From roland.kaeser at intersoft-networks.ch Sun Jan 2 16:46:04 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Sun, 2 Jan 2011 17:46:04 +0100 (CET)
Subject: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <4465210.12.1293961394648.JavaMail.javamailuser@localhost>
Message-ID: <1568241.14.1293986764914.JavaMail.javamailuser@localhost>

Hello

Great, I just tested it on F-13 and it runs fine so far.
But I'm missing a very important feature (to me), which is Samba support.

Are there any plans to build Samba support into FreeIPA 2? It would be very great to have one single
authentication authority without the need of installing Active Directory.

Regards

Roland Kaeser

----- Original Message -----
From: "Dmitri Pal"
To: "freeipa-devel", ".", freeipa-interest at redhat.com
Sent: Thursday, 23 December 2010 09:06:58
Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the Beta 1 release of freeIPA 2.0 server [1].
- Binaries are available for F-13 and F-14.
- With this beta freeIPA is feature complete.
- Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users at redhat.com

Main Highlights of the Beta
- This beta is the first attempt to show all planned capabilities of the upcoming release.
- For the first time the new UI is mostly operational and can be used to perform management of the system.
- Some areas are still very rough and we will appreciate your help with those.

Focus of the Beta Testing
- Please take a moment and look at the new Web UI. Any feedback about the general approaches, work flows, and usability is appreciated. It is still very rough, but one can hopefully get a good understanding of how we plan for the final UI to function and look.
- Replication management was significantly improved. Testing of multi-replica configurations should be easier.
- We are looking for feedback about the DNS integration and the networking issues you find in your environment configuring and using IPA with the embedded DNS enabled.

Significant Changes Since Alpha 5
- FreeIPA has changed its license to GPLv3+.
- Having IPA manage the reverse zone is optional.
- The access control subsystem was re-written to be more understandable. For details see [2].
- Support for SUDO rules.
- There is now a distinction between replicas and their replication agreements in the ipa-replica-manage command. It is now much easier to manage the replication topology.
- Renaming entries is easier with the --rename option of the mod commands.
- Fix special character handling in passwords; ensure that passwords are not logged.
- Certificates can be saved as PEM files in the service-show and host-show commands.
- All IPA services are now started/stopped using the ipactl command. This gives us better control over the start/stop order during reboot/shutdown.
- Set up ntpd first so the time is sane.
- Better multi-valued value handling with --setattr and --addattr.
- Add support for both RFC2307 and RFC2307bis to migration.
- UID ranges were reduced by default from 1M to 200k.
- Add ability to add/remove DNS records when adding/removing a host entry.
- A number of i18n issues have been addressed.
- Updated a lot of man pages.

What is not Complete
- We are still using an older version of Dogtag. The new version of the Dogtag Certificate System will be based on tomcat6 and is forthcoming.
- We plan to take advantage of Kerberos 1.9, which was released today, but we have not finished the integration effort yet.

Known Issues
- IPV6 works in the installer but not in the server itself.
- Make sure your machine can properly resolve its name before installing the server. Edit /etc/hosts to remove the host name from the localhost and localhost6 lines if needed.
- The UI is still rough in places. Use the following query [3] to see the tickets currently open against the UI.
- Dogtag does not work out-of-the-box on Fedora 14. To fix it for the time being run:
  # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
- Instead of Dogtag on F14 you can also try the self-signed CA, which is similar to the CA that was provided in IPA v1. This was designed for testing and development and is not recommended for deployment.
- Make sure you enable the updates-testing repository on your Fedora machine.

Thank you,
FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] http://freeipa.org/page/Permissions
[3] https://fedorahosted.org/freeipa/report/12

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest

--
InterSoft Networks
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11
------------------------------------------------------------------------------------------------------------------------------
Those who give up their freedom for the sake of security will in the end have neither, and they do not deserve either. (Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------

From dpal at redhat.com Mon Jan 3 13:56:03 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 03 Jan 2011 08:56:03 -0500
Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <1568241.14.1293986764914.JavaMail.javamailuser@localhost>
References: <1568241.14.1293986764914.JavaMail.javamailuser@localhost>
Message-ID: <4D21D573.7090306@redhat.com>

Roland Kaeser wrote:
> Hello
>
> Great, I just tested it on F-13 and it runs fine so far.
> But I'm missing a very important feature (to me), which is Samba support.
>
> Are there any plans to build Samba support into FreeIPA 2? It would be very great to have one single
> authentication authority without the need of installing Active Directory.
>
> Regards
>
> Roland Kaeser
>

There are no plans to integrate Samba in the way you describe. Our next goal on this path is to allow cross Kerberos trusts (IPA v3), but supporting Windows clients natively is not something we have in mind. The intent, however, is to pretend that IPA is yet another AD domain. If your main domain is going to be Samba 4 instead of AD it might work without installing AD. But we do not plan to carry, install and configure Samba 4 ourselves, at least in the near future (read: a couple of years).

Thank you
Dmitri

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Jan 3 19:20:30 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 03 Jan 2011 14:20:30 -0500
Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <465055.24.1294079871281.JavaMail.javamailuser@localhost>
References: <465055.24.1294079871281.JavaMail.javamailuser@localhost>
Message-ID: <4D22217E.5020105@redhat.com>

Roland Kaeser wrote:
> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is explicitly written that AD integration and Samba 3 support will be one of the features of v2.

I guess there is some misinterpretation. Samba 3 does not provide a way to integrate contemporary Windows clients. The Samba 3 integration mentioned in the outline is the integration of Samba 3 as a CIFS server.

> If not, it's completely unusable to me, and likely also to most other potential users.
It is assumed that most of the current users already have AD in their environment anyway. We are not setting a goal of taking over the world and replacing AD altogether. Rather, we plan to interoperate with it.

> It's sad, but in most cases sysadmins have to deal with Windows machines in their network. So at the moment they have only the choice between an AD and a Samba domain (with LDAP).

Samba 4 is the alternative to AD.

> FreeIPA would have so much potential if it acted as a central authentication and identity management platform which connects all the different network systems together.

It will connect by allowing cross Kerberos trust with AD/Samba 4, but its goal is not to replace AD as a primary identity server for Windows clients. It is just not possible to do other than by re-implementing AD, which Samba 4 already does. So if you want to move away from AD you might take advantage of Samba 4 as a replacement for your AD and, using cross Kerberos trusts, allow SSO with the IPA environment. At some point we might make this integration more automatic, but this is not on the road map for now.

> Especially in a RHEV environment with VDI infrastructures it could be the central point for authentication, authorization and auditing.

Absolutely! The RHEV environment is something we definitely have in mind, and the cross Kerberos trust solution we plan for v3 should address this use case. The question is how complete the implementation of the trusts will be. Depending on time we might go for the higher priority use cases (IPA as a resource domain) rather than the full trust required for VDI to work the way you envision. But still, VDI is a significant use case we have in mind.

> But if the current intention does not change, FreeIPA will become just another piece of unusable software which will die soon. It's very sad.
>

The intention is to be realistic and not require drastic changes to existing environments where AD is dominating.
> Regards
>
> Roland

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From roland.kaeser at intersoft-networks.ch Mon Jan 3 18:37:51 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Mon, 3 Jan 2011 19:37:51 +0100 (CET)
Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <4D21D573.7090306@redhat.com>
Message-ID: <465055.24.1294079871281.JavaMail.javamailuser@localhost>

Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is explicitly written that AD integration and Samba 3 support will be one of the features of v2. If not, it's completely unusable to me, and likely also to most other potential users. It's sad, but in most cases sysadmins have to deal with Windows machines in their network. So at the moment they have only the choice between an AD and a Samba domain (with LDAP).
FreeIPA would have so much potential if it acted as a central authentication and identity management platform which connects all the different network systems together. Especially in a RHEV environment with VDI infrastructures it could be the central point for authentication, authorization and auditing. But if the current intention does not change, FreeIPA will become just another piece of unusable software which will die soon. It's very sad.

Regards

Roland

--
InterSoft Networks
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11
------------------------------------------------------------------------------------------------------------------------------
Those who give up their freedom for the sake of security will in the end have neither, and they do not deserve either. (Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------

From chorn at fluxcoil.net Mon Jan 3 19:38:52 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Mon, 3 Jan 2011 20:38:52 +0100
Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <465055.24.1294079871281.JavaMail.javamailuser@localhost>
References: <4D21D573.7090306@redhat.com> <465055.24.1294079871281.JavaMail.javamailuser@localhost>
Message-ID: <20110103193851.GA11575@fluxcoil.net>

On Mon, Jan 03, 2011 at 07:37:51PM +0100, Roland Kaeser wrote:
> It's sad, but in most cases sysadmins have to deal with
> Windows machines in their network.

True, but IMHO the strategy FreeIPA is currently following, doing interop with cross-realm trusts, is the only long-term way to go. Spending effort to make FreeIPA behave like another exact AD clone is wasting resources; Samba 4 is already good at doing this special task. Yet it's interesting to see how stable Samba 4 operation in Windows AD environments will be, since one cannot be sure the Samba 4 project will be notified of protocol changes etc. Cross-realm is used in some environments, and Microsoft did also help with debugging of problems. FreeIPA could be the base for a Linux/Unix world's AD, bringing in all the good things about open source software.

Christian

From benjamin.vogt at serv24.biz Mon Jan 3 20:17:48 2011
From: benjamin.vogt at serv24.biz (Benjamin Vogt)
Date: Mon, 3 Jan 2011 21:17:48 +0100
Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <465055.24.1294079871281.JavaMail.javamailuser@localhost>
References: <4D21D573.7090306@redhat.com> <465055.24.1294079871281.JavaMail.javamailuser@localhost>
Message-ID: <000001cbab83$4b278de0$e176a9a0$@serv24.biz>

I have to agree with Roland.
Linux is lacking a complete solution that acts as a "central authentication and identity management platform". I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. The reality is that Windows clients are too widespread in most enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2.

As for reimplementing AD, is there any reason we could not use Samba 4 as a backend? There are other interesting projects that build on it, such as OpenChange, which could be a viable Exchange replacement.

Regards,
- Ben
Use the following query [3] to > see the tickets currently open against UI. > - Dogtag does not work out-of-the-box on Fedora 14. To fix it for for > the time being run: > # ln -s /usr/share/java/xalan-j2-serializer.jar > /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar > - Instead of Dogtag on F14 you can also try the self-signed CA which > is similar to the CA that was provided in IPA v1. This was designed > for testing and development and not recommended for deployment. > - Make sure you enable updates-testing repository on your fedora machine. > > Thank you, > FreeIPA development team > > [1] http://www.freeipa.org/page/Downloads > [2] http://freeipa.org/page/Permissions > [3] https://fedorahosted.org/freeipa/report/12 > > _______________________________________________ > Freeipa-interest mailing list > Freeipa-interest at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-interest > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -- InterSoft Networks Roland K?ser, Systems Engineer OpenSource Fulachstr. 197, 8200 Schaffhausen Tel: +41 77 415 79 11 ------------------------------------------------------------------------------------------------------------------------------ Diejenigen, die ihre Freiheit zugunsten der Sicherheit aufgeben, werden am Ende keines von beiden haben - und verdienen es auch nicht. 
(Benjamin Franklin) ------------------------------------------------------------------------------------------------------------------------------ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From dpal at redhat.com Mon Jan 3 21:42:59 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 03 Jan 2011 16:42:59 -0500 Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release In-Reply-To: <000001cbab83$4b278de0$e176a9a0$@serv24.biz> References: <4D21D573.7090306@redhat.com> <465055.24.1294079871281.JavaMail.javamailuser@localhost> <000001cbab83$4b278de0$e176a9a0$@serv24.biz> Message-ID: <4D2242E3.8090007@redhat.com> Benjamin Vogt wrote: > I have to agree with Roland. Linux is lacking a complete solution that acts as a "central authentication and identity management platform". I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. The reality is that Windows clients are too widespread in most enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. As for reimplementing AD, is there any reason we could not use Samba 4 as a backend? There are other interesting projects that build on it, such as openchange which could be a viable Exchange replacement. > We return to this discussion once in a while... Samba 4 is intended to be a duplicate of AD this is how it is designed and implemented. It is not nice to UNIX/Linux in the same way as AD is not. This was one of the reasons we decided not to use Samba 4 as our back end though we did a lot of research and analysis. You can search archives from 2007/2008 for more details. What you are asking for is a very appealing goal but unfortunately not something that can be easily accomplished. Serving Windows clients by a non Windows server is a challenge. 
Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011.

Thanks
Dmitri

> Regards,
> - Ben

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From JR.Aquino at citrix.com Tue Jan 4 16:25:31 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 4 Jan 2011 16:25:31 +0000
Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <16231773.32.1294131854733.JavaMail.javamailuser@localhost>

On 1/4/11 1:04 AM, "Roland Kaeser" wrote:

>> We return to this discussion once in a while...
>> ....
>> Samba 4 tries to do it and still struggles after many years
>> of development. We definitely would look at Samba 4 again when we see it
>> sufficiently ready but this is not a priority for 2011.
>
> Maybe this is the reason why freeipa has so few users and nearly no
> echo in the linux community.

I disagree Roland. The linux community at large is generally living in the dark ages of authorization management. There are no comparative comprehensive linux solutions in the community thus far which actually address scalable authentication and authorization from linux systems by a linux solution.

My observation of the quiet in the community is due to lack of solutions out there. /etc/access.conf, pam_ldap, Centrify, hosts.allow are very primitive means to control access to a linux client.

Regardless of how complex you make your authentication database, to this day, you are still limited to: pam_ldap, access.conf, Centrify, hosts.allow... These are very primitive means to control access to a linux client.

With FreeIPA and SSSD, the first means of providing real RBAC/HBAC is available to the Open Source community.

We cannot and should not attempt to explain the quiet with answers of disinterest or lack of Microsoft support. The fact is, there has not yet been a competent linux solution and as a result the utilization of pure Linux environments has been stunted with people settling for things like /etc/passwd, /etc/access.conf, pam_ldap, and NIS...

What you are describing is the reinventing of the wheel, which has previously been answered: If the goal is to provide an alternative linux authentication/authorization method for Microsoft Windows, then there are already existing solutions out there: Samba4, Novell eDirectory + Directory Services for Windows...

FreeIPA serves to facilitate some of the most basic authentication/authorization interactions that other OS's have taken for granted for years.

>
>> Samba 4 is intended to be a duplicate of AD; this is how it is designed
>> and implemented.
> The problem here is that samba 4 is still alpha.
>
>> I would like to be able to use Linux as the IT backbone without having
>> to resort to Microsoft.
> This is also our most implemented scenario. Only in the last year we migrated
> half a dozen companies away from Microsoft and AD (on the server side).
> This year a lot of companies are already planned for migration. Especially
> with the knowledge in mind that (based on the change of Microsoft's
> licensing model for hosters) around 1000 companies in Switzerland alone
> will switch their Abacus (www.abacus.ch, large ERP for Switzerland)
> platform to Linux, so it's REALLY, REALLY (I cannot write how much I would
> like to accentuate this) important to have a network-wide authentication
> and identity management software to build up large Linux server
> environments with Windows frontends.
> So, having Windows clients in the network is the reality; we cannot close
> our eyes to this only because it's a challenge to implement it.

Microsoft has designed a complete ecosystem to surround its client, server, email, and productivity solutions. It's not just a challenge to implement a successful means of replacing the backend, it is directly opposed to the goals of its creator: Microsoft. The various components within Microsoft's (and most commercial) solutions are designed at their core to be proprietary with the effort of drawing in consumers to more pieces of their puzzle.

It is entirely likely that it will be necessary to have both solutions in place and working together, rather than attempting to circumvent Microsoft's solution.

>
>> Linux is lacking a complete solution that acts as a "central
>> authentication and identity management platform"
> I think also this is the only huge area in Linux which is really missing.
> Just think about the huge potential of users and implementations if
> freeipa acts also as authentication instance for Windows environments.
> Just we alone (as a small company with 8 persons) would have the
> possibility for around 20 migrations this year. It is just dreaming a
> bit, but from my point of view the authentication gap is the only
> remaining one which prevents the rest of the world (or even Europe and
> Switzerland) from massively migrating to Linux and open source (at least on the
> server side).

While I agree that a truly unified solution which answers all clients' authentication needs is a worthwhile concept, in practice, throughout my entire career, I've learned that the commercial design of this ecosystem conflicts with this ambitious ideal.

I have had a great deal of experience in highly dense and distributed (world wide) native Linux installations which service Windows Clients.

All tools are best used by their intended design. If the only tool you have is a Hammer, you may approach all of your problems as if they are nails.

~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino
Information Security Specialist
Citrix Online
GCIH, CCNA

From roland.kaeser at intersoft-networks.ch Tue Jan 4 09:04:14 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Tue, 4 Jan 2011 10:04:14 +0100 (CET)
Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <4D2242E3.8090007@redhat.com>
Message-ID: <16231773.32.1294131854733.JavaMail.javamailuser@localhost>

> We return to this discussion once in a while...
> ....
> Samba 4 tries to do it and still struggles after many years
> of development. We definitely would look at Samba 4 again when we see it
> sufficiently ready but this is not a priority for 2011.

Maybe this is the reason why freeipa has so few users and nearly no echo in the linux community.

> Samba 4 is intended to be a duplicate of AD; this is how it is designed
> and implemented.

The problem here is that samba 4 is still alpha.

> I would like to be able to use Linux as the IT backbone without having to resort to Microsoft.

This is also our most implemented scenario.
Only in last year we migrated a half a dozend companies away from microsoft and AD (on the server side). This year a lot of companies are already planned for migration. Specially with the knowledge in mind that (based on the change of microsofts licensing model for hosters) around 1000 companies only in switzerland will switch their abacus (www.abacus.ch, large erp for switzerland) platform to linux so its REALLY, REALLY (I cannot write how much I would like to accentuate this) important to have a network wide authentication and identity management software to build up large linux server environments with windows frontents. So, having windows clients in the network is the reality we cannot close our eyes to this only because its challenge to implement it. >Linux is lacking a complete solution that acts as a "central authentication and identity >management platform" I think also this is the only huge area in linux which is really missing. Just think about the huge potential of users and implementations if freeipa acts also as authentication instance for windows environments. Just we only (as small company with 8 persons) whould have the possibility for around 20 migrations this year. It just wage to dream a bit but from my point of view the authentication lack is the only remaining one which prevents the rest of the world (or even europe and switzerland) to massivly migrate to linux and opensource (at least on the server side). Regards Roland ----- Urspr?ngliche Mail ----- Von: "Dmitri Pal" An: "Benjamin Vogt" CC: "Roland Kaeser" , freeipa-devel at redhat.com, freeipa-users at redhat.com Gesendet: Montag, 3. Januar 2011 22:42:59 Betreff: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release Benjamin Vogt wrote: > I have to agree with Roland. Linux is lacking a complete solution that acts as a "central authentication and identity management platform". 
I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. The reality is that Windows clients are too widespread in most enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. As for reimplementing AD, is there any reason we could not use Samba 4 as a backend? There are other interesting projects that build on it, such as openchange which could be a viable Exchange replacement. > We return to this discussion once in a while... Samba 4 is intended to be a duplicate of AD this is how it is designed and implemented. It is not nice to UNIX/Linux in the same way as AD is not. This was one of the reasons we decided not to use Samba 4 as our back end though we did a lot of research and analysis. You can search archives from 2007/2008 for more details. What you are asking for is a very appealing goal but unfortunately not something that can be easily accomplished. Serving Windows clients by a non Windows server is a challenge. Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011. Thanks Dmitri > Regards, > - Ben > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Roland Kaeser > Sent: Monday, January 03, 2011 19:38 > To: freeipa-devel at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release > > Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) is excplicitly written that ad integration and samba 3 support will be one of the features of v2. If not its completly unusable to me, and verisimilar also to the most other potential users. Its sad, but in the most cases, sysadmins have to deal with windows machines in their network. 
So at the moment they have only the choice between a AD and a samba domain (with LDAP). FreeIPA whould have so much potential if it acts as a central authentication and identity management plaform which connects all the diffrent network systems together Specially in a rhev environment with vdi infrastructures could it be the central point for authentification, authorization and auditing. But if the current intention will not change, freeipa will become just another pice of unusable software which will die soon. Its very sad. > > Regards > > Roland > > > ----- Urspr?ngliche Mail ----- > Von: "Dmitri Pal" > An: "Roland K?ser" > CC: freeipa-devel at redhat.com, freeipa-users at redhat.com > Gesendet: Montag, 3. Januar 2011 14:56:03 > Betreff: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release > > Roland Kaeser wrote: > >> Hello >> >> Great, I just tested it on F-13 and it runs fine so far. >> But I'm missing a very important feature (to me) which is: Samba Support. >> >> Are there any plans to build samba support into freeipa 2? It would be >> very great to have on single authentication authority without the need of installing active directory. >> >> Regards >> >> Roland Kaeser >> >> >> > > There are no plans to integrate Samba in a way you describe. Our next goal on this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows clients natively is not something we have in mind. > The intent however to pretend that IPA is yet another AD domain. If your main domain is going to be Samba 4 instead of AD it might work without installing AD. But we do not plan to carry install and configure Samba 4 ourselves at least in the near future (read couple years). > > Thank you > Dmitri > > > > > >> ----- Urspr?ngliche Mail ----- >> Von: "Dmitri Pal" >> An: "freeipa-devel" , "." >> , freeipa-interest at redhat.com >> Gesendet: Donnerstag, 23. 
Dezember 2010 09:06:58 >> Betreff: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 >> Release >> >> To all freeipa-interest, freeipa-users and freeipa-devel list members, >> >> The FreeIPA project team is pleased to announce the availability of >> the Beta 1 release of freeIPA 2.0 server [1]. >> - Binaries are available for F-13 and F-14. >> - With this beta freeIPA is feature complete. >> - Please do not hesitate to share feedback, criticism or bugs with us >> on our mailing list: freeipa-users at redhat.com >> >> Main Highlights of the Beta >> - This beta is the first attempt to show all planned capabilities of >> the upcoming release. >> - For the first time the new UI is mostly operational and can be used >> to perform management of the system. >> - Some areas are still very rough and we will appreciate your help >> with those. >> >> Focus of the Beta Testing >> - Please take a moment and look at the new Web UI. Any feedback about >> the general approaches, work flows, and usability is appreciated. It >> is still very rough but one can hopefully get a good understanding of >> how we plan the final UI to function and look like. >> - Replication management was significantly improved. Testing of multi >> replica configurations should be easier. >> - We are looking for a feedback about the DNS integration and >> networking issues you find in your environment configuring and using >> IPA with the embedded DNS enabled. >> >> Significant Changes Since Alpha 5 >> - FreeIPA has changed its license to GPLv3+ >> - Having IPA manage the reverse zone is optional. >> - The access control subsystem was re-written to be more understandable. >> For details see [2] >> - Support for SUDO rules >> - There is now a distinction between replicas and their replication >> agreements in the ipa-replica-manage command. It is now much easier to >> manage the replication topology. >> - Renaming entries is easier with the --rename option of the mod commands. 
>> - Fix special character handling in passwords, ensure that passwords >> are not logged. >> - Certificates can be saved as PEM files in service-show and host-show >> commands. >> - All IPA services are now started/stopped using the ipactl command. >> This gives us better control over the start/stop order during >> reboot/shutdown. >> - Set up ntpd first so the time is sane. >> - Better multi-valued value handle with --setattr and --addattr. >> - Add support for both RFC2307 and RFC2307bis to migration. >> - UID ranges were reduced by default from 1M to 200k. >> - Add ability to add/remove DNS records when adding/removing a host entry. >> - A number of i18n issues have been addressed. >> - Updated a lot of man pages. >> >> What is not Complete >> - We are still using older version of the Dogtag. New version of the >> Dogtag Certificate System will be based on tomcat6 and is forthcoming. >> - We plan to take advantage of Kerberos 1.9 that was released today >> but we have not finished the integration effort yet. >> >> Known Issues >> - IPV6 works in the installer but not the server itself >> - Make sure you machine can properly resolve its name before >> installing the server. Edit /etc/hosts to remove host name from the >> localhost and >> localhost6 lines if needed. >> - The UI is still rough in places
Use the following query [3] to >> see the tickets currently open against UI. >> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for for >> the time being run: >> # ln -s /usr/share/java/xalan-j2-serializer.jar >> /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar >> - Instead of Dogtag on F14 you can also try the self-signed CA which >> is similar to the CA that was provided in IPA v1. This was designed >> for testing and development and not recommended for deployment. >> - Make sure you enable updates-testing repository on your fedora machine. >> >> Thank you, >> FreeIPA development team >> >> [1] http://www.freeipa.org/page/Downloads >> [2] http://freeipa.org/page/Permissions >> [3] https://fedorahosted.org/freeipa/report/12 >> >> _______________________________________________ >> Freeipa-interest mailing list >> Freeipa-interest at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-interest >> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -- InterSoft Networks Roland K?ser, Systems Engineer OpenSource Fulachstr. 197, 8200 Schaffhausen Tel: +41 77 415 79 11 ------------------------------------------------------------------------------------------------------------------------------ Diejenigen, die ihre Freiheit zugunsten der Sicherheit aufgeben, werden am Ende keines von beiden haben - und verdienen es auch nicht. 
(Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------

From roland.kaeser at intersoft-networks.ch Tue Jan 4 09:18:46 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Tue, 4 Jan 2011 10:18:46 +0100 (CET)
Subject: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
In-Reply-To: <4D2242E3.8090007@redhat.com>
Message-ID: <28044184.36.1294132726351.JavaMail.javamailuser@localhost>

Sorry, forgot the last note:

From my point of view, for the moment it's not that much that is required. It would only be supporting the Samba LDAP attributes in the LDAP server and extending the management framework to create Samba domains, users, groups and machine accounts until Samba 4 is stable (already hoping for the end of this year). As far as I understand the problematics in Windows Kerberos and Samba, it should be possible to connect the Windows machines directly to the Kerberos server but have the Windows-related information such as SIDs etc. also available through Samba, so login scripts, network-wide security and single sign-on should be possible.

Roland

----- Original Message -----
From: "Dmitri Pal"
To: "Benjamin Vogt"
CC: "Roland Kaeser", freeipa-devel at redhat.com, freeipa-users at redhat.com
Sent: Monday, 3 January 2011 22:42:59
Subject: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts as a "central authentication and identity management platform". I would like to be able to use Linux as the IT backbone without having to resort to Microsoft. The reality is that Windows clients are too widespread in most enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. As for reimplementing AD, is there any reason we could not use Samba 4 as a backend? There are other interesting projects that build on it, such as OpenChange, which could be a viable Exchange replacement.
>

We return to this discussion once in a while...
Samba 4 is intended to be a duplicate of AD; this is how it is designed and implemented. It is not nice to UNIX/Linux in the same way as AD is not. This was one of the reasons we decided not to use Samba 4 as our back end, though we did a lot of research and analysis. You can search the archives from 2007/2008 for more details.
What you are asking for is a very appealing goal but unfortunately not something that can be easily accomplished. Serving Windows clients by a non-Windows server is a challenge. Samba 4 tries to do it and still struggles after many years of development. We would definitely look at Samba 4 again when we see it sufficiently ready, but this is not a priority for 2011.

Thanks
Dmitri

> Regards,
> - Ben
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Roland Kaeser
> Sent: Monday, January 03, 2011 19:38
> To: freeipa-devel at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>
> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is explicitly written that AD integration and Samba 3 support will be one of the features of v2. If not, it's completely unusable to me, and probably also to most other potential users. It's sad, but in most cases sysadmins have to deal with Windows machines in their network. So at the moment they only have the choice between an AD and a Samba domain (with LDAP). FreeIPA would have so much potential if it acted as a central authentication and identity management platform which connects all the different network systems together. Especially in a RHEV environment with VDI infrastructures it could be the central point for authentication, authorization and auditing. But if the current intention does not change, FreeIPA will become just another piece of unusable software which will die soon. It's very sad.
>
> Regards
>
> Roland
>
>
> ----- Original Message -----
> From: "Dmitri Pal"
> To: "Roland Käser"
> CC: freeipa-devel at redhat.com, freeipa-users at redhat.com
> Sent: Monday, 3 January 2011 14:56:03
> Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>
> Roland Kaeser wrote:
>
>> Hello
>>
>> Great, I just tested it on F-13 and it runs fine so far.
>> But I'm missing a very important feature (to me), which is: Samba support.
>>
>> Are there any plans to build Samba support into FreeIPA 2? It would be very great to have one single authentication authority without the need of installing Active Directory.
>>
>> Regards
>>
>> Roland Kaeser
>>
>
> There are no plans to integrate Samba in the way you describe. Our next goal on this path is to allow cross-Kerberos trusts (IPA v3), but supporting Windows clients natively is not something we have in mind.
> The intent, however, is to pretend that IPA is yet another AD domain. If your main domain is going to be Samba 4 instead of AD it might work without installing AD. But we do not plan to carry, install and configure Samba 4 ourselves, at least in the near future (read: a couple of years).
>
> Thank you
> Dmitri
>
>> ----- Original Message -----
>> From: "Dmitri Pal"
>> To: "freeipa-devel", ".", freeipa-interest at redhat.com
>> Sent: Thursday, 23 December 2010 09:06:58
>> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>>
>> [...]
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

--
InterSoft Networks
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11
------------------------------------------------------------------------------------------------------------------------------
Those who give up their liberty for the sake of security will in the end have neither, and do not deserve either.
(Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------

From dont at killbrad.com Tue Jan 11 15:54:51 2011
From: dont at killbrad.com (dont at killbrad.com)
Date: Tue, 11 Jan 2011 09:54:51 -0600
Subject: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0
Message-ID:

Hi all,

It seems something broke somewhere along the line when I was trying to set up Windows Sync. Please take a look at the following outputs. I can connect in both directions manually via SSL, but the actual ipa-replica-manage script seems to be pulling certs from somewhere else. The current sync between ipaserver-01 & ipaserver-02 is working fine. If anyone has any suggestions, I would be open to them. Thanks!

example.local = active directory domain
example.com = ipa realm
-----

[root@ipaserver-01 ~]# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCertCA                                                   CT,,C
AD CA cert                                                   CT,,C
ipaserver-01                                                 u,u,u

#-----
# everything looks right
#-----

[root@ipaserver-01 ~]#
[root@ipaserver-01 ~]# /usr/lib64/mozldap/ldapsearch -h adserver-01.example.local -p 636 -Z -P /etc/dirsrv/slapd-EXAMPLE-COM/cert8.db -D "passsync@example.local" -w 'notrealpassword' -s base -b "" "objectclass=*"
version: 1
dn:
currentTime: 20110111153848.0Z
...
...
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
...
...
dnsHostName: adserver-01.example.local
ldapServiceName: example.local:adserver-01$@example.local
...
...
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 3
forestFunctionality: 3
domainControllerFunctionality: 3
[root@ipaserver-01 ~]#

#-----
# good valid results for the query [reduced for clarity]
#-----

[root@ipaserver-01 ~]# ipa-replica-manage list
Directory Manager password:
unexpected error: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
[root@ipaserver-01 ~]#

#-----
# welp, it looks like something is broken somewhere..
#-----

From dont at killbrad.com Wed Jan 12 18:03:59 2011
From: dont at killbrad.com (dont at killbrad.com)
Date: Wed, 12 Jan 2011 12:03:59 -0600
Subject: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0
In-Reply-To:
References:
Message-ID:

Ok, so the ipa-server-certinstall script seems to be where things did not work as I perhaps expected them to. I manually put the certificates in the dirsrv cert db and the web interface cert db.

ipa-replica-manage uses replication.py, which declares

CACERT="/usr/share/ipa/html/ca.crt"

It looks like this is where the error is being caused. The certificate there is still the original "IPA Test Certificate Authority". If I point it to the DigiCertCA.crt (which should work), OR the AD-ca.crt file, I get the same error as originally mentioned when running 'ipa-replica-manage list'. If I comment out the CACERT variable it does as expected:

unexpected error: global name 'CACERT' is not defined

So, can someone give me some advice about where else it may be reading the certificate from, or how I can do things "the proper way" for IPA? Thanks!

On Tue, Jan 11, 2011 at 9:54 AM, dont at killbrad.com wrote:
> Hi all,
>
> It seems something broke somewhere along the line when I was trying to
> set up Windows Sync. Please take a look at the following outputs.
> [...]
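The two posts above separate the two trust stores in play: the manual test used mozldap's ldapsearch with -P, i.e. the NSS database that already holds "AD CA cert", while the ipa-replica-manage failure is a python-ldap error dict carrying an OpenSSL message, and the follow-up traced it to the single PEM file named by CACERT in replication.py. So the question to settle before editing CACERT is whether a given PEM file actually validates the certificate the AD server presents. The script below is an added example, not code from the thread or from FreeIPA: it reproduces the mismatch offline with throwaway CAs and wraps the check in one function. The CA and host names (IPA test CA, AD CA, adserver-01.example.local) are taken from the thread; the keys and certificates are generated on the spot and are assumed test data, and the function names are mine.

```shell
#!/bin/sh
# Added example (not FreeIPA code): reproduce the WinSync "certificate verify
# failed" offline and check a candidate CA file before pointing CACERT at it.
# The error dict in the thread is python-ldap's and the message inside it is
# OpenSSL's, so the chain was built from the one PEM file named by CACERT in
# replication.py, not from the NSS database that "ldapsearch -P cert8.db" used.
# Names are taken from the thread; keys and certificates are throwaway test
# data generated here, not the poster's real certificates.
set -eu

# write_cnf DIR: minimal openssl.cnf so "req" works without the system config
# and so the test CAs carry a proper CA:TRUE basic constraint.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca DIR NAME: self-signed CA certificate and key (NAME.crt / NAME.key)
make_ca() {
    write_cnf "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/openssl.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_server DIR CANAME HOST: server certificate for HOST issued by CANAME
make_server() {
    write_cnf "$1"
    openssl req -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$1/$3.crt" >/dev/null 2>&1
}

# chains_to CA.pem SERVER.pem: exit 0 if SERVER.pem validates against the
# CA(s) in CA.pem, 1 otherwise. This is the chain check OpenSSL performs for
# the CACERT file, minus the hostname match.
chains_to() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "OK:   $2 chains to $1"
    else
        echo "FAIL: $2 does not chain to $1 (this is 'certificate verify failed')"
        return 1
    fi
}

# demo: the IPA test CA still sitting in /usr/share/ipa/html/ca.crt versus the
# CA that issued the AD domain controller's LDAPS certificate.
demo() {
    d=$(mktemp -d)
    make_ca "$d" IPA-Test-CA
    make_ca "$d" AD-CA
    make_server "$d" AD-CA adserver-01.example.local
    chains_to "$d/IPA-Test-CA.crt" "$d/adserver-01.example.local.crt" || true
    chains_to "$d/AD-CA.crt" "$d/adserver-01.example.local.crt"
    rm -rf "$d"
}

demo
```

Against the real servers the same check is `certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM -n "AD CA cert" -a > /tmp/ad-ca.pem` to export the CA the NSS database trusts, then `openssl s_client -connect adserver-01.example.local:636 -CAfile /tmp/ad-ca.pem < /dev/null`, which should end with `Verify return code: 0 (ok)`. If the domain controller presents an intermediate, the PEM handed to CACERT has to contain the intermediate as well as the root, because `-CAfile` is the only material OpenSSL has to complete the chain.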
From ide4you at gmail.com Wed Jan 12 18:58:31 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Wed, 12 Jan 2011 13:58:31 -0500
Subject: [Freeipa-users] Unable to change Admin password
Message-ID:

Hello List

We are having a problem with changing/resetting passwords. Even the admin password cannot be changed. During login, users with expired passwords are warned that their password has expired and forced to change their password. But when they type the new password, the operation fails with the error "Authentication token manipulation error".

When I tried to change the admin krb5 password from the ipa-server I got the following error:
"Cannot contact any KDC for requested realm while getting initial credentials"

That's surprising because the KDC hostname resolves properly.

This is what's in the krb5kdc.log each time:

Jan 12 13:30:27 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857027, etypes {rep=18 tkt=18 ses=18}, admin@MYCOMPANY.COM for kadmin/changepw@MYCOMPANY.COM
Jan 12 13:30:39 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: NEEDED_PREAUTH: kadmin/changepw@MYCOMPANY.COM for krbtgt/MYCOMPANY.COM@UZDOMAIN.CA, Additional pre-authentication required
Jan 12 13:30:40 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857040, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYCOMPANY.COM for krbtgt/MYCOMPANY.COM@UZDOMAIN.CA

The server is freeipa-2.0-beta and the O/S is Fedora 13.

Any help will be greatly appreciated.

Thanks
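In the krb5kdc.log lines posted above, the second and third requests are made by kadmin/changepw@MYCOMPANY.COM for krbtgt/MYCOMPANY.COM@UZDOMAIN.CA, that is, for a TGT in realm UZDOMAIN.CA rather than MYCOMPANY.COM; a client trying to reach a realm it has no KDC configured for is one ordinary way to get "Cannot contact any KDC for requested realm", so that mismatch is worth checking first. As an added example (not from the thread or from FreeIPA), the scanner below pulls exactly that out of a KDC log, plus a second thing a KDC admin usually wants to see at the same time: clients still offering DES/RC4 enctypes, which the posted list `{18 17 16 23 1 3 2}` does. The sample lines are constructed to match the posted format with the archive's " at " restored to "@"; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: scan krb5kdc.log AS_REQ lines for what
# stands out in the posted log, a service principal in a different realm than
# the client (krbtgt/MYCOMPANY.COM@UZDOMAIN.CA asked for by a MYCOMPANY.COM
# principal), and clients still offering DES/RC4 enctypes (1, 2, 3, 23, 24).
# On a real server: realm_mismatches < /var/log/krb5kdc.log
set -eu

# Constructed sample in the real log format (the archive rewrote '@' as ' at ').
SAMPLE_LOG='Jan 12 13:30:27 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857027, etypes {rep=18 tkt=18 ses=18}, admin@MYCOMPANY.COM for kadmin/changepw@MYCOMPANY.COM
Jan 12 13:30:39 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: NEEDED_PREAUTH: kadmin/changepw@MYCOMPANY.COM for krbtgt/MYCOMPANY.COM@UZDOMAIN.CA, Additional pre-authentication required
Jan 12 13:30:40 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857040, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYCOMPANY.COM for krbtgt/MYCOMPANY.COM@UZDOMAIN.CA'

# realm_mismatches: reads log lines on stdin and prints
#   "IP STATUS client -> service"
# for every AS_REQ whose client realm (after the client's '@') differs from
# the service realm (after the service principal's '@').
realm_mismatches() {
    awk '/ AS_REQ / {
        ip = ""; status = ""
        for (i = 1; i <= NF; i++) {
            # the client-offered etype list ends in "})", then come IP: and STATUS:
            if ($i ~ /[}][)]$/) {
                ip = $(i + 1); sub(/:$/, "", ip)
                status = $(i + 2); sub(/:$/, "", status)
            }
            if ($i == "for") {
                c = $(i - 1); s = $(i + 1); sub(/,$/, "", s)
                n = split(c, ca, "@"); m = split(s, sa, "@")
                if (ca[n] != sa[m]) print ip, status, c, "->", s
            }
        }
    }'
}

# weak_enctypes: reads log lines on stdin and prints "IP offers weak enctypes: ..."
# when the client-offered list (the first "etypes {...}") contains DES or RC4.
weak_enctypes() {
    awk '/ AS_REQ / {
        s = $0; sub(/^.*AS_REQ [(][0-9]+ etypes [{]/, "", s); sub(/[}].*$/, "", s)
        n = split(s, e, " "); weak = ""
        for (i = 1; i <= n; i++)
            if (e[i] == "1" || e[i] == "2" || e[i] == "3" || e[i] == "23" || e[i] == "24")
                weak = weak " " e[i]
        if (weak != "") {
            ip = $0; sub(/^.*[}][)] /, "", ip); sub(/:.*$/, "", ip)
            print ip, "offers weak enctypes:" weak
        }
    }'
}

echo "== AS_REQ with client/service realm mismatch =="
printf '%s\n' "$SAMPLE_LOG" | realm_mismatches
echo "== clients offering DES/RC4 =="
printf '%s\n' "$SAMPLE_LOG" | weak_enctypes
```

The realm check only looks at the two principals on each AS_REQ line, so it is cheap to run over a whole log; anything it prints should be matched against the [realms] and [domain_realm] sections of the client's krb5.conf, since a stray mapping there is what sends a password change to the wrong realm.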
From ssorce at redhat.com Wed Jan 12 19:16:38 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 12 Jan 2011 14:16:38 -0500
Subject: [Freeipa-users] Unable to change Admin password
In-Reply-To:
References:
Message-ID: <20110112141638.10fab88b@willson.li.ssimo.org>

On Wed, 12 Jan 2011 13:58:31 -0500
Uzor Ide wrote:

> Hello List
>
> We are having problem with changing/resetting password. Even the admin
> password cannot be changed. During login users with expired
> passwords are warned that their password has expired and forced to
> change their password. But when they type the new password, the operation
> fails with error "Authentication token manipulation error"
>
> When I tried to change the admin krb5 password from the ipa-server I
> got the following error
> "Cannot contact any KDC for requested realm while getting initial
> credentials"
>
> That's surprising because the KDC hostname resolves properly.
>
> This is what's in the krb5kdc.log each time
>
> Jan 12 13:30:27 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857027,
> etypes {rep=18 tkt=18 ses=18}, admin@MYCOMPANY.COM for kadmin/
> changepw@MYCOMPANY.COM
> Jan 12 13:30:39 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.12: NEEDED_PREAUTH: kadmin/
> changepw@MYCOMPANY.COM for krbtgt/MYCOMPANY.COM@UZDOMAIN.CA,
> Additional pre-authentication required
> Jan 12 13:30:40 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857040,
> etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYCOMPANY.COM for
> krbtgt/MYCOMPANY.COM@UZDOMAIN.CA
>
> The server is freeipa-2.0-beta and O/S is fedora 13
>
> Any help will be greatly appreciated

Is ipa_kpasswd running ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From ide4you at gmail.com Wed Jan 12 20:02:14 2011
From: ide4you at gmail.com (ide4you at gmail.com)
Date: Wed, 12 Jan 2011 20:02:14 +0000
Subject: [Freeipa-users] Unable to change Admin password
In-Reply-To: <20110112141638.10fab88b@willson.li.ssimo.org>
References: <20110112141638.10fab88b@willson.li.ssimo.org>
Message-ID: <1194306040-1294862536-cardhu_decombobulator_blackberry.rim.net-2058480114-@bda056.bisx.prod.on.blackberry>

Yes, ipa_kpasswd is running.

Sent on the TELUS Mobility network with BlackBerry

-----Original Message-----
From: Simo Sorce
Sender: freeipa-users-bounces at redhat.com
Date: Wed, 12 Jan 2011 14:16:38
To:
Subject: Re: [Freeipa-users] Unable to change Admin password

On Wed, 12 Jan 2011 13:58:31 -0500
Uzor Ide wrote:

> [...]

Is ipa_kpasswd running ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From geerten at schram.name Wed Jan 12 22:45:21 2011
From: geerten at schram.name (Geerten Schram)
Date: Wed, 12 Jan 2011 23:45:21 +0100
Subject: [Freeipa-users] ipa-server-install fails
Message-ID: <201101122345.21824.geerten@schram.name>

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipaserver-install.log). I just don't get it. When I run the pkisilent command by hand I get

"#######################################################################
Unrecognized argument: Manager
Use -help for help information

#######################################################################"

The only "Manager" comes from the built-in bind_dn, so I guess that's not the problem. Does someone have a clue?

Regards,

Geerten Schram

-------------- next part --------------
[root@freeipa ~]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form .
Example: master.example.com.

Server host name [freeipa.schram.name]:

The domain name has been calculated based on the host name.

Please confirm the domain name [schram.name]:

The IPA Master Server will be configured with
Hostname:    freeipa.schram.name
IP address:  10.1.128.52
Domain name: schram.name

The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The set up procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [SCHRAM.NAME]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: restarting certificate server
  [4/16]: configuring certificate server instance
root        : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname freeipa.schram.name -cs_port 9445 -client_certdb_dir /tmp/tmp-OWsgTC -client_certdb_pwd 'XXXXXXXX' -preop_pin RETsCSZH3uQHqlnk1GYU -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=SCHRAM.NAME" -ldap_host freeipa.schram.name -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=SCHRAM.NAME" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=SCHRAM.NAME" -ca_server_cert_subject_name "CN=freeipa.schram.name,O=SCHRAM.NAME" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=SCHRAM.NAME" -ca_sign_cert_subject_name "CN=Certificate Authority,O=SCHRAM.NAME" -external false -clone false' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
Configuration of CA failed
-------------- next part --------------
A non-text attachment was
scrubbed...
Name: ipaserver-install.log
Type: text/x-log
Size: 18894 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Jan 12 22:53:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Jan 2011 17:53:10 -0500
Subject: [Freeipa-users] ipa-server-install fails
In-Reply-To: <201101122345.21824.geerten@schram.name>
References: <201101122345.21824.geerten@schram.name>
Message-ID: <4D2E30D6.8030506@redhat.com>

Geerten Schram wrote:
> Hi All,
>
> When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get
> an error (see list1 and ipaserver-install.log). I just don't get it. When I run
> the pkisilent command by hand I get
>
> "#######################################################################
> Unrecognized argument: Manager
> Use -help for help information
>
> #######################################################################"
>
> The only "Manager" comes from the built-in bind_dn, so I guess that's not the
> problem. Does someone have a clue?
>
> Regards,
>
> Geerten Schram

You would need to escape any spaces to try pasting the command on the command-line.

What version of pki-ca and pki-silent do you have installed?

You might also want to look at /var/log/pki-ca/debug for perhaps more details.

rob

From dpal at redhat.com Thu Jan 13 03:02:59 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 12 Jan 2011 22:02:59 -0500
Subject: [Freeipa-users] ipa-server-install fails
In-Reply-To: <201101122345.21824.geerten@schram.name>
References: <201101122345.21824.geerten@schram.name>
Message-ID: <4D2E6B63.7090900@redhat.com>

Geerten Schram wrote:
> Hi All,
>
> When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get
> an error (see list1 and ipaserver-install.log). I just don't get it. When I run
> the pkisilent command by hand I get
> [...]

This is the same issue I was hitting when I was testing the beta, and the workaround with the links to the Java jars described in the release notes fixed this issue.
The latest devel repository has this fixed. You might try installing from there.
http://jdennis.fedorapeople.org/ipa-devel/
Make sure you also have updates-testing enabled, since some other packages we depend on have been fixed in recent weeks.

Just started; the package install will take a while since many packages changed in the last couple of weeks.
Will let you know if I see any issues with today's build.

Thanks
Dmitri

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Jan 13 03:17:11 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 12 Jan 2011 22:17:11 -0500
Subject: [Freeipa-users] ipa-server-install fails
In-Reply-To: <4D2E6B63.7090900@redhat.com>
References: <201101122345.21824.geerten@schram.name> <4D2E6B63.7090900@redhat.com>
Message-ID: <4D2E6EB7.5010303@redhat.com>

Dmitri Pal wrote:
> Geerten Schram wrote:
>> [...]
>
> This is the same issue I was hitting when I was testing the beta, and the
> workaround with the links to the Java jars described in the release notes
> fixed this issue.
> [...]
> Just started; the package install will take a while since many packages
> changed in the last couple of weeks.
> Will let you know if I see any issues with today's build.

Yes, it installed fine with all defaults. I will play with it more later today.

> Thanks
> Dmitri

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jeffb.list at gmail.com Thu Jan 13 03:38:53 2011
From: jeffb.list at gmail.com (Jeff B)
Date: Wed, 12 Jan 2011 22:38:53 -0500
Subject: [Freeipa-users] ipa-server-install fails
In-Reply-To: <4D2E6B63.7090900@redhat.com>
References: <201101122345.21824.geerten@schram.name> <4D2E6B63.7090900@redhat.com>
Message-ID:

The build right now is the first time I've been able to get everything(?) working, including the UI. So grab it quick! :D I was updating yesterday evening and all day today and ran into all kinds of issues that came and went with today's checkins.

On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal wrote:
> Geerten Schram wrote:
>> [...]
>
> This is the same issue I was hitting when I was testing the beta, and the
> workaround with the links to the Java jars described in the release notes
> fixed this issue.
> The latest devel repository has this fixed. You might try installing
> from there.
> http://jdennis.fedorapeople.org/ipa-devel/
> [...]

From dpal at redhat.com Thu Jan 13 05:40:30 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 13 Jan 2011 00:40:30 -0500
Subject: [Freeipa-users] ipa-server-install fails
In-Reply-To:
References: <201101122345.21824.geerten@schram.name> <4D2E6B63.7090900@redhat.com>
Message-ID: <4D2E904E.1000608@redhat.com>

Jeff B wrote:
> The build right now is the first time I've been able to get
> everything(?) working including the UI. So grab it quick! :D I was
> updating yesterday evening and all day today and ran into all kinds of
> issues that came and went with today's checkins.
>

Sorry. It will get better. We are really working hard to make it a first-class product. We are not there yet, but we are getting there from all sorts of directions at the same time.

Thanks,
Dmitri

> On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal wrote:
>> Geerten Schram wrote:
>>> [...]
>> [...]

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jeffb.list at gmail.com Thu Jan 13 14:53:29 2011
From: jeffb.list at gmail.com (Jeff B)
Date: Thu, 13 Jan 2011 09:53:29 -0500
Subject: [Freeipa-users] ipa-server-install fails
In-Reply-To: <4D2E904E.1000608@redhat.com>
References: <201101122345.21824.geerten@schram.name> <4D2E6B63.7090900@redhat.com> <4D2E904E.1000608@redhat.com>
Message-ID:

Dmitri, I didn't mean it as an insult. Yes, it was unstable, very unstable for 24 hours, but also a ton of work was done in that time frame. I'm just starting to evaluate IPA and I found it encouraging that bugs got fixed quickly. I'd only suggest rolling pre2, since it seems that ipa-server-install is broken for more than just me and my environment.
-Jeff

On Thu, Jan 13, 2011 at 12:40 AM, Dmitri Pal wrote:
> Jeff B wrote:
>> The build right now is the first time I've been able to get
>> everything(?) working including the UI. So grab it quick! :D I was
>> updating yesterday evening and all day today and ran into all kinds of
>> issues that came and went with today's checkins.
>>
>
> Sorry. It will get better.
> We really working hard to make it a first class product. We are not
> there yet but we are coming there from all sorts of directions at the
> same time.
>
> Thanks,
> Dmitri
>> On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal wrote:
>>> [...]


From dpal at redhat.com Thu Jan 13 16:07:37 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 13 Jan 2011 11:07:37 -0500
Subject: [Freeipa-users] ipa-server-install fails
References: <201101122345.21824.geerten@schram.name> <4D2E6B63.7090900@redhat.com> <4D2E904E.1000608@redhat.com>
Message-ID: <4D2F2349.9010901@redhat.com>

Jeff B wrote:
> Dimitri,
>
> I didn't mean it to be an insult.

Oh no, do not take me wrong. I just understand your pain and feel guilty.

> yes it was unstable, very unstable
> for 24 hours. but also a ton of work was done in that time frame. I'm
> just starting to evaluate IPA and I found it encouraging that bugs got
> fixed quickly. I'd only suggest rolling pre2 since it seems that
> ipa-server-install is broken for more than just me and my environment.
>

We will try...

> -Jeff
>
> On Thu, Jan 13, 2011 at 12:40 AM, Dmitri Pal wrote:
>> [...]

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


From aravind.gv at gmail.com Fri Jan 14 09:38:44 2011
From: aravind.gv at gmail.com (Aravind GV)
Date: Fri, 14 Jan 2011 15:08:44 +0530
Subject: [Freeipa-users] ipa-replica-manage command fails while Setting up Windows Sync on the IPA Server V2

Hi

I'm trying to set up password/identity sync to the FreeIPA V2 server from a Windows 2003R2 SP2 server to a Fedora 14. According to the installation document on the FreeIPA website [ http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ ], the ipa-replica-manage add option is no longer there; if I use the connect option I get the error below. There is not much in the logs to troubleshoot. Please help me to resolve this issue.
[root@fedora ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD --cacert /root/bgkerb.cer bgkerb.test02.com -v --passsync asd312ASD
Directory Manager password:
INFO:root:args=/sbin/service dirsrv stop
INFO:root:stdout=Shutting down dirsrv:
    AGV-COM...[  OK  ]
    PKI-IPA...[  OK  ]

INFO:root:stderr=
unexpected error: DsInstance instance has no attribute 'subject_base'

--
----------------------------
With Best Regards
Aravind G V
Ph-9880346065
"I want it all,
That's why I strive for it,
I know that it's coming" - Drake from "Successful"


From jhrozek at redhat.com Fri Jan 14 10:15:23 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 14 Jan 2011 11:15:23 +0100
Subject: [Freeipa-users] ipa-replica-manage command fails while Setting up Windows Sync on the IPA Server V2
Message-ID: <20110114101522.GA17525@zeppelin.brq.redhat.com>

On Fri, Jan 14, 2011 at 03:08:44PM +0530, Aravind GV wrote:
> Hi
>
> I'm trying to set up password/identity sync to the FreeIPA V2 server from a
> Windows 2003R2 SP2 server to a Fedora 14.
> [...]
> INFO:root:stderr=
> unexpected error: DsInstance instance has no attribute 'subject_base'
>

Hi,

The full Python exception can be found in /var/log/ipareplica-install.log.
Can you post the last couple of lines with the traceback?

Thank you,
Jakub


From rcritten at redhat.com Fri Jan 14 14:19:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Jan 2011 09:19:21 -0500
Subject: [Freeipa-users] certmonger selinux issue and freeipa dns database error problem
Message-ID: <4D305B69.2090007@redhat.com>

Uzor Ide wrote:
>
> We have a network that relies on kerberos, 389-ds, bind and nfs4. I am
> currently testing out the freeipa version 2 to see if we can use it to
> consolidate the various configuration into one interface. For the most
> part it works great apart from the obvious area where it has not been
> completed. However there are somethings that I have noticed.
>
> 1.) The DNS logging always logs database error every time it access the
> ldap. even though the query returns okay and the dns reply is fine.
>
> here is an excerpt of the log named.run
>
> 24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving 'www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised EDNS UDP packet size to 512 octets
> 24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:34:41.143 database: error: entry count: 1
> 24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:39:43.586 database: error: entry count: 1
> 24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>
> here is our logging configuration
>
> // *******************
> // Logging definitions
> // *******************
>
> // Logging
> logging {
>     channel "named_log" {
>         file "data/log/named.run" versions 5 size 4m;
>         severity dynamic;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>
>     channel "security_log" {
>         file "data/log/security.log" versions 5 size 10m;
>         severity dynamic;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>
>     channel "query_log" {
>         file "data/log/query.log" versions 5 size 50m;
>         #severity dynamic;
>         severity debug;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>
>     channel "transfer_log" {
>         file "data/log/transfer.log" versions 5 size 10m;
>         severity dynamic;
>         print-category yes;
>         print-severity yes;
>     };
>
>     category "default" {
>         "named_log";
>         "default_syslog";
>         "default_debug";
>     };
>
>     category "general" {
>         "named_log";
>     };
>
>     category "queries" {
>         "query_log";
>     };
>
>     category "lame-servers" {
>         null;
>     };
>
>     category "security" {
>         "security_log";
>     };
>
>     category "config" {
>         "named_log";
>     };
>
>     category "resolver" {
>         "query_log";
>     };
>
>     category "xfer-in" {
>         "transfer_log";
>     };
>
>     category "xfer-out" {
>         "transfer_log";
>     };
>
>     category "notify" {
>         "transfer_log";
>     };
>
>     category "client" {
>         "query_log";
>     };
>
>     category "network" {
>         "named_log";
>     };
>
>     category "update" {
>         "transfer_log";
>     };
>
>     category "dnssec" {
>         "security_log";
>     };
>
>     category "dispatch" {
>         "security_log";
>     };
> };
>
> This error message keeps triggering our monitoring systems.

This has been fixed in bug https://bugzilla.redhat.com/show_bug.cgi?id=656454.
It should show up as bind-dyndb-ldap-0.2.0-1.fc14 in the Fedora
updates-testing repo in the next day or so.

rob


From ssorce at redhat.com Mon Jan 17 19:10:37 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 17 Jan 2011 14:10:37 -0500
Subject: [Freeipa-users] Unable to change Admin password
In-Reply-To: <1194306040-1294862536-cardhu_decombobulator_blackberry.rim.net-2058480114-@bda056.bisx.prod.on.blackberry>
References: <20110112141638.10fab88b@willson.li.ssimo.org> <1194306040-1294862536-cardhu_decombobulator_blackberry.rim.net-2058480114-@bda056.bisx.prod.on.blackberry>
Message-ID: <20110117141037.2d8993f7@willson.li.ssimo.org>

On Wed, 12 Jan 2011 20:02:14 +0000
ide4you at gmail.com wrote:

> Yes ipa_kpasswd is running.
>
>
> Sent on the TELUS Mobility network with BlackBerry

Can you check it was able to bind to udp ports ?

I just noticed it wasn't able to in my fedora 14, and posted a patch.

Simo.
--
Simo Sorce * Red Hat, Inc * New York


From ssorce at redhat.com Mon Jan 17 19:13:14 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 17 Jan 2011 14:13:14 -0500
Subject: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0
Message-ID: <20110117141314.2a80a513@willson.li.ssimo.org>

On Wed, 12 Jan 2011 12:03:59 -0600
"dont at killbrad.com" wrote:

> Ok, so the ipa-server-certinstall script seems to be where things did
> not work as I perhaps expected them to.
>
> I manually put the certificates in the dirsrv cert db, and the web
> interface cert db. The ipa-replica-manage uses replication.py, which
> is declaring
>
> CACERT="/usr/share/ipa/html/ca.crt"
>
> It looks like this is where the error is being caused. The
> certification there is still the original "IPA Test Certificate
> Authority". If I point it to the DigiCertCA.crt (which should work),
> OR the AD-ca.crt file, I get the same error as originally mentioned
> when running 'ipa-replica-manage list'. If I comment out the CACERT
> variable it does as expected: unexpected error: global name 'CACERT'
> is not defined
>
> So, can someone give me some advice about where else it may be
> reading the certificate from, or how I can do things "the proper way"
> for IPA?

/etc/ipa/ca.crt is another place where the cert can be found.

but for winsync you can pass the cacert on the command line, have you
tried that ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York


From geerten at schram.name Mon Jan 17 23:47:33 2011
From: geerten at schram.name (Geerten Schram)
Date: Tue, 18 Jan 2011 00:47:33 +0100
Subject: [Freeipa-users] ipa-server-install fails
In-Reply-To: <4D2E6EB7.5010303@redhat.com>
References: <201101122345.21824.geerten@schram.name> <4D2E6B63.7090900@redhat.com> <4D2E6EB7.5010303@redhat.com>
Message-ID: <201101180047.34231.geerten@schram.name>

On Thursday 13 January 2011 04:17:11 Dmitri Pal wrote:
> Dmitri Pal wrote:
> > Geerten Schram wrote:
> >> [...]
> >
> > This is the same issue I was hitting when I was testing beta and the
> > workaround with the links to java jars described in the release notes
> > fixed this issue.
> > The latest devel repository has this fixed. You might try installing
> > from there.
> > http://jdennis.fedorapeople.org/ipa-devel/
> > Make sure you also have updates testing enabled since some other
> > packages we depend on have been fixed in the recent weeks.
> > [...]
>
> Yes it installed fine with all defaults.
> I will play with it more later today.

Indeed it does. Works very nicely with the ipa-devel + update-devel repos.
Thank you for your help!
> > > Thanks
> > > Dmitri

Regards,

Geerten


From heco0701 at stcloudstate.edu Tue Jan 18 21:32:37 2011
From: heco0701 at stcloudstate.edu (Corey Hemminger)
Date: Tue, 18 Jan 2011 15:32:37 -0600
Subject: [Freeipa-users] ipa-server-install fails

How do I add the updates-devel repo to Fedora? I'm having issues with
Fedora 14 and IPA 2.0 beta 1 installing. I added the bleeding edge repo
for IPA and updates-testing for Fedora, but I still get errors during the
CA authority portion of the install.

Corey

On Jan 18, 2011, at 11:00 AM, "freeipa-users-request at redhat.com" wrote:
> Send Freeipa-users mailing list submissions to
> freeipa-users at redhat.com
> [...]
>
> Today's Topics:
>
>    1. Re: Unable to change Admin password (Simo Sorce)
>    2. Re: certificate verify failed - WinSync strangeness -
>       ipa-server-1.2.2-0 (Simo Sorce)
>    3. Re: ipa-server-install fails (Geerten Schram)
>
> [...]
>
> End of Freeipa-users Digest, Vol 30, Issue 9
> ********************************************


From jdennis at redhat.com Tue Jan 18 21:44:16 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 18 Jan 2011 16:44:16 -0500
Subject: [Freeipa-users] ipa-server-install fails
Message-ID: <4D3609B0.5070804@redhat.com>

On 01/18/2011 04:32 PM, Corey Hemminger wrote:
> How do I add the updates-devel repo to fedora. I'm having issues with
> fedora 14 and ipa 2.0 beta 1 installing. I added the bleeding edge
> repo for ipa and updates-testing for fedora but I still get errors
> during the ca authority portion of the install.
>
> Corey

Hi Corey:

That doesn't give us much information to go on. Could you please tell us
what the errors are?

It would also help to know the versions of a couple of the key packages, e.g.

$ rpm -q ipa-server-install pki-ca

After you enabled the repos did you do a yum upgrade?

To enable updates-devel edit /etc/yum.repos.d/fedora-updates.repo and make
sure the enabled value is 1, e.g.

enabled=1

--
John Dennis


From aravind.gv at gmail.com Wed Jan 19 07:22:54 2011
From: aravind.gv at gmail.com (Aravind GV)
Date: Wed, 19 Jan 2011 12:52:54 +0530
Subject: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

Hi All

Please help me in adding a synchronization agreement. I followed ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/ ) but the example given in 4.4. Creating Synchronization Agreements is not correct. There is no add option in the ipa-replica-manage command any more. After googling, it was suggested to use connect instead of add.
This command worked, but it stopped the directory server and throws the following errors. Jakub Hrozek suggested getting the logs from /var/log/ipareplica-install.log, but this file is not created at all; only ipaclient-install.log and ipaserver-install.log exist, and in those there is no reference to the ipa-replica-manage command. I have installed IPA v2 from the http://jdennis.fedorapeople.org repo.

[root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD --cacert /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD
INFO:root:args=/sbin/service dirsrv stop
INFO:root:stdout=Shutting down dirsrv:
    AGV-COM...[  OK  ]
    PKI-IPA...[  OK  ]

INFO:root:stderr=
unexpected error: DsInstance instance has no attribute 'subject_base'

Regards,
AGV

On Fri, Jan 14, 2011 at 10:30 PM, wrote:
> Send Freeipa-users mailing list submissions to
> freeipa-users at redhat.com
> [...]
>
> Today's Topics:
>
>    1. ipa-replica-manage command fails while Setting up Windows
>       Sync on the IPA Server V2 (Aravind GV)
>    2. Re: ipa-replica-manage command fails while Setting up Windows
>       Sync on the IPA Server V2 (Jakub Hrozek)
>    3. Re: certmonger selinux issue and freeipa dns database error
>       problem (Rob Crittenden)
>
> [...]
after reducing the advertised EDNS UDP packet > > size to 512 octets > > 24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad, > > idnsname=uzdomain.ca ,cn=dns,dc=uzdomain,dc=ca' with > > '(objectClass=idnsRecord)' > > 24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca > > ,cn=dns,dc=uzdomain,dc=ca' with > > '(objectClass=idnsRecord)' > > 24-Oct-2010 10:34:41.143 database: error: entry count: 1 > > 24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad, > > idnsname=uzdomain.ca ,cn=dns,dc=uzdomain,dc=ca' with > > '(objectClass=idnsRecord)' > > 24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad, > > idnsname=uzdomain.ca ,cn=dns,dc=uzdomain,dc=ca' with > > '(objectClass=idnsRecord)' > > 24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=uzdomain.ca > > ,cn=dns,dc=uzdomain,dc=ca' with > > '(objectClass=idnsRecord)' > > 24-Oct-2010 10:39:43.586 database: error: entry count: 1 > > 24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad, > > idnsname=uzdomain.ca ,cn=dns,dc=uzdomain,dc=ca' with > > '(objectClass=idnsRecord)' > > > > here is our logging configuration > > > > // ******************* > > // Logging definitions > > // ******************* > > > > // Logging > > logging { > > channel "named_log" { > > file "data/log/named.run" versions 5 size 4m; > > severity dynamic; > > print-category yes; > > print-severity yes; > > print-time yes; > > }; > > > > channel "security_log" { > > file "data/log/security.log" versions 5 size 10m; > > severity dynamic; > > print-category yes; > > print-severity yes; > > print-time yes; > > }; > > > > channel "query_log" { > > file "data/log/query.log" versions 5 size 50m; > > #severity dynamic; > > severity debug; > > print-category yes; > > print-severity yes; > > print-time yes; > > }; > > > > channel "transfer_log" { > > file "data/log/transfer.log" versions 5 size 10m; > > severity dynamic; > > print-category yes; > > print-severity yes; > > }; > > 
> > category "default" { > > "named_log"; > > "default_syslog"; > > "default_debug"; > > }; > > > > category "general" { > > "named_log"; > > }; > > > > category "queries" { > > "query_log"; > > }; > > > > category "lame-servers" { > > null; > > }; > > > > category "security" { > > "security_log"; > > }; > > > > category "config" { > > "named_log"; > > }; > > > > category "resolver" { > > "query_log"; > > }; > > > > category "xfer-in" { > > "transfer_log"; > > }; > > > > category "xfer-out" { > > "transfer_log"; > > }; > > > > category "notify" { > > "transfer_log"; > > }; > > > > category "client" { > > "query_log"; > > }; > > > > category "network" { > > "named_log"; > > }; > > > > category "update" { > > "transfer_log"; > > }; > > > > category "dnssec" { > > "security_log"; > > }; > > > > category "dispatch" { > > "security_log"; > > }; > > }; > > > > This error message keeps triggering our monitoring systems. > > This has been fixed in bug > https://bugzilla.redhat.com/show_bug.cgi?id=656454. It should show up as > bind-dyndb-ldap-0.2.0-1.fc14 in the Fedora updates-testing repo in the > next day or so. > > rob > > > > ------------------------------ > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > End of Freeipa-users Digest, Vol 30, Issue 8 > ******************************************** > -- ---------------------------- With Best Regards Aravind G V Ph-9880346065 "I want it all, That's why I strive for it, I know that it's coming" - Drake from "Successful" -------------- next part -------------- An HTML attachment was scrubbed... 
From ssorce at redhat.com Wed Jan 19 14:28:45 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 09:28:45 -0500
Subject: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
In-Reply-To:
References:
Message-ID: <20110119092845.62b8b93f@willson.li.ssimo.org>

On Wed, 19 Jan 2011 12:52:54 +0530
Aravind GV wrote:

> Hi All
>
> Please help me in adding a synchronization agreement. I followed (
> http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/)
> but the example given in 4.4. Creating Synchronization Agreements is
> not correct. There is no longer an add option in the ipa-replica-manage
> command. After googling, they suggested I use connect instead of
> add. This command worked, but it stopped the directory server and throws the
> following errors. Jakub Hrozek suggested I get logs
> from /var/log/ipareplica-install.log. But this file is not
> created at all; only ipaclient-install.log and ipaserver-install.log are the two
> files, and in them there is no reference to the ipa-replica-manage command.
>
> I have installed ipa v2 from the http://jdennis.fedorapeople.org repo.
>
> [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
> CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD --cacert
> /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD
> INFO:root:args=/sbin/service dirsrv stop
> INFO:root:stdout=Shutting down dirsrv:
>     AGV-COM...[  OK  ]
>     PKI-IPA...[  OK  ]
>
> INFO:root:stderr=
> unexpected error: DsInstance instance has no attribute 'subject_base'

I have opened ticket 807[1] to track this.
Would you be available to test a patch ?

Simo.

[1] https://fedorahosted.org/freeipa/ticket/807

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Wed Jan 19 14:59:20 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 09:59:20 -0500
Subject: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
In-Reply-To: <20110119092845.62b8b93f@willson.li.ssimo.org>
References: <20110119092845.62b8b93f@willson.li.ssimo.org>
Message-ID: <20110119095920.42a8627e@willson.li.ssimo.org>

On Wed, 19 Jan 2011 09:28:45 -0500
Simo Sorce wrote:

> On Wed, 19 Jan 2011 12:52:54 +0530
> Aravind GV wrote:
>
> > Hi All
> >
> > Please help me in adding a synchronization agreement. I followed (
> > http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/)
> > but the example given in 4.4. Creating Synchronization Agreements
> > is not correct. There is no longer an add option in the ipa-replica-manage
> > command. After googling, they suggested I use connect instead of
> > add. This command worked, but it stopped the directory server and throws the
> > following errors. Jakub Hrozek suggested I get logs
> > from /var/log/ipareplica-install.log. But this file is not
> > created at all; only ipaclient-install.log and ipaserver-install.log are the
> > two files, and in them there is no reference to the ipa-replica-manage
> > command.
> >
> > I have installed ipa v2 from the http://jdennis.fedorapeople.org repo.
> >
> > [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
> > CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD
> > --cacert /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD
> > INFO:root:args=/sbin/service dirsrv stop
> > INFO:root:stdout=Shutting down dirsrv:
> >     AGV-COM...[  OK  ]
> >     PKI-IPA...[  OK  ]
> >
> > INFO:root:stderr=
> > unexpected error: DsInstance instance has no attribute
> > 'subject_base'
>
>
> I have opened ticket 807[1] to track this.
> Would you be available to test a patch ?
>
> Simo.
>
> [1] https://fedorahosted.org/freeipa/ticket/807
>

Can you test this patch and see if it solves your issue completely ?

You should be able to manually fix it without having to redo the whole
install by simply editing the dsinstance.py file and adding the line you
see in the patch.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0062-Initialize-subject_base-by-default.patch
Type: text/x-patch
Size: 960 bytes
Desc: not available
URL:

From aravind.gv at gmail.com Wed Jan 19 16:52:45 2011
From: aravind.gv at gmail.com (Aravind GV)
Date: Wed, 19 Jan 2011 22:22:45 +0530
Subject: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
In-Reply-To: <20110119095920.42a8627e@willson.li.ssimo.org>
References: <20110119092845.62b8b93f@willson.li.ssimo.org>
        <20110119095920.42a8627e@willson.li.ssimo.org>
Message-ID:

Hi Simo,

Thanks for responding to my email. I updated
/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py with the
patch, i.e. added the extra line self.subject_base = None

Now I am getting a different error

[root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --cacert /root/bgkerb.cer bgkerb.test02.com --passsync asd312ASD --bindpw asd312ASD -v
Directory Manager password:
INFO:root:args=/sbin/service dirsrv stop
INFO:root:stdout=Shutting down dirsrv:
    AGV-COM...[  OK  ]
    PKI-IPA...[  OK  ]

INFO:root:stderr=
unexpected error: 'Env' object has no attribute 'ra_plugin'

Regards,
AGV

On Wed, Jan 19, 2011 at 8:29 PM, Simo Sorce wrote:

> On Wed, 19 Jan 2011 09:28:45 -0500
> Simo Sorce wrote:
>
> > On Wed, 19 Jan 2011 12:52:54 +0530
> > Aravind GV wrote:
> >
> > > Hi All
> > >
> > > Please help me in adding a synchronization agreement. I followed (
> > > http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/)
> > > but the example given in 4.4. Creating Synchronization Agreements
> > > is not correct. There is no longer an add option in the ipa-replica-manage
> > > command. After googling, they suggested I use connect instead of
> > > add. This command worked, but it stopped the directory server and throws the
> > > following errors. Jakub Hrozek suggested I get logs
> > > from /var/log/ipareplica-install.log. But this file is not
> > > created at all; only ipaclient-install.log and ipaserver-install.log are the
> > > two files, and in them there is no reference to the ipa-replica-manage
> > > command.
> > >
> > > I have installed ipa v2 from the http://jdennis.fedorapeople.org repo.
> > >
> > > [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
> > > CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD
> > > --cacert /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD
> > > INFO:root:args=/sbin/service dirsrv stop
> > > INFO:root:stdout=Shutting down dirsrv:
> > >     AGV-COM...[  OK  ]
> > >     PKI-IPA...[  OK  ]
> > >
> > > INFO:root:stderr=
> > > unexpected error: DsInstance instance has no attribute
> > > 'subject_base'
> >
> >
> > I have opened ticket 807[1] to track this.
> > Would you be available to test a patch ?
> >
> > Simo.
> >
> > [1] https://fedorahosted.org/freeipa/ticket/807
> >
>
> Can you test this patch and see if it solves your issue completely ?
>
> You should be able to manually fix it without having to redo the whole
> install by simply editing the dsinstance.py file and adding the line
> you see in the patch.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
From ssorce at redhat.com Wed Jan 19 20:04:22 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 19 Jan 2011 15:04:22 -0500
Subject: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
In-Reply-To:
References: <20110119092845.62b8b93f@willson.li.ssimo.org>
        <20110119095920.42a8627e@willson.li.ssimo.org>
Message-ID: <20110119150422.5fef28db@willson.li.ssimo.org>

On Wed, 19 Jan 2011 22:22:45 +0530
Aravind GV wrote:

> Hi Simo,
>
> Thanks for responding to my email. I
> updated /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py
> with the patch, i.e. added the extra line self.subject_base = None
>
> Now I am getting a different error
>
> [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
> CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --cacert /root/bgkerb.cer
> bgkerb.test02.com --passsync asd312ASD --bindpw asd312ASD -v
> Directory Manager password:
> INFO:root:args=/sbin/service dirsrv stop
> INFO:root:stdout=Shutting down dirsrv:
>     AGV-COM...[  OK  ]
>     PKI-IPA...[  OK  ]
>
> INFO:root:stderr=
> unexpected error: 'Env' object has no attribute 'ra_plugin'
>
>
>
> Regards,
> AGV
>
> On Wed, Jan 19, 2011 at 8:29 PM, Simo Sorce wrote:
>
> > On Wed, 19 Jan 2011 09:28:45 -0500
> > Simo Sorce wrote:
> >
> > > On Wed, 19 Jan 2011 12:52:54 +0530
> > > Aravind GV wrote:
> > >
> > > > Hi All
> > > >
> > > > Please help me in adding a synchronization agreement. I
> > > > followed (
> > > > http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/)
> > > > but the example given in 4.4. Creating Synchronization
> > > > Agreements is not correct. There is no longer an add option in the
> > > > ipa-replica-manage command. After googling, they suggested I
> > > > use connect instead of add. This command worked, but it stopped the
> > > > directory server and throws the following errors. Jakub Hrozek
> > > > suggested I get logs from /var/log/ipareplica-install.log.
> > > > But this file is not created at all; only ipaclient-install.log and
> > > > ipaserver-install.log are the two files, and in them there is no
> > > > reference to the ipa-replica-manage command.
> > > >
> > > > I have installed ipa v2 from the http://jdennis.fedorapeople.org
> > > > repo.
> > > >
> > > > [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
> > > > CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD
> > > > --cacert /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD
> > > > INFO:root:args=/sbin/service dirsrv stop
> > > > INFO:root:stdout=Shutting down dirsrv:
> > > >     AGV-COM...[  OK  ]
> > > >     PKI-IPA...[  OK  ]
> > > >
> > > > INFO:root:stderr=
> > > > unexpected error: DsInstance instance has no attribute
> > > > 'subject_base'
> > >
> > >
> > > I have opened ticket 807[1] to track this.
> > > Would you be available to test a patch ?
> > >
> > > Simo.
> > >
> > > [1] https://fedorahosted.org/freeipa/ticket/807
> > >
> >
> > Can you test this patch and see if it solves your issue completely ?
> >
> > You should be able to manually fix it without having to redo the
> > whole install by simply editing the dsinstance.py file and adding
> > the line you see in the patch.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >

Attached a corrected patch that should fix this second problem too.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0062-Fix-ipa-replica-manage-regressions-with-winsync.patch
Type: text/x-patch
Size: 1939 bytes
Desc: not available
URL:

From aravind.gv at gmail.com Thu Jan 20 05:33:12 2011
From: aravind.gv at gmail.com (Aravind GV)
Date: Thu, 20 Jan 2011 11:03:12 +0530
Subject: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
In-Reply-To: <20110119150422.5fef28db@willson.li.ssimo.org>
References: <20110119092845.62b8b93f@willson.li.ssimo.org>
        <20110119095920.42a8627e@willson.li.ssimo.org>
        <20110119150422.5fef28db@willson.li.ssimo.org>
Message-ID:

Hi Simo,

Great response from you, but still the issue is not solved completely.
After applying your patch I am getting the below-mentioned error

[root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --cacert /root/bgkerb.cer 10.0.65.28 --passsync asd312ASD --bindpw asd312ASD -v
Added CA certificate /root/bgkerb.cer to certificate database for dirsrv.agv.com
unexpected error: basic_replication_setup() takes exactly 5 arguments (3 given)

Regards,
AGV

On Thu, Jan 20, 2011 at 1:34 AM, Simo Sorce wrote:

> On Wed, 19 Jan 2011 22:22:45 +0530
> Aravind GV wrote:
>
> > Hi Simo,
> >
> > Thanks for responding to my email. I
> > updated /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py
> > with the patch, i.e. added the extra line self.subject_base = None
> >
> > Now I am getting a different error
> >
> > [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
> > CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --cacert /root/bgkerb.cer
> > bgkerb.test02.com --passsync asd312ASD --bindpw asd312ASD -v
> > Directory Manager password:
> > INFO:root:args=/sbin/service dirsrv stop
> > INFO:root:stdout=Shutting down dirsrv:
> >     AGV-COM...[  OK  ]
> >     PKI-IPA...[  OK  ]
> >
> > INFO:root:stderr=
> > unexpected error: 'Env' object has no attribute 'ra_plugin'
> >
> >
> >
> > Regards,
> > AGV
> >
> > On Wed, Jan 19, 2011 at 8:29 PM, Simo Sorce wrote:
> >
> > > On Wed, 19 Jan 2011 09:28:45 -0500
> > > Simo Sorce wrote:
> > >
> > > > On Wed, 19 Jan 2011 12:52:54 +0530
> > > > Aravind GV wrote:
> > > >
> > > > > Hi All
> > > > >
> > > > > Please help me in adding a synchronization agreement. I
> > > > > followed (
> > > > > http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US/html/)
> > > > > but the example given in 4.4. Creating Synchronization
> > > > > Agreements is not correct. There is no longer an add option in the
> > > > > ipa-replica-manage command. After googling, they suggested I
> > > > > use connect instead of add. This command worked, but it stopped the
> > > > > directory server and throws the following errors. Jakub Hrozek
> > > > > suggested I get logs from /var/log/ipareplica-install.log.
> > > > > But this file is not created at all; only ipaclient-install.log and
> > > > > ipaserver-install.log are the two files, and in them there is no
> > > > > reference to the ipa-replica-manage command.
> > > > >
> > > > > I have installed ipa v2 from the http://jdennis.fedorapeople.org
> > > > > repo.
> > > > >
> > > > > [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
> > > > > CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --bindpw asd312ASD
> > > > > --cacert /root/bgkerb.cer 10.0.65.28 -v --passsync asd312ASD
> > > > > INFO:root:args=/sbin/service dirsrv stop
> > > > > INFO:root:stdout=Shutting down dirsrv:
> > > > >     AGV-COM...[  OK  ]
> > > > >     PKI-IPA...[  OK  ]
> > > > >
> > > > > INFO:root:stderr=
> > > > > unexpected error: DsInstance instance has no attribute
> > > > > 'subject_base'
> > > >
> > > >
> > > > I have opened ticket 807[1] to track this.
> > > > Would you be available to test a patch ?
> > > >
> > > > Simo.
> > > >
> > > > [1] https://fedorahosted.org/freeipa/ticket/807
> > > >
> > >
> > > Can you test this patch and see if it solves your issue completely ?
> > >
> > > You should be able to manually fix it without having to redo the
> > > whole install by simply editing the dsinstance.py file and adding
> > > the line you see in the patch.
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
> > >
>
> Attached a corrected patch that should fix this second problem too.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
From ssorce at redhat.com Thu Jan 20 13:57:58 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 20 Jan 2011 08:57:58 -0500
Subject: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
In-Reply-To:
References: <20110119092845.62b8b93f@willson.li.ssimo.org>
        <20110119095920.42a8627e@willson.li.ssimo.org>
        <20110119150422.5fef28db@willson.li.ssimo.org>
Message-ID: <20110120085758.0bfe9f1e@willson.li.ssimo.org>

On Thu, 20 Jan 2011 11:03:12 +0530
Aravind GV wrote:

> Hi Simo,
>
> Great response from you, but still the issue is not solved completely.
> After applying your patch I am getting the below-mentioned error
>
>
> [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
> CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --cacert /root/bgkerb.cer
> 10.0.65.28 --passsync asd312ASD --bindpw asd312ASD -v
> Added CA certificate /root/bgkerb.cer to certificate database for
> dirsrv.agv.com
> unexpected error: basic_replication_setup() takes exactly 5
> arguments (3 given)

I am sorry Aravind,
but at the moment I do not have a test environment that lets me test
winsync replication.

Hopefully this new patch should fix the remaining regressions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0062-2-Fix-ipa-replica-manage-regressions-with-winsync.patch
Type: text/x-patch
Size: 3354 bytes
Desc: not available
URL:

From aravind.gv at gmail.com Thu Jan 20 16:34:35 2011
From: aravind.gv at gmail.com (Aravind GV)
Date: Thu, 20 Jan 2011 22:04:35 +0530
Subject: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8
In-Reply-To: <20110120085758.0bfe9f1e@willson.li.ssimo.org>
References: <20110119092845.62b8b93f@willson.li.ssimo.org>
        <20110119095920.42a8627e@willson.li.ssimo.org>
        <20110119150422.5fef28db@willson.li.ssimo.org>
        <20110120085758.0bfe9f1e@willson.li.ssimo.org>
Message-ID: <7026262557868922185@unknownmsgid>

Hi Simon

I am traveling this week; will test and let you know in a week's time.

Sent from my iPhone

On Jan 20, 2011, at 7:28 PM, Simo Sorce wrote:

> On Thu, 20 Jan 2011 11:03:12 +0530
> Aravind GV wrote:
>
>> Hi Simo,
>>
>> Great response from you, but still the issue is not solved completely.
>> After applying your patch I am getting the below-mentioned error
>>
>>
>> [root@dirsrv ~]# ipa-replica-manage connect --winsync --binddn
>> CN=agv,OU=Users,DC=bgkerb,DC=test02,DC=com --cacert /root/bgkerb.cer
>> 10.0.65.28 --passsync asd312ASD --bindpw asd312ASD -v
>> Added CA certificate /root/bgkerb.cer to certificate database for
>> dirsrv.agv.com
>> unexpected error: basic_replication_setup() takes exactly 5
>> arguments (3 given)
>
>
> I am sorry Aravind,
> but at the moment I do not have a test environment that lets me test
> winsync replication.
>
> Hopefully this new patch should fix the remaining regressions.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From ijstokes at hkl.hms.harvard.edu Thu Jan 20 21:00:37 2011
From: ijstokes at hkl.hms.harvard.edu (Ian Stokes-Rees)
Date: Thu, 20 Jan 2011 16:00:37 -0500
Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password
Message-ID: <4D38A275.4010908@hkl.hms.harvard.edu>

An HTML attachment was scrubbed...
From rcritten at redhat.com Thu Jan 20 21:26:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 20 Jan 2011 16:26:53 -0500
Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password
In-Reply-To: <4D38A275.4010908@hkl.hms.harvard.edu>
References: <4D38A275.4010908@hkl.hms.harvard.edu>
Message-ID: <4D38A89D.4030305@redhat.com>

Ian Stokes-Rees wrote:
> Hello,
>
> We have a deployment of IPA that we have been using successfully for 185
> days. We are 3 days past the "half year" mark, and the self-signed cert
> that was created with the original IPA install (FreeIPA v2 alpha) has
> expired. I have created a new self-signed cert, PKCS#12 format, but I
> cannot load it using the command:
>
> ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap
>
> When I try this, I am asked for:
>
> Directory Manager password:
>
> And I have no idea what this would be. I've tried the Kerberos "admin"
> password (used with "kinit admin"), and the root password. I don't know
> what other passwords would work.
>
> Is there some way to force this, or reset it, without starting from
> scratch? The added challenge is that the person who set up this version
> of FreeIPA went on vacation for 2 weeks, so I have minimal background
> with FreeIPA from an admin/install perspective.

Just so I have the full context, where did the original self-signed cert
come from? The initial cert should have been good for 12 months so I'm a
little confused. Do you know where the initial certificate came from?

You're running a pretty old build so maybe we didn't have this quite
working but we use a tool named certmonger to keep the SSL certificates
valid. It could be that we weren't using certmonger then, or not enabling
it correctly, I'm not sure. If you want to see then as root run:
ipa-getcert list. This will show you the certificates that certmonger is
monitoring (and I suppose it could be none or you could get a DBus error).

Since your infrastructure is probably down because of this here are the
instructions you need to get going again. I hesitate because I don't want
to make things worse for you by not understanding the history.

The Directory Manager is essentially the super-user of 389-ds. It gets a
separate password when IPA is installed. See these instructions for
resetting it:
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

I'm also curious why only the 389-ds cert has expired and not the Apache
cert (or maybe you haven't noticed it yet). 'certutil -L -d
/etc/httpd/alias -n Server-Cert' will show you.

rob

From ijstokes at hkl.hms.harvard.edu Thu Jan 20 21:45:06 2011
From: ijstokes at hkl.hms.harvard.edu (Ian Stokes-Rees)
Date: Thu, 20 Jan 2011 16:45:06 -0500
Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password
In-Reply-To: <4D38A89D.4030305@redhat.com>
References: <4D38A275.4010908@hkl.hms.harvard.edu>
        <4D38A89D.4030305@redhat.com>
Message-ID: <4D38ACE2.1000303@hkl.hms.harvard.edu>

> Just so I have the full context, where did the original self-signed
> cert come from? The initial cert should have been good for 12 months
> so I'm a little confused. Do you know where the initial certificate
> came from?

I have to plead ignorance, since it was our regular sys admin (away on
vacation for 2 weeks) who installed this in the summer of 2010. I'm a
"user" stuck with managing the system while he's away. I assume this cert
came from the default installation process. He chimed in with a quick
comment on our internal ticket, and said he doesn't know any details
about the cert infrastructure of FreeIPA.

> You're running a pretty old build so maybe we didn't have this quite
> working but we use a tool named certmonger to keep the SSL
> certificates valid. It could be that we weren't using certmonger then,
> or not enabling it correctly, I'm not sure. If you want to see then as
> root run: ipa-getcert list. This will show you the certificates that
> certmonger is monitoring (and I suppose it could be none or you could
> get a DBus error).

Probably not running it:

# ipa-getcert list
Error org.freedesktop.DBus.Error.ServiceUnknown: The name
org.fedorahosted.certmonger was not provided by any .service files

> Since your infrastructure is probably down because of this here are
> the instructions you need to get going again. I hesitate because I
> don't want to make things worse for you by not understanding the history.
>
> The Directory Manager is essentially the super-user of 389-ds. It gets
> a separate password when IPA is installed. See these instructions for
> resetting it:
> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

Seemed straightforward, but it hasn't worked. After changing the password
in the dse.ldif file I can't restart "dirsrv" successfully: our instance
won't restart, but the PKI-IPA one will restart just fine. In either
case, I can't execute the ipa-server-certinstall, as I get an error:

# ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 --dirsrv_pin=ldap
Directory Manager password:
an unexpected error occurred: Can't contact LDAP server:
[stacktrace]
DatabaseError: Can't contact LDAP server:

Also, I should reiterate that the PKCS#12 file is *self signed*, but I
notice in /etc/ipa/ca.crt there is a cert (just public) for the IPA CA
-- perhaps my cert needs to be signed by this CA?

> I'm also curious why only the 389-ds cert has expired and not the
> Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d
> /etc/httpd/alias -n Server-Cert' will show you.
Here you can see the expired cert and the 6 month lifespan: # certutil -L -d /etc/httpd/alias -n Server-Cert Certificate: Data: Version: 3 (0x2) Serial Number: 9 (0x9) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "CN=Certificate Authority,O=IPA" Validity: Not Before: Wed Jul 21 18:13:52 2010 Not After : Mon Jan 17 18:13:52 2011 Subject: "CN=nebio-directory.in.hwlab,O=IPA" From ijstokes at hkl.hms.harvard.edu Thu Jan 20 22:10:29 2011 From: ijstokes at hkl.hms.harvard.edu (Ian Stokes-Rees) Date: Thu, 20 Jan 2011 17:10:29 -0500 Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password In-Reply-To: <4D38ACE2.1000303@hkl.hms.harvard.edu> References: <4D38A275.4010908@hkl.hms.harvard.edu> <4D38A89D.4030305@redhat.com> <4D38ACE2.1000303@hkl.hms.harvard.edu> Message-ID: <4D38B2D5.7070408@hkl.hms.harvard.edu> An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Jan 20 22:32:08 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 20 Jan 2011 17:32:08 -0500 Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password In-Reply-To: <4D38ACE2.1000303@hkl.hms.harvard.edu> References: <4D38A275.4010908@hkl.hms.harvard.edu> <4D38A89D.4030305@redhat.com> <4D38ACE2.1000303@hkl.hms.harvard.edu> Message-ID: <4D38B7E8.4010202@redhat.com> Ian Stokes-Rees wrote: > >> Just so I have the full context, where did the original self-signed >> cert come from? The initial cert should have been good for 12 months >> so I'm a little confused. Do you know where the initial certificate >> came from? > > I have to plead ignorance, since it was our regular sys admin (away on > vacation for 2 weeks) who installed this summer of 2010. I'm a "user" > stuck with managing the system while he's away. I assume this cert came > from the default installation process. He chimed in with a quick > comment on our internal ticket, and said he doesn't know any details > about the cert infrastructure of FreeIPA. 
> Ouch, you have my sympathies. >> You're running a pretty old build so maybe we didn't have this quite >> working but we use a tool named certmonger to keep the SSL >> certificates valid. It could be that we weren't using certmonger then, >> or not enabling it correctly, I'm not sure.If you want to see then as >> root run: ipa-getcert list. This will show you the certificates that >> certmonger is monitoring (and I suppose it could be none or you could >> get a DBus error. > > Probably not running it: > > # ipa-getcert list > Error org.freedesktop.DBus.Error.ServiceUnknown: The name > org.fedorahosted.certmonger was not provided by any .service files > Ok, that's fine. Maybe we can use it once you get up and running again, but first things first. >> >> Since your infrastructure is probably down because of this here are >> the instructions you need to get going again. I hesitate because I >> don't want to make things worse for you by not understanding the history. >> >> The Directory Manager is essentially the super-user of 389-ds. It gets >> a separate password when IPA is installed. See these instructions for >> resetting it: >> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword > > Seemed straight forward, but it hasn't worked. After changing the > password in the dse.ldif file I can't restart "dirsrv" successfully: our > instance won't restart, but the PKI-IPA one will restart just fine. In > either case, I can't execute the ipa-server-certinstall, as I get an error: > > # ipa-server-certinstall -d ldap-selfsigned-to20120120.pkcs12 > --dirsrv_pin=ldap > Directory Manager password: > an unexpected error occurred: Can't contact LDAP server: > [stacktrace] > DatabaseError: Can't contact LDAP server: /me smacks head Ok, of course you can't contact the LDAP server because it isn't up because the cert is expired! 
> Also, I should reiterate that the PKCS#12 file is *self signed*, but I > notice in /etc/ipa/ca.crt there is a cert (just public) for the IPA CA > -- perhaps my cert needs to be signed by this CA? Yes, that was going to be my next question. While throwing any old self-signed cert in there might get the server up other things won't work, notably replication. Ok, here are some steps I worked out that I think will get you back in business. I'm going to try to renew your 389-ds certificate using IPA. First we need to get 389-ds back up and running. I'm going to use REALM in place of the instance name for your 389-ds install.
1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
2. Make a backup of your dirsrv NSS database (so /etc/dirsrv/slapd-REALM/*.db)
2. Edit dse.ldif and set nsslapd-security to off
3. Try starting dirsrv: service start dirsrv REALM
4. Get a kerberos ticket for admin: kinit admin
5. Generate a new CSR for your directory server: certutil -R -k 'NSS Certificate DB:Server-Cert' -s 'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f /etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr
6. Get a new certificate: ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab
7. Paste the value in the output for Certificate into a file. This is a base64-encoded blob of text probably starting with MII and ending with ==.
8. Add this new cert to your 389-ds database: certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt
9. service dirsrv stop REALM
10. edit dse.ldif and set nsslapd-security to on
11. service dirsrv start REALM
I ran the majority of these steps against my own IPA installation and nothing caught on fire. I hope you have equal success. > >> I'm also curious why only the 389-ds cert has expired and not the >> Apache cert (or maybe you haven't noticed it yet). 'certutil -L -d >> /etc/httpd/alias -n Server-Cert' will show you. 
> > Here you can see the expired cert and the 6 month lifespan: > > # certutil -L -d /etc/httpd/alias -n Server-Cert > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 9 (0x9) > Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption > Issuer: "CN=Certificate Authority,O=IPA" > Validity: > Not Before: Wed Jul 21 18:13:52 2010 > Not After : Mon Jan 17 18:13:52 2011 > Subject: "CN=nebio-directory.in.hwlab,O=IPA" > Wow, not sure why it would do a 6 month cert but seeing is believing. regards rob From rcritten at redhat.com Thu Jan 20 22:54:23 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 20 Jan 2011 17:54:23 -0500 Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password In-Reply-To: <4D38B2D5.7070408@hkl.hms.harvard.edu> References: <4D38A275.4010908@hkl.hms.harvard.edu> <4D38A89D.4030305@redhat.com> <4D38ACE2.1000303@hkl.hms.harvard.edu> <4D38B2D5.7070408@hkl.hms.harvard.edu> Message-ID: <4D38BD1F.606@redhat.com> Ian Stokes-Rees wrote: > Some more info: > > 1. certmonger wasn't running, so I started it. Then I can execute > "ipa-getcert list" but it doesn't return anything. Ok, your install must have pre-dated our implementation of it. > 2. /var/log/ipa/default.log (the only log file in that dir) appears to > show the *new* cert being imported successfully (the latest timestamps > are from about 1000 seconds ago, or less than 20 minutes): As one might expect the Apache cert has also expired. Apache needs a valid cert and needs to contact 389-ds to start IPA. > 3. dirsrv errors has this as its last log entries: > /var/log/dirsrv/slapd-NEBIOGRID-ORG/errors: It doesn't seem to like the self-signed cert you installed. The key used to initially generate the 389-ds certificate should still be in your NSS database, certutil -K -d /etc/dirsrv/slapd-REALM should have it. We should be able to use that to get things working again. I think the fastest way to get back up would be to set your system clock back to Jan 15. 
Disable security in 389-ds and start that, then restart Apache. This should be enough to get part of your infrastructure back up and running long enough to renew the certs. Once you renew the 389-ds certificate and get that working you can do pretty much the same thing to Apache. The Apache NSS database is in /etc/httpd/alias. You won't need to disable security for this at all. Otherwise we may have to set up a sort of temporary CA, issue new certificates for Apache and 389-ds to get them back up and running, then renew things. If you try going back in time don't forget to reset the date. You'll have to stop ntpd when going back in time. rob From ijstokes at hkl.hms.harvard.edu Thu Jan 20 23:05:52 2011 From: ijstokes at hkl.hms.harvard.edu (Ian Stokes-Rees) Date: Thu, 20 Jan 2011 18:05:52 -0500 Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password In-Reply-To: <4D38BD1F.606@redhat.com> References: <4D38A275.4010908@hkl.hms.harvard.edu> <4D38A89D.4030305@redhat.com> <4D38ACE2.1000303@hkl.hms.harvard.edu> <4D38B2D5.7070408@hkl.hms.harvard.edu> <4D38BD1F.606@redhat.com> Message-ID: <4D38BFD0.5000608@hkl.hms.harvard.edu> An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Jan 21 15:28:29 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 21 Jan 2011 10:28:29 -0500 Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password In-Reply-To: <4D38BFD0.5000608@hkl.hms.harvard.edu> References: <4D38A275.4010908@hkl.hms.harvard.edu> <4D38A89D.4030305@redhat.com> <4D38ACE2.1000303@hkl.hms.harvard.edu> <4D38B2D5.7070408@hkl.hms.harvard.edu> <4D38BD1F.606@redhat.com> <4D38BFD0.5000608@hkl.hms.harvard.edu> Message-ID: <4D39A61D.7040004@redhat.com> Ian Stokes-Rees wrote: > Rob, > > Thanks for your most recent comments. I'm not sure if I should try these > *before* or *after* the steps described in the 5:32 EST email. 
> > Ian I think roll back the time to the 15th, disable SSL in 389-ds and bring the servers back up. Then follow the instructions to renew the certificates. rob From ijstokes at hkl.hms.harvard.edu Fri Jan 21 19:35:41 2011 From: ijstokes at hkl.hms.harvard.edu (Ian Stokes-Rees) Date: Fri, 21 Jan 2011 14:35:41 -0500 Subject: [Freeipa-users] IPA server certificate update and "Directory Manager" password In-Reply-To: <4D38B7E8.4010202@redhat.com> References: <4D38A275.4010908@hkl.hms.harvard.edu> <4D38A89D.4030305@redhat.com> <4D38ACE2.1000303@hkl.hms.harvard.edu> <4D38B7E8.4010202@redhat.com> Message-ID: <4D39E00D.6060403@hkl.hms.harvard.edu> Some good news: turning off security has the Directory Server starting up properly. If the directory server is only accessible within our small intranet, can we safely run it without security enabled? If this is theoretically possible it looks like the trick will be to change the IPA config for Apache to allow non SSL access... Also, is there any scope to dump the current directory contents and start from scratch? I feel like I may be near the point where that is easier. The main sticking point now is step 5 where "certutil -R -k 'NSS Certificate DB:Server-Cert' ... " fails because the value specified for the -k argument is invalid (or there is some other problem with the certificate DB). More details below. > Yes, that was going to be my next question. While throwing any old > self-signed cert in there might get the server up other things won't > work, notably replication. I'm having trouble with accessing the certificate DB. When I try to connect I'm asked for a password: # certutil -K -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB": I overwrote the "Directory Manager" password yesterday with "freeipa" but that isn't working for this. 
Also, my self signed cert (PKCS12 format) has *two* encryption passwords (both the same): one to open the PKCS12 file, and one to access the private key contained within the file (inherited from the PEM file). Should I remove the password on the private key PEM file before generating the PKCS#12 file with the pub/priv key pair? Or should I just abandon my self signed cert generated by OpenSSL and persevere with getting one out of FreeIPA? > Ok, here are some steps I worked out that I think will get you back in > business. I'm going to try to renew your 389-ds certificate using IPA. > > First we need to get 389-ds back up and running. > > I'm going to use REALM in place of the instance name for your 389-ds > install. > > 1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif > 2. Make a backup of your dirsrv NSS database (so > /etc/dirsrv/slapd-REALM/*.db) > 2. Edit dse.ldif and set nsslapd-security to off > 3. Try starting dirsrv: service start dirsrv REALM > 4. Get a kerberos ticket for admin: kinit admin > 5. Generate a new CSR for your directory server: > certutil -R -k 'NSS Certificate DB:Server-Cert' -s > 'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f > /etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr FAILS - it appears it doesn't know anything about 'NSS Certificate DB:Server-Cert' # certutil -R -k 'NSS Certificate DB:Server-Cert' -s 'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-NEBIOGRID-ORG/ -f /etc/dirsrv/slapd-NEBIOGRID-ORG/pwdfile.txt -a > renew.csr certutil: NSS Certificate DB:Server-Cert is neither a key-type nor a nickname: security library: bad database. The DB files and password file all seem to be there, so I'm not sure what "bad database" means: # ls -Fla /etc/dirsrv/slapd-NEBIOGRID-ORG/*.{db,txt} -rw-------. 1 root root 65536 Jan 10 13:35 /etc/dirsrv/slapd-NEBIOGRID-ORG/cert8.db -rw-------. 1 root root 16384 Jan 10 13:35 /etc/dirsrv/slapd-NEBIOGRID-ORG/key3.db -r--------. 
1 dirsrv root 90 Jul 21 2010 /etc/dirsrv/slapd-NEBIOGRID-ORG/pin.txt -rw-------. 1 dirsrv root 77 Jan 10 13:35 /etc/dirsrv/slapd-NEBIOGRID-ORG/pwdfile.txt -rw-------. 1 root root 16384 Jan 10 13:35 /etc/dirsrv/slapd-NEBIOGRID-ORG/secmod.db > 6. Get a new certificate: > ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab > > 7. Paste the value in the output for Certificate into a file. This is > a base64-encoded blob of text probably starting with MII and ending > with ==. Since I can't get this far, I don't know if this is going to be the private key or public key, or both (one after the other) > 8. Add this new cert to your 389-ds database > certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < > cert.txt So I tried doing this, but using the full text output of my self-signed PKCS#12 file with the base64 encoded public and private keys (since I can't run the "certutil" or "ipa cert-request" commands). It didn't complain, but I also don't think it exactly worked. Also, does this somehow link to the cert used by Apache httpd? > 9. service dirsrv stop REALM > 10. edit dse.ldif and set nsslapd-security to on > 11. service dirsrv start REALM Can't restart dirsrv after turning nsslapd-security back on. Similar errors to before: /var/log/dirsrv/slapd-NEBIOGRID-ORG/errors [21/Jan/2011:14:30:53 -0500] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.) [21/Jan/2011:14:30:53 -0500] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.) [21/Jan/2011:14:30:53 -0500] - SSL failure: None of the cipher are valid [21/Jan/2011:14:30:53 -0500] - ERROR: SSL Initialization phase 2 Failed. TIA for any advice on next steps. 
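The eleven steps quoted above, collected into one script. This is an added example, not Rob's or the FreeIPA project's code, and nothing in the thread was run this way. It assumes the instance name NEBIOGRID-ORG, the host name and ldap/ principal from the thread, root on the IPA server with certutil, ipa and service on the PATH (the init script invoked as `service dirsrv start INSTANCE`, the form used in steps 9 and 11), GNU date, and that `ipa cert-request` prints the certificate on a line beginning with `Certificate:`. The WORKDIR and CLOCK_BACK_TO settings and all function names are the example's own; the clock rollback implements Rob's Jan 20/21 advice above (set the date back, stop ntpd, restart Apache, renew, then reset the date). The two text transforms (switching nsslapd-security in dse.ldif, turning the cert-request output into a PEM file for `certutil -A`) are plain functions that can be exercised on a workstation; the renewal itself runs only with `--run`.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the eleven renewal
# steps from the thread as one script, with an optional clock rollback so that
# the expired Apache and 389-ds certificates are accepted long enough to reach
# the IPA CA. Run as root on the IPA server.
set -eu

INSTANCE="${INSTANCE:-NEBIOGRID-ORG}"          # 389-ds instance name ("REALM" in the thread)
DSHOST="${DSHOST:-nebio-directory.in.hwlab}"   # host in the certificate subject and ldap/ principal
DSDIR="/etc/dirsrv/slapd-$INSTANCE"            # dse.ldif, NSS database and pwdfile.txt live here
SUBJECT="cn=$DSHOST,O=IPA"
PRINCIPAL="ldap/$DSHOST"
WORKDIR="${WORKDIR:-/root/ds-renew}"           # assumed location for backups, CSR and certificate
CLOCK_BACK_TO="${CLOCK_BACK_TO:-}"             # e.g. "2011-01-15 12:00:00"; empty = leave the clock alone

# set_security on|off: rewrite nsslapd-security in a dse.ldif read on stdin.
set_security() {
    awk -v value="$1" '
        /^nsslapd-security:/ { print "nsslapd-security: " value; next }
        { print }'
}

# cert_request_to_pem: read `ipa cert-request` output on stdin and write the
# value of its "Certificate:" line (the MII...== blob) as a PEM certificate
# that certutil -A -a accepts. Base64-only continuation lines are joined in
# case the CLI wraps the value. Exit status 1 if there is no Certificate: line.
cert_request_to_pem() {
    awk '
        found && $0 ~ "^[[:space:]]*[A-Za-z0-9+/=]+[[:space:]]*$" { gsub(/[[:space:]]/, ""); blob = blob $0; next }
        found { exit }
        $0 ~ "^[[:space:]]*Certificate:" { sub(/^[[:space:]]*Certificate:[[:space:]]*/, ""); blob = $0; found = 1 }
        END {
            if (!found) exit 1
            print "-----BEGIN CERTIFICATE-----"
            while (length(blob) > 64) { print substr(blob, 1, 64); blob = substr(blob, 65) }
            print blob
            print "-----END CERTIFICATE-----"
        }'
}

# clock_back / clock_restore: ntpd would undo a manual date change (and it
# exits on an offset over 1000 s unless started with -g), so it is stopped
# while the clock is back-dated; the real time is recomputed afterwards as
# "real time before the step + seconds spent on the fake clock".
clock_back() {
    REAL_EPOCH=$(date +%s)
    service ntpd stop
    date -s "$1" > /dev/null
    FAKE_EPOCH=$(date +%s)
}
clock_restore() {
    date -s "@$(( REAL_EPOCH + $(date +%s) - FAKE_EPOCH ))" > /dev/null
    service ntpd start
}

# renew: the steps in the thread's order.
renew() {
    mkdir -p "$WORKDIR"
    stamp=$(date +%Y%m%d%H%M%S)
    # 1, 2: back up dse.ldif and the NSS database before touching anything
    cp -p "$DSDIR/dse.ldif" "$WORKDIR/dse.ldif.$stamp"
    for db in "$DSDIR"/*.db; do cp -p "$db" "$WORKDIR/$(basename "$db").$stamp"; done
    if [ -n "$CLOCK_BACK_TO" ]; then clock_back "$CLOCK_BACK_TO"; fi
    # 2, 3: start 389-ds with TLS off so the expired certificate cannot stop it
    set_security off < "$WORKDIR/dse.ldif.$stamp" > "$DSDIR/dse.ldif"
    service dirsrv start "$INSTANCE"
    # ipa cert-request is forwarded to the server over HTTPS, so Apache must be up too
    if [ -n "$CLOCK_BACK_TO" ]; then service httpd restart; fi
    # 4-6: get a ticket, build a CSR that reuses the existing Server-Cert key pair
    #      (a certutil that accepts only a key type here needs -k rsa, which makes
    #      a new pair), and have the IPA CA issue the certificate for the ldap/ principal
    kinit admin
    certutil -R -k "NSS Certificate DB:Server-Cert" -s "$SUBJECT" \
        -d "$DSDIR" -f "$DSDIR/pwdfile.txt" -a > "$WORKDIR/renew.csr"
    ipa cert-request "$WORKDIR/renew.csr" --principal="$PRINCIPAL" > "$WORKDIR/cert-request.out"
    # 7, 8: extract the certificate and import it under the same nickname
    cert_request_to_pem < "$WORKDIR/cert-request.out" > "$WORKDIR/cert.pem"
    certutil -A -d "$DSDIR" -n Server-Cert -t u,u,u -a < "$WORKDIR/cert.pem"
    # 9-11: stop, turn TLS back on (edit dse.ldif only while the server is down), start
    service dirsrv stop "$INSTANCE"
    set_security on < "$DSDIR/dse.ldif" > "$WORKDIR/dse.ldif.tmp"
    cat "$WORKDIR/dse.ldif.tmp" > "$DSDIR/dse.ldif"
    if [ -n "$CLOCK_BACK_TO" ]; then clock_restore; fi
    service dirsrv start "$INSTANCE"
}

# Nothing runs on load, so the transforms can be checked on a workstation.
if [ "${1:-}" = "--run" ]; then renew; fi
```

Invoke it as `CLOCK_BACK_TO="2011-01-15 12:00:00" sh ds-renew.sh --run` when the Apache certificate has expired as well, or plain `sh ds-renew.sh --run` when only 389-ds is affected. The backups in WORKDIR are what to restore if the import goes wrong, and the same two transforms serve for the Apache database in /etc/httpd/alias, which never needs its security switched off.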
Ian From jeffb.list at gmail.com Sun Jan 23 16:17:34 2011 From: jeffb.list at gmail.com (Jeff B) Date: Sun, 23 Jan 2011 11:17:34 -0500 Subject: [Freeipa-users] Invalid Credentials error on migrate-ds Message-ID: I'm trying to test out migration from an Apple Open Directory Server to FreeIPA (unstable). The command I'm running is: ipa config-mod --enable-migration=true ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=xxxx,dc=com' --group-container='cn=groups,dc=xxx,dc=xxxx,dc=com' ldap://10.10.10.10:389 It prompts me for a password twice, then gives me an invalid credentials error ipa: INFO: Created connection context.xmlclient Password: Enter Password again to verify: ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'********', usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com', groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com') ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'********', binddn=u'cn=directory manager', usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com', groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), schema=u'RFC2307bis', continue=False, exclude_groups=None, exclude_users=None) ipa: INFO: Forwarding 'migrate_ds' to server u'https://ipa0.xxxx.com/ipa/xml' ipa: DEBUG: NSSConnection init ipa0.xxxx.com ipa: DEBUG: connect: host=ipa0.xxxx.com port=443 ipa: DEBUG: connect: 10.10.10.11:443 ... ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer ipa: DEBUG: cert valid True for "CN=ipa0.xxxx.com,O=XXXX.COM" ipa: DEBUG: handshake complete, peer = 10.10.10.11:443 ipa: DEBUG: Caught fault 2100 from server https://ipa0.xxx.com/ipa/xml: Insufficient access: Invalid credentials ipa: INFO: Destroyed connection context.xmlclient ipa: ERROR: Insufficient access: Invalid credentials I'm able to connect to LDAP using the same password for cn="Directory Manager" which it appears to be the user it's asking the password for. Is this user error or a bug? 
If user error what am I doing wrong? Thanks. From rcritten at redhat.com Mon Jan 24 19:16:40 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 14:16:40 -0500 Subject: [Freeipa-users] Invalid Credentials error on migrate-ds In-Reply-To: References: Message-ID: <4D3DD018.6000400@redhat.com> Jeff B wrote: > I'm trying to test out migration from an Apple Open Directory Server > to FreeIPA (unstable). The command I'm running is: > > ipa config-mod --enable-migration=true > > ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=xxxx,dc=com' > --group-container='cn=groups,dc=xxx,dc=xxxx,dc=com' > ldap://10.10.10.10:389 > > It prompts me for a password twice, then gives me an invalid credentials error > > ipa: INFO: Created connection context.xmlclient > Password: > Enter Password again to verify: > ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'********', > usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com', > groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com') > ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'********', > binddn=u'cn=directory manager', > usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com', > groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com', > userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', > u'groupOfNames'), schema=u'RFC2307bis', continue=False, > exclude_groups=None, exclude_users=None) > ipa: INFO: Forwarding 'migrate_ds' to server u'https://ipa0.xxxx.com/ipa/xml' > ipa: DEBUG: NSSConnection init ipa0.xxxx.com > ipa: DEBUG: connect: host=ipa0.xxxx.com port=443 > ipa: DEBUG: connect: 10.10.10.11:443 > ... 
> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer > ipa: DEBUG: cert valid True for "CN=ipa0.xxxx.com,O=XXXX.COM" > ipa: DEBUG: handshake complete, peer = 10.10.10.11:443 > ipa: DEBUG: Caught fault 2100 from server > https://ipa0.xxx.com/ipa/xml: Insufficient access: Invalid > credentials > ipa: INFO: Destroyed connection context.xmlclient > ipa: ERROR: Insufficient access: Invalid credentials > > I'm able to connect to LDAP using the same password for cn="Directory > Manager" which it appears to be the user it's asking the password for. > > Is this user error or a bug? If user error what am I doing wrong? Thanks. Hmm, I'm stumped at this point. Can you look in your Apple DS logs to see if there is a bind error? You can use --binddn to bind as a different user. I should also note that you don't want to include basedn for the user and group containers, cn=users and cn=groups is enough. rob From jeffb.list at gmail.com Mon Jan 24 19:57:57 2011 From: jeffb.list at gmail.com (Jeff B) Date: Mon, 24 Jan 2011 14:57:57 -0500 Subject: [Freeipa-users] Invalid Credentials error on migrate-ds In-Reply-To: <4D3DD018.6000400@redhat.com> References: <4D3DD018.6000400@redhat.com> Message-ID: I might have missed this yesterday, is it trying to bind to the apple as Directory Manager? I thought that was for FreeIPA but now I'm not sure. I was intending to have it do an anonymous bind to the apple. If so I guess that would explain it. 
On Mon, Jan 24, 2011 at 2:16 PM, Rob Crittenden wrote: > Jeff B wrote: >> >> I'm trying to test out migration from an Apple Open Directory Server >> to FreeIPA (unstable). The command I'm running is: >> >> ipa config-mod --enable-migration=true >> >> ipa -d migrate-ds --user-container='cn=users,dc=xxx,dc=xxxx,dc=com' >> --group-container='cn=groups,dc=xxx,dc=xxxx,dc=com' >> ldap://10.10.10.10:389 >> >> It prompts me for a password twice, then gives me an invalid credentials >> error >> >> ipa: INFO: Created connection context.xmlclient >> Password: >> Enter Password again to verify: >> ipa: DEBUG: raw: migrate_ds(u'ldap://10.10.10.10:389', u'********', >> usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com', >> groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com') >> ipa: INFO: migrate_ds(u'ldap://10.10.10.10:389', u'********', >> binddn=u'cn=directory manager', >> usercontainer=u'cn=users,dc=xxx,dc=xxxx,dc=com', >> groupcontainer=u'cn=groups,dc=xxx,dc=xxxx,dc=com', >> userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', >> u'groupOfNames'), schema=u'RFC2307bis', continue=False, >> exclude_groups=None, exclude_users=None) >> ipa: INFO: Forwarding 'migrate_ds' to server >> u'https://ipa0.xxxx.com/ipa/xml' >> ipa: DEBUG: NSSConnection init ipa0.xxxx.com >> ipa: DEBUG: connect: host=ipa0.xxxx.com port=443 >> ipa: DEBUG: connect: 10.10.10.11:443 >> ... >> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer >> ipa: DEBUG: cert valid True for "CN=ipa0.xxxx.com,O=XXXX.COM" >> ipa: DEBUG: handshake complete, peer = 10.10.10.11:443 >> ipa: DEBUG: Caught fault 2100 from server >> https://ipa0.xxx.com/ipa/xml: Insufficient access: Invalid >> credentials >> ipa: INFO: Destroyed connection context.xmlclient >> ipa: ERROR: Insufficient access: Invalid credentials >> >> I'm able to connect to LDAP using the same password for cn="Directory >> Manager" which it appears to be the user it's asking the password for. >> >> Is this user error or a bug? If user error what am I doing wrong? >> Thanks. > > Hmm, I'm stumped at this point. Can you look in your Apple DS logs to see if > there is a bind error? You can use --binddn to bind as a different user. > > I should also note that you don't want to include basedn for the user and > group containers, cn=users and cn=groups is enough. > > rob > From jhrozek at redhat.com Mon Jan 24 20:22:27 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 24 Jan 2011 21:22:27 +0100 Subject: [Freeipa-users] Invalid Credentials error on migrate-ds In-Reply-To: References: <4D3DD018.6000400@redhat.com> Message-ID: <4D3DDF83.4040301@redhat.com> On 01/24/2011 08:57 PM, Jeff B wrote: > I might have missed this yesterday, is it trying to bind to the apple > as Directory Manager? I thought that was for FreeIPA but now I'm not > sure. I was intending to have it do an anonymous bind to the apple. > > If so I guess that would explain it. > Yes, "cn=Directory Manager" against Apple DS. Anonymous bind wouldn't work, because during migration, you need to read LDAP attributes that store user passwords. Those are usually not readable anonymously. Jakub From jeffb.list at gmail.com Mon Jan 24 20:53:58 2011 From: jeffb.list at gmail.com (Jeff B) Date: Mon, 24 Jan 2011 15:53:58 -0500 Subject: [Freeipa-users] Invalid Credentials error on migrate-ds In-Reply-To: <4D3DDF83.4040301@redhat.com> References: <4D3DD018.6000400@redhat.com> <4D3DDF83.4040301@redhat.com> Message-ID: The Apple Open Directory uses kerberos so they aren't readable as the root dn either. The password fields all have the same token: KioqKioqKio= I wasn't expecting to be able to import passwords so I thought I could run an import as an anonymous bind. I'll try again with a bind dn and see what happens. On Mon, Jan 24, 2011 at 3:22 PM, Jakub Hrozek wrote: > On 01/24/2011 08:57 PM, Jeff B wrote: >> >> I might have missed this yesterday, is it trying to bind to the apple >> as Directory Manager? I thought that was for FreeIPA but now I'm not >> sure. I was intending to have it do an anonymous bind to the apple. >> >> If so I guess that would explain it. >> > > Yes, "cn=Directory Manager" against Apple DS. Anonymous bind wouldn't work, > because during migration, you need to read LDAP attributes that store user > passwords. Those are usually not readable anonymously. > > Jakub > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > From rcritten at redhat.com Mon Jan 24 21:07:40 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 24 Jan 2011 16:07:40 -0500 Subject: [Freeipa-users] Invalid Credentials error on migrate-ds In-Reply-To: References: <4D3DD018.6000400@redhat.com> <4D3DDF83.4040301@redhat.com> Message-ID: <4D3DEA1C.8040206@redhat.com> Jeff B wrote: > The Apple Open Directory uses kerberos so they aren't readable as the > root dn either. The password fields all have the same token: > KioqKioqKio= > > I wasn't expecting to be able to import passwords so I thought I could > run an import as an anonymous bind. > > I'll try again with a bind dn and see what happens. Yes, any binddn should work. We intended this as a password migration mechanism which is why we bind as the root user by default but it can also just migrate your users I suppose. I briefly looked at the code and we aren't explicitly requiring userPassword so I'm thinking it may just work if you can bind. Note that KioqKioqKio= is '********'. Someone has a sense of humor at Apple :-) rob > > > > On Mon, Jan 24, 2011 at 3:22 PM, Jakub Hrozek wrote: >> On 01/24/2011 08:57 PM, Jeff B wrote: >>> >>> I might have missed this yesterday, is it trying to bind to the apple >>> as Directory Manager? I thought that was for FreeIPA but now I'm not >>> sure. I was intending to have it do an anonymous bind to the apple. >>> >>> If so I guess that would explain it. >>> >> >> Yes, "cn=Directory Manager" against Apple DS. Anonymous bind wouldn't work, >> because during migration, you need to read LDAP attributes that store user >> passwords. Those are usually not readable anonymously. 
>> >> Jakub >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From dont at killbrad.com Mon Jan 24 20:05:05 2011 From: dont at killbrad.com (dont at killbrad.com) Date: Mon, 24 Jan 2011 14:05:05 -0600 Subject: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0 In-Reply-To: References: Message-ID: Hi Simo, yes, I had tried this and it was still causing the same issue. If anyone else encounters a similar problem, here is the solution that worked for me: This file: /usr/lib/python2.4/site-packages/ipaserver/replication.py Contains this line at the top: CACERT="/usr/share/ipa/html/ca.crt" When updating the dirsrv and http server NSS database certs with ipa-server-certinstall, this particular cert never gets updated. It keeps the original self-signed cert that was installed (standalone, not NSS). Backed up this file, and copied (for me, DigiCertCA2.crt) the proper CA cert to allow the verification worked finally. I had tried the full chain, the primary DigiCertCA.crt cert, etc. But the one that it wanted was the DigiCertCA2.crt certificate alone. Thanks! >> So, can someone give me some advice about where else it may be reading >> the certificate from, or how I can do things "the proper way" >> for IPA? >/etc/ipa/ca.crt is another place where the cert can be found. >but for winsync you can pass the cacert on the command line, have you tried that ? >Simo. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From james.roman at ssaihq.com Tue Jan 25 17:04:25 2011 From: james.roman at ssaihq.com (James Roman) Date: Tue, 25 Jan 2011 12:04:25 -0500 Subject: [Freeipa-users] Unable to start the krb5kdc Message-ID: <4D3F0299.9060408@ssaihq.com> I noticed today that one of our FreeIPA 1.2.2 servers has stopped issuing tickets. When I attempt to restart all the IPA services the krb5kdc service failed to restart with the following error: krb5kdc: Unable to access Kerberos database - while initializing database for realm DOMAIN.COM I don't see any issues with the local LDAP database, or the kdc account in the LDAP database. I suspect the problem is with the ticket granting ticket on the problem server, but am unsure how to go about validating this assertion. I have not tried to restart the ipa services on the working server for fear that it might stop working. From ssorce at redhat.com Tue Jan 25 17:42:58 2011 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 25 Jan 2011 12:42:58 -0500 Subject: [Freeipa-users] Unable to start the krb5kdc In-Reply-To: <4D3F0299.9060408@ssaihq.com> References: <4D3F0299.9060408@ssaihq.com> Message-ID: <20110125124258.18c4dd3f@willson.li.ssimo.org> On Tue, 25 Jan 2011 12:04:25 -0500 James Roman wrote: > I noticed today that one of our FreeIPA 1.2.2 servers has stopped > issuing tickets. When I attempt to restart all the IPA services the > krb5kdc service failed to restart with the following error: > > krb5kdc: Unable to access Kerberos database - while initializing > database for realm DOMAIN.COM > > I don't see any issues with the local LDAP database, or the kdc > account in the LDAP database. I suspect the problem is with the > ticket granting ticket on the problem server, but am unsure how to go > about validating this assertion. I have not tried to restart the ipa > services on the working server for fear that it might stop working. Do you see errors in /var/log/krb5kdc.log ? Simo. 
-- Simo Sorce * Red Hat, Inc * New York From ssorce at redhat.com Tue Jan 25 19:44:54 2011 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 25 Jan 2011 14:44:54 -0500 Subject: [Freeipa-users] Unable to start the krb5kdc In-Reply-To: <4D3F257A.8030003@ssaihq.com> References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> Message-ID: <20110125144454.3e56c7b0@willson.li.ssimo.org> On Tue, 25 Jan 2011 14:33:14 -0500 James Roman wrote: > On 01/25/2011 12:42 PM, Simo Sorce wrote: > > On Tue, 25 Jan 2011 12:04:25 -0500 > > James Roman wrote: > > > >> I noticed today that one of our FreeIPA 1.2.2 servers has stopped > >> issuing tickets. When I attempt to restart all the IPA services the > >> krb5kdc service failed to restart with the following error: > >> > >> krb5kdc: Unable to access Kerberos database - while initializing > >> database for realm DOMAIN.COM > >> > >> I don't see any issues with the local LDAP database, or the kdc > >> account in the LDAP database. I suspect the problem is with the > >> ticket granting ticket on the problem server, but am unsure how to > >> go about validating this assertion. I have not tried to restart > >> the ipa services on the working server for fera that it might stop > >> working. > > Do you see errors in /var/log/krb5kdc.log ? > > > > Simo. > > > The error above is the only one that repeats in the krb5kdc.log when > I attempt to restart the krb5kdc service. The actual error that is > shown in standard out is: > > Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm DOMAIN.COM > - see log file for details Ok can you check the dirsrv logs and see if the KDC is actually trying (and perhaps getting auth refused) at all ? /var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC attempts to access the LDAP server and bind as the uid=kdc..... user. Simo. 
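Simo's check above, as an added example script that is not from the thread or from FreeIPA: it reads a 389-ds access log and pairs each BIND with the RESULT that carries the same conn= and op= numbers, so that a failed search on the same connection is not mistaken for a failed bind; it ignores the err=14 intermediate results of multi-step SASL (GSSAPI) binds and reports every other non-zero bind result together with the DN that tried to bind. The sample lines are constructed for the example after the 389-ds access log format (the KDC's sysaccount DN is the one from this thread); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: find refused LDAP binds
# in a 389-ds access log by pairing each BIND with the RESULT that has the same
# conn= and op= numbers. Meant for /var/log/dirsrv/slapd-*/access.
set -eu

# Constructed sample, not real data. conn=391 and conn=394 are the KDC's
# simple binds being refused (err=49, invalidCredentials); conn=392 shows a
# failed search on an otherwise good connection; conn=393 is a two-step GSSAPI
# bind whose first RESULT is err=14 (saslBindInProgress), not a failure.
SAMPLE_ACCESS_LOG='[25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
[25/Jan/2011:15:11:30 -0500] conn=392 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:30 -0500] conn=392 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:30 -0500] conn=392 op=1 SRCH base="dc=domain,dc=com" scope=2 filter="(uid=kdc)" attrs=ALL
[25/Jan/2011:15:11:30 -0500] conn=392 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[25/Jan/2011:15:11:31 -0500] conn=393 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[25/Jan/2011:15:11:31 -0500] conn=393 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[25/Jan/2011:15:11:31 -0500] conn=393 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[25/Jan/2011:15:11:31 -0500] conn=393 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=domain,dc=com"
[25/Jan/2011:15:11:32 -0500] conn=394 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:32 -0500] conn=394 op=0 RESULT err=49 tag=97 nentries=0 etime=0'

# failed_binds: access log on stdin, one line per refused bind on stdout:
#   <timestamp> conn=N <bind dn> err=<code>
failed_binds() {
    awk '
        $5 == "BIND" {
            key = $3 " " $4                                  # "conn=N op=M" names the operation
            dn = $0; sub(/.* dn="/, "", dn); sub(/".*/, "", dn)
            who[key] = (dn == "") ? "<anonymous-or-sasl>" : dn
            next
        }
        $5 == "RESULT" && $7 == "tag=97" {                   # tag 97 = bindResponse
            key = $3 " " $4
            if (!(key in who)) next                          # RESULT of something that was not a BIND
            err = substr($6, 5) + 0                          # "err=49" -> 49
            if (err != 0 && err != 14)                       # 14 = SASL step still in progress
                printf "%s %s %s %s err=%d\n", $1, $2, $3, who[key], err
            delete who[key]
        }'
}

# failed_binds_by_dn: refused binds counted per DN, most frequent first.
failed_binds_by_dn() {
    failed_binds | awk '{ n[$4]++ } END { for (d in n) print n[d], d }' | sort -rn
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | failed_binds
fi
```

Run it as `failed_binds < /var/log/dirsrv/slapd-DOMAIN-COM/access` on the server whose KDC will not start. err=49 is LDAP invalidCredentials, so a hit for uid=kdc,cn=sysaccounts,cn=etc,... means the directory rejected the password the KDC presented; a KDC that never appears in the output at all is not reaching the directory, which is a different problem.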
--
Simo Sorce * Red Hat, Inc * New York

From james.roman at ssaihq.com Tue Jan 25 20:58:35 2011
From: james.roman at ssaihq.com (James Roman)
Date: Tue, 25 Jan 2011 15:58:35 -0500
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <20110125144454.3e56c7b0@willson.li.ssimo.org>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org>
Message-ID: <4D3F397B.6020700@ssaihq.com>

On 1/25/11 2:44 PM, Simo Sorce wrote:
> On Tue, 25 Jan 2011 14:33:14 -0500
> James Roman wrote:
>
>> On 01/25/2011 12:42 PM, Simo Sorce wrote:
>>> On Tue, 25 Jan 2011 12:04:25 -0500
>>> James Roman wrote:
>>>
>>>> I noticed today that one of our FreeIPA 1.2.2 servers has stopped
>>>> issuing tickets. When I attempt to restart all the IPA services the
>>>> krb5kdc service failed to restart with the following error:
>>>>
>>>> krb5kdc: Unable to access Kerberos database - while initializing
>>>> database for realm DOMAIN.COM
>>>>
>>>> I don't see any issues with the local LDAP database, or the kdc
>>>> account in the LDAP database. I suspect the problem is with the
>>>> ticket granting ticket on the problem server, but am unsure how to
>>>> go about validating this assertion. I have not tried to restart
>>>> the ipa services on the working server for fear that it might stop
>>>> working.
>>> Do you see errors in /var/log/krb5kdc.log ?
>>>
>>> Simo.
>>>
>> The error above is the only one that repeats in the krb5kdc.log when
>> I attempt to restart the krb5kdc service. The actual error that is
>> shown in standard out is:
>>
>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm DOMAIN.COM
>> - see log file for details
> Ok can you check the dirsrv logs and see if the KDC is actually trying
> (and perhaps getting auth refused) at all ?
>
> /var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC attempts
> to access the LDAP server and bind as the uid=kdc..... user.
>
> Simo.
>
Looks like an authentication failure:

[25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1

The ldappwd file on both systems looks identical. I don't think that the SSL certificate comes into the equation, but I have no way of knowing whether it initiates TLS or not.

From rmeggins at redhat.com Tue Jan 25 21:44:06 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 25 Jan 2011 14:44:06 -0700
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <4D3F397B.6020700@ssaihq.com>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com>
Message-ID: <4D3F4426.7060504@redhat.com>

On 01/25/2011 01:58 PM, James Roman wrote:
> On 1/25/11 2:44 PM, Simo Sorce wrote:
>> On Tue, 25 Jan 2011 14:33:14 -0500
>> James Roman wrote:
>>
>>> On 01/25/2011 12:42 PM, Simo Sorce wrote:
>>>> On Tue, 25 Jan 2011 12:04:25 -0500
>>>> James Roman wrote:
>>>>
>>>>> I noticed today that one of our FreeIPA 1.2.2 servers has stopped
>>>>> issuing tickets. When I attempt to restart all the IPA services the
>>>>> krb5kdc service failed to restart with the following error:
>>>>>
>>>>> krb5kdc: Unable to access Kerberos database - while initializing
>>>>> database for realm DOMAIN.COM
>>>>>
>>>>> I don't see any issues with the local LDAP database, or the kdc
>>>>> account in the LDAP database. I suspect the problem is with the
>>>>> ticket granting ticket on the problem server, but am unsure how to
>>>>> go about validating this assertion. I have not tried to restart
>>>>> the ipa services on the working server for fear that it might stop
>>>>> working.
>>>> Do you see errors in /var/log/krb5kdc.log ?
>>>>
>>>> Simo.
>>>>
>>> The error above is the only one that repeats in the krb5kdc.log when
>>> I attempt to restart the krb5kdc service. The actual error that is
>>> shown in standard out is:
>>>
>>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm DOMAIN.COM
>>> - see log file for details
>> Ok can you check the dirsrv logs and see if the KDC is actually trying
>> (and perhaps getting auth refused) at all ?
>>
>> /var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC attempts
>> to access the LDAP server and bind as the uid=kdc..... user.
>>
>> Simo.
>>
> Looks like an authentication failure:
>
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND
> dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97
> nentries=0 etime=0
> [25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
>
> The ldappwd file on both systems looks identical. I don't think that
> the SSL certificate comes into the equation, but I have no way of
> knowing whether it initiates TLS or not.

You can tell if the connection is using TLS/SSL because when the connection is opened you should see a log line that says what cipher suite is being used. You can tell if client cert auth is being used because there will be a line for that too. Look for conn=391 lines before this one.

>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From ssorce at redhat.com Tue Jan 25 21:51:27 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 25 Jan 2011 16:51:27 -0500
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <4D3F397B.6020700@ssaihq.com>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com>
Message-ID: <20110125165127.695abe6c@willson.li.ssimo.org>

On Tue, 25 Jan 2011 15:58:35 -0500 James Roman wrote:
> On 1/25/11 2:44 PM, Simo Sorce wrote:
> > On Tue, 25 Jan 2011 14:33:14 -0500
> > James Roman wrote:
> >
> >> On 01/25/2011 12:42 PM, Simo Sorce wrote:
> >>> On Tue, 25 Jan 2011 12:04:25 -0500
> >>> James Roman wrote:
> >>>
> >>>> I noticed today that one of our FreeIPA 1.2.2 servers has stopped
> >>>> issuing tickets. When I attempt to restart all the IPA services
> >>>> the krb5kdc service failed to restart with the following error:
> >>>>
> >>>> krb5kdc: Unable to access Kerberos database - while initializing
> >>>> database for realm DOMAIN.COM
> >>>>
> >>>> I don't see any issues with the local LDAP database, or the kdc
> >>>> account in the LDAP database. I suspect the problem is with the
> >>>> ticket granting ticket on the problem server, but am unsure how
> >>>> to go about validating this assertion. I have not tried to
> >>>> restart the ipa services on the working server for fear that it
> >>>> might stop working.
> >>> Do you see errors in /var/log/krb5kdc.log ?
> >>>
> >>> Simo.
> >>>
> >> The error above is the only one that repeats in the krb5kdc.log
> >> when I attempt to restart the krb5kdc service. The actual error
> >> that is shown in standard out is:
> >>
> >> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm
> >> DOMAIN.COM
> >> - see log file for details
> > Ok can you check the dirsrv logs and see if the KDC is actually
> > trying (and perhaps getting auth refused) at all ?
> >
> > /var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC
> > attempts to access the LDAP server and bind as the uid=kdc.....
> > user.
> >
> > Simo.
> >
> Looks like an authentication failure:
>
> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND
> dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128
> version=3 [25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49
> tag=97 nentries=0 etime=0
> [25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
>
> The ldappwd file on both systems looks identical. I don't think that
> the SSL certificate comes into the equation, but I have no way of
> knowing whether it initiates TLS or not.

No, in ipa 1.2.x the kdc is configured to use ldap://127.0.0.1 with no auth.

I wonder if your local DS is having problems.

Can you change krb5.conf to point to the other server (maybe using ldaps:// so as to not expose the password in the clear) and see if the krb5kdc will start that way ?

Don't use this in production, just as a test to identify where the problem lies.

If it turns out it is the local DS that is having issues, then we can try to force sync it again.

Ah btw, on what distribution version is this? What 389-ds base version are you using ?

Simo.
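The access log excerpt James posted (BIND as uid=kdc, RESULT err=49, connection closed) and Rich's hint to look for the cipher-suite line on the same conn= number can be turned into a small triage script. The following is an added example, not code from the thread or from FreeIPA/389-ds: it groups constructed 389-ds access-log lines by connection, names the LDAP result code of each failed bind, and reports whether that connection logged a TLS cipher line. The BIND/RESULT/closed lines mirror the format in the thread; the `conn=392 SSL 256-bit AES` line is an assumed approximation of the cipher line 389-ds writes when a connection opens over TLS.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread). The BIND/RESULT/closed lines follow the
# 389-ds access log shape James posted; the "SSL 256-bit AES" line is an assumed
# approximation of the cipher line 389-ds writes when a connection opens over TLS.
SAMPLE_ACCESS_LOG = """\
[25/Jan/2011:15:11:29 -0500] conn=391 fd=73 slot=73 connection from 127.0.0.1 to 127.0.0.1
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
[25/Jan/2011:15:12:02 -0500] conn=392 fd=74 slot=74 SSL connection from 192.168.1.20 to 192.168.1.10
[25/Jan/2011:15:12:02 -0500] conn=392 SSL 256-bit AES
[25/Jan/2011:15:12:02 -0500] conn=392 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:15:12:02 -0500] conn=392 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[25/Jan/2011:15:12:03 -0500] conn=392 op=1 UNBIND
[25/Jan/2011:15:12:03 -0500] conn=392 op=1 fd=74 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^op=(?P<op>-?\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)')
CIPHER_RE = re.compile(r'^(?:SSL|TLS\S*) \d+-bit \S+')

# LDAP resultCode values (RFC 4511) that matter when triaging a bind failure
LDAP_ERR_NAMES = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}


def parse_access_log(text):
    """Group access-log lines by conn= and record binds, their results and the TLS line."""
    conns = defaultdict(lambda: {"tls": None, "binds": {}, "failed": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = conns[int(m.group("conn"))]
        rest = m.group("rest")
        if CIPHER_RE.match(rest):
            conn["tls"] = rest          # the cipher-suite line Rich refers to
            continue
        b = BIND_RE.match(rest)
        if b:
            conn["binds"][int(b.group("op"))] = b.group("dn")
            continue
        r = RESULT_RE.match(rest)
        if r and int(r.group("op")) in conn["binds"]:
            err = int(r.group("err"))
            if err != 0:
                dn = conn["binds"][int(r.group("op"))]
                conn["failed"].append((dn, err, LDAP_ERR_NAMES.get(err, "unknown")))
    return dict(conns)


def failed_binds(text):
    """Return (conn, dn, err, name, tls_line) for every bind that did not succeed."""
    out = []
    for conn_id, info in sorted(parse_access_log(text).items()):
        for dn, err, name in info["failed"]:
            out.append((conn_id, dn, err, name, info["tls"]))
    return out


if __name__ == "__main__":
    for conn_id, dn, err, name, tls in failed_binds(SAMPLE_ACCESS_LOG):
        print("conn=%d bind as %s failed: err=%d (%s), TLS: %s"
              % (conn_id, dn, err, name, tls or "none, cleartext"))
```

Run against a real `/var/log/dirsrv/slapd-*/access` file by reading it into `failed_binds`; a conn= whose `tls` stays `None` never logged a cipher line, which answers James's question about whether the KDC's connection was using TLS at all.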
--
Simo Sorce * Red Hat, Inc * New York

From james.roman at ssaihq.com Wed Jan 26 16:32:15 2011
From: james.roman at ssaihq.com (James Roman)
Date: Wed, 26 Jan 2011 11:32:15 -0500
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <20110125165127.695abe6c@willson.li.ssimo.org>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org>
Message-ID: <4D404C8F.6090901@ssaihq.com>

An HTML attachment was scrubbed...

From rmeggins at redhat.com Wed Jan 26 16:38:57 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 26 Jan 2011 09:38:57 -0700
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <4D404C8F.6090901@ssaihq.com>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com>
Message-ID: <4D404E21.7090903@redhat.com>

On 01/26/2011 09:32 AM, James Roman wrote:
> Simo Sorce wrote:
>> On Tue, 25 Jan 2011 15:58:35 -0500
>> James Roman wrote:
>>
>>
>>> On 1/25/11 2:44 PM, Simo Sorce wrote:
>>>
>>>> On Tue, 25 Jan 2011 14:33:14 -0500
>>>> James Roman wrote:
>>>>
>>>>
>>>>> On 01/25/2011 12:42 PM, Simo Sorce wrote:
>>>>>
>>>>>> On Tue, 25 Jan 2011 12:04:25 -0500
>>>>>> James Roman wrote:
>>>>>>
>>>>>>
>>>>>>> I noticed today that one of our FreeIPA 1.2.2 servers has stopped
>>>>>>> issuing tickets. When I attempt to restart all the IPA services
>>>>>>> the krb5kdc service failed to restart with the following error:
>>>>>>>
>>>>>>> krb5kdc: Unable to access Kerberos database - while initializing
>>>>>>> database for realm DOMAIN.COM
>>>>>>>
>>>>>>> I don't see any issues with the local LDAP database, or the kdc
>>>>>>> account in the LDAP database. I suspect the problem is with the
>>>>>>> ticket granting ticket on the problem server, but am unsure how
>>>>>>> to go about validating this assertion. I have not tried to
>>>>>>> restart the ipa services on the working server for fear that it
>>>>>>> might stop working.
>>>>>>>
>>>>>> Do you see errors in /var/log/krb5kdc.log ?
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>>
>>>>> The error above is the only one that repeats in the krb5kdc.log
>>>>> when I attempt to restart the krb5kdc service. The actual error
>>>>> that is shown in standard out is:
>>>>>
>>>>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm
>>>>> DOMAIN.COM
>>>>> - see log file for details
>>>>>
>>>> Ok can you check the dirsrv logs and see if the KDC is actually
>>>> trying (and perhaps getting auth refused) at all ?
>>>>
>>>> /var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC
>>>> attempts to access the LDAP server and bind as the uid=kdc.....
>>>> user.
>>>>
>>>> Simo.
>>>>
>>>>
>>> Looks like an authentication failure:
>>>
>>> [25/Jan/2011:15:11:29 -0500] conn=391 op=0 BIND
>>> dn="uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com" method=128
>>> version=3 [25/Jan/2011:15:11:29 -0500] conn=391 op=0 RESULT err=49
>>> tag=97 nentries=0 etime=0
>>> [25/Jan/2011:15:11:29 -0500] conn=391 op=-1 fd=73 closed - B1
>>>
>>> The ldappwd file on both systems looks identical. I don't think that
>>> the SSL certificate comes into the equation, but I have no way of
>>> knowing whether it initiates TLS or not.
>>>
>>
>> No, in ipa 1.2.x the kdc is configured to use ldap://127.0.0.1 with no
>> auth.
>>
>> I wonder if your local DS is having problems.
>>
>> Can you change krb5.conf to point to the other server (maybe using
>> ldaps:// so as to not expose the password in the clear) and see if the
>> krb5kdc will start that way ?
>>
>> Don't use this in production, just as a test to identify where the
>> problem lies.
>>
>> If it turns out it is the local DS that is having issues, then we can
>> try to force sync it again.
>>
>> Ah btw, on what distribution version is this? What 389-ds base version
>> are you using ?
>>
>> Simo.
>>
>>
> So if I switch the kdc.conf to point to the other FreeIPA ldap server
> the krb5kdc service starts up without any problems. I was just about
> to force a sync when I noticed this in the error log on the working
> ldap server (let's call it ipaserver2):
>
> [17/Jan/2011:10:24:33 -0500] NSMMReplicationPlugin -
> agmt="cn=meToipaserver1.domain.com636" (ipaserver1:636): Succesfully
> bound cn=replication manager,cn=config to consumer, but password has
> expired on consumer.
>
> This is the earliest record I have on the ldap replica without going
> to tape. So it appears that the replica password has expired. So I
> have this problem. ipaserver1 is used as my winsync server, but I can
> not use it to start krb5kdc. ipaserver2 has a working ldap server, but
> is not synchronizing with the winsync master. If I fix the password
> expiration issue, is it going to break ipaserver2?

See here for information about how to make the repl manager password not expire - http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Creating_the_Supplier_Bind_DN_Entry

If you fix the password expiration issue, it should not break anything.

From james.roman at ssaihq.com Wed Jan 26 18:59:13 2011
From: james.roman at ssaihq.com (James Roman)
Date: Wed, 26 Jan 2011 13:59:13 -0500
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <4D404E21.7090903@redhat.com>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com> <4D404E21.7090903@redhat.com>
Message-ID: <4D406F01.8030509@ssaihq.com>

An HTML attachment was scrubbed...

From ide4you at gmail.com Thu Jan 27 14:09:21 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Thu, 27 Jan 2011 09:09:21 -0500
Subject: [Freeipa-users] admin password
Message-ID:

Hi all

How do I make admin password not to expire immediately after changing it?

thanks

From ssorce at redhat.com Thu Jan 27 14:21:13 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 27 Jan 2011 09:21:13 -0500
Subject: [Freeipa-users] admin password
In-Reply-To:
References:
Message-ID: <1296138073.8527.11.camel@willson.li.ssimo.org>

On Thu, 2011-01-27 at 09:09 -0500, Uzor Ide wrote:
> Hi all
>
> How do I make admin password not to expire immediately after changing
> it?

It is always set to expire even if you use kpasswd to change it ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From danieljamesscott at gmail.com Thu Jan 27 14:47:16 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 27 Jan 2011 09:47:16 -0500
Subject: [Freeipa-users] Fedora 14 dirsrv service problems
Message-ID:

Hi,

I have a FreeIPA server running on Fedora 14

[root at ohm ~]# rpm -qa|grep ipa-server
ipa-server-selinux-1.2.2-5.fc14.x86_64
ipa-server-1.2.2-5.fc14.x86_64

For the past few weeks, the dirsrv service has been 'crashing'. Randomly, as far as I can tell.
- the service appears to remain running, but fails to serve any LDAP requests.

/etc/init.d/dirsrv status

claims that the service is still running, but I get these errors in the 'access' log file:

[27/Jan/2011:03:30:01 -0500] conn=9 op=11582 RESULT err=0 tag=101 nentries=0 etime=0
[27/Jan/2011:03:35:11 -0500] conn=897 fd=86 slot=86 connection from 192.168.1.202 to 192.168.100.30
[27/Jan/2011:03:35:11 -0500] conn=897 op=-1 fd=86 closed - T2

There is nothing relevant in the 'errors' log file:

[27/Jan/2011:00:00:00 -0500] NSMMReplicationPlugin - agmt="cn=meTocurie.example.com636" (curie:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
[27/Jan/2011:09:38:32 -0500] - slapd shutting down - signaling operation threads

The entry at 09:38 is me restarting the service. 'curie' is a replica server which also occasionally crashes, but not at the same time as ohm.

I have to do:

/etc/init.d/dirsrv status

to get things working again.

Does anyone know how I can figure out what the problem is? I also have 2 Fedora 13 IPA FreeIPA servers which *don't* exhibit this problem.

Thanks,

Dan

From rmeggins at redhat.com Thu Jan 27 15:19:50 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 27 Jan 2011 08:19:50 -0700
Subject: [Freeipa-users] Fedora 14 dirsrv service problems
In-Reply-To:
References:
Message-ID: <4D418D16.8020501@redhat.com>

On 01/27/2011 07:47 AM, Dan Scott wrote:
> Hi,
>
> I have a FreeIPA server running on Fedora 14
>
> [root at ohm ~]# rpm -qa|grep ipa-server
> ipa-server-selinux-1.2.2-5.fc14.x86_64
> ipa-server-1.2.2-5.fc14.x86_64
>
> For the past few weeks, the dirsrv service has been 'crashing'.
> Randomly, as far as I can tell. - the service appears to remain
> running, but fails to serve any LDAP requests.
>
> /etc/init.d/dirsrv status
>
> claims that the service is still running, but I get these errors in
> the 'access' log file:
>
> [27/Jan/2011:03:30:01 -0500] conn=9 op=11582 RESULT err=0 tag=101
> nentries=0 etime=0
> [27/Jan/2011:03:35:11 -0500] conn=897 fd=86 slot=86 connection from
> 192.168.1.202 to 192.168.100.30
> [27/Jan/2011:03:35:11 -0500] conn=897 op=-1 fd=86 closed - T2

This looks like https://bugzilla.redhat.com/show_bug.cgi?id=668548 or https://bugzilla.redhat.com/show_bug.cgi?id=668619

>
> There is nothing relevant in the 'errors' log file:
>
> [27/Jan/2011:00:00:00 -0500] NSMMReplicationPlugin -
> agmt="cn=meTocurie.example.com636" (curie:636): Incremental protocol:
> event update_window_opened should not occur in state wait_for_changes
> [27/Jan/2011:09:38:32 -0500] - slapd shutting down - signaling
> operation threads
>
> The entry at 09:38 is me restarting the service. 'curie' is a replica
> server which also occasionally crashes, but not at the same time as ohm.
>
> I have to do:
>
> /etc/init.d/dirsrv status
>
> to get things working again.

status? All status does is a kill -0 which just tests to see if the process is running. Are you absolutely positive that status makes things work again?

> Does anyone know how I can figure out what the problem is? I also have
> 2 Fedora 13 IPA FreeIPA servers which *don't* exhibit this problem.

The problem is specific to F14? What version of 389-ds-base are you using on F13?

>
> Thanks,
>
> Dan

From danieljamesscott at gmail.com Thu Jan 27 16:16:40 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 27 Jan 2011 11:16:40 -0500
Subject: [Freeipa-users] Fedora 14 dirsrv service problems
In-Reply-To: <4D418D16.8020501@redhat.com>
References: <4D418D16.8020501@redhat.com>
Message-ID:

Hi,

Thanks for the quick response

On Thu, Jan 27, 2011 at 10:19, Rich Megginson wrote:
> On 01/27/2011 07:47 AM, Dan Scott wrote:
>
> Hi,
>
> I have a FreeIPA server running on Fedora 14
>
> [root at ohm ~]# rpm -qa|grep ipa-server
> ipa-server-selinux-1.2.2-5.fc14.x86_64
> ipa-server-1.2.2-5.fc14.x86_64
>
> For the past few weeks, the dirsrv service has been 'crashing'. Randomly,
> as far as I can tell. - the service appears to remain running, but fails to
> serve any LDAP requests.
>
> /etc/init.d/dirsrv status
>
> claims that the service is still running, but I get these errors in the
> 'access' log file:
>
> [27/Jan/2011:03:30:01 -0500] conn=9 op=11582 RESULT err=0 tag=101
> nentries=0 etime=0
> [27/Jan/2011:03:35:11 -0500] conn=897 fd=86 slot=86 connection from
> 192.168.1.202 to 192.168.100.30
> [27/Jan/2011:03:35:11 -0500] conn=897 op=-1 fd=86 closed - T2
>
> This looks like https://bugzilla.redhat.com/show_bug.cgi?id=668548 or
> https://bugzilla.redhat.com/show_bug.cgi?id=668619
>
Yes, it could well be this. Thanks.

> There is nothing relevant in the 'errors' log file:
>
> [27/Jan/2011:00:00:00 -0500] NSMMReplicationPlugin -
> agmt="cn=meTocurie.example.com636" (curie:636): Incremental protocol: event
> update_window_opened should not occur in state wait_for_changes
> [27/Jan/2011:09:38:32 -0500] - slapd shutting down - signaling operation
> threads
>
> The entry at 09:38 is me restarting the service. 'curie' is a replica
> server which also occasionally crashes, but not at the same time as ohm.
>
> I have to do:
>
> /etc/init.d/dirsrv status
>
> to get things working again.
>
> status? All status does is a kill -0 which just tests to see if the
> process is running. Are you absolutely positive that status makes things
> work again?
>
Very sorry about this. A copy-and-paste error, I meant:

/etc/init.d/dirsrv restart

Sorry.

> Does anyone know how I can figure out what the problem is? I also have 2
> Fedora 13 IPA FreeIPA servers which *don't* exhibit this problem.
>
> The problem is specific to F14? What version of 389-ds-base are you using
> on F13?
>
The Fedora 13 servers are using:

[djscott at fileserver2 ~]$ rpm -qa|grep 389
389-ds-base-1.2.7.5-1.fc13.i686

The Fedora 14 servers are using:

[djscott at ohm ~]# rpm -qa|grep 389
389-ds-base-1.2.7.5-1.fc14.x86_64

Thanks,

Dan

From ssorce at redhat.com Thu Jan 27 17:58:26 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 27 Jan 2011 12:58:26 -0500
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <4D406F01.8030509@ssaihq.com>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com> <4D404E21.7090903@redhat.com> <4D406F01.8030509@ssaihq.com>
Message-ID: <1296151106.8527.35.camel@willson.li.ssimo.org>

On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
> So it looks like the replication password issue was a red herring as
> far as the kerberos is concerned. I issued the command
> "ipa-replica-manage synch ipaserver1.domain.com" from the working ldap
> replica and no longer get password expiration errors in the error
> logs. However, I still can not get the krb5kdc process on ipaserver1
> to start when it uses the local (ldap://127.0.0.1/) LDAP database. If
> I perform an LDAP search of the kdc account using the Directory
> Manager account, both kdc entries are identical, so it does not seem
> to be the password for the KDC account that is preventing the krb5kdc
> service from starting. Could it be the service or host principals?
> Should I init from ipaserver2 -> ipaserver1 (Note: ipaserver1 is the
> winsync server)?
>
> ipaserver1:
> FC 11
> ipa-server-1.2.2-2.fc11.i586
>
> ipaserver2:
> FC10
> ipa-server-1.2.2-1.fc10.i386

I am surprised you get back INVALID CREDENTIALS as an error when the KDC tries to log in using the data in ldappwd, given it works against the other server ...

If you search with directory manager the accounts on both servers, do you get back an identical userPassword field ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From james.roman at ssaihq.com Fri Jan 28 00:20:02 2011
From: james.roman at ssaihq.com (James Roman)
Date: Thu, 27 Jan 2011 19:20:02 -0500
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <1296151106.8527.35.camel@willson.li.ssimo.org>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com> <4D404E21.7090903@redhat.com> <4D406F01.8030509@ssaihq.com> <1296151106.8527.35.camel@willson.li.ssimo.org>
Message-ID: <4D420BB2.5040301@ssaihq.com>

On 1/27/11 12:58 PM, Simo Sorce wrote:
> On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
>> So it looks like the replication password issue was a red herring as
>> far as the kerberos is concerned. I issued the command
>> "ipa-replica-manage synch ipaserver1.domain.com" from the working ldap
>> replica and no longer get password expiration errors in the error
>> logs. However, I still can not get the krb5kdc process on ipaserver1
>> to start when it uses the local (ldap://127.0.0.1/) LDAP database. If
>> I perform an LDAP search of the kdc account using the Directory
>> Manager account, both kdc entries are identical, so it does not seem
>> to be the password for the KDC account that is preventing the krb5kdc
>> service from starting. Could it be the service or host principals?
>> Should I init from ipaserver2 -> ipaserver1 (Note: ipaserver1 is the
>> winsync server)?
>>
>> ipaserver1:
>> FC 11
>> ipa-server-1.2.2-2.fc11.i586
>>
>> ipaserver2:
>> FC10
>> ipa-server-1.2.2-1.fc10.i386
> I am surprised you get back INVALID CREDENTIALS as an error when the KDC
> tries to log in using the data in ldappwd, given it works against the
> other server ...
>
> If you search with directory manager the accounts on both servers, do
> you get back an identical userPassword field ?
>
> Simo.
>
Yes, when I check the passwords are also identical.

From ssorce at redhat.com Fri Jan 28 13:28:03 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 28 Jan 2011 08:28:03 -0500
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <4D420BB2.5040301@ssaihq.com>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com> <4D404E21.7090903@redhat.com> <4D406F01.8030509@ssaihq.com> <1296151106.8527.35.camel@willson.li.ssimo.org> <4D420BB2.5040301@ssaihq.com>
Message-ID: <20110128082803.4c486f64@willson.li.ssimo.org>

On Thu, 27 Jan 2011 19:20:02 -0500 James Roman wrote:
> On 1/27/11 12:58 PM, Simo Sorce wrote:
> > On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
> >> So it looks like the replication password issue was a red herring
> >> as far as the kerberos is concerned. I issued the command
> >> "ipa-replica-manage synch ipaserver1.domain.com" from the working
> >> ldap replica and no longer get password expiration errors in the
> >> error logs. However, I still can not get the krb5kdc process on
> >> ipaserver1 to start when it uses the local (ldap://127.0.0.1/)
> >> LDAP database. If I perform an LDAP search of the kdc account
> >> using the Directory Manager account, both kdc entries are
> >> identical, so it does not seem to be the password for the KDC
> >> account that is preventing the krb5kdc service from starting.
> >> Could it be the service or host principals? Should I init from
> >> ipaserver2 -> ipaserver1 (Note: ipaserver1 is the winsync server)?
> >>
> >> ipaserver1:
> >> FC 11
> >> ipa-server-1.2.2-2.fc11.i586
> >>
> >> ipaserver2:
> >> FC10
> >> ipa-server-1.2.2-1.fc10.i386
> > I am surprised you get back INVALID CREDENTIALS as an error when
> > the KDC tries to log in using the data in ldappwd, given it works
> > against the other server ...
> >
> > If you search with directory manager the accounts on both servers,
> > do you get back an identical userPassword field ?
> >
> > Simo.
> >
> Yes, when I check the passwords are also identical.

Odd.
Have you ever played with DS password policies by chance ?

Can you search explicitly for the passwordExpirationTime on both uid=kdc accounts and see if it is set by chance ? You need to search explicitly for the attribute as it is not returned by default.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From james.roman at ssaihq.com Fri Jan 28 14:20:37 2011
From: james.roman at ssaihq.com (James Roman)
Date: Fri, 28 Jan 2011 09:20:37 -0500
Subject: [Freeipa-users] Unable to start the krb5kdc
In-Reply-To: <20110128082803.4c486f64@willson.li.ssimo.org>
References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com> <4D404E21.7090903@redhat.com> <4D406F01.8030509@ssaihq.com> <1296151106.8527.35.camel@willson.li.ssimo.org> <4D420BB2.5040301@ssaihq.com> <20110128082803.4c486f64@willson.li.ssimo.org>
Message-ID: <4D42D0B5.6020005@ssaihq.com>

On 1/28/11 8:28 AM, Simo Sorce wrote:
> On Thu, 27 Jan 2011 19:20:02 -0500
> James Roman wrote:
>
>> On 1/27/11 12:58 PM, Simo Sorce wrote:
>>> On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
>>>> So it looks like the replication password issue was a red herring
>>>> as far as the kerberos is concerned. I issued the command
>>>> "ipa-replica-manage synch ipaserver1.domain.com" from the working
>>>> ldap replica and no longer get password expiration errors in the
>>>> error logs. However, I still can not get the krb5kdc process on
>>>> ipaserver1 to start when it uses the local (ldap://127.0.0.1/)
>>>> LDAP database. If I perform an LDAP search of the kdc account
>>>> using the Directory Manager account, both kdc entries are
>>>> identical, so it does not seem to be the password for the KDC
>>>> account that is preventing the krb5kdc service from starting.
>>>> Could it be the service or host principals? Should I init from
>>>> ipaserver2 -> ipaserver1 (Note: ipaserver1 is the winsync server)?
>>>> >>>> ipaserver1: >>>> FC 11 >>>> ipa-server-1.2.2-2.fc11.i586 >>>> >>>> ipaserver2: >>>> FC10 >>>> ipa-server-1.2.2-1.fc10.i386 >>> I am surprised you get back INVALID CREDENTIALS as an error when >>> the KDC tries to log in using the data in ldappwd, given it works >>> against the other server ... >>> >>> If you search with directory manager the accounts on both servers, >>> do you get back an identical userPassword field ? >>> >>> Simo. >>> >> Yes, when I check the passwords are also identical. > Odd. > Have you ever played with DS password policies by chance ? > > Can you search explicitly for the paswwordExpirationTime on both > uid=kdc accounts and see if it set by chance ? > You need to search explicitly for the attribute as it is not returned > by default. > > Simo. > OK. Now I feel like an idiot. I swear that was the first thing I checked. It seems the password policy on this server was set at the base, instead of cn=users. We have a script that reports on expiring accounts in the cn=accounts branch, but not under cn=etc. I now know what to fix. Thanks. From ssorce at redhat.com Fri Jan 28 15:39:07 2011 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 28 Jan 2011 10:39:07 -0500 Subject: [Freeipa-users] Unable to start the krb5kdc In-Reply-To: <4D42D0B5.6020005@ssaihq.com> References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com> <4D404E21.7090903@redhat.com> <4D406F01.8030509@ssaihq.com> <1296151106.8527.35.camel@willson.li.ssimo.org> <4D420BB2.5040301@ssaihq.com> <20110128082803.4c486f64@willson.li.ssimo.org> <4D42D0B5.6020005@ssaihq.com> Message-ID: <20110128103907.7717462e@willson.li.ssimo.org> On Fri, 28 Jan 2011 09:20:37 -0500 James Roman wrote: > OK. Now I feel like an idiot. I swear that was the first thing I > checked. 
It seems the password policy on this server was set at the > base, instead of cn=users. We have a script that reports on expiring > accounts in the cn=accounts branch, but not under cn=etc. I now know > what to fix. Thanks. Rirst of all. I am glad this was resolved, it looked puzzling indeed. I just want to note that we do not support using the DS password policy in ipa as we already have the kerberos pw policy, that's why the uid=kdc was not "protected" against it. In v2 we perfected the pw policies check so that the kerberos policies covers also binds done against DS directly. I also am adding a patch so that uid=kdc is protected in case DS policy is enabled nonetheless for whatever reason. Simo. -- Simo Sorce * Red Hat, Inc * New York From james.roman at ssaihq.com Fri Jan 28 22:39:14 2011 From: james.roman at ssaihq.com (James Roman) Date: Fri, 28 Jan 2011 17:39:14 -0500 Subject: [Freeipa-users] Unable to start the krb5kdc In-Reply-To: <20110128103907.7717462e@willson.li.ssimo.org> References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com> <4D404E21.7090903@redhat.com> <4D406F01.8030509@ssaihq.com> <1296151106.8527.35.camel@willson.li.ssimo.org> <4D420BB2.5040301@ssaihq.com> <20110128082803.4c486f64@willson.li.ssimo.org> <4D42D0B5.6020005@ssaihq.com> <20110128103907.7717462e@willson.li.ssimo.org> Message-ID: <4D434592.9070207@ssaihq.com> On 01/28/2011 10:39 AM, Simo Sorce wrote: > > Rirst of all. > I am glad this was resolved, it looked puzzling indeed. > > I just want to note that we do not support using the DS password policy > in ipa as we already have the kerberos pw policy, that's why the uid=kdc > was not "protected" against it. 
> > In v2 we perfected the pw policies check so that the kerberos policies > covers also binds done against DS directly. Just to clarify, in v2 Kerberos password policies also cover ldap binds? > I also am adding a patch so that uid=kdc is protected in case DS policy > is enabled nonetheless for whatever reason. > > Simo. > From ssorce at redhat.com Fri Jan 28 22:43:43 2011 From: ssorce at redhat.com (Simo Sorce) Date: Fri, 28 Jan 2011 17:43:43 -0500 Subject: [Freeipa-users] Unable to start the krb5kdc In-Reply-To: <4D434592.9070207@ssaihq.com> References: <4D3F0299.9060408@ssaihq.com> <20110125124258.18c4dd3f@willson.li.ssimo.org> <4D3F257A.8030003@ssaihq.com> <20110125144454.3e56c7b0@willson.li.ssimo.org> <4D3F397B.6020700@ssaihq.com> <20110125165127.695abe6c@willson.li.ssimo.org> <4D404C8F.6090901@ssaihq.com> <4D404E21.7090903@redhat.com> <4D406F01.8030509@ssaihq.com> <1296151106.8527.35.camel@willson.li.ssimo.org> <4D420BB2.5040301@ssaihq.com> <20110128082803.4c486f64@willson.li.ssimo.org> <4D42D0B5.6020005@ssaihq.com> <20110128103907.7717462e@willson.li.ssimo.org> <4D434592.9070207@ssaihq.com> Message-ID: <20110128174343.31d65e8d@willson.li.ssimo.org> On Fri, 28 Jan 2011 17:39:14 -0500 James Roman wrote: > On 01/28/2011 10:39 AM, Simo Sorce wrote: > > > > Rirst of all. > > I am glad this was resolved, it looked puzzling indeed. > > > > I just want to note that we do not support using the DS password > > policy in ipa as we already have the kerberos pw policy, that's why > > the uid=kdc was not "protected" against it. > > > > In v2 we perfected the pw policies check so that the kerberos > > policies covers also binds done against DS directly. > Just to clarify, in v2 Kerberos password policies also cover ldap > binds? Yes with have a bind pre/post op plugin that enforces the same account/password policies for ldap binds too. Simo. -- Simo Sorce * Red Hat, Inc * New York
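The check Simo asks for above (search explicitly for passwordExpirationTime, because 389-DS does not return operational attributes unless they are named) and the gap James describes (an expiry report that scans cn=accounts but not cn=etc) are illustrated by the following script. It is an added example, not FreeIPA project code or anything posted in the thread. It assumes the OpenLDAP ldapsearch client, a root-only file holding the Directory Manager password, the usual IPA layout with the KDC bind account at uid=kdc,cn=sysaccounts,cn=etc,<suffix>, and the suffix dc=example,dc=com; the LDIF sample and the reference date are constructed to match the thread, not captured from a real server.

```python
#!/usr/bin/env python3
"""Report expired or soon-to-expire 389-DS passwords across a whole IPA
suffix, so system accounts under cn=etc (for example uid=kdc) are not
missed the way a cn=accounts-only scan misses them.

Added example, not FreeIPA code. Assumptions: OpenLDAP ldapsearch, a
root-only Directory Manager password file, the usual IPA DN layout.
"""
import base64
import re
import subprocess
from datetime import datetime, timedelta, timezone

GENTIME = re.compile(r"^(\d{14})Z$")


def ldapsearch_argv(host, suffix, pw_file, bind_dn="cn=Directory Manager"):
    """Command line that requests passwordExpirationTime by name.

    It is an operational attribute in 389-DS, so neither a default search
    nor '*' returns it; list it explicitly (or request '+'). Searching from
    the suffix rather than cn=accounts is what picks up cn=etc as well.
    """
    return ["ldapsearch", "-LLL", "-x", "-H", f"ldap://{host}/",
            "-D", bind_dn, "-y", pw_file, "-b", suffix, "-s", "sub",
            "(passwordExpirationTime=*)", "dn", "passwordExpirationTime"]


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded
    continuation lines (leading space) and base64 values ('::')."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if cur:
                entries.append(_decode(cur))
            cur, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:   # folded line
            cur[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        cur.setdefault(name, []).append(value)
        last = name
    if cur:
        entries.append(_decode(cur))
    return entries


def _decode(entry):
    return {name: [base64.b64decode(v[1:].strip()).decode("utf-8")
                   if v.startswith(":") else v.strip() for v in vals]
            for name, vals in entry.items()}


def parse_gentime(value):
    """389-DS stores passwordExpirationTime as GeneralizedTime in UTC."""
    m = GENTIME.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiring(entries, now, within=timedelta(days=14)):
    """[(dn, 'expired'|'expiring', expiry)] for entries already expired or
    expiring within `within`, soonest first; entries without the attribute
    are skipped."""
    hits = []
    for e in entries:
        if "passwordExpirationTime" not in e:
            continue
        exp = parse_gentime(e["passwordExpirationTime"][0])
        if exp <= now:
            hits.append((e["dn"][0], "expired", exp))
        elif exp - now <= within:
            hits.append((e["dn"][0], "expiring", exp))
    return sorted(hits, key=lambda h: h[2])


def check_server(host, suffix, pw_file, now=None):
    """Run the search against a live server and return expiring()."""
    out = subprocess.run(ldapsearch_argv(host, suffix, pw_file),
                         capture_output=True, text=True, check=True).stdout
    return expiring(parse_ldif(out), now or datetime.now(timezone.utc))


# Constructed sample, shaped like the search output on the thread's date;
# not captured from a real server.
SAMPLE_LDIF = """\
dn: uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com
passwordExpirationTime: 20110120000000Z

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
passwordExpirationTime: 20110205120000Z

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
passwordExpirationTime: 20120101000000Z
"""
SAMPLE_NOW = datetime(2011, 1, 28, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for dn, state, exp in expiring(parse_ldif(SAMPLE_LDIF), SAMPLE_NOW):
        print(f"{state:8} {exp:%Y-%m-%d %H:%M}Z  {dn}")
```

Run against both replicas (check_server on ipaserver1 and ipaserver2) to see whether only one of them carries an expiry on uid=kdc, which is the situation in the thread. The -y password file keeps the Directory Manager password off the process list. Finding a hit is the symptom, not the fix: as Simo says, the DS password policy is not supported under IPA because the Kerberos policy already covers accounts, so the remedy is to remove the suffix-level DS policy rather than to keep resetting system account passwords.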
