From naufal26.tik at gmail.com Fri Jul 1 04:53:16 2011
From: naufal26.tik at gmail.com (Muhammad Naufal)
Date: Fri, 1 Jul 2011 11:53:16 +0700
Subject: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp
In-Reply-To: <20110630074356.GE21155@fluxcoil.net>
References: <4E0B801E.1000204@redhat.com> <20110630074356.GE21155@fluxcoil.net>
Message-ID:

Thanks all, I am getting closer to configuring FreeIPA correctly. I installed FreeIPA v2 on a fresh installation. MIT Kerberos works fine and generated a ticket; see the attachment.

Next I'll try to configure the client web browser to connect to the IPA web UI, because the IPA server httpd access_log still throws the error "POST /ipa/json HTTP/1.1" 401. Any reference?

On Thu, Jun 30, 2011 at 2:43 PM, Christian Horn wrote:
> On Thu, Jun 30, 2011 at 01:58:32PM +0700, Muhammad Naufal wrote:
> > Now it can authenticate against the IPA server but no ticket is generated when I
> > type klist in the XP cmd prompt.
> > As a result I can not access the IPA web UI.
>
> IIRC multiple ticket caches can be used there.
> Maybe the MIT windows kerberos tools show a bit more, found them quite
> helpful to debug windows kerberos auth.
> http://web.mit.edu/Kerberos/dist/index.html#kfw-3.2
>
> Christian

[Attachment: web ui and cli - windows.jpg (image/jpeg, 238129 bytes)]

From ondrejv at s3group.cz Fri Jul 1 07:48:59 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Fri, 01 Jul 2011 09:48:59 +0200
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E0C965D.908@redhat.com>
References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz> <4E0C965D.908@redhat.com>
Message-ID: <4E0D7BEB.5070606@s3group.cz>

Hi,

On 30.06.2011 17:29, Dmitri Pal wrote:
> Can you please rephrase?
> Do you mean that instead of documenting what we already have or in addition to it, we should also document how to
> configure automount with DNS?
> Does DNS allow specifying the search base?
> Can you please point on any doc/man page that describes how to configure DNS for automount. We might add it as a reference into the doc.
> Is this what you are looking for?

First of all, I believe you guys in Redhat did a great job with the IPA. Why? Because with all the install scripts and the framework around it, you managed to integrate all services (DNS, Kerberos, LDAP) into simply manageable identity management for Linux.

A normal IT admin no longer has to dig through various howtos on the Internet. Just run the install script and you get something very similar to Active Directory - a robust and standards-based system.

The key thing for me is the simplicity and the scripts around it. One should no longer be afraid of setting up all the services separately. From the client's perspective, you already covered Kerberos configuration and NSS, that's fine.

Because of the reasons I outlined above I also believe that the *ipa-client-install* script should take care of the automounter, too (or at least offer the autofs configuration) - and this includes everything.

As a helping hand I offer my additions to your existing howtos (I have already checked their functionality).

[root@draco etc]# cat /etc/sysconfig/autofs
...
LDAP_URI="ldap:///dc=example,dc=com"    # let the automounter discover the LDAP server on its own
....

[root@draco etc]# cat /etc/autofs_ldap_auth.conf
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/draco.prague.s3group.com@EXAMPLE.COM"
/>
(clientprinc taken from klist -k)

This is I believe the best configuration you can get for autofs. It is not difficult (as you can see) so the ipa-client-install script should be able to take care of it automatically.

And finally, regarding your question - see man auto.master.
The DNS SRV lookup ability was added there because I asked autofs maintainer Ian Kent from Redhat to do it and he was kind enough to implement it for us (he actually grabbed a piece of Samba code to make it work). If you feel there should be something more (like you mentioned getting the search base from DNS as well), talk to him, I am sure he will help you.

The LDAP server SRV lookup has been there for quite some time so it is in RHEL5/6 already.

Thanks!

Ondrej

From simo at redhat.com Fri Jul 1 14:28:54 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 01 Jul 2011 10:28:54 -0400
Subject: [Freeipa-users] [Freeipa-devel] Proposal: drop DENY rules from HBAC
In-Reply-To: <4E0B8A1D.6000505@redhat.com>
References: <1309377629.6189.32.camel@sgallagh520.bos.redhat.com> <4E0B8A1D.6000505@redhat.com>
Message-ID: <1309530534.2681.165.camel@willson.li.ssimo.org>

On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:
> By removing the deny rules, do we break compatibility with anything else
> than the IPA tech preview in RHEL and upstream FreeIPA 2.0?

Ok, we've had a somewhat heated discussion internally about how to deal with the transition phase for those admins that decided to use HBAC DENY rules. Hopefully very few did and so very few people will actually be impacted, but we need to handle those cases the best we can to avoid security issues for those users.

Here is a rough plan I'd like to get both developers *AND* users feedback on, if you care about it.

The premise to the following plan is that very few administrators, unfortunately, carefully read release notes before upgrading, so simply dropping and ignoring DENY rules is felt as something we can't do.

We split the solution in 2 parts, one on the SSSD side (the only client currently able to understand IPA HBAC rules), and one on the server side.
SSSD:

Inconveniencing clients is probably the easiest way to cause the least disruption and attract the administrators' attention. The idea here is to treat any DENY rule as actually a DENY-ALL rule, basically causing any login attempt for any service to fail as soon as the new sssd package is installed.

Even though admins normally do not read release notes, they still do a few test upgrades before upgrading the whole set of clients they administer. By having SSSD deny logins if any DENY rule is found (and spamming the log with pointers at the same time) we hope to give admins a good enough "wake up, something changed" call. This change will be prominently advertised in SSSD release notes.

Also, to ease the pain for those places where the server and client admins are different groups, we plan to add a transitional configuration option. This option will allow admins to ignore DENY rules entirely. The option will default to the DENY-ALL behavior described above, but admins will be able to toggle it to ignore so they can keep testing the client while they make sure to warn the server admins that DENY rules support is going to be dropped.

FreeIPA:

On the server side instead we will add 2 visual cues to the WebUI and probably something to the CLI commands used to manage HBAC rules.

In the WebUI, pending UXD and UI developers' approval/feedback, we will have a prominent error message in the main page, only for administrators that are allowed to manage HBAC rules. This warning will be shown if any DENY rule exists on the server.

In the HBAC pages, deny rules will be highlighted and text explaining they are not supported anymore and need to be removed will be shown.

These warnings will be dropped down the road after 1 more point release.

Of course release notes will prominently highlight this change so that most admins will be prepared to handle this change.

Hopefully people will have enough cues to properly handle the situation.

Simo.
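The transitional client-side semantics described in this proposal (any DENY rule present makes the client deny every login, unless an option tells it to ignore DENY rules and evaluate only ALLOW rules), as an added Python illustration. This is not SSSD's or FreeIPA's code: the rule representation, the deny_mode option name and the log messages are assumptions made for the example.

```python
"""Evaluate IPA-style HBAC rules with the transitional DENY handling from the
proposal above. Added illustration, not SSSD's or FreeIPA's implementation:
the rule shape, the deny_mode option name and the log text are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

ALL = "all"  # the "all" category matches every user / host / service


@dataclass(frozen=True)
class HbacRule:
    name: str
    rule_type: str = "allow"          # "allow" or the legacy "deny"
    enabled: bool = True
    users: frozenset | str = ALL      # ALL or a set of user names
    hosts: frozenset | str = ALL      # ALL or a set of host FQDNs
    services: frozenset | str = ALL   # ALL or a set of PAM service names


def _matches(selector, value) -> bool:
    return selector == ALL or value in selector


def rule_applies(rule: HbacRule, user: str, host: str, service: str) -> bool:
    return (rule.enabled
            and _matches(rule.users, user)
            and _matches(rule.hosts, host)
            and _matches(rule.services, service))


def evaluate(rules, user, host, service, deny_mode="denyall", log=None) -> bool:
    """Return True if the login is allowed.

    deny_mode "denyall": any DENY rule on the server makes every login fail
    (the proposed default, so test upgrades wake the admins up).
    deny_mode "ignore": DENY rules are skipped and only ALLOW rules are
    evaluated (the proposed transitional opt-out).
    """
    log = log if log is not None else []
    # Assumption: a DENY rule counts even when disabled, since the proposal
    # speaks of DENY rules existing, not of them being active.
    deny_names = [r.name for r in rules if r.rule_type == "deny"]
    if deny_names:
        if deny_mode == "denyall":
            log.append("HBAC DENY rules are no longer supported; denying all "
                       "access until they are removed: " + ", ".join(deny_names))
            return False
        if deny_mode != "ignore":
            raise ValueError(f"unknown deny_mode {deny_mode!r}")
        log.append("ignoring unsupported HBAC DENY rules: " + ", ".join(deny_names))
    # HBAC is default-deny: access needs at least one matching ALLOW rule.
    for r in rules:
        if r.rule_type == "allow" and rule_applies(r, user, host, service):
            log.append(f"{user}@{host} -> {service} allowed by rule {r.name}")
            return True
    log.append(f"no HBAC rule allows {user}@{host} -> {service}")
    return False


if __name__ == "__main__":
    rules = [
        HbacRule("allow_ssh", services=frozenset({"sshd"})),
        HbacRule("deny_bob", rule_type="deny",
                 users=frozenset({"bob"}), services=frozenset({"sshd"})),
    ]
    for mode in ("denyall", "ignore"):
        messages = []
        ok = evaluate(rules, "bob", "web1.example.com", "sshd", deny_mode=mode, log=messages)
        print(f"deny_mode={mode}: allowed={ok}; " + " | ".join(messages))
```

Running the block shows the two behaviours for the same request: under the default mode everything is denied and the log names the offending rule; under the ignore mode the DENY rule is silently dropped, so bob, whom deny_bob was meant to keep out, is allowed in again by the broad allow_ssh rule. That widening is the security reason the proposal defaults to DENY-ALL rather than to ignoring the rules.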
-- Simo Sorce * Red Hat, Inc * New York From ayoung at redhat.com Fri Jul 1 14:33:25 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 01 Jul 2011 10:33:25 -0400 Subject: [Freeipa-users] Automounter maps In-Reply-To: <4E0D7BEB.5070606@s3group.cz> References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz> <4E0C965D.908@redhat.com> <4E0D7BEB.5070606@s3group.cz> Message-ID: <4E0DDAB5.1060609@redhat.com> On 07/01/2011 03:48 AM, Ondrej Valousek wrote: > Hi, > > On 30.06.2011 17:29, Dmitri Pal wrote: >> Can you please rephrase? Do you mean that instead of documenting what >> we already have or in addition to it, we should also document how to >> configure automount with DNS? >> Does DNS allow specifying the search base? >> Can you please point on any doc/man page that describes how to >> configure DNS for automount. We might add it as a reference into the >> doc. Is this what you are looking for? > > First of all, I believe you guys in Redhat did a great job with the IPA. > Why? Because with all the install scripts and the framework around it, > you managed to integrate all services (DNS, Kerberos, LDAP) into > simply manageable Identity management for Linux. > > Normal IT admin no longer has to dig various howtos in the Internet. > Just run the install script and you get something very similar to > Active Directory - robust and standard-based system. > > The key thing is for me the simplicity and the scripts around it. One > should no longer be afraid of setting up all the services separately. > From the client's prospective, You already covered Kerberos > configuration and NSS, that's fine. > > Because of the reasons I outlined above I also believe that the > *ipa-client-install* script should take care of the automounter, too > (or at least offer the autofs configuration) - and this includes > everything. > > As a helping hand I offer my adds to your existing howtos (I have > already checked its functionality). 
> > [root at draco etc]# cat /etc/sysconfig/autofs: > ... > LDAP_URI="ldap:///dc=example,dc=com" # let the automounter > discover LDAP server on its own > .... > > [root at draco etc]# cat /etc/autofs_ldap_auth.conf > usetls="no" > tlsrequired="no" > authrequired="yes" > authtype="GSSAPI" > clientprinc="host/draco.prague.s3group.com at EXAMPLE.COM" # taken > from klist -k > /> > > This is I believe the best configuration you can get for autofs. It is > not difficult (as you can see) so the ipa-client-install script should > be able to take care of it automatically. > > And finally, regarding your question - see man auto.master. The DNS > SRV lookup ability was added there because I asked autofs maintainer > Ian Kent from Redhat to do it and he was kind enough to implement it > for us (he actually grabbed a piece of Samba code to make it working). > If you feel there should be something more (like you mentioned getting > the search base from DNS as well), talk to him, I am sure he will help > you. Very nice. I'm with you in the philosophy of Make it easy, make it work together, and provide a good basic approach that makes sense for most people. With IPA, the user and group stuff is pretty close to how you'd expect everyone to do things, but we have had to make minor divergences: notice the ipausers group for example. With automount, what we found is that there is a wide array of implementation approaches. Based on talking with people that are interested in IPA, we found that people can't even agree on whether the users home directories should be automatically created when the user is added to the system. Often, people have multiple locations, and the user does not get a home directory for a location until they need it. Thus, we've taken the blank slate approach to automount policy. 
What I suspect we'll find moving forward is that automount strategies will fall into one of two-three buckets, and we can work with the automount team and so on to make a clean unified strategy. Partially, I think we will need to assign a host to a Location and then it will be able to work with the maps and keys nested under there. We also will want to be able to trap a new user event and create the home directory on the file server, but we don't yet have an abstraction for a file server in IPA. There is the opportunity to write helper tools for configuration that exist outside of the ipa-client and ipa-server execution paths. I scripted up the Sudo test cases earlier in the year. > > The ldap server SRV lookup has been there for quite some time so it is > in RHEL5/6 already. > Thanks! > > Ondrej > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Fri Jul 1 14:40:50 2011 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 01 Jul 2011 10:40:50 -0400 Subject: [Freeipa-users] Automounter maps In-Reply-To: <4E0D7BEB.5070606@s3group.cz> References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz> <4E0C965D.908@redhat.com> <4E0D7BEB.5070606@s3group.cz> Message-ID: <4E0DDC72.8040207@redhat.com> On 07/01/2011 03:48 AM, Ondrej Valousek wrote: > Hi, > > On 30.06.2011 17:29, Dmitri Pal wrote: >> Can you please rephrase? Do you mean that instead of documenting what >> we already have or in addition to it, we should also document how to >> configure automount with DNS? >> Does DNS allow specifying the search base? >> Can you please point on any doc/man page that describes how to >> configure DNS for automount. We might add it as a reference into the >> doc. Is this what you are looking for? 
> > First of all, I believe you guys in Redhat did a great job with the IPA. > Why? Because with all the install scripts and the framework around it, > you managed to integrate all services (DNS, Kerberos, LDAP) into simply > manageable Identity management for Linux. > > Normal IT admin no longer has to dig various howtos in the Internet. > Just run the install script and you get something very similar to Active > Directory - robust and standard-based system. > > The key thing is for me the simplicity and the scripts around it. One > should no longer be afraid of setting up all the services separately. > From the client's prospective, You already covered Kerberos > configuration and NSS, that's fine. > > Because of the reasons I outlined above I also believe that the > *ipa-client-install* script should take care of the automounter, too (or > at least offer the autofs configuration) - and this includes everything. > > As a helping hand I offer my adds to your existing howtos (I have > already checked its functionality). > > [root at draco etc]# cat /etc/sysconfig/autofs: > ... > LDAP_URI="ldap:///dc=example,dc=com" # let the automounter discover > LDAP server on its own > .... > > [root at draco etc]# cat /etc/autofs_ldap_auth.conf > usetls="no" > tlsrequired="no" > authrequired="yes" > authtype="GSSAPI" > clientprinc="host/draco.prague.s3group.com at EXAMPLE.COM" # taken > from klist -k > /> > > This is I believe the best configuration you can get for autofs. It is > not difficult (as you can see) so the ipa-client-install script should > be able to take care of it automatically. > > And finally, regarding your question - see man auto.master. The DNS SRV > lookup ability was added there because I asked autofs maintainer Ian > Kent from Redhat to do it and he was kind enough to implement it for us > (he actually grabbed a piece of Samba code to make it working). 
> If you
> feel there should be something more (like you mentioned getting the
> search base from DNS as well), talk to him, I am sure he will help you.
>
> The ldap server SRV lookup has been there for quite some time so it is
> in RHEL5/6 already.
> Thanks!
>
> Ondrej
>
>

I agree with Adam that there are quite a lot of possible configurations wrt. automount. With that in mind, I think that it would make sense to add the above into the HOWTO section on freeipa.org -- do we still maintain the section?

From pavel at zhukoff.net Sun Jul 3 16:43:38 2011
From: pavel at zhukoff.net (Pavel Zhukov)
Date: Sun, 03 Jul 2011 20:43:38 +0400
Subject: [Freeipa-users] FreeIPA automount
Message-ID:

Hi all

I'm trying to install and configure FreeIPA and automount
https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

/etc/sysconfig/autofs
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
LDAP_URI="ldap://freeipa.home.zhukoff.net"
##SEARCH_BASE="cn=dafault,cn=automount,dc=home,dc=zhukoff,dc=net"
SEARCH_BASE="cn=automount,dc=home,dc=zhukoff,dc=net"

$ showmount -e freeipa.home.zhukoff.net
Export list for freeipa.home.zhukoff.net:
/share/man 192.168.12.0/16
/home 192.168.12.0/16

$ ipa automountkey-find default auto.master
Key: /-
Mount information: auto.direct

Key: /share
Mount information: auto.share
----------------------------
Number of entries returned 2
----------------------------
$ ipa automountkey-find default auto.share
Key: man
Mount information: -ro,soft,rsize=8192,wsize=8192 freeipa.home.zhukoff.net:/share/man
----------------------------
Number of entries returned 1
----------------------------
$ ipa automountkey-find default auto.master
Key: /-
Mount information: auto.direct

Key: /share
Mount information: auto.share
----------------------------
Number of entries returned 2
----------------------------

/var/log/messages:
Jul 4 00:40:51 ipaclient automount[2227]: st_expire: state 1 path /net
Jul 4 00:40:51 ipaclient automount[2227]: expire_proc: exp_proc = 139786245711616 path /net
Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: got thid 139786245711616 path /net stat 0
Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: sigchld: exp 139786245711616 finished, switching from 2 to 1
Jul 4 00:40:51 ipaclient automount[2227]: st_ready: st_ready(): state = 2 path /net

But automount doesn't work. It mounts nothing.
Can anybody help me?

--
Regards
Pavel Zhukov
pavel at zhukoff.net

From rcritten at redhat.com Wed Jul 6 13:11:29 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Jul 2011 09:11:29 -0400
Subject: [Freeipa-users] FreeIPA automount
In-Reply-To:
References:
Message-ID: <4E145F01.3030703@redhat.com>

Pavel Zhukov wrote:
> Hi all
>
> I'm trying to install and configure FreeIPA and automount
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>
> /etc/sysconfig/autofs
> MAP_OBJECT_CLASS="automountMap"
> ENTRY_OBJECT_CLASS="automount"
> MAP_ATTRIBUTE="automountMapName"
> ENTRY_ATTRIBUTE="automountKey"
> VALUE_ATTRIBUTE="automountInformation"
> LDAP_URI="ldap://freeipa.home.zhukoff.net"
> ##SEARCH_BASE="cn=dafault,cn=automount,dc=home,dc=zhukoff,dc=net"
> SEARCH_BASE="cn=automount,dc=home,dc=zhukoff,dc=net"
>
> $ showmount -e freeipa.home.zhukoff.net
> Export list for freeipa.home.zhukoff.net:
> /share/man 192.168.12.0/16
> /home 192.168.12.0/16
>
> $ ipa automountkey-find default auto.master
> Key: /-
> Mount information: auto.direct
>
> Key: /share
> Mount information: auto.share
> ----------------------------
> Number of entries returned 2
> ----------------------------
> $ ipa automountkey-find default auto.share
> Key: man
> Mount information: -ro,soft,rsize=8192,wsize=8192 freeipa.home.zhukoff.net:/share/man
> ----------------------------
> Number of entries returned 1
> ----------------------------
> $ ipa automountkey-find default auto.master
> Key: /-
> Mount information: auto.direct
>
> Key: /share
> Mount information: auto.share
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> /var/log/messages:
> Jul 4 00:40:51 ipaclient automount[2227]: st_expire: state 1 path /net
> Jul 4 00:40:51 ipaclient automount[2227]: expire_proc: exp_proc = 139786245711616 path /net
> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: got thid 139786245711616 path /net stat 0
> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: sigchld: exp 139786245711616 finished, switching from 2 to 1
> Jul 4 00:40:51 ipaclient automount[2227]: st_ready: st_ready(): state = 2 path /net
>
> But automount doesn't work. Mount nothing.
> Can anybody help me?
>

Two suggestions for /etc/sysconfig/autofs on ipaclient:

1. Set LOGGING="debug"
2. Set SEARCH_BASE to cn=default,cn=automount,dc=home,dc=zhukoff,dc=net. Your commented-out line has default misspelled.

Don't forget to restart the autofs service.

rob

From pavel at zhukoff.net Wed Jul 6 14:42:28 2011
From: pavel at zhukoff.net (Pavel Zhukov)
Date: Wed, 06 Jul 2011 18:42:28 +0400
Subject: [Freeipa-users] FreeIPA automount
In-Reply-To: <4E145F01.3030703@redhat.com>
References: <4E145F01.3030703@redhat.com>
Message-ID:

Thank you for the help, but automount doesn't work anyway.

cat /etc/sysconfig/autofs | egrep -v "#.*"
TIMEOUT=300
BROWSE_MODE="no"
MOUNT_NFS_DEFAULT_PROTOCOL=4
LOGGING="debug"
USE_MISC_DEVICE="yes"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
LDAP_URI="ldap://freeipa.home.zhukoff.net"
SEARCH_BASE="cn=default,cn=automount,dc=home,dc=zhukoff,dc=net"

cat /var/log/messages | grep automount
Jul 6 22:35:31 ipaclient automount[1257]: st_expire: state 1 path /net
Jul 6 22:35:31 ipaclient automount[1257]: expire_proc: exp_proc = 139679846762240 path /net
Jul 6 22:35:31 ipaclient automount[1257]: expire_cleanup: got thid 139679846762240 path /net stat 0
Jul 6 22:35:31 ipaclient automount[1257]: expire_cleanup: sigchld: exp 139679846762240 finished, switching from 2 to 1
Jul 6 22:35:31 ipaclient automount[1257]: st_ready: st_ready(): state = 2 path /net
Jul 6 22:36:00 ipaclient automount[1257]: st_expire: state 1 path /misc
Jul 6 22:36:00 ipaclient automount[1257]: expire_proc: exp_proc = 139679846762240 path /misc
Jul 6 22:36:00 ipaclient automount[1257]: expire_cleanup: got thid 139679846762240 path /misc stat 0
Jul 6 22:36:00 ipaclient automount[1257]: expire_cleanup: sigchld: exp 139679846762240 finished, switching from 2 to 1
Jul 6 22:36:00 ipaclient automount[1257]: st_ready: st_ready(): state = 2 path /misc

mount | grep autofs
......
(some /dev and /sys) /etc/auto.misc on /misc type autofs (rw,relatime,fd=7,pgrp=1257,timeout=300,minproto=5,maxproto=5,indirect) -hosts on /net type autofs (rw,relatime,fd=13,pgrp=1257,timeout=300,minproto=5,maxproto=5,indirect) Pavel On Wed, 06 Jul 2011 09:11:29 -0400 Rob Crittenden wrote: > Pavel Zhukov wrote: >> Hi all >> >> I'm trying to install and configure FreeIPA and automount >> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount >> >> /etc/sysconfig/autofs >> MAP_OBJECT_CLASS="automountMap" >> ENTRY_OBJECT_CLASS="automount" >> MAP_ATTRIBUTE="automountMapName" >> ENTRY_ATTRIBUTE="automountKey" >> VALUE_ATTRIBUTE="automountInformation" >> LDAP_URI="ldap://freeipa.home.zhukoff.net" >> ##SEARCH_BASE="cn=dafault,cn=automount,dc=home,dc=zhukoff,dc=net" >> SEARCH_BASE="cn=automount,dc=home,dc=zhukoff,dc=net" >> >> $ showmount -e freeipa.home.zhukoff.net >> Export list for freeipa.home.zhukoff.net: >> /share/man 192.168.12.0/16 >> /home 192.168.12.0/16 >> >> >> $ ipa automountkey-find default auto.master >> Key: /- >> Mount information: auto.direct >> >> Key: /share >> Mount information: auto.share >> ---------------------------- >> Number of entries returned 2 >> ---------------------------- >> $ ipa automountkey-find default auto.share >> Key: man >> Mount information: -ro,soft,rsize=8192,wsize=8192 >> freeipa.home.zhukoff.net:/share/man >> ---------------------------- >> Number of entries returned 1 >> ---------------------------- >> $ ipa automountkey-find default auto.master >> Key: /- >> Mount information: auto.direct >> >> Key: /share >> Mount information: auto.share >> ---------------------------- >> Number of entries returned 2 >> ---------------------------- >> >> /var/log/messages: >> Jul 4 00:40:51 ipaclient automount[2227]: st_expire: state 1 path >>/net >> Jul 4 00:40:51 ipaclient automount[2227]: expire_proc: exp_proc = >> 139786245711616 path /net >> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: got thid >> 139786245711616 
>> path /net stat 0
>> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: sigchld: exp
>> 139786245711616 finished, switching from 2 to 1
>> Jul 4 00:40:51 ipaclient automount[2227]: st_ready: st_ready(): state =
>> 2 path /net
>>
>> But automount doesn't work. Mount nothing.
>> Can anybody help me?
>>
>
> Two suggestions for /etc/sysconfig/autofs on ipaclient:
>
> 1. Set LOGGING="debug"
> 2. Set SEARCH_BASE to
> cn=default,cn=automount,dc=home,dc=zhukoff,dc=net. Your commented-out
> line has default misspelled.
>
> Don't forget to restart autofs service
>
> rob

From Steven.Jones at vuw.ac.nz Wed Jul 6 20:30:52 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 6 Jul 2011 20:30:52 +0000
Subject: [Freeipa-users] Alternatives to freeipa
Message-ID: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz>

Not knowing much about connecting to AD directly with RH guests... hopefully some people do...

Advantages for AD
1) Zero first cost

Disadvantages
1) Manual setup
2) Manageability? Access control? Other things?

From 3 days of googling I can find few or little info on the usefulness and practicality of connecting and using AD for Linux authentication and authorisation in Enterprise situations... is it really used in an Enterprise? It looks like it might be OK for, say, 5 users where security isn't a concern, for instance...

If anyone has actual experience to share that would be good...

regards

From rcritten at redhat.com Wed Jul 6 21:16:16 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 06 Jul 2011 17:16:16 -0400
Subject: [Freeipa-users] FreeIPA automount
In-Reply-To:
References: <4E145F01.3030703@redhat.com>
Message-ID: <4E14D0A0.30200@redhat.com>

Pavel Zhukov wrote:
> Thank you for the help, but automount doesn't work anyway.
>
> cat /etc/sysconfig/autofs | egrep -v "#.*"
> TIMEOUT=300
> BROWSE_MODE="no"
> MOUNT_NFS_DEFAULT_PROTOCOL=4
> LOGGING="debug"
> USE_MISC_DEVICE="yes"
> MAP_OBJECT_CLASS="automountMap"
> ENTRY_OBJECT_CLASS="automount"
> MAP_ATTRIBUTE="automountMapName"
> ENTRY_ATTRIBUTE="automountKey"
> VALUE_ATTRIBUTE="automountInformation"
> LDAP_URI="ldap://freeipa.home.zhukoff.net"
> SEARCH_BASE="cn=default,cn=automount,dc=home,dc=zhukoff,dc=net"
>
> cat /var/log/messages | grep automount
> Jul 6 22:35:31 ipaclient automount[1257]: st_expire: state 1 path /net
> Jul 6 22:35:31 ipaclient automount[1257]: expire_proc: exp_proc = 139679846762240 path /net
> Jul 6 22:35:31 ipaclient automount[1257]: expire_cleanup: got thid 139679846762240 path /net stat 0
> Jul 6 22:35:31 ipaclient automount[1257]: expire_cleanup: sigchld: exp 139679846762240 finished, switching from 2 to 1
> Jul 6 22:35:31 ipaclient automount[1257]: st_ready: st_ready(): state = 2 path /net
> Jul 6 22:36:00 ipaclient automount[1257]: st_expire: state 1 path /misc
> Jul 6 22:36:00 ipaclient automount[1257]: expire_proc: exp_proc = 139679846762240 path /misc
> Jul 6 22:36:00 ipaclient automount[1257]: expire_cleanup: got thid 139679846762240 path /misc stat 0
> Jul 6 22:36:00 ipaclient automount[1257]: expire_cleanup: sigchld: exp 139679846762240 finished, switching from 2 to 1
> Jul 6 22:36:00 ipaclient automount[1257]: st_ready: st_ready(): state = 2 path /misc
>
> mount | grep autofs
> ...... (some /dev and /sys)
> /etc/auto.misc on /misc type autofs (rw,relatime,fd=7,pgrp=1257,timeout=300,minproto=5,maxproto=5,indirect)
> -hosts on /net type autofs (rw,relatime,fd=13,pgrp=1257,timeout=300,minproto=5,maxproto=5,indirect)

Can you check the 389-ds access log on the server when you restart the autofs service on the client? This should show us if it is connecting, what it is searching for and how many (if any) entries it found.
Note that 389-ds buffers the access log so it could be a few seconds before you see any output. rob > > Pavel > On Wed, 06 Jul 2011 09:11:29 -0400 > Rob Crittenden wrote: >> Pavel Zhukov wrote: >>> Hi all >>> >>> I'm trying to install and configure FreeIPA and automount >>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount >>> >>> /etc/sysconfig/autofs >>> MAP_OBJECT_CLASS="automountMap" >>> ENTRY_OBJECT_CLASS="automount" >>> MAP_ATTRIBUTE="automountMapName" >>> ENTRY_ATTRIBUTE="automountKey" >>> VALUE_ATTRIBUTE="automountInformation" >>> LDAP_URI="ldap://freeipa.home.zhukoff.net" >>> ##SEARCH_BASE="cn=dafault,cn=automount,dc=home,dc=zhukoff,dc=net" >>> SEARCH_BASE="cn=automount,dc=home,dc=zhukoff,dc=net" >>> >>> $ showmount -e freeipa.home.zhukoff.net >>> Export list for freeipa.home.zhukoff.net: >>> /share/man 192.168.12.0/16 >>> /home 192.168.12.0/16 >>> >>> >>> $ ipa automountkey-find default auto.master >>> Key: /- >>> Mount information: auto.direct >>> >>> Key: /share >>> Mount information: auto.share >>> ---------------------------- >>> Number of entries returned 2 >>> ---------------------------- >>> $ ipa automountkey-find default auto.share >>> Key: man >>> Mount information: -ro,soft,rsize=8192,wsize=8192 >>> freeipa.home.zhukoff.net:/share/man >>> ---------------------------- >>> Number of entries returned 1 >>> ---------------------------- >>> $ ipa automountkey-find default auto.master >>> Key: /- >>> Mount information: auto.direct >>> >>> Key: /share >>> Mount information: auto.share >>> ---------------------------- >>> Number of entries returned 2 >>> ---------------------------- >>> >>> /var/log/messages: >>> Jul 4 00:40:51 ipaclient automount[2227]: st_expire: state 1 path /net >>> Jul 4 00:40:51 ipaclient automount[2227]: expire_proc: exp_proc = >>> 139786245711616 path /net >>> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: got thid >>> 139786245711616 path /net stat 0 >>> Jul 4 00:40:51 ipaclient automount[2227]: 
>>> expire_cleanup: sigchld: exp
>>> 139786245711616 finished, switching from 2 to 1
>>> Jul 4 00:40:51 ipaclient automount[2227]: st_ready: st_ready(): state =
>>> 2 path /net
>>>
>>> But automount doesn't work. Mount nothing.
>>> Can anybody help me?
>>>
>>
>> Two suggestions for /etc/sysconfig/autofs on ipaclient:
>>
>> 1. Set LOGGING="debug"
>> 2. Set SEARCH_BASE to
>> cn=default,cn=automount,dc=home,dc=zhukoff,dc=net. Your commented-out
>> line has default misspelled.
>>
>> Don't forget to restart autofs service
>>
>> rob
>

From prjctgeek at gmail.com Wed Jul 6 21:36:33 2011
From: prjctgeek at gmail.com (Doug Chapman)
Date: Wed, 6 Jul 2011 14:36:33 -0700
Subject: [Freeipa-users] FreeIPA automount
In-Reply-To: <4E14D0A0.30200@redhat.com>
References: <4E145F01.3030703@redhat.com> <4E14D0A0.30200@redhat.com>
Message-ID:

On Wed, Jul 6, 2011 at 2:16 PM, Rob Crittenden wrote:
> Pavel Zhukov wrote:
>> Thank you for the help, but automount doesn't work anyway.
>>
>> cat /etc/sysconfig/autofs | egrep -v "#.*"
>> TIMEOUT=300
>> BROWSE_MODE="no"
>> MOUNT_NFS_DEFAULT_PROTOCOL=4
>> LOGGING="debug"
>> USE_MISC_DEVICE="yes"
>> MAP_OBJECT_CLASS="automountMap"
>> ENTRY_OBJECT_CLASS="automount"
>> MAP_ATTRIBUTE="automountMapName"
>> ENTRY_ATTRIBUTE="automountKey"
>> VALUE_ATTRIBUTE="automountInformation"
>> LDAP_URI="ldap://freeipa.home.zhukoff.net"
>> SEARCH_BASE="cn=default,cn=automount,dc=home,dc=zhukoff,dc=net"

I've had better luck running automount in the foreground for debugging, e.g. 'automount -f -d'. It saves you from having to cross-check the LDAP access log with automount's log lines.

Doug Chapman
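Rob's suggestion earlier in this thread is to read the 389-ds access log on the server while autofs restarts on the client, to see whether it connects, what it searches for and how many entries it gets. The following added Python example (not code from autofs, 389-ds or FreeIPA) does that pairing: it matches each SRCH with its RESULT by connection and operation number, checks that the bind completed with GSSAPI rather than anonymously, and compares the base the client actually searched with the SEARCH_BASE in /etc/sysconfig/autofs. The config excerpt and the log lines are constructed to mimic the real formats, reusing the misspelled base DN from this thread so the err=32 (noSuchObject) case shows up; the finding codes are my own.

```python
"""Pair SRCH and RESULT lines of a 389-ds access log to see what autofs asked
for and how many entries came back. Added example for this thread, not code
from autofs, 389-ds or FreeIPA; config and log excerpts are constructed."""
from __future__ import annotations
import re

# Constructed /etc/sysconfig/autofs excerpt (base DN misspelled on purpose).
SYSCONFIG_AUTOFS = """\
LOGGING="debug"
LDAP_URI="ldap://freeipa.home.zhukoff.net"
SEARCH_BASE="cn=dafault,cn=automount,dc=home,dc=zhukoff,dc=net"
"""

# Constructed 389-ds access-log excerpt: the client's two-step GSSAPI bind,
# then the auto.master lookup. err=14 is saslBindInProgress, err=32 noSuchObject.
ACCESS_LOG = """\
[06/Jul/2011:18:35:31 +0400] conn=42 fd=70 slot=70 connection from 192.168.12.20 to 192.168.12.10
[06/Jul/2011:18:35:31 +0400] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Jul/2011:18:35:31 +0400] conn=42 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Jul/2011:18:35:31 +0400] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Jul/2011:18:35:31 +0400] conn=42 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=ipaclient.home.zhukoff.net,cn=computers,cn=accounts,dc=home,dc=zhukoff,dc=net"
[06/Jul/2011:18:35:31 +0400] conn=42 op=2 SRCH base="cn=dafault,cn=automount,dc=home,dc=zhukoff,dc=net" scope=2 filter="(&(objectClass=automountMap)(automountMapName=auto.master))" attrs=ALL
[06/Jul/2011:18:35:31 +0400] conn=42 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[06/Jul/2011:18:35:31 +0400] conn=42 op=3 UNBIND
"""

SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"'
                     r' scope=\d filter="(?P<filter>[^"]*)"')
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
                     r' method=(?P<method>\S+)(?:.*? mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
                       r' tag=\d+ nentries=(?P<nentries>\d+)')


def parse_sysconfig(text: str) -> dict[str, str]:
    """KEY="value" lines of /etc/sysconfig/autofs; comments and blanks skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def correlate(log_text: str):
    """Attach each RESULT to its BIND or SRCH via the (conn, op) pair."""
    binds, searches = {}, {}
    for line in log_text.splitlines():
        if m := SRCH_RE.search(line):
            searches[(m["conn"], m["op"])] = {"conn": m["conn"], "base": m["base"],
                                              "filter": m["filter"], "err": None, "nentries": None}
        elif m := BIND_RE.search(line):
            binds[(m["conn"], m["op"])] = {"conn": m["conn"], "dn": m["dn"],
                                           "method": m["method"], "mech": m["mech"], "err": None}
        elif m := RESULT_RE.search(line):
            key = (m["conn"], m["op"])
            if key in searches:
                searches[key]["err"] = int(m["err"])
                searches[key]["nentries"] = int(m["nentries"])
            elif key in binds:
                binds[key]["err"] = int(m["err"])
    return list(binds.values()), list(searches.values())


def diagnose(sysconfig_text: str, log_text: str) -> list[tuple[str, str]]:
    """Return (code, message) findings about the autofs client's LDAP traffic."""
    cfg = parse_sysconfig(sysconfig_text)
    binds, searches = correlate(log_text)
    findings = []
    if any(b["mech"] == "GSSAPI" and b["err"] == 0 for b in binds):
        findings.append(("gssapi_bind_ok", "client authenticated with GSSAPI (host keytab)"))
    elif binds:
        findings.append(("bind_not_gssapi", "no completed GSSAPI bind; check "
                         "/etc/autofs_ldap_auth.conf and the host keytab"))
    if not searches:
        findings.append(("no_search", "no SRCH from the client: autofs never queried LDAP; "
                         "check nsswitch.conf ('automount: files ldap') and LDAP_URI, "
                         "restart autofs, and allow for 389-ds access-log buffering"))
        return findings
    want = cfg.get("SEARCH_BASE", "").lower()
    for s in searches:
        where = f'conn={s["conn"]} base="{s["base"]}" filter={s["filter"]}'
        if want and s["base"].lower() != want:
            findings.append(("base_mismatch", f"{where}: differs from SEARCH_BASE in "
                             "sysconfig; was autofs restarted after the edit?"))
        if s["err"] is None:
            findings.append(("no_result", f"{where}: no RESULT logged yet"))
        elif s["err"] == 32:
            findings.append(("base_missing", f"{where}: err=32 noSuchObject, the base DN "
                             "does not exist; check SEARCH_BASE for typos"))
        elif s["err"] != 0:
            findings.append(("ldap_error", f"{where}: err={s['err']}"))
        elif s["nentries"] == 0:
            findings.append(("no_match", f"{where}: base exists but nothing matched; "
                             "check the map name and MAP_OBJECT_CLASS/MAP_ATTRIBUTE"))
        else:
            findings.append(("ok", f"{where}: {s['nentries']} entries returned"))
    return findings


if __name__ == "__main__":
    for code, message in diagnose(SYSCONFIG_AUTOFS, ACCESS_LOG):
        print(f"[{code}] {message}")
```

Against a real server, replace the two constants with the contents of the client's /etc/sysconfig/autofs and the lines of the 389-ds access log (under /var/log/dirsrv/slapd-INSTANCE/) captured while restarting autofs; the no_search finding is what you get when autofs never reaches LDAP at all, which is where the nsswitch.conf check comes in.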
From ondrejv at s3group.cz Thu Jul 7 06:46:04 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 07 Jul 2011 08:46:04 +0200
Subject: [Freeipa-users] FreeIPA automount
In-Reply-To: <4E14D0A0.30200@redhat.com>
References: <4E145F01.3030703@redhat.com> <4E14D0A0.30200@redhat.com>
Message-ID: <4E15562C.5000901@s3group.cz>

Check your /etc/nsswitch.conf. It must read:

automount: files ldap

If you have the latest automounter installed you can also try:

# automount -m

.. to see if the automounter really sees all your maps.

Ondrej

On 06.07.2011 23:16, Rob Crittenden wrote:
> Pavel Zhukov wrote:
>> Thank you for the help, but automount doesn't work anyway.
>>
>> cat /etc/sysconfig/autofs | egrep -v "#.*"
>> TIMEOUT=300
>> BROWSE_MODE="no"
>> MOUNT_NFS_DEFAULT_PROTOCOL=4
>> LOGGING="debug"
>> USE_MISC_DEVICE="yes"
>> MAP_OBJECT_CLASS="automountMap"
>> ENTRY_OBJECT_CLASS="automount"
>> MAP_ATTRIBUTE="automountMapName"
>> ENTRY_ATTRIBUTE="automountKey"
>> VALUE_ATTRIBUTE="automountInformation"
>> LDAP_URI="ldap://freeipa.home.zhukoff.net"
>> SEARCH_BASE="cn=default,cn=automount,dc=home,dc=zhukoff,dc=net"
>>
>> cat /var/log/messages | grep automount
>> Jul 6 22:35:31 ipaclient automount[1257]: st_expire: state 1 path /net
>> Jul 6 22:35:31 ipaclient automount[1257]: expire_proc: exp_proc = 139679846762240 path /net
>> Jul 6 22:35:31 ipaclient automount[1257]: expire_cleanup: got thid 139679846762240 path /net stat 0
>> Jul 6 22:35:31 ipaclient automount[1257]: expire_cleanup: sigchld: exp 139679846762240 finished, switching from 2 to 1
>> Jul 6 22:35:31 ipaclient automount[1257]: st_ready: st_ready(): state = 2 path /net
>> Jul 6 22:36:00 ipaclient automount[1257]: st_expire: state 1 path /misc
>> Jul 6 22:36:00 ipaclient automount[1257]: expire_proc: exp_proc = 139679846762240 path /misc
>> Jul 6 22:36:00 ipaclient automount[1257]: expire_cleanup: got thid 139679846762240 path /misc stat 0
>> Jul 6 22:36:00 ipaclient automount[1257]: expire_cleanup: sigchld:
exp >> 139679846762240 finished, switching from 2 to 1 >> Jul 6 22:36:00 ipaclient automount[1257]: st_ready: st_ready(): state = >> 2 path /misc >> >> mount | grep autofs >> ...... (some /dev and /sys) >> /etc/auto.misc on /misc type autofs >> (rw,relatime,fd=7,pgrp=1257,timeout=300,minproto=5,maxproto=5,indirect) >> -hosts on /net type autofs >> (rw,relatime,fd=13,pgrp=1257,timeout=300,minproto=5,maxproto=5,indirect) > > Can you check the 389-ds access log on the server when you restart the autofs service on the client? This should show us if it is > connecting, what it is searching for and how many (if any) entries it found. Note that 389-ds buffers the access log so it could be a few > seconds before you see any output. > > rob > >> >> Pavel >> On Wed, 06 Jul 2011 09:11:29 -0400 >> Rob Crittenden wrote: >>> Pavel Zhukov wrote: >>>> Hi all >>>> >>>> I'm trying to install and configure FreeIPA and automount >>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount >>>> >>>> /etc/sysconfig/autofs >>>> MAP_OBJECT_CLASS="automountMap" >>>> ENTRY_OBJECT_CLASS="automount" >>>> MAP_ATTRIBUTE="automountMapName" >>>> ENTRY_ATTRIBUTE="automountKey" >>>> VALUE_ATTRIBUTE="automountInformation" >>>> LDAP_URI="ldap://freeipa.home.zhukoff.net" >>>> ##SEARCH_BASE="cn=dafault,cn=automount,dc=home,dc=zhukoff,dc=net" >>>> SEARCH_BASE="cn=automount,dc=home,dc=zhukoff,dc=net" >>>> >>>> $ showmount -e freeipa.home.zhukoff.net >>>> Export list for freeipa.home.zhukoff.net: >>>> /share/man 192.168.12.0/16 >>>> /home 192.168.12.0/16 >>>> >>>> >>>> $ ipa automountkey-find default auto.master >>>> Key: /- >>>> Mount information: auto.direct >>>> >>>> Key: /share >>>> Mount information: auto.share >>>> ---------------------------- >>>> Number of entries returned 2 >>>> ---------------------------- >>>> $ ipa automountkey-find default auto.share >>>> Key: man >>>> Mount information: -ro,soft,rsize=8192,wsize=8192 >>>> freeipa.home.zhukoff.net:/share/man >>>> 
---------------------------- >>>> Number of entries returned 1 >>>> ---------------------------- >>>> $ ipa automountkey-find default auto.master >>>> Key: /- >>>> Mount information: auto.direct >>>> >>>> Key: /share >>>> Mount information: auto.share >>>> ---------------------------- >>>> Number of entries returned 2 >>>> ---------------------------- >>>> >>>> /var/log/messages: >>>> Jul 4 00:40:51 ipaclient automount[2227]: st_expire: state 1 path /net >>>> Jul 4 00:40:51 ipaclient automount[2227]: expire_proc: exp_proc = >>>> 139786245711616 path /net >>>> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: got thid >>>> 139786245711616 path /net stat 0 >>>> Jul 4 00:40:51 ipaclient automount[2227]: expire_cleanup: sigchld: exp >>>> 139786245711616 finished, switching from 2 to 1 >>>> Jul 4 00:40:51 ipaclient automount[2227]: st_ready: st_ready(): state = >>>> 2 path /net >>>> >>>> But automount doesn't work. Mount nothing. >>>> Can anybody help me? >>>> >>> >>> Two suggestions for /etc/sysconfig/autofs on ipaclient: >>> >>> 1. Set LOGGING="debug" >>> 2. Set SEARCH_BASE to >>> cn=default,cn=automount,dc=home,dc=zhukoff,dc=net. Your commented-out >>> line has default misspelled. >>> >>> Don't forget to restart autofs service >>> >>> rob >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From ondrejv at s3group.cz Thu Jul 7 06:52:56 2011 From: ondrejv at s3group.cz (Ondrej Valousek) Date: Thu, 07 Jul 2011 08:52:56 +0200 Subject: [Freeipa-users] Alternatives to freeipa In-Reply-To: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4E1557C8.70308@s3group.cz> 1. 
You can connect RH guests to AD - it works pretty much the same way as with IPA (IPA does many things the same way as AD). The only slight difference you might find with Kerberos configuration. Check my blog: http://*ondarnfs*.blogspot.com for more 2. AD does *not* come for free. As far as I know the license for AD controller + all CALs for guests costs quite some money 3. Yes, with freeIPA and all the installers, the things are quite easy. With AD you have to do lot of things manually, but it will work. In summary I would say it is worth considering if you already have an AD controller in place. Ondrej On 06.07.2011 22:30, Steven Jones wrote: > Not knowing much about connection to AD directly with RH guests....hopefully some ppl do... > > Advantages for AD > 1) Zero first cost > > Disadvantages > 1) Manual setup > 2) managability? > access control? > other things? > > > From 3 days of googling I can find few or little info on the usefulness and practicality of connecting and using AD for linux authentication and authorisation in Enterprise situations....is it really used in an Enterprise? it looks like it might be OK for say 5 users where security isnt a concern for instance.... > > If anyone has actual experience to share that would be good.... > > > regards > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... 
From ondrejv at s3group.cz Thu Jul 7 12:36:17 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Thu, 07 Jul 2011 14:36:17 +0200
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E0DDAB5.1060609@redhat.com>
References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz> <4E0C965D.908@redhat.com> <4E0D7BEB.5070606@s3group.cz> <4E0DDAB5.1060609@redhat.com>
Message-ID: <4E15A841.8000706@s3group.cz>

On 01.07.2011 16:33, Adam Young wrote:
> With automount, what we found is that there is a wide array of implementation approaches. Based on talking with people that are interested in IPA, we found that people can't even agree on whether the users home directories should be automatically created when the user is added to the system. Often, people have multiple locations, and the user does not get a home directory for a location until they need it. Thus, we've taken the blank slate approach to automount policy.

Ok, I did not mention automounter maps at this point, I only discussed the very first step - how to bind automounter to our DS.
And there, as I believe, should be wide consensus that the approach described above is the best (I even believe that anonymous binds to the DS should be forbidden by default - the same way AD does).

By having it a part of the ipa-client-install procedure we would sort out many questions about not-working automounter (see the recent discussion on this list) so admins can directly concentrate on the automounter maps.

Will I get any attention if I submit a RFE into the RedHat bugzilla? I can try to code something myself but I am not too good in python :-( .

Thanks,
Ondrej
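The not-working automounter cases in this thread came down to two client-side settings (nsswitch.conf without ldap on the automount line, and a mistyped SEARCH_BASE in /etc/sysconfig/autofs) plus Rob's suggestion to read the 389-ds access log on the server. The script below is an added example, not code from the list, from autofs or from FreeIPA: it checks those settings and pairs each SRCH in an access log with its RESULT; the file paths, the expected base dc=example,dc=com and the sample log lines are constructed, following the 389-ds access log layout as I know it.

```shell
#!/bin/sh
# autofs_ldap_check.sh (added example): diagnose the two silent autofs
# failures from this thread and summarise what the directory server saw.
#   1. /etc/nsswitch.conf lacks "ldap" on the automount: line, so autofs only
#      reads local map files and never asks the directory at all.
#   2. /etc/sysconfig/autofs carries a mistyped SEARCH_BASE, so every map
#      lookup comes back with zero entries (err=32, no such object).
# Assumed usage (paths are examples):
#   check_autofs_client /etc/nsswitch.conf /etc/sysconfig/autofs \
#       "cn=default,cn=automount,dc=example,dc=com"
#   summarize_ds_access /var/log/dirsrv/slapd-EXAMPLE-COM/access

# Succeeds only if an uncommented "automount:" line lists the ldap source.
nsswitch_has_ldap() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '^[[:space:]]*automount:' |
        grep -qw 'ldap'
}

# Print the effective value of variable $2 in the shell-style file $1: the
# last uncommented assignment wins and surrounding double quotes are dropped.
autofs_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Report misconfigurations; the return code is the number of problems found.
#   $1 nsswitch.conf   $2 sysconfig/autofs   $3 expected SEARCH_BASE
check_autofs_client() {
    nss=$1 conf=$2 want_base=$3 problems=0
    if ! nsswitch_has_ldap "$nss"; then
        echo "PROBLEM: $nss: 'automount:' does not list ldap; only local maps are consulted"
        problems=$((problems + 1))
    fi
    if [ -z "$(autofs_var "$conf" LDAP_URI)" ]; then
        echo "PROBLEM: $conf: LDAP_URI is not set (a host-less ldap:///<base> URI lets autofs discover the server itself)"
        problems=$((problems + 1))
    fi
    base=$(autofs_var "$conf" SEARCH_BASE)
    if [ -z "$base" ]; then
        echo "PROBLEM: $conf: SEARCH_BASE is not set"
        problems=$((problems + 1))
    elif [ "$base" != "$want_base" ]; then
        echo "PROBLEM: $conf: SEARCH_BASE is '$base', expected '$want_base' (typo?)"
        problems=$((problems + 1))
    fi
    # Schema names autofs needs for IPA-managed maps, as posted in the thread.
    for v in MAP_OBJECT_CLASS ENTRY_OBJECT_CLASS MAP_ATTRIBUTE ENTRY_ATTRIBUTE VALUE_ATTRIBUTE; do
        if [ -z "$(autofs_var "$conf" "$v")" ]; then
            echo "PROBLEM: $conf: $v is not set"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Pair each SRCH with its RESULT (matched on conn= and op=) and print
# base<TAB>filter<TAB>err<TAB>nentries, so a wrong base stands out as
# err=32 with nentries=0 instead of hiding in a busy log.
summarize_ds_access() {
    awk '
        # Return the match of regex re in $0, minus pre leading and post trailing chars.
        function field(re, pre, post) {
            match($0, re)
            return substr($0, RSTART + pre, RLENGTH - pre - post)
        }
        / SRCH / {
            key = field("conn=[0-9]+ op=[0-9]+", 0, 0)
            base[key] = field("base=\"[^\"]*\"", 6, 1)
            filt[key] = field("filter=\"[^\"]*\"", 8, 1)
        }
        / RESULT / {
            key = field("conn=[0-9]+ op=[0-9]+", 0, 0)
            if (key in base) {
                print base[key] "\t" filt[key] "\t" field("err=[0-9]+", 4, 0) "\t" field("nentries=[0-9]+", 9, 0)
                delete base[key]; delete filt[key]
            }
        }' "$1"
}
```

Run it on the client first; only if the client check is clean is the access-log summary worth reading.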
From rcritten at redhat.com Thu Jul 7 13:01:45 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 07 Jul 2011 09:01:45 -0400
Subject: [Freeipa-users] Automounter maps
In-Reply-To: <4E15A841.8000706@s3group.cz>
References: <4E0C8B91.2050602@s3group.cz> <4E0C8E60.8000806@redhat.com> <4E0C9153.6000602@s3group.cz> <4E0C965D.908@redhat.com> <4E0D7BEB.5070606@s3group.cz> <4E0DDAB5.1060609@redhat.com> <4E15A841.8000706@s3group.cz>
Message-ID: <4E15AE39.4050201@redhat.com>

Ondrej Valousek wrote:
> Ok, I did not mention automounter maps at this point, I only discussed the very first step - how to bind automounter to our DS.
> And there, as I believe, should be wide consensus that the approach described above is the best (I even believe that anonymous binds to the DS should be forbidden by default - the same way AD does).
>
> By having it a part of the ipa-client-install procedure we would sort out many questions about not-working automounter (see the recent discussion on this list) so admins can directly concentrate on the automounter maps.
>
> Will I get any attention if I submit a RFE into the RedHat bugzilla? I can try to code something myself but I am not too good in python :-( .

We have a ticket opened in our tracker for this, https://fedorahosted.org/freeipa/ticket/1233 . We probably won't have a chance to look at this for a while.
rob

From pavel at zhukoff.net Thu Jul 7 16:49:49 2011
From: pavel at zhukoff.net (Pavel Zhukov)
Date: Thu, 07 Jul 2011 20:49:49 +0400
Subject: [Freeipa-users] FreeIPA automount
In-Reply-To: <4E15562C.5000901@s3group.cz>
References: <4E145F01.3030703@redhat.com> <4E14D0A0.30200@redhat.com> <4E15562C.5000901@s3group.cz>

Ondrej, thank you a lot!!
I've added ldap to nsswitch.conf, automount for auto.share works.

On Thu, 07 Jul 2011 08:46:04 +0200
Ondrej Valousek wrote:
> Check your /etc/nsswitch.conf.
> It must read:
>
> automount: files ldap
>
> If you have the latest automounter installed you can also try:
>
> # automount -m
>
> .. to see if the automounter really sees all your maps
>
> Ondrej

--
Regards
Pavel Zhukov
pavel at zhukoff.net

From Steven.Jones at vuw.ac.nz Thu Jul 7 20:10:47 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 7 Jul 2011 20:10:47 +0000
Subject: [Freeipa-users] Alternatives to freeipa
In-Reply-To: <4E1557C8.70308@s3group.cz>
References: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E1557C8.70308@s3group.cz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E402E6D44E0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Thanks for the link, about the best comments/info I've seen yet. We don't pay CALs as we get educational pricing, so AD is a few hundred $ for the OS and nothing more. Up against free, Freeipa's cost will be a hard sell.

So far I've spent 4 days and been unable to connect to AD.....the latest is when I run authconfig-tui in 6.1 and it segfaults, this is with RH support...it certainly isn't straightforward/simple.

Also looking for docs I see no sign of the functionality in AD that Free-ipa offers....right now I'm trying win2k8R2 to see if that has more than Win2k3R2....because the docs for win2k3r2 don't appear to have any functionality in terms of management.....maybe I can't find the right docs.

Looking at your blog it certainly covers stuff I haven't been able to find googling, but it looks like a lot of manual work? setting up 300 RH machines manually would be no trivial task, unlike "ipa-client-install" which is very trivial by comparison and very easy to manage.

I have got likewise express to work but anyone in the AD can connect/login so it's useless in terms of management, but of course it's free. Kind of makes IPA shine.
regards

From dpal at redhat.com Thu Jul 7 23:20:24 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 07 Jul 2011 19:20:24 -0400
Subject: [Freeipa-users] Alternatives to freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E402E6D44E0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E1557C8.70308@s3group.cz> <833D8E48405E064EBC54C84EC6B36E402E6D44E0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E163F38.3050501@redhat.com>

On 07/07/2011 04:10 PM, Steven Jones wrote:
> Hi,
>
> Thanks for the link, about the best comments/info I've seen yet. We don't pay CALs as we get educational pricing, so AD is a few hundred $ for the OS and nothing more. Up against free, Freeipa's cost will be a hard sell.
>
> So far I've spent 4 days and been unable to connect to AD.....the latest is when I run authconfig-tui in 6.1 and it segfaults, this is with RH support...it certainly isn't straightforward/simple.

I thought there was a better alternative to authconfig-tui...

> Also looking for docs I see no sign of the functionality in AD that Free-ipa offers....right now I'm trying win2k8R2 to see if that has more than Win2k3R2....because the docs for win2k3r2 don't appear to have any functionality in terms of management.....maybe I can't find the right docs.
>
> Looking at your blog it certainly covers stuff I haven't been able to find googling, but it looks like a lot of manual work? setting up 300 RH machines manually would be no trivial task, unlike "ipa-client-install" which is very trivial by comparison and very easy to manage.
>
> I have got likewise express to work but anyone in the AD can connect/login so it's useless in terms of management, but of course it's free. Kind of makes IPA shine.
>
> regards

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Thu Jul 7 23:50:03 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 7 Jul 2011 23:50:03 +0000
Subject: [Freeipa-users] Alternatives to freeipa
In-Reply-To: <4E163F38.3050501@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E1557C8.70308@s3group.cz> <833D8E48405E064EBC54C84EC6B36E402E6D44E0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E163F38.3050501@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E402E6D5838@STAWINCOX10MBX1.staff.vuw.ac.nz>

8><--------.
I thought there was a better alternative to authconfig-tui...
6><----

I normally type setup, which gives you a splash popup that takes you to the auth config tool, but that dies silently.....doing authconfig-tui shows you the python failures....at least I assume that's what the tracebacks ending in "py" are....

However if I don't blindly follow support's advice they wash their hands of the call.....so I have to do it their way.

regards

From dpal at redhat.com Fri Jul 8 00:11:45 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 07 Jul 2011 20:11:45 -0400
Subject: [Freeipa-users] Alternatives to freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E402E6D5838@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E1557C8.70308@s3group.cz> <833D8E48405E064EBC54C84EC6B36E402E6D44E0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E163F38.3050501@redhat.com> <833D8E48405E064EBC54C84EC6B36E402E6D5838@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E164B41.1090808@redhat.com>

On 07/07/2011 07:50 PM, Steven Jones wrote:
> 8><--------.
> I thought there was a better alternative to authconfig-tui...
> 6><----
>
> I normally type setup, which gives you a splash popup that takes you to the auth config tool, but that dies silently.....doing authconfig-tui shows you the python failures....at least I assume that's what the tracebacks ending in "py" are....
>
> However if I don't blindly follow support's advice they wash their hands of the call.....so I have to do it their way.
>
> regards

I see, but to the best of my knowledge they are two different code bases so one dying silently and another producing stack trace might be unrelated to each other.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Fri Jul 8 12:18:32 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 08 Jul 2011 08:18:32 -0400
Subject: [Freeipa-users] Alternatives to freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E402E6D5838@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E1557C8.70308@s3group.cz> <833D8E48405E064EBC54C84EC6B36E402E6D44E0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E163F38.3050501@redhat.com> <833D8E48405E064EBC54C84EC6B36E402E6D5838@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1310127517.2431.1.camel@sgallagh520.bos.redhat.com>

On Thu, 2011-07-07 at 23:50 +0000, Steven Jones wrote:
> 8><--------.
> I thought there was a better alternative to authconfig-tui...
> 6><----
>
> I normally type setup, which gives you a splash popup that takes you to the auth config tool, but that dies silently.....doing authconfig-tui shows you the python failures....at least I assume that's what the tracebacks ending in "py" are....
>
> However if I don't blindly follow support's advice they wash their hands of the call.....so I have to do it their way.
Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.

From ondrejv at s3group.cz Fri Jul 8 12:29:36 2011
From: ondrejv at s3group.cz (Ondrej Valousek)
Date: Fri, 08 Jul 2011 14:29:36 +0200
Subject: [Freeipa-users] Alternatives to freeipa
In-Reply-To: <1310127517.2431.1.camel@sgallagh520.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E1557C8.70308@s3group.cz> <833D8E48405E064EBC54C84EC6B36E402E6D44E0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E163F38.3050501@redhat.com> <833D8E48405E064EBC54C84EC6B36E402E6D5838@STAWINCOX10MBX1.staff.vuw.ac.nz> <1310127517.2431.1.camel@sgallagh520.bos.redhat.com>
Message-ID: <4E16F830.4090804@s3group.cz>

Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or the ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and no one seems to care).

Ondrej

On 08.07.2011 14:18, Stephen Gallagher wrote:
> Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.
URL: From oliver at linux-kernel.at Fri Jul 8 12:35:03 2011 From: oliver at linux-kernel.at (=?windows-1252?Q?Oliver_Falk?=) Date: Fri, 8 Jul 2011 14:35:03 +0200 Subject: [Freeipa-users] Alternatives to freeipa In-Reply-To: <4E16F830.4090804@s3group.cz> References: <1310127517.2431.1.camel@sgallagh520.bos.redhat.com> Message-ID: Hi! ? Why do you think winbind is broken? It works fine on my machines? ? -of ? Von: ondrejv at s3group.cz [mailto:freeipa-users-bounces at redhat.com] Im Auftrag von Ondrej Valousek Gesendet: Freitag, 08. Juli 2011 14:30 An: freeipa-users at redhat.com Betreff: Re: [Freeipa-users] Alternatives to freeipa ? Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and none seems to care). Ondrej On 08.07.2011 14:18, Stephen Gallagher wrote: Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details. ? -------------- next part -------------- An HTML attachment was scrubbed... URL: From ondrejv at s3group.cz Fri Jul 8 12:50:38 2011 From: ondrejv at s3group.cz (Ondrej Valousek) Date: Fri, 08 Jul 2011 14:50:38 +0200 Subject: [Freeipa-users] Alternatives to freeipa In-Reply-To: References: <1310127517.2431.1.camel@sgallagh520.bos.redhat.com> Message-ID: <4E16FD1E.2050001@s3group.cz> https://bugzilla.redhat.com/show_bug.cgi?id=652609 On 08.07.2011 14:35, Oliver Falk wrote: > > Hi! > > Why do you think winbind is broken? It works fine on my machines? 
> > -of > > *Von:*ondrejv at s3group.cz [mailto:freeipa-users-bounces at redhat.com] *Im Auftrag von *Ondrej Valousek > *Gesendet:* Freitag, 08. Juli 2011 14:30 > *An:* freeipa-users at redhat.com > *Betreff:* Re: [Freeipa-users] Alternatives to freeipa > > Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring > winbind or ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken > in the last versions of Samba and none seems to care). > > Ondrej > > On 08.07.2011 14:18, Stephen Gallagher wrote: > > Last I heard, authconfig-tui was deprecated and could be expected not to > work with SSSD (aka for freeipa-client). What you want to use is either > authconfig-gtk (if you need a graphical interface) or just use > authconfig from the command-line and pass it the appropriate arguments. > See 'authconfig --help' for details. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Fri Jul 8 12:54:15 2011 From: simo at redhat.com (Simo Sorce) Date: Fri, 08 Jul 2011 08:54:15 -0400 Subject: [Freeipa-users] Alternatives to freeipa In-Reply-To: <4E16F830.4090804@s3group.cz> References: <833D8E48405E064EBC54C84EC6B36E402E6D2AC3@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4E1557C8.70308@s3group.cz> <833D8E48405E064EBC54C84EC6B36E402E6D44E0@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4E163F38.3050501@redhat.com> <833D8E48405E064EBC54C84EC6B36E402E6D5838@STAWINCOX10MBX1.staff.vuw.ac.nz> <1310127517.2431.1.camel@sgallagh520.bos.redhat.com> <4E16F830.4090804@s3group.cz> Message-ID: <1310129655.8182.58.camel@willson.li.ssimo.org> On Fri, 2011-07-08 at 14:29 +0200, Ondrej Valousek wrote: > Authconfig will definitely help you to configure nsswitch.conf and > Kerberos (i.e. 
the easy bits), but the hard work with configuring > winbind or ldap library has to be done manually anyway (assuming > winbind is working correctly - unfortunately winbind is hopelessly > broken in the last versions of Samba and none seems to care). What is broken ? I certainly do care. Please reply privately, as this is not the right place to discuss other projects bugs. Simo. -- Simo Sorce * Red Hat, Inc * New York From oliver at linux-kernel.at Fri Jul 8 13:00:48 2011 From: oliver at linux-kernel.at (=?windows-1252?Q?Oliver_Falk?=) Date: Fri, 8 Jul 2011 15:00:48 +0200 Subject: [Freeipa-users] Alternatives to freeipa In-Reply-To: <4E16FD1E.2050001@s3group.cz> References: Message-ID: OK? Since winbind is somewhat off topic here, I?ve commented in the bugreport. ? -of ? Von: Ondrej Valousek [mailto:ondrejv at s3group.cz] Gesendet: Freitag, 08. Juli 2011 14:51 An: Oliver Falk Cc: freeipa-users at redhat.com Betreff: Re: AW: [Freeipa-users] Alternatives to freeipa ? https://bugzilla.redhat.com/show_bug.cgi?id=652609 On 08.07.2011 14:35, Oliver Falk wrote: Hi! ? Why do you think winbind is broken? It works fine on my machines? ? -of ? Von: ondrejv at s3group.cz [mailto:freeipa-users-bounces at redhat.com] Im Auftrag von Ondrej Valousek Gesendet: Freitag, 08. Juli 2011 14:30 An: freeipa-users at redhat.com Betreff: Re: [Freeipa-users] Alternatives to freeipa ? Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and none seems to care). Ondrej On 08.07.2011 14:18, Stephen Gallagher wrote: Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). 
What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.

From simo at redhat.com Fri Jul 8 13:02:11 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 08 Jul 2011 09:02:11 -0400
Subject: [Freeipa-users] Alternatives to freeipa
In-Reply-To: <4E16FD1E.2050001@s3group.cz>
References: <1310127517.2431.1.camel@sgallagh520.bos.redhat.com> <4E16FD1E.2050001@s3group.cz>
Message-ID: <1310130131.8182.66.camel@willson.li.ssimo.org>

On Fri, 2011-07-08 at 14:50 +0200, Ondrej Valousek wrote:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=652609

Last comment, as this is totally OT.

Winbindd has been *designed* to use the user's primary SID as the primary GID, there are reasons as to why that's needed for CIFS*
You may argue you don't like the behavior, you can try to ask upstream to change it (unlikely to happen but hey), but it is not broken. It works as advertised (ie primary gidnumber is ignored on user entries), please do not spread FUD.

Simo.

*For the same reason we ignore the old primary group Sid ldap attribute on samba DCs with an ldap backend and instead force to use the primary gid to determine the primary group sid. The reason is that we cannot handle properly when admins mess up and put a primary sid and a primary gid that do not translate into each other. So the only reasonable thing to do in this case to avoid problems is to just ignore the 'non-authoritative' setting on the backend being used. On a Samba server with LDAP the authoritative id is the gidNumber. On AD (obviously) the authoritative one is the primary group Sid, so gidNumber is ignored.

-- 
Simo Sorce * Red Hat, Inc * New York

From mcry0802 at stcloudstate.edu Fri Jul 8 18:21:34 2011
From: mcry0802 at stcloudstate.edu (McDougall, Ryan P.
[mcry0802@stcloudstate.edu]) Date: Fri, 8 Jul 2011 18:21:34 +0000 Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreIPA V2 Message-ID: When joining a client to a FreeIPA server installed on F15, I get the error quoted in the subject. The install of the server went well with no errors during the process. I've been looking all over and I can't seem to find anything related to this on the forums and I haven't heard back from anyone yet in IRC. Is this a known issue? -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Fri Jul 8 18:30:42 2011 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 08 Jul 2011 14:30:42 -0400 Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreIPA V2 In-Reply-To: References: Message-ID: <4E174CD2.4040101@redhat.com> On 07/08/2011 02:21 PM, McDougall, Ryan P. [mcry0802 at stcloudstate.edu] wrote: > > When joining a client to a FreeIPA server installed on F15, I get the > error quoted in the subject. The install of the server went well with > no errors during the process. I've been looking all over and I can't > seem to find anything related to this on the forums and I haven't > heard back from anyone yet in IRC. Is this a known issue? > > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users I just started yesterday. Libcurl upgrade broke IPA. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... 
From rcritten at redhat.com Fri Jul 8 18:45:42 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Jul 2011 14:45:42 -0400
Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreIPA V2
In-Reply-To:
References:
Message-ID: <4E175056.3020406@redhat.com>

McDougall, Ryan P. [mcry0802 at stcloudstate.edu] wrote:
> When joining a client to a FreeIPA server installed on F15, I get the
> error quoted in the subject. The install of the server went well with no
> errors during the process. I've been looking all over and I can't seem
> to find anything related to this on the forums and I haven't heard back
> from anyone yet in IRC. Is this a known issue?

This is caused by a recent update to libcurl that removed its ability to delegate tickets. Bugs have been opened against curl to add support for delegation and a bug against xmlrpc-c to take advantage of this new API.

There is currently no ETA on a fix.

The only workaround I've come up with so far is:

- On the server: manually add a host entry for your client: ipa host-add client.example.com
- Add the --force flag to ipa-client-install. This will allow it to continue past the enrolment failure
- On the client: kinit admin
- On the client: ipa-getkeytab -s ipa.example.com -p client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
- On the client: service sssd restart

There will be no SSL server cert in /etc/pki/nssdb because certmonger can't communicate with the IPA backend.

rob

From dpal at redhat.com Fri Jul 8 18:51:33 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 08 Jul 2011 14:51:33 -0400
Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreIPA V2
In-Reply-To: <4E175056.3020406@redhat.com>
References: <4E175056.3020406@redhat.com>
Message-ID: <4E1751B5.8060000@redhat.com>

On 07/08/2011 02:45 PM, Rob Crittenden wrote:
> McDougall, Ryan P.
> [mcry0802 at stcloudstate.edu] wrote:
>> When joining a client to a FreeIPA server installed on F15, I get the
>> error quoted in the subject. The install of the server went well with no
>> errors during the process. I've been looking all over and I can't seem
>> to find anything related to this on the forums and I haven't heard back
>> from anyone yet in IRC. Is this a known issue?
>
> This is caused by a recent update to libcurl that removed its ability
> to delegate tickets. Bugs have been opened against curl to add support
> for delegation and a bug against xmlrpc-c to take advantage of this
> new API.
>
> There is currently no ETA on a fix.
>
> The only workaround I've come up with so far is:
>
> - On the server: manually add a host entry for your client: ipa
> host-add client.example.com
> - Add the --force flag to ipa-client-install. This will allow it to
> continue past the enrolment failure
> - On the client: kinit admin
> - On the client: ipa-getkeytab -s ipa.example.com -p
> client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> - On the client: service sssd restart
>
> There will be no SSL server cert in /etc/pki/nssdb because certmonger
> can't communicate with the IPA backend.
>

I wonder, is there an option to roll back libcurl...

> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simo at redhat.com Fri Jul 8 18:53:39 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 08 Jul 2011 14:53:39 -0400
Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreIPA V2
In-Reply-To: <4E175056.3020406@redhat.com>
References: <4E175056.3020406@redhat.com>
Message-ID: <1310151219.8182.104.camel@willson.li.ssimo.org>

On Fri, 2011-07-08 at 14:45 -0400, Rob Crittenden wrote:
> McDougall, Ryan P. [mcry0802 at stcloudstate.edu] wrote:
> > When joining a client to a FreeIPA server installed on F15, I get the
> > error quoted in the subject. The install of the server went well with no
> > errors during the process. I've been looking all over and I can't seem
> > to find anything related to this on the forums and I haven't heard back
> > from anyone yet in IRC. Is this a known issue?
>
> This is caused by a recent update to libcurl that removed its ability to
> delegate tickets. Bugs have been opened against curl to add support for
> delegation and a bug against xmlrpc-c to take advantage of this new API.
>
> There is currently no ETA on a fix.
>
> The only workaround I've come up with so far is:
>
> - On the server: manually add a host entry for your client: ipa host-add
> client.example.com
> - Add the --force flag to ipa-client-install. This will allow it to
> continue past the enrolment failure
> - On the client: kinit admin
> - On the client: ipa-getkeytab -s ipa.example.com -p
> client.example.com at EXAMPLE.COM -k /etc/krb5.keytab
> - On the client: service sssd restart
>
> There will be no SSL server cert in /etc/pki/nssdb because certmonger
> can't communicate with the IPA backend.

The other option is to downgrade curl to a previously working version, although the upgrade was supposedly a security fix and the fix was to remove this functionality ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From DLWillson at TheGeek.NU Sat Jul 9 19:02:37 2011
From: DLWillson at TheGeek.NU (David L.
Willson) Date: Sat, 09 Jul 2011 13:02:37 -0600 (MDT) Subject: [Freeipa-users] Replica install breaking on DS step 23 of 27 (master-entry.ldif) In-Reply-To: <968fd41e-61b8-424c-bd7e-12df97494a10@dlwillson-laptop> Message-ID: <1a3d263f-5a2e-4ae1-9285-eb83429e6bb9@dlwillson-laptop> Second round of tries today. I've tried dropping the firewall on both servers, and disabling enforcement for SELinux, and a full yum upgrade. No change in the symptoms so far... :-( Attached is /var/log/ipa* and below is my console output. Any hints? Clues? Links to things I should know to read? ------------------------------------------------------------- [rmsel-admin at vizzini ~]$ sudo ipa-replica-install --setup-dns --forwarder=205.171.3.65 --forwarder=205.171.2.65 replica-info-vizzini.rmsel.org.gpg Directory Manager (existing master) password: Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server: Estimated time 1 minute [1/27]: creating directory server user [2/27]: creating directory server instance [3/27]: adding default schema [4/27]: enabling memberof plugin [5/27]: enabling referential integrity plugin [6/27]: enabling winsync plugin [7/27]: configuring replication version plugin [8/27]: enabling IPA enrollment plugin [9/27]: enabling ldapi [10/27]: configuring uniqueness plugin [11/27]: configuring uuid plugin [12/27]: configuring modrdn plugin [13/27]: enabling entryUSN plugin [14/27]: configuring lockout plugin [15/27]: creating indices [16/27]: configuring ssl for ds instance [17/27]: configuring certmap.conf [18/27]: configure autobind for root [19/27]: restarting directory server [20/27]: setting up initial replication Starting replication, please wait until this has completed. 
Update in progress Update in progress Update in progress Update in progress Update in progress Update succeeded [21/27]: adding replication acis [22/27]: initializing group membership [23/27]: adding master entry root : CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -h vizzini.rmsel.org -v -f /tmp/tmp0uC6BQ -x -D cn=Directory Manager -y /tmp/tmp4KPcxN' returned non-zero exit status 32 [24/27]: configuring Posix uid/gid generation [25/27]: enabling compatibility plugin [26/27]: tuning directory server Custom file limits are already set! Skipping [27/27]: configuring directory to start on boot done configuring dirsrv. Configuring Kerberos KDC: Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: writing stash file from DS [3/10]: configuring KDC [4/10]: creating a keytab for the directory creation of replica failed: [Errno 2] No such file or directory: '/etc/dirsrv/ds.keytab' Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. -------------- next part -------------- A non-text attachment was scrubbed... Name: ipa-logs.tgz Type: application/x-compressed-tar Size: 21664 bytes Desc: not available URL: From sigbjorn at nixtra.com Mon Jul 11 18:31:07 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 11 Jul 2011 20:31:07 +0200 (CEST) Subject: [Freeipa-users] Using NexentaStor with FreeIPA In-Reply-To: References: <1309257296.8363.4.camel@jojo.apris.de> <4E09FA5F.5060505@redhat.com> <45537.92.40.121.155.1309278956.squirrel@www.nixtra.com> Message-ID: <37189.192.168.210.177.1310409067.squirrel@www.nixtra.com> On Tue, June 28, 2011 20:14, Natxo Asenjo wrote: > On Tue, Jun 28, 2011 at 6:35 PM, Sigbjorn Lie wrote: > >> In my NexentaStor configuration, the NFS service is using FreeIPA (nss_ldap+krb5), and the CIFS >> service is using Active Directory (nss_ad) for user authentication. > > that is awesome! Could you write an instruction of how you did that? 
> > Next month a big server with plenty of disks will be decommissioned
> and I want to take a look at nexentastor, and kerberos would be a big plus.
>

Sorry for the late reply, I've been away travelling, and this email required more than 2 minutes to write. :)

Making NexentaStor speak to AD and LDAP/IPA is easy, adding krb5 for NFS is a bit more tricky.

First part: CIFS + NFS, no Kerberos:

Configure the CIFS service to join AD, and configure the LDAP client to point at IPA. Use the following configuration for LDAP. REMEMBER to edit /etc/nsswitch.ldap before applying the LDAP configuration. Failing to do so will freeze NexentaStor, as all services will be configured to use LDAP, and maps such as protocols and services are not served by IPA. You'll do this in a shell using expert_mode in the NMC. The only maps in /etc/nsswitch.ldap that should be configured for ldap lookup are passwd, group, and netgroup.

Make the following changes under Settings -> Misc Services -> LDAP client -> Configure.

LDAP config type: manual
Profile name:
Groups Service Descriptor: cn=groups,cn=compat,dc=ix,dc=test,dc=com
Netgroup Service Descriptor: cn=ng,cn=compat,dc=ix,dc=test,dc=com
Credential Level: anonymous
Domain name:
Base DN: dc=ix,dc=test,dc=com
LDAP Authentication password:
LDAP Servers: ipa01.ix.test.com, ipa02.ix.test.com
Authentication Method: none
Proxy DN:
Proxy Password:
Users Service Descriptor: cn=users,cn=compat,dc=ix,dc=test,dc=com

In a shell using expert_mode, edit nsswitch.conf as follows:

passwd: files ldap ad
group: files ldap ad

This will make Nexenta look for Unix accounts and groups in IPA first, before looking up the rest from Active Directory.

Second part, adding Kerberos to NFSv4: NFS + KRB5:

After the server has been joined to AD, scp the /etc/krb5/krb5.keytab file from the NexentaStor server to the IPA server.
Add a host entry for the NexentaStor server to IPA, then retrieve the Kerberos keytab and add it to the krb5.keytab file copied from the NexentaStor machine. This is required as the NFS service and the CIFS service share the same krb5.keytab file.

$ ipa-getkeytab -s ipa-server -p nexentastorserver.fqdn -k /path/to/nexentastor/krb5.keytab

scp the modified krb5.keytab file back onto the NexentaStor server at /etc/krb5/krb5.keytab.

Edit /etc/nsswitch.conf again, make sure "ad" is still present for passwd and group, if not, add it back in.

Remove /etc/krb5/krb5.conf,v (a bug in NexentaStor makes this file re-appear with old contents, even if it's edited through the NMC).

Edit /etc/krb5/krb5.conf, add a section under [realms] for your IPA domain. I've specified admin_server, kdc, and kpasswd_server for all my IPA servers. Add "allow_weak_crypto = true" under libdefaults to widen the support for Linux clients. Set "default_realm = IPA-REALM-CAPITAL-LETTERS"

Add a section for the IPA domain under [domain_realm]:
.ipa-domain.com = IPA-REALM-CAPITAL-LETTERS
ipa-domain.com = IPA-REALM-CAPITAL-LETTERS

Edit /etc/defaultdomain, create the file if it does not exist already, and add the IPA domain.

Edit /etc/resolv.conf:
search addomain.com ipadomain.com
domain addomain.com
nameserver
nameserver

I have also configured my IPA DNS server to forward any requests for my AD domain directly to the AD DNS servers. This should not be required if your domains are delegated properly, but it speeds AD requests up a bit. :)

The addomain must be the first domain listed to make the nss_ad module work.

Switch back to the NMC, and edit the nfs defaults file:
NMC: $ setup network service nfs-server edit-settings

Uncomment and modify:
NFSMAPID_DOMAIN=ipa-domain

Restart the NFS service.
NMC $ setup network service nfs-server restart

That's it. Your NexentaStor server will now look up LDAP/IPA users and groups first, and then generate UIDs/GIDs for any other users/groups only found in AD.
Regards,
Siggi

From mcry0802 at stcloudstate.edu Tue Jul 12 17:36:12 2011
From: mcry0802 at stcloudstate.edu (McDougall, Ryan P. [mcry0802@stcloudstate.edu])
Date: Tue, 12 Jul 2011 17:36:12 +0000
Subject: [Freeipa-users] Using Automount for NFS
Message-ID:

Would anyone be able to give me an example of how to configure autofs with the fstab, or tell me where I went wrong? I am having trouble getting things to work. The main thing is that the permissions don't seem to be correct for the home directories that we are creating for users, because when a user logs in, their home directory will be created, but it will say permission denied when it tries to change directory to it. The weird thing is that they then start in root, but can then change to their home directory. Any help would be appreciated!

I attached sanitized versions of our configuration files.

Thanks,

Ryan McDougall

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: autofsop.txt
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: fstabop.txt
URL:

From rcritten at redhat.com Wed Jul 13 13:37:45 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jul 2011 09:37:45 -0400
Subject: [Freeipa-users] Using Automount for NFS
In-Reply-To:
References:
Message-ID: <4E1D9FA9.7070907@redhat.com>

McDougall, Ryan P. [mcry0802 at stcloudstate.edu] wrote:
> Would anyone be able to give me an example of how to configure autofs
> with the fstab, or tell me where I went wrong? I am having trouble
> getting things to work. The main thing is that the permissions don't
> seem to be correct for the home directories that we are creating for
> users, because when a user logs in, their home directory will be
> created, but it will say permission denied when it tries to change
> directory to it.
> The weird thing is that they then start in root, but can then
> change to their home directory. Any help would be appreciated!
>
> I attached sanitized versions of our configuration files.
>
> Thanks,
>
> Ryan McDougall

Maybe the SELinux context is not correct. Is the ownership otherwise ok?

Can you look in /var/log/audit/audit.log on the client machine to see if an AVC is raised?

Also, can you see if you have the oddjob-mkhomedir package installed on the client?

thanks

rob

From louis.coilliot at think.fr Thu Jul 14 08:39:42 2011
From: louis.coilliot at think.fr (Louis Coilliot)
Date: Thu, 14 Jul 2011 09:39:42 +0100
Subject: [Freeipa-users] Failure of ipa-client-install
Message-ID:

Hello,

The server side (station8) is a freshly installed ipa server on Fedora 15 with freeipa-server-2.0.1-2.fc15.x86_64

The client side (station7) is a RHEL 6.1 with ipa-client-2.0.0-23.el6.x86_64
Or another Fedora 15 OS (same behaviour)

The symptom is:
# ipa-client-install --server station8.example.com --domain example.com -d
(...)
Discovery was successful!
(...)
Hostname: station7.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: station8.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
(...)
Password for admin at EXAMPLE.COM:
root : DEBUG args=kinit admin at EXAMPLE.COM
root : DEBUG stdout=
root : DEBUG stderr=kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials

root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=kdestroy: No credentials cache found while destroying cache

kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials

I check krb5.conf, and I find:

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}

If I change it manually to:

[realms]
EXAMPLE.COM = {
kdc = station8.example.com
admin_server = station8.example.com
}

then the kinit is fine manually:

# kinit admin
Password for admin at EXAMPLE.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at EXAMPLE.COM

Valid starting Expires Service principal
07/13/11 13:59:09 07/14/11 13:59:05 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 07/20/11 13:59:05

But ipa-client-install still fails at this point.

Any idea?

Thanks in advance.

Louis Coilliot

From dlackey at redhat.com Thu Jul 14 21:11:12 2011
From: dlackey at redhat.com (Deon Lackey)
Date: Thu, 14 Jul 2011 17:11:12 -0400 (EDT)
Subject: [Freeipa-users] doc tickets
In-Reply-To: <1972168476.411234.1310677673599.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com>
Message-ID: <1075692736.411296.1310677872701.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com>

Hey, guys.

I have created a handful of doc tickets related to issues that have cropped up on the mailing list over the past couple of months.

Trac ticket report:

https://fedorahosted.org/freeipa-guide/report/3

This is for the freeipa-guide trac instance, not the freeipa trac instance. The freeipa instance is, of course, the real place to go for product tickets 'n' stuff.

Anyway, if I missed anything that any of you think is important, let me know.

https://fedorahosted.org/freeipa-guide/wiki/CommunityDocIssues

Thanks!
Deon

From sigbjorn at nixtra.com Thu Jul 14 21:36:16 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 14 Jul 2011 23:36:16 +0200
Subject: [Freeipa-users] doc tickets
In-Reply-To: <1075692736.411296.1310677872701.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com>
References: <1075692736.411296.1310677872701.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com>
Message-ID: <4E1F6150.5050404@nixtra.com>

Hi,

From: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/sudo.html

Compatibility Translation for Native Sudo

The native |sudo| binary does not yet support SSSD or the IPA Sudo Schema. As an interim solution, IPA has implemented a compatibility plug-in which transparently translates IPA Sudo rules into those supported by the current |sudo| binary.

What are the advantages of the IPA Sudo Schema compared to the LDAP Schema currently supported by sudo?

Regards,
Siggi

On 07/14/2011 11:11 PM, Deon Lackey wrote:
>
> Hey, guys.
>
> I have created a handful of doc tickets related to issues that have
> cropped up on the mailing list over the past couple of months.
>
> Trac ticket report:
>
> https://fedorahosted.org/freeipa-guide/report/3
>
> This is for the freeipa-guide trac instance, not the freeipa trac
> instance. The freeipa instance is, of course, the real place to go for
> product tickets 'n' stuff.
>
> Anyway, if I missed anything that any of you think is important, let
> me know.
>
> https://fedorahosted.org/freeipa-guide/wiki/CommunityDocIssues
>
> Thanks!
>
> Deon
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
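Two of the posts earlier in this digest turn on what is in krb5.conf: Siggi's NexentaStor write-up edits [realms], [domain_realm] and allow_weak_crypto by hand, and Louis's failing ipa-client-install came down to a [realms] entry naming kerberos.example.com instead of the actual KDC, station8.example.com. The following is an added example, not code from this thread, from FreeIPA or from MIT Kerberos: a small parser for the krb5.conf syntax plus a checker that reports a realm whose kdc entries do not include the server the client is being enrolled against, a [domain_realm] mapping to a realm that is never defined, and allow_weak_crypto left switched on. The sample file is constructed from the fragments quoted in the thread; the hostnames station8.example.com and kerberos.example.com are Louis's, and everything else (function names, finding texts, the .other.org line) is my own.

```python
"""Added example: parse a krb5.conf and flag the misconfigurations seen in
this thread. Not code from FreeIPA or MIT Kerberos; the sample is constructed."""
import re

# Constructed sample, modelled on the fragments quoted in the thread: the
# [realms] block the failing client had (kdc = kerberos.example.com) plus
# the libdefaults/domain_realm edits from the NexentaStor write-up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  allow_weak_crypto = true

[realms]
  EXAMPLE.COM = {
    kdc = kerberos.example.com
    admin_server = kerberos.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  .other.org = OTHER.ORG
"""

# Same file with kdc/admin_server pointed at the real IPA server (the manual
# fix Louis applied), weak crypto off and the stray mapping removed.
FIXED_KRB5_CONF = (
    SAMPLE_KRB5_CONF.replace("kerberos.example.com", "station8.example.com")
    .replace("allow_weak_crypto = true", "allow_weak_crypto = false")
    .replace("  .other.org = OTHER.ORG\n", "")
)


def parse_krb5_conf(text):
    """Parse the INI-like krb5.conf syntax into {section: {key: [values]}}.
    A 'NAME = { ... }' block (as used under [realms]) becomes a nested dict
    under its section. Comments (#) and blank lines are ignored."""
    sections = {}
    current = None   # dict for the current [section]
    block = None     # dict for the current 'NAME = { ... }' block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            continue  # stray text before the first section header
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = current.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if m:
            target = block if block is not None else current
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def check_krb5_conf(text, expected_kdcs=None):
    """Return a list of findings. expected_kdcs: hostnames the client is
    being enrolled against (the --server given to ipa-client-install); when
    given, every realm must list at least one of them as a kdc."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    findings = []

    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("libdefaults: no default_realm set")
    elif default_realm not in realms:
        findings.append(f"realms: default_realm {default_realm} has no [realms] entry")

    for name, realm in realms.items():
        if not isinstance(realm, dict):
            continue
        kdcs = [v.split(":")[0] for v in realm.get("kdc", [])]  # drop :port
        if not kdcs:
            findings.append(f"realms: {name} lists no kdc (relies on DNS SRV lookup)")
        elif expected_kdcs is not None and not set(kdcs) & set(expected_kdcs):
            findings.append(f"realms: {name} kdc entries {kdcs} do not include "
                            f"the enrolment server(s) {sorted(expected_kdcs)}")

    for domain, targets in conf.get("domain_realm", {}).items():
        for realm in (targets if isinstance(targets, list) else []):
            if realm not in realms:
                findings.append(f"domain_realm: {domain} maps to undefined realm {realm}")

    weak = libdefaults.get("allow_weak_crypto", ["false"])[0].lower()
    if weak in ("true", "yes", "1"):
        findings.append("libdefaults: allow_weak_crypto is on (single-DES enctypes "
                        "accepted); turn it off once all clients support AES")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(f"{label}:")
        for f in check_krb5_conf(text, {"station8.example.com"}) or ["no findings"]:
            print("  " + f)
```

Run as a script it prints three findings for the constructed sample and none for the fixed copy; in practice pass the --server value you gave ipa-client-install as expected_kdcs. The allow_weak_crypto finding is there because the write-up above turns it on to accommodate older Linux clients: it re-admits single-DES enctypes for every Kerberos consumer on the box, not just NFS, so it is worth revisiting once those clients are gone.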
From Steven.Jones at vuw.ac.nz Fri Jul 15 02:54:24 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 15 Jul 2011 02:54:24 +0000
Subject: [Freeipa-users] Using Automount for NFS
In-Reply-To:
References:
Message-ID: <833D8E48405E064EBC54C84EC6B36E40305F4937@STAWINCOX10MBX1.staff.vuw.ac.nz>

Did you put "+" in front of the path? in auto.master (or whatever, i forget the file)

regards

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of McDougall, Ryan P. [mcry0802 at stcloudstate.edu] [mcry0802 at stcloudstate.edu]
Sent: Wednesday, 13 July 2011 5:36 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Using Automount for NFS

Would anyone be able to give me an example of how to configure autofs with the fstab, or tell me where I went wrong? I am having trouble getting things to work. The main thing is that the permissions don't seem to be correct for the home directories that we are creating for users, because when a user logs in, their home directory will be created, but it will say permission denied when it tries to change directory to it. The weird thing is that they then start in root, but can then change to their home directory. Any help would be appreciated!

I attached sanitized versions of our configuration files.

Thanks,

Ryan McDougall

From DLWillson at TheGeek.NU Fri Jul 15 21:57:35 2011
From: DLWillson at TheGeek.NU (David L. Willson)
Date: Fri, 15 Jul 2011 15:57:35 -0600 (MDT)
Subject: [Freeipa-users] Replica install breaking ...
In-Reply-To: <1a3d263f-5a2e-4ae1-9285-eb83429e6bb9@dlwillson-laptop>
Message-ID:

Does anyone have an idea why this isn't working?

If fixing this one is too hard, is there a clean process I can follow to suck the data out of this installation, for implanting into a new one?

The only hard thing I've done so far is connect Zimbra and I'm reasonably sure I can re-do that, because I doc'd it when I did it (here, in fact).

David L.
Willson Trainer, Engineer, Enthusiast RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP tel://720.333.LANS Freedom is better when you earn it. Learn Linux. ----- Original Message ----- > From: "David L. Willson" > To: "freeipa-users" > Sent: Saturday, July 9, 2011 1:02:37 PM > Subject: Re: [Freeipa-users] Replica install breaking on DS step 23 of 27 (master-entry.ldif) > > Second round of tries today. > I've tried dropping the firewall on both servers, and disabling > enforcement for SELinux, and a full yum upgrade. > No change in the symptoms so far... :-( > Attached is /var/log/ipa* and below is my console output. > Any hints? Clues? Links to things I should know to read? > ------------------------------------------------------------- > [rmsel-admin at vizzini ~]$ sudo ipa-replica-install --setup-dns > --forwarder=205.171.3.65 --forwarder=205.171.2.65 > replica-info-vizzini.rmsel.org.gpg > Directory Manager (existing master) password: > > Configuring ntpd > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > done configuring ntpd. 
> Configuring directory server: Estimated time 1 minute > [1/27]: creating directory server user > [2/27]: creating directory server instance > [3/27]: adding default schema > [4/27]: enabling memberof plugin > [5/27]: enabling referential integrity plugin > [6/27]: enabling winsync plugin > [7/27]: configuring replication version plugin > [8/27]: enabling IPA enrollment plugin > [9/27]: enabling ldapi > [10/27]: configuring uniqueness plugin > [11/27]: configuring uuid plugin > [12/27]: configuring modrdn plugin > [13/27]: enabling entryUSN plugin > [14/27]: configuring lockout plugin > [15/27]: creating indices > [16/27]: configuring ssl for ds instance > [17/27]: configuring certmap.conf > [18/27]: configure autobind for root > [19/27]: restarting directory server > [20/27]: setting up initial replication > Starting replication, please wait until this has completed. > Update in progress > Update in progress > Update in progress > Update in progress > Update in progress > Update succeeded > [21/27]: adding replication acis > [22/27]: initializing group membership > [23/27]: adding master entry > root : CRITICAL Failed to load master-entry.ldif: Command > '/usr/bin/ldapmodify -h vizzini.rmsel.org -v -f /tmp/tmp0uC6BQ -x -D > cn=Directory Manager -y /tmp/tmp4KPcxN' returned non-zero exit > status 32 > [24/27]: configuring Posix uid/gid generation > [25/27]: enabling compatibility plugin > [26/27]: tuning directory server > Custom file limits are already set! Skipping > > [27/27]: configuring directory to start on boot > done configuring dirsrv. > Configuring Kerberos KDC: Estimated time 30 seconds > [1/10]: adding sasl mappings to the directory > [2/10]: writing stash file from DS > [3/10]: configuring KDC > [4/10]: creating a keytab for the directory > creation of replica failed: [Errno 2] No such file or directory: > '/etc/dirsrv/ds.keytab' > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. 
> > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Fri Jul 15 22:30:01 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jul 2011 18:30:01 -0400 Subject: [Freeipa-users] Replica install breaking ... In-Reply-To: References: Message-ID: <4E20BF69.3090504@redhat.com> David L. Willson wrote: > Does anyone have an idea why this isn't working? > > If fixing this one is too hard, is there clean process I can follow to suck the data out of this installation, for implanting into a new one? > > The only hard thing I've done so far is connect Zimbra and I'm reasonably sure I can re-do that, because I doc'd it when I did it (here, in fact). > > David L. Willson > Trainer, Engineer, Enthusiast > RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP > tel://720.333.LANS > Freedom is better when you earn it. Learn Linux. > > ----- Original Message ----- >> From: "David L. Willson" >> To: "freeipa-users" >> Sent: Saturday, July 9, 2011 1:02:37 PM >> Subject: Re: [Freeipa-users] Replica install breaking on DS step 23 of 27 (master-entry.ldif) >> >> Second round of tries today. >> I've tried dropping the firewall on both servers, and disabling >> enforcement for SELinux, and a full yum upgrade. >> No change in the symptoms so far... :-( >> Attached is /var/log/ipa* and below is my console output. >> Any hints? Clues? Links to things I should know to read? >> ------------------------------------------------------------- >> [rmsel-admin at vizzini ~]$ sudo ipa-replica-install --setup-dns >> --forwarder=205.171.3.65 --forwarder=205.171.2.65 >> replica-info-vizzini.rmsel.org.gpg >> Directory Manager (existing master) password: >> >> Configuring ntpd >> [1/4]: stopping ntpd >> [2/4]: writing configuration >> [3/4]: configuring ntpd to start on boot >> [4/4]: starting ntpd >> done configuring ntpd. 
>> Configuring directory server: Estimated time 1 minute >> [1/27]: creating directory server user >> [2/27]: creating directory server instance >> [3/27]: adding default schema >> [4/27]: enabling memberof plugin >> [5/27]: enabling referential integrity plugin >> [6/27]: enabling winsync plugin >> [7/27]: configuring replication version plugin >> [8/27]: enabling IPA enrollment plugin >> [9/27]: enabling ldapi >> [10/27]: configuring uniqueness plugin >> [11/27]: configuring uuid plugin >> [12/27]: configuring modrdn plugin >> [13/27]: enabling entryUSN plugin >> [14/27]: configuring lockout plugin >> [15/27]: creating indices >> [16/27]: configuring ssl for ds instance >> [17/27]: configuring certmap.conf >> [18/27]: configure autobind for root >> [19/27]: restarting directory server >> [20/27]: setting up initial replication >> Starting replication, please wait until this has completed. >> Update in progress >> Update in progress >> Update in progress >> Update in progress >> Update in progress >> Update succeeded >> [21/27]: adding replication acis >> [22/27]: initializing group membership >> [23/27]: adding master entry >> root : CRITICAL Failed to load master-entry.ldif: Command >> '/usr/bin/ldapmodify -h vizzini.rmsel.org -v -f /tmp/tmp0uC6BQ -x -D >> cn=Directory Manager -y /tmp/tmp4KPcxN' returned non-zero exit >> status 32 >> [24/27]: configuring Posix uid/gid generation >> [25/27]: enabling compatibility plugin >> [26/27]: tuning directory server >> Custom file limits are already set! Skipping >> >> [27/27]: configuring directory to start on boot >> done configuring dirsrv. >> Configuring Kerberos KDC: Estimated time 30 seconds >> [1/10]: adding sasl mappings to the directory >> [2/10]: writing stash file from DS >> [3/10]: configuring KDC >> [4/10]: creating a keytab for the directory >> creation of replica failed: [Errno 2] No such file or directory: >> '/etc/dirsrv/ds.keytab' >> >> Your system may be partly configured. 
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.

It is failing trying to create the ldap principal:

add_principal: Principal add failed: No such object while creating "ldap/vizzini.rmsel.org at RMSEL.ORG".

Can you look in the 389-ds access log on that machine to see what wasn't found?

rob

From dpal at redhat.com Wed Jul 20 21:46:05 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 20 Jul 2011 17:46:05 -0400
Subject: [Freeipa-users] doc tickets
In-Reply-To: <4E1F6150.5050404@nixtra.com>
References: <1075692736.411296.1310677872701.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com> <4E1F6150.5050404@nixtra.com>
Message-ID: <4E274C9D.2060803@redhat.com>

On 07/14/2011 05:36 PM, Sigbjorn Lie wrote:
> Hi,
>
> From:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/sudo.html
>
> Compatibility Translation for Native Sudo
>
> The native |sudo| binary does not yet support SSSD or the IPA Sudo
> Schema. As an interim solution, IPA has implemented a compatibility
> plug-in which transparently translates IPA Sudo rules into those
> supported by the current |sudo| binary.
>
> What are the advantages of the IPA Sudo Schema compared to the LDAP Schema
> currently supported by sudo?

http://www.freeipa.org/page/SUDO_Schema_Design

In summary: better referential integrity and better command grouping.
Nothing drastic in terms of the core SUDO logic, just a cleaner way to reference other objects that are already available in IPA: users, user groups, hosts, host groups etc.

> Regards,
> Siggi
>
> On 07/14/2011 11:11 PM, Deon Lackey wrote:
>> Hey, guys.
>>
>> I have created a handful of doc tickets related to issues that have
>> cropped up on the mailing list over the past couple of months.
>>
>> Trac ticket report:
>> https://fedorahosted.org/freeipa-guide/report/3
>>
>> This is for the freeipa-guide trac instance, not the freeipa trac
>> instance.
>> The freeipa instance is, of course, the real place to go
>> for product tickets 'n' stuff.
>>
>> Anyway, if I missed anything that any of you think is important, let
>> me know.
>>
>> https://fedorahosted.org/freeipa-guide/wiki/CommunityDocIssues
>>
>> Thanks!
>>
>> Deon

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Jul 20 21:48:43 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 20 Jul 2011 17:48:43 -0400
Subject: [Freeipa-users] Failure of ipa-client-install
In-Reply-To:
References:
Message-ID: <4E274D3B.4080102@redhat.com>

On 07/14/2011 04:39 AM, Louis Coilliot wrote:
> Hello,
>
> The server side (station8) is a freshly installed ipa server on Fedora
> 15 with freeipa-server-2.0.1-2.fc15.x86_64
>
> The client side (station7) is a RHEL 6.1 with ipa-client-2.0.0-23.el6.x86_64
> Or another Fedora15 OS (same behaviour)
>
> The symptom is :
> # ipa-client-install --server station8.example.com --domain example.com -d
> (...)
> Discovery was successful!
> (...)
> Hostname: station7.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: station8.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> Enrollment principal: admin
> (...)
> Password for admin at EXAMPLE.COM:
> root        : DEBUG    args=kinit admin at EXAMPLE.COM
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=kinit: Cannot contact any KDC for realm
> 'EXAMPLE.COM' while getting initial credentials
> root        : DEBUG    args=kdestroy
> root        : DEBUG    stdout=
> root        : DEBUG    stderr=kdestroy: No credentials cache found
> while destroying cache
>
> kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
> initial credentials
>
> I check krb5.conf, and I find :
> [realms]
>  EXAMPLE.COM = {
>  kdc = kerberos.example.com
>  admin_server = kerberos.example.com
>  }
>
> If I change it manually to :
> [realms]
>  EXAMPLE.COM = {
>  kdc = station8.example.com
>  admin_server = station8.example.com
>  }
>
> then the kinit is fine manually :
> # kinit admin
> Password for admin at EXAMPLE.COM:
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 07/13/11 13:59:09  07/14/11 13:59:05  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>         renew until 07/20/11 13:59:05
>
> But ipa-client-install still fails at this point
>
> Any idea ? Thanks in advance.
>
> Louis Coilliot

We are about to release 2.1.
Would you mind trying the latest bits?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From louis.coilliot at think.fr Thu Jul 21 05:38:41 2011
From: louis.coilliot at think.fr (Louis Coilliot)
Date: Thu, 21 Jul 2011 07:38:41 +0200
Subject: [Freeipa-users] Failure of ipa-client-install
In-Reply-To: <4E274D3B.4080102@redhat.com>
References: <4E274D3B.4080102@redhat.com>
Message-ID:

Sure I can do that. It's still a test at this time.
Louis

2011/7/20 Dmitri Pal :
> We are about to release 2.1.
> Would you mind trying the latest bits?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

From fedora at romal.de Sat Jul 23 07:14:00 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Sat, 23 Jul 2011 09:14:00 +0200
Subject: [Freeipa-users] Install problems with 2.0.1 on F15
Message-ID: <4E2A74B8.8030400@romal.de>

Hi,

I get an error message while installing freeipa on F15.

...
ipa-server-install --setup-dns
...

all testing updates are installed:

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
root        : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpJ8Tbtg' returned non-zero exit status 2
  [3/3]: restarting directory server
root        : CRITICAL Failed to restart the directory server. See the installation log for details.
done configuring dirsrv.
Configuring certificate server: Estimated time 6 minutes
  [1/16]: creating certificate server user
  [2/16]: restarting certificate server
  [3/16]: configuring certificate server instance

from ipserver-install.log

2011-07-23 09:10:06,059 DEBUG calling setup-ds.pl
2011-07-23 09:10:06,108 DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpJ8Tbtg
2011-07-23 09:10:06,109 DEBUG stdout=
2011-07-23 09:10:06,110 DEBUG stderr=Can't locate Setup.pm in @INC (@INC contains: /usr/lib64/dirsrv/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/sbin/setup-ds.pl line 44.
BEGIN failed--compilation aborted at /usr/sbin/setup-ds.pl line 44.

2011-07-23 09:10:06,111 CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpJ8Tbtg' returned non-zero exit status 2
2011-07-23 09:10:06,113 DEBUG duration: 0 seconds
2011-07-23 09:10:06,114 DEBUG [3/3]: restarting directory server
2011-07-23 09:10:06,226 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-07-23 09:10:06,227 DEBUG stdout= *** Error: no dirsrv instances configured

2011-07-23 09:10:06,227 DEBUG stderr=
2011-07-23 09:10:06,228 CRITICAL Failed to restart the directory server. See the installation log for details.
2011-07-23 09:10:06,229 DEBUG duration: 0 seconds
2011-07-23 09:10:06,230 DEBUG done configuring dirsrv.
2011-07-23 09:10:06,231 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-07-23 09:10:06,237 DEBUG Configuring certificate server: Estimated time 6 minutes
2011-07-23 09:10:06,238 DEBUG [1/16]: creating certificate server user
2011-07-23 09:10:06,239 DEBUG ca user pkiuser exists
2011-07-23 09:10:06,240 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-07-23 09:10:06,243 DEBUG duration: 0 seconds
2011-07-23 09:10:06,243 DEBUG [2/16]: restarting certificate server
2011-07-23 09:10:47,022 DEBUG args=/sbin/service pki-cad restart
2011-07-23 09:10:47,024 DEBUG stdout=Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
'pki-ca' must still be CONFIGURED!
(see /var/log/pki-ca-install.log)

2011-07-23 09:10:47,024 DEBUG stderr=
2011-07-23 09:10:47,083 DEBUG duration: 40 seconds
2011-07-23 09:10:47,084 DEBUG [3/16]: configuring certificate server instance

Any idea ?

cu romal

From kollathodi at yahoo.com Mon Jul 25 00:58:35 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Sun, 24 Jul 2011 17:58:35 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <879850.34869.qm@web161319.mail.bf1.yahoo.com>
Message-ID: <1311555515.78649.YahooMailClassic@web161309.mail.bf1.yahoo.com>

Hi,

Further to the ongoing deployment of Linux clients and servers using FreeIPA, I was able to successfully get all the requirements like,

-- complete centralized authentication and administration
-- NFS home share
-- HBAC
-- FreeIPA acting as Integrated DNS server

Everything was good during the testing period. But since we went to production the day before yesterday, we are facing a serious issue. The DNS in IPA is giving out some problems. All of a sudden it becomes unresponsive. We already noticed this twice in the past 48 hours. Since this is the name server for the entire network, everything depending on this for name resolution fails.
When I log in to the FreeIPA server machine and try to see the status of the named service (service named status), the command hangs. Then I need to forcefully kill the named service and start it again (or alternatively restart the ipa service) to get everything back to normal. I checked all the relevant log files and could see the following at various points in time in /var/log/messages (trimmed out most of it to show only possible named/sssd/ipa errors)

Jul 22 05:57:55 openipa named[10135]: semaphore.c:70: fatal error:
Jul 22 05:57:55 openipa named[10135]: RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) == 0) failed
Jul 22 05:57:55 openipa named[10135]: exiting (due to fatal error in library)
Jul 22 05:57:55 openipa abrt[12698]: /var/named/core.10135 is not a regular file with link count 1: Permission denied

Jul 22 14:35:56 openipa [sssd[ldap_child[17070]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
Jul 22 14:35:56 openipa [sssd[ldap_child[17072]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
Jul 22 17:54:33 openipa named[15678]: error (network unreachable) resolving 'snapfiles.com/AAAA/IN': 2001:503:231d::2:30#53

Jul 22 20:00:02 openipa python: IPA compliance checking failed: Error initializing principal host/openipa.hugayet.com at HUGAYET.COM in /etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')

Jul 23 09:10:01 openipa abrt[21599]: saved core dump of pid 20934 (/usr/sbin/named) to /var/spool/abrt/ccpp-1311401401-20934.new/coredump (37900288 bytes)
Jul 23 09:10:01 openipa abrtd: Directory 'ccpp-1311401401-20934' creation detected
Jul 23 09:10:01 openipa abrtd: Crash is in database already (dup of /var/spool/abrt/ccpp-1307530903-2297)
Jul 23 09:10:01 openipa abrtd: Deleting crash ccpp-1311401401-20934 (dup of ccpp-1307530903-2297), sending dbus signal
Jul 23 09:10:03 openipa named[21631]: starting BIND 9.7.3-RedHat-9.7.3-2.el6 -u named -4

Jul 23 15:35:56 openipa [sssd[ldap_child[22297]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
Jul 23 15:35:56 openipa [sssd[ldap_child[22298]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.

Jul 23 09:10:03 openipa named[21631]: adjusted limit on open files from 1024 to 1048576

Jul 24 03:16:01 openipa [sssd[ldap_child[22964]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
Jul 24 04:00:02 openipa python: IPA compliance checking failed: Error initializing principal host/openipa.hugayet.com at HUGAYET.COM in /etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')
Jul 24 06:17:25 openipa named[21631]: semaphore.c:70: fatal error:
Jul 24 06:17:25 openipa named[21631]: RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) == 0) failed
Jul 24 06:17:25 openipa named[21631]: exiting (due to fatal error in library)
Jul 24 06:17:25 openipa abrt[23220]: saved core dump of pid 21631 (/usr/sbin/named) to /var/spool/abrt/ccpp-1311477445-21631.new/coredump (143396864 bytes)

Also, I could see the following in my krb5kdc.log,

ul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): setting up network...
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on fd 9: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: No realms configured correctly for pkinit support - Cannot request packet info for udp socket address :: port 88
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): skipping unrecognized local address family 17
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): skipping unrecognized local address family 17
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on fd 10: udp fe80::6ab5:99ff:fec8:160%eth0.88
krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on fd 12: tcp 0.0.0.0.88
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on fd 11: tcp ::.88
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): set up 4 sockets

Also, please note the following points,

---- For the DHCP service, I have a cobbler server running the service which will use the FreeIPA server's DNS service (with ddns-update-style interim; option in the dhcp configuration file)
---- After seeing some permission related issues for named, I have given /var/named sufficient permission to the named daemon for the folder.
---- Disabled ipv6 for named as I don't use it anyway (OPTIONS="-4" in /etc/sysconfig/named)

Thanks indeed for all the help so far and waiting for your valuable input on this!

Regards,
Nidal

--- On Wed, 5/18/11, nasir nasir wrote:

From: nasir nasir
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "Adam Young"
Cc: freeipa-users at redhat.com
Date: Wednesday, May 18, 2011, 11:00 AM

Adam,

I will look more into this aspect and update later. Big thanks to everyone for making me reach up to this point. I appreciate it tremendously. Now in my test environment I have a working FreeIPA server, an NFS server (which is an IPA client), and 2 more IPA clients. All running RHEL 6.1 beta. The following things work fine now,

-- Centralized authentication and user/group management
-- Shared home folder automatically gets mounted on the client machine when the user logs in for the first time (only catch is it needs to be created manually on the NFS server first)
-- User profiles are preserved in the home folder

Next steps,

-- Try whether I can have this WITHOUT creating the home folder manually on the NFS server first
-- Replication of FreeIPA by adding one more server
-- Try out HBAC, Roles, Netgroups and other features of FreeIPA
-- Implement quota for user home folder

I will update the list about the progress of all these later. Thanks indeed to everyone once again!

Regards,
Nidal

I'm guessing that there is some policy enforced by the NFS server here that lets you do something like this.

...and here's the source code....

http://autofs5.sourcearchive.com/documentation/5.0.4-2/mount__nfs_8c-source.html

Here's the comment right above the line that generates that message.

* If the "port" option is specified, then we don't want
* a bind mount. Use the "port" option if you want to
* avoid attempting a local bind mount, such as when
* tunneling NFS via localhost.

So no surprise that the behavior is different on the NFS server than the rest of the cluster.
 27 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mkdir_path /home/nasir
 28 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mount --bind -s  -o defaults /xtra/home/nasir /home/nasir
 29 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): mounted /xtra/home/nasir type bind on /home/nasir

2. ssh -l rhel.cohort.org

  7 May 17 07:46:06 rhel automount[15387]: find_server: trying server uri ldap://192.168.1.240
  8 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
  9 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): ldap simple bind returned 0
 10 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): check search base list
 11 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
 12 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
 13 May 17 07:46:06 rhel automount[15387]: connected to uri ldap://192.168.1.240
 14 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
 15 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir"
 16 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): examining first entry
 17 May 17 07:46:06 rhel automount[15387]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
 18 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
 19 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
 20 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/nasir") -> hugayat.cohort.org:/xtra/home/nasir
 21 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/nasir
 22 May 17 07:46:06 rhel automount[15387]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
 23 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
 24 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
 25 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): calling mkdir_path /home/nasir
 26 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir /home/nasir
 27 May 17 07:46:06 rhel automount[15387]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/nasir failed, reason given by server:
 28 May 17 07:46:06 rhel automount[15387]: >>   No such file or directory

Please compare the lines between 20-30 in both the cases. All the parameters are the same but in the first case it says the user "nasir is local". What does it mean ?

Thanks and regards,
Nidal

Thanks again!

To answer your queries,

-- I get the same error for su - nasir
-- I don't think ssh is not creating oddjobd ; see the error in the trailing mail which I am getting in the konsole while trying to login. It does try to create the home folder
-- The client IPA machine was created with the --mkhomedir switch. Also, I can see the pam_oddjob_mkhomedir.so entry in the system-auth and password-auth files of pam (but not in the ssh file, though I manually tried once to insert it in the ssh file and then it was trying to create the home folder twice while SSHing !!).
-- As I said in the previous mail, pre-created directories get automounted and set up correctly when I try to login to the NFS server (cohort.org.hugyat) but NOT to other machines.
-- When autofs is disabled, directories get created successfully on the local hard disk on all the machines configured with the --mkhomedir switch

Any clue ?

Thanks and regards,
Nidal

Let's try to isolate it a little further.
If you log in to that machine as root, and then do su - nasir, does it let you create the directory or give you the same error? I'm guessing it is ssh that is complaining here. If the mount point is set up correctly, you should be able to create and chown the /home/nasir directory, either via oddjob, or just test it as root.

What I am guessing is happening here is that ssh is not triggering the oddjob creation of the home directory. Either that, or this particular IPA client was run without the switch to create the home-dir. If Automount is commented out, does the /home/nasir directory get created on the local disk?

On 05/16/2011 09:19 PM, nasir nasir wrote:

Thanks again!

No! it allows auto mount of that pre-created home folder ONLY to the NFS server. For e.g. if I have /xtra/home/nasir already created, then it automatically mounts while logging in to the NFS server ( ssh -l nasir NFS_SERVER ). But when I try to login as the same user to some other machine ( ssh -l nasir ANY_IPA_MACHINE) it gives the following error,

[root at openipa ~]# ssh -l nasir 192.168.1.222 -X
nasir at 192.168.1.222's password:
Creating home directory for nasir.
Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$ ls

So it is not working right ? Hope it is clear to you now.

Thanks and regards,
Nidal

If I manually create one home folder ( e.g. /xtra/home/abc ) under that, then I can mount it, but nothing can be written to it by the user as it gives a permission denied error.

Yes, but it should allow the root user to create and chown the directory, so the autocreation of home dirs should work.
From rcritten at redhat.com Mon Jul 25 13:12:26 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2011 09:12:26 -0400
Subject: [Freeipa-users] Install problems with 2.0.1 on F15
In-Reply-To: <4E2A74B8.8030400@romal.de>
References: <4E2A74B8.8030400@romal.de>
Message-ID: <4E2D6BBA.4080305@redhat.com>

Robert M. Albrecht wrote:
> Hi,
>
> I get an error message while installing freeipa on F15.
>
> ...
> ipa-server-install --setup-dns
> ...
>
> all testing updates are installed:
>
> root : CRITICAL failed to restart ds instance Command
> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpJ8Tbtg' returned
> non-zero exit status 2
>
> from ipserver-install.log
>
> 2011-07-23 09:10:06,110 DEBUG stderr=Can't locate Setup.pm in @INC (@INC
> contains: /usr/lib64/dirsrv/perl /usr/local/lib64/perl5
> /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
> /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at
> /usr/sbin/setup-ds.pl line 44.
> BEGIN failed--compilation aborted at /usr/sbin/setup-ds.pl line 44.
>
> Any idea ?
>
> cu romal

Can you give us some information on your system?

It would appear that you are running a 64-bit kernel, is that right? (uname -a).

Can you give us the output from the following:

rpm -q --queryformat='%{N}-%{V}-%{R}.%{arch}\n' 389-ds-base
rpm -q --queryformat='%{N}-%{V}-%{R}.%{arch}\n' ipa-server

Does /usr/lib64/dirsrv/perl exist?
rob

From rcritten at redhat.com Mon Jul 25 13:16:55 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2011 09:16:55 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <1311555515.78649.YahooMailClassic@web161309.mail.bf1.yahoo.com>
References: <1311555515.78649.YahooMailClassic@web161309.mail.bf1.yahoo.com>
Message-ID: <4E2D6CC7.5020903@redhat.com>

nasir nasir wrote:
> Hi,
>
> Further to the ongoing deployment of Linux clients and servers using
> FreeIPA, I was able to successfully get all the requirements like,
>
> -- complete centralized authentication and administration
> -- NFS home share
> -- HBAC
> -- FreeIPA acting as Integrated DNS server
>
> Everything was good during the testing period. But when we went to
> production since day before yesterday, we are facing a serious issue.
> The DNS in IPA is giving out some problems. All of a sudden it becomes
> unresponsive. We already noticed this twice in the past 48 hours. Since
> this is the name server for the entire network, everything depending on
> this for name resolution fails.
>
> Jul 22 05:57:55 openipa named[10135]: semaphore.c:70: fatal error:
> Jul 22 05:57:55 openipa named[10135]:
> RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) ==
> 0) failed
> Jul 22 05:57:55 openipa named[10135]: exiting (due to fatal error in
> library)
> Jul 22 05:57:55 openipa abrt[12698]: /var/named/core.10135 is not a
> regular file with link count 1: Permission denied
>
> Jul 23 09:10:01 openipa abrt[21599]: saved core dump of pid 20934
> (/usr/sbin/named) to /var/spool/abrt/ccpp-1311401401-20934.new/coredump
> (37900288 bytes)
>
> Thanks indeed for for all the help so far and waiting for your valuable
> input on this!

If you can get a backtrace on the named core I think that would be very helpful. It could be a problem in bind or in the bind-dyndb-ldap plugin that we use to LDAP as a backend store for bind.
rob From dpal at redhat.com Mon Jul 25 13:30:07 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 25 Jul 2011 09:30:07 -0400 Subject: [Freeipa-users] Install problems with 2.0.1 on F15 In-Reply-To: <4E2D6BBA.4080305@redhat.com> References: <4E2A74B8.8030400@romal.de> <4E2D6BBA.4080305@redhat.com> Message-ID: <4E2D6FDF.5030901@redhat.com> On 07/25/2011 09:12 AM, Rob Crittenden wrote: > 2011-07-23 09:10:06,110 DEBUG stderr=Can't locate Setup.pm in @INC (@INC > contains: /usr/lib64/dirsrv/perl /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > /usr/sbin/setup-ds.pl line 44. Rob, do you know what this Setup.pm is about? -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Mon Jul 25 13:38:42 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 25 Jul 2011 09:38:42 -0400 Subject: [Freeipa-users] Install problems with 2.0.1 on F15 In-Reply-To: <4E2D6FDF.5030901@redhat.com> References: <4E2A74B8.8030400@romal.de> <4E2D6BBA.4080305@redhat.com> <4E2D6FDF.5030901@redhat.com> Message-ID: <4E2D71E2.9040905@redhat.com> Dmitri Pal wrote: > On 07/25/2011 09:12 AM, Rob Crittenden wrote: >> 2011-07-23 09:10:06,110 DEBUG stderr=Can't locate Setup.pm in @INC (@INC >> contains: /usr/lib64/dirsrv/perl /usr/local/lib64/perl5 >> /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl >> /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at >> /usr/sbin/setup-ds.pl line 44. > > Rob, do you know what this Setup.pm is about? > It is a perl module used by the 389-ds configuration utility. I wonder if this is some odd multilib problem mixing i686 and x86_64 packages. 
rob

From kollathodi at yahoo.com Mon Jul 25 14:11:46 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 25 Jul 2011 07:11:46 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
Message-ID: <1311603106.73644.YahooMailClassic@web161316.mail.bf1.yahoo.com>

Hi Rob,

Thanks indeed for the quick reply! Please see the attached backtrace
files. I have generated them with abrt. Is it OK? Please let me know
if you need anything else.

Regards,
Nasir

--- On Mon, 7/25/11, Rob Crittenden wrote:

From: Rob Crittenden
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, July 25, 2011, 6:16 AM

If you can get a backtrace on the named core I think that would be very
helpful. It could be a problem in bind or in the bind-dyndb-ldap plugin
that we use to make LDAP the backend store for bind.

rob

From rcritten at redhat.com Mon Jul 25 14:22:03 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Jul 2011 10:22:03 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <1311603106.73644.YahooMailClassic@web161316.mail.bf1.yahoo.com>
References: <1311603106.73644.YahooMailClassic@web161316.mail.bf1.yahoo.com>
Message-ID: <4E2D7C0B.5060502@redhat.com>

nasir nasir wrote:
> Hi Rob,
>
> Thanks indeed for the quick reply! Please see the attached backtrace
> files. I have generated them with abrt. Is it OK? Please let me know
> if you need anything else.

As I feared this doesn't quite show us whether bind-dyndb-ldap is the
culprit or not. Knowing that this is a production system, is it possible
to install the bind debuginfo package so we can get a more complete
backtrace the next time it crashes?

rob

From kollathodi at yahoo.com Mon Jul 25 16:04:56 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 25 Jul 2011 09:04:56 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
Message-ID: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com>

Rob,

Thanks again! I installed the debuginfo package for bind, and named crashed
after a few minutes and gave a core dump file. But this time abrt is not
listing any crash (for previous crashes it was listing). I generated a
stacktrace from the core file using gdb. But I had not installed debuginfo
for the bind-dyndb-ldap package. Now I have installed the debuginfo package
for the bind-dyndb-ldap package too. Please find the attached stack trace
along with this.

I can afford to reboot/test the server today for a few hours from now.
Please let me know anything that can be done to help you to fix this. It
is really causing a big issue as the entire IPA becomes useless and people
cannot login to their system at all or do anything because of this.

Regards,
Nidal

--- On Mon, 7/25/11, Rob Crittenden wrote:

> From: Rob Crittenden
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, July 25, 2011, 7:22 AM
> nasir nasir wrote:
> > Hi Rob,
> >
> > Thanks indeed for the quick reply! Please see the attached backtrace
> > files. I have generated them with abrt. Is it OK? Please let me know
> > if you need anything else.
>
> As I feared this doesn't quite show us whether bind-dyndb-ldap is the
> culprit or not. Knowing that this is a production system, is it possible
> to install the bind debuginfo package so we can get a more complete
> backtrace the next time it crashes?
>
> rob

From rmeggins at redhat.com Mon Jul 25 18:32:28 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 25 Jul 2011 12:32:28 -0600
Subject: [Freeipa-users] Install problems with 2.0.1 on F15
In-Reply-To: <4E2D71E2.9040905@redhat.com>
References: <4E2A74B8.8030400@romal.de> <4E2D6BBA.4080305@redhat.com> <4E2D6FDF.5030901@redhat.com> <4E2D71E2.9040905@redhat.com>
Message-ID: <4E2DB6BC.9090505@redhat.com>

On 07/25/2011 07:38 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 07/25/2011 09:12 AM, Rob Crittenden wrote:
>>> 2011-07-23 09:10:06,110 DEBUG stderr=Can't locate Setup.pm in @INC
>>> (@INC
>>> contains: /usr/lib64/dirsrv/perl /usr/local/lib64/perl5
>>> /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
>>> /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at
>>> /usr/sbin/setup-ds.pl line 44.
>> >> Rob, do you know what this Setup.pm is about? >> > > It is a perl module used by the 389-ds configuration utility. I wonder > if this is some odd multilib problem mixing i686 and x86_64 packages. the 389-ds-base package provides /usr/lib[64]/dirsrv/perl/Setup.pm > > rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From atkac at redhat.com Tue Jul 26 08:06:08 2011 From: atkac at redhat.com (Adam Tkac) Date: Tue, 26 Jul 2011 10:06:08 +0200 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com> References: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com> Message-ID: <4E2E7570.6010307@redhat.com> Hello Nasir, I checked the backtrace and this is a bug in the bind-dyndb-ldap plugin. I wasn't able to reproduce your crash but I think the workaround is to limit "connections" argument to 1 (note this is number of connections from bind-dyndb-ldap to LDAP server, not number of clients that named can handle simultaneously). You can simply open your named.conf, search the "dynamic-db {}" statement and add (or modify) following line: arg "connections 1"; Would it be possible to send me your named log messages before named crashes, please? Thank you in advance. Regards, Adam On 07/25/2011 06:04 PM, nasir nasir wrote: > Rob, > Thanks again! I installed the debuginfo package for bind and the named crashed after a few minutes and gave a core dump file . But this time abrt is not listing any crash(for previous crashes it was listing). I generated a stacktrace from the core file using gdb. But I had not installed debuginfo for bind-dyndb-ldap package. Now I have installed debuginfo package for bind-dyndb-ldap package too. Please find the attached stack trace along with this. > > I can afford to reboot/test the server today for a few hours from now. 
> Please let me know anything that can be done to help you to fix this. It is really causing a big issue as the entire IPA becomes useless and people cannot login to their system at all or do anything because of this.
>
> Regards,
> Nidal

From atkac at redhat.com Tue Jul 26 08:14:25 2011
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 26 Jul 2011 10:14:25 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2E7570.6010307@redhat.com>
References: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com> <4E2E7570.6010307@redhat.com>
Message-ID: <4E2E7761.7000005@redhat.com>

Note this issue is also tracked in RH bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=725577

Regards, Adam

On 07/26/2011 10:06 AM, Adam Tkac wrote:
> Hello Nasir,
>
> I checked the backtrace and this is a bug in the bind-dyndb-ldap plugin.
>
> I wasn't able to reproduce your crash but I think the workaround is to
> limit the "connections" argument to 1 (note this is the number of connections
> from bind-dyndb-ldap to the LDAP server, not the number of clients that named
> can handle simultaneously). You can simply open your named.conf, search for
> the "dynamic-db {}" statement and add (or modify) the following line:
>
> arg "connections 1";
>
> Would it be possible to send me your named log messages before named
> crashes, please? Thank you in advance.
>
> Regards, Adam
>
> On 07/25/2011 06:04 PM, nasir nasir wrote:
>> Rob,
>> Thanks again! I installed the debuginfo package for bind and the named crashed after a few minutes and gave a core dump file. But this time abrt is not listing any crash (for previous crashes it was listing). I generated a stacktrace from the core file using gdb. But I had not installed debuginfo for the bind-dyndb-ldap package. Now I have installed the debuginfo package for the bind-dyndb-ldap package too. Please find the attached stack trace along with this.
>>
>> I can afford to reboot/test the server today for a few hours from now.
>> Please let me know anything that can be done to help you to fix this. It is really causing a big issue as the entire IPA becomes useless and people cannot login to their system at all or do anything because of this.
>>
>> Regards,
>> Nidal

From sylvain.pannetrat at net-optima.fr Tue Jul 26 09:21:10 2011
From: sylvain.pannetrat at net-optima.fr (Sylvain PANNETRAT)
Date: Tue, 26 Jul 2011 11:21:10 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2E7761.7000005@redhat.com>
References: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com> <4E2E7570.6010307@redhat.com> <4E2E7761.7000005@redhat.com>
Message-ID: <4E2E8706.6080001@net-optima.fr>

Hello,

I saw this problem from 02/2011 (Fedora 14/freeipa 2.0.0RC1).

Many times, when a MacOS computer started on the network, it made a deja vu request (4 DNS requests at the same time) and froze bind.

I made a script to query bind every 3 seconds, and restart it when needed.

Regards,

Sylvain PANNETRAT

On 26/07/11 10:14, Adam Tkac wrote:
> Note this issue is also tracked in RH bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=725577
>
> Regards, Adam
>
> On 07/26/2011 10:06 AM, Adam Tkac wrote:
>> Hello Nasir,
>>
>> I checked the backtrace and this is a bug in the bind-dyndb-ldap plugin.
>>
>> I wasn't able to reproduce your crash but I think the workaround is to
>> limit the "connections" argument to 1 (note this is the number of connections
>> from bind-dyndb-ldap to the LDAP server, not the number of clients that named
>> can handle simultaneously). You can simply open your named.conf, search for
>> the "dynamic-db {}" statement and add (or modify) the following line:
>>
>> arg "connections 1";
>>
>> Would it be possible to send me your named log messages before named
>> crashes, please? Thank you in advance.
>>
>> Regards, Adam
>>
>> On 07/25/2011 06:04 PM, nasir nasir wrote:
>>> Rob,
>>> Thanks again! I installed the debuginfo package for bind and the named crashed after a few minutes and gave a core dump file. But this time abrt is not listing any crash (for previous crashes it was listing). I generated a stacktrace from the core file using gdb. But I had not installed debuginfo for the bind-dyndb-ldap package. Now I have installed the debuginfo package for the bind-dyndb-ldap package too. Please find the attached stack trace along with this.
>>>
>>> I can afford to reboot/test the server today for a few hours from now. Please let me know anything that can be done to help you to fix this. It is really causing a big issue as the entire IPA becomes useless and people cannot login to their system at all or do anything because of this.
>>>
>>> Regards,
>>> Nidal

From kollathodi at yahoo.com Tue Jul 26 09:53:53 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Tue, 26 Jul 2011 02:53:53 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2E7761.7000005@redhat.com>
Message-ID: <1311674033.28873.YahooMailClassic@web161303.mail.bf1.yahoo.com>

Hi Adam/Rob,

Many many thanks indeed for the lightning fast action on this and the workaround! As per your suggestion, I have modified the named.conf file and attached the log file to the bugzilla entry. Please let me know if there is anything else that I can do to help you to help me.
Thanks again and best regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac wrote:

> From: Adam Tkac
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Tuesday, July 26, 2011, 1:14 AM
> Note this issue is also tracked in RH bugzilla:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=725577
>
> Regards, Adam
>
> On 07/26/2011 10:06 AM, Adam Tkac wrote:
> > Hello Nasir,
> >
> > I checked the backtrace and this is a bug in the bind-dyndb-ldap plugin.
> >
> > I wasn't able to reproduce your crash but I think the workaround is to
> > limit the "connections" argument to 1 (note this is the number of connections
> > from bind-dyndb-ldap to the LDAP server, not the number of clients that named
> > can handle simultaneously). You can simply open your named.conf, search for
> > the "dynamic-db {}" statement and add (or modify) the following line:
> >
> > arg "connections 1";
> >
> > Would it be possible to send me your named log messages before named
> > crashes, please? Thank you in advance.
> >
> > Regards, Adam
> >
> > On 07/25/2011 06:04 PM, nasir nasir wrote:
> >> Rob,
> >> Thanks again! I installed the debuginfo package for bind and the named crashed after a few minutes and gave a core dump file. But this time abrt is not listing any crash (for previous crashes it was listing). I generated a stacktrace from the core file using gdb. But I had not installed debuginfo for the bind-dyndb-ldap package. Now I have installed the debuginfo package for the bind-dyndb-ldap package too. Please find the attached stack trace along with this.
> >>
> >> I can afford to reboot/test the server today for a few hours from now. Please let me know anything that can be done to help you to fix this. It is really causing a big issue as the entire IPA becomes useless and people cannot login to their system at all or do anything because of this.
> >>
> >> Regards,
> >> Nidal
>

From fedora at romal.de Tue Jul 26 12:02:02 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Tue, 26 Jul 2011 14:02:02 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2E7761.7000005@redhat.com>
References: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com> <4E2E7570.6010307@redhat.com> <4E2E7761.7000005@redhat.com>
Message-ID: <4E2EACBA.8080204@romal.de>

Hi,

I think I have a similar problem on a fully patched F15.

After booting, name resolution is working for about a minute; after that it suddenly stops.

/var/log/messages

Jul 26 13:51:50 zerberus named[2948]: starting BIND 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 -u named
Jul 26 13:51:50 zerberus named[2948]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Jul 26 13:51:50 zerberus named[2948]: adjusted limit on open files from 1024 to 1048576
Jul 26 13:51:50 zerberus named[2948]: found 4 CPUs, using 4 worker threads
Jul 26 13:51:50 zerberus named[2948]: using up to 4096 sockets
Jul 26 13:51:50 zerberus named[2948]: loading configuration from '/etc/named.conf'
Jul 26 13:51:50 zerberus named[2948]: using default UDP/IPv4 port range: [1024, 65535]
Jul 26 13:51:50 zerberus named[2948]: using default UDP/IPv6 port range: [1024, 65535]
Jul 26 13:51:50 zerberus named[2948]: listening on IPv6 interfaces, port 53
Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface lo, 127.0.0.1#53
Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface em1, 192.168.0.230#53
Jul 26 13:51:50 zerberus named[2948]: generating session key for dynamic DNS
Jul 26 13:51:50 zerberus named[2948]: set up managed keys zone for view _default, file 'managed-keys.bind'
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 127.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: D.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 8.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 9.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: A.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: B.E.F.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jul 26 13:51:50 zerberus named[2948]: command channel listening on 127.0.0.1#953
Jul 26 13:51:50 zerberus named[2948]: command channel listening on ::1#953
Jul 26 13:51:50 zerberus named[2948]: the working directory is not writable
Jul 26 13:51:50 zerberus named[2948]: zone 0.in-addr.arpa/IN: loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone localhost.localdomain/IN: loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: zone localhost/IN: loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loaded serial 0
Jul 26 13:51:50 zerberus named[2948]: running
(END)

---- shell

Non-authoritative answer:
www.google.de canonical name = www.google.com.
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 209.85.149.105
Name: www.l.google.com
Address: 209.85.149.106
Name: www.l.google.com
Address: 209.85.149.147
Name: www.l.google.com
Address: 209.85.149.99
Name: www.l.google.com
Address: 209.85.149.103
Name: www.l.google.com
Address: 209.85.149.104

[root at zerberus ~]# nslookup www.google.de
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.de canonical name = www.google.com.
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 209.85.149.104
Name: www.l.google.com
Address: 209.85.149.105
Name: www.l.google.com
Address: 209.85.149.106
Name: www.l.google.com
Address: 209.85.149.147
Name: www.l.google.com
Address: 209.85.149.99
Name: www.l.google.com
Address: 209.85.149.103

[root at zerberus ~]# nslookup www.google.de
;; connection timed out; no servers could be reached

[root at zerberus ~]#

A service ipa restart

[root at zerberus ~]# service ipa restart
Restarting Directory Service
Shutting down dirsrv:
VORLON-LAN... [ OK ]
Starting dirsrv:
VORLON-LAN... [ OK ]
Restarting KDC Service
Kerberos 5 KDC beenden: [ OK ]
Kerberos 5 KDC starten: [ OK ]
Restarting KPASSWD Service
ipa_kpasswd herunterfahren: [ OK ]
ipa_kpasswd starten: [ OK ]
Restarting DNS Service
Named beenden:

hangs at named.

At this moment abrt seems to catch a problem:

Jul 26 13:59:36 zerberus named[2948]: semaphore.c:70: fatal error:
Jul 26 13:59:36 zerberus named[2948]: RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) == 0) failed
Jul 26 13:59:36 zerberus named[2948]: exiting (due to fatal error in library)
Jul 26 13:59:36 zerberus abrt[3223]: Unrecognized variable 'DumpLocation' in '/etc/abrt/abrt.conf'
Jul 26 13:59:36 zerberus abrt[3223]: /var/named/core.2948 is not a regular file with link count 1: Permission denied
Jul 26 13:59:36 zerberus abrtd: Unrecognized variable 'DumpLocation' in '/etc/abrt/abrt.conf'
Jul 26 13:59:37 zerberus abrt[3223]: saved core dump of pid 2948 (/usr/sbin/named) to /var/spool/abrt/ccpp-2011-07-26-13:59:36-2948.new/coredump (64675840 bytes)
Jul 26 13:59:37 zerberus abrtd: Unrecognized variable 'DumpLocation' in '/etc/abrt/abrt.conf'
Jul 26 13:59:37 zerberus abrtd: Directory 'ccpp-2011-07-26-13:59:36-2948' creation detected
Jul 26 13:59:38 zerberus abrtd: Can't open file '/var/spool/abrt/oops-2011-07-10-21:21:24-909-0/uid': Datei oder Verzeichnis nicht gefunden
Jul 26 13:59:38 zerberus abrtd: Can't open file '/var/spool/abrt/oops-2011-07-06-22:24:33-912-0/uid': Datei oder Verzeichnis nicht gefunden
Jul 26 13:59:38 zerberus abrtd: Dump directory is a duplicate of /var/spool/abrt/ccpp-2011-07-25-07:00:35-1088
Jul 26 13:59:38 zerberus abrtd: Deleting dump directory ccpp-2011-07-26-13:59:36-2948 (dup of ccpp-2011-07-25-07:00:35-1088), sending dbus signal
Jul 26 13:59:38 zerberus abrtd: Unrecognized variable 'DumpLocation' in '/etc/abrt/abrt.conf'

cu romal

From fedora at romal.de Tue Jul 26 12:08:10 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Tue, 26 Jul 2011 14:08:10 +0200
Subject: [Freeipa-users] Install problems with 2.0.1 on F15
In-Reply-To: <4E2D6BBA.4080305@redhat.com>
References: <4E2A74B8.8030400@romal.de> <4E2D6BBA.4080305@redhat.com>
Message-ID: <4E2EAE2A.4020507@romal.de>

Hi,

sorry, that was my own mistake: from the docs at
http://directory.fedoraproject.org/wiki/Install_Guide#Removing_Packages

Extra cleanup

After removing all of the packages, you can do something like this to make sure your system is back to a clean state:

rm -rf /etc/dirsrv /usr/lib*/dirsrv /var/*/dirsrv /etc/sysconfig/dirsrv*

--------------

I didn't notice the /lib*/. I used it to remove some left over configuration files. I didn't see that it would also remove parts of the directory server program files.

Was a bit late that night ...

cu romal

On 25.07.11 15:12, Rob Crittenden wrote:
> Robert M. Albrecht wrote:
>> Hi,
>>
>> I get an error message while installing freeipa on F15.
>>
>> ...
>> ipa-server-install --setup-dns
>> ...
>>
>> all testing updates are installed:
>>
>> Configuring ntpd
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 seconds
>> [1/3]: creating directory server user
>> [2/3]: creating directory server instance
>> root : CRITICAL failed to restart ds instance Command
>> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpJ8Tbtg' returned
>> non-zero exit status 2
>> [3/3]: restarting directory server
>> root : CRITICAL Failed to restart the directory server. See the
>> installation log for details.
>> done configuring dirsrv.
>> Configuring certificate server: Estimated time 6 minutes
>> [1/16]: creating certificate server user
>> [2/16]: restarting certificate server
>> [3/16]: configuring certificate server instance
>>
>>
>> from ipserver-install.log
>>
>>
>> 2011-07-23 09:10:06,059 DEBUG calling setup-ds.pl
>> 2011-07-23 09:10:06,108 DEBUG args=/usr/sbin/setup-ds.pl --silent
>> --logfile - -f /tmp/tmpJ8Tbtg
>> 2011-07-23 09:10:06,109 DEBUG stdout=
>> 2011-07-23 09:10:06,110 DEBUG stderr=Can't locate Setup.pm in @INC (@INC
>> contains: /usr/lib64/dirsrv/perl /usr/local/lib64/perl5
>> /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
>> /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at
>> /usr/sbin/setup-ds.pl line 44.
>> BEGIN failed--compilation aborted at /usr/sbin/setup-ds.pl line 44.
>>
>> 2011-07-23 09:10:06,111 CRITICAL failed to restart ds instance Command
>> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpJ8Tbtg' returned
>> non-zero exit status 2
>> 2011-07-23 09:10:06,113 DEBUG duration: 0 seconds
>> 2011-07-23 09:10:06,114 DEBUG [3/3]: restarting directory server
>> 2011-07-23 09:10:06,226 DEBUG args=/sbin/service dirsrv restart PKI-IPA
>> 2011-07-23 09:10:06,227 DEBUG stdout= *** Error: no dirsrv instances
>> configured
>>
>> 2011-07-23 09:10:06,227 DEBUG stderr=
>> 2011-07-23 09:10:06,228 CRITICAL Failed to restart the directory server.
>> See the installation log for details.
>> 2011-07-23 09:10:06,229 DEBUG duration: 0 seconds
>> 2011-07-23 09:10:06,230 DEBUG done configuring dirsrv.
>> 2011-07-23 09:10:06,231 DEBUG Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2011-07-23 09:10:06,237 DEBUG Configuring certificate server: Estimated
>> time 6 minutes
>> 2011-07-23 09:10:06,238 DEBUG [1/16]: creating certificate server user
>> 2011-07-23 09:10:06,239 DEBUG ca user pkiuser exists
>> 2011-07-23 09:10:06,240 DEBUG Saving StateFile to
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2011-07-23 09:10:06,243 DEBUG duration: 0 seconds
>> 2011-07-23 09:10:06,243 DEBUG [2/16]: restarting certificate server
>> 2011-07-23 09:10:47,022 DEBUG args=/sbin/service pki-cad restart
>> 2011-07-23 09:10:47,024 DEBUG stdout=Stopping pki-ca: [ OK ]
>> Starting pki-ca: [ OK ]
>> 'pki-ca' must still be CONFIGURED!
>> (see /var/log/pki-ca-install.log)
>>
>> 2011-07-23 09:10:47,024 DEBUG stderr=
>> 2011-07-23 09:10:47,083 DEBUG duration: 40 seconds
>> 2011-07-23 09:10:47,084 DEBUG [3/16]: configuring certificate server
>> instance
>>
>> Any idea ?
>>
>> cu romal
>
> Can you give us some information on your system? It would appear that
> you are running a 64-bit kernel, is that right? (uname -a).
>
> Can you give us the output from the following:
>
> rpm -q --queryformat='%{N}-%{V}-%{R}.%{arch}\n' 389-ds-base
> rpm -q --queryformat='%{N}-%{V}-%{R}.%{arch}\n' ipa-server
>
> Does /usr/lib64/dirsrv/perl exist?
>
> rob
>

From rcritten at redhat.com Tue Jul 26 12:52:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jul 2011 08:52:10 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2EACBA.8080204@romal.de>
References: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com> <4E2E7570.6010307@redhat.com> <4E2E7761.7000005@redhat.com> <4E2EACBA.8080204@romal.de>
Message-ID: <4E2EB87A.9050801@redhat.com>

Robert M. Albrecht wrote:
> Hi,
>
> I think I have a similar problem on a fully patched F15.
>
> After booting name resolution is working for about a minute, after that
> it suddenly stops.
The logged error sure looks similar. Can you try the configuration option as well to see if it helps?

thanks

rob

From fedora at romal.de Tue Jul 26 12:52:50 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Tue, 26 Jul 2011 14:52:50 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2EACBA.8080204@romal.de>
References: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com> <4E2E7570.6010307@redhat.com> <4E2E7761.7000005@redhat.com> <4E2EACBA.8080204@romal.de>
Message-ID: <4E2EB8A2.8030105@romal.de>

Hi,

abrt-upload at:

https://bugzilla.redhat.com/show_bug.cgi?id=725741

cu romal

On 26.07.11 14:02, Robert M. Albrecht wrote:
> Hi,
>
> I think I have a similar problem on a fully patched F15.
>
> After booting name resolution is working for about a minute, after that
> it suddenly stops.
>
> /var/log/messages
>
> Jul 26 13:51:50 zerberus named[2948]: starting BIND
> 9.8.0-P4-RedHat-9.8.0-7.P4.fc15 -u named
> Jul 26 13:51:50 zerberus named[2948]: built with
> '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
> '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr'
> '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
> '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var'
> '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static'
> '--disable-openssl-version-check' '--enable-exportlib'
> '--with-export-libdir=/usr/lib64'
> '--with-export-includedir=/usr/include'
> '--includedir=/usr/include/bind9'
> '--with-pkcs11=/usr/lib64/pkcs11/PKCS11_API.so' '--with-dlz-ldap=yes'
> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
> '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego'
> 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
> Jul 26 13:51:50 zerberus named[2948]: adjusted limit on open files from
> 1024 to 1048576
> Jul 26 13:51:50 zerberus named[2948]: found 4 CPUs, using 4 worker threads
> Jul 26 13:51:50 zerberus named[2948]: using up to 4096 sockets
> Jul 26 13:51:50 zerberus named[2948]: loading configuration from
> '/etc/named.conf'
> Jul 26 13:51:50 zerberus named[2948]: using default UDP/IPv4 port range:
> [1024, 65535]
> Jul 26 13:51:50 zerberus named[2948]: using default UDP/IPv6 port range:
> [1024, 65535]
> Jul 26 13:51:50 zerberus named[2948]: listening on IPv6 interfaces, port 53
> Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Jul 26 13:51:50 zerberus named[2948]: listening on IPv4 interface em1,
> 192.168.0.230#53
> Jul 26 13:51:50 zerberus named[2948]: generating session key for dynamic
> DNS
> Jul 26 13:51:50 zerberus named[2948]: set up managed keys zone for view
> _default, file 'managed-keys.bind'
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
> 127.IN-ADDR.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
> 254.169.IN-ADDR.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
> 2.0.192.IN-ADDR.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
> 100.51.198.IN-ADDR.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
> 113.0.203.IN-ADDR.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
> 255.255.255.255.IN-ADDR.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: D.F.IP6.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 8.E.F.IP6.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: 9.E.F.IP6.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: A.E.F.IP6.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone: B.E.F.IP6.ARPA
> Jul 26 13:51:50 zerberus named[2948]: automatic empty zone:
> 8.B.D.0.1.0.0.2.IP6.ARPA
> Jul 26 13:51:50 zerberus named[2948]: command channel listening on
> 127.0.0.1#953
> Jul 26 13:51:50 zerberus named[2948]: command channel listening on ::1#953
> Jul 26 13:51:50 zerberus named[2948]: the working directory is not writable
> Jul 26 13:51:50 zerberus named[2948]: zone 0.in-addr.arpa/IN: loaded
> serial 0
> Jul 26 13:51:50 zerberus named[2948]: zone 1.0.0.127.in-addr.arpa/IN:
> loaded serial 0
> Jul 26 13:51:50 zerberus named[2948]: zone
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
> loaded serial 0
> Jul 26 13:51:50 zerberus named[2948]: zone localhost.localdomain/IN:
> loaded serial 0
> Jul 26 13:51:50 zerberus named[2948]: zone localhost/IN: loaded serial 0
> Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loading
> from master file managed-keys.bind failed: file not found
> Jul 26 13:51:50 zerberus named[2948]: managed-keys-zone ./IN: loaded
> serial 0
> Jul 26 13:51:50 zerberus named[2948]: running
> (END)
>
>
> ---- shell
>
>
> Non-authoritative answer:
> www.google.de canonical name = www.google.com.
> www.google.com canonical name = www.l.google.com.
> Name: www.l.google.com
> Address: 209.85.149.105
> Name: www.l.google.com
> Address: 209.85.149.106
> Name: www.l.google.com
> Address: 209.85.149.147
> Name: www.l.google.com
> Address: 209.85.149.99
> Name: www.l.google.com
> Address: 209.85.149.103
> Name: www.l.google.com
> Address: 209.85.149.104
>
> [root at zerberus ~]# nslookup www.google.de
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> www.google.de canonical name = www.google.com.
> www.google.com canonical name = www.l.google.com.
> Name: www.l.google.com
> Address: 209.85.149.104
> Name: www.l.google.com
> Address: 209.85.149.105
> Name: www.l.google.com
> Address: 209.85.149.106
> Name: www.l.google.com
> Address: 209.85.149.147
> Name: www.l.google.com
> Address: 209.85.149.99
> Name: www.l.google.com
> Address: 209.85.149.103
>
> [root at zerberus ~]# nslookup www.google.de
> ;; connection timed out; no servers could be reached
>
> [root at zerberus ~]#
>
> A service ipa restart
>
> [root at zerberus ~]# service ipa restart
> Restarting Directory Service
> Shutting down dirsrv:
> VORLON-LAN... [ OK ]
> Starting dirsrv:
> VORLON-LAN... [ OK ]
> Restarting KDC Service
> Kerberos 5 KDC beenden: [ OK ]
> Kerberos 5 KDC starten: [ OK ]
> Restarting KPASSWD Service
> ipa_kpasswd herunterfahren: [ OK ]
> ipa_kpasswd starten: [ OK ]
> Restarting DNS Service
> Named beenden:
>
> hangs at named.
>
> At this moment abrt seems to catch a problem:
>
> Jul 26 13:59:36 zerberus named[2948]: semaphore.c:70: fatal error:
> Jul 26 13:59:36 zerberus named[2948]:
> RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) ==
> 0) failed
> Jul 26 13:59:36 zerberus named[2948]: exiting (due to fatal error in
> library)
> Jul 26 13:59:36 zerberus abrt[3223]: Unrecognized variable
> 'DumpLocation' in '/etc/abrt/abrt.conf'
> Jul 26 13:59:36 zerberus abrt[3223]: /var/named/core.2948 is not a
> regular file with link count 1: Permission denied
> Jul 26 13:59:36 zerberus abrtd: Unrecognized variable 'DumpLocation' in
> '/etc/abrt/abrt.conf'
> Jul 26 13:59:37 zerberus abrt[3223]: saved core dump of pid 2948
> (/usr/sbin/named) to
> /var/spool/abrt/ccpp-2011-07-26-13:59:36-2948.new/coredump (64675840 bytes)
> Jul 26 13:59:37 zerberus abrtd: Unrecognized variable 'DumpLocation' in
> '/etc/abrt/abrt.conf'
> Jul 26 13:59:37 zerberus abrtd: Directory
> 'ccpp-2011-07-26-13:59:36-2948' creation detected
> Jul 26 13:59:38 zerberus abrtd: Can't open file
> '/var/spool/abrt/oops-2011-07-10-21:21:24-909-0/uid': Datei oder
> Verzeichnis nicht gefunden
> Jul 26 13:59:38 zerberus abrtd: Can't open file
> '/var/spool/abrt/oops-2011-07-06-22:24:33-912-0/uid': Datei oder
> Verzeichnis nicht gefunden
> Jul 26 13:59:38 zerberus abrtd: Dump directory is a duplicate of
> /var/spool/abrt/ccpp-2011-07-25-07:00:35-1088
> Jul 26 13:59:38 zerberus abrtd: Deleting dump directory
> ccpp-2011-07-26-13:59:36-2948 (dup of ccpp-2011-07-25-07:00:35-1088),
> sending dbus signal
> Jul 26 13:59:38 zerberus abrtd: Unrecognized variable 'DumpLocation' in
> '/etc/abrt/abrt.conf'
>
>
> cu romal
>

From fedora at romal.de Tue Jul 26 13:01:18 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Tue, 26 Jul 2011 15:01:18 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2EB87A.9050801@redhat.com>
References: <1311609896.50678.YahooMailClassic@web161316.mail.bf1.yahoo.com> <4E2E7570.6010307@redhat.com> <4E2E7761.7000005@redhat.com> <4E2EACBA.8080204@romal.de> <4E2EB87A.9050801@redhat.com>
Message-ID: <4E2EBA9E.80104@romal.de>

On 26.07.11 14:52, Rob Crittenden wrote:
> Robert M. Albrecht wrote:
>> Hi,
>>
>> I think I have a similar problem on a fully patched F15.
>>
>> After booting name resolution is working for about a minute, after that
>> it suddenly stops.
>
> The logged error sure looks similar. Can you try the configuration
> option as well to see if it helps?
>
> thanks
>
> rob
>

Hi,

I already included it; it's running for 15 minutes now. It never survived longer than a minute before.

Keep fingers crossed :-)

cu romal

From kollathodi at yahoo.com Tue Jul 26 13:22:32 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Tue, 26 Jul 2011 06:22:32 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2EBA9E.80104@romal.de>
Message-ID: <1311686552.31237.YahooMailClassic@web161309.mail.bf1.yahoo.com>

Hi,

> Hi,
>
> I already included it, it's running for 15 minutes now. It never
> survived longer than a minute before.
>
> Keep fingers crossed :-)

In my case things are getting worse after the configuration change. Earlier the issue used to pop up once a day or so. But now it is recurring every hour or so. So I have reverted that parameter.

Thanks again.

Regards,
Nidal

From fedora at romal.de Tue Jul 26 13:39:04 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Tue, 26 Jul 2011 15:39:04 +0200
Subject: [Freeipa-users] version mismatch while joining a client ?
Message-ID: <4E2EC378.9050401@romal.de>

Hi,

I tried to join my first client (another fully patched F15, like the ipa-server).

Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions.

[root at chessur ~]# ipa-client-install --debug --enable-dns-updates
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': True, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later
root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
^C^C^C^C^C^C^C^C^C[root at chessur ~]# ipa-client-install --debug --enable-dns-updates
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': True, 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later
root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG [ipadnssearchldap(vorlon.lan)]
root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmpLob8Sc/ca.crt http://zerberus.vorlon.lan/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2011-07-26 15:34:18-- http://zerberus.vorlon.lan/ipa/config/ca.crt
Auflösen des Hostnamen »zerberus.vorlon.lan«.... 192.168.0.230
Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 767 [application/x-x509-ca-cert]
In »/tmp/tmpLob8Sc/ca.crt« speichern.

0K 100% 96,8M=0s

2011-07-26 15:34:18 (96,8 MB/s) - »/tmp/tmpLob8Sc/ca.crt« gespeichert [767/767]

root : DEBUG Init ldap with: ldap://zerberus.vorlon.lan:389
root : DEBUG Search rootdse
root : DEBUG Search for (info=*) in dc=vorlon,dc=lan(base)
root : DEBUG Found: [('dc=vorlon,dc=lan', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['vorlon.lan'], 'dc': ['vorlon'], 'nisDomain': ['vorlon.lan']})]
root : DEBUG Search for (objectClass=krbRealmContainer) in dc=vorlon,dc=lan(sub)
root : DEBUG Found: [('cn=VORLON.LAN,cn=kerberos,dc=vorlon,dc=lan', {'krbSubTrees': ['dc=vorlon,dc=lan'], 'cn': ['VORLON.LAN'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
root : DEBUG will use domain: vorlon.lan
root : DEBUG will use server: zerberus.vorlon.lan
Discovery was successful!
root : DEBUG will use cli_realm: VORLON.LAN
root : DEBUG will use cli_basedn: dc=vorlon,dc=lan
Hostname: chessur.vorlon.lan
Realm: VORLON.LAN
DNS Domain: vorlon.lan
IPA Server: zerberus.vorlon.lan
BaseDN: dc=vorlon,dc=lan

Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
root : DEBUG will use principal: admin
root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://zerberus.vorlon.lan/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2011-07-26 15:34:28-- http://zerberus.vorlon.lan/ipa/config/ca.crt
Auflösen des Hostnamen »zerberus.vorlon.lan«.... 192.168.0.230
Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 767 [application/x-x509-ca-cert]
In »/etc/ipa/ca.crt« speichern.

0K 100% 64,6M=0s

2011-07-26 15:34:28 (64,6 MB/s) - »/etc/ipa/ca.crt« gespeichert [767/767]

root : DEBUG Writing Kerberos configuration to /tmp/tmphXdPGl:
#File modified by ipa-client-install

[libdefaults]
default_realm = VORLON.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
VORLON.LAN = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.vorlon.lan = VORLON.LAN
vorlon.lan = VORLON.LAN

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Password for admin at VORLON.LAN:
root : DEBUG args=kinit admin at VORLON.LAN
root : DEBUG stdout=Password for admin at VORLON.LAN:

root : DEBUG stderr=
root : DEBUG args=/usr/sbin/ipa-join -s zerberus.vorlon.lan -d
root : DEBUG stdout=
root : DEBUG stderr=XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n chessur.vorlon.lan\r\n \r\n \r\n nsosversion\r\n 2.6.38.8-35.fc15.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n
HTTP response code is 500, not 200
Joining realm failed because of failing XML-RPC request.
This error may be caused by incompatible server/client major versions.

root : DEBUG args=kdestroy
root : DEBUG stdout=
root : DEBUG stderr=
[root at chessur ~]#

cu romal

From fedora at romal.de Tue Jul 26 13:40:27 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Tue, 26 Jul 2011 15:40:27 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <1311686552.31237.YahooMailClassic@web161309.mail.bf1.yahoo.com>
References: <1311686552.31237.YahooMailClassic@web161309.mail.bf1.yahoo.com>
Message-ID: <4E2EC3CB.5030404@romal.de>

Hi,

it just died. Limiting the connections seems to help, but does not solve the problem.
cu romal

On 26.07.11 15:22, nasir nasir wrote:
> Hi,
>
>
>>
>> Hi,
>>
>> I already included it, it's running for 15 minutes now. It
>> never
>> survived longer than a minute before.
>>
>> Keep fingers crossed :-)
>
>
> In my case things are getting worse after the configuration change. Earlier the issue used to pop up once in a day or so. But now it is recurring every hour or so. So I have reverted that parameter.
>
> Thanks again.
>
> Regards,
> Nidal
>
>

From atkac at redhat.com Tue Jul 26 13:43:15 2011
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 26 Jul 2011 15:43:15 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <1311686552.31237.YahooMailClassic@web161309.mail.bf1.yahoo.com>
References: <1311686552.31237.YahooMailClassic@web161309.mail.bf1.yahoo.com>
Message-ID: <4E2EC473.1060704@redhat.com>

On 07/26/2011 03:22 PM, nasir nasir wrote:
> Hi,
>
>
>> Hi,
>>
>> I already included it, it's running for 15 minutes now. It
>> never
>> survived longer than a minute before.
>>
>> Keep fingers crossed :-)
>
> In my case things are getting worse after the configuration change. Earlier the issue used to pop up once in a day or so. But now it is recurring every hour or so. So I have reverted that parameter.
>

May I ask you if you send reload (rndc reload or kill -HUP) or stop command to named right before it dies, please? Or you don't send any signals or rndc commands. Thanks.

Regards, Adam

From kollathodi at yahoo.com Tue Jul 26 13:56:44 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Tue, 26 Jul 2011 06:56:44 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2EC473.1060704@redhat.com>
Message-ID: <1311688604.41001.YahooMailClassic@web161316.mail.bf1.yahoo.com>

Hi,

>
>
>
> In my case things are getting worse after the
> configuration change. Earlier the issue used to pop up once
> in a day or so. But now it is recurring every hour
> or so. So I have reverted that parameter.
>
>
> May I ask you if you send reload (rndc reload or kill -HUP)
> or stop
> command to named right before it dies, please? Or you don't
> send any
> signals or rndc commands. Thanks.
>
> Regards, Adam

I had done this while I had noticed this crash in the beginning and didn't know what impact it had on this. Do you want me to try anything now? Also, if you want I can afford downtime now. Please let me know.

Regards,
Nidal

From rcritten at redhat.com Tue Jul 26 14:03:28 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Jul 2011 10:03:28 -0400
Subject: [Freeipa-users] version mismatch while joining a client ?
In-Reply-To: <4E2EC378.9050401@romal.de>
References: <4E2EC378.9050401@romal.de>
Message-ID: <4E2EC930.1060501@redhat.com>

Robert M. Albrecht wrote:
> Hi,
>
> I tried to join my first client (another fully patched F15, like the
> ipa-server).
>
> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.

I think this is the problem caused by a recent libcurl change. libcurl recently dropped support for GSSAPI ticket delegation which is needed for the enrollment. If you look in the Apache error log on the IPA server I'll bet there is an error about principal.

We're waiting on upstream to add support for forwarding back in. Until then your options are limited. The change was made because it was considered a security issue: whenever forwarding was allowed the ticket was sent whether it was requested or not.

Downgrading libcurl will fix the problem for enrollment. You should evaluate the CVE to decide the course of action: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192

rob

>
>
>
> [root at chessur ~]# ipa-client-install --debug --enable-dns-updates
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
> False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None,
> 'prompt_password': False, 'realm_name': None, 'dns_updates': True,
> 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir':
> False, 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>
> ^C^C^C^C^C^C^C^C^C[root at chessur ~]# ipa-client-install --debug
> --enable-dns-updates
> root : DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force':
> False, 'sssd': True, 'hostname': None, 'permit': False, 'server': None,
> 'prompt_password': False, 'realm_name': None, 'dns_updates': True,
> 'debug': True, 'on_master': False, 'ntp_server': None, 'mkhomedir':
> False, 'unattended': None, 'principal': None}
> root : DEBUG missing options might be asked for interactively
> later
>
> root : DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> root : DEBUG [ipadnssearchldap(vorlon.lan)]
> root : DEBUG [ipadnssearchkrb]
> root : DEBUG [ipacheckldap]
> root : DEBUG args=/usr/bin/wget -O /tmp/tmpLob8Sc/ca.crt
> http://zerberus.vorlon.lan/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2011-07-26 15:34:18--
> http://zerberus.vorlon.lan/ipa/config/ca.crt
> Auflösen des Hostnamen »zerberus.vorlon.lan«.... 192.168.0.230
> Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
> HTTP Anforderung gesendet, warte auf Antwort... 200 OK
> Länge: 767 [application/x-x509-ca-cert]
> In „/tmp/tmpLob8Sc/ca.crt“ speichern.
>
> 0K 100% 96,8M=0s
>
> 2011-07-26 15:34:18 (96,8 MB/s) - „/tmp/tmpLob8Sc/ca.crt“ gespeichert
> [767/767]
>
>
> root : DEBUG Init ldap with: ldap://zerberus.vorlon.lan:389
> root : DEBUG Search rootdse
> root : DEBUG Search for (info=*) in dc=vorlon,dc=lan(base)
> root : DEBUG Found: [('dc=vorlon,dc=lan', {'objectClass':
> ['top', 'domain', 'pilotObject', 'nisDomainObject',
> 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
> ['vorlon.lan'], 'dc': ['vorlon'], 'nisDomain': ['vorlon.lan']})]
> root : DEBUG Search for (objectClass=krbRealmContainer) in
> dc=vorlon,dc=lan(sub)
> root : DEBUG Found:
> [('cn=VORLON.LAN,cn=kerberos,dc=vorlon,dc=lan', {'krbSubTrees':
> ['dc=vorlon,dc=lan'], 'cn': ['VORLON.LAN'], 'krbDefaultEncSaltTypes':
> ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
> 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
> 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> 'krbMaxRenewableAge': ['604800']})]
> root : DEBUG will use domain: vorlon.lan
>
> root : DEBUG will use server: zerberus.vorlon.lan
>
> Discovery was successful!
> root : DEBUG will use cli_realm: VORLON.LAN
>
> root : DEBUG will use cli_basedn: dc=vorlon,dc=lan
>
> Hostname: chessur.vorlon.lan
> Realm: VORLON.LAN
> DNS Domain: vorlon.lan
> IPA Server: zerberus.vorlon.lan
> BaseDN: dc=vorlon,dc=lan
>
>
> Continue to configure the system with these values? [no]: yes
> Enrollment principal: admin
> root : DEBUG will use principal: admin
>
> root : DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
> http://zerberus.vorlon.lan/ipa/config/ca.crt
> root : DEBUG stdout=
> root : DEBUG stderr=--2011-07-26 15:34:28--
> http://zerberus.vorlon.lan/ipa/config/ca.crt
> Auflösen des Hostnamen »zerberus.vorlon.lan«.... 192.168.0.230
> Verbindungsaufbau zu zerberus.vorlon.lan|192.168.0.230|:80... verbunden.
> HTTP Anforderung gesendet, warte auf Antwort... 200 OK
> Länge: 767 [application/x-x509-ca-cert]
> In „/etc/ipa/ca.crt“ speichern.
>
> 0K 100% 64,6M=0s
>
> 2011-07-26 15:34:28 (64,6 MB/s) - „/etc/ipa/ca.crt“ gespeichert [767/767]
>
>
> root : DEBUG Writing Kerberos configuration to /tmp/tmphXdPGl:
> #File modified by ipa-client-install
>
> [libdefaults]
> default_realm = VORLON.LAN
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> VORLON.LAN = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .vorlon.lan = VORLON.LAN
> vorlon.lan = VORLON.LAN
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> Password for admin at VORLON.LAN:
> root : DEBUG args=kinit admin at VORLON.LAN
> root : DEBUG stdout=Password for admin at VORLON.LAN:
>
> root : DEBUG stderr=
>
> root : DEBUG args=/usr/sbin/ipa-join -s zerberus.vorlon.lan -d
> root : DEBUG stdout=
> root : DEBUG stderr=XML-RPC CALL:
>
> \r\n
> \r\n
> join\r\n
> \r\n
> \r\n
> chessur.vorlon.lan\r\n
> \r\n
> \r\n
> nsosversion\r\n
> 2.6.38.8-35.fc15.x86_64\r\n
> nshardwareplatform\r\n
> x86_64\r\n
> \r\n
> \r\n
> \r\n
>
> HTTP response code is 500, not 200
>
> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.
> root : DEBUG args=kdestroy
> root : DEBUG stdout=
> root : DEBUG stderr=
> [root at chessur ~]#
>
>
> cu romal
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From atkac at redhat.com Tue Jul 26 14:13:04 2011
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 26 Jul 2011 16:13:04 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <1311688604.41001.YahooMailClassic@web161316.mail.bf1.yahoo.com>
References: <1311688604.41001.YahooMailClassic@web161316.mail.bf1.yahoo.com>
Message-ID: <4E2ECB70.706@redhat.com>

On 07/26/2011 03:56 PM, nasir nasir wrote:
> Hi,
>
>>> In my case things are getting worse after the
>> configuration change. Earlier the issue used to pop up once
>> in a day or so. But now it is recurring every hour
>> or so. So I have reverted that parameter.
>> May I ask you if you send reload (rndc reload or kill -HUP)
>> or stop
>> command to named right before it dies, please? Or you don't
>> send any
>> signals or rndc commands. Thanks.
>>
>> Regards, Adam
> I had done this while I had noticed this crash in the beginning and didn't know what impact it had on this. Do you want me to try anything now? Also, if you want I can afford downtime now. Please let me know.

I just created the patch which should solve this issue, it is located on http://people.redhat.com/atkac/bind/bind97-rh725577.patch (note this is patch for bind, not for the bind-dyndb-ldap plugin)

I also created patched source rpms for RHEL-6 and Fedora 15:
el6: http://people.redhat.com/atkac/bind/bind-9.7.3-2.el6_1.P3.2.1.rh725577.src.rpm
fc15: http://people.redhat.com/atkac/bind/bind-9.8.0-7.P4.fc15.1.src.rpm

Please test if patched version solves this issue. Thanks in advance.

Regards, Adam

From kollathodi at yahoo.com Tue Jul 26 14:51:29 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Tue, 26 Jul 2011 07:51:29 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2ECB70.706@redhat.com>
Message-ID: <1311691889.76614.YahooMailClassic@web161319.mail.bf1.yahoo.com>

Hi All,

Thanks a ton for everyone who helped to have such a quick fix for this issue. I truly appreciate it. I have applied the patch (generated from the source rpm and applied with rpm -Uvh ***) and restarted IPA service. Had a preliminary test of the services and everything seems to be fine. Will keep watching and update the list in due course.

Adam,

Do you want me to update the bugzilla now or wait for a couple of days to observe?

Thanks again and regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac wrote:

> From: Adam Tkac
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com, "Robert M. Albrecht"
> Date: Tuesday, July 26, 2011, 7:13 AM
> On 07/26/2011 03:56 PM, nasir nasir
> wrote:
> > Hi,
> >
> >>> In my case things are getting worse after the
> >> configuration change. Earlier the issue used to
> pop up once
> >> in a day or so. But now it is recurring
> every hour
> >> or so. So I have reverted that parameter.
> >> May I ask you if you send reload (rndc reload or
> kill -HUP)
> >> or stop
> >> command to named right before it dies, please? Or
> you don't
> >> send any
> >> signals or rndc commands. Thanks.
> >>
> >> Regards, Adam
> > I had done this while I had noticed this crash in the
> beginning and didn't know what impact it had on this. Do you
> want me to try anything now? Also, if you want I can afford
> downtime now. Please let me know.
>
> I just created the patch which should solve this issue, it
> is located on
> http://people.redhat.com/atkac/bind/bind97-rh725577.patch
> (note this is
> patch for bind, not for the bind-dyndb-ldap plugin)
>
> I also created patched source rpms for RHEL-6 and Fedora
> 15:
> el6:
> http://people.redhat.com/atkac/bind/bind-9.7.3-2.el6_1.P3.2.1.rh725577.src.rpm
> fc15: http://people.redhat.com/atkac/bind/bind-9.8.0-7.P4.fc15.1.src.rpm
>
> Please test if patched version solves this issue. Thanks in
> advance.
>
> Regards, Adam
>

From atkac at redhat.com Tue Jul 26 14:58:53 2011
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 26 Jul 2011 16:58:53 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <1311691889.76614.YahooMailClassic@web161319.mail.bf1.yahoo.com>
References: <1311691889.76614.YahooMailClassic@web161319.mail.bf1.yahoo.com>
Message-ID: <4E2ED62D.1000500@redhat.com>

On 07/26/2011 04:51 PM, nasir nasir wrote:
> Hi All,
>
> Thanks a ton for everyone who helped to have such a quick fix for this issue. I truly appreciate it. I have applied the patch (generated from the source rpm and applied with rpm -Uvh ***) and restarted IPA service. Had a preliminary test of the services and everything seems to be fine. Will keep watching and update the list in due course.
>
> Adam,
>
> Do you want me to update the bugzilla now or wait for a couple of days to observe?

Thanks for your feedback, you don't have to update bugzilla, update it only in case named crashes again, please. For now I will consider the patch as correct.

Regards, Adam

From fedora at romal.de Tue Jul 26 16:08:01 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Tue, 26 Jul 2011 18:08:01 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2ED62D.1000500@redhat.com>
References: <1311691889.76614.YahooMailClassic@web161319.mail.bf1.yahoo.com> <4E2ED62D.1000500@redhat.com>
Message-ID: <4E2EE661.3010202@romal.de>

Hi,

the new named just died again:

[root at zerberus ~]# nslookup www.google.de
;; connection timed out; no servers could be reached

[root at zerberus ~]# rpm --query --all | grep bind
bind-debuginfo-9.8.0-7.P4.fc15.x86_64
bind-libs-9.8.0-7.P4.fc15.x86_64
bind-libs-lite-9.8.0-7.P4.fc15.x86_64
bind-dyndb-ldap-debuginfo-0.2.0-3.fc15.x86_64
bind-utils-9.8.0-7.P4.fc15.x86_64
bind-dyndb-ldap-0.2.0-3.fc15.x86_64
bind-9.8.0-7.P4.fc15.1.x86_64
bind-license-9.8.0-7.P4.fc15.noarch
[root at zerberus ~]#

rndc trace or rndc reload will just freeze or wait forever.

cu romal

On 26.07.11 16:58, Adam Tkac wrote:
> On 07/26/2011 04:51 PM, nasir nasir wrote:
>> Hi All,
>>
>> Thanks a ton for everyone who helped to have such a quick fix for this issue. I truly appreciate it. I have applied the patch (generated from the source rpm and applied with rpm -Uvh ***) and restarted IPA service. Had a preliminary test of the services and everything seems to be fine. Will keep watching and update the list in due course.
>>
>> Adam,
>>
>> Do you want me to update the bugzilla now or wait for a couple of days to observe?
>
> Thanks for your feedback, you don't have to update bugzilla, update it
> only in case named crashes again, please. For now I will consider the
> patch as correct.
>
> Regards, Adam
>

From kollathodi at yahoo.com Tue Jul 26 17:26:52 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Tue, 26 Jul 2011 10:26:52 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4E2ED62D.1000500@redhat.com>
Message-ID: <1311701212.19704.YahooMailClassic@web161320.mail.bf1.yahoo.com>

Hi all,

After applying the patches and restarting the service, everything was fine for about a couple of hours. But again it crashed and gave a core dump. I have updated the latest /var/log/messages and core dump with the bugzilla report. Please help.

Regards,
Nidal

--- On Tue, 7/26/11, Adam Tkac wrote:

> From: Adam Tkac
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com, "Robert M. Albrecht"
> Date: Tuesday, July 26, 2011, 7:58 AM
> On 07/26/2011 04:51 PM, nasir nasir
> wrote:
> > Hi All,
> >
> > Thanks a ton for everyone who helped to have such a
> quick fix for this issue. I truly appreciate it. I have
> applied the patch (generated from the source rpm and applied
> with rpm -Uvh ***) and restarted IPA service. Had a
> preliminary test of the services and everything seems to be
> fine. Will keep watching and update the list in due course.
> >
> >
> > Adam,
> >
> > Do you want me to update the bugzilla now or wait for
> a couple of days to observe?
>
> Thanks for your feedback, you don't have to update
> bugzilla, update it
> only in case named crashes again, please. For now I will
> consider the
> patch as correct.
>
> Regards, Adam
>

From Steven.Jones at vuw.ac.nz Wed Jul 27 20:58:43 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 27 Jul 2011 20:58:43 +0000
Subject: [Freeipa-users] Dead Freeipa
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.

So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...

The KDC is dead,

===========
Jul 27 16:00:02 vuwunicoipamt01 krb5kdc[2922](info): TGS_REQ (4 etypes {18 17 16 23}) 130.195.87.236: ISSUE: authtime 1311739202, etypes {rep=18 tkt=18 ses=18}, host/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ for ldap/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ
Jul 27 16:00:03 vuwunicoipamt01 krb5kdc[2922](info): TGS_REQ (4 etypes {18 17 16 23}) 130.195.87.236: ISSUE: authtime 1311739202, etypes {rep=18 tkt=18 ses=18}, host/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ for ldap/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2922](info): shutdown signal received
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2922](info): closing down fd 11
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2922](info): closing down fd 12
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2922](info): closing down fd 10
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2922](info): closing down fd 9
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2922](info): shutting down
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2923](info): shutdown signal received
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2923](info): closing down fd 11
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2923](info): closing down fd 12
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2923](info): closing down fd 10
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2923](info): closing down fd 9
Jul 27 16:00:16 vuwunicoipamt01 krb5kdc[2923](info): shutting down
krb5kdc: Can't contact LDAP server - while initializing database for realm UNIX.VUW.AC.NZ
[jonesst1 at 8KXL72S ~]$ date
Thu Jul 28 08:47:10 NZST 2011
=======================

and named isn't or won't run any longer.....

dirsrv isn't running....

I've attached a screenshot of the boot fail

I've looked through messages and other logs, can't see any reason for this..... :(

regards

Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-drvsrv-fail1.jpeg
Type: image/jpeg
Size: 31755 bytes
Desc: ipa-drvsrv-fail1.jpeg
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5kdc.log
Type: application/octet-stream
Size: 789396 bytes
Desc: krb5kdc.log
URL:

From simo at redhat.com Wed Jul 27 21:10:54 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 27 Jul 2011 17:10:54 -0400
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1311801054.19717.269.camel@willson.li.ssimo.org>

On Wed, 2011-07-27 at 20:58 +0000, Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...
>
> The KDC is dead,

The KDC simply tells you it can't operate w/o Directory Server running.

[..]

> and named isn't or won't run any longer.....

Same here, the bind-dyndb-ldap plugin depends on Directory Server running.

> dirsrv isn't running....

Here is the culprit, check DS's access and errors logs and see if there are any complaints there.

Also, if you run service ipa start, do you get errors?

> I've attached a screenshot of the boot fail
>
> I've looked through messages and other logs, can't see any reason for this.....

Try the above, see if you missed anything.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Wed Jul 27 21:12:38 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 27 Jul 2011 21:12:38 +0000
Subject: [Freeipa-users] version mismatch while joining a client ?
In-Reply-To: <4E2EC930.1060501@redhat.com>
References: <4E2EC378.9050401@romal.de>,<4E2EC930.1060501@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

It appears this change also affects RHEL6.1 as well....I have the same message when I try and join new machines.

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

8><-----

> Joining realm failed because of failing XML-RPC request.
> This error may be caused by incompatible server/client major versions.

8><-----

I think this is the problem caused by a recent libcurl change. libcurl recently dropped support for GSSAPI ticket delegation which is needed for the enrollment. If you look in the Apache error log on the IPA server I'll bet there is an error about principal.

We're waiting on upstream to add support for forwarding back in. Until then your options are limited. The change was made because it was considered a security issue: whenever forwarding was allowed the ticket was sent whether it was requested or not.

Downgrading libcurl will fix the problem for enrollment. You should evaluate the CVE to decide the course of action: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192

rob

8><----

From rcritten at redhat.com Wed Jul 27 21:13:07 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 17:13:07 -0400
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E307F63.2060107@redhat.com>

Steven Jones wrote:
>
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...
>
> The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.

rob

From rcritten at redhat.com Wed Jul 27 21:13:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Jul 2011 17:13:53 -0400
Subject: [Freeipa-users] version mismatch while joining a client ?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4E2EC378.9050401@romal.de>, <4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E307F91.10309@redhat.com>

Steven Jones wrote:
> Hi,
>
> It appears this change also affects RHEL6.1 as well....I have the same message when I try and join new machines.

Yes, updates were done for at least Fedora 14, 15, rawhide, EL5 and EL6. This was considered a security issue so updates were pushed everywhere.
rob > > regards > > Steven > Technical Specialist - Linux RHCE > Victoria University, Wellington, NZ > > 8><----- > >> Joining realm failed because of failing XML-RPC request. >> This error may be caused by incompatible server/client major versions. > > 8><----- > > I think this is the problem caused by a recent libcurl change. libcurl > recently dropped support for GSSAPI ticket delegation which is needed > for the enrollment. If you look in the Apache error log on the IPA > server I'll bet there is an error about principal. > > We're waiting on upstream to add support for forwarding back in. Until > then your options are limited. The change was made because it was > considered a security issue: whenever forwarding was allow the ticket > was sent whether it was requested or not. > > Downgrading libcurl will fix the problem for enrollment. You should > evaluate the CVE to decide the course of action: > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192 > > rob > > 8><---- From Steven.Jones at vuw.ac.nz Wed Jul 27 21:14:33 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 27 Jul 2011 21:14:33 +0000 Subject: [Freeipa-users] Dead Freeipa In-Reply-To: <1311801054.19717.269.camel@willson.li.ssimo.org> References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1311801054.19717.269.camel@willson.li.ssimo.org> Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C9552@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, After some (5?+) minutes I have fianlly been able to start dirsrv, then I have been able to restart all the services....I am going to try a reboot and see if this happens again. 
regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

From Steven.Jones at vuw.ac.nz Wed Jul 27 21:15:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 27 Jul 2011 21:15:41 +0000
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <4E307F63.2060107@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have included the krb log, and error log from the slapd directory, what else do you need?

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...
>
> The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.

rob

From Steven.Jones at vuw.ac.nz Wed Jul 27 21:25:34 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 27 Jul 2011 21:25:34 +0000
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have rebooted the server and the dirsrv won't start at boot.

I've gone into /etc/rc3.d and started dirsrv, which did; I then tried ipa, ipa shut down itself and dirsrv...

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 28 July 2011 9:15 a.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Hi,

I have included the krb log, and error log from the slapd directory, what else do you need?

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...
>
> The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Wed Jul 27 21:40:25 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 27 Jul 2011 21:40:25 +0000
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 28 July 2011 9:25 a.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

I have rebooted the server and the dirsrv won't start at boot.

I've gone into /etc/rc3.d and started dirsrv, which did; I then tried ipa, ipa shut down itself and dirsrv...

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 28 July 2011 9:15 a.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Hi,

I have included the krb log, and error log from the slapd directory, what else do you need?

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
> Hi,
>
> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.
>
> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...
>
> The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.

rob

[Attachment scrubbed by the archive: errors (application/octet-stream, 9743 bytes)]

From rmeggins at redhat.com Wed Jul 27 21:53:09 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 27 Jul 2011 15:53:09 -0600
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E3088C5.6040105@redhat.com>

On 07/27/2011 03:40 PM, Steven Jones wrote:
> regards

Thanks. To follow up from IRC:

If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup.

> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:25 a.m.
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> I have rebooted the server and the dirsrv won't start at boot.
>
> I've gone into /etc/rc3.d and started dirsrv, which did; I then tried ipa, ipa shut down itself and dirsrv...
>
> :/
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:15 a.m.
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Hi,
>
> I have included the krb log, and error log from the slapd directory, what else do you need?
>
> regards
>
> Steven
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 28 July 2011 9:13 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Steven Jones wrote:
>> Hi,
>>
>> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.
>>
>> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...
>>
>> The KDC is dead,
>
> If dirsrv won't start then we need to see those logs. Without it the KDC
> and named can't start.
>
> The client enrollment problem is probably the libcurl update a few weeks
> ago which dropped a feature required by IPA.
>
> rob

From Steven.Jones at vuw.ac.nz Wed Jul 27 22:10:59 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 27 Jul 2011 22:10:59 +0000
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <4E3088C5.6040105@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E3088C5.6040105@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C95CE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Further issues, when I change the password in freeipa gui, and then login to the first RHEL5.6 guest it asks for the password and insists on a change, but doesn't update it, so I can't login.

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Thursday, 28 July 2011 9:53 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

On 07/27/2011 03:40 PM, Steven Jones wrote:
regards

Thanks. To follow up from IRC:

If Steven starts up dirsrv manually, then krb, then named then httpd, everything works fine. Not sure what the ipa script is doing that kills dirsrv immediately upon startup.

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 28 July 2011 9:25 a.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

I have rebooted the server and the dirsrv won't start at boot.

I've gone into /etc/rc3.d and started dirsrv, which did; I then tried ipa, ipa shut down itself and dirsrv...

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 28 July 2011 9:15 a.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Hi,

I have included the krb log, and error log from the slapd directory, what else do you need?

regards

Steven
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
Hi,

I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.

So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...

The KDC is dead,

If dirsrv won't start then we need to see those logs. Without it the KDC and named can't start.

The client enrollment problem is probably the libcurl update a few weeks ago which dropped a feature required by IPA.
rob

From fedora at romal.de Thu Jul 28 05:11:39 2011
From: fedora at romal.de (Robert M. Albrecht)
Date: Thu, 28 Jul 2011 07:11:39 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <1311701212.19704.YahooMailClassic@web161320.mail.bf1.yahoo.com>
References: <1311701212.19704.YahooMailClassic@web161320.mail.bf1.yahoo.com>
Message-ID: <4E30EF8B.8010008@romal.de>

Hi,

my IPA is still dying. Strange thing is, it's very random. Most times it stops after some minutes, but yesterday named worked for several hours.

If it helps, I can provide shell access to the system.

cu romal

On 26.07.11 19:26, nasir nasir wrote:
> Hi all,
>
> After applying the patches and restarting the service, everything was fine for about a couple of hours. But again it crashed and gave core dump. I have updated the latest /var/log/messages and core dump with the bugzilla report.
> Please help.
>
> Regards,
> Nidal
>
> --- On Tue, 7/26/11, Adam Tkac wrote:
>
>> From: Adam Tkac
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"
>> Cc: freeipa-users at redhat.com, "Robert M. Albrecht"
>> Date: Tuesday, July 26, 2011, 7:58 AM
>> On 07/26/2011 04:51 PM, nasir nasir wrote:
>>> Hi All,
>>>
>>> Thanks a ton for every one who helped to have such a quick fix for this issue. I truly appreciate it. I have applied the patch (generated from the source rpm and applied with rpm -Uvh ***) and restarted IPA service. Had a preliminary test of the services and everything seems to be fine. Will keep watching and update the list in due course.
>>>
>>> Adam,
>>>
>>> Do you want me to update the bugzilla now or wait for a couple of days to observe?
>>
>> Thanks for your feedback, you don't have to update bugzilla, update it only in case if named crashes again, please. For now I will consider the patch as correct.
>>
>> Regards, Adam

From simo at redhat.com Thu Jul 28 11:30:29 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 28 Jul 2011 07:30:29 -0400
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <4E3088C5.6040105@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4E3088C5.6040105@redhat.com>
Message-ID: <1311852629.19717.275.camel@willson.li.ssimo.org>

On Wed, 2011-07-27 at 15:53 -0600, Rich Megginson wrote:
> On 07/27/2011 03:40 PM, Steven Jones wrote:
> > regards
> Thanks. To follow up from IRC:
> If Steven starts up dirsrv manually, then krb, then named then httpd,
> everything works fine. Not sure what the ipa script is doing that
> kills dirsrv immediately upon startup.

The only case where ipactl stops dirsrv is when it fails to find information with the ldapsearch done immediately after dirsrv starts.

Is it possible the dirsrv init script returns before dirsrv is actually ready to serve requests?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Thu Jul 28 13:14:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 09:14:35 -0400
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <1311852629.19717.275.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4E3088C5.6040105@redhat.com> <1311852629.19717.275.camel@willson.li.ssimo.org>
Message-ID: <4E3160BB.7060606@redhat.com>

Simo Sorce wrote:
> On Wed, 2011-07-27 at 15:53 -0600, Rich Megginson wrote:
>> On 07/27/2011 03:40 PM, Steven Jones wrote:
>>> regards
>> Thanks. To follow up from IRC:
>> If Steven starts up dirsrv manually, then krb, then named then httpd,
>> everything works fine. Not sure what the ipa script is doing that
>> kills dirsrv immediately upon startup.
>
> The only case where ipactl stops dirsrv is when it fails to find
> information with the ldapsearch done immediately after dirsrv starts.
>
> Is it possible the dirsrv init script returns before dirsrv is actually
> ready to serve requests?
>
> Simo.

It also does a query to determine what services it needs to start in what order. If the query fails it shuts dirsrv down.

rob

From rcritten at redhat.com Thu Jul 28 13:16:39 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 09:16:39 -0400
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C95CE@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E3088C5.6040105@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C95CE@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E316137.80804@redhat.com>

Steven Jones wrote:
> Hi,
>
> Further issues, when I change the password in freeipa gui, and then login to the first RHEL5.6 guest it asks for the password and insists on a change, but doesn't update it, so I can't login.

We need a lot more details:

* what release of freeipa on what platform
* what version of ipa-client do you have installed on 5.6
* were any errors logged on either the client or the server?
* how do you know the password wasn't updated?

If you started your services manually on the server did you start ipa_kpasswd?

rob

From sigbjorn at nixtra.com Thu Jul 28 20:19:08 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 28 Jul 2011 22:19:08 +0200
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E31C43C.7000300@nixtra.com>

Hi,

I had a similar problem.
For me the /etc/dirsrv/slapd-IX-TEST-COM/dse.ldif file was suddenly 0 bytes long. I recovered by restoring a copy of the dse.ldif.bak file in the same folder.

I was under the impression that this was my own fault due to continuous power cuts to my test bench, but have a look.

Rgds,
Siggi

On 07/27/2011 11:40 PM, Steven Jones wrote:
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:25 a.m.
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> I have rebooted the server and the dirsrv won't start at boot.
>
> I've gone into /etc/rc3.d and started dirsrv, which did; I then tried ipa, ipa shut down itself and dirsrv...
>
> :/
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 28 July 2011 9:15 a.m.
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Hi,
>
> I have included the krb log, and error log from the slapd directory, what else do you need?
>
> regards
>
> Steven
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 28 July 2011 9:13 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Dead Freeipa
>
> Steven Jones wrote:
>> Hi,
>>
>> I just went back to the proof of concept to have a wee play and I find that without going near it for a month when I try and join a new client I get a client / server version mismatch.....quite why on an unchanged environment this occurs is a mystery.
>>
>> So Ok I have put the new client and ipa server onto the internet and patched them, but now IPA won't start.....like Oops...
>>
>> The KDC is dead,
>
> If dirsrv won't start then we need to see those logs. Without it the KDC
> and named can't start.
>
> The client enrollment problem is probably the libcurl update a few weeks
> ago which dropped a feature required by IPA.
>
> rob
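Sigbjorn's zero-byte dse.ldif and the start-up race Simo and Rob describe (ipactl querying dirsrv with ldapsearch immediately after the init script returns, and shutting it down if the query fails) both come down to checking the directory server before anything relies on it. The script below is an added example, not FreeIPA's code and not from any poster: a POSIX sh pre-flight that validates dse.ldif (restoring it from the dse.ldif.bak beside it when the live copy is truncated) and then polls an ldapsearch probe until 389-ds actually answers, instead of the fixed 30-second sleep Steven considered. The instance name, the service names and the probe command are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not FreeIPA's own code. Assumed layout:
# /etc/dirsrv/slapd-<INSTANCE>/dse.ldif with dse.ldif.bak beside it
# (as in Sigbjorn's report). Probe command and service names are assumed.

# looks_like_ldif FILE
# 0 if FILE exists, is non-empty and has a "dn:" line within its first
# five lines (a truncated or zero-byte file fails this); 1 otherwise.
looks_like_ldif() {
    f=$1
    [ -s "$f" ] || return 1
    head -n 5 "$f" | grep -q '^dn:' || return 1
    return 0
}

# check_dse_ldif CONFIGDIR
# Sigbjorn's failure mode: dse.ldif suddenly 0 bytes (e.g. a power cut
# mid-write). If the live file is bad but dse.ldif.bak is sound, keep the
# bad copy for later inspection and restore from the backup.
# Returns 0 when a usable dse.ldif is in place, 1 when neither copy is.
check_dse_ldif() {
    dir=$1
    live="$dir/dse.ldif"
    bak="$dir/dse.ldif.bak"
    if looks_like_ldif "$live"; then
        return 0
    fi
    if looks_like_ldif "$bak"; then
        [ -e "$live" ] && mv "$live" "$live.corrupt.$(date +%s)"
        cp -p "$bak" "$live"
        echo "restored $live from $bak" >&2
        return 0
    fi
    echo "no usable dse.ldif or dse.ldif.bak in $dir" >&2
    return 1
}

# probe_ldap
# Anonymous base-scope read of the root DSE on the local server; any
# answer means 389-ds is accepting and serving queries. Assumed probe.
probe_ldap() {
    ldapsearch -x -H ldap://localhost -s base -b '' '(objectClass=*)' \
        namingContexts >/dev/null 2>&1
}

# wait_until_ready PROBE MAX_ATTEMPTS INTERVAL_SECONDS
# Run PROBE until it succeeds or MAX_ATTEMPTS is exhausted, sleeping
# INTERVAL between tries. This closes the gap Simo asks about (the init
# script returning before the server is ready) without a blind sleep:
# it returns 0 as soon as the server answers, 1 on timeout.
wait_until_ready() {
    probe=$1
    max=$2
    interval=$3
    n=0
    while [ "$n" -lt "$max" ]; do
        if $probe; then
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    return 1
}

# Manual start sequence in the order Rich reported working (dirsrv, then
# the KDC, named, httpd), gated on the checks above. Run with "run" as the
# first argument; INSTANCE is a placeholder for the 389-ds instance name.
if [ "${1:-}" = "run" ]; then
    INSTANCE=${INSTANCE:-EXAMPLE-COM}
    check_dse_ldif "/etc/dirsrv/slapd-$INSTANCE" || exit 1
    service dirsrv start || exit 1
    wait_until_ready probe_ldap 30 1 || { echo "dirsrv not ready" >&2; exit 1; }
    for svc in krb5kdc ipa_kpasswd named httpd; do
        service "$svc" start || exit 1
    done
fi
```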
From Steven.Jones at vuw.ac.nz Thu Jul 28 20:28:00 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 28 Jul 2011 20:28:00 +0000
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <1311852629.19717.275.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4E3088C5.6040105@redhat.com>, <1311852629.19717.275.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C9D9F@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I'm wondering that....I was tempted to edit the existing or write my own simple wrapper script with sleeps in it to see....certainly starting by hand seems to be ok, so 30 secs sleeps say....

At the moment of course with libcurl and password changing failure in effect I have a sev 1 on my hands....fortunately it's only a POC, otherwise if this were to happen in production there would be a lot of Q's asked.......such a hole shouldn't exist frankly.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

========================
8><----

Is it possible the dirsrv init script returns before dirsrv is actually ready to serve requests?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Thu Jul 28 20:36:34 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 28 Jul 2011 20:36:34 +0000
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <4E316137.80804@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E3088C5.6040105@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C95CE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E316137.80804@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369C9DAB@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Nope....didn't know I had to, never heard of this service! Is it documented? I will start it....and test.

For the record, what are the packages and what is the correct manual order to stop and start please? Or is this documented somewhere?

In the troubleshooting part of the guide can we have an order and a command line test for each service in turn with the correct return?

Also using yum to downgrade libcurl fails....lots of broken dependencies....oops as they say.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

what release of freeipa on what platform

RHEL6.1 client, as patched yesterday...ditto I patched the IPA server because of the minor/major version problem in adding new clients.

ipa-client = 2.0.0-23 64bit

password not updated, because I can't login with the new password but continue to login with the old and it asks me every time to change.....like ground-hog day....
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Friday, 29 July 2011 1:16 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Dead Freeipa

Steven Jones wrote:
> Hi,
>
> Further issues, when I change the password in freeipa gui, and then login to the first RHEL5.6 guest it asks for the password and insists on a change, but doesn't update it, so I can't login.

We need a lot more details:

* what release of freeipa on what platform
* what version of ipa-client do you have installed on 5.6
* were any errors logged on either the client or the server?
* how do you know the password wasn't updated?

If you started your services manually on the server did you start ipa_kpasswd?

rob

From rcritten at redhat.com Thu Jul 28 20:44:05 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 16:44:05 -0400
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C9D9F@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4E3088C5.6040105@redhat.com>, <1311852629.19717.275.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E40369C9D9F@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E31CA15.1030704@redhat.com>

Steven Jones wrote:
> Hi,
>
> I'm wondering that....I was tempted to edit the existing or write my own simple wrapper script with sleeps in it to see....certainly starting by hand seems to be ok, so 30 secs sleeps say....

Starting by hand != running ipactl. If you want to put a sleep anywhere put it in that script.

> At the moment of course with libcurl and password changing failure in effect I have a sev 1 on my hands....fortunately it's only a POC, otherwise if this were to happen in production there would be a lot of Q's asked.......such a hole shouldn't exist frankly.

We have no control over libcurl nor its upstream. It was as much a surprise to us as anyone.

rob

From rcritten at redhat.com Thu Jul 28 20:48:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 16:48:34 -0400
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369C9DAB@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E3088C5.6040105@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C95CE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E316137.80804@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9DAB@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E31CB22.1090502@redhat.com>

Steven Jones wrote:
> Hi,
>
> Nope....didn't know I had to, never heard of this service! Is it documented? I will start it....and test.
>
> For the record, what are the packages and what is the correct manual order to stop and start please? Or is this documented somewhere?

It is the same as in v1, I assume that stuff was pulled forward to the v2 docs. ipactl is authoritative in this regard though.

> In the troubleshooting part of the guide can we have an order and a command line test for each service in turn with the correct return?
>
> Also using yum to downgrade libcurl fails....lots of broken dependencies....oops as they say.

# yum downgrade curl libcurl*

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> what release of freeipa on what platform
>
> RHEL6.1 client, as patched yesterday...ditto I patched the IPA server because of the minor/major version problem in adding new clients.

I thought you said this was RHEL 5.6, or is it happening on 6.1 as well?

> ipa-client = 2.0.0-23 64bit
>
> password not updated, because I can't login with the new password but continue to login with the old and it asks me every time to change.....like ground-hog day....

Did you start ipa_kpasswd as suggested?

rob

From Steven.Jones at vuw.ac.nz Thu Jul 28 21:58:28 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 28 Jul 2011 21:58:28 +0000
Subject: [Freeipa-users] Dead Freeipa
In-Reply-To: <4E316137.80804@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40369C89D9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F63.2060107@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369C9568@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369C9587@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369C95A0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E3088C5.6040105@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C95CE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E316137.80804@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369CA014@STAWINCOX10MBX1.staff.vuw.ac.nz>

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

==============
8><-----

that fixed it thanks....now to try and fix the minor/major problem

8><-------

If you started your services manually on the server did you start ipa_kpasswd?

rob

From Steven.Jones at vuw.ac.nz Thu Jul 28 21:59:46 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 28 Jul 2011 21:59:46 +0000
Subject: [Freeipa-users] version mismatch while joining a client ?
In-Reply-To: <4E307F91.10309@redhat.com>
References: <4E2EC378.9050401@romal.de>, <4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz>

I just downgraded libcurl and curl on rhel6.1 client....still broken.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 28 July 2011 9:13 a.m.
To: Steven Jones
Cc: Robert M. Albrecht; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
> Hi,
>
> It appears this change also affects RHEL6.1 as well....I have the same message when I try and join new machines.

Yes, updates were done for at least Fedora 14, 15, rawhide, EL5 and EL6. This was considered a security issue so updates were pushed everywhere.

rob

> regards
>
> Steven
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> 8><-----
>
>> Joining realm failed because of failing XML-RPC request.
>> This error may be caused by incompatible server/client major versions.
>
> 8><-----
>
> I think this is the problem caused by a recent libcurl change. libcurl
> recently dropped support for GSSAPI ticket delegation which is needed
> for the enrollment. If you look in the Apache error log on the IPA
> server I'll bet there is an error about principal.
>
> We're waiting on upstream to add support for forwarding back in. Until
> then your options are limited. The change was made because it was
> considered a security issue: whenever forwarding was allowed the ticket
> was sent whether it was requested or not.
>
> Downgrading libcurl will fix the problem for enrollment. You should
> evaluate the CVE to decide the course of action:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192
>
> rob
>
> 8><----

From rcritten at redhat.com Thu Jul 28 22:12:54 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 28 Jul 2011 18:12:54 -0400
Subject: [Freeipa-users] version mismatch while joining a client ?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4E2EC378.9050401@romal.de>, <4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4E31DEE6.2050706@redhat.com>

Steven Jones wrote:
> I just downgraded libcurl and curl on rhel6.1 client....still broken.

Broken how? We need logs, command output, etc. to diagnose the problem.

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 28 July 2011 9:13 a.m.
> To: Steven Jones
> Cc: Robert M. Albrecht; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] version mismatch while joining a client ?
>
> Steven Jones wrote:
>> Hi,
>>
>> It appears this change also affects RHEL6.1 as well....I have the same message when I try and join new machines.
>
> Yes, updates were done for at least Fedora 14, 15, rawhide, EL5 and EL6.
> This was considered a security issue so updates were pushed everywhere.
>
> rob
>
>> regards
>>
>> Steven
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>>
>> 8><-----
>>
>>> Joining realm failed because of failing XML-RPC request.
>>> This error may be caused by incompatible server/client major versions.
>>
>> 8><-----
>>
>> I think this is the problem caused by a recent libcurl change. libcurl
>> recently dropped support for GSSAPI ticket delegation which is needed
>> for the enrollment. If you look in the Apache error log on the IPA
>> server I'll bet there is an error about principal.
>>
>> We're waiting on upstream to add support for forwarding back in. Until
>> then your options are limited. The change was made because it was
>> considered a security issue: whenever forwarding was allowed the ticket
>> was sent whether it was requested or not.
>>
>> Downgrading libcurl will fix the problem for enrollment. You should
>> evaluate the CVE to decide the course of action:
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2192
>>
>> rob
>>
>> 8><----

From Steven.Jones at vuw.ac.nz Thu Jul 28 22:13:14 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 28 Jul 2011 22:13:14 +0000
Subject: [Freeipa-users] version mismatch while joining a client ?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4E2EC378.9050401@romal.de>, <4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40369CA033@STAWINCOX10MBX1.staff.vuw.ac.nz>

client install attempt info

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 29 July 2011 9:59 a.m.
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

I just downgraded libcurl and curl on rhel6.1 client....still broken.
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ -------------- next part -------------- A non-text attachment was scrubbed... Name: client-libcurl-fail1 Type: application/octet-stream Size: 5341 bytes Desc: client-libcurl-fail1 URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ipaclient-install.log Type: application/octet-stream Size: 4822 bytes Desc: ipaclient-install.log URL: From rcritten at redhat.com Thu Jul 28 22:17:34 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 28 Jul 2011 18:17:34 -0400 Subject: [Freeipa-users] version mismatch while joining a client ? In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369CA033@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <4E2EC378.9050401@romal.de>, <4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369CA033@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4E31DFFE.9040209@redhat.com> Steven Jones wrote: > client install attempt info What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with. Can you look on the server and see if there is an exception related to principal not being set? rob > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Friday, 29 July 2011 9:59 a.m. > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > I just downgraded libcurl and curl on rhel6.1 client....still broken. 
> > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Thu Jul 28 22:25:55 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 28 Jul 2011 22:25:55 +0000 Subject: [Freeipa-users] version mismatch while joining a client ? In-Reply-To: <4E31DFFE.9040209@redhat.com> References: <4E2EC378.9050401@romal.de>,<4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369CA033@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E31DFFE.9040209@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40369CA061@STAWINCOX10MBX1.staff.vuw.ac.nz> its in the XXXfail script which was the screenshot...... I ran rpm -q when it failed.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Friday, 29 July 2011 10:17 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: > client install attempt info What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with. Can you look on the server and see if there is an exception related to principal not being set? 
rob > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Friday, 29 July 2011 9:59 a.m. > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > I just downgraded libcurl and curl on rhel6.1 client....still broken. > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Thu Jul 28 22:27:56 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 28 Jul 2011 22:27:56 +0000 Subject: [Freeipa-users] version mismatch while joining a client ? In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369CA061@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <4E2EC378.9050401@romal.de>,<4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369CA033@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E31DFFE.9040209@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA061@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E40369CA06E@STAWINCOX10MBX1.staff.vuw.ac.nz> hmm I think thats stuffed, I dont think it downgraded....libcurl...doh.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Friday, 29 July 2011 10:25 a.m. 
To: Rob Crittenden Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? its in the XXXfail script which was the screenshot...... I ran rpm -q when it failed.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Friday, 29 July 2011 10:17 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: > client install attempt info What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with. Can you look on the server and see if there is an exception related to principal not being set? rob > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Friday, 29 July 2011 9:59 a.m. > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > I just downgraded libcurl and curl on rhel6.1 client....still broken. > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Thu Jul 28 22:31:18 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 28 Jul 2011 22:31:18 +0000 Subject: [Freeipa-users] version mismatch while joining a client ? 
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369CA06E@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <4E2EC378.9050401@romal.de>,<4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369CA033@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E31DFFE.9040209@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA061@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40369CA06E@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E40369CA081@STAWINCOX10MBX1.staff.vuw.ac.nz> I have a case with RH support on why I cant downgrade....will egt back to you. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Friday, 29 July 2011 10:27 a.m. To: Rob Crittenden Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? hmm I think thats stuffed, I dont think it downgraded....libcurl...doh.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Friday, 29 July 2011 10:25 a.m. To: Rob Crittenden Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? its in the XXXfail script which was the screenshot...... I ran rpm -q when it failed.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Friday, 29 July 2011 10:17 a.m. 
To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: > client install attempt info What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with. Can you look on the server and see if there is an exception related to principal not being set? rob > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Friday, 29 July 2011 9:59 a.m. > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > I just downgraded libcurl and curl on rhel6.1 client....still broken. > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From rapidnorepeat at gmail.com Fri Jul 29 04:34:47 2011 From: rapidnorepeat at gmail.com (Rapid Noreapeat) Date: Fri, 29 Jul 2011 11:34:47 +0700 Subject: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS? Message-ID: Is it possible to integrate my web applications like portal website, helpdesk website, and other web apps login using FreeIPA's login accounts (SSO) like CAS? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rcritten at redhat.com Fri Jul 29 04:50:47 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 29 Jul 2011 00:50:47 -0400 Subject: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS? In-Reply-To: References: Message-ID: <4E323C27.5040203@redhat.com> Rapid Noreapeat wrote: > Is it possible to integrate my web applications like portal website, > helpdesk website, and other web apps login using FreeIPA's login > accounts (SSO) like CAS? It depends. The FreeIPA SSO is Kerberos-based so you'd need to provide access to your KDC for this to work. If we're talking external portal then you may not want to expose your KDC. It also requires some configuration. Your browser has to be configured to do Negotiate auth against a given domain. It will also need to trust the IPA CA (and since CAS seems at least partially SSL-based you already handle this). I don't know much about CAS other than what I just read on their web site but it looks like they handle redirecting when you aren't authenticated, seemingly allowing a nice way to mix protected and unprotected data. I think you'd have to do much of this configuration yourself in Apache. Probably not a huge amount of work though. So it is basically whatever mod_auth_kerb provides. rob From rapidnorepeat at gmail.com Fri Jul 29 06:30:10 2011 From: rapidnorepeat at gmail.com (Rapid Noreapeat) Date: Fri, 29 Jul 2011 13:30:10 +0700 Subject: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS? In-Reply-To: <4E323C27.5040203@redhat.com> References: <4E323C27.5040203@redhat.com> Message-ID: Thank you for your quick reply Rob, I'll try it. On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden wrote: > Rapid Noreapeat wrote: > >> Is it possible to integrate my web applications like portal website, >> helpdesk website, and other web apps login using FreeIPA's login >> accounts (SSO) like CAS? >> > > It depends. 
The FreeIPA SSO is Kerberos-based so you'd need to provide > access to your KDC for this to work. If we're talking external portal then > you may not want to expose your KDC. > > It also requires some configuration. Your browser has to be configured to > do Negotiate auth against a given domain. It will also need to trust the > IPA CA (and since CAS seems at least partially SSL-based you already handle > this). > > I don't know much about CAS other than what I just read on their web site > but it looks like they handle redirecting when you aren't authenticated, > seemingly allowing a nice way to mix protected and unprotected data. I think > you'd have to do much of this configuration yourself in Apache. Probably not > a huge amount of work though. > > So it is basically whatever mod_auth_kerb provides. > > rob > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ayoung at redhat.com Fri Jul 29 14:07:46 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 29 Jul 2011 10:07:46 -0400 Subject: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS? In-Reply-To: References: <4E323C27.5040203@redhat.com> Message-ID: <4E32BEB2.5080206@redhat.com> In order to authenticate through the firewall you have to allow kinit and kerberos web traffic through, which means opening port 88. If you are unwilling to do that, you need to come up with an authentication solution that will pass through firewalls, which means either basic auth, digest, or certificates. IPA has an embeded CA in it (Dogtag) but does not yet manage user certificates. http://pki.fedoraproject.org/wiki/PKI_Main_Page The approaches for web only single sign on (OpenID, OAuth, SAML and so forth) still require the initial authentication. Since IPA doesn't currently have a solution for that piece, we do not yet support one of hte HTTP SSO mechanisms, but it is under discussion. 
On 07/29/2011 02:30 AM, Rapid Noreapeat wrote: > Thank you for your quick reply Rob, > > I'll try it. > > On Fri, Jul 29, 2011 at 11:50 AM, Rob Crittenden > wrote: > > Rapid Noreapeat wrote: > > Is it possible to integrate my web applications like portal > website, > helpdesk website, and other web apps login using FreeIPA's login > accounts (SSO) like CAS? > > > It depends. The FreeIPA SSO is Kerberos-based so you'd need to > provide access to your KDC for this to work. If we're talking > external portal then you may not want to expose your KDC. > > It also requires some configuration. Your browser has to be > configured to do Negotiate auth against a given domain. It will > also need to trust the IPA CA (and since CAS seems at least > partially SSL-based you already handle this). > > I don't know much about CAS other than what I just read on their > web site but it looks like they handle redirecting when you aren't > authenticated, seemingly allowing a nice way to mix protected and > unprotected data. I think you'd have to do much of this > configuration yourself in Apache. Probably not a huge amount of > work though. > > So it is basically whatever mod_auth_kerb provides. > > rob > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From roland.kaeser at intersoft-networks.ch Sat Jul 30 16:40:49 2011 From: roland.kaeser at intersoft-networks.ch (roland.kaeser at intersoft-networks.ch) Date: Sat, 30 Jul 2011 18:40:49 +0200 Subject: [Freeipa-users] Problems with single signon with firefox Message-ID: Hello I just installed freeipa on scientific linux 6.1. Installation worked find so far but I cannot logon to the web interface. Firefox is configured with the ca cert and single sign on settings. Login as admin via ssh works fine and I get the valid ticket. 
But when I open the ipa web interface I get only: Your kerberos ticket is no longer valid. Please run kinit and then click 'Retry'. In the titlebar I see : "Logged in as: user at FREEIPA.ORG" This is a bit strange to me I cannot see where this error comes from. Has someone a hint for me Regards Roland -------------- next part -------------- An HTML attachment was scrubbed... URL: From roland.kaeser at intersoft-networks.ch Sat Jul 30 18:29:13 2011 From: roland.kaeser at intersoft-networks.ch (roland.kaeser at intersoft-networks.ch) Date: Sat, 30 Jul 2011 20:29:13 +0200 Subject: [Freeipa-users] Problems with single signon with firefox In-Reply-To: References: Message-ID: Hello Reinstallation fixed the problem. Thanks Roland Von: roland.kaeser at intersoft-networks.ch An: freeipa-users at redhat.com Datum: 30.07.2011 18:47 Betreff: [Freeipa-users] Problems with single signon with firefox Gesendet von: freeipa-users-bounces at redhat.com Hello I just installed freeipa on scientific linux 6.1. Installation worked find so far but I cannot logon to the web interface. Firefox is configured with the ca cert and single sign on settings. Login as admin via ssh works fine and I get the valid ticket. But when I open the ipa web interface I get only: Your kerberos ticket is no longer valid. Please run kinit and then click 'Retry'. In the titlebar I see : "Logged in as: user at FREEIPA.ORG" This is a bit strange to me I cannot see where this error comes from. Has someone a hint for me Regards Roland_______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rcritten at redhat.com Sat Jul 30 19:02:04 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Sat, 30 Jul 2011 15:02:04 -0400 Subject: [Freeipa-users] Problems with single signon with firefox In-Reply-To: References: Message-ID: <4E34552C.8060404@redhat.com> roland.kaeser at intersoft-networks.ch wrote: > Hello > > I just installed freeipa on scientific linux 6.1. Installation worked > find so far but I cannot logon to the web interface. > Firefox is configured with the ca cert and single sign on settings. > Login as admin via ssh works fine and I get the valid > ticket. > But when I open the ipa web interface I get only: Your kerberos ticket > is no longer valid. Please run kinit and then click 'Retry'. > > In the titlebar I see : "_Logged in as: *user at FREEIPA.ORG*_** > " > > > This is a bit strange to me I cannot see where this error comes from. > Has someone a hint for me > > > Regards > > Roland On the server side you can increase debug output by setting LogLevel to debug in /etc/httpd/conf.d/nss.conf and restarting or you can troubleshoot it from the client side by looking at: https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Troubleshooting-UI.html One important factor is that you are going to the server that we created a web principal for. If your server has a CNAME, for example, you have to use the A record. We do a fair bit of redirecting using mod_rewrite to be sure you get to the right host but it isn't perfect. rob From roland.kaeser at intersoft-networks.ch Sun Jul 31 08:44:18 2011 From: roland.kaeser at intersoft-networks.ch (roland.kaeser at intersoft-networks.ch) Date: Sun, 31 Jul 2011 10:44:18 +0200 Subject: [Freeipa-users] Once Again: Freeipa and Windows 7 Message-ID: Hello I'm trying again to setup a pilot freeipa infrastructure for linux/afs servers and windows clients. So the first (and most hard) task is to join a "windows 7" into freeipa/kerberos. 
I already read the available documentation and setup my pilot client with the following parameters: ksetup /setdomain SAMPLE.CH ksetup /SetRealm SAMPLE.CH ksetup /AddKdc SAMPLE.CH freeipa.sample.ch ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch ksetup /SetComputerPassword MYPASSWORDHERE ksetup /MapUser * * Changed the available encryption types for kerberos in secpool.msc under Local Policies/Security Options/Network Security/Network Security: Configure encryption types allowed for Kerberos to: DES_CBC_CRC,DES_CBC_MD5,RC4_HMAC_MD5,AES128_HMAC_SHA1,AES256_HMAC_SHA1, Furter encryption types Created a host principal in the freeipa webinterface and set the OTP to MYPASSWORDHERE. The clock of the windows 7 machine is synced with the ntpd of the freeipa server. When I try to login I get the usual password change request dialog on the windows 7 client and the following krb5log entry: Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-roland at SAMPLE.CH for krbtgt/SAMPLE.CH at SAMPLE.CH, Password has expired When try to change the password I get only "The username or password is wrong" with the following krb5log entries: Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-roland at SAMPLE.CH for kadmin/changepw at SAMPLE.CH, Additional pre-authentication required Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland at SAMPLE.CH for kadmin/changepw at SAMPLE.CH, Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 
192.168.1.90: PREAUTH_FAILED: isn-roland at SAMPLE.CH for kadmin/changepw at SAMPLE.CH, Decrypt integrity check failed After long googeling and long investigation, I can't see the issue behind this problems. Does someone has setup a similar environment and give me some advice to get this up and running? Regards Roland -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Sun Jul 31 22:30:41 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Sun, 31 Jul 2011 22:30:41 +0000 Subject: [Freeipa-users] version mismatch while joining a client ? In-Reply-To: <4E31DFFE.9040209@redhat.com> References: <4E2EC378.9050401@romal.de>,<4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369CA033@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E31DFFE.9040209@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40369CAEFB@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, For RHEL6.1 64bit, Can you tell me which "old" libcurl is the right one? I seem to be getting bogged down with RH support....seems the gdowngrade wnet from x86_64 to i686 but still the same subpatch -26....I think I want -16? :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Friday, 29 July 2011 10:17 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] version mismatch while joining a client ? Steven Jones wrote: > client install attempt info What version of libcurl do you have installed on the client? I realize you downgraded it, just curious what you ended up with. Can you look on the server and see if there is an exception related to principal not being set? 
rob > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Friday, 29 July 2011 9:59 a.m. > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > I just downgraded libcurl and curl on rhel6.1 client....still broken. > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From sylvain.pannetrat at net-optima.fr Sun Jul 31 22:55:04 2011 From: sylvain.pannetrat at net-optima.fr (Sylvain PANNETRAT) Date: Mon, 01 Aug 2011 00:55:04 +0200 Subject: [Freeipa-users] version mismatch while joining a client ? In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40369CAEFB@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <4E2EC378.9050401@romal.de>, <4E2EC930.1060501@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369C9545@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E307F91.10309@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40369CA01E@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40369CA033@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4E31DFFE.9040209@redhat.com> <833D8E48405E064EBC54C84EC6B36E40369CAEFB@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4E35DD48.5080405@net-optima.fr> Hi, You can take the file with F14 intallation DVD. It work for me. You may need to make a script to be able to swap you libcurl file, because when you install the old version, yum doesn't work any more. Regards, Sylvain PANNETRAT Le 01/08/11 00:30, Steven Jones a ?crit : > Hi, > > > For RHEL6.1 64bit, Can you tell me which "old" libcurl is the right one? 
> > I seem to be getting bogged down with RH support....seems the gdowngrade wnet from x86_64 to i686 but still the same subpatch -26....I think I want -16? > > :/ > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Friday, 29 July 2011 10:17 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] version mismatch while joining a client ? > > Steven Jones wrote: >> client install attempt info > What version of libcurl do you have installed on the client? I realize > you downgraded it, just curious what you ended up with. > > Can you look on the server and see if there is an exception related to > principal not being set? > > rob > >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >> Sent: Friday, 29 July 2011 9:59 a.m. >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] version mismatch while joining a client ? >> >> I just downgraded libcurl and curl on rhel6.1 client....still broken. >> >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users
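The krb5kdc entries Roland quotes in the Windows 7 thread above (CLIENT KEY EXPIRED against krbtgt, then NEEDED_PREAUTH and PREAUTH_FAILED with "Decrypt integrity check failed" against kadmin/changepw) are the kind of KDC log a defender wants to triage quickly. The following Python is an added example, not code from the thread or from FreeIPA: it parses lines of that format, groups AS_REQ outcomes by client principal and source address, and flags an expired password, pre-authentication failures (wrong password or a key/enctype mismatch) and weak DES/export etypes offered by the client. The sample lines are constructed to match the thread's format (with a literal '@' where the archive prints ' at '), the "healthy" admin line is invented for contrast, and the alert threshold is an assumed site value.

```python
import re
from collections import Counter, defaultdict

# IANA-registered Kerberos etype numbers (RFC 3961/3962/4757). Windows also
# offers negative vendor-specific numbers such as -135; those are shown by number.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
WEAK_ETYPES = {1, 3, 24}        # single DES and export-grade RC4
PREAUTH_ALERT_THRESHOLD = 5     # assumed site policy, tune as needed

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[0-9.]+): (?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
# "client for server[, detail]"; ISSUE lines carry authtime/etypes before it.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<detail>.*))?$")
PREAUTH_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.*)$"
)


def parse_kdc_line(line):
    """Parse one krb5kdc line; return a dict, or None for lines not modelled here."""
    m = AS_REQ_RE.search(line)
    if m:
        p = PRINCIPALS_RE.search(m.group("rest"))
        if not p:
            return None
        return {
            "kind": "AS_REQ", "ip": m.group("ip"), "status": m.group("status"),
            "client": p.group("client"), "server": p.group("server"),
            "detail": p.group("detail") or "",
            "etypes": [int(e) for e in m.group("etypes").split()],
        }
    m = PREAUTH_RE.search(line)
    if m:
        return {"kind": "PREAUTH_VERIFY", "mech": m.group("mech"), "reason": m.group("reason")}
    return None


def etype_names(etypes):
    """Readable names; unregistered numbers (e.g. Windows' -135) become etype(<n>)."""
    return [ETYPE_NAMES.get(e, f"etype({e})") for e in etypes]


def triage(lines):
    """Group AS_REQ outcomes by (client, source IP) and attach a diagnosis.

    Returns {"pairs": {(client, ip): {...}}, "preauth_verify": Counter(reason)}.
    """
    pairs = defaultdict(lambda: {"statuses": Counter(), "servers": set(), "etypes": set()})
    preauth_verify = Counter()
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        if rec["kind"] == "PREAUTH_VERIFY":
            preauth_verify[rec["reason"]] += 1
            continue
        entry = pairs[(rec["client"], rec["ip"])]
        entry["statuses"][rec["status"]] += 1
        entry["servers"].add(rec["server"])
        entry["etypes"].update(rec["etypes"])
    report = {}
    for key, entry in pairs.items():
        st, findings = entry["statuses"], []
        if st["CLIENT KEY EXPIRED"]:
            findings.append("password expired: no TGT until it is changed; the change "
                            "itself authenticates to kadmin/changepw")
        if st["PREAUTH_FAILED"]:
            findings.append(f"{st['PREAUTH_FAILED']} pre-authentication failure(s): wrong "
                            "password, or client key/etype does not match the KDC's")
        if st["PREAUTH_FAILED"] >= PREAUTH_ALERT_THRESHOLD:
            findings.append("repeated failures from one source: review for password guessing")
        weak = sorted(e for e in entry["etypes"] if e in WEAK_ETYPES)
        if weak:
            findings.append("client offers weak etypes: " + ", ".join(etype_names(weak)))
        report[key] = {
            "statuses": dict(st), "servers": sorted(entry["servers"]),
            "etypes_offered": etype_names(sorted(entry["etypes"])), "findings": findings,
        }
    return {"pairs": report, "preauth_verify": preauth_verify}


# Constructed sample in the thread's format (realm, host and client IP as there).
P = "Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): "
ET = "AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: "
SAMPLE_LOG = [
    P + ET + "CLIENT KEY EXPIRED: isn-roland@SAMPLE.CH for krbtgt/SAMPLE.CH@SAMPLE.CH, Password has expired",
    P + ET + "NEEDED_PREAUTH: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Additional pre-authentication required",
    P + "preauth (timestamp) verify failure: Decrypt integrity check failed",
    P + ET + "PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed",
    P + "preauth (timestamp) verify failure: Decrypt integrity check failed",
    P + ET + "PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed",
    # invented healthy Linux client for contrast
    P + "AS_REQ (4 etypes {18 17 16 23}) 192.168.1.20: ISSUE: authtime 1312101662, "
    "etypes {rep=18 tkt=18 ses=18}, admin@SAMPLE.CH for krbtgt/SAMPLE.CH@SAMPLE.CH",
]
```

Running `triage(SAMPLE_LOG)` separates the expired-password case from a genuine bad-password or enctype mismatch, which is the distinction the thread's "The username or password is wrong" dialog hides.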