the above question has an obvious answer that doesn't even need to be tested.

Thanks,
Brian LaMere

From dpal at redhat.com Thu Sep 2 21:00:27 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 02 Sep 2010 17:00:27 -0400
Subject: [Freeipa-users] 389-ds to free-ipa transition; transparent?
In-Reply-To:
References: <4C746F00.5090102@redhat.com>
Message-ID: <4C80106B.6030502@redhat.com>

Brian LaMere wrote:
> On Tue, Aug 24, 2010 at 6:16 PM, Rob Crittenden wrote:
>
>     Brian LaMere wrote:
>
>     Yes, if not easier. It is just 389-ds under the hood, we have
>     some simple management tools that create the agreements for
>     you. Since we use our own CA SSL is easy as well.
>
>
> If I already have certs for the servers that would be running the IPA,
> would it be easy enough to use those? I ask because my gold images
> come out of the box already trusting my ldap servers, which means
> using someone else's CA can potentially be a concern. That's not a
> show-stopper, because I can work around that anyway.

I think you can use the certs that you already have.

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
http://www.freeipa.org/page/Administrators_Guide#Managing_Certificates_and_Certificate_Authorities

If you need more details you need to wait a bit for Rob to get back from leave.
>     Depending on your configuration the data migration should be
>     relatively straightforward but know that the IPA DIT is completely
>     flat. All users are in one container, groups in another, etc.
>
>
> I have to admit that while I'm very good at some things, I was only
> "ok" with ldap way back long long ago when I did anything with it. I
> just created a custom schema with a couple hundred attributeTypes and
> a couple dozen objectclasses so that I can manage a lot of different
> things within ldap (single point of pluggable info to allow an
> object-oriented framework, independent of what tools are used). So
> when I read your "the IPA DIT is completely flat" statement I got a
> bit worried. Much of what I am doing will be far more difficult if I
> can't give texture to things, and my understanding is that a
> "completely flat DIT" is very difficult to create good aci's against.
>
> I know that the obvious answer is to just install it, and look and see
> if it does what I want anyway ;) But without spending time to do
> that...if I leave the users/groups in their current flat places, could
> I add texture to the DIT elsewhere (aci's are almost vital for what
> I'm doing; I want to expose methods, which means I can't just "trust"
> tools or hosts) without causing problems for FreeIPA?
>
> It's a lazy bred not out of laziness of not wanting to just experiment
> and test myself, but out of having a high workload; I'd like to use
> FreeIPA, and am just wondering if the above question has an obvious
> answer that doesn't even need to be tested.
>

The ACIs are defined inside the underlying Directory Server. See details and syntax here:
http://directory.fedoraproject.org/wiki/Howto:AccessControl

The ACIs as you see can be group based. One does not need a hierarchical "ou" user structure in the DS for ACIs - just groups. So all the users live in one container without any hierarchy. All the hierarchy can be accomplished by creating a combination of nested groups.
Groups live in another container but on the same level. This is what we mean by "flat tree".

> Thanks,
> Brian LaMere

--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From brian at cukerinteractive.com Thu Sep 2 23:07:39 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Thu, 2 Sep 2010 16:07:39 -0700
Subject: [Freeipa-users] 389-ds to free-ipa transition; transparent?
In-Reply-To: <4C80106B.6030502@redhat.com>
References: <4C746F00.5090102@redhat.com> <4C80106B.6030502@redhat.com>
Message-ID:

> The ACIs are defined inside the underlying Directory Server. See
> details and syntax here
> http://directory.fedoraproject.org/wiki/Howto:AccessControl
> The ACIs as you see can be group based. One does not need a hierarchical
> "ou" user structure in the DS for ACIs - just groups. So all the users
> live in one container without any hierarchy. All the hierarchy can be
> accomplished by creating a combination of nested groups. Groups live in
> another container but on the same level. This is what we mean by "flat
> tree".
>

Well, problem is that I want project managers to be able to create customers within ou=customers...how does a flat DIT allow otherwise unprivileged users the ability to create entries? Note that most of my directory won't be people or groups, but objects that define things that tools then access for monitoring, extending/expanding services, etc.
I could always create aci's that allow particular groups to create entries with only a certain set of attributeTypes and objectclasses, but in some cases those customers should show up as valid users on a machine; "id customername" should respond with stuff. If the answer is that I'm not creative enough to imagine how to restrict based on something other than ACIs on an ou, then I suppose that's the answer ;) If that's the case then I'll just have to find the time to do an install, load my schema, and test to see if everything I want to happen can be made to happen, and everything I don't want to happen can be made to not happen.

Thanks,
Brian LaMere

From rmeggins at redhat.com Thu Sep 2 23:20:18 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 02 Sep 2010 17:20:18 -0600
Subject: [Freeipa-users] 389-ds to free-ipa transition; transparent?
In-Reply-To:
References: <4C746F00.5090102@redhat.com> <4C80106B.6030502@redhat.com>
Message-ID: <4C803132.6040101@redhat.com>

Brian LaMere wrote:
>     The ACIs are defined inside the underlying Directory Server. See
>     details and syntax here
>     http://directory.fedoraproject.org/wiki/Howto:AccessControl
>     The ACIs as you see can be group based. One does not need a
>     hierarchical "ou" user structure in the DS for ACIs - just groups.
>     So all the users live in one container without any hierarchy. All
>     the hierarchy can be accomplished by creating a combination of
>     nested groups. Groups live in another container but on the same
>     level. This is what we mean by "flat tree".
>
>
> Well, problem is that I want project managers to be able to create
> customers within ou=customers...how does a flat DIT allow
> otherwise unprivileged users the ability to create entries? Note that
> most of my directory won't be people or groups, but objects that
> define things that tools then access for monitoring,
> extending/expanding services, etc.
> I could always create aci's that
> allow particular groups to create entries with only a certain set of
> attributeTypes and objectclasses, but in some cases those customers
> should show up as valid users on a machine; "id customername" should
> respond with stuff. If the answer is that I'm not creative enough to
> imagine how to restrict based on something other than ACIs on an ou,
> then I suppose that's the answer ;) If that's the case then I'll just
> have to find the time to do an install, load my schema, and test to
> see if everything I want to happen can be made to happen, and
> everything I don't want to happen can be made to not happen.

389 access control is pretty powerful and flexible. There's usually a way to do what you want to do without having to resort to using subtrees (as in AD).

http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html

> Thanks,
> Brian LaMere

From brian at cukerinteractive.com Thu Sep 2 23:26:26 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Thu, 2 Sep 2010 16:26:26 -0700
Subject: [Freeipa-users] 389-ds to free-ipa transition; transparent?
In-Reply-To: <4C803132.6040101@redhat.com>
References: <4C746F00.5090102@redhat.com> <4C80106B.6030502@redhat.com> <4C803132.6040101@redhat.com>
Message-ID:

> 389 access control is pretty powerful and flexible. There's usually a way
> to do what you want to do without having to resort to using subtrees (as in
> AD).
>
> http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html
>

Aye - I already have everything on that side of the house working perfectly, in exactly the way I want it. However, part of how I have that is based on ACIs attached to specific ou units.
So if it could probably be made to work without resorting to ACIs for individual OUs, then...ok. I want PMs to be able to make people that are customers, but not people who are People (that sounds horrible, but you know what I mean...heh). That's just one example of many, including batch processes that make changes to specific ou units reserved for the activities of those processes.

Perhaps I'll just install FreeIPA and see, then.

Brian

From ssorce at redhat.com Thu Sep 2 23:39:53 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 2 Sep 2010 19:39:53 -0400
Subject: [Freeipa-users] 389-ds to free-ipa transition; transparent?
In-Reply-To:
References: <4C746F00.5090102@redhat.com> <4C80106B.6030502@redhat.com> <4C803132.6040101@redhat.com>
Message-ID: <20100902193953.6dcd8e15@willson.li.ssimo.org>

On Thu, 2 Sep 2010 16:26:26 -0700
Brian LaMere wrote:

>> 389 access control is pretty powerful and flexible. There's
>> usually a way to do what you want to do without having to resort to
>> using subtrees (as in AD).
>>
>> http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html
>>
>
> Aye - I already have everything on that side of the house working
> perfectly, in exactly the way I want it. However, part of how I have
> that is based on ACIs attached to specific ou units. So if it could
> probably be made to work without resorting to ACIs for individual
> OUs, then...ok. I want PMs to be able to make people that are
> customers, but not people who are People (that sounds horrible, but
> you know what I mean...heh). That's just one example of many,
> including batch processes that make changes to specific ou units
> reserved for the activities of those processes.
>
> Perhaps I'll just install FreeIPA and see, then.
Brian,
for non user/group/host objects you fully own and control you can use whatever directory structure you want as long as you do not put them under the cn=accounts subtree and keep them generally away from any IPA controlled subtree.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From brian at cukerinteractive.com Fri Sep 3 00:05:46 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Thu, 2 Sep 2010 17:05:46 -0700
Subject: [Freeipa-users] 389-ds to free-ipa transition; transparent?
In-Reply-To: <20100902193953.6dcd8e15@willson.li.ssimo.org>
References: <4C746F00.5090102@redhat.com> <4C80106B.6030502@redhat.com> <4C803132.6040101@redhat.com> <20100902193953.6dcd8e15@willson.li.ssimo.org>
Message-ID:

> Brian,
> for non user/group/host objects you fully own and control you can use
> whatever directory structure you want as long as you do not put them
> under the cn=accounts subtree and keep them generally away from any IPA
> controlled subtree.
>

Ah - well if that's the case, then I asked my initial question very poorly, as that's ultimately what I was trying to find out. If I can do things outside of that area then it will do what I need; I was just concerned that the "completely flat DIT" might object to a tree next to it in the same 389-DS. Having kerberized systems would improve more workflow issues around here than I can even comprehend, and there are other features of the IPA I am very interested in as well that will help solve other issues...once I get around to having enough time to get to those tasks.

Apologies, as mentioned I'm quite ldap-rusty.

Brian LaMere

From brian at cukerinteractive.com Tue Sep 7 23:45:40 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Tue, 7 Sep 2010 16:45:40 -0700
Subject: [Freeipa-users] updated FreeIPA documentation?
Message-ID:

Let me start by saying I work at a software development co; I "get it" - so this isn't a harsh at all. However, the latest docs I could find ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ ) seem a bit outdated already. For example, this section:

-----------------------------------------------
Procedure 3.1. To install the IPA server interactively:

Run the following command:

- ipa-server-install
  - Enter the server's host name, realm name and other details when prompted. When installing the master IPA server, the start values for the UID and GID ranges are automatically set to a random value between 1,000,000 and (2^31 - 1,000,000). You can pass the --uidstart and --gidstart options to the ipa-server-install command to specify different starting values if desired.
---------------------------------

At this point, uidstart and gidstart don't appear to be valid flags to ipa-server-install; this is unfortunate, because I'd really rather not start at a number that high (while not my personal reason for wanting a smaller number, older machines won't accept uid's that large...some won't accept UIDs higher than 65535, in fact).

That document also references that it requires "Fedora 9 or 10" - while we're now pushing on rawhide at 14, and describes nscd while the default/suggested cache provider in current versions is sssd, etc. Is there anything a bit more current?

Is there a wiki documentation project (none shows in a couple minutes of google searching)? If there's nothing more current, I'd be happy to update whatever is where ever while I'm going through it myself.

Thanks,
Brian LaMere

From davido at redhat.com Wed Sep 8 03:08:42 2010
From: davido at redhat.com (David O'Brien)
Date: Wed, 08 Sep 2010 13:08:42 +1000
Subject: [Freeipa-users] updated FreeIPA documentation?
In-Reply-To:
References:
Message-ID: <4C86FE3A.901@redhat.com>

Brian LaMere wrote:
> Let me start by saying I work at a software development co; I "get it" -
> so this isn't a harsh at all. However, the latest docs I could find
> ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ ) seem
> a bit outdated already.

Hi Brian,

It's true, they're "outdated" because at the moment they largely consist of relabeled v1 docs with a notice at the beginning advising that we're just now starting to update them. Large sections will no longer apply, and we're doing our best to keep up. We only have one doc writer on this project (me) and I've been off working on the SSSD project for quite a while, so expect the IPA doc to take a bit of catching up.

> For example, this section:
>
> -----------------------------------------------
> Procedure 3.1. To install the IPA server interactively:
>
> Run the following command:
>
> * ipa-server-install
>   o Enter the server's host name, realm name and other details
>     when prompted. When installing the master IPA server, the
>     start values for the UID and GID ranges are automatically
>     set to a random value between 1,000,000 and (2^31 -
>     1,000,000). You can pass
>     the --uidstart and --gidstart options to
>     the ipa-server-install command to specify different starting
>     values if desired.
>
> ---------------------------------
>
> At this point, uidstart and gidstart don't appear to be valid flags to
> ipa-server-install; this is unfortunate, because I'd really rather not
> start at a number that high (while not my personal reason for wanting a
> smaller number, older machines won't accept uid's that large...some
> won't accept UIDs higher than 65535, in fact).

I can't comment with certainty, but I don't know why that would be. These flags still appear in the man page (man ipa-server-install, your best source of up-to-date doc atm). Hopefully one of the developers will pipe up with a better answer.
> That document also references that it requires "Fedora 9 or 10" - while
> we're now pushing on rawhide at 14, and describes nscd while the
> default/suggested cache provider in current versions is sssd, etc. Is
> there anything a bit more current?

By the time this doc goes out the door, we'll probably be talking about F14/15, yes, and with info on using sssd with IPA.

> Is there a wiki documentation project (none shows in a couple minutes of
> google searching)? If there's nothing more current, I'd be happy to
> update whatever is where ever while I'm going through it myself.
>

We're still working on the best way of implementing this. Apart from the many changes in IPA, there have also been many changes in the way we produce and deliver documentation. We're always happy to accept contributions and feedback (even if it's only in email); as soon as we get the process sorted we'll be looking forward to as many community contributions as possible.

Thanks for your input and offer.

David

> Thanks,
> Brian LaMere
>

--
David O'Brien
Senior Content Author
Red Hat APAC Pty Ltd

"We couldn't care less about comfort. We make you feel good."
Federico Minoli CEO Ducati Motor S.p.A.

From rcritten at redhat.com Wed Sep 8 03:08:59 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 07 Sep 2010 23:08:59 -0400
Subject: [Freeipa-users] updated FreeIPA documentation?
In-Reply-To:
References:
Message-ID: <4C86FE4B.5030808@redhat.com>

Brian LaMere wrote:
> Let me start by saying I work at a software development co; I "get it" -
> so this isn't a harsh at all. However, the latest docs I could find (
> http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ ) seem
> a bit outdated already.
> For example, this section:
>
> -----------------------------------------------
> Procedure 3.1.
> To install the IPA server interactively:
>
> Run the following command:
>
> * ipa-server-install
>   o Enter the server's host name, realm name and other details
>     when prompted. When installing the master IPA server, the
>     start values for the UID and GID ranges are automatically
>     set to a random value between 1,000,000 and (2^31 -
>     1,000,000). You can pass
>     the --uidstart and --gidstart options to
>     the ipa-server-install command to specify different starting
>     values if desired.
>
> ---------------------------------
>
> At this point, uidstart and gidstart don't appear to be valid flags to
> ipa-server-install; this is unfortunate, because I'd really rather not
> start at a number that high (while not my personal reason for wanting a
> smaller number, older machines won't accept uid's that large...some
> won't accept UIDs higher than 65535, in fact).

What version of IPA are you looking at? I have both options in mine. Note that if you want to use magic-private groups only set uidstart. We made this configurable for those installations that may have limited UIDs.

> That document also references that it requires "Fedora 9 or 10" - while
> we're now pushing on rawhide at 14, and describes nscd while the
> default/suggested cache provider in current versions is sssd, etc. Is
> there anything a bit more current?

Not yet. We have an open ticket to update this but haven't had a chance to yet. Our trac instance is at https://fedorahosted.org/freeipa

> Is there a wiki documentation project (none shows in a couple minutes of
> google searching)? If there's nothing more current, I'd be happy to
> update whatever is where ever while I'm going through it myself.

We had the documentation in the wiki originally but it was incredibly difficult to keep that and our docbook-based documentation in sync so we dropped the wiki version.
The git repo for the documentation is at http://git.fedorahosted.org/git/ipadocs.git

regards

rob

From brian at cukerinteractive.com Wed Sep 8 17:01:53 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Wed, 8 Sep 2010 10:01:53 -0700
Subject: [Freeipa-users] updated FreeIPA documentation?
In-Reply-To: <4C86FE4B.5030808@redhat.com>
References: <4C86FE4B.5030808@redhat.com>
Message-ID:

> What version of IPA are you looking at? I have both options in mine. Note
> that if you want to use magic-private groups only set uidstart. We made this
> configurable for those installations that may have limited UIDs.
>

The latest in the fedora repo; just installed it last night.

----------------
root at myserver:/etc# rpm -qa |grep ipa-server
ipa-server-selinux-1.2.2-4.fc13.x86_64
ipa-server-1.2.2-4.fc13.x86_64
root at myserver:/etc# ipa-server-install --uidstart 5000
Usage: ipa-server-install [options]

ipa-server-install: error: no such option: --uidstart
root at myserver:/etc# ipa-server-install --gidstart 5000
Usage: ipa-server-install [options]

ipa-server-install: error: no such option: --gidstart
-----------------------

When I type "ipa-server-install --help" nothing along that lines is listed, either.

> We had the documentation in the wiki originally but it was incredibly
> difficult to keep that and our docbook-based documentation in sync so we
> dropped the wiki version. The git repo for the documentation is at
> http://git.fedorahosted.org/git/ipadocs.git
>

Ah, I always considered it a specificity/sensitivity issue; the official docs would have less info but would be more accurate, whereas the wiki would be far more info but with less accuracy. I'll check out the docs in git, thanks!

Brian LaMere
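The "no such option" failure in the message above turns out to be a version question (see the reply that follows), but the concern behind it, a UID start that older hosts cannot represent, can be checked before the installer is ever run. The Python below is an added example and is not code from the thread or from FreeIPA; it assumes the installer's option list is obtained from `ipa-server-install --help` and that local accounts are read in /etc/passwd format. It goes one step beyond the thread by also flagging a planned range that collides with UIDs already present in the local account file, since a clash between directory-assigned and local UIDs means two identities share one set of file permissions. The help texts and passwd lines are constructed samples.

```python
import re

# Limits supplied as policy inputs, not IPA defaults: 65535 is the 16-bit ceiling
# Brian mentions for older hosts; 2**31 - 1 is the largest signed 32-bit uid_t.
UID_LIMIT_16BIT = 65535
UID_LIMIT_SIGNED32 = 2**31 - 1

# Matches "--name" long options as printed by an optparse-style --help screen.
OPTION_RE = re.compile(r"(?<![\w-])--([a-zA-Z][\w-]*)")


def installer_options(help_text):
    """Return the set of long option names found in --help output."""
    return set(OPTION_RE.findall(help_text))


def parse_passwd(passwd_text):
    """Return {uid: name} from /etc/passwd-style text, skipping malformed lines."""
    uids = {}
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: ignore rather than guess
        try:
            uids[int(fields[2])] = fields[0]
        except ValueError:
            continue
    return uids


def uid_range_problems(start, count, passwd_text, max_uid=UID_LIMIT_16BIT):
    """List human-readable problems with allocating `count` UIDs from `start`."""
    problems = []
    end = start + count - 1
    if start < 1000:
        problems.append("start %d is inside the range usually reserved for system accounts" % start)
    if end > max_uid:
        problems.append("range %d-%d exceeds the host limit of %d" % (start, end, max_uid))
    if end > UID_LIMIT_SIGNED32:
        problems.append("range %d-%d does not fit a signed 32-bit uid_t" % (start, end))
    for uid, name in sorted(parse_passwd(passwd_text).items()):
        if start <= uid <= end:
            problems.append("UID %d is already used by local account '%s'" % (uid, name))
    return problems


def preflight(help_text, start, count, passwd_text, max_uid=UID_LIMIT_16BIT):
    """Combine both checks: does the installer accept the options, and is the range usable?"""
    problems = []
    missing = {"uidstart", "gidstart"} - installer_options(help_text)
    for opt in sorted(missing):
        problems.append("installer does not accept --%s; a custom start cannot be set" % opt)
    problems.extend(uid_range_problems(start, count, passwd_text, max_uid))
    return problems


# Constructed samples (hypothetical help screens and accounts, not captured output).
HELP_V1 = """Usage: ipa-server-install [options]

Options:
  -h, --help            show this help message and exit
  -r REALM_NAME, --realm=REALM_NAME
                        realm name
  -n DOMAIN_NAME, --domain=DOMAIN_NAME
                        domain name
"""
HELP_V2 = HELP_V1 + """  --uidstart=UIDSTART   the starting uid value
  --gidstart=GIDSTART   the starting gid value
"""
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
backup:x:5100:5100:backup job:/var/backups:/sbin/nologin
"""

if __name__ == "__main__":
    for label, text in (("v1-style help", HELP_V1), ("v2-style help", HELP_V2)):
        print(label)
        for problem in preflight(text, 5000, 1000, PASSWD_SAMPLE):
            print("  -", problem)
```

On a real host the help text would come from `subprocess.check_output(["ipa-server-install", "--help"])` and the account list from `open("/etc/passwd").read()`; the checks themselves do not change.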
From rcritten at redhat.com Wed Sep 8 17:18:20 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Sep 2010 13:18:20 -0400
Subject: [Freeipa-users] updated FreeIPA documentation?
In-Reply-To:
References: <4C86FE4B.5030808@redhat.com>
Message-ID: <4C87C55C.101@redhat.com>

Brian LaMere wrote:
>     What version of IPA are you looking at? I have both options in mine.
>     Note that if you want to use magic-private groups only set uidstart.
>     We made this configurable for those installations that may have
>     limited UIDs.
>
>
> The latest in the fedora repo; just installed it last night.
>
> ----------------
> root at myserver:/etc# rpm -qa |grep ipa-server
> ipa-server-selinux-1.2.2-4.fc13.x86_64
> ipa-server-1.2.2-4.fc13.x86_64
> root at myserver:/etc# ipa-server-install --uidstart 5000
> Usage: ipa-server-install [options]
>
> ipa-server-install: error: no such option: --uidstart
> root at myserver:/etc# ipa-server-install --gidstart 5000
> Usage: ipa-server-install [options]
>
> ipa-server-install: error: no such option: --gidstart
> -----------------------
>
> When I type "ipa-server-install --help" nothing along that lines is
> listed, either.

Yes, this is IPA v1. Those options are only available in IPA v2 which is currently in alpha. You can try it at http://www.freeipa.org/page/Downloads

>     We had the documentation in the wiki originally but it was
>     incredibly difficult to keep that and our docbook-based
>     documentation in sync so we dropped the wiki version. The git repo
>     for the documentation is at http://git.fedorahosted.org/git/ipadocs.git
>
>
> Ah, I always considered it a specificity/sensitivity issue; the
> official docs would have less info but would be more accurate, whereas
> the wiki would be far more info but with less accuracy. I'll check out
> the docs in git, thanks!
Sure

rob

From jerome.fereyre at bull.net Wed Sep 15 09:29:26 2010
From: jerome.fereyre at bull.net (Fereyre Jerome)
Date: Wed, 15 Sep 2010 11:29:26 +0200
Subject: [Freeipa-users] freeipa and postgresql
Message-ID: <4C9091F6.2070908@bull.net>

Hi all

I am trying to connect postgresql to freeipa/kerberos to ensure user authentication... but I did not find a lot of information concerning this type of configuration.

Currently the messages I encounter are, when I'm using the psql command:

psql: FATAL: accepting GSS security context failed
DÉTAIL : Unspecified GSS failure. Minor code may provide more information: Permission denied

but I'm not able to find out what is the problem.

Has anyone of you already built such a configuration? Can you give me some information or a link to documentation to do so?

Thank you.

Jerome

From rcritten at redhat.com Wed Sep 15 13:09:55 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Sep 2010 09:09:55 -0400
Subject: [Freeipa-users] freeipa and postgresql
In-Reply-To: <4C9091F6.2070908@bull.net>
References: <4C9091F6.2070908@bull.net>
Message-ID: <4C90C5A3.8000805@redhat.com>

Fereyre Jerome wrote:
> Hi all
>
> I am trying to connect postgresql to freeipa/kerberos to ensure user
> authentication...
> but I did not find a lot of information concerning this type of
> configuration.
>
> Currently the messages I encounter are, when I'm using the psql command:
> psql: FATAL: accepting GSS security context failed
> DÉTAIL : Unspecified GSS failure. Minor code may provide more
> information: Permission denied
> but I'm not able to find out what is the problem.
>
> Has anyone of you already built such a configuration? Can you give me
> some information or a link
> to documentation to do so?

I don't know anything about kerberizing postgres but I would guess that you created a service keytab for psql, is that right? Check the permissions of the keytab. Permission denied usually means that the server can't read its own keytab.
If this doesn't fix it can you outline what you've done so far in configuring psql?

rob

From jerome.fereyre at bull.net Wed Sep 15 15:10:12 2010
From: jerome.fereyre at bull.net (Fereyre Jerome)
Date: Wed, 15 Sep 2010 17:10:12 +0200
Subject: [Freeipa-users] freeipa and postgresql
In-Reply-To: <4C90C5A3.8000805@redhat.com>
References: <4C9091F6.2070908@bull.net> <4C90C5A3.8000805@redhat.com>
Message-ID: <4C90E1D4.5060507@bull.net>

Hi rob

> I don't know anything about kerberizing postgres but I would guess
> that you created a service keytab for psql, is that right?

Yes I have created a service keytab for postgres.

> Check the permissions of the keytab. Permission denied usually means
> that the server can't read its own keytab.

Thank you. You were right. I have changed the file ownership to set the postgres user as file owner and I don't have the permission denied message anymore :)

> If this doesn't fix it can you outline what you've done so far in
> configuring psql?

I walk forward in the configuration, but there are always some issues that I don't understand... but they are closer to postgres than kerberos.

I have configured a user called jeradm in postgres and created a principal in freeipa/kerberos called jeradm at MYIPA.ORG.

I need to do (starting from another user account):
su - jeradm;
kinit jeradm;
psql -d postgres -h ipa0
to connect to the database with the jeradm account.

If I stay as the root system user and do:
kinit jeradm;
psql -d postgres -h ipa0

Postgresql prevents me from connecting to the database and in the log I have messages like
[ipa0][postgres] FATAL: GSSAPI authentication failed for user "root"
[ipa0][postgres] LOG: provided username (root) and authenticated username (jeradm) don't match

In my rookie comprehension of kerberos, psql will have to use my ticket to identify the user to use for connection... but it keeps using my current linux user account...

I think that I have missed something....
Thank you Rob :)

Jérôme

> rob
>

From sgallagh at redhat.com Wed Sep 15 15:17:32 2010
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 15 Sep 2010 11:17:32 -0400
Subject: [Freeipa-users] freeipa and postgresql
In-Reply-To: <4C90E1D4.5060507@bull.net>
References: <4C9091F6.2070908@bull.net> <4C90C5A3.8000805@redhat.com> <4C90E1D4.5060507@bull.net>
Message-ID: <4C90E38C.6020900@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/15/2010 11:10 AM, Fereyre Jerome wrote:
> If I stay as the root system user and do:
> kinit jeradm;
> psql -d postgres -h ipa0
>
> Postgresql prevents me from connecting to the database and in the log I
> have messages like
> [ipa0][postgres] FATAL: GSSAPI authentication failed for user "root"
> [ipa0][postgres] LOG: provided username (root) and authenticated
> username (jeradm) don't match
>
> In my rookie comprehension of kerberos, psql will have to use my ticket
> to identify the user to use for connection... but
> it keeps using my current linux user account...
>
> I think that I have missed something....

try doing:

kinit jeradm
psql -d postgres -h ipa0 -U jeradm

That tells psql that you're trying to log in as user jeradm instead of root (by default it assumes it should use your logged-in username)

- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyQ44sACgkQeiVVYja6o6NUOgCeN9cY4d9HCpWoV0QINH7SaI1A
IlgAn1FS2jIm9T0uZHxTf4jmBqf/lC4g
=bzkP
-----END PGP SIGNATURE-----

From miljank at gmail.com Wed Sep 15 15:59:02 2010
From: miljank at gmail.com (Miljan Karadzic)
Date: Wed, 15 Sep 2010 17:59:02 +0200
Subject: [Freeipa-users] FreeIPA 1.9.0.pre4 installation problem
Message-ID: <4C90ED46.8000904@gmail.com>

Hello all,

I am having some problems installing FreeIPA server on a freshly installed Fedora 13 machine. Installation fails during configuration of certificate server at step 3/14:

-----------
[3/14]: configuring certificate server instance
root : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname loznica.lhs-systems.com -cs_port 9445 -client_certdb_dir /tmp/tmp-0ANqdU -client_certdb_pwd XXXXXXXX -preop_pin eTvJduILXN6kCgkX46ih -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host loznica.lhs-systems.com -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=loznica.lhs-systems.com,O=IPA" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone false' returned non-zero exit status 255
[4/14]: creating CA agent PKCS#12 file in /root
Unexpected error - see ipaserver-install.log for details:
Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d
/tmp/tmp-0ANqdU -k /tmp/tmplUonD_ -w /tmp/tmplUonD_' returned non-zero exit status 24 ----------- Even if installation continues to next step PKI-CA is not configured. Debug message from the installation log file says (complete installation log is attached): ----------- Required parameter -key_algorithm is not specified. Use -help for help information ----------- Installed packages are as follows: ----------- pki-common-1.3.8-1.fc13.noarch pki-util-1.3.2-1.fc13.noarch pki-console-1.3.2-1.fc13.noarch pki-native-tools-1.3.0-5.fc13.i686 dogtag-pki-ca-ui-1.3.2-1.fc13.noarch pki-silent-1.3.4-1.fc13.noarch pki-symkey-1.3.2-4.fc13.i686 pki-java-tools-1.3.1-1.fc13.noarch dogtag-pki-console-ui-1.3.2-2.fc13.noarch pki-ca-1.3.6-1.fc13.noarch pki-selinux-1.3.5-1.fc13.noarch dogtag-pki-common-ui-1.3.3-1.fc13.noarch pki-setup-1.3.4-1.fc13.noarch - ipa-server-1.9.0.pre4-0.fc13.i686 ipa-admintools-1.9.0.pre4-0.fc13.i686 ipa-python-1.9.0.pre4-0.fc13.i686 ipa-server-selinux-1.9.0.pre4-0.fc13.i686 ipa-client-1.9.0.pre4-0.fc13.i686 - 389-ds-base-1.2.6-1.fc13.i686 ----------- Any ideas what could be the problem? Regards, Miljan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ipaserver-install.log URL: From rcritten at redhat.com Wed Sep 15 17:45:05 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 15 Sep 2010 13:45:05 -0400 Subject: [Freeipa-users] FreeIPA 1.9.0.pre4 installation problem In-Reply-To: <4C90ED46.8000904@gmail.com> References: <4C90ED46.8000904@gmail.com> Message-ID: <4C910621.1060308@redhat.com> Miljan Karadzic wrote: > Hello all, > > I am having some problems installing FreeIPA server on a freshly > installed Fedora 13 machine. 
> Installation fails during configuration of
> certificate server at step 3/14:
>
> -----------
> [3/14]: configuring certificate server instance
> root : CRITICAL failed to restart ca instance Command '/usr/bin/perl
> /usr/bin/pkisilent ConfigureCA -cs_hostname loznica.lhs-systems.com
> -cs_port 9445 -client_certdb_dir /tmp/tmp-0ANqdU -client_certdb_pwd
> XXXXXXXX -preop_pin eTvJduILXN6kCgkX46ih -domain_name IPA -admin_user
> admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host
> loznica.lhs-systems.com -ldap_port 7389 -bind_dn "cn=Directory Manager"
> -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
> -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name
> pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA
> Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
> -ca_server_cert_subject_name "CN=loznica.lhs-systems.com,O=IPA"
> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA"
> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external
> false -clone false' returned non-zero exit status 255
> [4/14]: creating CA agent PKCS#12 file in /root
> Unexpected error - see ipaserver-install.log for details:
> Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d
> /tmp/tmp-0ANqdU -k /tmp/tmplUonD_ -w /tmp/tmplUonD_' returned non-zero
> exit status 24
> -----------
>
> Even if installation continues to next step PKI-CA is not configured.
>
> Debug message from the installation log file says (complete installation
> log is attached):
>
> -----------
> Required parameter -key_algorithm is not specified.
> Use -help for help information
> -----------
>
> Installed packages are as follows:
>
> -----------
> pki-common-1.3.8-1.fc13.noarch
> pki-util-1.3.2-1.fc13.noarch
> pki-console-1.3.2-1.fc13.noarch
> pki-native-tools-1.3.0-5.fc13.i686
> dogtag-pki-ca-ui-1.3.2-1.fc13.noarch
> pki-silent-1.3.4-1.fc13.noarch
> pki-symkey-1.3.2-4.fc13.i686
> pki-java-tools-1.3.1-1.fc13.noarch
> dogtag-pki-console-ui-1.3.2-2.fc13.noarch
> pki-ca-1.3.6-1.fc13.noarch
> pki-selinux-1.3.5-1.fc13.noarch
> dogtag-pki-common-ui-1.3.3-1.fc13.noarch
> pki-setup-1.3.4-1.fc13.noarch
> -
> ipa-server-1.9.0.pre4-0.fc13.i686
> ipa-admintools-1.9.0.pre4-0.fc13.i686
> ipa-python-1.9.0.pre4-0.fc13.i686
> ipa-server-selinux-1.9.0.pre4-0.fc13.i686
> ipa-client-1.9.0.pre4-0.fc13.i686
> -
> 389-ds-base-1.2.6-1.fc13.i686
> -----------
>
> Any ideas what could be the problem?

The problem is that pkisilent requires a new argument, -key_algorithm, that we aren't providing. To work around this you'll need to modify /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py.

Search for pkisilent and you'll see we create a huge array of arguments to pass. Add this:

    "-key_algorithm", "SHA256withRSA",

I put it in right after:

    "-key_type", "rsa",

but order shouldn't matter.

rob

From miljank at gmail.com Wed Sep 15 18:50:08 2010
From: miljank at gmail.com (Miljan Karadzic)
Date: Wed, 15 Sep 2010 20:50:08 +0200
Subject: [Freeipa-users] FreeIPA 1.9.0.pre4 installation problem
In-Reply-To: <4C910621.1060308@redhat.com>
References: <4C90ED46.8000904@gmail.com> <4C910621.1060308@redhat.com>
Message-ID: <4C911560.8010903@gmail.com>

On 9/15/10 7:45 PM, Rob Crittenden wrote:
> Miljan Karadzic wrote:
>> Hello all,
>>
>> I am having some problems installing FreeIPA server on a freshly
>> installed Fedora 13 machine.
>> Installation fails during configuration of
>> certificate server at step 3/14:
>>
>> -----------
>> [3/14]: configuring certificate server instance
>> root : CRITICAL failed to restart ca instance Command '/usr/bin/perl
>> /usr/bin/pkisilent ConfigureCA -cs_hostname loznica.lhs-systems.com
>> -cs_port 9445 -client_certdb_dir /tmp/tmp-0ANqdU -client_certdb_pwd
>> XXXXXXXX -preop_pin eTvJduILXN6kCgkX46ih -domain_name IPA -admin_user
>> admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name
>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>> -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host
>> loznica.lhs-systems.com -ldap_port 7389 -bind_dn "cn=Directory Manager"
>> -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
>> -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name
>> pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA
>> Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
>> -ca_server_cert_subject_name "CN=loznica.lhs-systems.com,O=IPA"
>> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA"
>> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external
>> false -clone false' returned non-zero exit status 255
>> [4/14]: creating CA agent PKCS#12 file in /root
>> Unexpected error - see ipaserver-install.log for details:
>> Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d
>> /tmp/tmp-0ANqdU -k /tmp/tmplUonD_ -w /tmp/tmplUonD_' returned non-zero
>> exit status 24
>> -----------
>>
>> Even if installation continues to next step PKI-CA is not configured.
>>
>> Debug message from the installation log file says (complete installation
>> log is attached):
>>
>> -----------
>> Required parameter -key_algorithm is not specified.
>> Use -help for help information
>> -----------
>>
>> Installed packages are as follows:
>>
>> -----------
>> pki-common-1.3.8-1.fc13.noarch
>> pki-util-1.3.2-1.fc13.noarch
>> pki-console-1.3.2-1.fc13.noarch
>> pki-native-tools-1.3.0-5.fc13.i686
>> dogtag-pki-ca-ui-1.3.2-1.fc13.noarch
>> pki-silent-1.3.4-1.fc13.noarch
>> pki-symkey-1.3.2-4.fc13.i686
>> pki-java-tools-1.3.1-1.fc13.noarch
>> dogtag-pki-console-ui-1.3.2-2.fc13.noarch
>> pki-ca-1.3.6-1.fc13.noarch
>> pki-selinux-1.3.5-1.fc13.noarch
>> dogtag-pki-common-ui-1.3.3-1.fc13.noarch
>> pki-setup-1.3.4-1.fc13.noarch
>> -
>> ipa-server-1.9.0.pre4-0.fc13.i686
>> ipa-admintools-1.9.0.pre4-0.fc13.i686
>> ipa-python-1.9.0.pre4-0.fc13.i686
>> ipa-server-selinux-1.9.0.pre4-0.fc13.i686
>> ipa-client-1.9.0.pre4-0.fc13.i686
>> -
>> 389-ds-base-1.2.6-1.fc13.i686
>> -----------
>>
>> Any ideas what could be the problem?
>
> The problem is that pkisilent requires a new argument, -key_algorithm,
> that we aren't providing. To work around this you'll need to modify
> /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py.
>
> Search for pkisilent and you'll see we create a huge array of
> arguments to pass. Add this:
>
> "-key_algorithm", "SHA256withRSA",
>
> I put it in right after:
>
> "-key_type", "rsa",
>
> but order shouldn't matter.
>
> rob

Hi Rob,

I found the same thing after writing the email, but I didn't know what to use as an argument - putting just 'rsa' didn't work. :)

Thanks a lot for the help!

From prjctgeek at gmail.com Wed Sep 15 23:12:18 2010
From: prjctgeek at gmail.com (Doug Chapman)
Date: Wed, 15 Sep 2010 16:12:18 -0700
Subject: [Freeipa-users] userPassword change with ldif
Message-ID:

I'm working on migrating from SunDS to IPA and I've got everything moved over, but I'm having some issues with userPassword. I'd like users to be able to connect with their existing passwords and set and force a password expiration after our transition is done.
I can copy the {SHA} hash from SunDS to IPA and ldap authentication works in IPA, but when I try to use kinit user@REALM it is failing with an 'invalid password'.

I've looked through the schema and can't find a separate 'krbPassword' entry, can someone clarify for me why this is failing?

Is there another place where the password is stored besides userPassword ?

tia

DougC

From dpal at redhat.com Wed Sep 15 23:42:03 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 15 Sep 2010 19:42:03 -0400
Subject: [Freeipa-users] userPassword change with ldif
In-Reply-To:
References:
Message-ID: <4C9159CB.4050709@redhat.com>

Doug Chapman wrote:
> I'm working on migrating from SunDS to IPA and I've got everything
> moved over, but I'm having some issues with userPassword. I'd like
> users to be able to connect with their existing passwords and set and
> force a password expiration after our transition is done.
>
> I can copy the {SHA} hash from SunDS to IPA and ldap authentication
> works in IPA, but when I try to use kinit user@REALM it is failing
> with an 'invalid password'.
>
> I've looked through the schema and can't find a separate 'krbPassword'
> entry, can someone clarify for me why this is failing?
>
> Is there another place where the password is stored besides userPassword ?

The user password in IPA is not a simple hash. If you create a user in IPA and set his password this user will get a kerberos hash not a DS hash. So the problem you are facing is the problem of migrating passwords. It is not easily solvable with IPA 1.2.x. It is solved (as much as we think it can be solved) in v2.

In v2 there are two options:
1) You can instruct users to go to a special URL and pass the authentication there. The authentication against that page will allow IPA server to capture user password and generate appropriate kerberos hash
2) Using SSSD as a client. SSSD has special logic that allows it to handle this case behind the scenes. When user logs in and SSSD and IPA are configured in migration mode then SSSD will do everything automatically.

What is the version of IPA you are using? Would any of the two options work for you?

>
> tia
>
> DougC
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Thu Sep 16 02:14:00 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Sep 2010 22:14:00 -0400
Subject: [Freeipa-users] userPassword change with ldif
In-Reply-To: <4C9159CB.4050709@redhat.com>
References: <4C9159CB.4050709@redhat.com>
Message-ID: <4C917D68.5050809@redhat.com>

Dmitri Pal wrote:
> Doug Chapman wrote:
>> I'm working on migrating from SunDS to IPA and I've got everything
>> moved over, but I'm having some issues with userPassword. I'd like
>> users to be able to connect with their existing passwords and set and
>> force a password expiration after our transition is done.
>>
>> I can copy the {SHA} hash from SunDS to IPA and ldap authentication
>> works in IPA, but when I try to use kinit user@REALM it is failing
>> with an 'invalid password'.
>>
>> I've looked through the schema and can't find a separate 'krbPassword'
>> entry, can someone clarify for me why this is failing?
>>
>> Is there another place where the password is stored besides userPassword ?
>
> The user password in IPA is not a simple hash. If you create a user in
> IPA and set his password this user will get a kerberos hash not a DS
> hash. So the problem you are facing is the problem of migrating
> passwords. It is not easily solvable with IPA 1.2.x. It is solved (as
> much as we think it can be solved) in v2.
> In v2 there are two options:
> 1) You can instruct users to go to a special URL and pass the
> authentication there. The authentication against that page will allow
> IPA server to capture user password and generate appropriate kerberos hash
> 2) Using SSSD as a client. SSSD has special logic that allows it to
> handle this case behind the scenes. When user logs in and SSSD and IPA
> are configured in migration mode then SSSD will do everything
> automatically.
>
>
> What is the version of IPA you are using? Would any of the two options
> work for you?

As Dmitri said, the problem is that kerberos uses a different password attribute than LDAP. For passwords set within IPA we capture password changes from both LDAP and kerberos and keep the two in sync.

When you migrate just the LDAP password you need some mechanism to authenticate the user and reset the password, therefore creating the kerberos credentials and starting to keep the two in sync.

Off the top of my head, you may be able to do something in v1 with a little bit of work:

- When you load users via ldif add the krbPrincipalAux objectclass and set krbprincipalname to user@REALM.
- Write a simple web page that uses LDAP authentication. On the page itself prompt for a new password and use the LDAP protocol to change the password (this is pretty standard stuff).
- This should, in theory, add the kerberos credentials.

It should be pretty easy to verify using ldappasswd. If you get credentials by resetting the password with that then it should work using the more complex web-based procedure I outlined.

Actually, when you load your users via LDIF be sure to configure them using the same objectclasses we use to ensure that the IPA framework is going to see them as IPA users. You'll need to adhere to our tree structure as well.
rob

From danieljamesscott at gmail.com Thu Sep 16 16:19:27 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 16 Sep 2010 12:19:27 -0400
Subject: [Freeipa-users] 389-base-1.2.6-1.fc13.x86_64 package installed - fail to replicate.
Message-ID:

Hi,

This morning, I installed 389-base-1.2.6-1.fc13.x86_64 package on our Fedora 13 replica FreeIPA server (Update made available yesterday).

Ever since, the LDAP server has not been responding to requests. It is failing to replicate from our (name 'ohm' - Fedora 11) master FreeIPA server.

The dirsrv service appears to start correctly, however the log contains the following:

[16/Sep/2010:12:09:22 -0400] NSMMReplicationPlugin - agmt="cn=meToohm.example.com636" (ohm:636): Unable to parse the response to the startReplication extended operation. Replication is aborting.
[16/Sep/2010:12:09:22 -0400] NSMMReplicationPlugin - agmt="cn=meToohm.example.com636" (ohm:636): Incremental update failed and requires administrator action
[16/Sep/2010:12:10:09 -0400] - dn2entry: the dn "dc=example,dc=com" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.

The krb5kdc service fails to start at all.

Does anyone have any ideas for how to fix this?

Thanks,

Dan Scott

From rmeggins at redhat.com Thu Sep 16 19:49:39 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Sep 2010 13:49:39 -0600
Subject: [Freeipa-users] 389-base-1.2.6-1.fc13.x86_64 package installed - fail to replicate.
In-Reply-To:
References:
Message-ID: <4C9274D3.6030508@redhat.com>

Dan Scott wrote:
> Hi,
>
> This morning, I installed 389-base-1.2.6-1.fc13.x86_64 package on our
> Fedora 13 replica FreeIPA server (Update made available yesterday).
>
What version did you update from? Sounds like you are upgrading from an alpha or release candidate.
http://directory.fedoraproject.org/wiki/Release_Notes

> Ever since, the LDAP server has not been responding to requests. It is
> failing to replicate from our (name 'ohm' - Fedora 11) master FreeIPA
> server.
>
> The dirsrv service appears to start correctly, however the log
> contains the following:
>
> [16/Sep/2010:12:09:22 -0400] NSMMReplicationPlugin -
> agmt="cn=meToohm.example.com636" (ohm:636): Unable to parse the
> response to the startReplication extended operation. Replication is
> aborting.
> [16/Sep/2010:12:09:22 -0400] NSMMReplicationPlugin -
> agmt="cn=meToohm.example.com636" (ohm:636): Incremental update failed
> and requires administrator action
> [16/Sep/2010:12:10:09 -0400] - dn2entry: the dn "dc=example,dc=com"
> was in the entryrdn index, but it did not exist in id2entry of
> instance userRoot.
>
> The krb5kdc service fails to start at all.
>
> Does anyone have any ideas for how to fix this?
>
> Thanks,
>
> Dan Scott
>

From danieljamesscott at gmail.com Thu Sep 16 20:09:51 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 16 Sep 2010 16:09:51 -0400
Subject: [Freeipa-users] 389-base-1.2.6-1.fc13.x86_64 package installed - fail to replicate.
In-Reply-To: <4C9274D3.6030508@redhat.com>
References: <4C9274D3.6030508@redhat.com>
Message-ID:

Hi,

Thanks for the reply. It's been upgraded from F12:

On Thu, Sep 16, 2010 at 15:49, Rich Megginson wrote:
> Dan Scott wrote:
>> This morning, I installed 389-base-1.2.6-1.fc13.x86_64 package on our
>> Fedora 13 replica FreeIPA server (Update made available yesterday).
>>
>
> What version did you update from? Sounds like you are upgrading from an
> alpha or release candidate.
> http://directory.fedoraproject.org/wiki/Release_Notes

grep 389-ds-base yum.log
Jan 14 04:06:19 Updated: 389-ds-base-1.2.5-1.fc12.x86_64
Sep 16 08:17:29 Updated: 389-ds-base-1.2.6-1.fc13.x86_64

So from 1.2.5-1 (Fedora 12 version.)

Thanks,

Dan

From rmeggins at redhat.com Thu Sep 16 20:15:22 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Sep 2010 14:15:22 -0600
Subject: [Freeipa-users] 389-base-1.2.6-1.fc13.x86_64 package installed - fail to replicate.
In-Reply-To:
References: <4C9274D3.6030508@redhat.com>
Message-ID: <4C927ADA.7050903@redhat.com>

Dan Scott wrote:
> Hi,
>
> Thanks for the reply. It's been upgraded from F12:
>
> On Thu, Sep 16, 2010 at 15:49, Rich Megginson wrote:
>
>> Dan Scott wrote:
>>
>>> This morning, I installed 389-base-1.2.6-1.fc13.x86_64 package on our
>>> Fedora 13 replica FreeIPA server (Update made available yesterday).
>>>
>>>
>> What version did you update from? Sounds like you are upgrading from an
>> alpha or release candidate.
>> http://directory.fedoraproject.org/wiki/Release_Notes
>>
>
> grep 389-ds-base yum.log
> Jan 14 04:06:19 Updated: 389-ds-base-1.2.5-1.fc12.x86_64
> Sep 16 08:17:29 Updated: 389-ds-base-1.2.6-1.fc13.x86_64
>
> So from 1.2.5-1 (Fedora 12 version.)
>
> Thanks,
>
> Dan
>
hmm - looks like something went wrong with the entryrdn upgrade. Can you post your errors log e.g. on fpaste.org?

From danieljamesscott at gmail.com Thu Sep 16 20:30:39 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 16 Sep 2010 16:30:39 -0400
Subject: [Freeipa-users] 389-base-1.2.6-1.fc13.x86_64 package installed - fail to replicate.
In-Reply-To: <4C927ADA.7050903@redhat.com>
References: <4C9274D3.6030508@redhat.com> <4C927ADA.7050903@redhat.com>
Message-ID:

Hi,

I think that the (yum) log file I provided might be incorrect - not including packages upgraded using preupgrade.

I fixed it using this:

http://directory.fedoraproject.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer

I've used this fix before (and I believe that you helped me last time) :).
(Hmm, I just looked, and it appears that the error was different - dirsrv dying randomly compared to krb5kdc dying repeatably)

https://www.redhat.com/archives/freeipa-users/2010-August/msg00014.html

I was sure that this was a different error, sorry.

Thanks for your help,

Dan

On Thu, Sep 16, 2010 at 16:15, Rich Megginson wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> Thanks for the reply. It's been upgraded from F12:
>>
>> On Thu, Sep 16, 2010 at 15:49, Rich Megginson wrote:
>>
>>>
>>> Dan Scott wrote:
>>>
>>>>
>>>> This morning, I installed 389-base-1.2.6-1.fc13.x86_64 package on our
>>>> Fedora 13 replica FreeIPA server (Update made available yesterday).
>>>>
>>>>
>>>
>>> What version did you update from? Sounds like you are upgrading from an
>>> alpha or release candidate.
>>> http://directory.fedoraproject.org/wiki/Release_Notes
>>>
>>
>> grep 389-ds-base yum.log
>> Jan 14 04:06:19 Updated: 389-ds-base-1.2.5-1.fc12.x86_64
>> Sep 16 08:17:29 Updated: 389-ds-base-1.2.6-1.fc13.x86_64
>>
>> So from 1.2.5-1 (Fedora 12 version.)
>>
>> Thanks,
>>
>> Dan
>>
>
> hmm - looks like something went wrong with the entryrdn upgrade. Can you
> post your errors log e.g. on fpaste.org?
>

From james.roman at ssaihq.com Thu Sep 16 20:37:34 2010
From: james.roman at ssaihq.com (James Roman)
Date: Thu, 16 Sep 2010 16:37:34 -0400
Subject: [Freeipa-users] userPassword change with ldif
In-Reply-To: <4C917D68.5050809@redhat.com>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com>
Message-ID: <4C92800E.80105@ssaihq.com>

On 09/15/2010 10:14 PM, Rob Crittenden wrote:
>
> As Dmitri said, the problem is that kerberos uses a different password
> attribute than LDAP. For passwords set within IPA we capture password
> changes from both LDAP and kerberos and keep the two in sync.
>
> When you migrate just the LDAP password you need some mechanism to
> authenticate the user and reset the password, therefore creating the
> kerberos credentials and starting to keep the two in sync.
>
> Off the top of my head, you may be able to do something in v1 with a
> little bit of work:
>
> - When you load users via ldif add the krbPrincipalAux objectclass and
> set krbprincipalname to user@REALM.
> - Write a simple web page that uses LDAP authentication. On the page
> itself prompt for a new password and use the LDAP protocol to change
> the password (this is pretty standard stuff).
> - This should, in theory, add the kerberos credentials.

I can confirm that using an LDAP password reset function will sync both the LDAP and Kerberos passwords. If using a Perl website, be sure to use Net::LDAP::Extension::SetPassword. This is critical if your FreeIPA server is connected to an Active Directory server. Methods where you insert a pre-hashed value into the LDAP directory can't be propagated to the Windows Domain.

>
> It should be pretty easy to verify using ldappasswd. If you get
> credentials by resetting the password with that then it should work
> using the more complex web-based procedure I outlined.
>
> Actually, when you load your users via LDIF be sure to configure them
> using the same objectclasses we use to ensure that the IPA framework
> is going to see them as IPA users. You'll need to adhere to our tree
> structure as well.
>
> rob
>

From marc.schlinger at agorabox.org Fri Sep 17 18:11:42 2010
From: marc.schlinger at agorabox.org (Marc Schlinger)
Date: Fri, 17 Sep 2010 20:11:42 +0200
Subject: [Freeipa-users] Bug in ipa-server-install
Message-ID: <4C93AF5E.3030402@agorabox.org>

Hello all,

I have just spotted a bug during the ipa server installation process.

While configuring the CA server the installation crashes if the Directory Manager password contains a parenthesis "(".

The version I tried to install is ipa-server-1.9.0GITe42d3bc-0.ufo2.i686.rpm

This is the command which failed with:
-bash: syntax error near unexpected token `('

java -cp /usr/share/java/silent.jar:/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/pki/certsrv.jar:/usr/share/java/pki/cmscore.jar:/usr/share/java/pki/nsutil.jar:/usr/share/java/pki/cmsutil.jar:/usr/share/java/pkitools.jar:/usr/share/java/cstools.jar:/usr/share/java/pki/cstools.jar:/usr/share/pki/classes:/usr/share/java/xml-commons-resolver.jar:/usr/share/java/xerces-j2.jar:/usr/lib/java/osutil.jar: ConfigureCA -cs_hostname ipa-server.beta.agorabox.org -cs_port 9445 -client_certdb_dir /tmp/tmp-PNQa1v -client_certdb_pwd XXXXXXX -preop_pin MCOs0y2x2uBprJLhxDe7 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host ipa-server.beta.agorabox.org -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name
"CN=ipa-server.beta.agorabox.org,O=IPA" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone false

Shouldn't the passwords be quoted ?

Thanks for all,

Marc Schlinger

# Installation output

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring directory server for the CA:
  [1/4]: creating directory server user
  [2/4]: creating directory server instance
  [3/4]: configuring directory to start on boot
  [4/4]: restarting directory server
done configuring pkids.
Configuring certificate server:
  [1/15]: creating certificate server user
  [2/15]: restarting certificate server
  [3/15]: configuring certificate server instance
root : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-server.beta.agorabox.org -cs_port 9445 -client_certdb_dir /tmp/tmp-PNQa1v -client_certdb_pwd XXXXXXXX -preop_pin MCOs0y2x2uBprJLhxDe7 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host ipa-server.beta.agorabox.org -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=ipa-server.beta.agorabox.org,O=IPA" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone false' returned non-zero exit status 255
  [4/15]: restarting certificate server
  [5/15]: creating CA agent PKCS#12 file in /root
Unexpected error - see ipaserver-install.log for details:
Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d /tmp/tmp-PNQa1v -k /tmp/tmpCuiRb3 -w /tmp/tmpCuiRb3' returned non-zero exit status 24

From marc.schlinger at agorabox.org Fri Sep 17 18:17:29 2010
From: marc.schlinger at agorabox.org (Marc Schlinger)
Date: Fri, 17 Sep 2010 20:17:29 +0200
Subject: [Freeipa-users] Bug in ipa-server-install
In-Reply-To: <4C93AF5E.3030402@agorabox.org>
References: <4C93AF5E.3030402@agorabox.org>
Message-ID: <4C93B0B9.7010408@agorabox.org>

Re,

The original IPA commit I build my package from is the f20f4e63083638cecf8a9a8c88e9c4d164b89fcc

We have some home made mods so the package name I gave won't be of any help.

sorry

From rcritten at redhat.com Fri Sep 17 18:27:59 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 17 Sep 2010 14:27:59 -0400
Subject: [Freeipa-users] Bug in ipa-server-install
In-Reply-To: <4C93AF5E.3030402@agorabox.org>
References: <4C93AF5E.3030402@agorabox.org>
Message-ID: <4C93B32F.2020509@redhat.com>

Marc Schlinger wrote:
> Hello all,
>
> I have just spotted a bug during the ipa server installation process.
>
> While configuring the CA server the installation crashes if the
> Directory Manager password contains a parenthesis "(".
>
> The version I tried to install is
> ipa-server-1.9.0GITe42d3bc-0.ufo2.i686.rpm
>
>
> This is the command which failed with:
> -bash: syntax error near unexpected token `('
>
> java -cp
> /usr/share/java/silent.jar:/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/pki/certsrv.jar:/usr/share/java/pki/cmscore.jar:/usr/share/java/pki/nsutil.jar:/usr/share/java/pki/cmsutil.jar:/usr/share/java/pkitools.jar:/usr/share/java/cstools.jar:/usr/share/java/pki/cstools.jar:/usr/share/pki/classes:/usr/share/java/xml-commons-resolver.jar:/usr/share/java/xerces-j2.jar:/usr/lib/java/osutil.jar:
> ConfigureCA -cs_hostname ipa-server.beta.agorabox.org -cs_port 9445
> -client_certdb_dir /tmp/tmp-PNQa1v -client_certdb_pwd XXXXXXX -preop_pin
> MCOs0y2x2uBprJLhxDe7 -domain_name IPA -admin_user admin -admin_email
> root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
> "CN=ipa-ca-agent,O=IPA" -ldap_host ipa-server.beta.agorabox.org
> -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA"
> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
> -ca_server_cert_subject_name "CN=ipa-server.beta.agorabox.org,O=IPA"
> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA"
> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external
> false -clone false
>
> Shouldn't the passwords be quoted ?
>
> Thanks for all,
>
>
>
> Marc Schlinger
>
>
> # Installation output
>
> Directory Manager password:
> Password (confirm):
>
> The IPA server requires an administrative user, named 'admin'.
> This user is a regular system account used for IPA server administration.
>
> IPA admin password:
> Password (confirm):
>
>
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring directory server for the CA:
> [1/4]: creating directory server user
> [2/4]: creating directory server instance
> [3/4]: configuring directory to start on boot
> [4/4]: restarting directory server
> done configuring pkids.
> Configuring certificate server:
> [1/15]: creating certificate server user
> [2/15]: restarting certificate server
> [3/15]: configuring certificate server instance
> root : CRITICAL failed to restart ca instance Command '/usr/bin/perl
> /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-server.beta.agorabox.org
> -cs_port 9445 -client_certdb_dir /tmp/tmp-PNQa1v -client_certdb_pwd
> XXXXXXXX -preop_pin MCOs0y2x2uBprJLhxDe7 -domain_name IPA -admin_user
> admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host
> ipa-server.beta.agorabox.org -ldap_port 7389 -bind_dn "cn=Directory
> Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
> -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA"
> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
> -ca_server_cert_subject_name "CN=ipa-server.beta.agorabox.org,O=IPA"
> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA"
> -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external
> false -clone false' returned non-zero exit status 255
> [4/15]: restarting certificate server
> [5/15]: creating CA agent PKCS#12 file in /root
> Unexpected error - see ipaserver-install.log for details:
> Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d
> /tmp/tmp-PNQa1v -k /tmp/tmpCuiRb3 -w /tmp/tmpCuiRb3' returned non-zero
> exit status 24

Yes, I guess it wouldn't hurt to quote the passwords.
We call exec() to avoid bash, but it gets invoked later down the line by pkisilent so it gets interpreted. I'll open a ticket in our trac instance for this.

rob

From shan.sysadm at gmail.com Mon Sep 20 14:19:13 2010
From: shan.sysadm at gmail.com (Shan Kumaraswamy)
Date: Mon, 20 Sep 2010 17:19:13 +0300
Subject: [Freeipa-users] IPA AD Sync error
Message-ID:

Rich,

I am again facing some issue with IPA+AD Sync and I tested all the levels:

Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[saprhds001.bmibank.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]

I have imported the right CA to the IPA box and the output is:

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI
CA certificate                       CTu,u,Cu
Imported CA                          CT,,C
Server-Cert                          u,u,u

And I also did the openssl s_client option too, but no luck.

Without the cert, when I try an ldap search it gives output, but with the cert (AD CA) it throws an error.

Please help me fix this issue.

--
Thanks & Regards
Shan Kumaraswamy
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Mon Sep 20 15:31:56 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Sep 2010 09:31:56 -0600
Subject: [Freeipa-users] IPA AD Sync error
In-Reply-To:
References:
Message-ID: <4C977E6C.5020805@redhat.com>

Shan Kumaraswamy wrote:
> Rich,
> I am again facing some issue with IPA+AD Sync and I tested all the levels:
>
>
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP
> error: Can't contact LDAP server: start: 0: end: 0
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [saprhds001.bmibank.com ] reports:
> Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
> I have imported the right CA to the IPA box and the output is:
>
> Certificate Nickname                 Trust Attributes
>                                      SSL,S/MIME,JAR/XPI
> CA certificate                       CTu,u,Cu
> Imported CA                          CT,,C
> Server-Cert                          u,u,u
>
> And I also did the openssl s_client option too, but no luck.
What exactly did you do with openssl s_client?

Did you try
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""

> Without the cert, when I try an ldap search it gives output, but with the cert
> (AD CA) it throws an error.
>
> Please help me fix this issue.
>
>
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>

From Steven.Jones at vuw.ac.nz Tue Sep 21 00:57:34 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 21 Sep 2010 12:57:34 +1200
Subject: [Freeipa-users] problems installing freeipa v2
In-Reply-To: <4C917D68.5050809@redhat.com>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Section 4.3 of the manual....

Running the command,

ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: *******
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=vuw,dc=ac,dc=nz

ldapmodify: wrong attributeType at line 4, entry "cn=ipa_pwd_extop,cn=plugins,cn=config

I cannot figure out what is wrong here?
regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From Steven.Jones at vuw.ac.nz Tue Sep 21 01:34:27 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 21 Sep 2010 13:34:27 +1200
Subject: [Freeipa-users] getting a kerberos ticket for Firefox
In-Reply-To: <4C917D68.5050809@redhat.com>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959AD9@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

I am trying to web browse to the localhost and it is telling me to obtain a valid kerberos ticket and configure Firefox...

Where do I export / find this ticket? and how do I install it as a user so I can connect?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From rcritten at redhat.com Tue Sep 21 02:30:15 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Sep 2010 22:30:15 -0400
Subject: [Freeipa-users] getting a kerberos ticket for Firefox
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959AD9@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AD9@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9818B7.1060605@redhat.com>

Steven Jones wrote:
> Hi,
>
> I am trying to web browse to the localhost and it is telling me to obtain a valid kerberos ticket and configure Firefox...
>
> Where do I export / find this ticket? and how do I install it as a user so I can connect?

To configure Firefox see these instructions:
http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_the_IPA_Server-Configuring_Your_Browser.html

On the machine (and user) you are running Firefox from run:

kinit admin

Then you should be able to connect to https://ipa.example.com/

You really should use the FQDN of the IPA host.
We do a fair bit of redirecting so it may do the right thing but kerberos is very picky about host names. If they don't match up as it expected then things won't work.

Even with an unconfigured browser going to https://ipa.example.com/ should provide some instructions for configuring Firefox and provide a button that can auto-configure the browser. You just need to trust our CA first. Javascript is very picky (and for good reason) about letting a web site change your browser configuration.

rob

>
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From shan.sysadm at gmail.com Tue Sep 21 08:49:21 2010
From: shan.sysadm at gmail.com (Shan Kumaraswamy)
Date: Tue, 21 Sep 2010 11:49:21 +0300
Subject: [Freeipa-users] IPA AD Sync error
In-Reply-To: <4C977E6C.5020805@redhat.com>
References: <4C977E6C.5020805@redhat.com>
Message-ID:

Hi Rich,

While executing your command (ldapsearch), I am getting the following output:

*Command:*
/usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"

*Output:*
ldap_search: Can't contact LDAP server
SSL error -8179 (Peer's Certificate issuer is not recognized.)
*Command:*
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""

*Output:*
[root at saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010

** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 2
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010

** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 2 all 1
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server (-1)

Please help to resolve this issue.

On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson wrote:

> Shan Kumaraswamy wrote:
>
>> Rich,
>> I am again facing some issue with IPA+AD Sync and I tested all the levels:
>> Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error:
>> Can't contact LDAP server: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [saprhds001.bmibank.com ] reports: Update
>> failed! Status: [81 - LDAP error: Can't contact LDAP server]
>>
>> I have imported the right CA to the IPA box and the output is:
>> Certificate Nickname                 Trust Attributes
>>                                      SSL,S/MIME,JAR/XPI
>> CA certificate                       CTu,u,Cu
>> Imported CA                          CT,,C
>> Server-Cert                          u,u,u
>> And I also did the openssl s_client option too, but no luck.
>>
> What exactly did you do with openssl s_client?
> > Did you try > /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P > /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" > > LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h > fqdn.of.ad.hostname -p 389 -Z -s base -b "" > > Without cert when I try ldap search its gives out put. but with cert (AD >> CA) through error. >> Please help me fix this issue. >> >> >> -- >> Thanks & Regards >> Shan Kumaraswamy >> >> > -- Thanks & Regards Shan Kumaraswamy -------------- next part -------------- An HTML attachment was scrubbed... URL: From shan.sysadm at gmail.com Tue Sep 21 08:49:21 2010 From: shan.sysadm at gmail.com (Shan Kumaraswamy) Date: Tue, 21 Sep 2010 11:49:21 +0300 Subject: [Freeipa-users] IPA AD Sync error In-Reply-To: <4C977E6C.5020805@redhat.com> References: <4C977E6C.5020805@redhat.com> Message-ID: Hi Rich, While executing your command (ldapserch), I am getting the following output: ** *Command:* /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" ** *Output:* ldap_search: Can't contact LDAP server SSL error -8179 (Peer's Certificate issuer is not recognized.) 
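The trace in the message above reports `err: 20` / `unable to get local issuer certificate` for a leaf certificate whose issuer is `/DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA`: OpenSSL looked for that issuer's certificate in the file handed to `LDAPTLS_CACERT` and did not find it. The script below is an added illustration, not part of the thread or of FreeIPA. It reproduces the same failure offline with a throwaway CA and server certificate, then shows the two checks worth running before blaming the directory server: whether the trust file's subject equals the leaf's issuer, and whether `openssl verify` accepts the chain with that trust file. Every host and CA name in it is constructed for the demo; the only assumption is that the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "unable to get local issuer
# certificate" with constructed certificates, then show the fix.
# Assumes the openssl CLI is available. All names below are made up.
set -e

WORK=$(mktemp -d)

# Throwaway CA (constructed); stands in for the AD enterprise CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/DC=test/DC=example/CN=Example-Corp-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Throwaway server certificate (constructed); stands in for the domain
# controller's LDAP certificate, issued by the CA above.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=dc01.corp.example.test" \
    -keyout "$WORK/dc.key" -out "$WORK/dc.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/dc.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/dc.pem" >/dev/null 2>&1

# issuer_matches_trust_file CERT TRUSTFILE
# Returns 0 only when the leaf's issuer DN equals the trust file's subject DN.
# This is the relationship the "err 20" line is complaining about: the file
# given to the client must hold the certificate of the issuer named in the trace,
# not the server's own certificate.
issuer_matches_trust_file() {
    leaf_issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    trust_subject=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject= *//')
    printf 'leaf issuer  : %s\ntrust subject: %s\n' "$leaf_issuer" "$trust_subject"
    [ "$leaf_issuer" = "$trust_subject" ]
}

# verify_chain CERT TRUSTFILE
# Returns 0 when CERT chains to TRUSTFILE, which is the same decision
# ldapsearch -Z makes with LDAPTLS_CACERT pointing at TRUSTFILE. openssl's own
# error text is left on stdout so the reader sees the familiar message.
verify_chain() {
    openssl verify -CAfile "$2" "$1"
}

# Wrong trust file: the server's own certificate. Expected to fail with
# "unable to get local issuer certificate", exactly like the trace.
if verify_chain "$WORK/dc.pem" "$WORK/dc.pem"; then
    echo "unexpected: server certificate accepted as its own trust anchor"
fi

# Right trust file: the CA that actually issued the server certificate.
verify_chain "$WORK/dc.pem" "$WORK/ca.pem"
issuer_matches_trust_file "$WORK/dc.pem" "$WORK/ca.pem"
```

On a real deployment the same two commands are run against the certificate the domain controller presents (saved from `openssl s_client -connect host:636 -showcerts`, or `-starttls ldap` on 389) and the file intended for `LDAPTLS_CACERT`; if the issuer printed by the first check does not match the subject of the trust file, the file is the wrong certificate, and no amount of re-importing it into the NSS database will change the outcome.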
*Command:* LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b "" *Output:* ** [root at saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b "" ldap_create ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.8.27.22:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 3 ldap_result ld 0x1aa8c6f0 msgid 1 wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout) wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1 ** ld 0x1aa8c6f0 Connections: * host: sbpaddc003.corp.mydomain.ad port: 389 (default) refcnt: 2 status: Connected last used: Tue Sep 21 10:23:41 2010 ** ld 0x1aa8c6f0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x1aa8c6f0 Response Queue: Empty ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1 ldap_chkResponseList returns ld 0x1aa8c6f0 NULL ldap_int_select read1msg: ld 0x1aa8c6f0 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 40 contents: read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x1aa8c6f0 0 new referrals read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1 request done: ld 0x1aa8c6f0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: 
SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, unable to get local issuer certificate TLS certificate verification: depth: 0, err: 27, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, certificate not trusted TLS certificate verification: depth: 0, err: 21, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, unable to verify the first certificate TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A TLS trace: SSL3 alert write:warning:bad certificate TLS: unable to get peer certificate. 
ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush: 14 bytes to sd 3 ldap_result ld 0x1aa8c6f0 msgid 2 wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout) wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1 ** ld 0x1aa8c6f0 Connections: * host: sbpaddc003.corp.mydomain.ad port: 389 (default) refcnt: 2 status: Connected last used: Tue Sep 21 10:23:41 2010 ** ld 0x1aa8c6f0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** ld 0x1aa8c6f0 Response Queue: Empty ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1 ldap_chkResponseList returns ld 0x1aa8c6f0 NULL ldap_int_select read1msg: ld 0x1aa8c6f0 msgid 2 all 1 ber_get_next ldap_perror ldap_result: Can't contact LDAP server (-1) Please help to resolve this issue. On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson wrote: > Shan Kumaraswamy wrote: > >> Rich, >> I am again facing some issue with IPA+AD Sync and I tested all the levels: >> Windows PassSync entry exists, not resetting password >> INFO:root:Added new sync agreement, waiting for it to become ready . . . >> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: >> Can't contact LDAP server: start: 0: end: 0 >> INFO:root:Agreement is ready, starting replication . . . >> Starting replication, please wait until this has completed. >> [saprhds001.bmibank.com ] reports: Update >> failed! Status: [81 - LDAP error: Can't contact LDAP server] >> >> I have imported right CA to IPA box and the out put is: >> Certificate Nickname Trust >> Attributes >> >> SSL,S/MIME,JAR/XPI >> CA certificate CTu,u,Cu >> Imported CA CT,,C >> Server-Cert u,u,u >> And also I done the openssl s_client option too, but no luck. >> > What exactly did you do? with openssl s_client? 
> > Did you try > /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P > /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" > > LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h > fqdn.of.ad.hostname -p 389 -Z -s base -b "" > > Without cert when I try ldap search its gives out put. but with cert (AD >> CA) through error. >> Please help me fix this issue. >> >> >> -- >> Thanks & Regards >> Shan Kumaraswamy >> >> > -- Thanks & Regards Shan Kumaraswamy -------------- next part -------------- An HTML attachment was scrubbed... URL: From shan.sysadm at gmail.com Tue Sep 21 08:49:21 2010 From: shan.sysadm at gmail.com (Shan Kumaraswamy) Date: Tue, 21 Sep 2010 11:49:21 +0300 Subject: [Freeipa-users] IPA AD Sync error In-Reply-To: <4C977E6C.5020805@redhat.com> References: <4C977E6C.5020805@redhat.com> Message-ID: Hi Rich, While executing your command (ldapserch), I am getting the following output: ** *Command:* /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" ** *Output:* ldap_search: Can't contact LDAP server SSL error -8179 (Peer's Certificate issuer is not recognized.) 
*Command:* LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b "" *Output:* ** [root at saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b "" ldap_create ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.8.27.22:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 3 ldap_result ld 0x1aa8c6f0 msgid 1 wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout) wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1 ** ld 0x1aa8c6f0 Connections: * host: sbpaddc003.corp.mydomain.ad port: 389 (default) refcnt: 2 status: Connected last used: Tue Sep 21 10:23:41 2010 ** ld 0x1aa8c6f0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x1aa8c6f0 Response Queue: Empty ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1 ldap_chkResponseList returns ld 0x1aa8c6f0 NULL ldap_int_select read1msg: ld 0x1aa8c6f0 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 40 contents: read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x1aa8c6f0 0 new referrals read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1 request done: ld 0x1aa8c6f0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: 
SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, unable to get local issuer certificate TLS certificate verification: depth: 0, err: 27, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, certificate not trusted TLS certificate verification: depth: 0, err: 21, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, unable to verify the first certificate TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A TLS trace: SSL3 alert write:warning:bad certificate TLS: unable to get peer certificate. 
ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush: 14 bytes to sd 3 ldap_result ld 0x1aa8c6f0 msgid 2 wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout) wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1 ** ld 0x1aa8c6f0 Connections: * host: sbpaddc003.corp.mydomain.ad port: 389 (default) refcnt: 2 status: Connected last used: Tue Sep 21 10:23:41 2010 ** ld 0x1aa8c6f0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** ld 0x1aa8c6f0 Response Queue: Empty ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1 ldap_chkResponseList returns ld 0x1aa8c6f0 NULL ldap_int_select read1msg: ld 0x1aa8c6f0 msgid 2 all 1 ber_get_next ldap_perror ldap_result: Can't contact LDAP server (-1) Please help to resolve this issue. On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson wrote: > Shan Kumaraswamy wrote: > >> Rich, >> I am again facing some issue with IPA+AD Sync and I tested all the levels: >> Windows PassSync entry exists, not resetting password >> INFO:root:Added new sync agreement, waiting for it to become ready . . . >> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: >> Can't contact LDAP server: start: 0: end: 0 >> INFO:root:Agreement is ready, starting replication . . . >> Starting replication, please wait until this has completed. >> [saprhds001.bmibank.com ] reports: Update >> failed! Status: [81 - LDAP error: Can't contact LDAP server] >> >> I have imported right CA to IPA box and the out put is: >> Certificate Nickname Trust >> Attributes >> >> SSL,S/MIME,JAR/XPI >> CA certificate CTu,u,Cu >> Imported CA CT,,C >> Server-Cert u,u,u >> And also I done the openssl s_client option too, but no luck. >> > What exactly did you do? with openssl s_client? 
> > Did you try > /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P > /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" > > LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h > fqdn.of.ad.hostname -p 389 -Z -s base -b "" > > Without cert when I try ldap search its gives out put. but with cert (AD >> CA) through error. >> Please help me fix this issue. >> >> >> -- >> Thanks & Regards >> Shan Kumaraswamy >> >> > -- Thanks & Regards Shan Kumaraswamy -------------- next part -------------- An HTML attachment was scrubbed... URL: From shan.sysadm at gmail.com Tue Sep 21 08:49:21 2010 From: shan.sysadm at gmail.com (Shan Kumaraswamy) Date: Tue, 21 Sep 2010 11:49:21 +0300 Subject: [Freeipa-users] IPA AD Sync error In-Reply-To: <4C977E6C.5020805@redhat.com> References: <4C977E6C.5020805@redhat.com> Message-ID: Hi Rich, While executing your command (ldapserch), I am getting the following output: ** *Command:* /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" ** *Output:* ldap_search: Can't contact LDAP server SSL error -8179 (Peer's Certificate issuer is not recognized.) 
*Command:* LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b "" *Output:* ** [root at saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b "" ldap_create ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.8.27.22:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 3 ldap_result ld 0x1aa8c6f0 msgid 1 wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout) wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1 ** ld 0x1aa8c6f0 Connections: * host: sbpaddc003.corp.mydomain.ad port: 389 (default) refcnt: 2 status: Connected last used: Tue Sep 21 10:23:41 2010 ** ld 0x1aa8c6f0 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x1aa8c6f0 Response Queue: Empty ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1 ldap_chkResponseList returns ld 0x1aa8c6f0 NULL ldap_int_select read1msg: ld 0x1aa8c6f0 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 40 contents: read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x1aa8c6f0 0 new referrals read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1 request done: ld 0x1aa8c6f0 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: 
SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, unable to get local issuer certificate TLS certificate verification: depth: 0, err: 27, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, certificate not trusted TLS certificate verification: depth: 0, err: 21, subject: /CN= SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA TLS certificate verification: Error, unable to verify the first certificate TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A TLS trace: SSL3 alert write:warning:bad certificate TLS: unable to get peer certificate. 
ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush: 14 bytes to sd 3 ldap_result ld 0x1aa8c6f0 msgid 2 wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout) wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1 ** ld 0x1aa8c6f0 Connections: * host: sbpaddc003.corp.mydomain.ad port: 389 (default) refcnt: 2 status: Connected last used: Tue Sep 21 10:23:41 2010 ** ld 0x1aa8c6f0 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** ld 0x1aa8c6f0 Response Queue: Empty ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1 ldap_chkResponseList returns ld 0x1aa8c6f0 NULL ldap_int_select read1msg: ld 0x1aa8c6f0 msgid 2 all 1 ber_get_next ldap_perror ldap_result: Can't contact LDAP server (-1) Please help to resolve this issue. On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson wrote: > Shan Kumaraswamy wrote: > >> Rich, >> I am again facing some issue with IPA+AD Sync and I tested all the levels: >> Windows PassSync entry exists, not resetting password >> INFO:root:Added new sync agreement, waiting for it to become ready . . . >> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: >> Can't contact LDAP server: start: 0: end: 0 >> INFO:root:Agreement is ready, starting replication . . . >> Starting replication, please wait until this has completed. >> [saprhds001.bmibank.com ] reports: Update >> failed! Status: [81 - LDAP error: Can't contact LDAP server] >> >> I have imported right CA to IPA box and the out put is: >> Certificate Nickname Trust >> Attributes >> >> SSL,S/MIME,JAR/XPI >> CA certificate CTu,u,Cu >> Imported CA CT,,C >> Server-Cert u,u,u >> And also I done the openssl s_client option too, but no luck. >> > What exactly did you do? with openssl s_client? 
> > Did you try > /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P > /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" > > LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h > fqdn.of.ad.hostname -p 389 -Z -s base -b "" > > Without cert when I try ldap search its gives out put. but with cert (AD >> CA) through error. >> Please help me fix this issue. >> >> >> -- >> Thanks & Regards >> Shan Kumaraswamy >> >> > -- Thanks & Regards Shan Kumaraswamy -------------- next part -------------- An HTML attachment was scrubbed... URL: From shan.sysadm at gmail.com Tue Sep 21 08:49:21 2010 From: shan.sysadm at gmail.com (Shan Kumaraswamy) Date: Tue, 21 Sep 2010 11:49:21 +0300 Subject: [Freeipa-users] IPA AD Sync error In-Reply-To: <4C977E6C.5020805@redhat.com> References: <4C977E6C.5020805@redhat.com> Message-ID: Hi Rich, While executing your command (ldapserch), I am getting the following output: ** *Command:* /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*" ** *Output:* ldap_search: Can't contact LDAP server SSL error -8179 (Peer's Certificate issuer is not recognized.) 
Command:
LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""

Output:
[root at saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
ldap_create
ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.8.27.22:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 1
wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389 (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x1aa8c6f0 0 new referrals
read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1
request done: ld 0x1aa8c6f0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 14 bytes to sd 3
ldap_result ld 0x1aa8c6f0 msgid 2
wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
** ld 0x1aa8c6f0 Connections:
* host: sbpaddc003.corp.mydomain.ad  port: 389 (default)
  refcnt: 2  status: Connected
  last used: Tue Sep 21 10:23:41 2010
** ld 0x1aa8c6f0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x1aa8c6f0 Response Queue:
   Empty
ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
ldap_int_select
read1msg: ld 0x1aa8c6f0 msgid 2 all 1
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server (-1)

Please help to resolve this issue.

On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson wrote:
> Shan Kumaraswamy wrote:
>
>> Rich,
>> I am again facing some issue with IPA+AD Sync and I tested all the levels:
>> Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [saprhds001.bmibank.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
>>
>> I have imported the right CA to the IPA box and the output is:
>> Certificate Nickname                  Trust Attributes
>>                                       SSL,S/MIME,JAR/XPI
>> CA certificate                        CTu,u,Cu
>> Imported CA                           CT,,C
>> Server-Cert                           u,u,u
>> And I also did the openssl s_client option too, but no luck.
>>
> What exactly did you do with openssl s_client?
>
> Did you try
> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>
> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>
>> Without cert when I try ldap search it gives output, but with cert (AD CA) it throws an error.
>> Please help me fix this issue.
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy

--
Thanks & Regards
Shan Kumaraswamy

From rmeggins at redhat.com Tue Sep 21 13:16:51 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Sep 2010 07:16:51 -0600
Subject: [Freeipa-users] IPA AD Sync error
In-Reply-To:
References: <4C977E6C.5020805@redhat.com>
Message-ID: <4C98B043.10700@redhat.com>

Shan Kumaraswamy wrote:
> Hi Rich,
> While executing your command (ldapsearch), I am getting the following output:
>
> _Command:_
> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>
> _Output:_
> ldap_search: Can't contact LDAP server
> SSL error -8179 (Peer's Certificate issuer is not recognized.)
> _Command:_
> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>
> _Output:_
>
> [root at saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
> ldap_create
> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.8.27.22:389
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush: 31 bytes to sd 3
> ldap_result ld 0x1aa8c6f0 msgid 1
> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
> ** ld 0x1aa8c6f0 Connections:
> * host: sbpaddc003.corp.mydomain.ad  port: 389 (default)
>   refcnt: 2  status: Connected
>   last used: Tue Sep 21 10:23:41 2010
> ** ld 0x1aa8c6f0 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** ld 0x1aa8c6f0 Response Queue:
>    Empty
> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
> ldap_int_select
> read1msg: ld 0x1aa8c6f0 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 40 contents:
> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
> ber_scanf fmt ({eaa) ber:
> read1msg: ld 0x1aa8c6f0 0 new referrals
> read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1
> request done: ld 0x1aa8c6f0 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_parse_extended_result
> ber_scanf fmt ({eaa) ber:
> ber_scanf fmt (a) ber:
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_scanf fmt (x) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
> TLS certificate verification: Error, unable to get local issuer certificate

Unable to get local issuer certificate? Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA? Do you have more than one CA or subordinate CAs? If so, you may need to have the entire CA cert chain in the file.

If you are sure that adcacert.asc is from the AD CA, then try adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above ldapsearch again.

Let's see what the subject and issuer are in the CA cert:
openssl x509 -in /path/to/adcacert.asc -text

> TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
> TLS certificate verification: Error, certificate not trusted
> TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
> TLS certificate verification: Error, unable to verify the first certificate
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> TLS trace: SSL3 alert write:warning:bad certificate
> TLS: unable to get peer certificate.
> ldap_bind > ldap_simple_bind > ldap_sasl_bind > ldap_send_initial_request > ldap_send_server_request > ber_scanf fmt ({it) ber: > ber_scanf fmt ({i) ber: > ber_flush: 14 bytes to sd 3 > ldap_result ld 0x1aa8c6f0 msgid 2 > wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout) > wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1 > ** ld 0x1aa8c6f0 Connections: > * host: sbpaddc003.corp.mydomain.ad > port: 389 (default) > refcnt: 2 status: Connected > last used: Tue Sep 21 10:23:41 2010 > ** ld 0x1aa8c6f0 Outstanding Requests: > * msgid 2, origid 2, status InProgress > outstanding referrals 0, parent count 0 > ** ld 0x1aa8c6f0 Response Queue: > Empty > ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1 > ldap_chkResponseList returns ld 0x1aa8c6f0 NULL > ldap_int_select > read1msg: ld 0x1aa8c6f0 msgid 2 all 1 > ber_get_next > ldap_perror > ldap_result: Can't contact LDAP server (-1) > > Please help to resolve this issue. > > > > > On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson > wrote: > > Shan Kumaraswamy wrote: > > Rich, > I am again facing some issue with IPA+AD Sync and I tested all > the levels: > Windows PassSync entry exists, not resetting password > INFO:root:Added new sync agreement, waiting for it to become > ready . . . > INFO:root:Replication Update in progress: FALSE: status: 81 - > LDAP error: Can't contact LDAP server: start: 0: end: 0 > INFO:root:Agreement is ready, starting replication . . . > Starting replication, please wait until this has completed. > [saprhds001.bmibank.com > >] reports: Update failed! > Status: [81 - LDAP error: Can't contact LDAP server] > > I have imported right CA to IPA box and the out put is: > Certificate Nickname > Trust Attributes > > SSL,S/MIME,JAR/XPI > CA certificate > CTu,u,Cu > Imported CA CT,,C > Server-Cert u,u,u > And also I done the openssl s_client option too, but no luck. > > What exactly did you do? with openssl s_client? 
>
> Did you try
> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>
> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>
> Without cert when I try ldap search it gives output, but with cert (AD CA) it throws an error.
> Please help me fix this issue.
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>
>
> --
> Thanks & Regards
> Shan Kumaraswamy

From danieljamesscott at gmail.com Tue Sep 21 14:03:01 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 21 Sep 2010 10:03:01 -0400
Subject: [Freeipa-users] Upgrade from Fedora 11 to 13
Message-ID:

Hi,

We have 2 FreeIPA servers. The slave has already been upgraded from Fedora 11 to 13 and I am preparing to upgrade the master from 11. Does anyone have any hints/tips for this process? I'm planning to use preupgrade (which worked fine for the slave server). I'm just concerned about what to do if there are any problems. I'll obviously take a full backup before I start.

If the upgrade fails and I need to re-install, will it be OK to just configure it as a new server? I guess that I'll need to copy in the certificate, but can I just replicate from the slave server? Or will the slave server replicate my new server and lose everything?

Thanks,

Dan

From shan.sysadm at gmail.com Tue Sep 21 16:43:12 2010
From: shan.sysadm at gmail.com (Shan Kumaraswamy)
Date: Tue, 21 Sep 2010 19:43:12 +0300
Subject: [Freeipa-users] IPA AD Sync error
In-Reply-To: <4C98B043.10700@redhat.com>
References: <4C977E6C.5020805@redhat.com> <4C98B043.10700@redhat.com>
Message-ID:

Hi Rich,
Finally I imported the right CA into the IPA box; now I am getting this error while executing the sync command:

INFO:root:
INFO:root:
INFO:root:
INFO:root:Starting dirsrv: MYDOMAIN-COM...                 [  OK  ]
INFO:root:
INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for saprhds001.mydomain.com
INFO:root:Restarted directory server saprhds001.mydomain.com
INFO:root:Could not validate connection to remote server sbpaddc003.mydomain.ad:636 - continuing
INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100921163646Z: end: 20100921163646Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad

Please advise.

On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson wrote:
> Shan Kumaraswamy wrote:
>
>> Hi Rich,
>> While executing your command (ldapsearch), I am getting the following output:
>> _Command:_
>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>> _Output:_
>> ldap_search: Can't contact LDAP server
>> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>> _Command:_ >> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h >> fqdn.of.ad.hostname -p 389 -Z -s base -b "" >> _Output:_ >> [root at saprhds001 ~]# >> LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 >> -x -h sbpaddc003.corp.mydomain.ad -p >> 389 -Z -s base -b "" >> ldap_create >> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389 > sbpaddc003.corp.mydomain.ad:389/>) >> >> ldap_extended_operation_s >> ldap_extended_operation >> ldap_send_initial_request >> ldap_new_connection 1 1 0 >> ldap_int_open_connection >> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389 < >> http://sbpaddc003.corp.mydomain.ad:389> >> >> ldap_new_socket: 3 >> ldap_prepare_socket: 3 >> ldap_connect_to_host: Trying 10.8.27.22:389 >> >> ldap_connect_timeout: fd: 3 tm: -1 async: 0 >> ldap_open_defconn: successful >> ldap_send_server_request >> ber_scanf fmt ({it) ber: >> ber_scanf fmt ({) ber: >> ber_flush: 31 bytes to sd 3 >> ldap_result ld 0x1aa8c6f0 msgid 1 >> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout) >> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1 >> ** ld 0x1aa8c6f0 Connections: >> * host: sbpaddc003.corp.mydomain.ad >> port: 389 (default) >> >> refcnt: 2 status: Connected >> last used: Tue Sep 21 10:23:41 2010 >> ** ld 0x1aa8c6f0 Outstanding Requests: >> * msgid 1, origid 1, status InProgress >> outstanding referrals 0, parent count 0 >> ** ld 0x1aa8c6f0 Response Queue: >> Empty >> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1 >> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL >> ldap_int_select >> read1msg: ld 0x1aa8c6f0 msgid 1 all 1 >> ber_get_next >> ber_get_next: tag 0x30 len 40 contents: >> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result >> ber_scanf fmt ({eaa) ber: >> read1msg: ld 0x1aa8c6f0 0 new referrals >> read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1 >> request done: ld 0x1aa8c6f0 msgid 1 >> res_errno: 0, res_error: <>, res_matched: <> >> ldap_free_request (origid 1, msgid 1) >> 
ldap_parse_extended_result >> ber_scanf fmt ({eaa) ber: >> ber_scanf fmt (a) ber: >> ldap_parse_result >> ber_scanf fmt ({iaa) ber: >> ber_scanf fmt (x) ber: >> ber_scanf fmt (}) ber: >> ldap_msgfree >> TLS trace: SSL_connect:before/connect initialization >> TLS trace: SSL_connect:SSLv2/v3 write client hello A >> TLS trace: SSL_connect:SSLv3 read server hello A >> TLS certificate verification: depth: 0, err: 20, subject: /CN= >> SBPADDC003.Corp.MYDOMAIN.AD < >> http://SBPADDC003.Corp.MYDOMAIN.AD >, >> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA >> >> TLS certificate verification: Error, unable to get local issuer >> certificate >> > Unable to get local issuer certificate? Is the adcacert.asc file the > actual CA cert in ascii/pem/base64 format from the AD CA? Do you have more > than one CA or subordinate CAs? If so, you may need to have the entire CA > cert chain in the file. > > If you are sure that adcacert.asc is from the AD CA, then try adding > TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above > ldapsearch again. 
> > Let's see what the subject and issuer are in the CA cert: > openssl x509 -in /path/to/adcacert.asc -text > >> TLS certificate verification: depth: 0, err: 27, subject: /CN= >> SBPADDC003.Corp.MYDOMAIN.AD < >> http://SBPADDC003.Corp.MYDOMAIN.AD >, >> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA >> >> TLS certificate verification: Error, certificate not trusted >> TLS certificate verification: depth: 0, err: 21, subject: /CN= >> SBPADDC003.Corp.MYDOMAIN.AD < >> http://SBPADDC003.Corp.MYDOMAIN.AD >, >> issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA >> >> TLS certificate verification: Error, unable to verify the first >> certificate >> TLS trace: SSL_connect:SSLv3 read server certificate A >> TLS trace: SSL_connect:SSLv3 read server certificate request A >> TLS trace: SSL_connect:SSLv3 read server done A >> TLS trace: SSL_connect:SSLv3 write client certificate A >> TLS trace: SSL_connect:SSLv3 write client key exchange A >> TLS trace: SSL_connect:SSLv3 write change cipher spec A >> TLS trace: SSL_connect:SSLv3 write finished A >> TLS trace: SSL_connect:SSLv3 flush data >> TLS trace: SSL_connect:SSLv3 read finished A >> TLS trace: SSL3 alert write:warning:bad certificate >> TLS: unable to get peer certificate. 
>> ldap_bind >> ldap_simple_bind >> ldap_sasl_bind >> ldap_send_initial_request >> ldap_send_server_request >> ber_scanf fmt ({it) ber: >> ber_scanf fmt ({i) ber: >> ber_flush: 14 bytes to sd 3 >> ldap_result ld 0x1aa8c6f0 msgid 2 >> wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout) >> wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1 >> ** ld 0x1aa8c6f0 Connections: >> * host: sbpaddc003.corp.mydomain.ad >> port: 389 (default) >> >> refcnt: 2 status: Connected >> last used: Tue Sep 21 10:23:41 2010 >> ** ld 0x1aa8c6f0 Outstanding Requests: >> * msgid 2, origid 2, status InProgress >> outstanding referrals 0, parent count 0 >> ** ld 0x1aa8c6f0 Response Queue: >> Empty >> ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1 >> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL >> ldap_int_select >> read1msg: ld 0x1aa8c6f0 msgid 2 all 1 >> ber_get_next >> ldap_perror >> ldap_result: Can't contact LDAP server (-1) >> Please help to resolve this issue. >> > > >> >> >> On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson > rmeggins at redhat.com>> wrote: >> >> Shan Kumaraswamy wrote: >> >> Rich, >> I am again facing some issue with IPA+AD Sync and I tested all >> the levels: >> Windows PassSync entry exists, not resetting password >> INFO:root:Added new sync agreement, waiting for it to become >> ready . . . >> INFO:root:Replication Update in progress: FALSE: status: 81 - >> LDAP error: Can't contact LDAP server: start: 0: end: 0 >> INFO:root:Agreement is ready, starting replication . . . >> Starting replication, please wait until this has completed. >> [saprhds001.bmibank.com >> > >> >] reports: Update failed! >> Status: [81 - LDAP error: Can't contact LDAP server] >> >> I have imported right CA to IPA box and the out put is: >> Certificate Nickname >> Trust Attributes >> >> SSL,S/MIME,JAR/XPI >> CA certificate >> CTu,u,Cu >> Imported CA CT,,C >> Server-Cert u,u,u >> And also I done the openssl s_client option too, but no luck. >> >> What exactly did you do? with openssl s_client? 
>>
>> Did you try
>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>
>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>
>> Without cert when I try ldap search it gives output, but with cert (AD CA) it throws an error.
>> Please help me fix this issue.
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy
>>
>>
>> --
>> Thanks & Regards
>> Shan Kumaraswamy

--
Thanks & Regards
Shan Kumaraswamy

From rmeggins at redhat.com Tue Sep 21 17:20:04 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Sep 2010 11:20:04 -0600
Subject: [Freeipa-users] IPA AD Sync error
In-Reply-To:
References: <4C977E6C.5020805@redhat.com> <4C98B043.10700@redhat.com>
Message-ID: <4C98E944.7030104@redhat.com>

Shan Kumaraswamy wrote:
> Hi Rich,
> Finally I imported the right CA into the IPA box; now I am getting this error while executing the sync command:
>
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv: MYDOMAIN-COM...                 [  OK  ]
> INFO:root:
> INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for saprhds001.mydomain.com
> INFO:root:Restarted directory server saprhds001.mydomain.com
>
> INFO:root:Could not validate connection to remote server sbpaddc003.mydomain.ad:636 - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

This is normal, due to a limitation in the way python-ldap loads CA certs. You can ignore this.

> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100921163646Z: end: 20100921163646Z
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update succeeded
> INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad
>

Looks like it is working - so far, so good.

>
> Please advise.
>
> On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson wrote:
>> Shan Kumaraswamy wrote:
>>> Hi Rich,
>>> While executing your command (ldapsearch), I am getting the following output:
>>> _Command:_
>>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>> _Output:_
>>> ldap_search: Can't contact LDAP server
>>> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>>> _Command:_
>>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>> _Output:_
>>> [root at saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
>>> ldap_create
>>> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
>>> ldap_extended_operation_s
>>> ldap_extended_operation
>>> ldap_send_initial_request
>>> ldap_new_connection 1 1 0
>>> ldap_int_open_connection
>>> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
>>> ldap_new_socket: 3
>>> ldap_prepare_socket: 3
>>> ldap_connect_to_host: Trying 10.8.27.22:389
>>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>>> ldap_open_defconn: successful
>>> ldap_send_server_request
>>> ber_scanf fmt ({it) ber:
>>> ber_scanf fmt ({) ber:
>>> ber_flush: 31 bytes to sd 3
>>> ldap_result ld 0x1aa8c6f0 msgid 1
>>> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
>>> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
>>> ** ld 0x1aa8c6f0 Connections:
>>> * host: sbpaddc003.corp.mydomain.ad  port: 389 (default)
>>>   refcnt: 2  status: Connected
>>>   last used: Tue Sep 21 10:23:41 2010
>>> ** ld 0x1aa8c6f0 Outstanding Requests:
>>>  * msgid 1,  origid 1, status InProgress
>>>    outstanding referrals 0, parent count 0
>>> ** ld 0x1aa8c6f0 Response Queue:
>>>    Empty
>>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
>>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>>> ldap_int_select
>>> read1msg: ld 0x1aa8c6f0 msgid 1 all 1
>>> ber_get_next
>>> ber_get_next: tag 0x30 len 40 contents:
>>> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
>>> ber_scanf fmt ({eaa) ber:
>>> read1msg: ld 0x1aa8c6f0 0 new referrals
>>> read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1
>>> request done: ld 0x1aa8c6f0 msgid 1
>>> res_errno: 0, res_error: <>, res_matched: <>
>>> ldap_free_request (origid 1, msgid 1)
>>> ldap_parse_extended_result
>>> ber_scanf fmt ({eaa) ber:
>>> ber_scanf fmt (a) ber:
>>> ldap_parse_result
>>> ber_scanf fmt ({iaa) ber:
>>> ber_scanf fmt (x) ber:
>>> ber_scanf fmt (}) ber:
>>> ldap_msgfree
>>> TLS trace: SSL_connect:before/connect initialization
>>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>> TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>> TLS certificate verification: Error, unable to get local issuer certificate
>>
>> Unable to get local issuer certificate? Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA? Do you have more than one CA or subordinate CAs? If so, you may need to have the entire CA cert chain in the file.
>>
>> If you are sure that adcacert.asc is from the AD CA, then try adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above ldapsearch again.
> > Let's see what the subject and issuer are in the CA cert: > openssl x509 -in /path/to/adcacert.asc -text > > TLS certificate verification: depth: 0, err: 27, subject: > /CN=SBPADDC003.Corp.MYDOMAIN.AD > > >, issuer: > /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA > > TLS certificate verification: Error, certificate not trusted > TLS certificate verification: depth: 0, err: 21, subject: > /CN=SBPADDC003.Corp.MYDOMAIN.AD > > >, issuer: > /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA > > TLS certificate verification: Error, unable to verify the > first certificate > TLS trace: SSL_connect:SSLv3 read server certificate A > TLS trace: SSL_connect:SSLv3 read server certificate request A > TLS trace: SSL_connect:SSLv3 read server done A > TLS trace: SSL_connect:SSLv3 write client certificate A > TLS trace: SSL_connect:SSLv3 write client key exchange A > TLS trace: SSL_connect:SSLv3 write change cipher spec A > TLS trace: SSL_connect:SSLv3 write finished A > TLS trace: SSL_connect:SSLv3 flush data > TLS trace: SSL_connect:SSLv3 read finished A > TLS trace: SSL3 alert write:warning:bad certificate > TLS: unable to get peer certificate. 
> ldap_bind > ldap_simple_bind > ldap_sasl_bind > ldap_send_initial_request > ldap_send_server_request > ber_scanf fmt ({it) ber: > ber_scanf fmt ({i) ber: > ber_flush: 14 bytes to sd 3 > ldap_result ld 0x1aa8c6f0 msgid 2 > wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout) > wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1 > ** ld 0x1aa8c6f0 Connections: > * host: sbpaddc003.corp.mydomain.ad > > > port: 389 (default) > > refcnt: 2 status: Connected > last used: Tue Sep 21 10:23:41 2010 > ** ld 0x1aa8c6f0 Outstanding Requests: > * msgid 2, origid 2, status InProgress > outstanding referrals 0, parent count 0 > ** ld 0x1aa8c6f0 Response Queue: > Empty > ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1 > ldap_chkResponseList returns ld 0x1aa8c6f0 NULL > ldap_int_select > read1msg: ld 0x1aa8c6f0 msgid 2 all 1 > ber_get_next > ldap_perror > ldap_result: Can't contact LDAP server (-1) > Please help to resolve this issue. > > > > > > On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson > > >> wrote: > > Shan Kumaraswamy wrote: > > Rich, > I am again facing some issue with IPA+AD Sync and I > tested all > the levels: > Windows PassSync entry exists, not resetting password > INFO:root:Added new sync agreement, waiting for it to > become > ready . . . > INFO:root:Replication Update in progress: FALSE: > status: 81 - > LDAP error: Can't contact LDAP server: start: 0: end: 0 > INFO:root:Agreement is ready, starting replication . . . > Starting replication, please wait until this has completed. > [saprhds001.bmibank.com > > > > >] reports: Update failed! > Status: [81 - LDAP error: Can't contact LDAP server] > > I have imported right CA to IPA box and the out put is: > Certificate Nickname > Trust Attributes > > SSL,S/MIME,JAR/XPI > CA certificate > CTu,u,Cu > Imported CA > CT,,C > Server-Cert > u,u,u > And also I done the openssl s_client option too, but > no luck. > > What exactly did you do? with openssl s_client? 
>
> Did you try
> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>
> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>
> Without cert when I try ldap search it gives output, but with cert (AD CA) it throws an error.
> Please help me fix this issue.
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>
>
> --
> Thanks & Regards
> Shan Kumaraswamy

From Steven.Jones at vuw.ac.nz Tue Sep 21 21:49:49 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 09:49:49 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Since there seems to be no explanation why I can't update via ldapmodify, can I install "some" of the 389 GUI parts to allow me to do this via its GUI?

If so how?

And/Or how can I get a look at the attributes to figure out what's wrong with the commands? Something like you have changed ver2 from ver1 and the doc hasn't been corrected?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, 21 September 2010 12:58 p.m.
To: Freeipa-users at redhat.com
Subject: [Freeipa-users] probems installin freeipa v2

Section 4.3 of the manual....
Running the command,

ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: *******
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=vuw,dc=ac,dc=nz

ldapmodify: wrong attributeType at line 4, entry "cn=ipa_pwd_extop,cn=plugins,cn=config

I cannot figure out what is wrong here?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Tue Sep 21 22:02:02 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Sep 2010 18:02:02 -0400
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C992B5A.5010402@redhat.com>

Steven Jones wrote:
> Hi,
>
> Since there seems to be no explanation why I can't update via ldapmodify,

It wasn't entirely clear what version of IPA you were using. You filed a doc bug against v1 and asked other basic questions, I assumed you had the version wrong.

I figured this would come back up once you were able to kinit and get to the GUI.

> Can I install "some" of the 389 GUI parts to allow me to do this via its GUI?

This is strongly discouraged.

> If so how?
>
> And/or how can I get a look at the attributes to figure out what's wrong with the commands? Something like you have changed ver2 from ver1 and the doc hasn't been corrected?

It works for me in the IPA v2 git head. What does your entry look like now?
$ ldapsearch -x -D 'cn=directory manager' -W -s base -b 'cn=ipa_pwd_extop,cn=plugins,cn=config'

And more importantly, what is the rpm version of the IPA server you are using? The version of 389-ds-base might be handy too.

rob

From Steven.Jones at vuw.ac.nz Tue Sep 21 22:17:49 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 10:17:49 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <4C992B5A.5010402@redhat.com>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

This is Fedora 13 with the yum repo setup as per your web site...

389-ds-base-1.2.6-1.fc13.x86_64
ipa-server-1.2.2-4.fc13.x86_64

Your ldapsearch command gives me,

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

um...... So the LDAP server is dead?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From Steven.Jones at vuw.ac.nz Tue Sep 21 22:48:56 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 10:48:56 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

I backed out the snapshot and restarted....now I get,

====================
# extended LDIF
#
# LDAPv3
# base with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: ipa_pwd_extop
nsslapd-pluginPath: libipa_pwd_extop
nsslapd-pluginInitfunc: ipapwd_init
nsslapd-pluginType: extendedop
nsslapd-pluginEnabled: on
nsslapd-pluginId: IPA Password Manager
nsslapd-pluginVersion: FreeIPA/1.0
nsslapd-pluginVendor: FreeIPA project
nsslapd-pluginDescription: IPA Password Extended Operation plugin
nsslapd-plugin-depends-on-type: database
nsslapd-realmtree: dc=vuw,dc=ac,dc=nz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
===============================

I tried again, this line seems to be the issue,

dn: cn=ipa_pwd_extop,cn=plugins,cn=config

So I simply follow the guide and input each line one by one? hitting enter at the end of each line?

My impression is it's like I am doing something wrong because the instruction is so unclear....really the manuals are written by ppl that know how to do this syntax well....so you are maybe overlooking my simple misunderstanding of how to enter these commands correctly.

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From Steven.Jones at vuw.ac.nz Wed Sep 22 01:25:34 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 13:25:34 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz>

This time I copied the output from the ldapsearch command

"dn: cn=ipa_pwd_extop,cn=plugins,cn=config"

and it worked...

?

So, section 4.4

ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
--bindpw password --cacert /path/to/certfile.cer adserver.example.com -v

This appears to be wrong?

It should be,

ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
--cacert /path/to/certfile.cer adserver.example.com --passsync -v

?
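The "wrong attributeType at line 4" error earlier in this thread went away once the dn line was pasted from ldapsearch output, which is consistent with a record that looks right on screen but contains something the LDIF parser rejects. As an added example, not code from this thread or from the FreeIPA project, here is a small Python linter that checks a single LDIF modify record for the defects that produce that error or a silently wrong value: attribute names outside RFC 4512 syntax, hidden non-ASCII or control characters, trailing whitespace and a missing `changetype` line. The sample records are constructed for the example (the second one has a no-break space pasted into line 4), and the function and constant names are mine.

```python
"""Lint one LDIF change record before handing it to ldapmodify.

Checks the things that typically produce "ldapmodify: wrong attributeType at
line N" or a silently wrong value: attribute names outside RFC 4512
AttributeDescription syntax, hidden non-ASCII or control characters pasted
from a PDF or web page, trailing whitespace after a value, and a missing
'changetype: modify' line.  Continuation lines (RFC 2849, leading space) are
unfolded first so line numbers match what ldapmodify reports.
"""
import re
import unicodedata

# RFC 4512 AttributeDescription: keystring or numeric OID, optional ';option's.
ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*$")
MOD_OPS = ("add", "delete", "replace")


def unfold(text):
    """Return [(first_physical_line_no, logical_line), ...] with RFC 2849 folding undone."""
    logical = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and logical:
            prev_no, prev = logical[-1]
            logical[-1] = (prev_no, prev + raw[1:])
        else:
            logical.append((no, raw))
    return logical


def lint_ldif_modify(text):
    """Return [(line_no, message), ...] for a single modify record; [] means clean."""
    problems = []
    lines = [(no, l) for no, l in unfold(text) if l and not l.startswith("#")]
    if not lines or not lines[0][1].lower().startswith("dn:"):
        problems.append((lines[0][0] if lines else 1, "record must begin with a 'dn:' line"))
    seen_changetype = False
    for no, line in lines:
        # 1. hidden characters: anything outside printable ASCII in a pasted record
        for ch in line:
            if not 0x20 <= ord(ch) <= 0x7E:
                problems.append((no, "hidden character U+%04X (%s)"
                                 % (ord(ch), unicodedata.name(ch, "unnamed"))))
                break
        # 2. the parser does not strip trailing whitespace; it lands in the value
        if line != line.rstrip():
            problems.append((no, "trailing whitespace becomes part of the value"))
        if line.rstrip() == "-":
            continue  # separator between modify operations
        # 3. attrval-spec: name ':' value, with '::' (base64) and ':<' (URL) variants
        name, sep, value = line.partition(":")
        if not sep:
            problems.append((no, "no ':' separator; not an attribute/value line"))
            continue
        if not ATTR_RE.match(name):
            problems.append((no, "invalid attribute type %r" % name))
            continue
        value = value.lstrip(":<").strip()
        lname = name.lower()
        # 4. record structure: changetype must precede add/delete/replace operations
        if lname == "changetype":
            seen_changetype = True
            if value != "modify":
                problems.append((no, "expected 'changetype: modify', got %r" % value))
        elif lname in MOD_OPS:
            if not seen_changetype:
                problems.append((no, "'%s:' appears before 'changetype: modify'" % lname))
            if not ATTR_RE.match(value):
                problems.append((no, "'%s:' names an invalid attribute type %r" % (lname, value)))
    if lines and not seen_changetype:
        problems.append((lines[-1][0], "no 'changetype: modify' line in the record"))
    return problems


# Constructed samples: the record from the thread, and the same record with a
# no-break space (U+00A0) pasted into the attribute name on line 4.
CLEAN_RECORD = """dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=vuw,dc=ac,dc=nz
"""
PASTED_RECORD = CLEAN_RECORD.replace("\npassSyncManagersDNs:", "\npassSyncManagersDNs\u00a0:")

if __name__ == "__main__":
    for label, rec in (("clean", CLEAN_RECORD), ("pasted", PASTED_RECORD)):
        print(label, lint_ldif_modify(rec) or "OK")
```

Run it on a saved record (or pipe the text in) before typing the same lines at an interactive ldapmodify prompt. Flagging every non-ASCII character is deliberate rather than a false-positive risk: RFC 2849 already requires a value containing non-ASCII bytes to be base64-encoded on a `::` line, so a raw non-ASCII character in a pasted record is a defect either way. `cat -A` on the file shows the same hidden bytes if you prefer to inspect by hand.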
regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From rcritten at redhat.com Wed Sep 22 01:57:15 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Sep 2010 21:57:15 -0400
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C99627B.4080905@redhat.com>

Steven Jones wrote:
> This time I copied the output from the ldapsearch command
>
> "dn: cn=ipa_pwd_extop,cn=plugins,cn=config"
>
> and it worked...

Cosmic rays maybe, those strings look identical to me. Glad it's working now in any case.

> ?
>
> So, section 4.4
>
> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
> --bindpw password --cacert /path/to/certfile.cer adserver.example.com -v
>
> This appears to be wrong?
>
> It should be,
>
> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
> --cacert /path/to/certfile.cer adserver.example.com --passsync -v
>

You're right in that --passsync is required but --bindpw should also be required.

I filed https://bugzilla.redhat.com/show_bug.cgi?id=636377 for this.

rob

From Steven.Jones at vuw.ac.nz Wed Sep 22 02:10:25 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 14:10:25 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <4C99627B.4080905@redhat.com>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

yes I think you are correct, --bindpw is needed except running this crashed the LDAP server....or sends it off to zombie land and I have to reboot it!

ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw \
--cacert /path/to/certfile.cer adserver.example.com --passsync -v

Is there a log somewhere to look for why?
regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From Steven.Jones at vuw.ac.nz Wed Sep 22 02:18:17 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 14:18:17 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <4C99627B.4080905@redhat.com>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959DA3@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

I have created a user only to find that the login, home directory, UID and GID are all auto-generated...

How can I set the GUI to let me put these values in myself? The Linux account and AD account already have these...so I need to be able to set these.
regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From rcritten at redhat.com Wed Sep 22 02:20:09 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Sep 2010 22:20:09 -0400
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9967D9.8030704@redhat.com>

Steven Jones wrote:
> Hi,
>
> yes I think you are correct, --bindpw is needed except running this crashed the LDAP server....or sends it off to zombie land and I have to reboot it!
>
> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw \
> --cacert /path/to/certfile.cer adserver.example.com --passsync -v
>
> Is there a log somewhere to look for why?

Crashed which LDAP server? Logs are in /var/log/dirsrv-YOUR_INSTANCE_NAME.

Can you provide the output of ipa-replica-manage?

rob

From Steven.Jones at vuw.ac.nz Wed Sep 22 02:27:19 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 14:27:19 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <4C9967D9.8030704@redhat.com>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9967D9.8030704@redhat.com>
Message-ID:
<61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz>

For ipa-replica-manage list

The output is my AD

vuwwincodc00001.vuw.ac.nz

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From Steven.Jones at vuw.ac.nz Wed Sep 22 02:36:15 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 14:36:15 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9967D9.8030704@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959DB1@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Ok, it isn't crashing the LDAP server/service, it's doing a shutdown of it according to the error log...

So while a sync is happening the LDAP server is offline?

How long should this take?

30secs?

3mins?

30mins?
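Rich's reply further down asks for error-log and access-log excerpts from around the time of the shutdown, which is the right first move: the two 389-ds logs share the same timestamp prefix, so the operations that were in flight when slapd went down can be lined up with the shutdown messages themselves. As an added example, not code from this thread or from 389-ds/FreeIPA, here is a Python script that finds the first shutdown entry in an error log and pulls the lines from both logs in a window around it. The log lines are constructed for the example in the 389-ds `[DD/Mon/YYYY:HH:MM:SS +ZZZZ]` layout, the agreement DN and host names are placeholders, and the function names are mine.

```python
"""Pull the 389-ds error-log and access-log lines from around a slapd shutdown.

Both logs prefix each entry with '[DD/Mon/YYYY:HH:MM:SS +ZZZZ]', so a shutdown
seen in the error log can be lined up with the operations the access log was
serving at the same moment (here: the bind and agreement ADD that an
'ipa-replica-manage add --winsync' run performs before the server goes down).
All log lines below are constructed for this example.
"""
import re
from datetime import datetime, timedelta

STAMP_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def parse_stamp(line):
    """Timezone-aware datetime from a 389-ds log line, or None if it has no stamp."""
    m = STAMP_RE.match(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def find_shutdown(error_lines, marker="slapd shutting down"):
    """Timestamp of the first error-log entry that announces a shutdown, or None."""
    for line in error_lines:
        ts = parse_stamp(line)
        if ts is not None and marker in line:
            return ts
    return None


def window(lines, center, before=timedelta(seconds=60), after=timedelta(seconds=10)):
    """Entries stamped within [center - before, center + after], in file order."""
    lo, hi = center - before, center + after
    picked = []
    for line in lines:
        ts = parse_stamp(line)
        if ts is not None and lo <= ts <= hi:
            picked.append(line)
    return picked


def shutdown_context(error_log, access_log):
    """Error- and access-log excerpts around the first shutdown, or None if there is none."""
    err, acc = error_log.splitlines(), access_log.splitlines()
    at = find_shutdown(err)
    if at is None:
        return None
    return {"shutdown_at": at, "errors": window(err, at), "access": window(acc, at)}


# Constructed sample logs (not from the thread); DNs and hosts are placeholders.
# Raw strings keep the \3D / \2C escapes 389-ds writes into logged DNs intact.
ERROR_LOG = r"""[22/Sep/2010:14:10:02 +1200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[22/Sep/2010:14:30:40 +1200] NSMMReplicationPlugin - agmt="cn=meToadserver.example.com" (adserver:389): Replica has a different generation ID than the local data.
[22/Sep/2010:14:31:05 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:14:31:05 +1200] - slapd shutting down - waiting for 1 thread to terminate
[22/Sep/2010:14:31:06 +1200] - slapd stopped.
"""

ACCESS_LOG = r"""[22/Sep/2010:14:25:00 +1200] conn=3 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Sep/2010:14:30:31 +1200] conn=4 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[22/Sep/2010:14:30:31 +1200] conn=4 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[22/Sep/2010:14:30:31 +1200] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[22/Sep/2010:14:30:33 +1200] conn=4 op=1 ADD dn="cn=meToadserver.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[22/Sep/2010:14:30:33 +1200] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[22/Sep/2010:14:31:04 +1200] conn=4 op=2 UNBIND
[22/Sep/2010:14:31:04 +1200] conn=4 op=2 fd=65 closed - U1
"""

if __name__ == "__main__":
    ctx = shutdown_context(ERROR_LOG, ACCESS_LOG)
    print("shutdown at", ctx["shutdown_at"].isoformat())
    for name in ("errors", "access"):
        print("--", name)
        print("\n".join(ctx[name]))
```

Point the two loaders at `/var/log/dirsrv-YOUR_INSTANCE_NAME/errors` and `.../access` (the directory Rob names in this thread) and widen `before` if the agreement setup ran for longer than a minute. Rotated access logs are written with a short buffer delay, so an access-log window that looks empty right after a shutdown is worth re-running once the file has been flushed.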
regards Steven Jones Technical Specialist Linux/Vmware Tele 64 4 463 6272 Victoria University Kelburn New Zealand -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Steven Jones Sent: Wednesday, 22 September 2010 2:27 p.m. To: Freeipa-users at redhat.com Subject: Re: [Freeipa-users] probems installin freeipa v2 For ipa-replica-manage list The output is my AD vuwwincodc00001.vuw.ac.nz regards Steven Jones Technical Specialist Linux/Vmware Tele 64 4 463 6272 Victoria University Kelburn New Zealand -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: Wednesday, 22 September 2010 2:20 p.m. To: Steven Jones Cc: Freeipa-users at redhat.com Subject: Re: [Freeipa-users] probems installin freeipa v2 Steven Jones wrote: > Hi, > > yes I think you are correct, --binpw is ndded except running this crashed the LDAP server....or sends it off to zombie land and I have to reboot it! > > > ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw \ > --cacert /path/to/certfile.cer adserver.example.com --passsync -v > > Is there a log somewhere to look for why? Crashed which LDAP server? Logs are in /var/log/dirsrv-YOUR_INSTANCE_NAME. Can you provide the output of ipa-replica-manage? rob > > regards > > Steven Jones Technical Specialist Linux/Vmware > Tele 64 4 463 6272 > Victoria University > Kelburn > New Zealand > > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: Wednesday, 22 September 2010 1:57 p.m. > To: Steven Jones > Cc: Freeipa-users at redhat.com > Subject: Re: [Freeipa-users] probems installin freeipa v2 > > Steven Jones wrote: >> This time I copied the output from the ldapsearch command >> >> "dn: cn=ipa_pwd_extop,cn=plugins,cn=config" >> >> and it worked... > > Cosmic rays maybe, those strings look identical to me. Glad its working > now in any case. > >> >> ? 
>>
>> So, section 4.4
>>
>> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
>> --bindpw password --cacert /path/to/certfile.cer adserver.example.com -v
>>
>> This appears to be wrong?
>>
>> It should be,
>>
>> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
>> --cacert /path/to/certfile.cer adserver.example.com --passsync -v
>>
>
> You're right in that --passsync is required but --bindpw should also be
> required.
>
> I filed https://bugzilla.redhat.com/show_bug.cgi?id=636377 for this.
>
> rob

From rmeggins at redhat.com Wed Sep 22 02:45:19 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Sep 2010 20:45:19 -0600
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959DB1@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C996DBF.8060701@redhat.com>

Steven Jones wrote:
> Hi,
>
> Ok, it isn't crashing the LDAP server/service, it's doing a shutdown of it according to the error log...
>
What exactly do you see in the error log? Can you provide excerpts? Can you also provide excerpts of the access log from around the time of the shutdown?
> So while a sync is happening the LDAP server is offline?
>
No, not possible. Something is going wrong.
> How long should this take?
>
> 30secs?
>
> 3mins?
>
> 30mins?
From Steven.Jones at vuw.ac.nz Wed Sep 22 02:57:53 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 14:57:53 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <4C996DBF.8060701@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959DCA@STAWINCOEXMAIL1.staff.vuw.ac.nz>

After I do the sync command,

ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw \
--cacert /path/to/certfile.cer adserver.example.com --passsync -v

this is what starts in the error log,

[22/Sep/2010:14:33:36 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:14:33:36 +1200] - slapd shutting down - closing down internal subsystems and plugins
[22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - error in windows_conn_get_search_result, rc=-1
[22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636): Failed to get search operation: LDAP error 81 (Can't contact LDAP server)
[22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[22/Sep/2010:14:43:36 +1200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636)". Sent 0 entries.

So after ten mins the LDAP server isn't responding. After ten minutes there is some more in the error log,

[22/Sep/2010:14:53:36 +1200] NSMMReplicationPlugin - Warning: incremental protocol for replica "agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636)" did not shut down properly.
[22/Sep/2010:14:53:37 +1200] - Waiting for 4 database threads to stop
[22/Sep/2010:14:53:37 +1200] - All database threads now stopped
[22/Sep/2010:14:53:37 +1200] - slapd stopped.

regards

Steven Jones
From Steven.Jones at vuw.ac.nz Wed Sep 22 03:00:32 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 15:00:32 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <4C996DBF.8060701@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959DCC@STAWINCOEXMAIL1.staff.vuw.ac.nz>

access log,

[22/Sep/2010:14:22:39 +1200] conn=48 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[22/Sep/2010:14:22:39 +1200] conn=48 op=0 BIND dn="" method=128 version=3
[22/Sep/2010:14:22:39 +1200] conn=48 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[22/Sep/2010:14:22:39 +1200] conn=48 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp"
[22/Sep/2010:14:22:39 +1200] conn=48 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[22/Sep/2010:14:23:57 +1200] conn=49 fd=66 slot=66 SSL connection from 130.195.53.104 to 130.195.53.104
[22/Sep/2010:14:23:57 +1200] conn=49 SSL 256-bit AES
[22/Sep/2010:14:23:57 +1200] conn=49 op=0 BIND dn="cn=directory manager" method=128 version=3
[22/Sep/2010:14:23:57 +1200] conn=49 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[22/Sep/2010:14:23:57 +1200] conn=49 op=1 UNBIND
[22/Sep/2010:14:23:57 +1200] conn=49 op=1 fd=66 closed - U1
[22/Sep/2010:14:24:02 +1200] conn=50 fd=66 slot=66 SSL connection from 130.195.53.104 to 130.195.53.104
[22/Sep/2010:14:24:02 +1200] conn=50 SSL 256-bit AES
[22/Sep/2010:14:24:02 +1200] conn=50 op=0 BIND dn="cn=directory manager" method=128 version=3
[22/Sep/2010:14:24:02 +1200] conn=50 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[22/Sep/2010:14:24:02 +1200] conn=50 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog nsslapd-certdir nsslapd-schemadir"
[22/Sep/2010:14:24:02 +1200] conn=50 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:14:24:02 +1200] conn=50 op=2 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
[22/Sep/2010:14:24:02 +1200] conn=50 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:14:24:02 +1200] conn=50 op=3 SRCH base="cn=mapping tree,cn=config" scope=2 filter="(|(objectClass=nsDSWindowsReplicationAgreement)(objectClass=nsds5ReplicationAgreement))" attrs=ALL
[22/Sep/2010:14:24:02 +1200] conn=50 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:14:24:02 +1200] conn=50 op=4 SRCH base="cn=meTovuwwincodc00001.vuw.ac.nz636, cn=replica, cn=\22dc=vuw,dc=ac,dc=nz\22, cn=mapping tree, cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[22/Sep/2010:14:24:02 +1200] conn=50 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:14:24:02 +1200] conn=50 op=5 UNBIND
[22/Sep/2010:14:24:02 +1200] conn=50 op=5 fd=66 closed - U1
[22/Sep/2010:14:33:36 +1200] conn=51 fd=66 slot=66 SSL connection from 130.195.53.104 to 130.195.53.104
[22/Sep/2010:14:33:36 +1200] conn=51 SSL 256-bit AES
[22/Sep/2010:14:33:36 +1200] conn=51 op=0 BIND dn="cn=directory manager" method=128 version=3
[22/Sep/2010:14:33:36 +1200] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[22/Sep/2010:14:33:36 +1200] conn=51 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog nsslapd-certdir nsslapd-schemadir"
[22/Sep/2010:14:33:36 +1200] conn=51 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:14:33:36 +1200] conn=51 op=2 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
[22/Sep/2010:14:33:36 +1200] conn=51 op=2 RESULT err=0 tag=101 nentries=1 etime=0

Steven Jones
From rmeggins at redhat.com Wed Sep 22 03:23:57 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Sep 2010 21:23:57 -0600
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959DCA@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9976CD.2020101@redhat.com>

Steven Jones wrote:
> After I do the sync command,
>
> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw \
> --cacert /path/to/certfile.cer adserver.example.com --passsync -v
>
>
> this is what starts in the error log,
>
>
> [22/Sep/2010:14:33:36 +1200] - slapd shutting down - signaling operation threads
> [22/Sep/2010:14:33:36 +1200] - slapd shutting down - closing down internal subsystems and plugins
>
What's in the access log from around this time? This looks like some sort of bug in the directory server - the directory server did not finish shutting down . . .
> [22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - error in windows_conn_get_search_result, rc=-1
> [22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636): Failed to get search operation: LDAP error 81 (Can't contact LDAP server)
> [22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - failed to send dirsync search request: 2
>
And I think the fact that the directory server is in this weird state is what causes these errors.
> [22/Sep/2010:14:43:36 +1200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636)". Sent 0 entries.
>
> So after ten mins the LDAP server isn't responding. After ten minutes there is some more in the error log,
>
> [22/Sep/2010:14:53:36 +1200] NSMMReplicationPlugin - Warning: incremental protocol for replica "agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636)" did not shut down properly.
> [22/Sep/2010:14:53:37 +1200] - Waiting for 4 database threads to stop
> [22/Sep/2010:14:53:37 +1200] - All database threads now stopped
> [22/Sep/2010:14:53:37 +1200] - slapd stopped.
From rmeggins at redhat.com Wed Sep 22 03:28:33 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Sep 2010 21:28:33 -0600
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959DCC@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9977E1.8080202@redhat.com>

Steven Jones wrote:
> access log,
>
> [...]
> [22/Sep/2010:14:33:36 +1200] conn=51 fd=66 slot=66 SSL connection from 130.195.53.104 to 130.195.53.104
> [22/Sep/2010:14:33:36 +1200] conn=51 SSL 256-bit AES
> [22/Sep/2010:14:33:36 +1200] conn=51 op=0 BIND dn="cn=directory manager" method=128 version=3
> [22/Sep/2010:14:33:36 +1200] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [22/Sep/2010:14:33:36 +1200] conn=51 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog nsslapd-certdir nsslapd-schemadir"
> [22/Sep/2010:14:33:36 +1200] conn=51 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [22/Sep/2010:14:33:36 +1200] conn=51 op=2 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
> [22/Sep/2010:14:33:36 +1200] conn=51 op=2 RESULT err=0 tag=101 nentries=1 etime=0
>
The time corresponds to this from the errors log:

[22/Sep/2010:14:33:36 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:14:33:36 +1200] - slapd shutting down - closing down internal subsystems and plugins

But a SRCH operation should not trigger a shutdown. Not sure what's going on here. Can you reliably reproduce this behavior after restarting directory server?
> To: Steven Jones
> Cc: Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] probems installin freeipa v2
>
> Steven Jones wrote:
>
>> Hi,
>>
>> Ok, it isn't crashing the LDAP server/service, it's doing a shutdown of it according to the error log...
>>
> What exactly do you see in the error log? Can you provide excerpts?
> Can you also provide excerpts of the access log from around the time of
> the shutdown?
>
>> So while a sync is happening the LDAP server is offline?
>>
> No, not possible. Something is going wrong.
>
>> How long should this take?
>>
>> 30secs?
>>
>> 3mins?
>>
>> 30mins?
>>
>> regards
>>
>> Steven Jones Technical Specialist Linux/Vmware
>> Tele 64 4 463 6272
>> Victoria University
>> Kelburn
>> New Zealand
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Steven Jones
>> Sent: Wednesday, 22 September 2010 2:27 p.m.
>> To: Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] probems installin freeipa v2
>>
>> For ipa-replica-manage list
>>
>> The output is my AD
>>
>> vuwwincodc00001.vuw.ac.nz
>>
>> regards
>>
>> Steven Jones Technical Specialist Linux/Vmware
>> Tele 64 4 463 6272
>> Victoria University
>> Kelburn
>> New Zealand
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Wednesday, 22 September 2010 2:20 p.m.
>> To: Steven Jones
>> Cc: Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] probems installin freeipa v2
>>
>> Steven Jones wrote:
>>
>>> Hi,
>>>
>>> yes I think you are correct, --bindpw is needed, except running this crashed the LDAP server....or sends it off to zombie land and I have to reboot it!
>>>
>>> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw \
>>> --cacert /path/to/certfile.cer adserver.example.com --passsync -v
>>>
>>> Is there a log somewhere to look for why?
>>>
>> Crashed which LDAP server? Logs are in /var/log/dirsrv-YOUR_INSTANCE_NAME.
>>
>> Can you provide the output of ipa-replica-manage?
>>
>> rob
>>
>>> regards
>>>
>>> Steven Jones Technical Specialist Linux/Vmware
>>> Tele 64 4 463 6272
>>> Victoria University
>>> Kelburn
>>> New Zealand
>>>
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>>> Sent: Wednesday, 22 September 2010 1:57 p.m.
>>> To: Steven Jones
>>> Cc: Freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] probems installin freeipa v2
>>>
>>> Steven Jones wrote:
>>>
>>>> This time I copied the output from the ldapsearch command
>>>>
>>>> "dn: cn=ipa_pwd_extop,cn=plugins,cn=config"
>>>>
>>>> and it worked...
>>>>
>>> Cosmic rays maybe, those strings look identical to me. Glad it's working
>>> now in any case.
>>>
>>>> ?
>>>>
>>>> So, section 4.4
>>>>
>>>> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
>>>> --bindpw password --cacert /path/to/certfile.cer adserver.example.com -v
>>>>
>>>> This appears to be wrong?
>>>>
>>>> It should be,
>>>>
>>>> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
>>>> --cacert /path/to/certfile.cer adserver.example.com --passsync -v
>>>>
>>> You're right in that --passsync is required but --bindpw should also be
>>> required.
>>>
>>> I filed https://bugzilla.redhat.com/show_bug.cgi?id=636377 for this.
>>>
>>> rob
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>

From Steven.Jones at vuw.ac.nz Wed Sep 22 04:10:55 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 22 Sep 2010 16:10:55 +1200
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <4C9977E1.8080202@redhat.com>
References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9967D9.8030704@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959DB1@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C996DBF.8060701@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DCC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9977E1.8080202@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959E19@STAWINCOEXMAIL1.staff.vuw.ac.nz>

8><-------
Can you reliably reproduce this
behavior after restarting directory server?
8><--------

Yes it appears so..........

=============error
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal subsystems and plugins
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in windows_conn_get_search_result, rc=-1
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636): Failed to get search operation: LDAP error 81 (Can't contact LDAP server)
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop
[22/Sep/2010:16:08:32 +1200] - All database threads now stopped
[22/Sep/2010:16:08:32 +1200] - slapd stopped.
=============

=============access
[22/Sep/2010:15:57:41 +1200] conn=6 op=15 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp"
[22/Sep/2010:15:57:41 +1200] conn=6 op=15 RESULT err=0 tag=101 nentries=0 etime=0
[22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 130.195.53.104 to 130.195.53.104
[22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" method=128 version=3
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog nsslapd-certdir nsslapd-schemadir"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:15:58:16 +1200] conn=8 op=2 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
[22/Sep/2010:15:58:16 +1200] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0
=============

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From rmeggins at redhat.com Wed Sep 22 13:17:13 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Sep 2010 07:17:13 -0600
Subject: [Freeipa-users] IPA AD Sync error
In-Reply-To:
References: <4C977E6C.5020805@redhat.com> <4C98B043.10700@redhat.com> <4C98E944.7030104@redhat.com>
Message-ID: <4C9A01D9.3020807@redhat.com>

Shan Kumaraswamy wrote:
> And also I checked the directory server log (error log); it shows this error:
>
> NSMMReplicationPlugin - failed to send dirsync search request: 2
>
Can you post more of the errors log?

Also, the replication log level is also used for winsync debugging: http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

> On Tue, Sep 21, 2010 at 8:20 PM, Rich Megginson wrote:
>
>> Shan Kumaraswamy wrote:
>>
>>> Hi Rich,
>>>
>>> Finally I imported the right CA into the IPA box, now I am getting this error while executing the sync command:
>>>
>>> INFO:root:
>>> INFO:root:
>>> INFO:root:
>>> INFO:root:Starting dirsrv:
>>>     MYDOMAIN-COM...                                            [  OK  ]
>>> INFO:root:
>>> INFO:root:Added CA certificate /etc/dirsrv/slapd-MYDOMAIN-COM/adca1.cer to certificate database for saprhds001.mydomain.com
>>> INFO:root:Restarted directory server saprhds001.mydomain.com
>>> INFO:root:Could not validate connection to remote server sbpaddc003.mydomain.ad:636 - continuing
>>> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>>
>> This is normal, due to a limitation in the way python-ldap loads CA certs. You can ignore this.
>>
>>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=mydomain,dc=com
>>> Windows PassSync entry exists, not resetting password
>>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>>> INFO:root:Replication Update in progress: FALSE: status: 0 Incremental update started: start: 20100921163646Z: end: 20100921163646Z
>>> INFO:root:Agreement is ready, starting replication . . .
>>> Starting replication, please wait until this has completed.
>>> Update succeeded
>>> INFO:root:Added agreement for other host sbpaddc003.corp.mydomain.ad
>>
>> Looks like it is working - so far, so good.
>>
>>> Please advise.
>>>
>>> On Tue, Sep 21, 2010 at 4:16 PM, Rich Megginson wrote:
>>>
>>>> Shan Kumaraswamy wrote:
>>>>
>>>>> Hi Rich,
>>>>> While executing your command (ldapsearch), I am getting the following output:
>>>>> _Command:_
>>>>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>>>> _Output:_
>>>>> ldap_search: Can't contact LDAP server
>>>>> SSL error -8179 (Peer's Certificate issuer is not recognized.)
>>>>> _Command:_
>>>>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>>>> _Output:_
>>>>> [root at saprhds001 ~]# LDAPTLS_CACERT=/etc/dirsrv/slapd-MYDOMAIN-COM/sbpaddc003.cer ldapsearch -d 1 -x -h sbpaddc003.corp.mydomain.ad -p 389 -Z -s base -b ""
>>>>> ldap_create
>>>>> ldap_url_parse_ext(ldap://sbpaddc003.corp.mydomain.ad:389)
>>>>> ldap_extended_operation_s
>>>>> ldap_extended_operation
>>>>> ldap_send_initial_request
>>>>> ldap_new_connection 1 1 0
>>>>> ldap_int_open_connection
>>>>> ldap_connect_to_host: TCP sbpaddc003.corp.mydomain.ad:389
>>>>> ldap_new_socket: 3
>>>>> ldap_prepare_socket: 3
>>>>> ldap_connect_to_host: Trying 10.8.27.22:389
>>>>> ldap_connect_timeout: fd: 3 tm: -1 async: 0
>>>>> ldap_open_defconn: successful
>>>>> ldap_send_server_request
>>>>> ber_scanf fmt ({it) ber:
>>>>> ber_scanf fmt ({) ber:
>>>>> ber_flush: 31 bytes to sd 3
>>>>> ldap_result ld 0x1aa8c6f0 msgid 1
>>>>> wait4msg ld 0x1aa8c6f0 msgid 1 (infinite timeout)
>>>>> wait4msg continue ld 0x1aa8c6f0 msgid 1 all 1
>>>>> ** ld 0x1aa8c6f0 Connections:
>>>>> * host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
>>>>>   refcnt: 2  status: Connected
>>>>>   last used: Tue Sep 21 10:23:41 2010
>>>>> ** ld 0x1aa8c6f0 Outstanding Requests:
>>>>> * msgid 1,  origid 1, status InProgress
>>>>>   outstanding referrals 0, parent count 0
>>>>> ** ld 0x1aa8c6f0 Response Queue:
>>>>>   Empty
>>>>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 1 all 1
>>>>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>>>>> ldap_int_select
>>>>> read1msg: ld 0x1aa8c6f0 msgid 1 all 1
>>>>> ber_get_next
>>>>> ber_get_next: tag 0x30 len 40 contents:
>>>>> read1msg: ld 0x1aa8c6f0 msgid 1 message type extended-result
>>>>> ber_scanf fmt ({eaa) ber:
>>>>> read1msg: ld 0x1aa8c6f0 0 new referrals
>>>>> read1msg: mark request completed, ld 0x1aa8c6f0 msgid 1
>>>>> request done: ld 0x1aa8c6f0 msgid 1
>>>>> res_errno: 0, res_error: <>, res_matched: <>
>>>>> ldap_free_request (origid 1, msgid 1)
>>>>> ldap_parse_extended_result
>>>>> ber_scanf fmt ({eaa) ber:
>>>>> ber_scanf fmt (a) ber:
>>>>> ldap_parse_result
>>>>> ber_scanf fmt ({iaa) ber:
>>>>> ber_scanf fmt (x) ber:
>>>>> ber_scanf fmt (}) ber:
>>>>> ldap_msgfree
>>>>> TLS trace: SSL_connect:before/connect initialization
>>>>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>>>>> TLS trace: SSL_connect:SSLv3 read server hello A
>>>>> TLS certificate verification: depth: 0, err: 20, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>>>> TLS certificate verification: Error, unable to get local issuer certificate
>>>>
>>>> Unable to get local issuer certificate? Is the adcacert.asc file the actual CA cert in ascii/pem/base64 format from the AD CA? Do you have more than one CA or subordinate CAs? If so, you may need to have the entire CA cert chain in the file.
>>>>
>>>> If you are sure that adcacert.asc is from the AD CA, then try adding TLS_CACERT /path/to/adcacert.asc to your ~/.ldaprc file and try the above ldapsearch again.
>>>>
>>>> Let's see what the subject and issuer are in the CA cert:
>>>> openssl x509 -in /path/to/adcacert.asc -text
>>>>
>>>>> TLS certificate verification: depth: 0, err: 27, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>>>> TLS certificate verification: Error, certificate not trusted
>>>>> TLS certificate verification: depth: 0, err: 21, subject: /CN=SBPADDC003.Corp.MYDOMAIN.AD, issuer: /DC=AD/DC=MYDOMAIN/DC=Corp/CN=Corp-SAPDHCP001-CA
>>>>> TLS certificate verification: Error, unable to verify the first certificate
>>>>> TLS trace: SSL_connect:SSLv3 read server certificate A
>>>>> TLS trace: SSL_connect:SSLv3 read server certificate request A
>>>>> TLS trace: SSL_connect:SSLv3 read server done A
>>>>> TLS trace: SSL_connect:SSLv3 write client certificate A
>>>>> TLS trace: SSL_connect:SSLv3 write client key exchange A
>>>>> TLS trace: SSL_connect:SSLv3 write change cipher spec A
>>>>> TLS trace: SSL_connect:SSLv3 write finished A
>>>>> TLS trace: SSL_connect:SSLv3 flush data
>>>>> TLS trace: SSL_connect:SSLv3 read finished A
>>>>> TLS trace: SSL3 alert write:warning:bad certificate
>>>>> TLS: unable to get peer certificate.
>>>>> ldap_bind
>>>>> ldap_simple_bind
>>>>> ldap_sasl_bind
>>>>> ldap_send_initial_request
>>>>> ldap_send_server_request
>>>>> ber_scanf fmt ({it) ber:
>>>>> ber_scanf fmt ({i) ber:
>>>>> ber_flush: 14 bytes to sd 3
>>>>> ldap_result ld 0x1aa8c6f0 msgid 2
>>>>> wait4msg ld 0x1aa8c6f0 msgid 2 (infinite timeout)
>>>>> wait4msg continue ld 0x1aa8c6f0 msgid 2 all 1
>>>>> ** ld 0x1aa8c6f0 Connections:
>>>>> * host: sbpaddc003.corp.mydomain.ad  port: 389  (default)
>>>>>   refcnt: 2  status: Connected
>>>>>   last used: Tue Sep 21 10:23:41 2010
>>>>> ** ld 0x1aa8c6f0 Outstanding Requests:
>>>>> * msgid 2,  origid 2, status InProgress
>>>>>   outstanding referrals 0, parent count 0
>>>>> ** ld 0x1aa8c6f0 Response Queue:
>>>>>   Empty
>>>>> ldap_chkResponseList ld 0x1aa8c6f0 msgid 2 all 1
>>>>> ldap_chkResponseList returns ld 0x1aa8c6f0 NULL
>>>>> ldap_int_select
>>>>> read1msg: ld 0x1aa8c6f0 msgid 2 all 1
>>>>> ber_get_next
>>>>> ldap_perror
>>>>> ldap_result: Can't contact LDAP server (-1)
>>>>>
>>>>> Please help to resolve this issue.
>>>>>
>>>>> On Mon, Sep 20, 2010 at 6:31 PM, Rich Megginson wrote:
>>>>>
>>>>>> Shan Kumaraswamy wrote:
>>>>>>
>>>>>>> Rich,
>>>>>>> I am again facing some issue with IPA+AD Sync and I tested all the levels:
>>>>>>> Windows PassSync entry exists, not resetting password
>>>>>>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>>>>>>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0
>>>>>>> INFO:root:Agreement is ready, starting replication . . .
>>>>>>> Starting replication, please wait until this has completed.
>>>>>>> [saprhds001.bmibank.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
>>>>>>>
>>>>>>> I have imported the right CA to the IPA box and the output is:
>>>>>>> Certificate Nickname          Trust Attributes
>>>>>>>                               SSL,S/MIME,JAR/XPI
>>>>>>> CA certificate                CTu,u,Cu
>>>>>>> Imported CA                   CT,,C
>>>>>>> Server-Cert                   u,u,u
>>>>>>> And also I did the openssl s_client option too, but no luck.
>>>>>>
>>>>>> What exactly did you do with openssl s_client?
>>>>>>
>>>>>> Did you try
>>>>>> /usr/lib64/mozldap/ldapsearch -h fqdn.of.ad.hostname -Z -P /etc/dirsrv/slapd-YOURINSTANCE/cert8.db -s base -b "" "objectclass=*"
>>>>>>
>>>>>> LDAPTLS_CACERT=/path/to/adcacert.asc ldapsearch -d 1 -x -h fqdn.of.ad.hostname -p 389 -Z -s base -b ""
>>>>>>
>>>>>>> Without cert, when I try ldapsearch it gives output, but with cert (AD CA) it throws an error.
>>>>>>> Please help me fix this issue.
>>>>>>> --
>>>>>>> Thanks & Regards
>>>>>>> Shan Kumaraswamy
>>>>>
>>>>> --
>>>>> Thanks & Regards
>>>>> Shan Kumaraswamy
>>>
>>> --
>>> Thanks & Regards
>>> Shan Kumaraswamy
>
> --
> Thanks & Regards
> Shan Kumaraswamy

From danieljamesscott at gmail.com Wed Sep 22 14:52:17 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 22 Sep 2010 10:52:17 -0400
Subject: [Freeipa-users] Fedora 11 master replication problems
Message-ID:

Hi,

Recently I have been seeing a constant stream of entries in my dirsrv logs for my Fedora 11 FreeIPA master:

Replica has a different generation ID than the local data.

I'm also seeing issues which appear to be related to incorrect replication. e.g. User changes password and is then unable to login.

I enabled verbose logging as suggested here:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Troubleshooting_Replication_Related_Problems.html

However, now I am stuck and don't know how to proceed. Here is an extract of the verbose logs.
They appear roughly every 5 seconds:

[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: start_backoff -> backoff
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Cancelling linger on the connection
[22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state before 4c9a17f30001:1285166920:0:171
[22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state after 4c9a17f70000:1285166924:0:171
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Replica was successfully acquired.
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: backoff -> sending_updates
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Replica has a different generation ID than the local data.
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Successfully released consumer
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Beginning linger on the connection
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: sending_updates -> start_backoff

curie is the replicated server.

Does anyone have any suggestions for resolving this?

Thanks,

Dan

From rmeggins at redhat.com Wed Sep 22 15:54:17 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Sep 2010 09:54:17 -0600
Subject: [Freeipa-users] IPA AD Sync error
In-Reply-To:
References: <4C977E6C.5020805@redhat.com> <4C98B043.10700@redhat.com> <4C98E944.7030104@redhat.com> <4C9A01D9.3020807@redhat.com>
Message-ID: <4C9A26A9.2040600@redhat.com>

Shan Kumaraswamy wrote:
> Hi Rich,
> Please find the attached error log file.
>
Please file a bug and include all of the steps necessary to reproduce the issue.
From rmeggins at redhat.com Wed Sep 22 15:56:18 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Sep 2010 09:56:18 -0600
Subject: [Freeipa-users] Fedora 11 master replication problems
In-Reply-To:
References:
Message-ID: <4C9A2722.7000302@redhat.com>

Dan Scott wrote:
> Hi,
>
> Recently I have been seeing a constant stream of entries in my dirsrv
> logs for my Fedora 11 FreeIPA master:
>
> Replica has a different generation ID than the local data.
>
> I'm also seeing issues which appear to be related to incorrect
> replication. e.g. User changes password and is then unable to login.
>
> I enabled verbose logging as suggested here:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Troubleshooting_Replication_Related_Problems.html
>
> However, now I am stuck and don't know how to proceed. Here is an
> extract of the verbose logs.
> They appear roughly every 5 seconds:
>
> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: start_backoff -> backoff
> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Cancelling linger on the connection
> [22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state before 4c9a17f30001:1285166920:0:171
> [22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state after 4c9a17f70000:1285166924:0:171
> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Replica was successfully acquired.
> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: backoff -> sending_updates
> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Replica has a different generation ID than the local data.
>
This usually means the consumer has not been initialized.
> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Successfully released consumer
> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Beginning linger on the connection
> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: sending_updates -> start_backoff
>
> curie is the replicated server.
>
> Does anyone have any suggestions for resolving this?
>
> Thanks,
>
> Dan
>

From rmeggins at redhat.com Wed Sep 22 15:56:42 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Sep 2010 09:56:42 -0600
Subject: [Freeipa-users] probems installin freeipa v2
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959E19@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9967D9.8030704@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959DB1@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C996DBF.8060701@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DCC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9977E1.8080202@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959E19@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9A273A.4020006@redhat.com>

Steven Jones wrote:
> 8><-------
>
> Can you reliably reproduce this behavior after restarting directory server?
>
Please file a bug with the necessary steps to reproduce the issue.
>
> 8><--------
>
> Yes it appears so..........
> > =============error > [22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation threads > [22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal subsystems and plugins > [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in windows_conn_get_search_result, rc=-1 > [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636): Failed to get search operation: LDAP error 81 (Can't contact LDAP server) > [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync search request: 2 > [22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop > [22/Sep/2010:16:08:32 +1200] - All database threads now stopped > [22/Sep/2010:16:08:32 +1200] - slapd stopped. > ============= > > =============access > [22/Sep/2010:15:57:41 +1200] conn=6 op=15 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp" > [22/Sep/2010:15:57:41 +1200] conn=6 op=15 RESULT err=0 tag=101 nentries=0 etime=0 > [22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 130.195.53.104 to 130.195.53.104 > [22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES > [22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" method=128 version=3 > [22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" > [22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog nsslapd-certdir nsslapd-schemadir" > [22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0 > [22/Sep/2010:15:58:16 +1200] conn=8 op=2 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory" > [22/Sep/2010:15:58:16 +1200] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0 > 
============= > > regards > > Steven Jones Technical Specialist Linux/Vmware > Tele 64 4 463 6272 > Victoria University > Kelburn > New Zealand > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > From brian at cukerinteractive.com Wed Sep 22 16:00:13 2010 From: brian at cukerinteractive.com (Brian LaMere) Date: Wed, 22 Sep 2010 09:00:13 -0700 Subject: [Freeipa-users] ldap.so problem after --setup-dns Message-ID: I have the following error in the log after named refuses to start: named[1736]: failed to dynamically load driver 'ldap.so': libldap-2.4.so.2: cannot open shared object file: No such file or directory At first I thought it was simply a "bah, they require the i686 library and I only have x86_64" but after installing the i686 packages the issue remains. Then I found this bug: https://bugzilla.redhat.com/show_bug.cgi?id=596325 I'd rather bind run in chroot; was there any headway on why this wasn't/isn't working? Brian -------------- next part -------------- An HTML attachment was scrubbed... URL: From danieljamesscott at gmail.com Wed Sep 22 16:04:56 2010 From: danieljamesscott at gmail.com (Dan Scott) Date: Wed, 22 Sep 2010 12:04:56 -0400 Subject: [Freeipa-users] Fedora 11 master replication problems In-Reply-To: <4C9A2722.7000302@redhat.com> References: <4C9A2722.7000302@redhat.com> Message-ID: Hi, Thanks for the reply. On Wed, Sep 22, 2010 at 11:56, Rich Megginson wrote: >> Recently I have been seeing a constant stream of entries in my dirsrv >> logs for my Fedora 11 FreeIPA master: >> >> Replica has a different generation ID than the local data. >> >> I'm also seeing issues which appear to be related to incorrect >> replication. e.g. User changes password and is then unable to login. 
>> >> I enabled verbose logging as suggested here: >> >> >> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Troubleshooting_Replication_Related_Problems.html >> >> However, now I am stuck and don't know how to proceed. Here is an >> extract of the verbose logs. They appear roughly every 5 seconds: >> >> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >> agmt="cn=meTocurie.example.com636" (curie:636): State: start_backoff >> -> backoff >> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >> agmt="cn=meTocurie.example.com636" (curie:636): Cancelling linger on >> the connection >> [22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state >> before 4c9a17f30001:1285166920:0:171 >> [22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state >> after 4c9a17f70000:1285166924:0:171 >> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >> agmt="cn=meTocurie.example.com636" (curie:636): Replica was >> successfully acquired. >> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >> agmt="cn=meTocurie.example.com636" (curie:636): State: backoff -> >> sending_updates >> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >> agmt="cn=meTocurie.example.com636" (curie:636): Replica has a >> different generation ID than the local data. >> > > This usually means the consumer has not been initialized. I'm not sure what 'initialized' means. Do you mean that replication has not been configured? This server has been replicating fine for over a year. According to this: http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Managing_Multi_Master_Replication.html Initialization is the initial copy of data from the master - The slave server (curie) has been configured and replicating for a while. Maybe I need to re-initialize with a fresh copy? Do you have any instructions for doing this? 
Thanks, Dan Scott From rmeggins at redhat.com Wed Sep 22 16:08:29 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 22 Sep 2010 10:08:29 -0600 Subject: [Freeipa-users] Fedora 11 master replication problems In-Reply-To: References: <4C9A2722.7000302@redhat.com> Message-ID: <4C9A29FD.5000201@redhat.com> Dan Scott wrote: > Hi, > > Thanks for the reply. > > On Wed, Sep 22, 2010 at 11:56, Rich Megginson wrote: > >>> Recently I have been seeing a constant stream of entries in my dirsrv >>> logs for my Fedora 11 FreeIPA master: >>> >>> Replica has a different generation ID than the local data. >>> >>> I'm also seeing issues which appear to be related to incorrect >>> replication. e.g. User changes password and is then unable to login. >>> >>> I enabled verbose logging as suggested here: >>> >>> >>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Troubleshooting_Replication_Related_Problems.html >>> >>> However, now I am stuck and don't know how to proceed. Here is an >>> extract of the verbose logs. They appear roughly every 5 seconds: >>> >>> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >>> agmt="cn=meTocurie.example.com636" (curie:636): State: start_backoff >>> -> backoff >>> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >>> agmt="cn=meTocurie.example.com636" (curie:636): Cancelling linger on >>> the connection >>> [22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state >>> before 4c9a17f30001:1285166920:0:171 >>> [22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state >>> after 4c9a17f70000:1285166924:0:171 >>> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >>> agmt="cn=meTocurie.example.com636" (curie:636): Replica was >>> successfully acquired. 
>>> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >>> agmt="cn=meTocurie.example.com636" (curie:636): State: backoff -> >>> sending_updates >>> [22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - >>> agmt="cn=meTocurie.example.com636" (curie:636): Replica has a >>> different generation ID than the local data. >>> >>> >> This usually means the consumer has not been initialized. >> > > I'm not sure what 'initialized' means. Do you mean that replication > has not been configured? This server has been replicating fine for > over a year. > > According to this: > http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Managing_Multi_Master_Replication.html > > Initialization is the initial copy of data from the master - The slave > server (curie) has been configured and replicating for a while. Has curie been restored from a backup? Initialized from another master? Been shutdown for over a week? > Maybe > I need to re-initialize with a fresh copy? Do you have any > instructions for doing this? > Does the ipa-replica-manage command line tool have an option for doing a reinit? > Thanks, > > Dan Scott > From danieljamesscott at gmail.com Wed Sep 22 16:12:45 2010 From: danieljamesscott at gmail.com (Dan Scott) Date: Wed, 22 Sep 2010 12:12:45 -0400 Subject: [Freeipa-users] Fedora 11 master replication problems In-Reply-To: <4C9A29FD.5000201@redhat.com> References: <4C9A2722.7000302@redhat.com> <4C9A29FD.5000201@redhat.com> Message-ID: Hi, Sorry, I just checked the manpage myself and I see that there's an init option to ipa-replica-manage. On Wed, Sep 22, 2010 at 12:08, Rich Megginson wrote: >> Initialization is the initial copy of data from the master - The slave >> server (curie) has been configured and replicating for a while. > > Has curie been restored from a backup? ?Initialized from another master? > ?Been shutdown for over a week? 
Nope, none of these: Not restored, initialized from another master or shutdown for over a week. There is a possibility that there was an un-noticed problem with dirsrv which lasted for a week though. > Does the ipa-replica-manage command line tool have an option for doing a > reinit? I see that there's an 'init' option. If I'm happy to throw away any changes on curie, can I just run the init on curie and it will re-initialize from the master? Thanks for your help. Dan From rmeggins at redhat.com Wed Sep 22 16:27:27 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 22 Sep 2010 10:27:27 -0600 Subject: [Freeipa-users] Fedora 11 master replication problems In-Reply-To: References: <4C9A2722.7000302@redhat.com> <4C9A29FD.5000201@redhat.com> Message-ID: <4C9A2E6F.8030605@redhat.com> Dan Scott wrote: > Hi, > > Sorry, I just checked the manpage myself and I see that there's an > init option to ipa-replica-manage. > > On Wed, Sep 22, 2010 at 12:08, Rich Megginson wrote: > >>> Initialization is the initial copy of data from the master - The slave >>> server (curie) has been configured and replicating for a while. >>> >> Has curie been restored from a backup? Initialized from another master? >> Been shutdown for over a week? >> > > Nope, none of these: Not restored, initialized from another master or > shutdown for over a week. There is a possibility that there was an > un-noticed problem with dirsrv which lasted for a week though. > > >> Does the ipa-replica-manage command line tool have an option for doing a >> reinit? >> > > I see that there's an 'init' option. If I'm happy to throw away any > changes on curie, can I just run the init on curie and it will > re-initialize from the master? > I'm not sure how the init option works - not sure if it means to init curie from the master - anyone? > Thanks for your help. 
> > Dan > From dpal at redhat.com Wed Sep 22 16:42:02 2010 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 22 Sep 2010 12:42:02 -0400 Subject: [Freeipa-users] ldap.so problem after --setup-dns In-Reply-To: References: Message-ID: <4C9A31DA.2090200@redhat.com> Brian LaMere wrote: > I have the following error in the log after named refuses to start: > > named[1736]: failed to dynamically load driver 'ldap.so': > libldap-2.4.so.2: cannot open shared object file: No such file or > directory > > At first I thought it was simply a "bah, they require the i686 library > and I only have x86_64" but after installing the i686 packages the > issue remains. Then I found this bug: > https://bugzilla.redhat.com/show_bug.cgi?id=596325 > > I'd rather bind run in chroot; was there any headway on why this > wasn't/isn't working? > We have not had a chance to get a closer look to this issue. And unfortunately I do not have a clear vision on when we will be able to. This week we will continue bug triage so we will create a ticket in trac and prioritize it against other work we have. Sorry for delays Thank you Dmitri From rcritten at redhat.com Wed Sep 22 17:18:04 2010 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Sep 2010 13:18:04 -0400 Subject: [Freeipa-users] ldap.so problem after --setup-dns In-Reply-To: References: Message-ID: <4C9A3A4C.5030701@redhat.com> Brian LaMere wrote: > I have the following error in the log after named refuses to start: > > named[1736]: failed to dynamically load driver 'ldap.so': > libldap-2.4.so.2: cannot open shared object file: No such file or directory > > At first I thought it was simply a "bah, they require the i686 library > and I only have x86_64" but after installing the i686 packages the issue > remains. Then I found this bug: > https://bugzilla.redhat.com/show_bug.cgi?id=596325 > > I'd rather bind run in chroot; was there any headway on why this > wasn't/isn't working? > > Brian No, I haven't had a chance to look at it yet. 
It is probably just a matter of copying the right library to your chroot though.

If this fixes the loading issue then you may run into a problem trying to bind to the LDAP server. We use ldapi to bind. You'll see in your named.conf something like

uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket

You may need to change this to a regular LDAP uri

uri ldap://ipa.example.com

rob

From rcritten at redhat.com Wed Sep 22 17:32:33 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Sep 2010 13:32:33 -0400
Subject: [Freeipa-users] Fedora 11 master replication problems
In-Reply-To:
References: <4C9A2722.7000302@redhat.com> <4C9A29FD.5000201@redhat.com>
Message-ID: <4C9A3DB1.500@redhat.com>

Dan Scott wrote:
> Hi,
>
> Sorry, I just checked the manpage myself and I see that there's an
> init option to ipa-replica-manage.
>
> On Wed, Sep 22, 2010 at 12:08, Rich Megginson wrote:
>>> Initialization is the initial copy of data from the master - The slave
>>> server (curie) has been configured and replicating for a while.
>>
>> Has curie been restored from a backup? Initialized from another master?
>> Been shutdown for over a week?
>
> Nope, none of these: Not restored, initialized from another master or
> shutdown for over a week. There is a possibility that there was an
> un-noticed problem with dirsrv which lasted for a week though.
>
>> Does the ipa-replica-manage command line tool have an option for doing a
>> reinit?
>
> I see that there's an 'init' option. If I'm happy to throw away any
> changes on curie, can I just run the init on curie and it will
> re-initialize from the master?
>
> Thanks for your help.

You should log into the "master" (the host that is replicating to curie) and run:

# ipa-replica-manage init curie.example.com

rob

From brian at cukerinteractive.com Wed Sep 22 18:42:15 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Wed, 22 Sep 2010 11:42:15 -0700
Subject: [Freeipa-users] changing primary GID for a user?
Message-ID:

The primary GID for a user isn't in the web interface for the user to be able to change it. /usr/sbin/ipa-moduser (what the document references) doesn't exist, nor does "ipa user-mod" have an option for changing the GID.

How is this done?

From rcritten at redhat.com Wed Sep 22 19:05:21 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Sep 2010 15:05:21 -0400
Subject: [Freeipa-users] changing primary GID for a user?
In-Reply-To:
References:
Message-ID: <4C9A5371.2000502@redhat.com>

Brian LaMere wrote:
> The primary GID for a user isn't in the web interface for the user to be
> able to change it. /usr/sbin/ipa-moduser (what the document references)
> doesn't exist, nor does "ipa user-mod" have an option for changing the GID.
>
> How is this done?

I'll assume you're using IPA v2. You can do it this way:

ipa user-mod --setattr=gidnumber=12345 brian

rob

From brian at cukerinteractive.com Wed Sep 22 19:31:01 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Wed, 22 Sep 2010 12:31:01 -0700
Subject: [Freeipa-users] changing primary GID for a user?
In-Reply-To: <4C9A5482.7060006@ssaihq.com>
References: <4C9A5482.7060006@ssaihq.com>
Message-ID:

On Wed, Sep 22, 2010 at 12:09 PM, James Roman wrote:
> On 9/22/10 2:42 PM, Brian LaMere wrote:
>
>> The primary GID for a user isn't in the web interface for the user to be
>> able to change it.
>>
> Holy cow. What a security flaw that would be if it were. How about a sign
> up sheet for admin access to the mail server.
>
>> /usr/sbin/ipa-moduser (what the document references) doesn't exist, nor
>> does "ipa user-mod" have an option for changing the GID.
>>
>> How is this done?
>>
> You don't. The administrators (or those appropriately designated) assign
> you to the appropriate group. Perhaps you could provide an idea of why you
> would want to extend this privilege?
>
you're substantially misunderstanding.
When logging in to the web interface as admin, with the ability to create users, hosts, roles, etc etc - there's no box for the GID. There's no box to even see what it is. I *am* the administrator. I was only looking at the web page because the command line didn't have the option listed, either. Which seemed to suggest that a very, very basic component of creating and modifying user accounts was not easily adjustable.

Rob answered the question, however - thanks.

Brian

From brian at cukerinteractive.com Wed Sep 22 19:35:50 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Wed, 22 Sep 2010 12:35:50 -0700
Subject: [Freeipa-users] changing search base during migration?
Message-ID:

I know about --user-container and --group-container, but that's not sufficient; the domain is different, so I want to completely change the search base for migration. Is this possible?

Thanks!
Brian

From rcritten at redhat.com Wed Sep 22 19:44:18 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Sep 2010 15:44:18 -0400
Subject: [Freeipa-users] changing search base during migration?
In-Reply-To:
References:
Message-ID: <4C9A5C92.7020006@redhat.com>

Brian LaMere wrote:
> I know about --user-container and --group-container, but that's not
> sufficient; the domain is different, so I want to completely change the
> search base for migration. Is this possible?
>
> Thanks!
> Brian

It looks like it tries to auto-detect the remote search base using the equivalent of:

ldapsearch -h remote_host -x -s base -b '' namingcontexts

So for example, on my LDAP server it returns:

dn:
namingcontexts: dc=example,dc=com

Does this do the right thing for you?
rob

From brian at cukerinteractive.com Wed Sep 22 19:51:57 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Wed, 22 Sep 2010 12:51:57 -0700
Subject: [Freeipa-users] changing search base during migration?
In-Reply-To: <4C9A5C92.7020006@redhat.com>
References: <4C9A5C92.7020006@redhat.com>
Message-ID:

seems to, yes (some values changed, but consistently):

# ldapsearch -LLL -h oldserver.briandomain.com -x -s base -b '' namingcontexts
dn:
namingcontexts: dc=briandomain,dc=com

However, when I go to the "oldserver" and look in the logs, I see this:

conn=1416 op=1 SRCH base="dc=brian,dc=internal" scope=0 filter="(objectClass=*)" attrs="namingContexts"

Since I'm going from "dc=briandomain,dc=com" to "dc=brian,dc=internal" (mostly due to the forward and reverse lookups, which I don't want to mess around with extensively for the actual domain) then looking for namingContexts within that base won't work; I would like instead to just grab everything from one base, and import it in to the new base.

Is it not working as you would expect it? Or, is it just not possible to do what I'm wanting?

Thanks :)
Brian

On Wed, Sep 22, 2010 at 12:44 PM, Rob Crittenden wrote:
> Brian LaMere wrote:
>
>> I know about --user-container and --group-container, but that's not
>> sufficient; the domain is different, so I want to completely change the
>> search base for migration. Is this possible?
>>
>> Thanks!
>> Brian
>>
>
> It looks like it tries to auto-detect the remote search base using the
> equivalent of:
>
> ldapsearch -h remote_host -x -s base -b '' namingcontexts
>
> So for example, on my LDAP server it returns:
>
> dn:
> namingcontexts: dc=example,dc=com
>
> Does this do the right thing for you?
>
> rob
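The replication loop in Dan's thread further up this page (the agreement to curie cycling start_backoff -> backoff -> sending_updates and back, each pass ending in "Replica has a different generation ID than the local data"), together with Rob's remedy of running ipa-replica-manage init from the master, lends itself to a small triage script. The one below is an added example for this archive, not code from the thread or from FreeIPA or 389-ds: it groups NSMMReplicationPlugin messages from the errors log by agreement, counts how often the supplier has fallen back into backoff, and prints the reinit command for any consumer whose generation no longer matches. The sample log is constructed from the lines quoted in the thread; the second cycle, the timestamps and the healthy agreement to a host called fermi are assumptions added for illustration.

```python
"""Triage of NSMMReplicationPlugin messages from a 389-ds errors log.
Added example for this thread, not FreeIPA or 389-ds code.  The sample log is
constructed from the lines quoted above; the second cycle, the timestamps and
the healthy agreement to 'fermi' are assumptions for illustration."""
import re

SAMPLE_ERRORS_LOG = """\
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: start_backoff -> backoff
[22/Sep/2010:10:48:44 -0400] - _csngen_adjust_local_time: gen state before 4c9a17f30001:1285166920:0:171
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Replica was successfully acquired.
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: backoff -> sending_updates
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Replica has a different generation ID than the local data.
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Successfully released consumer
[22/Sep/2010:10:48:44 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: sending_updates -> start_backoff
[22/Sep/2010:10:48:49 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: start_backoff -> backoff
[22/Sep/2010:10:48:49 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Replica was successfully acquired.
[22/Sep/2010:10:48:49 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: backoff -> sending_updates
[22/Sep/2010:10:48:49 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Replica has a different generation ID than the local data.
[22/Sep/2010:10:48:49 -0400] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): State: sending_updates -> start_backoff
[22/Sep/2010:10:48:50 -0400] NSMMReplicationPlugin - agmt="cn=meTofermi.example.com636" (fermi:636): Replica was successfully acquired.
[22/Sep/2010:10:48:50 -0400] NSMMReplicationPlugin - agmt="cn=meTofermi.example.com636" (fermi:636): State: backoff -> sending_updates
[22/Sep/2010:10:48:50 -0400] NSMMReplicationPlugin - agmt="cn=meTofermi.example.com636" (fermi:636): Successfully released consumer
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$')
STATE_RE = re.compile(r'^State: (?P<src>\S+) -> (?P<dst>\S+)$')
GEN_MISMATCH = "Replica has a different generation ID than the local data."
ACQUIRED = "Replica was successfully acquired."


def consumer_fqdn(agmt_cn, port):
    """IPA names its agreements cn=meTo<consumer fqdn><port>; recover the fqdn."""
    name = agmt_cn[3:] if agmt_cn.startswith("cn=") else agmt_cn
    if name.startswith("meTo") and name.endswith(port):
        return name[4:-len(port)]
    return None  # not an IPA-style name; the caller falls back to the short host


def parse_agreements(log_text):
    """Group plugin messages by agreement and record the state-machine edges."""
    agmts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # csngen and other lines are not tied to an agreement
        a = agmts.setdefault(m["agmt"], {"host": m["host"], "port": m["port"],
                                         "transitions": [], "gen_mismatch": 0,
                                         "acquired": 0})
        s = STATE_RE.match(m["msg"])
        if s:
            a["transitions"].append((s["src"], s["dst"]))
        elif m["msg"] == GEN_MISMATCH:
            a["gen_mismatch"] += 1
        elif m["msg"] == ACQUIRED:
            a["acquired"] += 1
    return agmts


def backoff_cycles(transitions):
    """Each time the supplier gives up it goes sending_updates -> start_backoff;
    counting that edge tells you how often the loop in the thread has repeated."""
    return sum(1 for src, dst in transitions
               if src == "sending_updates" and dst == "start_backoff")


def diagnose(log_text, min_cycles=2):
    """One finding per agreement, with the action to take on this supplier."""
    findings = []
    for cn, a in sorted(parse_agreements(log_text).items()):
        fqdn = consumer_fqdn(cn, a["port"]) or a["host"]
        cycles = backoff_cycles(a["transitions"])
        if a["gen_mismatch"] and cycles >= min_cycles:
            # The consumer answers (it was acquired) but holds a different data
            # generation, so only a fresh init from this supplier will resync it.
            action = (f"reinit: on this supplier run 'ipa-replica-manage init {fqdn}' "
                      "(replaces the consumer's copy of the data)")
        elif a["gen_mismatch"]:
            action = "watch: generation mismatch seen, loop not yet established"
        else:
            action = "ok"
        findings.append({"agreement": cn, "consumer": fqdn, "backoff_cycles": cycles,
                         "generation_mismatch": a["gen_mismatch"], "action": action})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_ERRORS_LOG):
        print(f"{f['consumer']:<20} cycles={f['backoff_cycles']} "
              f"mismatch={f['generation_mismatch']} {f['action']}")
```

Run it against /var/log/dirsrv/slapd-*/errors on the supplier. The script only recommends; it does not run the reinit itself, because an initialization replaces the consumer's copy of the suffix with the supplier's, which is exactly the "throw away any changes on curie" trade-off Dan asked about: a password change that was only ever written on the consumer (the symptom he reported) is lost, so check where recent writes landed before running the command.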
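Brian's access-log line above (a namingContexts search against dc=brian,dc=internal on the old server) and the access-log extract in Steven's message earlier on this page are both the kind of evidence you read by pairing each SRCH or BIND with the RESULT that shares its conn and op numbers. The correlator below is an added example, not code from the thread or from 389-ds or FreeIPA. It reports searches whose base is not under any suffix the server actually holds (the migration symptom in this thread), operations that came back with an error, operations that never got a RESULT, and binds as cn=Directory Manager together with the client address they came from, which is the check a reviewer of Steven's log would want. The sample log is constructed: the conn=8 lines follow Steven's extract, the conn=1416 lines are built around Brian's SRCH line, and the 192.0.2.x addresses, the binds on conn=1416 and the err=32 (noSuchObject) result are assumptions.

```python
"""Correlate 389-ds access-log operations with their RESULT lines.
Added example for this thread, not FreeIPA or 389-ds code.  The sample log is
constructed: conn=8 follows Steven's extract, conn=1416 is built around Brian's
SRCH line; the 192.0.2.x addresses, the binds on conn=1416 and the err=32
(noSuchObject) result are assumptions for illustration."""
import re

SAMPLE_ACCESS_LOG = """\
[22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 130.195.53.104 to 130.195.53.104
[22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" method=128 version=3
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:12:50:01 -0700] conn=1416 fd=71 slot=71 connection from 192.0.2.10 to 192.0.2.20
[22/Sep/2010:12:50:01 -0700] conn=1416 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[22/Sep/2010:12:50:01 -0700] conn=1416 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[22/Sep/2010:12:50:01 -0700] conn=1416 op=1 SRCH base="dc=brian,dc=internal" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[22/Sep/2010:12:50:01 -0700] conn=1416 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[22/Sep/2010:12:50:02 -0700] conn=1416 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[22/Sep/2010:12:50:02 -0700] conn=1416 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""

ACCESS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to \S+')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def kv(args):
    """key=value and key="quoted value" pairs from an operation line."""
    return {k: q or u for k, q, u in KV_RE.findall(args)}


def norm_dn(dn):
    """Case-fold and strip spaces after commas so DNs compare as suffixes."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def under_any(base, contexts):
    """True if base is the root DSE or equals/sits below one of the suffixes."""
    n = norm_dn(base)
    return n == "" or any(n == norm_dn(c) or n.endswith("," + norm_dn(c))
                          for c in contexts)


def correlate(log_text):
    """Pair each BIND/SRCH with its RESULT by (conn, op) and attach the client IP."""
    sources, ops = {}, {}
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        c = CONN_RE.match(rest)
        if c:
            sources[conn] = c["src"]  # remembered for later ops on this conn
            continue
        o = OP_RE.match(rest)
        if not o:
            continue  # e.g. the "SSL 256-bit AES" cipher line
        key, fields = (conn, o["op"]), kv(o["args"])
        if o["kind"] == "RESULT" and key in ops:
            ops[key]["err"] = int(fields.get("err", -1))
            ops[key]["nentries"] = int(fields.get("nentries", 0))
        elif o["kind"] in ("BIND", "SRCH"):
            ops[key] = {"conn": conn, "op": o["op"], "kind": o["kind"],
                        "src": sources.get(conn, "?"),
                        "dn": fields.get("dn", fields.get("base", "")),
                        "err": None, "nentries": None}
    return list(ops.values())


def triage(log_text, naming_contexts, privileged=("cn=Directory Manager",)):
    """Searches outside the held suffixes, failed ops, ops without a RESULT,
    and binds as a privileged identity, each with the client that sent them."""
    ops = correlate(log_text)
    priv = {norm_dn(p) for p in privileged}
    return {
        "outside_context": [o for o in ops if o["kind"] == "SRCH"
                            and not under_any(o["dn"], naming_contexts)],
        "failed": [o for o in ops if o["err"] not in (None, 0)],
        "unanswered": [o for o in ops if o["err"] is None],
        "privileged_binds": [o for o in ops if o["kind"] == "BIND"
                             and norm_dn(o["dn"]) in priv],
    }


if __name__ == "__main__":
    # Suffixes the old server reported for namingContexts plus its config tree.
    report = triage(SAMPLE_ACCESS_LOG, ["dc=briandomain,dc=com", "cn=config"])
    for name, items in report.items():
        for o in items:
            print(f"{name:<17} conn={o['conn']} op={o['op']} from {o['src']} "
                  f"{o['kind']} {o['dn']!r} err={o['err']}")
```

Feed the second argument from the same root-DSE query Rob quoted (ldapsearch -x -s base -b '' namingcontexts), adding cn=config if you expect management tools to read it. On Brian's server the constructed conn=1416 op=1 shows up under outside_context and failed at once, which is the "ipa: ERROR: no such entry" he saw from the client side; the privileged_binds list is worth keeping as a standing alert, since a Directory Manager bind from anywhere other than the hosts you expect is a finding in its own right.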
From rcritten at redhat.com Wed Sep 22 20:14:43 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Sep 2010 16:14:43 -0400
Subject: [Freeipa-users] changing search base during migration?
In-Reply-To:
References: <4C9A5C92.7020006@redhat.com>
Message-ID: <4C9A63B3.9010308@redhat.com>

Brian LaMere wrote:
> seems to, yes (some values changed, but consistently):
>
> # ldapsearch -LLL -h oldserver.briandomain.com
> -x -s base -b '' namingcontexts
> dn:
> namingcontexts: dc=briandomain,dc=com
>
>
> However, when I go to the "oldserver" and look in the logs, I see this:
>
> conn=1416 op=1 SRCH base="dc=brian,dc=internal" scope=0
> filter="(objectClass=*)" attrs="namingContexts"

And this request came from newserver? I don't see where we would query namingContexts with this search base. Seems strange that something knew about the new basedn though.

>
> Since I'm going from "dc=briandomain,dc=com" to "dc=brian,dc=internal"
> (mostly due to the forward and reverse lookups, which I don't want to
> mess around with extensively for the actual domain) then looking for
> namingContexts within that base won't work; I would like instead to just
> grab everything from one base, and import it in to the new base.
>
> Is it not working as you would expect it? Or, is it just not possible
> to do what I'm wanting?

Well, we want flexibility for sure, what you're asking for isn't unreasonable. Have you run the migration script and it failed or are you just worried that it isn't going to do the right thing?

rob

>
> Thanks :)
> Brian
>
>
>
> On Wed, Sep 22, 2010 at 12:44 PM, Rob Crittenden
> wrote:
>
> Brian LaMere wrote:
>
> I know about --user-container and --group-container, but that's not
> sufficient; the domain is different, so I want to completely
> change the
> search base for migration. Is this possible?
>
> Thanks!
> Brian
>
>
> It looks like it tries to auto-detect the remote search base using
> the equivalent of:
>
> ldapsearch -h remote_host -x -s base -b '' namingcontexts
>
> So for example, on my LDAP server it returns:
>
> dn:
> namingcontexts: dc=example,dc=com
>
> Does this do the right thing for you?
>
> rob
>
>

From brian at cukerinteractive.com Wed Sep 22 20:39:37 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Wed, 22 Sep 2010 13:39:37 -0700
Subject: [Freeipa-users] changing search base during migration?
In-Reply-To: <4C9A63B3.9010308@redhat.com>
References: <4C9A5C92.7020006@redhat.com> <4C9A63B3.9010308@redhat.com>
Message-ID:

On Wed, Sep 22, 2010 at 1:14 PM, Rob Crittenden wrote:
> And this request came from newserver? I don't see where we would query
> namingContexts with this search base. Seems strange that something knew
> about the new basedn though.

aye - and I can say that the only thing pointing at oldserver that would even think of asking about a "brian.internal" would be this particular query - which happens at exactly the time the entry on the oldserver that references that search base.

> Well, we want flexibility for sure, what you're asking for isn't
> unreasonable. Have you run the migration script and it failed or are you
> just worried that it isn't going to do the right thing?
>

aye, I get the old:

# ipa migrate-ds ldap://oldserver.briandomain.com
password:
Enter password again to verify:
ipa: ERROR: no such entry

Which is to say, it found nothing to import (right? isn't that what the error means?). "oldserver" is a default 389-ds server (which as you might recall is 1.2.6-0.1.a1, but I don't want to upgrade that without getting the data off first). While I created all sorts of funny things elsewhere in the tree, the normal users and groups are all in the normal places.
I tried adding a little debug line in ipalib/migrate.py ahead of the only place I saw namingcontexts mentioned, but...even though I raised an exception, nothing changed (so I guess migrate_ds.execute doesn't get run until...err...execute. So where is the search base found?). I'm digging around, but that's the only place I find /namingcontext/i in the python libs, at least, and nothing jumped out at me in strace (though stuff did scroll past my 2k lines buffer...) Thanks again, Brian -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Wed Sep 22 20:58:06 2010 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 23 Sep 2010 08:58:06 +1200 Subject: [Freeipa-users] Probems syncing freeipa v2 to AD In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959E19@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <4C9159CB.4050709@redhat.com> <4C917D68.5050809@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959AAC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9967D9.8030704@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959DB1@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C996DBF.8060701@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DCC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9977E1.8080202@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959E19@STAWINCOEXMAIL1.staff.vuw.ac.nz> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959E85@STAWINCOEXMAIL1.staff.vuw.ac.nz> Hi, Any idea how to stop the LDAP server hosing itself? 
regards Steven Jones Technical Specialist Linux/Vmware Tele 64 4 463 6272 Victoria University Kelburn New Zealand -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Steven Jones Sent: Wednesday, 22 September 2010 4:11 p.m. To: Freeipa-users at redhat.com Subject: Re: [Freeipa-users] probems installin freeipa v2 8><------- Can you reliably reproduce this behavior after restarting directory server? 8><-------- Yes it appears so.......... =============error [22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation threads [22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal subsystems and plugins [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in windows_conn_get_search_result, rc=-1 [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636): Failed to get search operation: LDAP error 81 (Can't contact LDAP server) [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync search request: 2 [22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop [22/Sep/2010:16:08:32 +1200] - All database threads now stopped [22/Sep/2010:16:08:32 +1200] - slapd stopped. 
============= =============access [22/Sep/2010:15:57:41 +1200] conn=6 op=15 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp" [22/Sep/2010:15:57:41 +1200] conn=6 op=15 RESULT err=0 tag=101 nentries=0 etime=0 [22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 130.195.53.104 to 130.195.53.104 [22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES [22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" method=128 version=3 [22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog nsslapd-certdir nsslapd-schemadir" [22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [22/Sep/2010:15:58:16 +1200] conn=8 op=2 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory" [22/Sep/2010:15:58:16 +1200] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0 ============= regards Steven Jones Technical Specialist Linux/Vmware Tele 64 4 463 6272 Victoria University Kelburn New Zealand _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From dpal at redhat.com Wed Sep 22 21:18:32 2010 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 22 Sep 2010 17:18:32 -0400 Subject: [Freeipa-users] Probems syncing freeipa v2 to AD In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959E85@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> 
<61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9967D9.8030704@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959DB1@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C996DBF.8060701@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DCC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9977E1.8080202@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959E19@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959E85@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9A72A8.2070501@redhat.com>

Steven Jones wrote:
> Hi,
>
> Any idea how to stop the LDAP server hosing itself?
>

Have you filed a bug with this issue as Rich suggested in his last email?

Thank you
Dmitri

> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Steven Jones
> Sent: Wednesday, 22 September 2010 4:11 p.m.
> To: Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] probems installin freeipa v2
>
> 8><-------
>
> Can you reliably reproduce this behavior after restarting directory server?
>
> 8><--------
>
> Yes it appears so..........
>
> =============error
> [22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation threads
> [22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal subsystems and plugins
> [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in windows_conn_get_search_result, rc=-1
> [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwwincodc00001.vuw.ac.nz636" (vuwwincodc00001:636): Failed to get search operation: LDAP error 81 (Can't contact LDAP server)
> [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync search request: 2
> [22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop
> [22/Sep/2010:16:08:32 +1200] - All database threads now stopped
> [22/Sep/2010:16:08:32 +1200] - slapd stopped.
> =============
>
> =============access
> [22/Sep/2010:15:57:41 +1200] conn=6 op=15 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp"
> [22/Sep/2010:15:57:41 +1200] conn=6 op=15 RESULT err=0 tag=101 nentries=0 etime=0
> [22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 130.195.53.104 to 130.195.53.104
> [22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES
> [22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" method=128 version=3
> [22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog nsslapd-certdir nsslapd-schemadir"
> [22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [22/Sep/2010:15:58:16 +1200] conn=8 op=2 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
> [22/Sep/2010:15:58:16 +1200] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> =============
>
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Wed Sep 22 21:22:32 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 23 Sep 2010 09:22:32 +1200
Subject: [Freeipa-users] Probems syncing freeipa v2 to AD
In-Reply-To: <4C9A72A8.2070501@redhat.com>
References: <61DF826607311A4EBE75A77ED59E4CDE43F6959C69@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C992B5A.5010402@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9967D9.8030704@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959DB1@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C996DBF.8060701@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DCC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9977E1.8080202@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959E19@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959E85@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9A72A8.2070501@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F6959EA0@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

I have not seen such an email.
regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: Dmitri Pal [mailto:dpal at redhat.com]
Sent: Thursday, 23 September 2010 9:19 a.m.
To: Steven Jones
Cc: Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Probems syncing freeipa v2 to AD

Steven Jones wrote:
> Hi,
>
> Any idea how to stop the LDAP server hosing itself?
>

Have you filed a bug with this issue as Rich suggested in his last email?

Thank you
Dmitri

> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Steven Jones
> Sent: Wednesday, 22 September 2010 4:11 p.m.
> To: Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] probems installin freeipa v2
>
> 8><-------
>
> Can you reliably reproduce this behavior after restarting directory server?
>
> 8><--------
>
> Yes it appears so..........
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Wed Sep 22 21:28:24 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Sep 2010 15:28:24 -0600
Subject: [Freeipa-users] Probems syncing freeipa v2 to AD
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F6959EA0@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <61DF826607311A4EBE75A77ED59E4CDE43F6959C8D@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959CB2@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959D6A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C99627B.4080905@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959D9E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9967D9.8030704@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DAB@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959DB1@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C996DBF.8060701@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959DCC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9977E1.8080202@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959E19@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE43F6959E85@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9A72A8.2070501@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F6959EA0@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9A74F8.8060206@redhat.com>

Steven Jones wrote:
> Hi,
>
> I have not seen such an email.
> https://www.redhat.com/archives/freeipa-users/2010-September/msg00062.html
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> -----Original Message-----
> From: Dmitri Pal [mailto:dpal at redhat.com]
> Sent: Thursday, 23 September 2010 9:19 a.m.
> To: Steven Jones
> Cc: Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Probems syncing freeipa v2 to AD
>
> Steven Jones wrote:
>> Hi,
>>
>> Any idea how to stop the LDAP server hosing itself?
>>
>
> Have you filed a bug with this issue as Rich suggested in his last email?
>
> Thank you
> Dmitri
>
>> regards
>>
>> Steven Jones Technical Specialist Linux/Vmware
>> Tele 64 4 463 6272
>> Victoria University
>> Kelburn
>> New Zealand
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Steven Jones
>> Sent: Wednesday, 22 September 2010 4:11 p.m.
>> To: Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] probems installin freeipa v2
>>
>> 8><-------
>>
>> Can you reliably reproduce this behavior after restarting directory server?
>>
>> 8><--------
>>
>> Yes it appears so..........
>>

From danieljamesscott at gmail.com Wed Sep 22 21:27:39 2010
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 22 Sep 2010 17:27:39 -0400
Subject: [Freeipa-users] Fedora 11 master replication problems
In-Reply-To: <4C9A3DB1.500@redhat.com>
References:
<4C9A2722.7000302@redhat.com> <4C9A29FD.5000201@redhat.com> <4C9A3DB1.500@redhat.com>
Message-ID:

Excellent, that seems to have solved it, thanks.

Dan

On Wed, Sep 22, 2010 at 13:32, Rob Crittenden wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> Sorry, I just checked the manpage myself and I see that there's an
>> init option to ipa-replica-manage.
>>
>> On Wed, Sep 22, 2010 at 12:08, Rich Megginson wrote:
>>>>
>>>> Initialization is the initial copy of data from the master - The slave
>>>> server (curie) has been configured and replicating for a while.
>>>
>>> Has curie been restored from a backup? Initialized from another master?
>>> Been shutdown for over a week?
>>
>> Nope, none of these: Not restored, initialized from another master or
>> shutdown for over a week. There is a possibility that there was an
>> un-noticed problem with dirsrv which lasted for a week though.
>>
>>> Does the ipa-replica-manage command line tool have an option for doing a
>>> reinit?
>>
>> I see that there's an 'init' option. If I'm happy to throw away any
>> changes on curie, can I just run the init on curie and it will
>> re-initialize from the master?
>>
>> Thanks for your help.
>
> You should log into the "master" (the host that is replicating to curie) and
> run:
>
> # ipa-replica-manage init curie.example.com
>
> rob
>

From rcritten at redhat.com Wed Sep 22 21:44:41 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Sep 2010 17:44:41 -0400
Subject: [Freeipa-users] changing search base during migration?
In-Reply-To:
References: <4C9A5C92.7020006@redhat.com> <4C9A63B3.9010308@redhat.com>
Message-ID: <4C9A78C9.2010502@redhat.com>

Brian LaMere wrote:
> On Wed, Sep 22, 2010 at 1:14 PM, Rob Crittenden wrote:
>
>     And this request came from newserver? I don't see where we would
>     query namingContexts with this search base. Seems strange that
>     something knew about the new basedn though.
>
>
> aye - and I can say that the only thing pointing at oldserver that would
> even think of asking about a "brian.internal" would be this particular
> query - which happens at exactly the time the entry on the oldserver
> that references that search base.

Ok, it was the camel case that was throwing me.

It looks like we have a bug when setting an empty base_dn. We try to set it blank but it ends up getting set to the IPA base.

>
>     Well, we want flexibility for sure, what you're asking for isn't
>     unreasonable. Have you run the migration script and it failed or are
>     you just worried that it isn't going to do the right thing?
>
>
> aye, I get the old:
>
> # ipa migrate-ds ldap://oldserver.briandomain.com
>
> password:
> Enter password again to verify:
> ipa: ERROR: no such entry
>
> Which is to say, it found nothing to import (right? isn't that what the
> error means?). "oldserver" is a default 389-ds server (which as you
> might recall is 1.2.6-0.1.a1, but I don't want to upgrade that without
> getting the data off first). While I created all sorts of funny things
> elsewhere in the tree, the normal users and groups are all in the normal
> places.
>
> I tried adding a little debug line in ipalib/migrate.py ahead of the
> only place I saw namingcontexts mentioned, but...even though I raised an
> exception, nothing changed (so I guess migrate_ds.execute doesn't get
> run until...err...execute. So where is the search base found?). I'm
> digging around, but that's the only place I find /namingcontext/i in the
> python libs, at least, and nothing jumped out at me in strace (though
> stuff did scroll past my 2k lines buffer...)

I think what it's failing to find is the ipaconfig entry. Look in your access log for a query for cn=ipaconfig.

I've created a ticket to track this work, https://fedorahosted.org/freeipa/ticket/289

Are you working from IPA v2 pre4 or did you build the source yourself from git?

This might take me a couple of days to hammer out.
thanks

rob

From brian at cukerinteractive.com Wed Sep 22 22:00:39 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Wed, 22 Sep 2010 15:00:39 -0700
Subject: [Freeipa-users] changing search base during migration?
In-Reply-To: <4C9A78C9.2010502@redhat.com>
References: <4C9A5C92.7020006@redhat.com> <4C9A63B3.9010308@redhat.com> <4C9A78C9.2010502@redhat.com>
Message-ID:

> It looks like we have a bug when setting an empty base_dn. We try to set it
> blank but it ends up getting set to the IPA base.
>

so if I just change base_dn from '' to 'dc=briandomain,dc=com' then my selfish desire to complete the migration might complete? ; )

> Are you working from IPA v2 pre4 or did you build the source yourself from
> git?

pre4, though I made 2 slight mods...1 each in cainstance.py and dsinstance.py (for 2 different show-stopping bugs which have already been patched in git). I can change to the git version if you would prefer.

I'll catch up with the bug tracker you've created.

Brian

From rcritten at redhat.com Wed Sep 22 22:04:03 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Sep 2010 18:04:03 -0400
Subject: [Freeipa-users] changing search base during migration?
In-Reply-To:
References: <4C9A5C92.7020006@redhat.com> <4C9A63B3.9010308@redhat.com> <4C9A78C9.2010502@redhat.com>
Message-ID: <4C9A7D53.7000604@redhat.com>

Brian LaMere wrote:
>     It looks like we have a bug when setting an empty base_dn. We try to
>     set it blank but it ends up getting set to the IPA base.
>
>
> so if I just change base_dn from '' to 'dc=briandomain,dc=com' then my
> selfish desire to complete the migration might complete? ; )

Maybe. I don't think the cn=ipaconfig stuff was added in until after pre4.

I don't think this represents a tremendous amount of work on my end, just need to find time for it...

>
>     Are you working from IPA v2 pre4 or did you build the source
>     yourself from git?
>
>
> pre4, though I made 2 slight mods...1 each in cainstance.py and
> dsinstance.py (for 2 different show-stopping bugs which have already
> been patched in git). I can change to the git version if you would prefer.
>
> I'll catch up with the bug tracker you've created.

You're probably fine with pre4 but merging in my change might be tricky, that's all.

rob

From shan.sysadm at gmail.com Thu Sep 23 10:18:07 2010
From: shan.sysadm at gmail.com (Shan Kumaraswamy)
Date: Thu, 23 Sep 2010 13:18:07 +0300
Subject: [Freeipa-users] IPA Webgui error
Message-ID:

Hi All,

I have installed the IPA replica server and the installation succeeded. After configuring the Firefox browser settings I could not access the IPA web UI; I restarted the IPA replica server a couple of times as well, but no luck, and I found this error message in the log file:

[root at sbprhds001 init.d]# service ipa_webgui status
ipa_webgui dead but pid file exists

under /var/log/httpd/nss_error_log
[Wed Sep 22 18:23:36 2010] [error] ap_proxy_connect_backend disabling worker for (localhost)
[Wed Sep 22 18:23:36 2010] [error] [client 10.8.27.32] File does not exist: /var/www/html/favicon.ico
[Wed Sep 22 18:23:36 2010] [error] [client 10.8.27.32] File does not exist: /var/www/html/favicon.ico
[Thu Sep 23 11:32:07 2010] [error] (111)Connection refused: proxy: HTTP: attempt to connect to [::1]:8080 (localhost) failed

Please help me fix this issue.

--
Thanks & Regards
Shan Kumaraswamy
From rcritten at redhat.com Thu Sep 23 13:24:44 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Sep 2010 09:24:44 -0400
Subject: [Freeipa-users] IPA Webgui error
In-Reply-To:
References:
Message-ID: <4C9B551C.3000005@redhat.com>

Shan Kumaraswamy wrote:
> Hi All,
>
> I have installed the IPA replica server and the installation succeeded.
> After configuring the Firefox browser settings I could not access the
> IPA web UI; I restarted the IPA replica server a couple of times as well,
> but no luck, and I found this error message in the log file:
>
> [root at sbprhds001 init.d]# service ipa_webgui status
> ipa_webgui dead but pid file exists
>
> under /var/log/httpd/nss_error_log
> [Wed Sep 22 18:23:36 2010] [error] ap_proxy_connect_backend disabling
> worker for (localhost)
> [Wed Sep 22 18:23:36 2010] [error] [client 10.8.27.32] File does not
> exist: /var/www/html/favicon.ico
> [Wed Sep 22 18:23:36 2010] [error] [client 10.8.27.32] File does not
> exist: /var/www/html/favicon.ico
> [Thu Sep 23 11:32:07 2010] [error] (111)Connection refused: proxy: HTTP:
> attempt to connect to [::1]:8080 (localhost) failed
>
> Please help me fix this issue.
>

See if anything is logged in /var/log/ipa_error.log. This is the log for the IPA gui.

rob

From Steven.Jones at vuw.ac.nz Thu Sep 23 20:05:21 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 24 Sep 2010 08:05:21 +1200
Subject: [Freeipa-users] bug 634561
In-Reply-To: <4C9B551C.3000005@redhat.com>
References: <4C9B551C.3000005@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Bug 634561 has been fixed...

How do I get this into/onto my setup please?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From rmeggins at redhat.com Thu Sep 23 20:19:30 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Sep 2010 14:19:30 -0600
Subject: [Freeipa-users] bug 634561
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9BB652.3070203@redhat.com>

Steven Jones wrote:
> Hi,
>
> Bug 634561 has been fixed...
>
> How do I get this into/onto my setup please?
>

We're working on a 389-ds-base 1.2.6.1 release. Should be in testing very soon.

> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From Steven.Jones at vuw.ac.nz Fri Sep 24 03:46:37 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 24 Sep 2010 15:46:37 +1200
Subject: [Freeipa-users] Migrating passwd files etc into free-ipa
In-Reply-To: <4C9BB652.3070203@redhat.com>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Is there a method to do this?

I tried to use LdapImport.pl from the 389 project and this failed....

Giving me all # = entry not added to destination (other error)

Possibly the password criteria in freeipa is "too strong"?

How can I disable this feature?

or is there another way to import?
regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From dpal at redhat.com Fri Sep 24 11:18:04 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 24 Sep 2010 07:18:04 -0400
Subject: [Freeipa-users] Migrating passwd files etc into free-ipa
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4C9C88EC.80608@redhat.com>

Steven Jones wrote:
> Is there a method to do this?
>
> I tried to use LdapImport.pl from the 389 project and this failed....
>
> Giving me all # = entry not added to destination (other error)
>
> Possibly the password criteria in freeipa is "too strong"?
>
> How can I disable this feature?
>
> or is there another way to import?
>

Migration of the passwords is a tough problem. The issue is that the passwords in the local files are hashed using a simple hash algorithm, while in IPA they are hashed to create Kerberos keys. Converting from one to the other without knowing the clear password is not possible.

If you already have an LDAP server with passwords you can take advantage of our LDAP migration schemes, but if you have local files this will be a challenge.

For the migrating-from-LDAP case you can load your users into the IPA and then configure SSSD to use migration mode on the client, or you can instruct users to go to a special migration web page. In both cases you already have the password hashed in the LDAP format in the IPA, so SSSD or the migration page will capture the cleartext password and pass it to IPA so that it can use it to generate the Kerberos hashes.

A quick search around migrating passwords from flat files to LDAP showed that it is in some cases possible (if the hash that is used by the flat file is supported by the DS server), but tricky. We do not have any aid here, so it is simpler to reset the password. If this is not an option, as far as I understand you need to create the user accounts first with some password and then overwrite the password attribute in the LDAP with the properly decorated hash taken from the password file. And after that you still need the Kerberos keys for IPA to work, so you still need to use the migration page or SSSD.

It might be less trouble just to bite the bullet and reset passwords as you migrate to IPA.

Thanks
Dmitri

> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Sep 24 13:34:54 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Sep 2010 09:34:54 -0400
Subject: [Freeipa-users] IPA Webgui error
In-Reply-To:
References: <4C9B551C.3000005@redhat.com>
Message-ID: <4C9CA8FE.8080806@redhat.com>

Please keep responses on the list.

Shan Kumaraswamy wrote:
> Hi Rob,
> Please find the error details below:
> 2010-09-22 14:59:07,019 root ERROR failed to start web gui: Cheetah>=2.0.1
>   File "/usr/sbin/ipa_webgui", line 201, in ?
>     main()
>   File "/usr/sbin/ipa_webgui", line 158, in main
>     import pkg_resources
>   File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 2479, in ?
>     working_set.require(__requires__)
>   File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 585, in require
>     needed = self.resolve(parse_requirements(requirements))
>   File "/usr/lib/python2.4/site-packages/pkg_resources.py", line 483, in resolve
>     raise DistributionNotFound(req)  # XXX put more info here

You reported this same error earlier this summer and said that the problem was in the version of python-cheetah you had installed: http://www.mail-archive.com/freeipa-users at redhat.com/msg00560.html

rob

From brian at cukerinteractive.com Fri Sep 24 16:23:58 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Fri, 24 Sep 2010 09:23:58 -0700
Subject: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
Message-ID:

the "hostMask" attribute in the 60sudo.ldif schema def has a syntax of 1.3.6.1.4.1.1466.115.121.1.15 but it should be 1.3.6.1.4.1.1466.115.121.1.26...maybe?

attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )

equality as IA5, but ordering and substr as regular strings? I'm tempted to think it should be IA5 across the board, as an IP. Yes?

From dpal at redhat.com Fri Sep 24 16:30:45 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 24 Sep 2010 12:30:45 -0400
Subject: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
In-Reply-To:
References:
Message-ID: <4C9CD235.9020001@redhat.com>

Brian LaMere wrote:
> the "hostMask" attribute in the 60sudo.ldif schema def has a
> syntax of 1.3.6.1.4.1.1466.115.121.1.15 but it should be
> 1.3.6.1.4.1.1466.115.121.1.26...maybe?
>
> attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP
> mask to identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING
> caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
>
> equality as IA5, but ordering and substr as regular strings? I'm
> tempted to think it should be IA5 across the board, as an IP. Yes?
>

Yes this is an inconsistency fixed by the patch on the list. After some discussion we decided to treat it as a DirectoryString i.e. 15 and remove the IA5 from the match rule.

Thanks,
Dmitri

> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From brian at cukerinteractive.com Fri Sep 24 16:44:36 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Fri, 24 Sep 2010 09:44:36 -0700
Subject: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
In-Reply-To: <4C9CD235.9020001@redhat.com>
References: <4C9CD235.9020001@redhat.com>
Message-ID:

ah, odd - I'm used to IPs being IA5. then the equality match should be changed? Can't have caseIgnoreIA5Match on a directory string :)

On Fri, Sep 24, 2010 at 9:30 AM, Dmitri Pal wrote:
> Brian LaMere wrote:
> > the "hostMask" attribute in the 60sudo.ldif schema def has a
> > syntax of 1.3.6.1.4.1.1466.115.121.1.15 but it should be
> > 1.3.6.1.4.1.1466.115.121.1.26...maybe?
> >
> > attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP
> > mask to identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING
> > caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
> > 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
> >
> > equality as IA5, but ordering and substr as regular strings? I'm
> > tempted to think it should be IA5 across the board, as an IP. Yes?
> >
> Yes this is an inconsistency fixed by the patch on the list. After some
> discussion we decided to treat it as a DirectoryString i.e. 15 and
> remove the IA5 from the match rule.
>
> Thanks,
> Dmitri
>
> --
> Thank you,
> Dmitri Pal
>
> Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From dpal at redhat.com Fri Sep 24 17:43:38 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 24 Sep 2010 13:43:38 -0400
Subject: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
In-Reply-To:
References: <4C9CD235.9020001@redhat.com>
Message-ID: <4C9CE34A.10600@redhat.com>

Brian LaMere wrote:
> ah, odd - I'm used to IPs being IA5. then the equality match should
> be changed? Can't have caseIgnoreIA5Match on a directory string :)

Yes. This is what the patch does :-)

>
> On Fri, Sep 24, 2010 at 9:30 AM, Dmitri Pal wrote:
>
>     Brian LaMere wrote:
>     > the "hostMask" attribute in the 60sudo.ldif schema def has a
>     > syntax of 1.3.6.1.4.1.1466.115.121.1.15 but it should be
>     > 1.3.6.1.4.1.1466.115.121.1.26...maybe?
>     >
>     > attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP
>     > mask to identify a subnet.' EQUALITY caseIgnoreIA5Match ORDERING
>     > caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
>     > 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
>     >
>     > equality as IA5, but ordering and substr as regular strings? I'm
>     > tempted to think it should be IA5 across the board, as an IP. Yes?
>     >
>
>     Yes this is an inconsistency fixed by the patch on the list. After
>     some discussion we decided to treat it as a DirectoryString i.e. 15 and
>     remove the IA5 from the match rule.
>
>     Thanks,
>     Dmitri
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From brian at cukerinteractive.com Fri Sep 24 19:26:47 2010
From: brian at cukerinteractive.com (Brian LaMere)
Date: Fri, 24 Sep 2010 12:26:47 -0700
Subject: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
In-Reply-To: <4C9CE34A.10600@redhat.com>
References: <4C9CD235.9020001@redhat.com> <4C9CE34A.10600@redhat.com>
Message-ID:

On Fri, Sep 24, 2010 at 10:43 AM, Dmitri Pal wrote:
> Brian LaMere wrote:
> > ah, odd - I'm used to IPs being IA5. then the equality match should
> > be changed? Can't have caseIgnoreIA5Match on a directory string :)
>
> Yes. This is what the patch does :-)
>

so, out of curiosity...why 60sudo? Seems like a string matching netmask could be used more generically...it's redefined over as radiusFramedIPNetmask in 60radius.ldif. I go through and purge my tree of attributes I'll never need, sorry - I have strange quirks.
Also, I've noted that when I stop services, then start them again per the
order in /etc/rc3.d, named doesn't know about the local domain yet because
it connects to an empty socket (since the krb and dirsrv services aren't
started yet):

trying to establish LDAP connection to
ldapi://%2fvar%2frun%2fslapd-BRIAN-INTERNAL.socket

which fails at:

Principal not found in cred cache (Matching credential not found)

Once everything is up, if I run "rndc reload" the local domain lookups (and
thus, everything else) work again. Should one of the other services
incorporate a rndc reload, for this reason? I didn't actually restart the
server (can't, due to something else it is doing), I just stopped things per
rc3.d/k* order, and then started them per s* order.

Brian

From dpal at redhat.com Fri Sep 24 19:53:30 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 24 Sep 2010 15:53:30 -0400
Subject: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
In-Reply-To:
References: <4C9CD235.9020001@redhat.com> <4C9CE34A.10600@redhat.com>
Message-ID: <4C9D01BA.8010004@redhat.com>

Brian LaMere wrote:
> On Fri, Sep 24, 2010 at 10:43 AM, Dmitri Pal wrote:
> > Brian LaMere wrote:
> > > ah, odd - I'm used to IPs being IA5. then the equality match should
> > > be changed? Can't have caseIgnoreIA5Match on a directory string :)
> > Yes. This is what the patch does :-)
>
> so, out of curiosity...why 60sudo? Seems like a string matching
> netmask could be used more generically...it's redefined over as
> radiusFramedIPNetmask in 60radius.ldif. I go through and purge my
> tree of attributes I'll never need, sorry - I have strange quirks.

See some discussion of the subject here:
http://www.freeipa.org/page/SUDO_Schema_Design#Proposed_Schema under
sudoHost. I tried to find something suitable but could not. I did not look
at RADIUS though.
Reusing core, well known attributes is a good practice since they are common.
Relying on RADIUS schema to be present might not be. Yes, we plan to support
RADIUS in future but this work is deferred. The hope is that other DS servers
will see the value in the new schema and start supporting it in future. In
this case having it independent from RADIUS schema will be the right
approach. Also I am considering that this attribute can be used to denote a
host name with a wildcard. I am not saying we are going to support it but at
least I thought about that too. Those minor factors added up to a decision
to define a new attribute rather than reuse some existing but not 100%
suitable one.

Thanks
Dmitri

Regarding the rest, I do not know and hope somebody else will be able to
answer.

> Also, I've noted that when I stop services, then start them again per
> the order in /etc/rc3.d, named doesn't know about the local domain yet
> because it connects to an empty socket (since the krb and dirsrv
> services aren't started yet)
>
> Once everything is up, if I run "rndc reload" the local domain lookups
> (and thus, everything else) work again. Should one of the other
> services incorporate a rndc reload, for this reason?
>
> Brian

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Sep 24 20:09:11 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Sep 2010 16:09:11 -0400
Subject: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
In-Reply-To:
References: <4C9CD235.9020001@redhat.com> <4C9CE34A.10600@redhat.com>
Message-ID: <4C9D0567.2090708@redhat.com>

Brian LaMere wrote:
> so, out of curiosity...why 60sudo? Seems like a string matching netmask
> could be used more generically...it's redefined over as
> radiusFramedIPNetmask in 60radius.ldif. I go through and purge my tree
> of attributes I'll never need, sorry - I have strange quirks.
>
> Also, I've noted that when I stop services, then start them again per
> the order in /etc/rc3.d, named doesn't know about the local domain yet
> because it connects to an empty socket (since the krb and dirsrv
> services aren't started yet)
>
> trying to establish LDAP connection to
> ldapi://%2fvar%2frun%2fslapd-BRIAN-INTERNAL.socket
>
> which fails at:
>
> Principal not found in cred cache (Matching credential not found)
>
> Once everything is up, if I run "rndc reload" the local domain lookups
> (and thus, everything else) work again. Should one of the other
> services incorporate a rndc reload, for this reason? I didn't actually
> restart the server (can't, due to something else it is doing) I just
> stopped things per rc3.d/k* order, and then started them per s* order.
>
> Brian

I use /usr/sbin/ipactl to restart all the IPA services myself. This could
definitely be a problem on reboot though. I filed ticket
https://fedorahosted.org/freeipa/ticket/294 to investigate this further.
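An added check for the kind of schema inconsistency discussed earlier in this thread (my example, not the IPA patch or anything from the list): it parses attributeTypes definitions, pairs each EQUALITY/ORDERING/SUBSTR rule with the syntax RFC 4517 defines it for, and flags the hostMask definition quoted above, where an IA5 equality rule sits on a DirectoryString (syntax .15) attribute. The "fixed" form is assumed from the thread's decision (DirectoryString kept, IA5 rule dropped), and the two-entry LDIF fragment is constructed, not the real 60sudo.ldif.

```python
"""Check that the matching rules of an LDAP attributeTypes definition agree
with its declared SYNTAX (RFC 4517 pairs each rule with one syntax)."""
import re

IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"        # IA5 String (ASCII only)
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"  # Directory String (UTF-8)

# Matching rules and the attribute syntax each is defined for (RFC 4517).
RULE_SYNTAX = {
    "caseIgnoreIA5Match": IA5_STRING,
    "caseExactIA5Match": IA5_STRING,
    "caseIgnoreIA5SubstringsMatch": IA5_STRING,
    "caseIgnoreMatch": DIRECTORY_STRING,
    "caseExactMatch": DIRECTORY_STRING,
    "caseIgnoreOrderingMatch": DIRECTORY_STRING,
    "caseIgnoreSubstringsMatch": DIRECTORY_STRING,
}

_FIELDS = {
    "NAME": re.compile(r"\bNAME\s+'([^']+)'"),
    "EQUALITY": re.compile(r"\bEQUALITY\s+(\S+)"),
    "ORDERING": re.compile(r"\bORDERING\s+(\S+)"),
    "SUBSTR": re.compile(r"\bSUBSTR\s+(\S+)"),
    # SYNTAX may carry a length suffix such as {64}; capture the OID only.
    "SYNTAX": re.compile(r"\bSYNTAX\s+([0-9.]+)"),
}

# The hostMask definition exactly as quoted in this thread (60sudo.ldif).
HOSTMASK_AS_SHIPPED = (
    "( 2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to identify "
    "a subnet.' EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreMatch SUBSTR "
    "caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
    "X-ORIGIN 'IPA v2' )"
)
# Assumed corrected form following the thread's decision (keep
# DirectoryString, drop the IA5 rule); the real patch text is not on this page.
HOSTMASK_FIXED = HOSTMASK_AS_SHIPPED.replace("caseIgnoreIA5Match", "caseIgnoreMatch")


def parse_attribute_type(definition):
    """Pull NAME, the matching rules and SYNTAX out of one definition; accepts
    the bare '( ... )' form or a full 'attributeTypes: ( ... )' LDIF record."""
    if definition.startswith("attributeTypes:"):
        definition = definition.split(":", 1)[1]
    found = {}
    for key, rx in _FIELDS.items():
        m = rx.search(definition)
        if m:
            found[key] = m.group(1)
    return found


def check_attribute_type(definition):
    """Return a list of findings (empty list means the definition is consistent)."""
    fields = parse_attribute_type(definition)
    name = fields.get("NAME", "<unnamed>")
    syntax = fields.get("SYNTAX")
    if syntax is None:
        return ["%s: no SYNTAX declared" % name]
    findings = []
    for kind in ("EQUALITY", "ORDERING", "SUBSTR"):
        rule = fields.get(kind)
        if rule is None:
            continue
        expected = RULE_SYNTAX.get(rule)
        if expected is None:
            findings.append("%s: %s uses unknown matching rule %s" % (name, kind, rule))
        elif expected != syntax:
            findings.append("%s: %s %s expects syntax %s but SYNTAX is %s"
                            % (name, kind, rule, expected, syntax))
    return findings


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the line above)."""
    records = []
    for line in text.splitlines():
        if line.startswith(" ") and records:
            records[-1] += line[1:]
        else:
            records.append(line)
    return records


def check_schema_ldif(text):
    """Run the check over every attributeTypes record of an LDIF schema file."""
    findings = []
    for record in unfold_ldif(text):
        if record.startswith("attributeTypes:"):
            findings.extend(check_attribute_type(record))
    return findings


# Constructed two-attribute schema fragment (the second OID is a placeholder).
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.16.840.1.113730.3.8.7.11 NAME 'hostMask' DESC 'IP mask to identify a subnet.'
  EQUALITY caseIgnoreIA5Match ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleNote' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'example' )
"""
```

Running check_schema_ldif over a real schema file (for example the contents of 60sudo.ldif) reports only the records whose rules and syntax disagree.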
rob

From jdennis at redhat.com Fri Sep 24 21:37:12 2010
From: jdennis at redhat.com (John Dennis)
Date: Fri, 24 Sep 2010 17:37:12 -0400
Subject: [Freeipa-users] hostMask attribute syntax issue in 60sudo.ldif
In-Reply-To: <4C9D01BA.8010004@redhat.com>
References: <4C9CD235.9020001@redhat.com> <4C9CE34A.10600@redhat.com> <4C9D01BA.8010004@redhat.com>
Message-ID: <4C9D1A08.1020206@redhat.com>

On 09/24/2010 03:53 PM, Dmitri Pal wrote:
> Brian LaMere wrote:
>> so, out of curiosity...why 60sudo? Seems like a string matching
>> netmask could be used more generically...it's redefined over as
>> radiusFramedIPNetmask in 60radius.ldif. I go through and purge my
>> tree of attributes I'll never need, sorry - I have strange quirks.
>
> See some discussion of the subject here:
> http://www.freeipa.org/page/SUDO_Schema_Design#Proposed_Schema under
> sudoHost. I tried to find something suitable but could not. I did not
> look at RADIUS though.
> Reusing core, well known attributes is a good practice since they are
> common. Relying on RADIUS schema to be present might not be. Yes we plan
> to support RADIUS in future but this work is deferred.

FWIW, I have been in conversation with the upstream FreeRADIUS folks
concerning the RADIUS ldap schema (in part because I just contributed code
to store RADIUS clients (e.g. NAS's) in ldap) which included schema updates.
During that discussion I pointed out how a number of the RADIUS attributes
appeared to be incorrectly specified as IA5 strings and suggested the ldap
schema should be updated to use UTF-8 instead (e.g. DirectoryString). There
was buy-in this was the correct thing to do.
However I don't specifically recall the status of the radiusFramedIPNetmask
attribute. Anyway, all that is a long-winded way of saying the use of IA5
appears to have been historic and incorrect in many schemas and there is an
ongoing effort to fix the use of IA5.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Sun Sep 26 22:49:02 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 27 Sep 2010 11:49:02 +1300
Subject: [Freeipa-users] Migrating passwd files etc into free-ipa
In-Reply-To: <4C9C88EC.80608@redhat.com>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9C88EC.80608@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE4DE018B4AE@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Ok,

So let's avoid the passwords....

Is there an automatic / scripted way to import the passwd file so I get the
UIDs, GIDs etc into ipa?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: Dmitri Pal [mailto:dpal at redhat.com]
Sent: Friday, 24 September 2010 11:18 p.m.
To: Steven Jones
Cc: freeipa-users
Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa

Steven Jones wrote:
> Is there a method to do this?
>
> I tried to use LdapImport.pl from the 389 project and this failed....
>
> Giving me all # = entry not added to destination (other error)
>
> Possibly the password criteria in freeipa is "too strong"?
>
> How can I disable this feature?
>
> or is there another way to import?
>
Migration of the passwords is a tough problem.
The issue is that the passwords in the local files are hashed using a simple
hash algorithm while in IPA they are hashed to create kerberos keys.
Converting from one to another without knowing the clear password is not
possible. If you already have an LDAP server with passwords you can take
advantage of our LDAP migration schemes but if you have local files this
will be a challenge.
For the migrating-from-LDAP case you can load your users into the IPA and
then configure SSSD to use migration mode on the client or you can instruct
users to go to a special migration web page. In both cases you already have
the password hashed in the LDAP format in the IPA so SSSD or the Migration
page will capture the cleartext password and pass it to IPA so that it can
use it to generate the Kerberos hashes.

A quick search around migrating passwords from flat files to LDAP showed
that it is in some cases possible (if the hash that is used by the flat file
is supported by the DS server, but tricky).
We do not have any aid here so it is simpler to reset the password. If this
is not an option, as far as I understand you need to create user accounts
first with some password and then overwrite the password attribute in the
LDAP with the properly decorated hash taken from the password file. And
after that you still need the kerberos keys for IPA to work so you still
need to use the Migration page or SSSD. It might be less trouble just to
bite the bullet and reset passwords as you migrate to IPA.

Thanks
Dmitri

> regards
>
> Steven Jones

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
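A worked version of the passwd-file import asked about above, added here as my own example (Rob's import.py attachment was scrubbed from the archive and this is not his script): it parses constructed /etc/passwd lines, ignores the password field entirely (hashes cannot become Kerberos keys, so those users get a reset), skips system accounts and entries without a usable gecos, and builds `ipa user-add` argument vectors instead of shell strings. The FreeIPA v2 option names used (--first, --last, --uid, --gidnumber, --gecos, --homedir, --shell) are assumed from the v2 CLI; confirm them with `ipa user-add --help` before running anything.

```python
"""Turn /etc/passwd entries into 'ipa user-add' invocations.

Added example for this thread, not Rob's scrubbed import.py. The FreeIPA v2
option names (--first, --last, --uid, --gidnumber, --gecos, --homedir,
--shell) are assumed; confirm with 'ipa user-add --help'."""
import shlex
import subprocess

# Constructed sample input, no real accounts. Only the first comma-separated
# GECOS field is the full name; office/phone fields may follow it.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jdoe:x:1001:1001:Jane Doe,Room 101,555-0100:/home/jdoe:/bin/bash
bsmith:x:1002:1002:Bob Smith:/home/bsmith:/bin/bash
noname:x:1003:1003::/home/noname:/bin/bash
mononym:x:1004:1004:Plato:/home/mononym:/bin/bash
"""

MIN_UID = 500  # entries below this are treated as system accounts and skipped


def split_gecos(gecos):
    """Return (first, last) from the GECOS field, or None when it cannot be
    split safely. Policy choice: the first word is the given name and the rest
    is the surname; empty or single-word names are left for a human."""
    full_name = gecos.split(",", 1)[0].strip()
    words = full_name.split()
    if len(words) < 2:
        return None
    return words[0], " ".join(words[1:])


def passwd_to_ipa_commands(passwd_text, min_uid=MIN_UID):
    """Return (commands, skipped): argv lists for 'ipa user-add' plus
    (login, reason) pairs for entries that need manual attention. The
    password field is ignored on purpose; see the thread for why."""
    commands, skipped = [], []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            skipped.append((line, "malformed entry"))
            continue
        login, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            skipped.append((login, "system account"))
            continue
        names = split_gecos(gecos)
        if names is None:
            skipped.append((login, "no usable gecos"))
            continue
        first, last = names
        commands.append([
            "ipa", "user-add", login,
            "--first=" + first, "--last=" + last,
            "--uid=" + uid, "--gidnumber=" + gid,
            "--gecos=" + first + " " + last,
            "--homedir=" + home, "--shell=" + shell,
        ])
    return commands, skipped


def render(commands):
    """Shell-safe one-liners so the batch can be reviewed before it runs."""
    return [" ".join(shlex.quote(arg) for arg in argv) for argv in commands]


def run(commands):
    """Execute as argv lists (no shell) on an enrolled host holding an admin
    Kerberos ticket; stops at the first failing entry."""
    for argv in commands:
        subprocess.run(argv, check=True)
```

Review render(commands) and the skipped list first; only then hand the commands to run().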
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Mon Sep 27 03:02:48 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 27 Sep 2010 16:02:48 +1300
Subject: [Freeipa-users] Free-ipa no longer working
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE4DE018B4AE@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9C88EC.80608@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018B4AE@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE4DE018B60F@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

I have come back after the weekend and find that the gui no longer works....

While trying to get a new kerberos ticket I get,

"kinit: Cannot contact and KDC realm 'VUW.AC.NZ' while getting credentials"

So any ideas where I go looking?

regards

Steven Jones

From nalin at redhat.com Mon Sep 27 14:41:21 2010
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 27 Sep 2010 10:41:21 -0400
Subject: [Freeipa-users] Free-ipa no longer working
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE4DE018B60F@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9C88EC.80608@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018B4AE@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE4DE018B60F@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <20100927144121.GB12786@redhat.com>

On Mon, Sep 27, 2010 at 04:02:48PM +1300, Steven Jones wrote:
> While trying to get a new kerberos ticket I get,
>
> "kinit: Cannot contact and KDC realm 'VUW.AC.NZ' while getting
> credentials"
>
> So any ideas where I go looking?

The KDC is the 'krb5kdc' service, so I'd suggest checking that the
'krb5kdc' service is running on the server. If it is, then check that port
88 isn't firewalled off, and that the client can ping the server.

HTH,

Nalin

From rcritten at redhat.com Mon Sep 27 15:30:50 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 27 Sep 2010 11:30:50 -0400
Subject: [Freeipa-users] Migrating passwd files etc into free-ipa
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE4DE018B4AE@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9C88EC.80608@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018B4AE@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4CA0B8AA.80106@redhat.com>

Steven Jones wrote:
> Ok,
>
> So let's avoid the passwords....
>
> Is there an automatic / scripted way to import the passwd file so I get
> the UIDs, GIDs etc into ipa?

We have generally left this as an exercise for the end-user because it
isn't a technically difficult problem. It is more a policy and config
problem.

Attached is a simple demonstration of doing this using the IPA
command-line. The tricky part is dealing with names. There is no universal
way of getting it right. Entries without a gecos are skipped.

It worked fine on my system with 2 password entries. YMMV.

rob

> regards
>
> Steven Jones
>
> -----Original Message-----
> From: Dmitri Pal [mailto:dpal at redhat.com]
> Sent: Friday, 24 September 2010 11:18 p.m.
> To: Steven Jones
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa
>
> Steven Jones wrote:
>> Is there a method to do this?
> Thanks
> Dmitri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: import.py
Type: text/x-python
Size: 1135 bytes
Desc: not available
URL:

From Steven.Jones at vuw.ac.nz Mon Sep 27 19:52:16 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 28 Sep 2010 08:52:16 +1300
Subject: [Freeipa-users] Migrating passwd files etc into free-ipa
In-Reply-To: <4CA0B8AA.80106@redhat.com>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9C88EC.80608@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018B4AE@STAWINCOEXMAIL1.staff.vuw.ac.nz>, <4CA0B8AA.80106@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE4DE0450363@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Thanks.......

Re: your comment...However I will re-direct you to one of the core ideas I
thought was behind FreeIPA?....to make it easy for the end user to deploy
and use?

In my situation I have hundreds of users, over 2 hundred RHEL servers and
probably shortly a pile of workstations.......I have no experience/knowledge
with any centralised system, LDAP, AD etc and zero programming capability
beyond bash scripting, no money and no time....so this is actually VERY
technically challenging for me ESPECIALLY with a management that are all
Windows trained and are used to typing "dcpromo" and job done with no cost
and would happily rip out RedHat to save money at the drop of a hat if they
could.

Redhat I assume wants to sell this into the enterprise?, in version RHEL 6.1?
this is certainly what our friendly RH architect tells us...He recommended
we try freeIPA, I will feed back to him.....

So please don't under-estimate the value of migration tools. For you, sure,
it's technically easy, for me at the bottom of the identity management
ladder, I have a huge setup, so it's close to impossible.

You don't deploy this as a one off in the real world or day to day.....?

So anyway I used the existing padl tools and oh that didn't work....easy
would have been...it worked.

It's very simple, vendors who want to sell their [alternative] product into
the market place have to supply a migration tool from the competition's
product or there won't be a deal....

regards

Steven

bcc MW.

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Tuesday, 28 September 2010 4:30 a.m.
To: Steven Jones
Cc: Dmitri Pal; freeipa-users
Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa

Steven Jones wrote:
> Ok,
>
> So let's avoid the passwords....
>
> Is there an automatic / scripted way to import the passwd file so I get
> the UIDs, GIDs etc into ipa?

We have generally left this as an exercise for the end-user because it
isn't a technically difficult problem. It is more a policy and config
problem.

Attached is a simple demonstration of doing this using the IPA
command-line. The tricky part is dealing with names. There is no universal
way of getting it right. Entries without a gecos are skipped.

It worked fine on my system with 2 password entries. YMMV.

rob
From rcritten at redhat.com Mon Sep 27 21:03:28 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 27 Sep 2010 17:03:28 -0400
Subject: [Freeipa-users] Migrating passwd files etc into free-ipa
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE4DE0450363@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A2D4@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9C88EC.80608@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018B4AE@STAWINCOEXMAIL1.staff.vuw.ac.nz>, <4CA0B8AA.80106@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE0450363@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4CA106A0.1060601@redhat.com>

Steven Jones wrote:
> Hi,
>
> Thanks.......
>
> Re: your comment...However I will re-direct you to one of the core ideas
> I thought was behind FreeIPA?....to make it easy for the end user to
> deploy and use?
>
> In my situation I have hundreds of users, over 2 hundred RHEL servers and
> probably shortly a pile of workstations.......I have no
> experience/knowledge with any centralised system, LDAP, AD etc and zero
> programming capability beyond bash scripting, no money and no time....so
> this is actually VERY technically challenging for me ESPECIALLY with a
> management that are all Windows trained and are used to typing "dcpromo"
> and job done with no cost and would happily rip out RedHat to save money
> at the drop of a hat if they could.
>
> Redhat I assume wants to sell this into the enterprise?, in version RHEL 6.1?
> this is certainly what our friendly RH architect tells us...He recommended
> we try freeIPA, I will feed back to him.....
>
> So please don't under-estimate the value of migration tools. For you,
> sure, it's technically easy, for me at the bottom of the identity
> management ladder, I have a huge setup, so it's close to impossible.
>
> You don't deploy this as a one off in the real world or day to day.....?
>
> So anyway I used the existing padl tools and oh that didn't work....easy
> would have been...it worked.
>
> It's very simple, vendors who want to sell their [alternative] product
> into the market place have to supply a migration tool from the
> competition's product or there won't be a deal....

Thank you for the feedback.

The problem is that we have our own data requirements that /etc/passwd
doesn't always satisfy. In almost all cases some sort of human
intervention/data massaging will be necessary so whatever we provide will
come up short.

We do offer a way to migrate users and groups out of an LDAP server,
including maintaining passwords.

regards

rob

From Steven.Jones at vuw.ac.nz Wed Sep 29 03:15:16 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 29 Sep 2010 16:15:16 +1300
Subject: [Freeipa-users] bug 634561
In-Reply-To: <4C9BB652.3070203@redhat.com>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE4DE018BBCF@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Sorry if this sounds pushy but any chance of an ETA please?

regards

Steven Jones

-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Friday, 24 September 2010 8:20 a.m.
To: Steven Jones
Cc: freeipa-users
Subject: Re: [Freeipa-users] bug 634561

Steven Jones wrote:
> Hi,
>
> Bug 634561 has been fixed...
>
> How do I get this into/onto my setup please?
>
We're working on a 389-ds-base 1.2.6.1 release. Should be in testing very
soon.

From rcritten at redhat.com Wed Sep 29 13:12:16 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Sep 2010 09:12:16 -0400
Subject: [Freeipa-users] bug 634561
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE4DE018BBCF@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BBCF@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4CA33B30.7010507@redhat.com>

Steven Jones wrote:
> Hi,
>
> Sorry if this sounds pushy but any chance of an ETA please?

Looks like it is in updates-testing:
https://admin.fedoraproject.org/updates/search/389-ds-base?_csrf_token=02164f85ca5037bd97fa8deacbd13fda7ea300f0

# yum update --enablerepo=updates-testing 389-ds-base

rob

> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Friday, 24 September 2010 8:20 a.m.
> To: Steven Jones
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] bug 634561
>
> Steven Jones wrote:
>> Hi,
>>
>> Bug 634561 has been fixed...
>>
>> How do I get this into/onto my setup please?
>>
> We're working on a 389-ds-base 1.2.6.1 release. Should be in testing
> very soon.
From rmeggins at redhat.com Wed Sep 29 14:17:23 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 29 Sep 2010 08:17:23 -0600
Subject: [Freeipa-users] bug 634561
In-Reply-To: <4CA33B30.7010507@redhat.com>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BBCF@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4CA33B30.7010507@redhat.com>
Message-ID: <4CA34A73.60306@redhat.com>

Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> Sorry if this sounds pushy but any chance of an ETA please?
>
> Looks like it is in updates-testing:
> https://admin.fedoraproject.org/updates/search/389-ds-base?_csrf_token=02164f85ca5037bd97fa8deacbd13fda7ea300f0
>
> # yum update --enablerepo=updates-testing 389-ds-base

It's still not in the mirrors yet. In the meantime, you can install
directly from koji:
http://koji.fedoraproject.org/koji/buildinfo?buildID=196612

> rob
From Steven.Jones at vuw.ac.nz Thu Sep 30 01:42:39 2010
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 30 Sep 2010 14:42:39 +1300
Subject: [Freeipa-users] Adding a freeipa version 2 repo to RHEL 5
In-Reply-To: <4CA34A73.60306@redhat.com>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BBCF@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4CA33B30.7010507@redhat.com> <4CA34A73.60306@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE4DE018BDDC@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Is it possible to install an ipafree v2 client on RHELu5 64bit?

I cannot find anything via Google that indicates this is so or how to do it.

If so what's the repo config pls?

If not will the ver1 of freeipa work and if so what is the repo?

The client documentation simply says it's possible....yet nothing on google
indicates how or if this is actually the case...
regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

From rcritten at redhat.com Thu Sep 30 03:48:05 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Sep 2010 23:48:05 -0400
Subject: [Freeipa-users] Adding a freeipa version 2 repo to RHEL 5
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE4DE018BDDC@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BBCF@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4CA33B30.7010507@redhat.com> <4CA34A73.60306@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BDDC@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4CA40875.7080408@redhat.com>

Steven Jones wrote:
> Hi,
>
> Is it possible to install a freeipa v2 client on RHEL 5 64bit?
>
> I cannot find anything via Google that indicates this is so or how to do it.
>
> If so what's the repo config pls?
>
> If not will the ver1 of freeipa work and if so what is the repo?
>
> The client documentation simply says it's possible....yet nothing on google indicates how or if this is actually the case...

There is not currently a v2 client for RHEL 5 (or anything other than Fedora, really).

You might find a v1 client for RHEL 5 in a centos repo, or you can pull the rheipa srpms from ftp.redhat.com to build a v1.x client.

Another user recently confirmed that a v1 client works with a v2 server but it will configure nss_ldap/pam_ldap and not sssd. You also don't get automatic host enrollment like you do with a v2 client. The current authconfig that ships with RHEL 5 doesn't support sssd at all, though manually configuring it isn't terribly difficult.

Beware when it comes to the current v2 documentation, it is in a dangerous quasi-state right now. Much of it has been copied from v1 and it is being slowly updated but it is far from complete right now.
rob

From dpal at redhat.com Thu Sep 30 04:33:11 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 30 Sep 2010 00:33:11 -0400
Subject: [Freeipa-users] Adding a freeipa version 2 repo to RHEL 5
In-Reply-To: <4CA40875.7080408@redhat.com>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BBCF@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4CA33B30.7010507@redhat.com> <4CA34A73.60306@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BDDC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4CA40875.7080408@redhat.com>
Message-ID: <4CA41307.9010204@redhat.com>

Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> Is it possible to install a freeipa v2 client on RHEL 5 64bit?
>>
>> I cannot find anything via Google that indicates this is so or how to
>> do it.
>>
>> If so what's the repo config pls?
>>
>> If not will the ver1 of freeipa work and if so what is the repo?
>>
>> The client documentation simply says it's possible....yet nothing on
>> google indicates how or if this is actually the case...
>

You might want to consider using SSSD and configure it with IPA. It is available from EPEL. We are actively working on making SSSD and the corresponding ipa-client component available in RHEL 5.x and 6.x versions. But SSSD from EPEL is the solution to use at the moment.

If you are talking about the client administrative CLI for IPA v2 there is currently no support for RHEL versions. That will become available later.

> There is not currently a v2 client for RHEL 5 (or anything other than
> Fedora, really).
>
> You might find a v1 client for RHEL 5 in a centos repo, or you can
> pull the rheipa srpms from ftp.redhat.com to build a v1.x client.
>
> Another user recently confirmed that a v1 client works with a v2
> server but it will configure nss_ldap/pam_ldap and not sssd. You also
> don't get automatic host enrollment like you do with a v2 client.
> The current authconfig that ships with RHEL 5 doesn't support sssd at all
> though manually configuring it isn't terribly difficult.
>
> Beware when it comes to the current v2 documentation, it is in a
> dangerous quasi-state right now. Much of it has been copied from v1
> and it is being slowly updated but it is far from complete right now.
>
> rob

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From marc.schlinger at agorabox.org Thu Sep 30 14:05:52 2010
From: marc.schlinger at agorabox.org (Marc Schlinger)
Date: Thu, 30 Sep 2010 16:05:52 +0200
Subject: [Freeipa-users] Kerberos Password change limitation while behind a NAT
Message-ID: <4CA49940.7010501@agorabox.org>

Hello all,

I cannot change an expired user password while behind a NAT.
The error I get is:

kpasswd[6756]: Failed to decrypt password: Incorrect net address

I believe this is a kerberos limitation due to the difference between the host ip address enclosed in the ticket - the host's rfc1918 address - and the address used to communicate with the server - the router's address. This setup is very common @home.

There must be a way to disable the verification for kpasswd since it works for other services. But it may have been set for security purposes, so disabling it may introduce some flaws.

I know that ipa passwd can set the password by calling a special method through xmlrpc, but if the client has no credential, he must retrieve one - with kinit - before calling this method. And kinit will ask to change the password.

My problem is, how can I handle the case where a user has an expired password and is behind a NAT?
Thanks for all

Marc

From kambiz at mcnc.org Thu Sep 30 16:10:00 2010
From: kambiz at mcnc.org (Kambiz Aghaiepour)
Date: Thu, 30 Sep 2010 12:10:00 -0400
Subject: [Freeipa-users] Adding a freeipa version 2 repo to RHEL 5
In-Reply-To: <4CA40875.7080408@redhat.com>
References: <4C9B551C.3000005@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE43F695A0D8@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4C9BB652.3070203@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BBCF@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4CA33B30.7010507@redhat.com> <4CA34A73.60306@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE4DE018BDDC@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4CA40875.7080408@redhat.com>
Message-ID: <4CA4B658.4040306@mcnc.org>

Confirmed here as well. We've been using version 1.2.1-4 from F11 sources built for CentOS5/RHEL5 for some time now. I followed the following write-up:

http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5

along with ipa-1.2.1 (from base F11), as the howtoforge writeup points to

http://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHEIPA/SRPMS/

which only includes ipa-1.0.0. I have not tried to update to ipa-1.2.2-2.fc11.src.rpm

Once we got everything up and running, updates from fedora-ds to 389-ds seemed not to cause any issues and ipa was confirmed to work fine.

Kambiz

Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> Is it possible to install a freeipa v2 client on RHEL 5 64bit?
>>
>> I cannot find anything via Google that indicates this is so or how to
>> do it.
>>
>> If so what's the repo config pls?
>>
>> If not will the ver1 of freeipa work and if so what is the repo?
>>
>> The client documentation simply says it's possible....yet nothing on
>> google indicates how or if this is actually the case...
>
> There is not currently a v2 client for RHEL 5 (or anything other than
> Fedora, really).
>
> You might find a v1 client for RHEL 5 in a centos repo, or you can pull
> the rheipa srpms from ftp.redhat.com to build a v1.x client.
>
> Another user recently confirmed that a v1 client works with a v2 server
> but it will configure nss_ldap/pam_ldap and not sssd. You also don't get
> automatic host enrollment like you do with a v2 client. The current
> authconfig that ships with RHEL 5 doesn't support sssd at all though
> manually configuring it isn't terribly difficult.
>
> Beware when it comes to the current v2 documentation, it is in a
> dangerous quasi-state right now. Much of it has been copied from v1 and
> it is being slowly updated but it is far from complete right now.
>
> rob

-- 
"All tyranny needs to gain a foothold is for people of good conscience to remain silent." --Thomas Jefferson

From ssorce at redhat.com Thu Sep 30 16:30:36 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 30 Sep 2010 12:30:36 -0400
Subject: [Freeipa-users] Kerberos Password change limitation while behind a NAT
In-Reply-To: <4CA49940.7010501@agorabox.org>
References: <4CA49940.7010501@agorabox.org>
Message-ID: <20100930123036.2fb62d9b@willson.li.ssimo.org>

On Thu, 30 Sep 2010 16:05:52 +0200
Marc Schlinger wrote:
> Hello all,
>
> I cannot change an expired user password while behind a NAT.
> The error I get is:
>
> kpasswd[6756]: Failed to decrypt password: Incorrect net address
>
> I believe this is a kerberos limitation due to the difference between
> the host ip address enclosed in the ticket - the host's rfc1918
> address - and the address used to communicate with the server - the
> router's address. This setup is very common @home.
>
> There must be a way to disable the verification for kpasswd since it
> works for other services. But it may have been set for security
> purposes, so disabling it may introduce some flaws.
>
> I know that ipa passwd can set the password by calling a special
> method through xmlrpc, but if the client has no credential, he must
> retrieve one - with kinit - before calling this method. And kinit
> will ask to change the password.
>
> My problem is, how can I handle the case where a user has an expired
> password and is behind a NAT?

You can use ldappasswd too, either with GSSAPI auth or eventually even with plaintext auth (requires using SSL); in that case though you will need to know the user DN.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From marc.schlinger at agorabox.org Thu Sep 30 17:29:20 2010
From: marc.schlinger at agorabox.org (Marc Schlinger)
Date: Thu, 30 Sep 2010 19:29:20 +0200
Subject: [Freeipa-users] Kerberos Password change limitation while behind a NAT
In-Reply-To: <20100930123036.2fb62d9b@willson.li.ssimo.org>
References: <4CA49940.7010501@agorabox.org> <20100930123036.2fb62d9b@willson.li.ssimo.org>
Message-ID: <4CA4C8F0.2090801@agorabox.org>

On 30/09/2010 18:30, Simo Sorce wrote:
> You can use ldappasswd too, either with GSSAPI auth or eventually even
> with plaintext auth (requires using SSL); in that case though you will
> need to know the user DN.
>
> Simo.
>

So if a user logs in when his password is expired, will pam_ldap in the pam password step do the trick?

I still wonder how ldappasswd can change the kerberos password.

Thanks

Marc.
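Simo's ldappasswd route, as an added example (not from the thread and not FreeIPA's own code): a small POSIX sh wrapper that builds the user DN and only emits a simple bind when the transport is TLS, so the clear-text bind password never crosses the NAT unprotected. It assumes the IPA v2 flat layout uid=<login>,cn=users,cn=accounts,<base DN>, OpenLDAP's ldappasswd(1), and that the directory accepts the bind; the hostnames and base DN below are placeholders.

```shell
#!/bin/sh
# Added example: change an IPA user's password via ldappasswd instead of
# kpasswd, so the Kerberos address check behind NAT is never involved.
# Assumption: IPA's flat DIT places users under cn=users,cn=accounts,<base>.

# DN of a user in IPA's flat tree (assumed layout, see above).
ipa_user_dn() {
    # $1 = login, $2 = base DN
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$2"
}

# Print the ldappasswd(1) argument list for a self-service password change,
# or fail without printing anything.
#   $1 = LDAP URI, $2 = bind mode (gssapi|simple), $3 = target user DN
# gssapi: SASL bind with an existing TGT; no DN or password on the wire.
# simple: the old password is sent as the bind password, so it is only
#         allowed over ldaps:// or over ldap:// with -ZZ (StartTLS mandatory).
# -W prompts for the bind password, -A for the old password carried in the
# password-modify request, -S for the new one.
ldappasswd_args() {
    uri=$1; mode=$2; dn=$3
    case "$mode" in
        gssapi)
            printf '%s\n' "-H $uri -Y GSSAPI -S $dn" ;;
        simple)
            case "$uri" in
                ldaps://*) printf '%s\n' "-H $uri -x -D $dn -W -A -S $dn" ;;
                ldap://*)  printf '%s\n' "-H $uri -ZZ -x -D $dn -W -A -S $dn" ;;
                *) echo "refusing simple bind over '$uri': no TLS" >&2; return 1 ;;
            esac ;;
        *) echo "unknown bind mode '$mode'" >&2; return 1 ;;
    esac
}

# Run the change: ipa_change_password <uri> <gssapi|simple> <login> <base DN>
# (DNs containing spaces are not handled by the word-split below.)
ipa_change_password() {
    dn=$(ipa_user_dn "$3" "$4") || return 1
    args=$(ldappasswd_args "$1" "$2" "$dn") || return 1
    # shellcheck disable=SC2086  # splitting the argument list is intended
    ldappasswd $args
}
```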
From rcritten at redhat.com Thu Sep 30 17:34:04 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Sep 2010 13:34:04 -0400
Subject: [Freeipa-users] Kerberos Password change limitation while behind a NAT
In-Reply-To: <4CA4C8F0.2090801@agorabox.org>
References: <4CA49940.7010501@agorabox.org> <20100930123036.2fb62d9b@willson.li.ssimo.org> <4CA4C8F0.2090801@agorabox.org>
Message-ID: <4CA4CA0C.5030306@redhat.com>

Marc Schlinger wrote:
> On 30/09/2010 18:30, Simo Sorce wrote:
>> You can use ldappasswd too, either with GSSAPI auth or eventually even
>> with plaintext auth (requires using SSL); in that case though you will
>> need to know the user DN.
>>
>> Simo.
>>
>
> So if a user logs in when his password is expired, will pam_ldap in the
> pam password step do the trick?
>
> I still wonder how ldappasswd can change the kerberos password.

We keep passwords in sync regardless of the mechanism used to change it.

rob

From dennis at ausil.us Thu Sep 30 18:54:40 2010
From: dennis at ausil.us (Dennis Gilmore)
Date: Thu, 30 Sep 2010 13:54:40 -0500
Subject: [Freeipa-users] Supporting multiple seperate kerberos providers
Message-ID: <20100930185440.GB4329@pegasus.ausil.us>

Hi All,

One thing that some folks in Fedora are evaluating is to integrate freeipa with fas, this would enable services like koji to gain kerberos auth, as well as git etc. It could also be enabled on fedorahosted etc.

But it brings to light a deficiency in krb5. While you can define multiple realms and manually switch between them in various ways, it's not user friendly, and doesn't lend itself to having to frequently switch between kerberos providers.

The lacking thing is that you can only cache one TGT at a time. You can work around this by manually defining different caches or running kinit each time you need to switch.

The solution seems to me to enable krb5 to cache multiple TGTs. Personally right now I have 2 kerberos servers I frequently deal with,
1 for home and one for work; if we end up deploying kerberos support in fedora I'll have 3, and it will get really messy fast. I can keep things separate now, but with fedora and work using kerberos that will be impossible.

I wanted to throw out there the very real and possible usage scenarios and get some further discussion on how best it will be to handle this going forward.

Dennis

From ssorce at redhat.com Thu Sep 30 20:39:39 2010
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 30 Sep 2010 16:39:39 -0400
Subject: [Freeipa-users] Supporting multiple seperate kerberos providers
In-Reply-To: <20100930185440.GB4329@pegasus.ausil.us>
References: <20100930185440.GB4329@pegasus.ausil.us>
Message-ID: <20100930163939.4872f4ea@willson.li.ssimo.org>

On Thu, 30 Sep 2010 13:54:40 -0500
Dennis Gilmore wrote:
> Hi All,
>
> One thing that some folks in Fedora are evaluating is to integrate
> freeipa with fas, this would enable services like koji to gain
> kerberos auth, as well as git etc. It could also be enabled on
> fedorahosted etc.
>
> But it brings to light a deficiency in krb5. While you can define
> multiple realms and manually switch between them in various ways, it's
> not user friendly, and doesn't lend itself to having to frequently
> switch between kerberos providers.
>
> The lacking thing is that you can only cache one TGT at a time. You
> can work around this by manually defining different caches or running
> kinit each time you need to switch.
>
> The solution seems to me to enable krb5 to cache multiple TGTs.
> Personally right now I have 2 kerberos servers I frequently deal
> with, 1 for home and one for work; if we end up deploying kerberos
> support in fedora I'll have 3, and it will get really messy fast. I
> can keep things separate now,
> but with fedora and work using
> kerberos that will be impossible.
>
> I wanted to throw out there the very real and possible usage scenarios
> and get some further discussion on how best it will be to handle this
> going forward.

I guess we should discuss this with the broader kerberos community.

In theory credential caches can hold multiple tickets, but the tools (kinit, kdestroy and friends) just do not support it now and tend to wipe out everything.

I think I've seen recently something about this so maybe voicing the problem on the "kerberos" (at mit.edu) mailing list may spark a good discussion.

On my side I will try to make this problem known to some MIT devs and see what they think.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York