From Steven.Jones at vuw.ac.nz Tue Mar 1 00:21:02 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 Mar 2011 13:21:02 +1300
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6C0EA5.3040708@redhat.com>
References: <4D6C0EA5.3040708@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB722@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Not sure if I have to change anything in the repo, but rc2.0 does not appear...

regards

On Mon, 2011-02-28 at 16:07 -0500, Rob Crittenden wrote:
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the
> Release Candidate 2 release of freeIPA 2.0 server [1].
>
> * Binaries are available for F-14 and F-15 [2].
> * Please do not hesitate to share feedback, criticism or bugs with us on
> our mailing list: freeipa-users at redhat.com
>
> Main Highlights of the Release Candidate.
>
> This release consists primarily of bug fixes and polish across all areas
> of the project. Modifications include but are not limited to
> * Make Indirect membership clearer.
> * Input validation fixes.
> * WebUI improvements.
> * Created default Roles.
> * IPv6 support
> * Documentation updates
>
> Focus of the Release Candidate Testing
> * There was a Fedora test day for FreeIPA on Feb 15th [3]. These tests
> are still relevant and feedback would be appreciated.
> * The following section outlines the areas that we are mostly interested
> to test [4].
>
> Significant Changes Since RC 1
> To see all the tickets addressed since the beta 2 release see [6].
>
> Repositories and Installation
> * Use the following link to install the RC 2 packages [5].
> * FreeIPA relies on the latest versions of the packages currently
> available from the updates-testing repository. Please make sure to
> enable this repository before you proceed with installation.
>
> Known Issues:
> * There are known issues that currently prevent FreeIPA from
> successfully installing with dogtag on F-15 [2]. We will send a separate
> message when this issue is resolved. The FreeIPA server is installable
> with the --selfsign option on F-15, or with dogtag on F-14.
> * Server-generated error messages are not translated yet.
> * The 'ipa help' command does not support localization.
>
> We plan to address all the outstanding tickets before the final 2.0
> release. For the complete list see [7].
>
> Thank you,
> The FreeIPA development team
>
> [1] http://www.freeipa.org/page/Downloads
> [2] dogtag is having issues with systemd:
> https://bugzilla.redhat.com/show_bug.cgi?id=676330
> [3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
> [4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
> [5] http://freeipa.org/downloads/freeipa-devel.repo
> [6] https://fedorahosted.org/freeipa/query?status=closed&milestone=2.0.2+Bug+fixing+(RC2)
> [7] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue Mar 1 00:21:02 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 Mar 2011 13:21:02 +1300
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6C0EA5.3040708@redhat.com>
References: <4D6C0EA5.3040708@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB721@STAWINCOEXMAIL1.staff.vuw.ac.nz>

um........checksum error?
===========
[root at fed14-64-ipacl01 yum.repos.d]# yum update
Loaded plugins: langpacks, presto, refresh-packagekit
Adding en_US to language list
freeipa-devel                                 | 1.3 kB     00:00
freeipa-devel/primary                         |  10 kB     00:00
http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz: [Errno -1] Metadata file does not match checksum
Trying other mirror.
updates/metalink                              | 2.1 kB     00:00
updates-testing/metalink                      |  45 kB     00:01
Setting up Update Process
No Packages marked for Update
[root at fed14-64-ipacl01 yum.repos.d]#
===========

?

regards

From Steven.Jones at vuw.ac.nz Tue Mar 1 00:32:17 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 1 Mar 2011 13:32:17 +1300
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6C0EA5.3040708@redhat.com>
References: <4D6C0EA5.3040708@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz>

I have tried to download the rpms by hand and the dependencies are all broken, i.e. python........well stuffed by the looks of it...

regards

From sigbjorn at nixtra.com Tue Mar 1 10:55:07 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 1 Mar 2011 11:55:07 +0100 (CET)
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com>

Hi,

I updated my IPA test servers last night without a problem. I have only the default Fedora 14 repo
+ Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA test servers.

Rgds,
Siggi

On Tue, March 1, 2011 01:32, Steven Jones wrote:
> I have tried to download the rpms by hand and the dependencies are all
> broken, i.e. python........well stuffed by the looks of it...
>
> regards
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From sigbjorn at nixtra.com Tue Mar 1 11:11:18 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 1 Mar 2011 12:11:18 +0100 (CET)
Subject: [Freeipa-users] IPA v2 in Red Hat
Message-ID: <47953.213.225.75.97.1298977878.squirrel@www.nixtra.com>

Hi,

Is there a roadmap for when version 2 of IPA is expected to be seen in RHEL?

Regards,
Siggi

From dpal at redhat.com Tue Mar 1 14:06:48 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 01 Mar 2011 09:06:48 -0500
Subject: [Freeipa-users] IPA v2 in Red Hat
In-Reply-To: <47953.213.225.75.97.1298977878.squirrel@www.nixtra.com>
References: <47953.213.225.75.97.1298977878.squirrel@www.nixtra.com>
Message-ID: <4D6CFD78.7060908@redhat.com>

On 03/01/2011 06:11 AM, Sigbjorn Lie wrote:
> Hi,
>
> Is there a roadmap for when version 2 of IPA is expected to be seen in RHEL?
>
> Regards,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

It is planned to be in tech preview in RHEL 6.1.
We will be working towards releasing it as a fully supported version in RHEL 6.2.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sigbjorn at nixtra.com Tue Mar 1 15:17:14 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 1 Mar 2011 16:17:14 +0100 (CET)
Subject: [Freeipa-users] IPA v2 in Red Hat
In-Reply-To: <4D6CFD78.7060908@redhat.com>
References: <47953.213.225.75.97.1298977878.squirrel@www.nixtra.com> <4D6CFD78.7060908@redhat.com>
Message-ID: <50709.213.225.75.97.1298992634.squirrel@www.nixtra.com>

On Tue, March 1, 2011 15:06, Dmitri Pal wrote:
> On 03/01/2011 06:11 AM, Sigbjorn Lie wrote:
>> Hi,
>>
>> Is there a roadmap for when version 2 of IPA is expected to be seen in RHEL?
>>
>> Regards,
>> Siggi
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> It is planned to be in tech preview in RHEL 6.1.
> We will be working towards releasing it as a fully supported version in
> RHEL 6.2.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>

Hi,

Thank you for your answer.

Is there a release date for 6.1 yet?

Rgds,
Siggi

From dpal at redhat.com Tue Mar 1 15:51:29 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 01 Mar 2011 10:51:29 -0500
Subject: [Freeipa-users] IPA v2 in Red Hat
In-Reply-To: <50709.213.225.75.97.1298992634.squirrel@www.nixtra.com>
References: <47953.213.225.75.97.1298977878.squirrel@www.nixtra.com> <4D6CFD78.7060908@redhat.com> <50709.213.225.75.97.1298992634.squirrel@www.nixtra.com>
Message-ID: <4D6D1601.8040704@redhat.com>

On 03/01/2011 10:17 AM, Sigbjorn Lie wrote:
>
> On Tue, March 1, 2011 15:06, Dmitri Pal wrote:
>> On 03/01/2011 06:11 AM, Sigbjorn Lie wrote:
>>
>>> Hi,
>>>
>>> Is there a roadmap for when version 2 of IPA is expected to be seen in RHEL?
>>>
>>> Regards,
>>> Siggi
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>> It is planned to be in tech preview in RHEL 6.1.
>> We will be working towards releasing it as a fully supported version in
>> RHEL 6.2.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>
> Hi,
>
> Thank you for your answer.
>
> Is there a release date for 6.1 yet?

I can't give out this data but you can deduce it from the fact that 6.0
was released in Nov 2010 while the minor release cycle is usually around
6-8 months.

>
> Rgds,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Mar 1 19:03:58 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 Mar 2011 08:03:58 +1300
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz>

I'm getting a pycurl error 6....so every few hours the errors change....

regards

Steven

On Tue, 2011-03-01 at 11:55 +0100, Sigbjorn Lie wrote:
> Hi,
>
> I updated my IPA test servers last night without a problem. I have only the default Fedora 14 repo
> + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA test servers.
>
> Rgds,
> Siggi
>
> On Tue, March 1, 2011 01:32, Steven Jones wrote:
> > I have tried to download the rpms by hand and the dependencies are all
> > broken, i.e. python........well stuffed by the looks of it...
> >
> > regards
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
>

From sigbjorn at nixtra.com Tue Mar 1 19:28:39 2011
From: sigbjorn at nixtra.com (Sigbjørn Lie)
Date: Tue, 01 Mar 2011 20:28:39 +0100
Subject: [Freeipa-users] IPA v2 in Red Hat
In-Reply-To: <4D6D1601.8040704@redhat.com>
References: <47953.213.225.75.97.1298977878.squirrel@www.nixtra.com> <4D6CFD78.7060908@redhat.com> <50709.213.225.75.97.1298992634.squirrel@www.nixtra.com> <4D6D1601.8040704@redhat.com>
Message-ID: <4D6D48E7.3090104@nixtra.com>

On 03/01/2011 04:51 PM, Dmitri Pal wrote:
> On 03/01/2011 10:17 AM, Sigbjorn Lie wrote:
>> On Tue, March 1, 2011 15:06, Dmitri Pal wrote:
>>> On 03/01/2011 06:11 AM, Sigbjorn Lie wrote:
>>>
>>>> Hi,
>>>>
>>>> Is there a roadmap for when version 2 of IPA is expected to be seen in RHEL?
>>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>> It is planned to be in tech preview in RHEL 6.1.
>>> We will be working towards releasing it as a fully supported version in
>>> RHEL 6.2.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>> Hi,
>>
>> Thank you for your answer.
>>
>> Is there a release date for 6.1 yet?
> I can't give out this data but you can deduce it from the fact that 6.0
> was released in Nov 2010 while the minor release cycle is usually around
> 6-8 months.
>

Excellent, thanks.
:)

From rcritten at redhat.com Tue Mar 1 21:10:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Mar 2011 16:10:41 -0500
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D6D60D1.70303@redhat.com>

Steven Jones wrote:
> I'm getting a pycurl error 6....so every few hours the errors change....

I don't know if the pycurl errors are equivalent to the curl errors but
in curl error 6 means couldn't resolve host.

You might try: yum clean all

I tried the repo myself and was able to install rc2 ok.

rob

>
> regards
>
> Steven
>
> On Tue, 2011-03-01 at 11:55 +0100, Sigbjorn Lie wrote:
>> Hi,
>>
>> I updated my IPA test servers last night without a problem. I have only the default Fedora 14 repo
>> + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA test servers.
>>
>> Rgds,
>> Siggi
>>
>> On Tue, March 1, 2011 01:32, Steven Jones wrote:
>>> I have tried to download the rpms by hand and the dependencies are all
>>> broken, i.e. python........well stuffed by the looks of it...
>>>
>>> regards
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue Mar 1 21:22:48 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 Mar 2011 10:22:48 +1300
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6D60D1.70303@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Yes, I've now figured it out....the KVM software seems to spit the dummy every day or so and simply stop forwarding / returning DNS requests....

I have uninstalled rc1 and installed rc2 but it's still dying with the previous msgs....so it won't survive a reboot, but kinit admin etc. works fine before the reboot....

===========
[root at fed14-64-ipam001 init.d]# /usr/sbin/ipactl start
Starting Directory Service
Starting dirsrv:
    IPA-AC-NZ...                                               [  OK  ]
    PKI-IPA...                                                 [  OK  ]
Error retrieving list of services {'matched': 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz', 'desc': 'No such object'}
Is IPA installed?
Failed to read data from Directory Service
Shutting down
Shutting down dirsrv:
    IPA-AC-NZ...                                               [  OK  ]
    PKI-IPA...                                                 [  OK  ]
[root at fed14-64-ipam001 init.d]#
============

regards

On Tue, 2011-03-01 at 16:10 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > I'm getting a pycurl error 6....so every few hours the errors change....
>
> I don't know if the pycurl errors are equivalent to the curl errors but
> in curl error 6 means couldn't resolve host.
>
> You might try: yum clean all
>
> I tried the repo myself and was able to install rc2 ok.
>
> rob
>
> >
> > regards
> >
> > Steven
> >
> > On Tue, 2011-03-01 at 11:55 +0100, Sigbjorn Lie wrote:
> >> Hi,
> >>
> >> I updated my IPA test servers last night without a problem. I have only the default Fedora 14 repo
> >> + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA test servers.
> >>
> >> Rgds,
> >> Siggi
> >>
> >> On Tue, March 1, 2011 01:32, Steven Jones wrote:
> >>> I have tried to download the rpms by hand and the dependencies are all
> >>> broken, i.e. python........well stuffed by the looks of it...
> >>>
> >>> regards
> >>>
> >>> _______________________________________________
> >>> Freeipa-users mailing list
> >>> Freeipa-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>
> >>
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>

From rcritten at redhat.com Tue Mar 1 22:31:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Mar 2011 17:31:04 -0500
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D6D73A8.5060606@redhat.com>

Steven Jones wrote:
> Hi,
>
> Yes, I've now figured it out....the KVM software seems to
spit the dummy
> every day or so and simply stop forwarding / returning DNS requests....
>
> I have uninstalled rc1 and installed rc2 but it's still dying with the
> previous msgs....so it won't survive a reboot, but kinit admin etc. works
> fine before the reboot....
>
> ===========
> [root at fed14-64-ipam001 init.d]# /usr/sbin/ipactl start
> Starting Directory Service
> Starting dirsrv:
>     IPA-AC-NZ...                                               [  OK  ]
>     PKI-IPA...                                                 [  OK  ]
> Error retrieving list of services {'matched':
> 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz', 'desc': 'No such object'}
> Is IPA installed?
> Failed to read data from Directory Service
> Shutting down
> Shutting down dirsrv:
>     IPA-AC-NZ...                                               [  OK  ]
>     PKI-IPA...                                                 [  OK  ]
> [root at fed14-64-ipam001 init.d]#
> ============

I think it is a mismatch between what we've stored as the hostname and
the hostname of the machine.

Can you look at the output of these commands and see if the hostname is
the same between them all?

$ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn
$ hostname
$ cat /etc/sysconfig/network (there should be only one HOSTNAME)

thanks

rob

>
> regards
>
> On Tue, 2011-03-01 at 16:10 -0500, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I'm getting a pycurl error 6....so every few hours the errors change....
>>
>> I don't know if the pycurl errors are equivalent to the curl errors but
>> in curl error 6 means couldn't resolve host.
>>
>> You might try: yum clean all
>>
>> I tried the repo myself and was able to install rc2 ok.
>>
>> rob
>>
>>>
>>> regards
>>>
>>> Steven
>>>
>>> On Tue, 2011-03-01 at 11:55 +0100, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I updated my IPA test servers last night without a problem. I have only the default Fedora 14 repo
>>>> + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA test servers.
>>>>
>>>> Rgds,
>>>> Siggi
>>>>
>>>> On Tue, March 1, 2011 01:32, Steven Jones wrote:
>>>>> I have tried to download the rpms by hand and the dependencies are all
>>>>> broken, i.e. python........well stuffed by the looks of it...
>>>>>
>>>>> regards
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>

From Steven.Jones at vuw.ac.nz Tue Mar 1 22:44:43 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 Mar 2011 11:44:43 +1300
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6D73A8.5060606@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB734@STAWINCOEXMAIL1.staff.vuw.ac.nz>

8><---------

> I think it is a mismatch between what we've stored as the hostname and
> the hostname of the machine.
>
> Can you look at the output of these commands and see if the hostname is
> the same between them all?
>
> $ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn

LDAP server is dead....
> $ hostname

fed14-64-ipam001

> $ cat /etc/sysconfig/network (there should be only one HOSTNAME)

HOSTNAME=fed14-64-ipam001

From Steven.Jones at vuw.ac.nz Wed Mar 2 03:45:07 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 2 Mar 2011 16:45:07 +1300
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6D73A8.5060606@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz>

> I think it is a mismatch between what we've stored as the hostname and
> the hostname of the machine.
>
> Can you look at the output of these commands and see if the hostname is
> the same between them all?
>
> $ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn
> $ hostname
> $ cat /etc/sysconfig/network (there should be only one HOSTNAME)
>
> thanks
>
> rob

So I un-installed and re-installed rc2, here is the output as requested,

===============

[root at fed14-64-ipam001 /]# kinit admin
Password for admin at IPA.AC.NZ:
[root at fed14-64-ipam001 /]# ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ac,dc=nz dn
# extended LDIF
#
# LDAPv3
# base with scope oneLevel
# filter: (objectclass=*)
# requesting: dn
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[root at fed14-64-ipam001 /]#

fed14-64-ipam001

NETWORKING=yes
HOSTNAME=fed14-64-ipam001
NTPSERVERARGS=iburst

From ssorce at redhat.com Wed Mar 2 04:31:57 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 1 Mar 2011 23:31:57 -0500
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <20110301233157.32568766@willson.li.ssimo.org>

On Wed, 2 Mar 2011 16:45:07 +1300
Steven Jones wrote:

>
> > I think it is a mismatch between what we've stored as the hostname
> > and the hostname of the machine.
> >
> > Can you look at the output of these commands and see if the
> > hostname is the same between them all?
> >
> > $ ldapsearch -x -s one -b
> > cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn $ hostname
> > $ cat /etc/sysconfig/network (there should be only one HOSTNAME)
> >
> > thanks
> >
> > rob
>
> So I un-installed and re-installed rc2, here is the output as
> requested,
>
> ===============
>
> [root at fed14-64-ipam001 /]# kinit admin
> Password for admin at IPA.AC.NZ:
> [root at fed14-64-ipam001 /]# ldapsearch -x -s one -b
> cn=masters,cn=ipa,cn=etc,dc=ac,dc=nz dn
> # extended LDIF
> #
> # LDAPv3
> # base with scope oneLevel
> # filter: (objectclass=*)
> # requesting: dn
> #
>
> # search result
> search: 2
> result: 32 No such object

What is the realm name you chose?

> # numResponses: 1
> [root at fed14-64-ipam001 /]#
>
> fed14-64-ipam001
> NETWORKING=yes
> HOSTNAME=fed14-64-ipam001
> NTPSERVERARGS=iburst

The server hostname must be fully qualified on an ipa server.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Mar 2 04:41:45 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 01 Mar 2011 23:41:45 -0500
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D6DCA89.3080808@redhat.com>

Steven Jones wrote:
>
>> I think it is a mismatch between what we've stored as the hostname and
>> the hostname of the machine.
>>
>> Can you look at the output of these commands and see if the hostname is
>> the same between them all?
>>
>> $ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn
>> $ hostname
>> $ cat /etc/sysconfig/network (there should be only one HOSTNAME)
>>
>> thanks
>>
>> rob
>
> So I un-installed and re-installed rc2, here is the output as requested,
>
> ===============
>
> [root at fed14-64-ipam001 /]# kinit admin
> Password for admin at IPA.AC.NZ:
> [root at fed14-64-ipam001 /]# ldapsearch -x -s one -b
> cn=masters,cn=ipa,cn=etc,dc=ac,dc=nz dn
> # extended LDIF
> #
> # LDAPv3
> # base with scope oneLevel
> # filter: (objectclass=*)
> # requesting: dn
> #

Did you install with the same domain as before? Looks like it is now
ipa.ac.nz rather than just ac.nz, or maybe I misread it before.

Can you try again with dc=ipa,dc=ac,dc=nz?

>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
> [root at fed14-64-ipam001 /]#
>
> fed14-64-ipam001
> NETWORKING=yes
> HOSTNAME=fed14-64-ipam001
> NTPSERVERARGS=iburst

The hostname is lacking a domain name, that may be what is confusing
things. As a test you might try setting hostname to be a fqdn and see
if things improve.
rob

From Steven.Jones at vuw.ac.nz Wed Mar 2 19:48:58 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 3 Mar 2011 08:48:58 +1300
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <4D6DCA89.3080808@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Yep....that is the issue....I put it in, rebooted, worked, took it out, rebooted, didn't work, put it back in, rebooted and it worked again. Wonders of a GUI setup....normally I do it by hand and do a FQDN....I assumed because it was short form in the file that is the way it is now, obviously not.....bugger.

8><-----

>
> The hostname is lacking a domain name, that may be what is confusing
> things. As a test you might try setting hostname to be a fqdn and see
> if things improve.
>
> rob

thanks...
regards

Steven

From rcritten at redhat.com Wed Mar 2 20:21:13 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 15:21:13 -0500
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D6EA6B9.9030505@redhat.com>

Steven Jones wrote:
>
> Hi,
>
> Yep....that is the issue....I put it in, rebooted, worked, took it out,
> rebooted, didn't work, put it back in, rebooted and it worked again.
> Wonders of a GUI setup....normally I do it by hand and do a FQDN....I
> assumed because it was short form in the file that is the way it is now,
> obviously not.....bugger.

Thanks for confirming. I've opened this ticket to track the issue, we
should try to detect it https://fedorahosted.org/freeipa/ticket/1035

regards

rob

>
> 8><-----
>>
>> The hostname is lacking a domain name, that may be what is confusing
>> things. As a test you might try setting hostname to be a fqdn and see
>> if things improve.
>>
>> rob
>
> thanks...
>
> regards
>
> Steven

From Steven.Jones at vuw.ac.nz Thu Mar 3 00:18:19 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 3 Mar 2011 13:18:19 +1300
Subject: [Freeipa-users] Definitive firewall ruleset.
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz>

This is becoming a bit of a grind....

Anyway, either I have not found it yet, or a definitive set of ports that need to be open isn't there. This is my best shot so far; have I missed any, or are there some not needed?

ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:88
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:464
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:443
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:389
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:636
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:636
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:7389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:7389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9180
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9180
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9444
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9444
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9445
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9445

From Steven.Jones at vuw.ac.nz Thu Mar 3 00:30:49 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 3 Mar 2011
13:30:49 +1300
Subject: [Freeipa-users] replication setup failure
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB748@STAWINCOEXMAIL1.staff.vuw.ac.nz>

8><----
starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [21/27]: adding replication acis
  [22/27]: initializing group membership
  [23/27]: adding master entry
  [24/27]: configuring Posix uid/gid generation
  [25/27]: enabling compatibility plugin
  [26/27]: tuning directory server
  [27/27]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
creation of replica failed: list index out of range

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root at fed14-64-ipam002 ~]#

messages log
==================
Mar 3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 00007fe9a7fd5de4 sp 00007fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000+5000]
==================

Replica install log
==================
8><----
2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn=dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z
2011-03-03 00:12:16,048 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 507, in
    main()

  File "/usr/sbin/ipa-replica-install", line 468, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)

  File "/usr/sbin/ipa-replica-install", line 216, in install_krb
    setup_pkinit, pkcs12_info)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 211, in create_replica
    self.start_creation("Configuring Kerberos KDC", 30)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 283, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 556, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 688, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 458, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 451, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
====================

So how to fix?
regards

Steven

From ayik at freebsd.or.id Thu Mar 3 02:40:24 2011
From: ayik at freebsd.or.id (Sayid Munawar)
Date: Thu, 3 Mar 2011 09:40:24 +0700
Subject: [Freeipa-users] Setup windows AD Sync Failure
Message-ID:

Dear,

I have successfully installed freeipa-server 2 rc2 and created some test users and tested machine enrollment. Now, what I want to do next is sync all my Windows 2008 R2 AD accounts. I've already got the cert needed and tested it with the ldapsearch tool on the same host as the freeipa-server, so I assume that the AD connection is OK. But when I did ipa-manage-replica, it complains about "Can't connect LDAP server". Here it is:

[root at yk ~]# ipa-replica-manage connect --winsync --binddn "cn=Fedora DS,ou=JogjaCamp,dc=dot,dc=jc" --bindpw "somesecret" --cacert /root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p anothersecret DC1.DOT.JC

Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate database for yk.nix.jc
ipa: INFO: Failed to connect to AD server dc1.dot.jc
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': "Can't contact LDAP server"}
ipa: INFO: Continuning ...
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=nix,dc=jc
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Can't contact LDAP server
[root at yk ~]#

- I have no idea why the AD connection fails here, while it was OK with the ldapsearch tool. Any clue?

- And one more question: what is the --passsync argument for? Is it to force setting a "new password" for the passsync user, or do we have to first define a password for the passsync user?
TIA

Sayid Munawar

From rmeggins at redhat.com Thu Mar 3 03:15:03 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 02 Mar 2011 20:15:03 -0700
Subject: [Freeipa-users] Setup windows AD Sync Failure
In-Reply-To:
References:
Message-ID: <4D6F07B7.5020102@redhat.com>

On 03/02/2011 07:40 PM, Sayid Munawar wrote:
> Dear,
>
> I have successfully installed freeipa-server 2 rc2 and created some test users and tested machine enrollment. Now, what I want to do next is sync all my Windows 2008 R2 AD accounts. I've already got the cert needed and tested it with the ldapsearch tool on the same host as the freeipa-server, so I assume that the AD connection is OK. But when I did ipa-manage-replica, it complains about "Can't connect LDAP server". Here it is:
>
> [root at yk ~]# ipa-replica-manage connect --winsync --binddn "cn=Fedora DS,ou=JogjaCamp,dc=dot,dc=jc" --bindpw "somesecret" --cacert /root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p anothersecret DC1.DOT.JC
>
> Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate database for yk.nix.jc
> ipa: INFO: Failed to connect to AD server dc1.dot.jc
> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': "Can't contact LDAP server"}
> ipa: INFO: Continuning ...
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=nix,dc=jc
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Can't contact LDAP server

Is your ldap server running after this?

What is your platform? What version of 389-ds-base?
rpm -qi 389-ds-base

> [root at yk ~]#
>
>
> - I have no idea why the AD connection fails here, while it was OK with the ldapsearch tool. Any clue?
>
> - And one more question: what is the --passsync argument for? Is it to force setting a "new password" for the passsync user, or do we have to first define a password for the passsync user?
>
> TIA
>
> Sayid Munawar

From rcritten at redhat.com Thu Mar 3 04:21:52 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 23:21:52 -0500
Subject: [Freeipa-users] Setup windows AD Sync Failure
In-Reply-To:
References:
Message-ID: <4D6F1760.8080105@redhat.com>

Sayid Munawar wrote:
> Dear,
>
> I have successfully installed freeipa-server 2 rc2 and created some test users and tested machine enrollment. Now, what I want to do next is sync all my Windows 2008 R2 AD accounts. I've already got the cert needed and tested it with the ldapsearch tool on the same host as the freeipa-server, so I assume that the AD connection is OK. But when I did ipa-manage-replica, it complains about "Can't connect LDAP server". Here it is:
>
> [root at yk ~]# ipa-replica-manage connect --winsync --binddn "cn=Fedora DS,ou=JogjaCamp,dc=dot,dc=jc" --bindpw "somesecret" --cacert /root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p anothersecret DC1.DOT.JC
>
> Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate database for yk.nix.jc
> ipa: INFO: Failed to connect to AD server dc1.dot.jc
> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': "Can't contact LDAP server"}
> ipa: INFO: Continuning ...
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=nix,dc=jc
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Can't contact LDAP server
> [root at yk ~]#
>
>
> - I have no idea why the AD connection fails here, while it was OK with the ldapsearch tool. Any clue?
>
> - And one more question: what is the --passsync argument for? Is it to force setting a "new password" for the passsync user, or do we have to first define a password for the passsync user?
>
> TIA
>
> Sayid Munawar

Passsync is a service that needs to run on all of your AD servers. It is a Windows service that intercepts password requests and sends them along to IPA (over SSL). We need to have the password in the clear in order to generate Kerberos key material.

A special LDAP user is used for authentication to the Passsync service; the --passsync option sets the password for that account.

Make sure your CA was installed as an Enterprise CA (apparently it is the only kind that sets up a pure SSL LDAP port as opposed to using TLS over 389).

We discovered several winsync issues shortly after RC 2 was released.
They are fixed now, you can take a look at them here:

https://fedorahosted.org/freeipa/ticket/1006
https://fedorahosted.org/freeipa/ticket/1015
https://fedorahosted.org/freeipa/ticket/1020
https://fedorahosted.org/freeipa/ticket/1021
https://fedorahosted.org/freeipa/ticket/1022

We discovered these while fixing this: https://fedorahosted.org/freeipa/ticket/266

regards

rob

From rcritten at redhat.com Thu Mar 3 04:32:33 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 02 Mar 2011 23:32:33 -0500
Subject: [Freeipa-users] replication setup failure
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB748@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB748@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D6F19E1.7090500@redhat.com>

Steven Jones wrote:
> 8><----
> starting replication, please wait until this has completed.
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update in progress
> Update succeeded
>   [21/27]: adding replication acis
>   [22/27]: initializing group membership
>   [23/27]: adding master entry
>   [24/27]: configuring Posix uid/gid generation
>   [25/27]: enabling compatibility plugin
>   [26/27]: tuning directory server
>   [27/27]: configuring directory to start on boot
> done configuring dirsrv.
> Configuring Kerberos KDC: Estimated time 30 seconds
>   [1/9]: adding sasl mappings to the directory
>   [2/9]: writing stash file from DS
>   [3/9]: configuring KDC
>   [4/9]: creating a keytab for the directory
>   [5/9]: creating a keytab for the machine
>   [6/9]: adding the password extension to the directory
>   [7/9]: enable GSSAPI for replication
> creation of replica failed: list index out of range
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root at fed14-64-ipam002 ~]#
>
>
> messages log
> ==================
> Mar 3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 00007fe9a7fd5de4 sp 00007fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000+5000]
> ==================
>
> Replica install log
> ==================
> 8><----
> 2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn=dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
> 2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z
> 2011-03-03 00:12:16,048 DEBUG list index out of range
>   File "/usr/sbin/ipa-replica-install", line 507, in
>     main()
>
>   File "/usr/sbin/ipa-replica-install", line 468, in main
>     install_krb(config, setup_pkinit=options.setup_pkinit)
>
>   File "/usr/sbin/ipa-replica-install", line 216, in install_krb
>     setup_pkinit, pkcs12_info)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 211, in create_replica
>     self.start_creation("Configuring Kerberos KDC", 30)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 283, in start_creation
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 556, in __convert_to_gssapi_replication
>
>     r_bindpw=self.dm_password)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 688, in convert_to_gssapi_replication
>     self.gssapi_update_agreements(self.conn, r_conn)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 458, in gssapi_update_agreements
>     self.setup_krb_princs_as_replica_binddns(a, b)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 451, in setup_krb_princs_as_replica_binddns
>     mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
> ====================
>
>
> So how to fix?
>
> regards
>
> Steven
>

Ok, this is a new one and may be similar to other hostname issues you've run into. Can you give me the output of this search:

ldapsearch -x -b 'dc=example,dc=com' 'krbprincipalname=ldap/*' dn

I would expect the same results from both your new replica and your existing master but if they're different that would be good to know.

I'm going to guess that either we stored a non-fqdn or we're searching for a non-fqdn (we'll have to infer that, I think, if you have the fqdn stored in LDAP).

We are doing a very specific search for the principal for the hostnames on each side of the replication agreement, I'm guessing that we're not finding one of them and we haven't taken that into consideration. I filed https://fedorahosted.org/freeipa/ticket/1044 for this.

rob

From rcritten at redhat.com Thu Mar 3 14:13:20 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Mar 2011 09:13:20 -0500
Subject: [Freeipa-users] Definitive firewall ruleset.
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D6FA200.3090206@redhat.com>

Steven Jones wrote:
> This is becoming a bit of a grind....
>
> Anyway, either I have not found it yet, or a definitive set of ports that need to be open isn't there. This is my best shot so far.
>
> Have I missed any, or are there some not needed?
>
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:80
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:88
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:464
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:443
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:123
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:389
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:389
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:636
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:636
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:7389
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:7389
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:9180
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:9180
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:9444
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:9444
> ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:9445
> ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:9445
>

If you set up IPA as a DNS server you'll want to allow port 53.

You don't need udp for 9180, 9444 and 9445. You probably don't need 9180, 9444 and 9445 open at all.

You need 7389 open only if you are doing replication (and you might want to restrict it to those hosts that it replicates to).
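[Editor's added example, not part of Rob's reply and not FreeIPA project code.] The port advice above, turned into something checkable. ipa_fw_rules prints an iptables INPUT rule list for an IPA server (it only prints; it never calls iptables), and fw_audit reads an "iptables -L -n" style listing like the one posted and flags the rules the reply calls unnecessary. The function names, the CLIENT_NET/PEERS/dns arguments and the finding texts are mine; the UDP rules for Kerberos (88, 464) and the omission of UDP for 389/636 come from my own knowledge of those protocols, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): generate and audit a
# FreeIPA host firewall ruleset following the port advice in the reply above.

# ipa_fw_rules CLIENT_NET "PEER PEER..." [dns]
#   CLIENT_NET  CIDR of the hosts that use IPA as clients
#   PEERS       replica addresses allowed to reach 7389 (empty = no replication)
#   dns         pass the literal word dns when IPA also serves DNS (port 53)
ipa_fw_rules() {
    net="$1"; peers="$2"; dns="$3"
    # TCP services a client needs: HTTP/HTTPS (web UI and XML-RPC), Kerberos
    # KDC (88), kpasswd (464), LDAP (389) and LDAPS (636).
    for p in 80 443 88 464 389 636; do
        printf -- '-A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$net" "$p"
    done
    # UDP: Kerberos and kpasswd also use UDP (my addition, not in the thread);
    # NTP is UDP only. LDAP does not use UDP, so there is no udp/389 or udp/636.
    for p in 88 464 123; do
        printf -- '-A INPUT -p udp -s %s --dport %s -j ACCEPT\n' "$net" "$p"
    done
    if [ "$dns" = "dns" ]; then
        for proto in tcp udp; do
            printf -- '-A INPUT -p %s -s %s --dport 53 -j ACCEPT\n' "$proto" "$net"
        done
    fi
    # 7389 (the CA's own directory server) only from the hosts it replicates with.
    for peer in $peers; do
        printf -- '-A INPUT -p tcp -s %s --dport 7389 -j ACCEPT\n' "$peer"
    done
    # 9180/9444/9445 are deliberately absent, per the reply above.
}

# fw_audit: read "iptables -L -n" style lines on stdin and print one finding
# per questionable rule. Fields: 1=target 2=proto 4=source 7=dpt:PORT
fw_audit() {
    awk '
    /dpt:/ {
        split($7, a, ":"); port = a[2]; proto = $2; src = $4
        if (proto == "udp" && port ~ "^(389|636|7389|9180|9444|9445)$")
            print "udp rule for port " port " is not needed"
        else if (port ~ "^(9180|9444|9445)$")
            print "tcp " port " is probably not needed at all"
        else if (port == "7389" && src !~ "/32$")
            print "tcp 7389 is open to " src "; restrict it to replication peers"
    }'
}

# Sample input: a subset of the ruleset posted above.
SAMPLE_RULES='ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:88
ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:389
ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:389
ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:7389
ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:7389
ACCEPT udp -- 192.168.100.0/24 0.0.0.0/0 udp dpt:9180
ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0 tcp dpt:9180'

echo "== generated rules (clients 192.168.100.0/24, one replica, DNS on) =="
ipa_fw_rules 192.168.100.0/24 "192.168.100.3" dns
echo "== findings for the posted ruleset =="
printf '%s\n' "$SAMPLE_RULES" | fw_audit
```

Run it as a plain sh script; the generated rules are meant to be reviewed and pasted into an iptables-restore file, not applied blindly. On the sample above fw_audit reports five findings: udp/389, udp/7389 and udp/9180 as unneeded UDP rules, tcp/9180 as probably not needed, and tcp/7389 as open to the whole /24 instead of named replication peers.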
rob

From Steven.Jones at vuw.ac.nz Thu Mar 3 19:21:56 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 4 Mar 2011 08:21:56 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D6FA200.3090206@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz>

I appear to have IPA running. I have run the install client on a fed14 KVM guest and that guest is in the IPA system; however, the users in IPA cannot authenticate via IPA and get onto the client. There appears to be traffic to port 389, so I assume it's "almost" working....but I can't find anything in logs to say what's wrong....not that I can determine what logs to check.....I've been looking in /var/log so far....are there any other logs about?

And/or where do I start looking to get this working?
regards

From rcritten at redhat.com Thu Mar 3 19:30:08 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 03 Mar 2011 14:30:08 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D6FEC40.8010906@redhat.com>

Steven Jones wrote:
> I appear to have IPA running. I have run the install client on a fed14 KVM guest and that guest is in the IPA system; however, the users in IPA cannot authenticate via IPA and get onto the client. There appears to be traffic to port 389, so I assume it's "almost" working....but I can't find anything in logs to say what's wrong....not that I can determine what logs to check.....I've been looking in /var/log so far....are there any other logs about?
>
> And/or where do I start looking to get this working?
>
> regards
>
>

On that client can you do things like:

$ getent passwd

or

$ id <user>

?

That should cause sssd to fetch user information. If it fails then we'll start by looking at the sssd configuration. If not I guess we'll turn up some debugging knobs to see what is going on.
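[Editor's added example, not part of Rob's reply and not FreeIPA project code.] The getent/id check above, wrapped so that the answer also says where the user came from, which is the distinction that matters when a user resolves on one box but not another: "local" means the entry is in /etc/passwd and NSS never had to ask sssd or nslcd, "remote" means getent resolved it but /etc/passwd has no such line, so a remote NSS source answered, and "missing" means nobody knows the user. The function names and those three labels are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): report which name
# service source resolved a user, as a post-enrollment smoke test on a client.

# nss_source USER -> prints local | remote | missing
nss_source() {
    user="$1"
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo missing                       # no NSS source knows the user
    elif grep -q "^$user:" /etc/passwd 2>/dev/null; then
        echo local                         # answered from /etc/passwd
    else
        echo remote                        # answered by sssd, nslcd, ...
    fi
}

# nss_passwd_sources -> the backends listed for passwd in /etc/nsswitch.conf
# (e.g. "files sss"), or "unknown" if the file is absent. Worth checking
# before chasing port 389 traffic: if sss/ldap is not listed, remote users
# can never resolve no matter what the server says.
nss_passwd_sources() {
    if [ -r /etc/nsswitch.conf ]; then
        awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' /etc/nsswitch.conf
    else
        echo unknown
    fi
}

# nss_check USER... -> one line per user; exit status 1 if any user is missing
nss_check() {
    rc=0
    for u in "$@"; do
        s=$(nss_source "$u")
        echo "$u: $s"
        if [ "$s" = missing ]; then rc=1; fi
    done
    return $rc
}

echo "passwd sources: $(nss_passwd_sources)"
# root is local everywhere; the second name is constructed and should be missing
nss_check root nobody-such-user-zz || echo "at least one user is unresolved"
```

Run it on the enrolled client with the IPA user names you expect to work; a "local" result for a name that is supposed to live only in IPA means a local account is shadowing the directory entry, and "missing" with sss absent from the passwd sources points at the client configuration rather than the server.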
rob

From Steven.Jones at vuw.ac.nz Thu Mar 3 19:30:22 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 4 Mar 2011 08:30:22 +1300
Subject: [Freeipa-users] replication setup failure
In-Reply-To: <4D6F19E1.7090500@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB748@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6F19E1.7090500@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB751@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi

The original ipa master has a running LDAP; the replica does not, so the install failed on it.....so I can't give you an ldapsearch output from the replica.

Here's the master's output....

=================
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: krbprincipalname=ldap/*
# requesting: dn
#

# ldap/fed14-64-ipam001.ipa.ac.nz at IPA.AC.NZ, services, accounts, ipa.ac.nz
dn: krbprincipalname=ldap/fed14-64-ipam001.ipa.ac.nz at IPA.AC.NZ,cn=services,cn=accounts,dc=ipa,dc=ac,dc=nz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
===============

On Wed, 2011-03-02 at 23:32 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > 8><----
> > starting replication, please wait until this has completed.
> > Update in progress
> > Update in progress
> > Update in progress
> > Update in progress
> > Update in progress
> > Update succeeded
> >   [21/27]: adding replication acis
> >   [22/27]: initializing group membership
> >   [23/27]: adding master entry
> >   [24/27]: configuring Posix uid/gid generation
> >   [25/27]: enabling compatibility plugin
> >   [26/27]: tuning directory server
> >   [27/27]: configuring directory to start on boot
> > done configuring dirsrv.
> > Configuring Kerberos KDC: Estimated time 30 seconds
> >   [1/9]: adding sasl mappings to the directory
> >   [2/9]: writing stash file from DS
> >   [3/9]: configuring KDC
> >   [4/9]: creating a keytab for the directory
> >   [5/9]: creating a keytab for the machine
> >   [6/9]: adding the password extension to the directory
> >   [7/9]: enable GSSAPI for replication
> > creation of replica failed: list index out of range
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > [root at fed14-64-ipam002 ~]#
> >
> >
> > messages log
> > ==================
> > Mar 3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 00007fe9a7fd5de4 sp 00007fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000+5000]
> > ==================
> >
> > Replica install log
> > ==================
> > 8><----
> > 2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn=dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule 0000-2359 0123456
> > 2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z
> > 2011-03-03 00:12:16,048 DEBUG list index out of range
> >   File "/usr/sbin/ipa-replica-install", line 507, in
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-install", line 468, in main
> >     install_krb(config,
> >     setup_pkinit=options.setup_pkinit)
> >
> >   File "/usr/sbin/ipa-replica-install", line 216, in install_krb
> >     setup_pkinit, pkcs12_info)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 211, in create_replica
> >     self.start_creation("Configuring Kerberos KDC", 30)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 283, in start_creation
> >     method()
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 556, in __convert_to_gssapi_replication
> >     r_bindpw=self.dm_password)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 688, in convert_to_gssapi_replication
> >     self.gssapi_update_agreements(self.conn, r_conn)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 458, in gssapi_update_agreements
> >     self.setup_krb_princs_as_replica_binddns(a, b)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 451, in setup_krb_princs_as_replica_binddns
> >     mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
> > ====================
> >
> >
> > So how to fix?
> >
> > regards
> >
> > Steven
> >
>
> Ok, this is a new one and may be similar to other hostname issues you've run into. Can you give me the output of this search:
>
> ldapsearch -x -b 'dc=example,dc=com' 'krbprincipalname=ldap/*' dn
>
> I would expect the same results from both your new replica and your existing master but if they're different that would be good to know.
>
> I'm going to guess that either we stored a non-fqdn or we're searching for a non-fqdn (we'll have to infer that, I think, if you have the fqdn stored in LDAP).
>
> We are doing a very specific search for the principal for the hostnames on each side of the replication agreement, I'm guessing that we're not finding one of them and we haven't taken that into consideration. I filed https://fedorahosted.org/freeipa/ticket/1044 for this.
>
> rob

From dpal at redhat.com Thu Mar 3 19:31:16 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 03 Mar 2011 14:31:16 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D6FEC84.7060201@redhat.com>

On 03/03/2011 02:21 PM, Steven Jones wrote:
> I appear to have IPA running. I have run the install client on a fed14 KVM guest and that guest is in the IPA system; however, the users in IPA cannot authenticate via IPA and get onto the client. There appears to be traffic to port 389, so I assume it's "almost" working....but I can't find anything in logs to say what's wrong....not that I can determine what logs to check.....I've been looking in /var/log so far....are there any other logs about?
>
> And/or where do I start looking to get this working?
>
> regards
>

Are you planning to use pam_ldap + nss_ldap or SSSD?
If SSSD, have you installed the SSSD packages first?

The pam and nss config files, as well as the SSSD config and SSSD logs if it is in the picture, together with the ipa-client-install logs, would be a good starting point to troubleshoot the issue.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Thu Mar 3 19:49:27 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 4 Mar 2011 08:49:27 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D6FEC40.8010906@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC40.8010906@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB754@STAWINCOEXMAIL1.staff.vuw.ac.nz>

"id thing" returns

id: thing: no such user...
In iptraf there is a port 389 connection, suggesting it's asking the ipa master about user "thing"....so it's either asking the wrong Q or the ipa master can't see the user "thing", yet it's there in the gui.

One thing: "thing" only exists on the ipa master; with "irwin" it exists locally, so id returns local info, as I see no 389 connection taking place....

There was no nslcd.conf so I wrote one as per,

8.1.4. Configuring System Login

You need to modify the /etc/nslcd.conf file, used by the nslcd service, on the client, to include additional information about the IPA server. This is so that the client can reach the IPA server's LDAP server for getent commands and also for ssh. For example, you should include the following information in your /etc/nslcd.conf file:

uri host ip-address-of-ipaserver.example.com-here
base dc=example,dc=com

So mine says,

uri host 192.168.100.2
base dc=ipa,dc=ac,dc=nz

Where 192.168.100.2 is the original master.

regards

On Thu, 2011-03-03 at 14:30 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > I appear to have IPA running. I have run the install client on a fed14 KVM guest and that guest is in the IPA system; however, the users in IPA cannot authenticate via IPA and get onto the client. There appears to be traffic to port 389, so I assume it's "almost" working....but I can't find anything in logs to say what's wrong....not that I can determine what logs to check.....I've been looking in /var/log so far....are there any other logs about?
> >
> > And/or where do I start looking to get this working?
> >
> > regards
> >
> >
>
> On that client can you do things like:
>
> $ getent passwd
>
> or
>
> $ id <user>
>
> ?
>
> That should cause sssd to fetch user information. If it fails then we'll start by looking at the sssd configuration. If not I guess we'll turn up some debugging knobs to see what is going on.
>
> rob

From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 4 Mar 2011 08:53:27 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D6FEC84.7060201@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB755@STAWINCOEXMAIL1.staff.vuw.ac.nz>

8><----

I have no idea, I'm trying to follow the ipa document (version 0.5)....so if it says do something I try and do it....if it doesn't say do something, well....it doesn't get done as I can't mind read.

What I want is encrypted connections on all services / communications so it is secure and safe.

regards

>
> Are you planning to use pam_ldap + nss_ldap or SSSD?
> If SSSD, have you installed the SSSD packages first?
>
> The pam and nss config files as well as the SSSD config and SSSD logs, if it is in the picture, together with the ipa-client-install logs would be a good starting point to troubleshoot the issue.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 03 Mar 2011 18:22:44 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D6FEC84.7060201@redhat.com>
Message-ID: <4D7022C4.4000409@redhat.com>

On 03/03/2011 02:31 PM, Dmitri Pal wrote:
> On 03/03/2011 02:21 PM, Steven Jones wrote:
>> I appear to have IPA running, I have run the install client on a fed14 KVM guest and that guest is in the IPA system, however the users in IPA cannot authenticate via IPA and get onto the client. There appears to be traffic to port 389, so I assume it's "almost" working....but I can't find anything in logs to say what's wrong....not that I can determine what logs to check.....I've been looking in /var/log so far....are there any other logs about?
>>
>> And/or where do I start looking to get this working?
>>
>> regards
>>
> Are you planning to use pam_ldap + nss_ldap or SSSD?
> If SSSD, have you installed the SSSD packages first?
>
> The pam and nss config files as well as the SSSD config and SSSD logs, if it is in the picture, together with the ipa-client-install logs would be a good starting point to troubleshoot the issue.
>

Sorry, but the doc might be incomplete. We are in the middle of reviewing it actually and adding information to it.

Please go to your system-authconfig dialog and configure LDAP + Kerberos with the IPA server. It should be intuitive.
It will update all the right config files.

The logs are in the sub-directory under /var/log.
The name starts with ipa but I do not remember the exact name off the top of my head.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 4 Mar 2011 13:30:45 +1300
Subject: [Freeipa-users] Documentation
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB751@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB758@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Is it possible to have the ipa 0.5 documentation (and future documentation) as a pdf file? I'd like to download it and print it off.
regards

From: davido at redhat.com (David O'Brien)
Date: Fri, 04 Mar 2011 11:24:28 +1000
Subject: [Freeipa-users] Documentation
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB758@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D703F4C.6030303@redhat.com>

Steven Jones wrote:
> Hi,
>
> Is it possible to have the ipa 0.5 documentation (and future documentation) as a pdf file? I'd like to download it and print it off.
>
> regards

I've pushed the latest versions in both formats here:

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/

This is the first time I've built the pdf so it might be a bit rough around the edges.

For future versions I'll build both so you can download it. As Dmitri mentioned, this is undergoing review and active development, so expect lots of changes in the near future.

cheers

--
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever."
~ Chinese proverb

From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 4 Mar 2011 14:35:53 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D7022C4.4000409@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB767@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Thanks, I think there may be a dependency missing for the yum install of the client....when I go to the system-auth, ipa is there as an option but it's missing a .so in nss-pam-ldapd and asks for it to be installed; the dependency off that is nscd and pam_ldap....

Hopefully this will work....I am downloading now.

regards

On Thu, 2011-03-03 at 18:22 -0500, Dmitri Pal wrote:
> On 03/03/2011 02:31 PM, Dmitri Pal wrote:
> > On 03/03/2011 02:21 PM, Steven Jones wrote:
> >> I appear to have IPA running, I have run the install client on a fed14 KVM guest and that guest is in the IPA system, however the users in IPA cannot authenticate via IPA and get onto the client.
> >> There appears to be traffic to port 389, so I assume it's "almost" working....but I can't find anything in logs to say what's wrong....not that I can determine what logs to check.....I've been looking in /var/log so far....are there any other logs about?
> >>
> >> And/or where do I start looking to get this working?
> >>
> >> regards
> >>
> > Are you planning to use pam_ldap + nss_ldap or SSSD?
> > If SSSD, have you installed the SSSD packages first?
> >
> > The pam and nss config files as well as the SSSD config and SSSD logs, if it is in the picture, together with the ipa-client-install logs would be a good starting point to troubleshoot the issue.
> >
>
> Sorry, but the doc might be incomplete. We are in the middle of reviewing it actually and adding information to it.
>
> Please go to your system-authconfig dialog and configure LDAP + Kerberos with the IPA server. It should be intuitive.
> It will update all the right config files.
>
> The logs are in the sub-directory under /var/log.
> The name starts with ipa but I do not remember the exact name off the top of my head.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 4 Mar 2011 14:37:29 +1300
Subject: [Freeipa-users] Documentation
In-Reply-To: <4D703F4C.6030303@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB768@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Thanks very much.... I can live with rough.....lets me study it on the train....

regards

On Fri, 2011-03-04 at 11:24 +1000, David O'Brien wrote:
> Steven Jones wrote:
> > Hi,
> >
> > Is it possible to have the ipa 0.5 documentation (and future documentation) as a pdf file? I'd like to download it and print it off.
> >
> > regards
>
> I've pushed the latest versions in both formats here:
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/
>
> This is the first time I've built the pdf so it might be a bit rough around the edges.
>
> For future versions I'll build both so you can download it. As Dmitri mentioned, this is undergoing review and active development, so expect lots of changes in the near future.
>
> cheers
>
> --
>
> David O'Brien
> Red Hat Asia Pacific Pty Ltd
> +61 7 3514 8189
>
> "He who asks is a fool for five minutes, but he who does not ask remains a fool forever."
> ~ Chinese proverb

From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 4 Mar 2011 15:16:36 +1300
Subject: [Freeipa-users] Time bug
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB768@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB76D@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Americans are funny people, they put the date format as month then day.....the problem is, in the real world it's day then month....
So I have registered 1 client and 2 ipa masters as of 4th March 2011 NZST, but the IPA server's gui says I registered them a month in the future, ie 3rd April 2011 GMT+12 NZST....very neat...

;]

So you need some sort of detection script/software to sort that, I suspect.....or fix the display format in the gui...?

Possibly this might not be helping with my issues, as all my machines think it's NZST while the IPA master server's software might be thinking they are telling it April? hence security certificates etc go "boom"?

regards

From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 04 Mar 2011 08:24:26 +0100
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB767@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D7093AA.9040209@redhat.com>

On 03/04/2011 02:35 AM, Steven Jones wrote:
> Hi,
>
> Thanks, I think there may be a dependency missing for the yum install of the client....when I go to the system-auth, ipa is there as an option but it's missing a .so in
> nss-pam-ldapd and asks for it to be installed; the dependency off that is nscd and pam_ldap....
>
> Hopefully this will work....I am downloading now.
>
> regards
>

May I suggest using SSSD instead of nss-pam-ldapd. Apart from the caching mechanism, it also enables the client side of features such as HBAC or dynamic DNS update. Also, all the client installation bits such as ipa-client-install default to using SSSD.

That said, if you opt for nss-pam-ldapd, it should work, too..

From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 4 Mar 2011 07:57:58 -0500
Subject: [Freeipa-users] Time bug
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB76D@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <20110304075758.3c2ef76c@willson.li.ssimo.org>

On Fri, 4 Mar 2011 15:16:36 +1300
Steven Jones wrote:

> Hi,
>
> Americans are funny people, they put the date format as month then day.....the problem is, in the real world it's day then month....
>
> So I have registered 1 client and 2 ipa masters as of 4th March 2011 NZST, but the IPA server's gui says I registered them a month in the future, ie 3rd April 2011 GMT+12 NZST....very neat...
>
> ;]
>
> So you need some sort of detection script/software to sort that, I suspect.....or fix the display format in the gui...?
>
> Possibly this might not be helping with my issues, as all my machines think it's NZST while the IPA master server's software might be thinking they are telling it April? hence security certificates etc go "boom"?

No, it is just a display issue in the UI; internally all software uses unix timestamps and UTC.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Mar 2011 09:55:44 -0500
Subject: [Freeipa-users] Time bug
In-Reply-To: <20110304075758.3c2ef76c@willson.li.ssimo.org>
Message-ID: <4D70FD70.8000305@redhat.com>

Simo Sorce wrote:
> On Fri, 4 Mar 2011
> 15:16:36 +1300
> Steven Jones wrote:
>
>> Hi,
>>
>> Americans are funny people, they put the date format as month then day.....the problem is, in the real world it's day then month....
>>
>> So I have registered 1 client and 2 ipa masters as of 4th March 2011 NZST, but the IPA server's gui says I registered them a month in the future, ie 3rd April 2011 GMT+12 NZST....very neat...
>>
>> ;]
>>
>> So you need some sort of detection script/software to sort that, I suspect.....or fix the display format in the gui...?
>>
>> Possibly this might not be helping with my issues, as all my machines think it's NZST while the IPA master server's software might be thinking they are telling it April? hence security certificates etc go "boom"?
>
> No, it is just a display issue in the UI; internally all software uses unix timestamps and UTC.
>
> Simo.
>

I filed https://fedorahosted.org/freeipa/ticket/1053 for this issue

rob

From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 04 Mar 2011 10:30:00 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB755@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D710578.8000801@redhat.com>

On 03/03/2011 02:53 PM, Steven Jones wrote:
> 8><----
>
> I have no idea, I'm trying to follow the ipa document (version 0.5)....so if it says do something I try and do it....if it doesn't say do something, well....it doesn't get done as I can't mind read.
>
> What I want is encrypted connections on all services / communications so it is secure and safe.
>
> regards

Here is some more information for you on SSSD.
https://fedorahosted.org/sssd/wiki/HOWTO_Configure
And also the SSSD man pages are good.

>> Are you planning to use pam_ldap + nss_ldap or SSSD?
>> If SSSD, have you installed the SSSD packages first?
>>
>> The pam and nss config files as well as the SSSD config and SSSD logs, if it is in the picture, together with the ipa-client-install logs would be a good starting point to troubleshoot the issue.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Mar 2011 10:45:37 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D710578.8000801@redhat.com>
Message-ID: <4D710921.4060109@redhat.com>

Dmitri Pal wrote:
> On 03/03/2011 02:53 PM, Steven Jones wrote:
>> 8><----
>>
>> I have no idea, I'm trying to follow the ipa document (version 0.5)....so if it says do something I try and do it....if it doesn't say do something, well....it doesn't get done as I can't mind read.
>>
>> What I want is encrypted connections on all services / communications so it is secure and safe.
>>
>> regards
>
> Here is some more information for you on SSSD.
> https://fedorahosted.org/sssd/wiki/HOWTO_Configure
> And also the SSSD man pages are good.

Let me also point out that ipa-client-install already configures the client to use sssd. No additional configuration should be required.
rob

From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 04 Mar 2011 11:03:34 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D710921.4060109@redhat.com>
Message-ID: <4D710D56.6030809@redhat.com>

On 03/04/2011 10:45 AM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 03/03/2011 02:53 PM, Steven Jones wrote:
>>> 8><----
>>>
>>> I have no idea, I'm trying to follow the ipa document (version 0.5)....so if it says do something I try and do it....if it doesn't say do something, well....it doesn't get done as I can't mind read.
>>>
>>> What I want is encrypted connections on all services / communications so it is secure and safe.
>>>
>>> regards
>>
>> Here is some more information for you on SSSD.
>> https://fedorahosted.org/sssd/wiki/HOWTO_Configure
>> And also the SSSD man pages are good.
>
> Let me also point out that ipa-client-install already configures the client to use sssd. No additional configuration should be required.
Rob, I do not remember: does ipa-client-install pull in sssd automatically, or do you have to yum install it first?

>
> rob
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Mar 2011 14:58:49 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D710D56.6030809@redhat.com>
Message-ID: <4D714479.2060305@redhat.com>

Dmitri Pal wrote:
> On 03/04/2011 10:45 AM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 03/03/2011 02:53 PM, Steven Jones wrote:
>>>> 8><----
>>>>
>>>> I have no idea, I'm trying to follow the ipa document (version 0.5)....so if it says do something I try and do it....if it
>>>> doesn't say do something, well....it doesn't get done as I can't mind read.
>>>>
>>>> What I want is encrypted connections on all services / communications so it is secure and safe.
>>>>
>>>> regards
>>>
>>> Here is some more information for you on SSSD.
>>> https://fedorahosted.org/sssd/wiki/HOWTO_Configure
>>> And also the SSSD man pages are good.
>>
>> Let me also point out that ipa-client-install already configures the client to use sssd. No additional configuration should be required.
>
> Rob, I do not remember: does ipa-client-install pull in sssd automatically, or do you have to yum install it first?

It is a package dependency so it installs automatically. We configure it by default.

rob

From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 7 Mar 2011 08:23:49 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D710921.4060109@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB770@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Well, client to
ipa server doesnt work...... regards On Fri, 2011-03-04 at 10:45 -0500, Rob Crittenden wrote: > Dmitri Pal wrote: > > On 03/03/2011 02:53 PM, Steven Jones wrote: > >> 8><---- > >> > >> I have no idea, Im trying to follow the ipa document (version 0.5)....so > >> if it says do something I try and do it....if it doesnt say do something > >> well....it doesnt get done as I cant mind read. > >> > >> What I want is encrypted connections on all services / communications so > >> it is secure and safe. > >> > >> regards > > > > Here is some more information for you on SSSD. > > https://fedorahosted.org/sssd/wiki/HOWTO_Configure > > And also SSSD man pages are good. > > Let me also point out that ipa-client-install already configures the > client to use sssd. No additional configuration should be required. > > rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Sun Mar 6 19:27:57 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 7 Mar 2011 08:27:57 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D7022C4.4000409@redhat.com> References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> 
<4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> 8><--- This didnt work...intuitive, no I guess not.... regards > Sorry but the doc might be incomplete. We are in the middle of reviewing > it actually and adding information to it. > > Please go to your system-authconfig dialog and configure LDAP + Kerberos > with the IPA server. It should be intuitive. > It will update all the right config files. > > The logs are in the sub-directory under /var/log. > The name starts with ipa but I do not remember the exact name from the > top of my head. There are no logs....... regards From Steven.Jones at vuw.ac.nz Sun Mar 6 19:48:13 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 7 Mar 2011 08:48:13 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> How do i turn on logging on the 
client and the server so as to start troubleshooting this authentication failure? regards From dpal at redhat.com Mon Mar 7 17:33:17 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 07 Mar 2011 12:33:17 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> Message-ID: <4D7516DD.7090002@redhat.com> On 03/06/2011 02:48 PM, Steven Jones wrote: > How do i turn on logging on the client and the server so as to start > troubleshooting this authentication failure? > > regards > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > http://freeipa.org/page/IPAv2_config_files -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Tue Mar 8 00:31:44 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 8 Mar 2011 13:31:44 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D7516DD.7090002@redhat.com> References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> Hi, Where does this log to? regards On Mon, 2011-03-07 at 12:33 -0500, Dmitri Pal wrote: > On 03/06/2011 02:48 PM, Steven Jones wrote: > > How do i turn on logging on the client and the server so as to start > > troubleshooting this authentication failure? > > > > regards > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > http://freeipa.org/page/IPAv2_config_files > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. 
> > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > From Steven.Jones at vuw.ac.nz Tue Mar 8 03:04:10 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 8 Mar 2011 16:04:10 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB723@STAWINCOEXMAIL1.staff.vuw.ac.nz> <45249.213.225.75.97.1298976907.squirrel@www.nixtra.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB72C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> I can do a ldapsearch -x -b "dc=ipa,dc=ac,dc=nz' |more Which returns LDAP info....that looks fine....the query looks OK.... getent passwd "user" however only returns one line, not the two I should expect? It also returns very fast....like its not even looking remotely. I have run authconfig-tui and that looks OK as far as I can tell.... 
I have set cli.conf and server.conf but there are no logs any where I can find........ Ideas please? Also how to get logging going so I have something to look at!!!! regards On Tue, 2011-03-08 at 13:31 +1300, Steven Jones wrote: > Hi, > > Where does this log to? > > regards > > On Mon, 2011-03-07 at 12:33 -0500, Dmitri Pal wrote: > > On 03/06/2011 02:48 PM, Steven Jones wrote: > > > How do i turn on logging on the client and the server so as to start > > > troubleshooting this authentication failure? > > > > > > regards > > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > http://freeipa.org/page/IPAv2_config_files > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IPA project, > > Red Hat Inc. > > > > > > ------------------------------- > > Looking to carve out IT costs? > > www.redhat.com/carveoutcosts/ > > > > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Tue Mar 8 14:51:15 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 Mar 2011 09:51:15 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <4D6C0EA5.3040708@redhat.com> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> 
<61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> Message-ID: <4D764263.5010900@redhat.com> Steven Jones wrote: > > I can do a ldapsearch -x -b "dc=ipa,dc=ac,dc=nz' |more > > Which returns LDAP info....that looks fine....the query looks OK.... > > getent passwd "user" however only returns one line, not the two I should > expect? Why do you expect two lines? It should only return one, for that user. > > It also returns very fast....like its not even looking remotely. Is the user in /etc/passwd too? > > I have run authconfig-tui and that looks OK as far as I can tell.... > > I have set cli.conf and server.conf but there are no logs any where I > can find........ > > Ideas please? > > Also how to get logging going so I have something to look at!!!! Logging depends entirely on the context you are in. For nss data (user, group, etc) you'll need to check system logs. If you are using sssd, the default, then you can try adding debug_level = 9 to /etc/sssd/sssd.conf in the ipa provider (domain/example.com) and restart sssd. Watch the logs in /var/log/sssd. Since sssd uses LDAP you can also see the queries it makes on your IPA server in /var/log/dirsrv/slapd-REALM/access. This log is buffered. cli.conf and server.conf are only used by the IPA management framework (the ipa command the webUI). The server-side log is the Apache error log, /var/log/httpd/error_log. So if the question is "why can't user log in" or "why can't I see user " then look in the sssd error logs. If you can't manage users using the ipa command, the Apache error log is the place to look. 
rob From Steven.Jones at vuw.ac.nz Tue Mar 8 19:30:19 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 9 Mar 2011 08:30:19 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D764263.5010900@redhat.com> References: <4D6C0EA5.3040708@redhat.com> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB789@STAWINCOEXMAIL1.staff.vuw.ac.nz> 8><----- > > > > getent passwd "user" however only returns one line, not the two I should > > expect? > > Why do you expect two lines? It should only return one, for that user. > > > > > It also returns very fast....like its not even looking remotely. > > Is the user in /etc/passwd too? > When I tried to get FDS going a few years ago getent used to return 2, the local one and the ldap one, hence two lines....if it was working..... I guess the ipa manual is lacking somewhat in that it says run these commands, but doesnt say what the expected output is or looks like, so how am I meant to know if its right or wrong? like duh..... 
regards From Steven.Jones at vuw.ac.nz Tue Mar 8 19:43:46 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 9 Mar 2011 08:43:46 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D764263.5010900@redhat.com> References: <4D6C0EA5.3040708@redhat.com> <4D6D60D1.70303@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB731@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> 8><------ So how do I fault find? where do I start? ie Where do I start to look to determine why a user cannot login to a client via freeipa? How can I be more clear? because so far the replies have been not very productive. 
regards From sgallagh at redhat.com Tue Mar 8 19:59:58 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Tue, 08 Mar 2011 14:59:58 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <4D6C0EA5.3040708@redhat.com> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> Message-ID: <4D768ABE.10202@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/08/2011 02:43 PM, Steven Jones wrote: > 8><------ > > > So how do I fault find? where do I start? > > ie Where do I start to look to determine why a user cannot login to a > client via freeipa? > > How can I be more clear? because so far the replies have been not very > productive. > Steven, sorry you're having such a hard time with this. Let me see if I can help point you in the right direction. I'm trying to look at the history of this thread, but I'm coming into it late, so please forgive me if I retread any ground that's already been covered. First, I need to verify that I understand the state from which you're working. 
Have you installed FreeIPA from the jdennis.fedorapeople.org yum repository? What version of the RPM packages for freeipa-server, freeipa-client and sssd do you have? (rpm -q) I noticed that you mentioned in an earlier email that you were editing nslcd.conf. This is not the preferred mechanism for setting up a FreeIPA client (any more). We now use SSSD (and ipa-client-install should be setting this up for you). So what I need to see are the following configuration files: 1) /etc/nsswitch.conf 2) /etc/sssd/sssd.conf 3) /etc/pam.d/system-auth 4) /etc/pam.d/password-auth (if using GDM) Also, to start debugging login problems, the best place to look is in /var/log/secure, which should report any PAM modules that are denying access to the account (and the reason why it's being denied). Please provide us with the above information and we'll see what we can do to get you up and running. Also, for much faster triage and debugging, you can join the #freeipa and/or #sssd IRC channels on the irc.freenode.net IRC server and speak with us directly. My nick on those channels is 'sgallagh'. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. 
http://www.redhat.com/promo/vendor/ From Steven.Jones at vuw.ac.nz Tue Mar 8 20:49:39 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 9 Mar 2011 09:49:39 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D768ABE.10202@redhat.com> References: <4D6C0EA5.3040708@redhat.com> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D768ABE.10202@redhat.com> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78B@STAWINCOEXMAIL1.staff.vuw.ac.nz> 8><-------- > > Steven, sorry you're having such a hard time with this. Let me see if I > can help point you in the right direction. > > I'm trying to look at the history of this thread, but I'm coming into it > late, so please forgive me if I retread any ground that's already been > covered. > > First, I need to verify that I understand the state from which you're > working.
> Have you installed FreeIPA from the jdennis.fedorapeople.org
> yum repository?

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

F14 and 64bit.

> What version of the RPM packages for freeipa-server, freeipa-client and
> sssd do you have? (rpm -q)

">>" 'd output,
==============
sssd-1.5.1-9.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus             Use NIS+ (NIS version 3)
#   nis                 Use NIS (NIS version 2), also called YP
#   dns                 Use DNS (Domain Name Service)
#   files               Use the local files
#   db                  Use the local database (.db) files
#   compat              Use NIS on compat mode
#   hesiod              Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.ac.nz

[nss]

[pam]

[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz

[domain/default]
cache_credentials = True
krb5_realm = IPA.AC.NZ
krb5_kdcip = fed14-64-ipam001.ipa.ac.nz:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = fed14-64-ipam001.ipa.ac.nz:749
debug_level=9

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
====================

So I wiped the secure log, logged out and tried to login.

The secure log on the guest may be interesting; it looks like sssd isn't running on the guest? I restarted it but to no avail,

====================
Mar 9 09:36:54 fed14-64-ipacl01 su: pam_unix(su-l:session): session closed for user root
Mar 9 09:36:54 fed14-64-ipacl01 pam: gdm-password[1682]: pam_unix(gdm-password:session): session closed for user jonesst1
Mar 9 09:36:54 fed14-64-ipacl01 pam: gdm-password[1682]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
Mar 9 09:36:54 fed14-64-ipacl01 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.22, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 9 09:36:54 fed14-64-ipacl01 polkitd(authority=local): Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session2 (system bus name :1.40, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 9 09:36:57 fed14-64-ipacl01 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session3 (system bus name :1.65 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): conversation failed
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_unix(gdm-password:auth): auth could not identify password for [irwinph]
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:02 fed14-64-ipacl01 pam: gdm-password[2265]: gkr-pam: no password is available for user
Mar 9 09:37:10 fed14-64-ipacl01 unix_chkpwd[2279]: password check failed for user (jonesst1)
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jonesst1
Mar 9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_unix(gdm-password:session): session opened for user jonesst1 by (uid=0)
Mar 9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
Mar 9 09:37:24 fed14-64-ipacl01 polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session4 (system bus name :1.80 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 9 09:37:36 fed14-64-ipacl01 su: pam_unix(su-l:session): session opened for user root by jonesst1(uid=500)
===================

regards

> I noticed that you mentioned in an earlier email that you were editing
> nslcd.conf. This is not the preferred mechanism for setting up a FreeIPA
> client (any more). We now use SSSD (and ipa-client-install should be
> setting this up for you).
>
> So what I need to see are the following configuration files:
> 1) /etc/nsswitch.conf
> 2) /etc/sssd/sssd.conf
> 3) /etc/pam.d/system-auth
> 4) /etc/pam.d/password-auth (if using GDM)
>
> Also, to start debugging login problems, the best place to look is in
> /var/log/secure, which should report any PAM modules that are denying
> access to the account (and the reason why it's being denied).
>
> Please provide us with the above information and we'll see what we can
> do to get you up and running.
> > Also, for much faster triage and debugging, you can join the #freeipa > and/or #sssd IRC channels on the irc.freenode.net IRC server and speak > with us directly. My nick on those channels is 'sgallagh'. I will try and get access to freenode again, but security policy might now stop that..........also I used to find that because im in NZ no one responds (in other channels)...wrong time zone. regards From rcritten at redhat.com Tue Mar 8 20:50:45 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 08 Mar 2011 15:50:45 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <4D6C0EA5.3040708@redhat.com> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> Message-ID: <4D7696A5.6050100@redhat.com> Steven Jones wrote: > 8><------ > > > So how do I fault find? where do I start? > > ie Where do I start to look to determine why a user cannot login to a > client via freeipa? > > How can I be more clear? because so far the replies have been not very > productive. 
>
> regards
>
>

Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart sssd, and try your login again. Look in /var/log/sssd/sssd_example.com.log for information on the login attempt.

Your uid/gid will likely differ.

# getent passwd admin
admin:*:264200000:264200000:Administrator:/home/admin:/bin/bash
# id admin
uid=264200000(admin) gid=264200000(admins) groups=264200000(admins)
# getent group admins
admins:*:264200000:admin
# finger admin
Login: admin                            Name: Administrator
Directory: /home/admin                  Shell: /bin/bash
Never logged in.
No mail.
No Plan.

From Steven.Jones at vuw.ac.nz Tue Mar 8 21:40:29 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 Mar 2011 10:40:29 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D7696A5.6050100@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <4D6D73A8.5060606@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB739@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz>

On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > 8><------
> >
> >
> > So how do I fault find? where do I start?
> >
> > ie Where do I start to look to determine why a user cannot login to a
> > client via freeipa?
> >
> > How can I be more clear? because so far the replies have been not very
> > productive.
> >
> > regards
> >
> >
>
> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
> sssd, and try your login again. Look
> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
>
> Your uid/gid will likely differ.
>
> # getent passwd admin
> admin:*:264200000:264200000:Administrator:/home/admin:/bin/bash
> # id admin
> uid=264200000(admin) gid=264200000(admins) groups=264200000(admins)
> # getent group admins
> admins:*:264200000:admin
> # finger admin
> Login: admin                            Name: Administrator
> Directory: /home/admin                  Shell: /bin/bash
> Never logged in.
> No mail.
> No Plan.

(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:37:32 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:37:32 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:37:32 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:37:32 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:37:32 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:37:33 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:37:33 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:37:33 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:37:33 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:37:33 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:37:34 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:37:34 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:37:34 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:37:34 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:37:34 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:39:10 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:39:10 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:39:10 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:39:10 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:39:10 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:39:11 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:39:11 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:39:11 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:39:11 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:39:11 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:39:12 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:39:12 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:39:12 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:39:12 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:39:12 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:39:13 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:39:13 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:39:13 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:39:13 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:39:13 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:39:14 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Tue Mar 8 15:39:14 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:39:14 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:39:14 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:39:14 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:22:27 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:22:27 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:22:27 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:22:27 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:22:27 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:22:28 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:22:28 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:22:28 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:22:28 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:22:28 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:22:34 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:22:34 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:22:34 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:22:34 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:22:34 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:22:35 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:22:35 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:22:35 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:22:35 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:22:35 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:22:36 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:22:36 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:22:36 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:22:36 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:22:36 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:35:56 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:35:56 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:35:56 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:35:56 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:35:56 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:35:57 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:35:57 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:35:57 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:35:57 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:35:57 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:35:58 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:35:58 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:35:58 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:35:58 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:35:58 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:35:59 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:35:59 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:35:59 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:35:59 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:35:59 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Wed Mar 9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab [default]
(Wed Mar 9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar 9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar 9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar 9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]

From sgallagh at redhat.com Tue Mar 8 22:10:38 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 08 Mar 2011 17:10:38 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D76A95E.200@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/08/2011 04:40 PM, Steven Jones wrote:
> On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> 8><------
>>>
>>>
>>> So how do I fault find? where do I start?
>>>
>>> ie Where do I start to look to determine why a user cannot login to a
>>> client via freeipa?
>>>
>>> How can I be more clear? because so far the replies have been not very
>>> productive.
>>>
>>> regards
>>>
>>>
>>
>> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
>> sssd, and try your login again. Look
>> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
>>
>> Your uid/gid will likely differ.
>>
>> # getent passwd admin
>> admin:*:264200000:264200000:Administrator:/home/admin:/bin/bash
>> # id admin
>> uid=264200000(admin) gid=264200000(admins) groups=264200000(admins)
>> # getent group admins
>> admins:*:264200000:admin
>> # finger admin
>> Login: admin                            Name: Administrator
>> Directory: /home/admin                  Shell: /bin/bash
>> Never logged in.
>> No mail.
>> No Plan.
>
> (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab
> [default]
> (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> Could not verify keytab
> (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
> (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
> fatal error initializing data providers
> (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> initialize backend [14]
> (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
> [sss_krb5_verify_keytab_ex] (0): Principal
> [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab
> [default]

Well, here's your problem. The SSSD isn't starting up successfully because you don't have a host principal for this server in your /etc/krb5.keytab file. This was probably a bug in the ipa-client-install.

What does
klist -k /etc/krb5.keytab
return to you?

- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk12qV4ACgkQeiVVYja6o6OH/gCfabjbwcx/WSookcjKPXeq9N70
HpgAn3gj78oH0CW/WKS0F6X1Whvx/Wai
=R7BT
-----END PGP SIGNATURE-----

From Steven.Jones at vuw.ac.nz Tue Mar 8 22:44:56 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 Mar 2011 11:44:56 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D76A95E.200@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------

8><---------
>
> Well, here's your problem. The SSSD isn't starting up successfully
> because you don't have a host principal for this server in your
> /etc/krb5.keytab file. This was probably a bug in the ipa-client-install.
>
> What does
> klist -k /etc/krb5.keytab
> return to you?
>
> - --
> Stephen Gallagher
> RHCE 804006346421761
>

From sgallagh at redhat.com Wed Mar 9 00:05:45 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Tue, 8 Mar 2011 19:05:45 -0500 (EST)
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com>

On Mar 8, 2011, at 5:45 PM, Steven Jones wrote:

> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>
> 8><---------
>>
>>
>>
>>

Looks like you have no host key in the keytab. That's the root of the problem. Seems like IPA-client-install failed to populate it. Rob, do you have any insight here?
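The triage path the thread follows has three inputs: the PAM denials in /var/log/secure (pam_sss reporting "Request to sssd failed"), the SSSD backend log with debug_level raised (the "Principal ... not found in keytab" lines), and the output of klist -k /etc/krb5.keytab. The script below is an added example, not code from this thread or from the FreeIPA/SSSD projects; it ties those three sources together so the root cause is read off in one step rather than by eye. All sample inputs are constructed for the example and only modelled on what was posted (hostnames and the realm are reused, the keytab entries and KVNO are invented), and the root-cause labels and advice strings are the example's own.

```python
"""Triage a FreeIPA client login failure from three sources (added example).

Sources: /var/log/secure lines, the SSSD backend log (sssd_<domain>.log with
debug_level raised), and `klist -k /etc/krb5.keytab` output.  Nothing here is
project code; the inputs are constructed and the labels are this example's own.
"""
import re

# --- constructed sample inputs, modelled on the thread, not the real files ---
SECURE_SAMPLE = """\
Mar  9 09:37:10 fed14-64-ipacl01 unix_chkpwd[2279]: password check failed for user (jonesst1)
Mar  9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jonesst1
Mar  9 09:37:10 fed14-64-ipacl01 pam: gdm-password[2276]: pam_sss(gdm-password:auth): Request to sssd failed. Connection refused
Mar  9 09:37:22 fed14-64-ipacl01 pam: gdm-password[2284]: pam_sss(gdm-password:session): Request to sssd failed. Connection refused
"""
SSSD_BE_SAMPLE = """\
(Wed Mar  9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]
(Wed Mar  9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Wed Mar  9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Wed Mar  9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Wed Mar  9 09:36:00 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
"""
KLIST_EMPTY = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
"""
# Invented entries (KVNO 2) for the "keytab is populated" branch.
KLIST_WITH_HOST = KLIST_EMPTY + """\
   2 host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ
   2 host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ
"""

PAM_RE = re.compile(r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<stage>\w+)\): (?P<msg>.*)$")
KEYTAB_MISSING_RE = re.compile(
    r"\[sss_krb5_verify_keytab_ex\] \(\d+\): Principal \[(?P<principal>[^\]]+)\] not found in keytab")
BACKEND_FAIL_RE = re.compile(r"\[main\] \(\d+\): Could not initialize backend \[(?P<code>\d+)\]")
KLIST_ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")

# Root-cause labels and advice are this example's own wording.
ADVICE = {
    "keytab_missing_host_principal": "SSSD's IPA backend cannot start: /etc/krb5.keytab has no "
        "entry for the host principal it expects. Re-enrol the client with ipa-client-install "
        "and read /var/log/ipaclient-install.log for the step that failed to write the keytab.",
    "keytab_has_principal_but_sssd_rejects_it": "The keytab lists the host principal but SSSD "
        "still cannot verify it: check the file's owner and mode, and that the KVNO matches "
        "the host entry on the server.",
    "sssd_unreachable": "pam_sss cannot reach the sssd socket, so sssd is not running. Raise "
        "debug_level on the ipa provider in /etc/sssd/sssd.conf and read the backend log.",
    "no_sssd_involvement": "No pam_sss or sssd failures seen; the denial came from another PAM module.",
}


def pam_events(secure_text):
    """Yield (module, service, stage, message) for each PAM module line in /var/log/secure."""
    for line in secure_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            yield m.group("module"), m.group("service"), m.group("stage"), m.group("msg")


def keytab_principals(klist_output):
    """Parse `klist -k` output into a set of principals; header and rule lines never match."""
    found = set()
    for line in klist_output.splitlines():
        m = KLIST_ENTRY_RE.match(line)
        if m:
            found.add(m.group("principal"))
    return found


def diagnose(secure_text, sssd_be_text, klist_output):
    """Combine the three sources into one report; root_cause is one of the ADVICE keys."""
    report = {
        "pam_sss_refused": 0,        # pam_sss could not talk to sssd at all
        "pam_unix_failures": 0,      # local password check failed (expected for an IPA user)
        "missing_principal": None,   # principal SSSD looked for and did not find
        "backend_error_code": None,  # N from "Could not initialize backend [N]"
        "keytab_principals": sorted(keytab_principals(klist_output)),
        "root_cause": "no_sssd_involvement",
    }
    for module, _service, _stage, msg in pam_events(secure_text):
        if module == "pam_sss" and "Request to sssd failed" in msg:
            report["pam_sss_refused"] += 1
        elif module == "pam_unix" and msg.startswith("authentication failure"):
            report["pam_unix_failures"] += 1
    for line in sssd_be_text.splitlines():
        m = KEYTAB_MISSING_RE.search(line)
        if m:
            report["missing_principal"] = m.group("principal")
        m = BACKEND_FAIL_RE.search(line)
        if m:
            report["backend_error_code"] = int(m.group("code"))
    # The backend log is decisive; the keytab listing tells the two keytab cases apart.
    if report["missing_principal"]:
        if report["missing_principal"] in report["keytab_principals"]:
            report["root_cause"] = "keytab_has_principal_but_sssd_rejects_it"
        else:
            report["root_cause"] = "keytab_missing_host_principal"
    elif report["pam_sss_refused"]:
        report["root_cause"] = "sssd_unreachable"
    report["advice"] = ADVICE[report["root_cause"]]
    return report


if __name__ == "__main__":
    for key, value in diagnose(SECURE_SAMPLE, SSSD_BE_SAMPLE, KLIST_EMPTY).items():
        print(f"{key}: {value}")
```

On a real client you would feed `diagnose()` the contents of /var/log/secure, the sssd_<domain>.log written after raising debug_level, and the captured output of `klist -k /etc/krb5.keytab`; the ordering of checks matters, because a refused pam_sss request on its own only says sssd is down, while the backend log says why.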
From ssorce at redhat.com Wed Mar 9 00:28:44 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 8 Mar 2011 19:28:44 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com>
Message-ID: <20110308192844.4f7d60ff@willson.li.ssimo.org>

On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
Stephen Gallagher wrote:

>
>
> On Mar 8, 2011, at 5:45 PM, Steven Jones
> wrote:
>
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > ----
> > --------------------------------------------------------------------------
> >
> > 8><---------
> >>
> >>
> >>
> >>
>
> Looks like you have no host key in the keytab. That's the root of the
> problem. Seems like IPA-client-install failed to populate it. Rob, do
> you have any insight here?

does /var/log/ipaclient-install.log show any error ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Wed Mar 9 01:33:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 Mar 2011 14:33:41 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <20110308192844.4f7d60ff@willson.li.ssimo.org>
References: <4D6C0EA5.3040708@redhat.com> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com> <20110308192844.4f7d60ff@willson.li.ssimo.org>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB791@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

Log,
============
2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': True, 'sssd': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'realm_name': None, 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server': None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-03-04 15:08:58,726 DEBUG missing options might be asked for interactively later
2011-03-04 15:08:58,726 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget -O /tmp/tmp7MhOze/ca.crt http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:08:58,736 DEBUG stdout=
2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--  http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp7MhOze/ca.crt'

     0K .                                                     100%  237M=0s

2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved [1321/1321]

2011-03-04 15:08:58,736 DEBUG Init ldap with: ldap://fed14-64-ipam001.ipa.ac.nz:389
2011-03-04 15:08:58,749 DEBUG Search rootdse
2011-03-04 15:08:58,750 DEBUG Search for (info=*) in dc=ipa,dc=ac,dc=nz(base)
2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz', {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer) in dc=ipa,dc=ac,dc=nz(sub)
2011-03-04 15:08:58,753 DEBUG Found: [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees': ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
2011-03-04 15:08:58,753 DEBUG will use server: fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
2011-03-04 15:09:04,645 DEBUG will use principal: admin
2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:09:04,659 DEBUG stdout=
2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--  http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

     0K .                                                     100%  249M=0s

2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]

2011-03-04 15:09:11,665 DEBUG args=kinit admin at IPA.AC.NZ
2011-03-04 15:09:11,665 DEBUG stdout=Password for admin at IPA.AC.NZ:
2011-03-04 15:09:11,665 DEBUG stderr=
2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:09:13,931 DEBUG stdout=
2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.
2011-03-04 15:09:13,937 DEBUG args=kdestroy
2011-03-04 15:09:13,937 DEBUG stdout=
2011-03-04 15:09:13,937 DEBUG stderr=
2011-03-04 15:09:13,937 DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2011-03-04 15:09:13,938 DEBUG   -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2011-03-04 15:09:13,938 DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2011-03-04 15:09:13,938 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2011-03-04 15:09:14,012 DEBUG stdout=
2011-03-04 15:09:14,012 DEBUG stderr=
2011-03-04 15:09:14,012 DEBUG Backing up system configuration file '/etc/krb5.conf'
2011-03-04 15:09:14,013 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger status
2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped
2011-03-04 15:09:14,104 DEBUG stderr=
2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart
2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]

2011-03-04 15:09:14,280 DEBUG stderr=
2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list
2011-03-04 15:09:14,295 DEBUG stdout=certmonger 0:off 1:off 2:off 3:off 4:off 5:off 6:off
2011-03-04 15:09:14,295 DEBUG stderr=
2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on
2011-03-04 15:09:14,564 DEBUG stdout=
2011-03-04 15:09:14,564 DEBUG stderr=
2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ
2011-03-04 15:09:14,586 DEBUG stdout=Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request "20110303020539".
2011-03-04 15:09:14,586 DEBUG stderr=
2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-03-04 15:09:14,605 DEBUG stdout=
2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be canonicalized when creating default server principal name
2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2011-03-04 15:09:14,764 DEBUG stdout=
2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may have expired.
2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status
2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running...
2011-03-04 15:09:14,827 DEBUG stderr=
2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop
2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [  OK  ]
2011-03-04 15:09:14,856 DEBUG stderr=
2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list
2011-03-04 15:09:14,858 DEBUG stdout=nscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
2011-03-04 15:09:14,858 DEBUG stderr=
2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off
2011-03-04 15:09:14,958 DEBUG stdout=
2011-03-04 15:09:14,958 DEBUG stderr=
2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd --enablesssdauth --update
2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [  OK  ]
[  OK  ]

2011-03-04 15:09:16,402 DEBUG stderr=
2011-03-04 15:09:16,419 DEBUG args=getent passwd admin
2011-03-04 15:09:16,419 DEBUG stdout=
2011-03-04 15:09:16,419 DEBUG stderr=
2011-03-04 15:09:17,424 DEBUG args=getent passwd admin
2011-03-04 15:09:17,424 DEBUG stdout=
2011-03-04 15:09:17,424 DEBUG stderr=
2011-03-04 15:09:18,429 DEBUG args=getent passwd admin
2011-03-04 15:09:18,429 DEBUG stdout=
2011-03-04 15:09:18,429 DEBUG stderr=
2011-03-04 15:09:19,432 DEBUG args=getent passwd admin
2011-03-04 15:09:19,432 DEBUG stdout=
2011-03-04 15:09:19,432 DEBUG stderr=
2011-03-04 15:09:20,435 DEBUG args=getent passwd admin
2011-03-04 15:09:20,436 DEBUG stdout=
2011-03-04 15:09:20,436 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5 --update --nostart
2011-03-04 15:09:22,303 DEBUG stdout=
2011-03-04 15:09:22,303 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG Backing up system configuration file '/etc/ntp.conf'
2011-03-04 15:09:22,304 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:22,305 DEBUG Backing up system configuration file '/etc/sysconfig/ntpd'
2011-03-04 15:09:22,305 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on
2011-03-04 15:09:22,398 DEBUG stdout=
2011-03-04 15:09:22,398 DEBUG stderr= 2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart 2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [ OK ] Starting ntpd: [ OK ] 2011-03-04 15:09:22,537 DEBUG stderr= ============ regards On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote: > On Tue, 8 Mar 2011 19:05:45 -0500 (EST) > Stephen Gallagher wrote: > > > > > > > On Mar 8, 2011, at 5:45 PM, Steven Jones > > wrote: > > > > > Keytab name: WRFILE:/etc/krb5.keytab > > > KVNO Principal > > > ---- > > > -------------------------------------------------------------------------- > > > > > > 8><--------- > > >> > > >> > > >> > > >> > > > > Looks like you have no host key in the keytab. That's the root of the > > problem. Seems like IPA-client-install failed to populate it. Rob, do > > you have any insight here? > > does /var/log/ipaclient-install.log show any error ? > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Wed Mar 9 02:12:45 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 9 Mar 2011 15:12:45 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <20110308192844.4f7d60ff@willson.li.ssimo.org> References: <4D6C0EA5.3040708@redhat.com> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> 
<61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com> <20110308192844.4f7d60ff@willson.li.ssimo.org>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB794@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

I have just done another F14 client and I have the same issue.

regards

On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
> Stephen Gallagher wrote:
>
> > On Mar 8, 2011, at 5:45 PM, Steven Jones
> > wrote:
> >
> > > Keytab name: WRFILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ----
> > > --------------------------------------------------------------------------
> > >
> > > 8><---------
> >
> > Looks like you have no host key in the keytab. That's the root of the
> > problem. Seems like IPA-client-install failed to populate it. Rob, do
> > you have any insight here?
>
> does /var/log/ipaclient-install.log show any error ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Wed Mar 9 04:29:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 08 Mar 2011 23:29:27 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB791@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com> <20110308192844.4f7d60ff@willson.li.ssimo.org> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB791@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D770227.2000900@redhat.com>

Steven Jones wrote:
> Hi,
>
> Log,
>

The error is "Host is already joined" so no keytab is requested. The enrollment failed.

ipa-client-install --uninstall should unenroll the client (you can verify that Keytab is False in ipa host-show on the IPA server).

If so running ipa-client-install on the client should configure things properly.
rob > ============ > 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked > with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, > 'force': True, 'sssd': True, 'hostname': None, 'permit': False, > 'server': None, 'prompt_password': False, 'realm_name': None, > 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server': > None, 'mkhomedir': False, 'unattended': None, 'principal': None} > 2011-03-04 15:08:58,726 DEBUG missing options might be asked for > interactively later > > 2011-03-04 15:08:58,726 DEBUG Loading Index file from > '/var/lib/ipa-client/sysrestore/sysrestore.index' > 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)] > 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb] > 2011-03-04 15:08:58,729 DEBUG [ipacheckldap] > 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget > -O /tmp/tmp7MhOze/ca.crt > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt > 2011-03-04 15:08:58,736 DEBUG stdout= > 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58-- > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2 > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected. > HTTP request sent, awaiting response... 200 OK > Length: 1321 (1.3K) [application/x-x509-ca-cert] > Saving to: `/tmp/tmp7MhOze/ca.crt' > > 0K . 
100% > 237M=0s > > 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved > [1321/1321] > > > 2011-03-04 15:08:58,736 DEBUG Init ldap with: > ldap://fed14-64-ipam001.ipa.ac.nz:389 > 2011-03-04 15:08:58,749 DEBUG Search rootdse > 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in > dc=ipa,dc=ac,dc=nz(base) > 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz', > {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', > 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': > ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})] > 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer) > in dc=ipa,dc=ac,dc=nz(sub) > 2011-03-04 15:08:58,753 DEBUG Found: > [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees': > ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes': > ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', > 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', > 'krbticketpolicyaux'], 'krbSearchScope': ['2'], > 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', > 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', > 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', > 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', > 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], > 'krbMaxRenewableAge': ['604800']})] > 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz > > 2011-03-04 15:08:58,753 DEBUG will use server: > fed14-64-ipam001.ipa.ac.nz > > 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ > > 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz > > 2011-03-04 15:09:04,645 DEBUG will use principal: admin > > 2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt > 2011-03-04 15:09:04,659 DEBUG stdout= > 2011-03-04 15:09:04,660 DEBUG 
stderr=--2011-03-04 15:09:04-- > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2 > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected. > HTTP request sent, awaiting response... 200 OK > Length: 1321 (1.3K) [application/x-x509-ca-cert] > Saving to: `/etc/ipa/ca.crt' > > 0K . 100% > 249M=0s > > 2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321] > > > 2011-03-04 15:09:11,665 DEBUG args=kinit admin at IPA.AC.NZ > 2011-03-04 15:09:11,665 DEBUG stdout=Password for admin at IPA.AC.NZ: > > 2011-03-04 15:09:11,665 DEBUG stderr= > 2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s > fed14-64-ipam001.ipa.ac.nz > 2011-03-04 15:09:13,931 DEBUG stdout= > 2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined. > > 2011-03-04 15:09:13,937 DEBUG args=kdestroy > 2011-03-04 15:09:13,937 DEBUG stdout= > 2011-03-04 15:09:13,937 DEBUG stderr= > 2011-03-04 15:09:13,937 DEBUG Backing up system configuration file > '/etc/ipa/default.conf' > 2011-03-04 15:09:13,938 DEBUG -> Not backing up - > '/etc/ipa/default.conf' doesn't exist > 2011-03-04 15:09:13,938 DEBUG Backing up system configuration file > '/etc/sssd/sssd.conf' > 2011-03-04 15:09:13,938 DEBUG Saving Index File to > '/var/lib/ipa-client/sysrestore/sysrestore.index' > 2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A > -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt > 2011-03-04 15:09:14,012 DEBUG stdout= > 2011-03-04 15:09:14,012 DEBUG stderr= > 2011-03-04 15:09:14,012 DEBUG Backing up system configuration file > '/etc/krb5.conf' > 2011-03-04 15:09:14,013 DEBUG Saving Index File to > '/var/lib/ipa-client/sysrestore/sysrestore.index' > 2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger status > 2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped > > 2011-03-04 15:09:14,104 DEBUG stderr= > 2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart > 2011-03-04 15:09:14,280 DEBUG 
stdout=Stopping certmonger: [FAILED] > Starting certmonger: [ OK ] > > 2011-03-04 15:09:14,280 DEBUG stderr= > 2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list > 2011-03-04 15:09:14,295 DEBUG stdout=certmonger 0:off 1:off 2:off > 3:off 4:off 5:off 6:off > > 2011-03-04 15:09:14,295 DEBUG stderr= > 2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on > 2011-03-04 15:09:14,564 DEBUG stdout= > 2011-03-04 15:09:14,564 DEBUG stderr= > 2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb > -n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N > CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K > host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ > 2011-03-04 15:09:14,586 DEBUG stdout=Error > org.fedorahosted.certmonger.duplicate: Certificate at same location is > already used by request "20110303020539". > > 2011-03-04 15:09:14,586 DEBUG stderr= > 2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab > 2011-03-04 15:09:14,605 DEBUG stdout= > 2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be > canonicalized when creating default server principal name > > 2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate > -g /etc/ipa/.dns_update.txt > 2011-03-04 15:09:14,764 DEBUG stdout= > 2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may > have expired. > > 2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status > 2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running... 
> > 2011-03-04 15:09:14,827 DEBUG stderr= > 2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop > 2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [ OK ] > > 2011-03-04 15:09:14,856 DEBUG stderr= > 2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list > 2011-03-04 15:09:14,858 DEBUG stdout=nscd 0:off 1:off 2:on > 3:on 4:on 5:on 6:off > > 2011-03-04 15:09:14,858 DEBUG stderr= > 2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off > 2011-03-04 15:09:14,958 DEBUG stdout= > 2011-03-04 15:09:14,958 DEBUG stderr= > 2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd > --enablesssdauth --update > 2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [ OK ] > [ OK ] > > 2011-03-04 15:09:16,402 DEBUG stderr= > 2011-03-04 15:09:16,419 DEBUG args=getent passwd admin > 2011-03-04 15:09:16,419 DEBUG stdout= > 2011-03-04 15:09:16,419 DEBUG stderr= > 2011-03-04 15:09:17,424 DEBUG args=getent passwd admin > 2011-03-04 15:09:17,424 DEBUG stdout= > 2011-03-04 15:09:17,424 DEBUG stderr= > 2011-03-04 15:09:18,429 DEBUG args=getent passwd admin > 2011-03-04 15:09:18,429 DEBUG stdout= > 2011-03-04 15:09:18,429 DEBUG stderr= > 2011-03-04 15:09:19,432 DEBUG args=getent passwd admin > 2011-03-04 15:09:19,432 DEBUG stdout= > 2011-03-04 15:09:19,432 DEBUG stderr= > 2011-03-04 15:09:20,435 DEBUG args=getent passwd admin > 2011-03-04 15:09:20,436 DEBUG stdout= > 2011-03-04 15:09:20,436 DEBUG stderr= > 2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5 > --update --nostart > 2011-03-04 15:09:22,303 DEBUG stdout= > 2011-03-04 15:09:22,303 DEBUG stderr= > 2011-03-04 15:09:22,303 DEBUG Backing up system configuration file > '/etc/ntp.conf' > 2011-03-04 15:09:22,304 DEBUG Saving Index File to > '/var/lib/ipa-client/sysrestore/sysrestore.index' > 2011-03-04 15:09:22,305 DEBUG Backing up system configuration file > '/etc/sysconfig/ntpd' > 2011-03-04 15:09:22,305 DEBUG Saving Index File to > '/var/lib/ipa-client/sysrestore/sysrestore.index' > 
2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on > 2011-03-04 15:09:22,398 DEBUG stdout= > 2011-03-04 15:09:22,398 DEBUG stderr= > 2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart > 2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [ OK ] > Starting ntpd: [ OK ] > > 2011-03-04 15:09:22,537 DEBUG stderr= > ============ > > regards > > On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote: >> On Tue, 8 Mar 2011 19:05:45 -0500 (EST) >> Stephen Gallagher wrote: >> >>> >>> >>> On Mar 8, 2011, at 5:45 PM, Steven Jones >>> wrote: >>> >>>> Keytab name: WRFILE:/etc/krb5.keytab >>>> KVNO Principal >>>> ---- >>>> -------------------------------------------------------------------------- >>>> >>>> 8><--------- >>>>> >>>>> >>>>> >>>>> >>> >>> Looks like you have no host key in the keytab. That's the root of the >>> problem. Seems like IPA-client-install failed to populate it. Rob, do >>> you have any insight here? >> >> does /var/log/ipaclient-install.log show any error ? >> >> Simo. >> >> -- >> Simo Sorce * Red Hat, Inc * New York >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From tomasz.napierala at allegro.pl Wed Mar 9 13:20:47 2011 From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl) Date: Wed, 9 Mar 2011 14:20:47 +0100 Subject: [Freeipa-users] Problem with replication after restore Message-ID: <3E2D37A9-E107-4061-86A9-DD2C072ED879@allegro.pl> Hi, Recently we had to move our freeipa master into separate infrastructure. Because we use KVM, server was shutdown, gzipped, scped nad restored on other KVM host. It looks like since then replication stopped completely. 
On the slave I can see such entries in the logs: [04/Mar/2011:14:59:17 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests [04/Mar/2011:14:59:17 +0100] - Listening on All Interfaces port 636 for LDAPS requests [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Missing data encountered [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Incremental update failed and requires administrator action On the master [09/Mar/2011:00:00:00 +0100] NSMMReplicationPlugin - agmt="cn=meToSLAVE636" XXX:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes We have 389-ds-base-1.2.6.1-2.fc12.x86_64 ipa-server-1.2.2-3.fc12.x86_64 on both servers. How can I force synchronization to work? Regards, -- Tomasz Z. Napiera?a Systems Architecture Engineer, IT Infrastructure Department Allegro Team http://www.allegro.pl/ Grupa Allegro Sp. z o.o. z siedzib? w Poznaniu, 60-324 Pozna?, przy ul. Marceli?skiej 90, wpisana do rejestru przedsi?biorc?w prowadzonego przez S?d Rejonowy Pozna? - Nowe Miasto i Wilda, Wydzia? VIII Gospodarczy Krajowego Rejestru S?dowego pod numerem KRS 0000268796, o kapitale zak?adowym w wysoko?ci 33 474 500 z?, posiadaj?ca numer identyfikacji podatkowej NIP: 5272525995. From rmeggins at redhat.com Wed Mar 9 14:09:27 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 09 Mar 2011 07:09:27 -0700 Subject: [Freeipa-users] Problem with replication after restore In-Reply-To: <3E2D37A9-E107-4061-86A9-DD2C072ED879@allegro.pl> References: <3E2D37A9-E107-4061-86A9-DD2C072ED879@allegro.pl> Message-ID: <4D778A17.6020900@redhat.com> On 03/09/2011 06:20 AM, tomasz.napierala at allegro.pl wrote: > Hi, > > Recently we had to move our freeipa master into separate infrastructure. Because we use KVM, server was shutdown, gzipped, scped nad restored on other KVM host. It looks like since then replication stopped completely. 
> On the slave I can see such entries in the logs: > [04/Mar/2011:14:59:17 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests > [04/Mar/2011:14:59:17 +0100] - Listening on All Interfaces port 636 for LDAPS requests > [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Missing data encountered > [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Incremental update failed and requires administrator action Not sure what happened here. How long has the server been down? You will need to reinitialize the slave from the master. > On the master > [09/Mar/2011:00:00:00 +0100] NSMMReplicationPlugin - agmt="cn=meToSLAVE636" XXX:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes You can ignore this message. > We have > 389-ds-base-1.2.6.1-2.fc12.x86_64 > ipa-server-1.2.2-3.fc12.x86_64 > on both servers. > > How can I force synchronization to work? > > Regards, From tomasz.napierala at allegro.pl Wed Mar 9 16:15:33 2011 From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl) Date: Wed, 9 Mar 2011 17:15:33 +0100 Subject: [Freeipa-users] Problem with replication after restore In-Reply-To: <4D778A17.6020900@redhat.com> References: <3E2D37A9-E107-4061-86A9-DD2C072ED879@allegro.pl> <4D778A17.6020900@redhat.com> Message-ID: On 2011-03-09, at 15:09, Rich Megginson wrote: 8><----------------- >> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Missing data encountered >> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Incremental update failed and requires administrator action > Not sure what happened here. How long has the server been down? You > will need to reinitialize the slave from the master. Server was down for 2-3 hours. 
Currently slave has more recent data, because it is in our production environment (master is in backup DC) I don't have much experience with 389, and it seems that in FreeIPA setup 389 DS is in minimal form. So how can I reinitialize slave? Is there any chance to transfer changes form slave to master? Im afraid that loosing changes on slave would be a disaster (there were hundreds of users added) Regards, -- Tomasz Z. Napiera?a Systems Architecture Engineer, IT Infrastructure Department Allegro Team http://www.allegro.pl/ Grupa Allegro Sp. z o.o. z siedzib? w Poznaniu, 60-324 Pozna?, przy ul. Marceli?skiej 90, wpisana do rejestru przedsi?biorc?w prowadzonego przez S?d Rejonowy Pozna? - Nowe Miasto i Wilda, Wydzia? VIII Gospodarczy Krajowego Rejestru S?dowego pod numerem KRS 0000268796, o kapitale zak?adowym w wysoko?ci 33 474 500 z?, posiadaj?ca numer identyfikacji podatkowej NIP: 5272525995. From Steven.Jones at vuw.ac.nz Wed Mar 9 19:21:17 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 10 Mar 2011 08:21:17 +1300 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D770227.2000900@redhat.com> References: <4D6C0EA5.3040708@redhat.com> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EB! 
E75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com> <20110308192844.4f7d60ff@willson.li.ssimo.org> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB791@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D770227.2000900@redhat.com> Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB796@STAWINCOEXMAIL1.staff.vuw.ac.nz> Hi, I had/have already done the uninstall...and re-install. Also I registered a brand new 2nd client...that hasnt worked either...... regards On Tue, 2011-03-08 at 23:29 -0500, Rob Crittenden wrote: > Steven Jones wrote: > > Hi, > > > > Log, > > > > The error is "Host is already joined" so no keytab is requested. The > enrollment failed. > > ipa-client-install --uninstall should unenroll the client (you can > verify that Keytab is False in ipa host-show on the IPA > server. > > If so running ipa-client-install on the client should configure things > properly. > > rob > > > ============ > > 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked > > with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, > > 'force': True, 'sssd': True, 'hostname': None, 'permit': False, > > 'server': None, 'prompt_password': False, 'realm_name': None, > > 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server': > > None, 'mkhomedir': False, 'unattended': None, 'principal': None} > > 2011-03-04 15:08:58,726 DEBUG missing options might be asked for > > interactively later > > > > 2011-03-04 15:08:58,726 DEBUG Loading Index file from > > '/var/lib/ipa-client/sysrestore/sysrestore.index' > > 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)] > > 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb] > > 2011-03-04 15:08:58,729 DEBUG [ipacheckldap] > > 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget > > -O /tmp/tmp7MhOze/ca.crt > > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt > > 2011-03-04 15:08:58,736 DEBUG stdout= > > 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58-- > > 
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt > > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2 > > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected. > > HTTP request sent, awaiting response... 200 OK > > Length: 1321 (1.3K) [application/x-x509-ca-cert] > > Saving to: `/tmp/tmp7MhOze/ca.crt' > > > > 0K . 100% > > 237M=0s > > > > 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved > > [1321/1321] > > > > > > 2011-03-04 15:08:58,736 DEBUG Init ldap with: > > ldap://fed14-64-ipam001.ipa.ac.nz:389 > > 2011-03-04 15:08:58,749 DEBUG Search rootdse > > 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in > > dc=ipa,dc=ac,dc=nz(base) > > 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz', > > {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', > > 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': > > ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})] > > 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer) > > in dc=ipa,dc=ac,dc=nz(sub) > > 2011-03-04 15:08:58,753 DEBUG Found: > > [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees': > > ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes': > > ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', > > 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', > > 'krbticketpolicyaux'], 'krbSearchScope': ['2'], > > 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', > > 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', > > 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', > > 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', > > 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], > > 'krbMaxRenewableAge': ['604800']})] > > 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz > > > > 2011-03-04 15:08:58,753 DEBUG will use server: > > 
fed14-64-ipam001.ipa.ac.nz > > > > 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ > > > > 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz > > > > 2011-03-04 15:09:04,645 DEBUG will use principal: admin > > > > 2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt > > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt > > 2011-03-04 15:09:04,659 DEBUG stdout= > > 2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04-- > > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt > > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2 > > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected. > > HTTP request sent, awaiting response... 200 OK > > Length: 1321 (1.3K) [application/x-x509-ca-cert] > > Saving to: `/etc/ipa/ca.crt' > > > > 0K . 100% > > 249M=0s > > > > 2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321] > > > > > > 2011-03-04 15:09:11,665 DEBUG args=kinit admin at IPA.AC.NZ > > 2011-03-04 15:09:11,665 DEBUG stdout=Password for admin at IPA.AC.NZ: > > > > 2011-03-04 15:09:11,665 DEBUG stderr= > > 2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s > > fed14-64-ipam001.ipa.ac.nz > > 2011-03-04 15:09:13,931 DEBUG stdout= > > 2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined. 
> > > > 2011-03-04 15:09:13,937 DEBUG args=kdestroy > > 2011-03-04 15:09:13,937 DEBUG stdout= > > 2011-03-04 15:09:13,937 DEBUG stderr= > > 2011-03-04 15:09:13,937 DEBUG Backing up system configuration file > > '/etc/ipa/default.conf' > > 2011-03-04 15:09:13,938 DEBUG -> Not backing up - > > '/etc/ipa/default.conf' doesn't exist > > 2011-03-04 15:09:13,938 DEBUG Backing up system configuration file > > '/etc/sssd/sssd.conf' > > 2011-03-04 15:09:13,938 DEBUG Saving Index File to > > '/var/lib/ipa-client/sysrestore/sysrestore.index' > > 2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A > > -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt > > 2011-03-04 15:09:14,012 DEBUG stdout= > > 2011-03-04 15:09:14,012 DEBUG stderr= > > 2011-03-04 15:09:14,012 DEBUG Backing up system configuration file > > '/etc/krb5.conf' > > 2011-03-04 15:09:14,013 DEBUG Saving Index File to > > '/var/lib/ipa-client/sysrestore/sysrestore.index' > > 2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger status > > 2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped > > > > 2011-03-04 15:09:14,104 DEBUG stderr= > > 2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart > > 2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED] > > Starting certmonger: [ OK ] > > > > 2011-03-04 15:09:14,280 DEBUG stderr= > > 2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list > > 2011-03-04 15:09:14,295 DEBUG stdout=certmonger 0:off 1:off 2:off > > 3:off 4:off 5:off 6:off > > > > 2011-03-04 15:09:14,295 DEBUG stderr= > > 2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on > > 2011-03-04 15:09:14,564 DEBUG stdout= > > 2011-03-04 15:09:14,564 DEBUG stderr= > > 2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb > > -n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N > > CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K > > host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ > > 2011-03-04 15:09:14,586 DEBUG 
stdout=Error > > org.fedorahosted.certmonger.duplicate: Certificate at same location is > > already used by request "20110303020539". > > > > 2011-03-04 15:09:14,586 DEBUG stderr= > > 2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab > > 2011-03-04 15:09:14,605 DEBUG stdout= > > 2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be > > canonicalized when creating default server principal name > > > > 2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate > > -g /etc/ipa/.dns_update.txt > > 2011-03-04 15:09:14,764 DEBUG stdout= > > 2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may > > have expired. > > > > 2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status > > 2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running... > > > > 2011-03-04 15:09:14,827 DEBUG stderr= > > 2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop > > 2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [ OK ] > > > > 2011-03-04 15:09:14,856 DEBUG stderr= > > 2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list > > 2011-03-04 15:09:14,858 DEBUG stdout=nscd 0:off 1:off 2:on > > 3:on 4:on 5:on 6:off > > > > 2011-03-04 15:09:14,858 DEBUG stderr= > > 2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off > > 2011-03-04 15:09:14,958 DEBUG stdout= > > 2011-03-04 15:09:14,958 DEBUG stderr= > > 2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd > > --enablesssdauth --update > > 2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [ OK ] > > [ OK ] > > > > 2011-03-04 15:09:16,402 DEBUG stderr= > > 2011-03-04 15:09:16,419 DEBUG args=getent passwd admin > > 2011-03-04 15:09:16,419 DEBUG stdout= > > 2011-03-04 15:09:16,419 DEBUG stderr= > > 2011-03-04 15:09:17,424 DEBUG args=getent passwd admin > > 2011-03-04 15:09:17,424 DEBUG stdout= > > 2011-03-04 15:09:17,424 DEBUG stderr= > > 2011-03-04 15:09:18,429 DEBUG args=getent passwd admin > > 2011-03-04 15:09:18,429 DEBUG stdout= > > 2011-03-04 
15:09:18,429 DEBUG stderr= > > 2011-03-04 15:09:19,432 DEBUG args=getent passwd admin > > 2011-03-04 15:09:19,432 DEBUG stdout= > > 2011-03-04 15:09:19,432 DEBUG stderr= > > 2011-03-04 15:09:20,435 DEBUG args=getent passwd admin > > 2011-03-04 15:09:20,436 DEBUG stdout= > > 2011-03-04 15:09:20,436 DEBUG stderr= > > 2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5 > > --update --nostart > > 2011-03-04 15:09:22,303 DEBUG stdout= > > 2011-03-04 15:09:22,303 DEBUG stderr= > > 2011-03-04 15:09:22,303 DEBUG Backing up system configuration file > > '/etc/ntp.conf' > > 2011-03-04 15:09:22,304 DEBUG Saving Index File to > > '/var/lib/ipa-client/sysrestore/sysrestore.index' > > 2011-03-04 15:09:22,305 DEBUG Backing up system configuration file > > '/etc/sysconfig/ntpd' > > 2011-03-04 15:09:22,305 DEBUG Saving Index File to > > '/var/lib/ipa-client/sysrestore/sysrestore.index' > > 2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on > > 2011-03-04 15:09:22,398 DEBUG stdout= > > 2011-03-04 15:09:22,398 DEBUG stderr= > > 2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart > > 2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [ OK ] > > Starting ntpd: [ OK ] > > > > 2011-03-04 15:09:22,537 DEBUG stderr= > > ============ > > > > regards > > > > On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote: > >> On Tue, 8 Mar 2011 19:05:45 -0500 (EST) > >> Stephen Gallagher wrote: > >> > >>> > >>> > >>> On Mar 8, 2011, at 5:45 PM, Steven Jones > >>> wrote: > >>> > >>>> Keytab name: WRFILE:/etc/krb5.keytab > >>>> KVNO Principal > >>>> ---- > >>>> -------------------------------------------------------------------------- > >>>> > >>>> 8><--------- > >>>>> > >>>>> > >>>>> > >>>>> > >>> > >>> Looks like you have no host key in the keytab. That's the root of the > >>> problem. Seems like IPA-client-install failed to populate it. Rob, do > >>> you have any insight here? > >> > >> does /var/log/ipaclient-install.log show any error ? > >> > >> Simo. 
> >>
> >> --
> >> Simo Sorce * Red Hat, Inc * New York
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>

From rmeggins at redhat.com Wed Mar 9 19:33:43 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Mar 2011 12:33:43 -0700
Subject: [Freeipa-users] Problem with replication after restore
In-Reply-To:
References: <3E2D37A9-E107-4061-86A9-DD2C072ED879@allegro.pl> <4D778A17.6020900@redhat.com>
Message-ID: <4D77D617.7040605@redhat.com>

On 03/09/2011 09:15 AM, tomasz.napierala at allegro.pl wrote:
> On 2011-03-09, at 15:09, Rich Megginson wrote:
>
> 8><-----------------
>>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Missing data encountered
>>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Incremental update failed and requires administrator action
>> Not sure what happened here. How long has the server been down? You
>> will need to reinitialize the slave from the master.
> Server was down for 2-3 hours. Currently the slave has more recent data, because it is in our production environment (master is in backup DC)
>
> I don't have much experience with 389, and it seems that in a FreeIPA setup 389 DS is in minimal form. So how can I reinitialize the slave? Is there any chance to transfer changes from slave to master? I'm afraid that losing changes on the slave would be a disaster (there were hundreds of users added)

ipa-replica-manage - you would want to initialize the master from the slave. Please make a backup of your slave first.
> Regards,

From dpal at redhat.com Wed Mar 9 19:42:12 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 09 Mar 2011 14:42:12 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB796@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com> <20110308192844.4f7d60ff@willson.li.ssimo.org> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB791@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D770227.2000900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB796@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D77D814.1040701@redhat.com>

On 03/09/2011 02:21 PM, Steven Jones wrote:
> Hi,
>
> I had/have already done the uninstall...and re-install.
>
> Also I registered a brand new 2nd client...that hasn't worked
> either......
>
How did you create the host record for it on the server?

> regards
>
>
> On Tue, 2011-03-08 at 23:29 -0500, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> Hi,
>>>
>>> Log,
>>>
>> The error is "Host is already joined" so no keytab is requested. The
>> enrollment failed.
>>
>> ipa-client-install --uninstall should unenroll the client (you can
>> verify that Keytab is False in ipa host-show on the IPA
>> server.
>> >> If so running ipa-client-install on the client should configure things >> properly. >> >> rob >> >>> ============ >>> 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked >>> with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, >>> 'force': True, 'sssd': True, 'hostname': None, 'permit': False, >>> 'server': None, 'prompt_password': False, 'realm_name': None, >>> 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server': >>> None, 'mkhomedir': False, 'unattended': None, 'principal': None} >>> 2011-03-04 15:08:58,726 DEBUG missing options might be asked for >>> interactively later >>> >>> 2011-03-04 15:08:58,726 DEBUG Loading Index file from >>> '/var/lib/ipa-client/sysrestore/sysrestore.index' >>> 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)] >>> 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb] >>> 2011-03-04 15:08:58,729 DEBUG [ipacheckldap] >>> 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget >>> -O /tmp/tmp7MhOze/ca.crt >>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt >>> 2011-03-04 15:08:58,736 DEBUG stdout= >>> 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58-- >>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt >>> Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2 >>> Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected. >>> HTTP request sent, awaiting response... 200 OK >>> Length: 1321 (1.3K) [application/x-x509-ca-cert] >>> Saving to: `/tmp/tmp7MhOze/ca.crt' >>> >>> 0K . 
100% >>> 237M=0s >>> >>> 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved >>> [1321/1321] >>> >>> >>> 2011-03-04 15:08:58,736 DEBUG Init ldap with: >>> ldap://fed14-64-ipam001.ipa.ac.nz:389 >>> 2011-03-04 15:08:58,749 DEBUG Search rootdse >>> 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in >>> dc=ipa,dc=ac,dc=nz(base) >>> 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz', >>> {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject', >>> 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain': >>> ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})] >>> 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer) >>> in dc=ipa,dc=ac,dc=nz(sub) >>> 2011-03-04 15:08:58,753 DEBUG Found: >>> [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees': >>> ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes': >>> ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', >>> 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', >>> 'krbticketpolicyaux'], 'krbSearchScope': ['2'], >>> 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', >>> 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', >>> 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', >>> 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', >>> 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], >>> 'krbMaxRenewableAge': ['604800']})] >>> 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz >>> >>> 2011-03-04 15:08:58,753 DEBUG will use server: >>> fed14-64-ipam001.ipa.ac.nz >>> >>> 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ >>> >>> 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz >>> >>> 2011-03-04 15:09:04,645 DEBUG will use principal: admin >>> >>> 2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt >>> 
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt >>> 2011-03-04 15:09:04,659 DEBUG stdout= >>> 2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04-- >>> http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt >>> Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2 >>> Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected. >>> HTTP request sent, awaiting response... 200 OK >>> Length: 1321 (1.3K) [application/x-x509-ca-cert] >>> Saving to: `/etc/ipa/ca.crt' >>> >>> 0K . 100% >>> 249M=0s >>> >>> 2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321] >>> >>> >>> 2011-03-04 15:09:11,665 DEBUG args=kinit admin at IPA.AC.NZ >>> 2011-03-04 15:09:11,665 DEBUG stdout=Password for admin at IPA.AC.NZ: >>> >>> 2011-03-04 15:09:11,665 DEBUG stderr= >>> 2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s >>> fed14-64-ipam001.ipa.ac.nz >>> 2011-03-04 15:09:13,931 DEBUG stdout= >>> 2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined. >>> >>> 2011-03-04 15:09:13,937 DEBUG args=kdestroy >>> 2011-03-04 15:09:13,937 DEBUG stdout= >>> 2011-03-04 15:09:13,937 DEBUG stderr= >>> 2011-03-04 15:09:13,937 DEBUG Backing up system configuration file >>> '/etc/ipa/default.conf' >>> 2011-03-04 15:09:13,938 DEBUG -> Not backing up - >>> '/etc/ipa/default.conf' doesn't exist >>> 2011-03-04 15:09:13,938 DEBUG Backing up system configuration file >>> '/etc/sssd/sssd.conf' >>> 2011-03-04 15:09:13,938 DEBUG Saving Index File to >>> '/var/lib/ipa-client/sysrestore/sysrestore.index' >>> 2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A >>> -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt >>> 2011-03-04 15:09:14,012 DEBUG stdout= >>> 2011-03-04 15:09:14,012 DEBUG stderr= >>> 2011-03-04 15:09:14,012 DEBUG Backing up system configuration file >>> '/etc/krb5.conf' >>> 2011-03-04 15:09:14,013 DEBUG Saving Index File to >>> '/var/lib/ipa-client/sysrestore/sysrestore.index' >>> 2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger 
status >>> 2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped >>> >>> 2011-03-04 15:09:14,104 DEBUG stderr= >>> 2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart >>> 2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED] >>> Starting certmonger: [ OK ] >>> >>> 2011-03-04 15:09:14,280 DEBUG stderr= >>> 2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list >>> 2011-03-04 15:09:14,295 DEBUG stdout=certmonger 0:off 1:off 2:off >>> 3:off 4:off 5:off 6:off >>> >>> 2011-03-04 15:09:14,295 DEBUG stderr= >>> 2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on >>> 2011-03-04 15:09:14,564 DEBUG stdout= >>> 2011-03-04 15:09:14,564 DEBUG stderr= >>> 2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb >>> -n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N >>> CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K >>> host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ >>> 2011-03-04 15:09:14,586 DEBUG stdout=Error >>> org.fedorahosted.certmonger.duplicate: Certificate at same location is >>> already used by request "20110303020539". >>> >>> 2011-03-04 15:09:14,586 DEBUG stderr= >>> 2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab >>> 2011-03-04 15:09:14,605 DEBUG stdout= >>> 2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be >>> canonicalized when creating default server principal name >>> >>> 2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate >>> -g /etc/ipa/.dns_update.txt >>> 2011-03-04 15:09:14,764 DEBUG stdout= >>> 2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may >>> have expired. >>> >>> 2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status >>> 2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running... 
>>> >>> 2011-03-04 15:09:14,827 DEBUG stderr= >>> 2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop >>> 2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [ OK ] >>> >>> 2011-03-04 15:09:14,856 DEBUG stderr= >>> 2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list >>> 2011-03-04 15:09:14,858 DEBUG stdout=nscd 0:off 1:off 2:on >>> 3:on 4:on 5:on 6:off >>> >>> 2011-03-04 15:09:14,858 DEBUG stderr= >>> 2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off >>> 2011-03-04 15:09:14,958 DEBUG stdout= >>> 2011-03-04 15:09:14,958 DEBUG stderr= >>> 2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd >>> --enablesssdauth --update >>> 2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [ OK ] >>> [ OK ] >>> >>> 2011-03-04 15:09:16,402 DEBUG stderr= >>> 2011-03-04 15:09:16,419 DEBUG args=getent passwd admin >>> 2011-03-04 15:09:16,419 DEBUG stdout= >>> 2011-03-04 15:09:16,419 DEBUG stderr= >>> 2011-03-04 15:09:17,424 DEBUG args=getent passwd admin >>> 2011-03-04 15:09:17,424 DEBUG stdout= >>> 2011-03-04 15:09:17,424 DEBUG stderr= >>> 2011-03-04 15:09:18,429 DEBUG args=getent passwd admin >>> 2011-03-04 15:09:18,429 DEBUG stdout= >>> 2011-03-04 15:09:18,429 DEBUG stderr= >>> 2011-03-04 15:09:19,432 DEBUG args=getent passwd admin >>> 2011-03-04 15:09:19,432 DEBUG stdout= >>> 2011-03-04 15:09:19,432 DEBUG stderr= >>> 2011-03-04 15:09:20,435 DEBUG args=getent passwd admin >>> 2011-03-04 15:09:20,436 DEBUG stdout= >>> 2011-03-04 15:09:20,436 DEBUG stderr= >>> 2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5 >>> --update --nostart >>> 2011-03-04 15:09:22,303 DEBUG stdout= >>> 2011-03-04 15:09:22,303 DEBUG stderr= >>> 2011-03-04 15:09:22,303 DEBUG Backing up system configuration file >>> '/etc/ntp.conf' >>> 2011-03-04 15:09:22,304 DEBUG Saving Index File to >>> '/var/lib/ipa-client/sysrestore/sysrestore.index' >>> 2011-03-04 15:09:22,305 DEBUG Backing up system configuration file >>> '/etc/sysconfig/ntpd' >>> 2011-03-04 
15:09:22,305 DEBUG Saving Index File to >>> '/var/lib/ipa-client/sysrestore/sysrestore.index' >>> 2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on >>> 2011-03-04 15:09:22,398 DEBUG stdout= >>> 2011-03-04 15:09:22,398 DEBUG stderr= >>> 2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart >>> 2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [ OK ] >>> Starting ntpd: [ OK ] >>> >>> 2011-03-04 15:09:22,537 DEBUG stderr= >>> ============ >>> >>> regards >>> >>> On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote: >>>> On Tue, 8 Mar 2011 19:05:45 -0500 (EST) >>>> Stephen Gallagher wrote: >>>> >>>>> >>>>> On Mar 8, 2011, at 5:45 PM, Steven Jones >>>>> wrote: >>>>> >>>>>> Keytab name: WRFILE:/etc/krb5.keytab >>>>>> KVNO Principal >>>>>> ---- >>>>>> -------------------------------------------------------------------------- >>>>>> >>>>>> 8><--------- >>>>>>> >>>>>>> >>>>>>> >>>>> Looks like you have no host key in the keytab. That's the root of the >>>>> problem. Seems like IPA-client-install failed to populate it. Rob, do >>>>> you have any insight here? >>>> does /var/log/ipaclient-install.log show any error ? >>>> >>>> Simo. >>>> >>>> -- >>>> Simo Sorce * Red Hat, Inc * New York >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Wed Mar 9 19:45:20 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Mar 2011 08:45:20 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D76A95E.200@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <4D6DCA89.3080808@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB73C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB799@STAWINCOEXMAIL1.staff.vuw.ac.nz>

I have set up a 2nd client; I have the same result....but it looks like the keytab is correct? However, LDAP logins still don't work...
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
   1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
   1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
   1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ

regards

On Tue, 2011-03-08 at 17:10 -0500, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/08/2011 04:40 PM, Steven Jones wrote:
> > On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
> >> Steven Jones wrote:
> >>> 8><------
> >>>
> >>>
> >>> So how do I fault find? Where do I start?
> >>>
> >>> ie Where do I start to look to determine why a user cannot login to a
> >>> client via freeipa?
> >>>
> >>> How can I be more clear? Because so far the replies have been not very
> >>> productive.
> >>>
> >>> regards
> >>>
> >>>
> >>
> >> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
> >> sssd, and try your login again. Look
> >> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
> >>
> >> Your uid/gid will likely differ.
> >>
> >> # getent passwd admin
> >> admin:*:264200000:264200000:Administrator:/home/admin:/bin/bash
> >> # id admin
> >> uid=264200000(admin) gid=264200000(admins) groups=264200000(admins)
> >> # getent group admins
> >> admins:*:264200000:admin
> >> # finger admin
> >> Login: admin Name: Administrator
> >> Directory: /home/admin Shell: /bin/bash
> >> Never logged in.
> >> No mail.
> >> No Plan.
> >
> > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
> > [sss_krb5_verify_keytab_ex] (0): Principal
> > [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab
> > [default]
> > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> > Could not verify keytab
> > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> > (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
> > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
> > fatal error initializing data providers
> > (Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> > initialize backend [14]
> > (Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
> > [sss_krb5_verify_keytab_ex] (0): Principal
> > [host/fed14-64-ipacl01.ipa.ac.nz at IPA.AC.NZ] not found in keytab
> > [default]
>
>
> Well, here's your problem. The SSSD isn't starting up successfully
> because you don't have a host principal for this server in your
> /etc/krb5.keytab file. This was probably a bug in the ipa-client-install.
>
> What does
> klist -k /etc/krb5.keytab
> return to you?
>
> - --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk12qV4ACgkQeiVVYja6o6OH/gCfabjbwcx/WSookcjKPXeq9N70
> HpgAn3gj78oH0CW/WKS0F6X1Whvx/Wai
> =R7BT
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From sgallagh at redhat.com Wed Mar 9 19:51:00 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 09 Mar 2011 14:51:00 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB799@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz>
<61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB799@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D77DA24.7000604@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/09/2011 02:45 PM, Steven Jones wrote:
> I have set up a 2nd client; I have the same result....but it looks like
> the keytab is correct? However, LDAP logins still don't work...
>
>
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
>    1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
>    1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
>    1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
>
>

Could you please check the SSSD debug logs on that machine as well? It
may be a different problem now.

- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk132iQACgkQeiVVYja6o6PMmwCfZutW0kF3eZKT9l9ZSs0gh0Zo
x+gAnRtixQjNA8cZcZRZE0AQjxP38SdN
=PBNu
-----END PGP SIGNATURE-----

From Steven.Jones at vuw.ac.nz Wed Mar 9 20:09:43 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Mar 2011 09:09:43 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D77D814.1040701@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com> <20110308192844.4f7d60ff@willson.li.ssimo.org> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB791@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D770227.2000900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB796@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D77D814.1040701@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB79A@STAWINCOEXMAIL1.staff.vuw.ac.nz>

On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
> On 03/09/2011 02:21 PM, Steven Jones wrote:
> > Hi,
> >
> > I had/have already done the uninstall...and re-install.
> >
> > Also I registered a brand new 2nd client...that hasn't worked
> > either......
> >
> How did you create the host record for it on the server?
>

I didn't, I ran ipa-client-install from the client....

I have just run with the --uninstall flag and then re-run and it's
failing as the client record was not removed...

"Joining realm failed: Host is already joined"

So the un-install script/flag isn't removing the client/host

regards

From Steven.Jones at vuw.ac.nz Wed Mar 9 20:16:06 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Mar 2011 09:16:06 +1300
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D77DA24.7000604@redhat.com>
References: <4D6C0EA5.3040708@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB747@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB799@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D77DA24.7000604@redhat.com>
Message-ID: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB79B@STAWINCOEXMAIL1.staff.vuw.ac.nz>

Hi,

I have gone into the webgui and manually removed the no1 client/host, it
has now joined successfully...

So Yes, the next issue....
regards

On Wed, 2011-03-09 at 14:51 -0500, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/09/2011 02:45 PM, Steven Jones wrote:
> > I have set up a 2nd client; I have the same result....but it looks like
> > the keytab is correct? However, LDAP logins still don't work...
> >
> >
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
> >    1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
> >    1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
> >    1 host/fed14-64-ipacl02.ipa.ac.nz at IPA.AC.NZ
> >
> >
>
> Could you please check the SSSD debug logs on that machine as well? It
> may be a different problem now.
> - --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk132iQACgkQeiVVYja6o6PMmwCfZutW0kF3eZKT9l9ZSs0gh0Zo
> x+gAnRtixQjNA8cZcZRZE0AQjxP38SdN
> =PBNu
> -----END PGP SIGNATURE-----

From dpal at redhat.com Wed Mar 9 20:21:27 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 09 Mar 2011 15:21:27 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB79A@STAWINCOEXMAIL1.staff.vuw.ac.nz>
References: <4D6C0EA5.3040708@redhat.com> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com>
<61DF826607311A4EBE75A77ED59E4CDE5C81BEB78E@STAWINCOEXMAIL1.staff.vuw.ac.nz> <9599D99A-7291-4695-B4B8-EDF4F78D0827@redhat.com> <20110308192844.4f7d60ff@willson.li.ssimo.org> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB791@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D770227.2000900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB796@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D77D814.1040701@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB79A@STAWINCOEXMAIL1.staff.vuw.ac.nz>
Message-ID: <4D77E147.5040907@redhat.com>

On 03/09/2011 03:09 PM, Steven Jones wrote:
> On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
>> On 03/09/2011 02:21 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> I had/have already done the uninstall...and re-install.
>>>
>>> Also I registered a brand new 2nd client...that hasn't worked
>>> either......
>>>
>> How did you create the host record for it on the server?
>>
>
> I didn't, I ran ipa-client-install from the client....
>
> I have just run with the --uninstall flag and then re-run and it's
> failing as the client record was not removed...
>
> "Joining realm failed: Host is already joined"
>
> So the un-install script/flag isn't removing the client/host

We have a bug where it does not remove the keytab on the client. It is
addressed but has not yet been in the build you are using.

When you uninstall, the machine tries to remove its keytab from the server
(if it is accessible). If the server is not accessible for whatever reason
you have to clean the keytab on the host entry manually, either via the ipa
host commands or via ipa-rmkeytab remotely. The actual entry is not removed.

1) Run uninstall on the client
2) Make sure that the host entry is clean. Remove it on the server and
re-add again.
3) Remove the keytab file and cert on the client (these bugs are fixed
https://fedorahosted.org/freeipa/ticket/1028
https://fedorahosted.org/freeipa/ticket/1029)
4) Install client again

Everything should work.
If not please send us the logs.
> regards > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Wed Mar 9 21:47:28 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 09 Mar 2011 16:47:28 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <61DF826607311A4EBE75A77ED59E4CDE5C81BEB79B@STAWINCOEXMAIL1.staff.vuw.ac.nz> References: <4D6C0EA5.3040708@redhat.com> <4D6FA200.3090206@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB750@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D6FEC84.7060201@redhat.com> <4D7022C4.4000409@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB771@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB773@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7516DD.7090002@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB784@STAWINCOEXMAIL1.staff.vuw.ac.nz> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB787@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D764263.5010900@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78A@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D7696A5.6050100@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB78C@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D76A95E.200@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB799@STAWINCOEXMAIL1.staff.vuw.ac.nz> <4D77DA24.7000604@redhat.com> <61DF826607311A4EBE75A77ED59E4CDE5C81BEB79B@STAWINCOEXMAIL1.staff.vuw.ac.nz> Message-ID: <4D77F570.30201@redhat.com> Steven Jones wrote: > Hi, > > I have gone into the webgui and manually removed the no1 client/host, it > has now joined successfully... > > So Yes, the next issue.... > > regards > I'm going to try to consolidate a few things here from some other responses. 
* You do not need to pre-create the host in order to enroll it using
  kerberos credentials. It is ok if the host already exists but not
  absolutely required.

* When a host is unenrolled it uses its own credentials (the service
  principal in /etc/krb5.keytab, host/client.example.com at EXAMPLE.COM)
  to authenticate to IPA and say "I'm done with these credentials." If
  you lack this principal it cannot authenticate to IPA to say "I'm done
  with these credentials." If a keytab was actually created for this host
  and the contents are lost then you will need to manually free it up for
  enrollment again either with:

  # ipa host-disable client.example.com

  or

  # ipa host-del client.example.com

  You can see if a keytab was issued with:

  # ipa host-show client.example.com

  Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to
  tracking SSL certificates and 1029 only applies if you used the
  --hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a
  specific host or realm from a keytab file. It has no effect on the
  server at all.

regards

rob

From Steven.Jones at vuw.ac.nz Wed Mar 9 22:35:24 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 Mar 2011 22:35:24 +0000
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D77E147.5040907@redhat.com>
Message-ID: <1299710124.25549.1.camel@8KXL72S.vuw.ac.nz>

8><-------

> 4) Install client again
>
> Everything should work.
> If not please send us the logs.

Not sure which logs as I'm losing track of so many
suggestions/threads....but,

On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is
zero length....

I just tried to add a local user and set a password and I'm getting

"passwd: Authentication token manipulation error"

regards

From Steven.Jones at vuw.ac.nz Wed Mar 9 22:50:02 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 Mar 2011 22:50:02 +0000
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D77F570.30201@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40E4A8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Ok,

However I can't LDAP/IPA authenticate still....on either client..........

So what next?

regards

Steven
From Steven.Jones at vuw.ac.nz Wed Mar 9 23:05:16 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 9 Mar 2011 23:05:16 +0000
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <1299710124.25549.1.camel@8KXL72S.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40E6CF@STAWINCOX10MBX1.staff.vuw.ac.nz>

I rebooted both clients and after the reboot they now do IPA
authentication......

So client1 we did some work on and it wouldn't work until a
reboot....client2 I did nothing to until I rebooted.....then that also
worked....

So I will make a third client and try that....

Are there rpms & scripts for a rhel6ws? I could try that as well...also
RHEL5....

regards
From rcritten at redhat.com Wed Mar 9 23:15:18 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 09 Mar 2011 18:15:18 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40E4A8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D780A06.5070206@redhat.com>

Steven Jones wrote:
> Ok,
>
> However I can't LDAP/IPA authenticate still....on either client..........
>
> So what next?

sssd handles logins, you can try turning up the log level on that (though
I suspect it wasn't the reboot that fixed this but restarting sssd).

As part of ipa-client-install sssd is restarted and tested via 'getent
passwd admin'. This should be visible in /var/log/ipaclient-install.log.
Did this command succeed?

rob

From ssorce at redhat.com Thu Mar 10 15:10:18 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 10 Mar 2011 10:10:18 -0500 (EST)
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D780A06.5070206@redhat.com>
Message-ID: <665916649.366782.1299769818103.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> Steven Jones wrote:
> > Ok,
> >
> > However I can't LDAP/IPA authenticate still....on either
> > client..........
> >
> > So what next?
>
> sssd handles logins, you can try turning up the log level on that
> (though I suspect it wasn't the reboot that fixed this but restarting
> sssd).

If sssd was never used before then what was needed was a restart of the
services using it (sshd, gdm), as nsswitch.conf is never re-read by
glibc; you can't use the new users until those services are restarted
after nsswitch.conf is modified.

I think we also offer to restart the client after ipa-client-install
exactly as a way to restart all services that may depend on picking up
this change. That reboot is not necessary if you manually restart all
services after that, but if you don't then you had better do a reboot as
we suggest.

> As part of ipa-client-install sssd is restarted and tested via 'getent
> passwd admin'. This should be visible in
> /var/log/ipaclient-install.log.
> Did this command succeed?

Even if this succeeds, authentication via gdm or ssh can still fail
until the services are restarted.

Just pointing out this fact as a help point for other users testing
ipa-client-install in future.
Simo.

--
Simo Sorce * Red Hat, Inc. * New York

From sgallagh at redhat.com Thu Mar 10 15:31:25 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 10 Mar 2011 10:31:25 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <665916649.366782.1299769818103.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>
Message-ID: <4D78EECD.4030706@redhat.com>

On 03/10/2011 10:10 AM, Simo Sorce wrote:
> If sssd was never used before then what was needed was a restart of
> the services using it (sshd, gdm), as nsswitch.conf is never re-read
> by glibc, you can't use the new users until those services are
> restarted after nsswitch.conf is modified.
>
> Even if this succeeds, authentication via gdm or ssh can still fail
> until the services are restarted.
>
> Just pointing out this fact as a help point for other users testing
> ipa-client-install in future.

FYI, while this might be an issue for sshd, GDM actually has a workaround
for this and doesn't need a restart.
GDM just forks and exec's the 'id' command instead of calling getpwent
directly.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From rcritten at redhat.com Thu Mar 10 20:52:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Mar 2011 15:52:14 -0500
Subject: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 3 Release
Message-ID: <4D7939FE.8070100@redhat.com>

To all freeipa-interest, freeipa-users and freeipa-devel list members,

The FreeIPA project team is pleased to announce the availability of the
Release Candidate 3 release of freeIPA 2.0 server [1]. This should be
the last release candidate, becoming the final release if no critical
problems are found.

* Binaries are available for F-14 and F-15.
* Please do not hesitate to share feedback, criticism or bugs with us on
  our mailing list: freeipa-users at redhat.com

Main Highlights of the Release Candidate.

This release consists primarily of bug fixes and polish across all areas
of the project. Modifications include but are not limited to
* i18n improvements
* Fixed the self-service page in the WebUI
* Use TLS for CA replication
* Setting up Winsync agreements has been fixed

Focus of the Release Candidate Testing
* There was a Fedora test day for FreeIPA on Feb 15th [2]. These tests
  are still relevant and feedback would be appreciated. We are
  particularly interested to know if there are any problems setting up
  replication.
* The following section outlines the areas that we are mostly interested
  to test [3].

Significant Changes Since RC 2
To see all the tickets addressed since the rc2 release see [5].
Repositories and Installation
* Use the following link to install the RC 3 packages [4].
* FreeIPA relies on the latest versions of the packages currently
  available from the updates-testing repository. Please make sure to
  enable this repository before you proceed with installation.

Known Issues:
* Installing IPA on Fedora-15 works but can take more time than Fedora 14
  due to systemd. It is not recognizing some restarts as being successful
  so only continues after a 3-minute timeout. We are working on a
  solution.

Thank you,
The FreeIPA development team

[1] http://www.freeipa.org/page/Downloads
[2] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
[3] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
[4] http://freeipa.org/downloads/freeipa-devel.repo
[5] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29

Detailed Changelog

Adam Young (7):
* Revert "Set hard limit on number of commands in batch request to 256."
* update API.txt
* Use modified entity find commands for associations
* fix truncated message
* typo in truncation message
* typo in default text
* Better truncated message

Endi S. Dewata (13):
* Removed association facets based on memberofindirect.
* Replaced SUDO with Sudo in UI test data.
* Fixed attribute for SUDO command group membership.
* Save changes before modifying association.
* Fixed host enrollment time
* Fixed memory leak caused by IPA.dialog.
* Fixed memory leak caused by is_dirty dialogs.
* Fixed memory leak caused by reset password dialog.
* Fixed memory leak caused by DNS record adder dialog.
* Fixed memory leak caused by DNS record deleter dialog.
* Fixed memory leak caused by IPA.error_dialog.
* Fixed memory leak caused by certificate dialogs.
* Fixed self service page.
John Dennis (1):
* Add Transifex tx client configuration file

Martin Kosek (4):
* IPA replica/server install does not check for a client
* Inconsistent sysrestore file handling by IPA server installer
* Improve error handling and return status codes in ipactl
* ipa-dns-install script fails

Pavel Zuna (10):
* Remove deprecated i18n code from ipalib/request and all references to it.
* Send Accept-Language header over XML-RPC and translate on server.
* Fallback to default locale (en_US) if env. setting is corrupt.
* Translate docstrings.
* Fix translatable strings in ipalib plugins.
* Fix i18n related failures in unit tests.
* Use pygettext to generate translatable strings from plugin files.
* Final i18n unit test fixes.
* Fix error in user plugin email normalizer for empty --setattr=email=.
* Use ldapi: instead of unsecured ldap: in ipa core tools.

Rob Crittenden (12):
* Set SuiteSpotGroup when setting up our 389-ds instances.
* Use Sudo rather than SUDO as a label.
* Replace only if old and new have nothing in common
* Need to restart the dogtag 388-ds instance before using it.
* Skip DNS validation checks if we're setting up DNS in ipa-server-install.
* Fix style and grammatical issues in built-in command help.
* Update API to reflect doc change in force parameter in dnszone_add
* Always try to stop tracking the server cert when uninstalling client.
* If --hostname is provided for ipa-client-install use it everywhere.
* chkconfig the ipa service off when it is uninstalled.
* Use TLS for dogtag replication agreements.
* Become IPA v2 RC 3 (2.0.0.rc3)

Simo Sorce (9):
* Set the loginShell attribute on winsynced entries if configured
* Fix winsync agreements setup
* Unbreak the ipa winsync plugin.
* Fix user synchronization.
* Make activated/inactivated groups optional
* Use wrapper for sasl gssapi binds so it behaves like other binds
* Fix replica setup using replication admin kerberos credentials
* Fix kinit invocation in ipa-client-install
* Store list of non-master replicas in DIT and provide way to list them

From Steven.Jones at vuw.ac.nz Thu Mar 10 22:06:14 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Mar 2011 22:06:14 +0000
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <4D78EECD.4030706@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40010A73@STAWINCOX10MBX1.staff.vuw.ac.nz>

While installing my third client selinux popped up a warning it was
blocking access to krb5....so I'm wondering if the reason the install of
the client is failing is due to selinux?

regards
From Steven.Jones at vuw.ac.nz Thu Mar 10 22:17:35 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Mar 2011 22:17:35 +0000
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40010A73@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40010ABF@STAWINCOX10MBX1.staff.vuw.ac.nz>

third client won't authenticate either....

So I guess it's a problem around the install script if not selinux

regards
From Steven.Jones at vuw.ac.nz Thu Mar 10 22:37:22 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 10 Mar 2011 22:37:22 +0000
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40010ABF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40010AE2@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have run the uninstall script and it won't delete the client in the
ipa system, so again I had to delete it via the web gui....I will try
re-installing.

A release candidate?

I don't see how....for me a release candidate should pretty much work
with the odd bug in an "odd" area....this is still like alpha....major
functionality failure, as personally I class being unable to do the very
first thing you need to do as a major failure.....

regards
From dpal at redhat.com Thu Mar 10 22:58:30 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 10 Mar 2011 17:58:30 -0500
Subject: [Freeipa-users] Unable to authenticate a client user against IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40010AE2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D795796.8020401@redhat.com>

On 03/10/2011 05:37 PM, Steven Jones wrote:
> I have run the uninstall script and it won't delete the client in the
> ipa system, so again I had to delete it via the web gui....I will try
> re-installing.
>
> A release candidate?
>
> I don't see how....for me a release candidate should pretty much work
> with the odd bug in an "odd" area....this is still like alpha....major
> functionality failure, as personally I class being unable to do the
> very first thing you need to do as a major failure.....
>
> regards
>

Steve,

Sorry but it looks like you are doing something wrong over and over
again or there is something mis-configured in your environment.

We are executing tests every day with new and old machines, bare metal
and VMs. And everything works, so there is definitely something specific
to your environment which is different. Maybe it is DNS or NTP or
something like that. We do not know. Maybe it is a bug that we do not
hit because we do not run things in the sequence you run or with the
configuration you use.

You write a lot of mails to us but few contain any substantial
information about your setup. To troubleshoot we need logs. There are
all sorts of logs and configuration files on the server and on the
client. You do not include them in your emails. How do you think we can
troubleshoot the problems?

If you want us to help please include more detailed information.

I am really sorry that you are experiencing the issues and spending that
much time but I do not see a way to help you since we do not have
sufficient information to do the troubleshooting.
We will be happy to help you as soon as you provide such information. Thank you, Dmitri -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Thu Mar 10 23:30:54 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 10 Mar 2011 23:30:54 +0000 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D795796.8020401@redhat.com> References: <665916649.366782.1299769818103.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>, <4D78EECD.4030706@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40010A73@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40010ABF@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40010AE2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D795796.8020401@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40010B45@STAWINCOX10MBX1.staff.vuw.ac.nz> My problem is "To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client." Thats just it.....I dont know where to look.....its simply not documented....so what I need is for someone to tell me what logs you need....and how to make the system log reliably...... for instance debug_level = 9 in the sssd.conf still produces 0 length logs on client1....so there is nothing to report.... It may well be my problems stems from trying to use RHEL6 svr and KVM with fedora 14 clients inside it which I am finding very flaky....I may need to blow it away and move the test bed to vmware ESXi..... Or maybe indeed I am serially doing something wrong..... I am trying again to setup client 3, what selinux is telling me is ipa-submit is trying to open krb5.keytab.... I will test and maybe turn selinux off, if i can figur eout how! regards Steven Steve, Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment. 
We are executing tests every day with new and old machines bare metal and VMs. And everything works so there is definitely something specific to your environment which is different. May be it is DNS or NTP or something like. We do not know. May be it is a bug that we do not hit because we do not run things in the sequence you run or with configuration you use. You write a lot of mails to us but few contain any substantial information about your setup. To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client. You do not include them in your emails. How do you think we can troubleshoot the problems? If you want us to help please include more detailed information. I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting. We will be happy to help you as soon as you provide such information. Thank you, Dmitri From Steven.Jones at vuw.ac.nz Fri Mar 11 00:13:40 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Fri, 11 Mar 2011 00:13:40 +0000 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D795796.8020401@redhat.com> References: <665916649.366782.1299769818103.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>, <4D78EECD.4030706@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40010A73@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40010ABF@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40010AE2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D795796.8020401@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40010B5C@STAWINCOX10MBX1.staff.vuw.ac.nz> Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.AC .NZ] not found in keytab [default] (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Fri Mar 
11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id _init)! (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.A C.NZ] not found in keytab [default] (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id _init)! (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14] [root at Fed14-64-ipacl03 sssd]# ======================== root at Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ [root at Fed14-64-ipacl03 sssd]# ? regards ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: Friday, 11 March 2011 11:58 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA On 03/10/2011 05:37 PM, Steven Jones wrote: > I have run the in-install script and it wont delete the client in the ipa system, so again I had to delete it via the web gui....I will try re-installing. > > A release candidate? 
> > I dont see how....for me a release candidate should pretty much work with the odd bug in an "odd" area....this is still like alpha....major functionality failure, as personally I class being unable to do the very first thing you need to do as a major failure..... > > regards > Steve, Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment. We are executing tests every day with new and old machines bare metal and VMs. And everything works so there is definitely something specific to your environment which is different. May be it is DNS or NTP or something like. We do not know. May be it is a bug that we do not hit because we do not run things in the sequence you run or with configuration you use. You write a lot of mails to us but few contain any substantial information about your setup. To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client. You do not include them in your emails. How do you think we can troubleshoot the problems? If you want us to help please include more detailed information. I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting. We will be happy to help you as soon as you provide such information. 
Thank you, Dmitri From dpal at redhat.com Fri Mar 11 00:14:42 2011 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 10 Mar 2011 19:14:42 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40010B45@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <665916649.366782.1299769818103.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>, <4D78EECD.4030706@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40010A73@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40010ABF@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40010AE2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D795796.8020401@redhat.com> <833D8E48405E064EBC54C84EC6B36E40010B45@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D796972.6070004@redhat.com> On 03/10/2011 06:30 PM, Steven Jones wrote: > My problem is "To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client." > > Thats just it.....I dont know where to look.....its simply not documented....so what I need is for someone to tell me what logs you need....and how to make the system log reliably...... for instance debug_level = 9 in the sssd.conf still produces 0 length logs on client1....so there is nothing to report.... > > It may well be my problems stems from trying to use RHEL6 svr and KVM with fedora 14 clients inside it which I am finding very flaky....I may need to blow it away and move the test bed to vmware ESXi..... > > Or maybe indeed I am serially doing something wrong..... > > I am trying again to setup client 3, what selinux is telling me is ipa-submit is trying to open krb5.keytab.... > > I will test and maybe turn selinux off, if i can figur eout how! > > regards > > Steven > > > > Steve, > > Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment. > We are executing tests every day with new and old machines bare metal and VMs. 
> And everything works so there is definitely something specific to your environment which is different. > May be it is DNS or NTP or something like. We do not know. May be it is a bug that we do not hit because we do not run things in the sequence you run or with configuration you use. > > You write a lot of mails to us but few contain any substantial information about your setup. > To troubleshoot we need logs. > There are all sorts of logs and configuration files on the server and on the client. > You do not include them in your emails. > How do you think we can troubleshoot the problems? > > If you want us to help please include more detailed information. > I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting. > > We will be happy to help you as soon as you provide such information. > > > Thank you, > Dmitri > I plan to play with the installation tomorrow morning. I will send you the fill list of the config and log files from both sides. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From dpal at redhat.com Fri Mar 11 00:26:03 2011 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 10 Mar 2011 19:26:03 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40010B45@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <665916649.366782.1299769818103.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>, <4D78EECD.4030706@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40010A73@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40010ABF@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40010AE2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D795796.8020401@redhat.com> <833D8E48405E064EBC54C84EC6B36E40010B45@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D796C1B.7010007@redhat.com> On 03/10/2011 06:30 PM, Steven Jones wrote: > My problem is "To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client." On the client: Config: 1) /etc/sssd/sssd.conf 2) /etc/pam.d/system-auth-ac 3) /etc/nsswitch.conf Logs /var/log/sssd The most interesting one is sssd_default.log but you can include all of them. /var/log/ipaclient-install.log /var/log/ipaclient-uninstall.log On the server there are all sorts of logs in the /var/log and under the directories. Dirsrv for DS, http for apache etc. Do not have the directory in front of me. Make sure that the versions of the packages are latest and match each other on both sides. Make sure the time is in synch. Make sure that names are resolvable if you are not using IPA with the embedded DNS. It makes sense to reboot machine after installing and configuring SSSD. Test a user on the server first make sure you can authenticate and he has a valid password. Include the commands you used to install the server and the client in the mail. Good luck! 
Thanks Dmitri > Thats just it.....I dont know where to look.....its simply not documented....so what I need is for someone to tell me what logs you need....and how to make the system log reliably...... for instance debug_level = 9 in the sssd.conf still produces 0 length logs on client1....so there is nothing to report.... > > It may well be my problems stems from trying to use RHEL6 svr and KVM with fedora 14 clients inside it which I am finding very flaky....I may need to blow it away and move the test bed to vmware ESXi..... > > Or maybe indeed I am serially doing something wrong..... > > I am trying again to setup client 3, what selinux is telling me is ipa-submit is trying to open krb5.keytab.... > > I will test and maybe turn selinux off, if i can figur eout how! > > regards > > Steven > > > > Steve, > > Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment. > We are executing tests every day with new and old machines bare metal and VMs. > And everything works so there is definitely something specific to your environment which is different. > May be it is DNS or NTP or something like. We do not know. May be it is a bug that we do not hit because we do not run things in the sequence you run or with configuration you use. > > You write a lot of mails to us but few contain any substantial information about your setup. > To troubleshoot we need logs. > There are all sorts of logs and configuration files on the server and on the client. > You do not include them in your emails. > How do you think we can troubleshoot the problems? > > If you want us to help please include more detailed information. > I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting. > > We will be happy to help you as soon as you provide such information. 
> > > Thank you, > Dmitri > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From ssorce at redhat.com Fri Mar 11 00:48:50 2011 From: ssorce at redhat.com (Simo Sorce) Date: Thu, 10 Mar 2011 19:48:50 -0500 (EST) Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40010B5C@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <873947094.376932.1299804530431.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> ----- Original Message ----- > Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] > [sss_krb5_verify_keytab_ex] (0): Principal > [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.AC > .NZ] not found in keytab [default] > (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): > Could not verify keytab > (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] > (0): Error (14) in module (ipa) initialization (sssm_ipa_id > _init)! > (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] > (0): fatal error initializing data providers > (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not > initialize backend [14] > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] > [sss_krb5_verify_keytab_ex] (0): Principal > [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.A > C.NZ] not found in keytab [default] > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): > Could not verify keytab > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] > (0): Error (14) in module (ipa) initialization (sssm_ipa_id > _init)! 
> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] > (0): fatal error initializing data providers > (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not > initialize backend [14] > [root at Fed14-64-ipacl03 sssd]# > > ======================== > root at Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab > Keytab name: WRFILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------------------- > 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ > 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ > 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ > 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ > [root at Fed14-64-ipacl03 sssd]# > > ? > Caught Steven on IRC, this was a case of hostname being mixed case, which confuses kerberos libraries as they are case-sensitive and expect all lowercase names for hosts. This would not have been a problem if sssd just used the first key in the keytab instead of trying to guess the principal name in advance. (Yeah being stingy, no pressure Stephen :-) Simo. -- Simo Sorce * Red Hat, Inc. 
* New York From sgallagh at redhat.com Fri Mar 11 09:37:49 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 11 Mar 2011 04:37:49 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40010B45@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <665916649.366782.1299769818103.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>, <4D78EECD.4030706@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40010A73@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40010ABF@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40010AE2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D795796.8020401@redhat.com> <833D8E48405E064EBC54C84EC6B36E40010B45@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D79ED6D.9070209@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/10/2011 06:30 PM, Steven Jones wrote: > My problem is "To troubleshoot we need logs. There are all sorts of > logs and configuration files on the server and on the client." > > Thats just it.....I dont know where to look.....its simply not > documented....so what I need is for someone to tell me what logs you > need....and how to make the system log reliably...... for instance > debug_level = 9 in the sssd.conf still produces 0 length logs on > client1....so there is nothing to report.... > If that's happening, then it likely means that SSSD was never started (or not restarted after adding debug_level=9; SSSD doesn't autodetect this change). Please try 'service sssd restart' > It may well be my problems stems from trying to use RHEL6 svr and KVM > with fedora 14 clients inside it which I am finding very flaky....I > may need to blow it away and move the test bed to vmware ESXi..... > > Or maybe indeed I am serially doing something wrong..... > > I am trying again to setup client 3, what selinux is telling me is > ipa-submit is trying to open krb5.keytab.... 
> > I will test and maybe turn selinux off, if i can figur eout how! > As root, run 'setenforce 0'. This will set SELinux into "permissive" mode. It will still report SELinux errors, but it won't prevent the functionality. Please keep an eye on any such errors and report them to us. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk157WkACgkQeiVVYja6o6M3oACeIb9tbVL8A7PMWcbrqfQedykZ cnUAoJGIa9lvGbPJbg1fecogYYwU4VWk =E+gl -----END PGP SIGNATURE----- From sgallagh at redhat.com Fri Mar 11 09:39:52 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Fri, 11 Mar 2011 04:39:52 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <4D796C1B.7010007@redhat.com> References: <665916649.366782.1299769818103.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com>, <4D78EECD.4030706@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40010A73@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E40010ABF@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40010AE2@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D795796.8020401@redhat.com> <833D8E48405E064EBC54C84EC6B36E40010B45@STAWINCOX10MBX1.staff.vuw.ac.nz> <4D796C1B.7010007@redhat.com> Message-ID: <4D79EDE8.7020507@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/10/2011 07:26 PM, Dmitri Pal wrote: > On 03/10/2011 06:30 PM, Steven Jones wrote: >> My problem is "To troubleshoot we need logs. There are all sorts of >> logs and configuration files on the server and on the client." > On the client: > > Config: 1) /etc/sssd/sssd.conf 2) /etc/pam.d/system-auth-ac 3) > /etc/nsswitch.conf > > Logs /var/log/sssd The most interesting one is sssd_default.log but > you can include all of them. 
/var/log/ipaclient-install.log > /var/log/ipaclient-uninstall.log Just a correction, it wouldn't be sssd_default.log. It would be sssd_.log. The ipa-client doesn't set up the 'default' domain, it names it after the IPA domain. So it's possible you've been looking at the wrong log. (This could also explain your comment about zero-length logs earlier). Sorry for the confusion. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk157egACgkQeiVVYja6o6NMeQCfaq3Or5XENZp97ORVyRqE/awa h1QAniJllm1U19aSj3ryXPo3SbbqD5p+ =w27/ -----END PGP SIGNATURE----- From rcritten at redhat.com Fri Mar 11 14:49:36 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Mar 2011 09:49:36 -0500 Subject: [Freeipa-users] Unable to authenticate a client user against IPA In-Reply-To: <873947094.376932.1299804530431.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> References: <873947094.376932.1299804530431.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com> Message-ID: <4D7A3680.9070502@redhat.com> Simo Sorce wrote: > ----- Original Message ----- >> Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] >> [sss_krb5_verify_keytab_ex] (0): Principal >> [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.AC >> .NZ] not found in keytab [default] >> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): >> Could not verify keytab >> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] >> (0): Error (14) in module (ipa) initialization (sssm_ipa_id >> _init)! 
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] >> (0): fatal error initializing data providers >> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not >> initialize backend [14] >> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] >> [sss_krb5_verify_keytab_ex] (0): Principal >> [host/Fed14-64-ipacl03.ipa.ac.nz at IPA.A >> C.NZ] not found in keytab [default] >> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): >> Could not verify keytab >> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] >> (0): Error (14) in module (ipa) initialization (sssm_ipa_id >> _init)! >> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] >> (0): fatal error initializing data providers >> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not >> initialize backend [14] >> [root at Fed14-64-ipacl03 sssd]# >> >> ======================== >> root at Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab >> Keytab name: WRFILE:/etc/krb5.keytab >> KVNO Principal >> ---- >> -------------------------------------------------------------------------- >> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ >> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ >> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ >> 1 host/fed14-64-ipacl03.ipa.ac.nz at IPA.AC.NZ >> [root at Fed14-64-ipacl03 sssd]# >> >> ? >> > > Caught Steven on IRC, this was a case of hostname being mixed case, which confuses kerberos libraries as they are case-sensitive and expect all lowercase names for hosts. > > This would not have been a problem if sssd just used the first key in the keytab instead of trying to guess the principal name in advance. (Yeah being stingy, no pressure Stephen :-) > > Simo. > Simo, this probably explain why the keytab isn't disabled on the server when he uninstalls the client. I'll make sure that gets tested as part of ticket 1080. 
rob From sylvain.pannetrat at net-optima.fr Fri Mar 11 15:06:06 2011 From: sylvain.pannetrat at net-optima.fr (Sylvain PANNETRAT) Date: Fri, 11 Mar 2011 16:06:06 +0100 Subject: [Freeipa-users] Repository error Message-ID: <38ce516c05c12cefb4f9ee1f0793accc@192.168.111.251> Hello, I try to update a fedora 14 client, and get: http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz: [Errno -1] Metadata file does not match checksum After yum clean all, i get: freeipa-devel/primary | 8.8 kB 00:00 http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz: [Errno -1] Metadata file does not match checksum Essai d'un autre miroir. Erreur : failure: repodata/primary.xml.gz from freeipa-devel: [Errno 256] No more mirrors to try. What can I do ? Regards, Sylvain PANNETRAT -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Mar 11 15:15:25 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Mar 2011 10:15:25 -0500 Subject: [Freeipa-users] Repository error In-Reply-To: <38ce516c05c12cefb4f9ee1f0793accc@192.168.111.251> References: <38ce516c05c12cefb4f9ee1f0793accc@192.168.111.251> Message-ID: <4D7A3C8D.8020103@redhat.com> Sylvain PANNETRAT wrote: > Hello, > I try to update a fedora 14 client, and get: > http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz: > [Errno -1] Metadata file does not match checksum > After yum clean all, i get: > freeipa-devel/primary | 8.8 kB 00:00 > http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz: > [Errno -1] Metadata file does not match checksum > Essai d'un autre miroir. > Erreur : failure: repodata/primary.xml.gz from freeipa-devel: [Errno > 256] No more mirrors to try. > What can I do ? > Regards, > Sylvain PANNETRAT Try cleaning the yum cache for the repo. 
yum clean --disablerepo=* --enablerepo=freeipa-devel all rob From sylvain.pannetrat at net-optima.fr Fri Mar 11 15:26:24 2011 From: sylvain.pannetrat at net-optima.fr (Sylvain PANNETRAT) Date: Fri, 11 Mar 2011 16:26:24 +0100 Subject: [Freeipa-users] Repository error In-Reply-To: <4D7A3C8D.8020103@redhat.com> Message-ID: De: "Rob Crittenden" rcritten at redhat.com > Sylvain PANNETRAT wrote: >> Hello, >> I try to update a fedora 14 client, and get: >> >> http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primar >> y.xml.gz: >> [Errno -1] Metadata file does not match checksum >> After yum clean all, i get: >> freeipa-devel/primary | 8.8 kB 00:00 >> >> http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primar >> y.xml.gz: >> [Errno -1] Metadata file does not match checksum >> Essai d'un autre miroir. >> Erreur : failure: repodata/primary.xml.gz from freeipa-devel: [Errno >> 256] No more mirrors to try. >> What can I do ? >> Regards, >> Sylvain PANNETRAT > > Try cleaning the yum cache for the repo. > > yum clean --disablerepo=* --enablerepo=freeipa-devel all > > rob > I made: yum clean --disablerepo=* --enablerepo=freeipa-devel all with the same error. I change my proxy to another squid, and now it's OK Thanks Sylvain PANNETRAT From sigbjorn at nixtra.com Fri Mar 11 20:00:02 2011 From: sigbjorn at nixtra.com (=?ISO-8859-1?Q?Sigbj=F8rn_Lie?=) Date: Fri, 11 Mar 2011 21:00:02 +0100 Subject: [Freeipa-users] Sync with AD error Message-ID: <4D7A7F42.5040306@nixtra.com> Hi, I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a sync agreement with Active Directory. Added CA certificate /root/testing-ca.cer to certificate database for ipasrv01.ix.testing.com ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com Windows PassSync entry exists, not resetting password ipa: INFO: Added new sync agreement, waiting for it to become ready . . . 
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110311195207Z: end: 20110311195207Z ipa: INFO: Agreement is ready, starting replication . . . ipa: INFO: Failed to create public entry for winsync replica Starting replication, please wait until this has completed. Update succeeded Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com' Now I can't list the sync agreements. All I get is: # ipa-replica-manage list unexpected error: * not found Any ideas? Rgds, Siggi From dpal at redhat.com Fri Mar 11 20:15:52 2011 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 11 Mar 2011 15:15:52 -0500 Subject: [Freeipa-users] Sync with AD error In-Reply-To: <4D7A7F42.5040306@nixtra.com> References: <4D7A7F42.5040306@nixtra.com> Message-ID: <4D7A82F8.50009@redhat.com> On 03/11/2011 03:00 PM, Sigbj?rn Lie wrote: > Hi, > > I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a > sync agreement with Active Directory. Did you upgrade in place or re-installed? The recent (a month ago or so) changes moved the location of the replication agreements. There were a lot of other changes in this area. We do not support smooth migration between beta and RCs that would have taken too much effort. Can you please try on a fresh install? Thank you Dmitri > > Added CA certificate /root/testing-ca.cer to certificate database for > ipasrv01.ix.testing.com > ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com > The user for the Windows PassSync service is > uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com > Windows PassSync entry exists, not resetting password > ipa: INFO: Added new sync agreement, waiting for it to become ready . . . > ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica > acquired successfully: Incremental update succeeded: start: > 20110311195207Z: end: 20110311195207Z > ipa: INFO: Agreement is ready, starting replication . . . 
> ipa: INFO: Failed to create public entry for winsync replica > Starting replication, please wait until this has completed. > Update succeeded > Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com' > > > Now I can't list the sync agreements. All I get is: > > # ipa-replica-manage list > unexpected error: * not found > > Any ideas? > > > Rgds, > Siggi > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Fri Mar 11 20:16:35 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 11 Mar 2011 15:16:35 -0500 Subject: [Freeipa-users] Sync with AD error In-Reply-To: <4D7A7F42.5040306@nixtra.com> References: <4D7A7F42.5040306@nixtra.com> Message-ID: <4D7A8323.6000405@redhat.com> Sigbj?rn Lie wrote: > Hi, > > I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a > sync agreement with Active Directory. > > Added CA certificate /root/testing-ca.cer to certificate database for > ipasrv01.ix.testing.com > ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com > The user for the Windows PassSync service is > uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com > Windows PassSync entry exists, not resetting password > ipa: INFO: Added new sync agreement, waiting for it to become ready . . . > ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica > acquired successfully: Incremental update succeeded: start: > 20110311195207Z: end: 20110311195207Z > ipa: INFO: Agreement is ready, starting replication . . . > ipa: INFO: Failed to create public entry for winsync replica > Starting replication, please wait until this has completed. 
> Update succeeded
> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>
>
> Now I can't list the sync agreements. All I get is:
>
> # ipa-replica-manage list
> unexpected error: * not found
>
> Any ideas?

Can you try running /usr/sbin/ipa-ldap-updater?

The problem is this didn't run at install so the spot in the DIT to store windows replication agreement info wasn't created, so it couldn't be added (the Failed to create public entry for winsync replica part).

Once you've run ipa-ldap-updater you can add the info with something like:

ldapmodify -x -D 'cn=directory manager' -W
dn: cn=addc01.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
changetype: add
objectclass: nsContainer
objectclass: ipaConfigObject
cn: addc01.ad.testing.com
ipaConfigString: winsync:ipasrv01.ix.testing.com

^D to quit

From sigbjorn at nixtra.com Fri Mar 11 20:30:05 2011
From: sigbjorn at nixtra.com (Sigbjørn Lie)
Date: Fri, 11 Mar 2011 21:30:05 +0100
Subject: [Freeipa-users] Sync with AD error
In-Reply-To: <4D7A8323.6000405@redhat.com>
References: <4D7A7F42.5040306@nixtra.com> <4D7A8323.6000405@redhat.com>
Message-ID: <4D7A864D.5040107@nixtra.com>

On 03/11/2011 09:16 PM, Rob Crittenden wrote:
> Sigbjørn Lie wrote:
>> Hi,
>>
>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>> sync agreement with Active Directory.
>>
>> Added CA certificate /root/testing-ca.cer to certificate database for
>> ipasrv01.ix.testing.com
>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>> The user for the Windows PassSync service is
>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>> Windows PassSync entry exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>> . .
>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>> acquired successfully: Incremental update succeeded: start:
>> 20110311195207Z: end: 20110311195207Z
>> ipa: INFO: Agreement is ready, starting replication . . .
>> ipa: INFO: Failed to create public entry for winsync replica
>> Starting replication, please wait until this has completed.
>> Update succeeded
>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>
>>
>> Now I can't list the sync agreements. All I get is:
>>
>> # ipa-replica-manage list
>> unexpected error: * not found
>>
>> Any ideas?
>
> Can you try running /usr/sbin/ipa-ldap-updater?
>
> The problem is this didn't run at install so the spot in the DIT to
> store windows replication agreement info wasn't created, so it
> couldn't be added (the Failed to create public entry for winsync
> replica part).
>
> Once you've run ipa-ldap-updater you can add the info with something
> like:
>
> ldapmodify -x -D 'cn=directory manager' -W
> dn: cn=addc01.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
> changetype: add
> objectclass: nsContainer
> objectclass: ipaConfigObject
> cn: addc01.ad.testing.com
> ipaConfigString: winsync:ipasrv01.ix.testing.com
>
>
> ^D to quit
>

Hi,

Thank you. I tried this; the ipa-ldap-updater script updated and created quite a few entries and exited without any errors. I then added the info as you suggested, also without any errors. However, listing replicas still doesn't work. Actually, running force-sync or re-initialize yells exactly the same error message.
# ipa-replica-manage list
unexpected error: * not found

Rgds,
Siggi

From sigbjorn at nixtra.com Fri Mar 11 20:31:50 2011
From: sigbjorn at nixtra.com (Sigbjørn Lie)
Date: Fri, 11 Mar 2011 21:31:50 +0100
Subject: [Freeipa-users] Sync with AD error
In-Reply-To: <4D7A82F8.50009@redhat.com>
References: <4D7A7F42.5040306@nixtra.com> <4D7A82F8.50009@redhat.com>
Message-ID: <4D7A86B6.9030807@nixtra.com>

On 03/11/2011 09:15 PM, Dmitri Pal wrote:
> On 03/11/2011 03:00 PM, Sigbjørn Lie wrote:
>> Hi,
>>
>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>> sync agreement with Active Directory.
> Did you upgrade in place or re-install?
> The recent (a month ago or so) changes moved the location of the
> replication agreements.
> There were a lot of other changes in this area.
> We do not support smooth migration between beta and RCs; that would have
> taken too much effort.
> Can you please try on a fresh install?
>
> Thank you
> Dmitri
>
>> Added CA certificate /root/testing-ca.cer to certificate database for
>> ipasrv01.ix.testing.com
>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>> The user for the Windows PassSync service is
>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>> Windows PassSync entry exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>> acquired successfully: Incremental update succeeded: start:
>> 20110311195207Z: end: 20110311195207Z
>> ipa: INFO: Agreement is ready, starting replication . . .
>> ipa: INFO: Failed to create public entry for winsync replica
>> Starting replication, please wait until this has completed.
>> Update succeeded
>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>
>>
>> Now I can't list the sync agreements. All I get is:
>>
>> # ipa-replica-manage list
>> unexpected error: * not found
>>
>> Any ideas?
>>
>>
>> Rgds,
>> Siggi
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>

Hi,

I upgraded in place. I did the initial installation on the 12th of February. I think I started out with the first RC. Do I still have to reinstall?

Rgds,
Siggi

From dpal at redhat.com Fri Mar 11 20:43:23 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 11 Mar 2011 15:43:23 -0500
Subject: [Freeipa-users] Sync with AD error
In-Reply-To: <4D7A86B6.9030807@nixtra.com>
References: <4D7A7F42.5040306@nixtra.com> <4D7A82F8.50009@redhat.com> <4D7A86B6.9030807@nixtra.com>
Message-ID: <4D7A896B.5060506@redhat.com>

On 03/11/2011 03:31 PM, Sigbjørn Lie wrote:
>
>
> On 03/11/2011 09:15 PM, Dmitri Pal wrote:
>> On 03/11/2011 03:00 PM, Sigbjørn Lie wrote:
>>> Hi,
>>>
>>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>>> sync agreement with Active Directory.
>> Did you upgrade in place or re-install?
>> The recent (a month ago or so) changes moved the location of the
>> replication agreements.
>> There were a lot of other changes in this area.
>> We do not support smooth migration between beta and RCs; that would have
>> taken too much effort.
>> Can you please try on a fresh install?
>>
>> Thank you
>> Dmitri
>>
>>> Added CA certificate /root/testing-ca.cer to certificate database for
>>> ipasrv01.ix.testing.com
>>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>>> The user for the Windows PassSync service is
>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>>> Windows PassSync entry exists, not resetting password
>>> ipa: INFO: Added new sync agreement, waiting for it to become ready
>>> . . .
>>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>>> acquired successfully: Incremental update succeeded: start:
>>> 20110311195207Z: end: 20110311195207Z
>>> ipa: INFO: Agreement is ready, starting replication . . .
>>> ipa: INFO: Failed to create public entry for winsync replica
>>> Starting replication, please wait until this has completed.
>>> Update succeeded
>>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>>
>>>
>>> Now I can't list the sync agreements. All I get is:
>>>
>>> # ipa-replica-manage list
>>> unexpected error: * not found
>>>
>>> Any ideas?
>>>
>>>
>>> Rgds,
>>> Siggi
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>
>
> Hi,
>
> I upgraded in place. I did the initial installation on the 12th of
> February. I think I started out with the first RC. Do I still have to
> reinstall?

Should be fine then.

>
>
> Rgds,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Mar 11 21:19:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Mar 2011 16:19:30 -0500
Subject: [Freeipa-users] Sync with AD error
In-Reply-To: <4D7A864D.5040107@nixtra.com>
References: <4D7A7F42.5040306@nixtra.com> <4D7A8323.6000405@redhat.com> <4D7A864D.5040107@nixtra.com>
Message-ID: <4D7A91E2.70000@redhat.com>

Sigbjørn Lie wrote:
> On 03/11/2011 09:16 PM, Rob Crittenden wrote:
>> Sigbjørn Lie wrote:
>>> Hi,
>>>
>>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>>> sync agreement with Active Directory.
>>>
>>> Added CA certificate /root/testing-ca.cer to certificate database for
>>> ipasrv01.ix.testing.com
>>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>>> The user for the Windows PassSync service is
>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>>> Windows PassSync entry exists, not resetting password
>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>> . .
>>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>>> acquired successfully: Incremental update succeeded: start:
>>> 20110311195207Z: end: 20110311195207Z
>>> ipa: INFO: Agreement is ready, starting replication . . .
>>> ipa: INFO: Failed to create public entry for winsync replica
>>> Starting replication, please wait until this has completed.
>>> Update succeeded
>>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>>
>>>
>>> Now I can't list the sync agreements. All I get is:
>>>
>>> # ipa-replica-manage list
>>> unexpected error: * not found
>>>
>>> Any ideas?
>>
>> Can you try running /usr/sbin/ipa-ldap-updater?
>>
>> The problem is this didn't run at install so the spot in the DIT to
>> store windows replication agreement info wasn't created, so it
>> couldn't be added (the Failed to create public entry for winsync
>> replica part).
>>
>> Once you've run ipa-ldap-updater you can add the info with something
>> like:
>>
>> ldapmodify -x -D 'cn=directory manager' -W
>> dn: cn=addc01.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
>> changetype: add
>> objectclass: nsContainer
>> objectclass: ipaConfigObject
>> cn: addc01.ad.testing.com
>> ipaConfigString: winsync:ipasrv01.ix.testing.com
>>
>>
>> ^D to quit
>>
> Hi,
>
> Thank you. I tried this; the ipa-ldap-updater script updated and created
> quite a few entries and exited without any errors. I then added the info
> as you suggested, also without any errors. However, listing replicas
> still doesn't work.
> Actually, running force-sync or re-initialize yells
> exactly the same error message.
>
> # ipa-replica-manage list
> unexpected error: * not found

Hmm, can you provide the output of (you can send privately if you want):

kinit admin
ldapsearch -Y GSSAPI -b cn=masters,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com

and

ldapsearch -Y GSSAPI -b cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com

There must be an additional entry that wasn't added but I haven't figured out what it is yet.

rob

From tomasz.napierala at allegro.pl Sat Mar 12 19:06:19 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Sat, 12 Mar 2011 20:06:19 +0100
Subject: [Freeipa-users] RC3 Install fails with " Unable to connect to LDAP server "
Message-ID: 

Hi,
I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it fails for some reason:

2011-03-12 19:36:10,240 DEBUG stdout=add objectclass:
	top
	extensibleObject
add cn:
	Posix IDs
add dnaType:
	uidNumber
	gidNumber
add dnaNextValue:
	344800000
add dnaMaxValue:
	344999999
add dnaMagicRegen:
	999
add dnaFilter:
	(|(objectclass=posixAccount)(objectClass=posixGroup))
add dnaScope:
	dc=qxltest
add dnaThreshold:
	500
add dnaSharedCfgDN:
	cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=qxltest
adding new entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
modify complete

2011-03-12 19:36:10,240 DEBUG stderr=ldap_initialize( ldap://ipa20-test.dc2 )

2011-03-12 19:36:10,241 DEBUG duration: 0 seconds
2011-03-12 19:36:10,241 DEBUG [30/32]: enabling compatibility plugin
2011-03-12 19:36:10,273 DEBUG Unable to connect to LDAP server ipa20-test.dc2
  File "/usr/sbin/ipa-server-install", line 975, in <module>
    sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 813, in main
    hbac_allow=not options.hbac_allow)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 262, in create_instance
    self.start_creation("Configuring directory server", 60)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 453, in __enable_compat_plugin
    ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 117, in __init__
    raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)

Looks like 389 DS is running and accepting connections

[root at ipa20-test ~]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1044/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1063/sendmail: acce
tcp        0      0 :::22                       :::*                        LISTEN      1044/sshd
tcp        0      0 :::636                      :::*                        LISTEN      9559/ns-slapd
tcp        0      0 :::9180                     :::*                        LISTEN      8918/java
tcp        0      0 :::7389                     :::*                        LISTEN      6701/ns-slapd
tcp        0      0 :::9443                     :::*                        LISTEN      8918/java
tcp        0      0 :::9444                     :::*                        LISTEN      8918/java
tcp        0      0 :::389                      :::*                        LISTEN      9559/ns-slapd
tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      8918/java
tcp        0      0 :::9445                     :::*                        LISTEN      8918/java
tcp        0      0 :::9446                     :::*                        LISTEN      8918/java

Any clues what might be wrong?

-- 
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, ul. Marcelińska 90, entered in the register of entrepreneurs kept by the District Court Poznań - Nowe Miasto i Wilda, VIII Commercial Division of the National Court Register, under KRS number 0000268796, with a share capital of PLN 33 474 500, tax identification number NIP: 5272525995.
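In the "Sync with AD error" thread above, Rob explains that `ipa-replica-manage list` breaks when the public winsync entry under cn=replicas,cn=ipa,cn=etc is absent, and shows the ldapmodify input that adds it. The following is an added example, not FreeIPA's own code and not posted in the thread: it parses `ldapsearch -LLL` output of that container, reports AD hosts whose entry is missing or carries a different ipaConfigString, and prints the LDIF in the shape Rob quoted. SAMPLE_LDIF, the helper names, and the addc02/addc03 hostnames are constructed for this example.

```python
"""Check the public winsync entries that ipa-replica-manage expects under
cn=replicas,cn=ipa,cn=etc and emit LDIF for any that are missing.

Added example for the "Sync with AD error" thread; not FreeIPA code.
The expected entry layout (cn=<AD host>,cn=replicas,cn=ipa,cn=etc,<suffix>
carrying ipaConfigString: winsync:<IPA host>) is the one quoted there.
"""
import base64


def parse_ldif(text):
    """Parse ldapsearch -LLL style LDIF into {dn(lowercased): {attr: [values]}}.

    Folded lines (leading space) are joined, "attr:: value" is base64-decoded,
    comments and "version:" lines are skipped. DNs and attribute names are
    lowercased for lookup only; values are kept as printed.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries = {}
    current = None
    for line in unfolded:
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = value.lower()
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries


def winsync_entry_dn(ad_host, suffix):
    return "cn=%s,cn=replicas,cn=ipa,cn=etc,%s" % (ad_host, suffix)


def missing_winsync_entries(ldif_text, ipa_host, ad_hosts, suffix):
    """Map each AD host whose public entry is absent, or whose entry lacks
    ipaConfigString winsync:<ipa_host>, to a short reason string."""
    entries = parse_ldif(ldif_text)
    wanted = ("winsync:%s" % ipa_host).lower()
    problems = {}
    for ad_host in ad_hosts:
        entry = entries.get(winsync_entry_dn(ad_host, suffix).lower())
        if entry is None:
            problems[ad_host] = "missing"
        elif wanted not in [v.lower() for v in entry.get("ipaconfigstring", [])]:
            problems[ad_host] = "no ipaConfigString winsync:%s" % ipa_host
    return problems


def ldif_to_add(ipa_host, ad_host, suffix):
    """LDIF for 'ldapmodify -x -D "cn=directory manager" -W', as in the thread."""
    return "\n".join([
        "dn: " + winsync_entry_dn(ad_host, suffix),
        "changetype: add",
        "objectclass: nsContainer",
        "objectclass: ipaConfigObject",
        "cn: " + ad_host,
        "ipaConfigString: winsync:" + ipa_host,
        "",
    ])


# Constructed sample output of
#   ldapsearch -LLL -Y GSSAPI -b cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
# on the upgraded server: addc01 (the thread's AD host) has no entry at all,
# addc02 is fine, addc03 points at a different IPA server.
SAMPLE_LDIF = """\
dn: cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
objectClass: nsContainer
objectClass: top
cn: replicas

dn: cn=addc02.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,
 dc=com
objectClass: nsContainer
objectClass: ipaConfigObject
cn: addc02.ad.testing.com
ipaConfigString: winsync:ipasrv01.ix.testing.com

dn: cn=addc03.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
objectClass: nsContainer
objectClass: ipaConfigObject
cn: addc03.ad.testing.com
ipaConfigString: winsync:ipasrv02.ix.testing.com
"""

if __name__ == "__main__":
    suffix = "dc=ix,dc=testing,dc=com"
    ipa = "ipasrv01.ix.testing.com"
    ad = ["addc01.ad.testing.com", "addc02.ad.testing.com", "addc03.ad.testing.com"]
    for host, why in sorted(missing_winsync_entries(SAMPLE_LDIF, ipa, ad, suffix).items()):
        print("# %s: %s" % (host, why))
        print(ldif_to_add(ipa, host, suffix))
```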
From sigbjorn at nixtra.com Sat Mar 12 19:23:46 2011
From: sigbjorn at nixtra.com (Sigbjørn Lie)
Date: Sat, 12 Mar 2011 20:23:46 +0100
Subject: [Freeipa-users] RC3 Install fails with " Unable to connect to LDAP server "
In-Reply-To: 
References: 
Message-ID: <4D7BC842.5070809@nixtra.com>

Hi,

I second that. I just did a fresh install as well and I got exactly the same error message when installing the compatibility plug-in. My log file looks exactly the same, and my dirsrv was running at the time the installation failed.

Rgds,
Siggi

On 03/12/2011 08:06 PM, tomasz.napierala at allegro.pl wrote:
> Hi,
> I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it fails for some reason:
> 2011-03-12 19:36:10,240 DEBUG stdout=add objectclass:
> top
> extensibleObject
> add cn:
> Posix IDs
> add dnaType:
> uidNumber
> gidNumber
> add dnaNextValue:
> 344800000
> add dnaMaxValue:
> 344999999
> add dnaMagicRegen:
> 999
> add dnaFilter:
> (|(objectclass=posixAccount)(objectClass=posixGroup))
> add dnaScope:
> dc=qxltest
> add dnaThreshold:
> 500
> add dnaSharedCfgDN:
> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=qxltest
> adding new entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
> modify complete
>
>
> 2011-03-12 19:36:10,240 DEBUG stderr=ldap_initialize( ldap://ipa20-test.dc2 )
>
> 2011-03-12 19:36:10,241 DEBUG duration: 0 seconds
> 2011-03-12 19:36:10,241 DEBUG [30/32]: enabling compatibility plugin
> 2011-03-12 19:36:10,273 DEBUG Unable to connect to LDAP server ipa20-test.dc2
> File "/usr/sbin/ipa-server-install", line 975, in <module>
> sys.exit(main())
>
> File "/usr/sbin/ipa-server-install", line 813, in main
> hbac_allow=not options.hbac_allow)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 262, in create_instance
> self.start_creation("Configuring directory server", 60)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in start_creation
> method()
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 453, in __enable_compat_plugin
> ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password, sub_dict=self.sub_dict)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 117, in __init__
> raise RuntimeError("Unable to connect to LDAP server %s" % fqdn)
>
> Looks like 389 DS is running and accepting connections
> [root at ipa20-test ~]# netstat -nltp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
> tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1044/sshd
> tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1063/sendmail: acce
> tcp        0      0 :::22                       :::*                        LISTEN      1044/sshd
> tcp        0      0 :::636                      :::*                        LISTEN      9559/ns-slapd
> tcp        0      0 :::9180                     :::*                        LISTEN      8918/java
> tcp        0      0 :::7389                     :::*                        LISTEN      6701/ns-slapd
> tcp        0      0 :::9443                     :::*                        LISTEN      8918/java
> tcp        0      0 :::9444                     :::*                        LISTEN      8918/java
> tcp        0      0 :::389                      :::*                        LISTEN      9559/ns-slapd
> tcp        0      0 ::ffff:127.0.0.1:9701       :::*                        LISTEN      8918/java
> tcp        0      0 :::9445                     :::*                        LISTEN      8918/java
> tcp        0      0 :::9446                     :::*                        LISTEN      8918/java
>
> Any clues what might be wrong?
>
>

From tomasz.napierala at allegro.pl Sat Mar 12 20:58:28 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Sat, 12 Mar 2011 21:58:28 +0100
Subject: [Freeipa-users] RC3 Install fails with " Unable to connect to LDAP server "
In-Reply-To: 
References: 
Message-ID: 

On 2011-03-12, at 20:06, tomasz.napierala at allegro.pl wrote:
> Hi,
> I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it fails for some reason:

Looks like the problem is that my realm is different than domain name (QXLTEST vs. DC2). After accepting defaults installation was completed successfully. Can anybody confirm?

Regards,

-- 
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

From sigbjorn at nixtra.com Sun Mar 13 16:36:50 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 13 Mar 2011 17:36:50 +0100
Subject: [Freeipa-users] RC3 Install fails with " Unable to connect to LDAP server "
In-Reply-To: 
References: 
Message-ID: <4D7CF2A2.9060205@nixtra.com>

On 03/12/2011 09:58 PM, tomasz.napierala at allegro.pl wrote:
> On 2011-03-12, at 20:06, tomasz.napierala at allegro.pl wrote:
>
>> Hi,
>> I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it fails for some reason:
> Looks like the problem is that my realm is different than domain name (QXLTEST vs. DC2). After accepting defaults installation was completed successfully. Can anybody confirm?
>
> Regards,

Hi,

I reinstalled and found the same to be the problem for me.

Rgds,
Siggi

From ssorce at redhat.com Sun Mar 13 19:35:34 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 13 Mar 2011 15:35:34 -0400
Subject: [Freeipa-users] Sync with AD error
In-Reply-To: <4D7A86B6.9030807@nixtra.com>
References: <4D7A7F42.5040306@nixtra.com> <4D7A82F8.50009@redhat.com> <4D7A86B6.9030807@nixtra.com>
Message-ID: <20110313153534.22f6f955@willson.li.ssimo.org>

On Fri, 11 Mar 2011 21:31:50 +0100
Sigbjørn Lie wrote:

>
>
> On 03/11/2011 09:15 PM, Dmitri Pal wrote:
> > On 03/11/2011 03:00 PM, Sigbjørn Lie wrote:
> >> Hi,
> >>
> >> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to
> >> add a sync agreement with Active Directory.
> > Did you upgrade in place or re-install?
> > The recent (a month ago or so) changes moved the location of the
> > replication agreements.
> > There were a lot of other changes in this area.
> > We do not support smooth migration between beta and RCs; that would
> > have taken too much effort.
> > Can you please try on a fresh install?
> >
> > Thank you
> > Dmitri
> >
> >> Added CA certificate /root/testing-ca.cer to certificate database
> >> for ipasrv01.ix.testing.com
> >> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
> >> The user for the Windows PassSync service is
> >> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
> >> Windows PassSync entry exists, not resetting password
> >> ipa: INFO: Added new sync agreement, waiting for it to become
> >> ready . . . ipa: INFO: Replication Update in progress: FALSE:
> >> status: 0 Replica acquired successfully: Incremental update
> >> succeeded: start: 20110311195207Z: end: 20110311195207Z
> >> ipa: INFO: Agreement is ready, starting replication . . .
> >> ipa: INFO: Failed to create public entry for winsync replica
> >> Starting replication, please wait until this has completed.
> >> Update succeeded
> >> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
> >>
> >>
> >> Now I can't list the sync agreements. All I get is:
> >>
> >> # ipa-replica-manage list
> >> unexpected error: * not found
> >>
> >> Any ideas?
> >>
> >>
> >> Rgds,
> >> Siggi
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >>
> >
>
>
> Hi,
>
> I upgraded in place. I did the initial installation on the 12th of
> February. I think I started out with the first RC. Do I still have to
> reinstall?

Have you run ipa-ldap-updater after the rpm upgrade?

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Sun Mar 13 22:43:46 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 13 Mar 2011 23:43:46 +0100
Subject: [Freeipa-users] Sync with AD error
In-Reply-To: <20110313153534.22f6f955@willson.li.ssimo.org>
References: <4D7A7F42.5040306@nixtra.com> <4D7A82F8.50009@redhat.com> <4D7A86B6.9030807@nixtra.com> <20110313153534.22f6f955@willson.li.ssimo.org>
Message-ID: <4D7D48A2.5070708@nixtra.com>

On 03/13/2011 08:35 PM, Simo Sorce wrote:
> On Fri, 11 Mar 2011 21:31:50 +0100
> Sigbjørn Lie wrote:
>
>>
>> On 03/11/2011 09:15 PM, Dmitri Pal wrote:
>>> On 03/11/2011 03:00 PM, Sigbjørn Lie wrote:
>>>> Hi,
>>>>
>>>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to
>>>> add a sync agreement with Active Directory.
>>> Did you upgrade in place or re-install?
>>> The recent (a month ago or so) changes moved the location of the
>>> replication agreements.
>>> There were a lot of other changes in this area.
>>> We do not support smooth migration between beta and RCs; that would
>>> have taken too much effort.
>>> Can you please try on a fresh install?
>>>
>>> Thank you
>>> Dmitri
>>>
>>>> Added CA certificate /root/testing-ca.cer to certificate database
>>>> for ipasrv01.ix.testing.com
>>>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>>>> The user for the Windows PassSync service is
>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>>>> Windows PassSync entry exists, not resetting password
>>>> ipa: INFO: Added new sync agreement, waiting for it to become
>>>> ready . . . ipa: INFO: Replication Update in progress: FALSE:
>>>> status: 0 Replica acquired successfully: Incremental update
>>>> succeeded: start: 20110311195207Z: end: 20110311195207Z
>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>> ipa: INFO: Failed to create public entry for winsync replica
>>>> Starting replication, please wait until this has completed.
>>>> Update succeeded
>>>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>>>
>>>>
>>>> Now I can't list the sync agreements. All I get is:
>>>>
>>>> # ipa-replica-manage list
>>>> unexpected error: * not found
>>>>
>>>> Any ideas?
>>>>
>>>>
>>>> Rgds,
>>>> Siggi
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>
>> Hi,
>>
>> I upgraded in place. I did the initial installation on the 12th of
>> February. I think I started out with the first RC. Do I still have to
>> reinstall?
> Have you run ipa-ldap-updater after the rpm upgrade?
>
> Simo.
>
>

Hi,

Yes I have.

Rgds,
Siggi

From davido at redhat.com Mon Mar 14 02:40:53 2011
From: davido at redhat.com (David O'Brien)
Date: Mon, 14 Mar 2011 12:40:53 +1000
Subject: [Freeipa-users] Updated freeIPA Documentation
Message-ID: <4D7D8035.4060705@redhat.com>

All,

Edition 0.6 of the IPA documentation is now available in both html and pdf versions. Please note that this is an ongoing effort and should still be considered draft material. Please do not hesitate to advertise any errors or identify areas that could use improvement, either by email to the list or by raising bugs.

Refer to the document Revision History for a list of the major changes.

The updated documentation can be found at the following address:

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/

Regards,

-- 
David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever."
~ Chinese proverb

From tomasz.napierala at allegro.pl Mon Mar 14 08:57:30 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Mon, 14 Mar 2011 09:57:30 +0100
Subject: [Freeipa-users] RC3 Install fails with " Unable to connect to LDAP server "
In-Reply-To: <4D7CF2A2.9060205@nixtra.com>
References: <4D7CF2A2.9060205@nixtra.com>
Message-ID: <9FD291BB-880A-4B8B-87CB-999D6C11EC3C@allegro.pl>

On 2011-03-13, at 17:36, Sigbjorn Lie wrote:
> On 03/12/2011 09:58 PM, tomasz.napierala at allegro.pl wrote:
>> On 2011-03-12, at 20:06, tomasz.napierala at allegro.pl wrote:
>>
>>> Hi,
>>> I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it fails for some reason:
>> Looks like the problem is that my realm is different than domain name (QXLTEST vs. DC2). After accepting defaults installation was completed successfully. Can anybody confirm?
>>
>> Regards,
> Hi,
>
> I reinstalled and found the same to be the problem for me.

Filed bug 684690

Regards,

-- 
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/
From dpal at redhat.com Mon Mar 14 12:25:17 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 14 Mar 2011 08:25:17 -0400
Subject: [Freeipa-users] RC3 Install fails with " Unable to connect to LDAP server "
In-Reply-To: <9FD291BB-880A-4B8B-87CB-999D6C11EC3C@allegro.pl>
References: <4D7CF2A2.9060205@nixtra.com> <9FD291BB-880A-4B8B-87CB-999D6C11EC3C@allegro.pl>
Message-ID: <4D7E092D.70001@redhat.com>

On 03/14/2011 04:57 AM, tomasz.napierala at allegro.pl wrote:
> On 2011-03-13, at 17:36, Sigbjorn Lie wrote:
>
>> On 03/12/2011 09:58 PM, tomasz.napierala at allegro.pl wrote:
>>> On 2011-03-12, at 20:06, tomasz.napierala at allegro.pl wrote:
>>>
>>>> Hi,
>>>> I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it fails for some reason:
>>> Looks like the problem is that my realm is different than domain name (QXLTEST vs. DC2). After accepting defaults installation was completed successfully. Can anybody confirm?
>>>
>>> Regards,
>> Hi,
>>
>> I reinstalled and found the same to be the problem for me.
> Filed bug 684690
>
> Regards,

Thanks!

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From tomasz.napierala at allegro.pl Mon Mar 14 15:50:19 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Mon, 14 Mar 2011 16:50:19 +0100
Subject: [Freeipa-users] Problem with replication after restore
In-Reply-To: <4D77D617.7040605@redhat.com>
References: <3E2D37A9-E107-4061-86A9-DD2C072ED879@allegro.pl> <4D778A17.6020900@redhat.com> <4D77D617.7040605@redhat.com>
Message-ID: 

On 2011-03-09, at 20:33, Rich Megginson wrote:
> On 03/09/2011 09:15 AM, tomasz.napierala at allegro.pl wrote:
>> On 2011-03-09, at 15:09, Rich Megginson wrote:
>>
>> 8><-----------------
>>>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Missing data encountered
>>>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Incremental update failed and requires administrator action
>>> Not sure what happened here. How long has the server been down? You
>>> will need to reinitialize the slave from the master.
>> Server was down for 2-3 hours. Currently slave has more recent data, because it is in our production environment (master is in backup DC)
>>
>> I don't have much experience with 389, and it seems that in FreeIPA setup 389 DS is in minimal form. So how can I reinitialize slave? Is there any chance to transfer changes from slave to master? I'm afraid that losing changes on slave would be a disaster (there were hundreds of users added)
> ipa-replica-manage - you would want to initialize the master from the
> slave. Please make a backup of your slave first.

Just to make sure I'm getting the thing right: is there any risk for slave during reinitialization?

Regards,

-- 
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

From sigbjorn at nixtra.com Sun Mar 20 17:28:12 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 20 Mar 2011 18:28:12 +0100
Subject: [Freeipa-users] Delete AD replica failure
Message-ID: <4D86392C.9020708@nixtra.com>

Hi,

I just did a fresh installation of FreeIPA 2 on a host called ipa1, created a replica on a second server called ipa2. I then created a winsync replica to an AD domain on the ipa1 host.

I noticed that I forgot the --win-subtree option and decided to delete the replication agreement:

# ipa-replica-manage -H ipa1.ix.nowhere.com del dc01.ad.nowhere.com
Directory Manager password:
Unable to delete replica dc01.ad.nowhere.com: {'desc': "Can't contact LDAP server"}

If I did a force I got a bit more output, where it complains about the ipa2 replica server not having a sync agreement with the dc01 server.

# ipa-replica-manage -v -f -H ipa1.ix.nowhere.com del dc01.ad.nowhere.com
Directory Manager password:
Unable to connect to replica dc01.ad.nowhere.com, forcing removal
Forcing removal on 'dc01.ad.nowhere.com'
'ipa2.ix.nowhere.com' has no replication agreement for 'dc01.ad.nowhere.com'

Is this intended behavior or a bug?

After re-creating the sync agreement with the win-subtree option, IPA synced with AD successfully.

Rgds,
Siggi

From ssorce at redhat.com Mon Mar 21 13:31:15 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 21 Mar 2011 09:31:15 -0400
Subject: [Freeipa-users] Delete AD replica failure
In-Reply-To: <4D86392C.9020708@nixtra.com>
References: <4D86392C.9020708@nixtra.com>
Message-ID: <20110321093115.29fc52cd@willson.li.ssimo.org>

On Sun, 20 Mar 2011 18:28:12 +0100
Sigbjorn Lie wrote:

> Hi,
>
> I just did a fresh installation of FreeIPA 2 on a host called ipa1,
> created a replica on a second server called ipa2.
I then created a > winsync replica to an AD domain on the ipa1 host. > > I noticed that I forgot the --win-subtree option and decided to > delete the replication agreement: > > # ipa-replica-manage -H ipa1.ix.nowhere.com del dc01.ad.nowhere.com > Directory Manager password: > Unable to delete replica dc01.ad.nowhere.com: {'desc': "Can't contact > LDAP server"} This is not the correct command to use. > If I did a force a got a bit more output, where it complains about > the ipa2 replica server not having a sync agreement with the dc01 > server. > > # ipa-replica-manage -v -f -H ipa1.ix.nowhere.com del > dc01.ad.nowhere.com Directory Manager password: > Unable to connect to replica dc01.ad.nowhere.com, forcing removal > Forcing removal on 'dc01.ad.nowhere.com' > 'ipa2.ix.nowhere.com' has no replication agreement for > 'dc01.ad.nowhere.com' > > > Is this intended behavior or a bug? Intended, to remove the AD replication link you need to 'disconnect' the AD server. Use: ipa-replica-manage disconnect dc01.ad.nowhere.com > After re-creating the sync agreement with the win-subtree option, IPA > synced with AD successfully. Great, Simo. -- Simo Sorce * Red Hat, Inc * New York From sbernst at gmail.com Mon Mar 21 16:43:39 2011 From: sbernst at gmail.com (Steven Bernstein) Date: Mon, 21 Mar 2011 11:43:39 -0500 Subject: [Freeipa-users] Standalone or VM instance of FreeIPA Message-ID: Hey there! Please forgive my n00b level question, but is there good documentation on setting up a test environment using FreeIPA? I'd like to tinker with this using VMware if possible. I took a cursory look on Google and Bing, but mostly found pay-for VM Appliances. I really would like to learn how to set it up (with the help of the install scripts... I'm not scared of install work, but those scripts were created for a reason) My point is: When I go to run the installation script on my Fedora box, it tells me the script cannot be run unless the IP resolves in both directions. 
Is there a 'decent' way to go 'round this? Looking for help, if you please.

Thanks so much!

Steven

From chorn at fluxcoil.net Mon Mar 21 18:25:03 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Mon, 21 Mar 2011 19:25:03 +0100
Subject: [Freeipa-users] Standalone or VM instance of FreeIPA
In-Reply-To: References:
Message-ID: <20110321182503.GA18090@fluxcoil.net>

Hi,

On Mon, Mar 21, 2011 at 11:43:39AM -0500, Steven Bernstein wrote:
>
> My point is: When I go to run the installation script on my Fedora box, it
> tells me the script cannot be run unless the IP resolves in both
> directions. Is there a 'decent' way to go 'round this? Looking for help,
> if you please.

Set up a DNS server serving this. That's really not hard, it's a matter of minutes on a RHEL/CentOS if you know what to do.

Christian

From sgallagh at redhat.com Mon Mar 21 18:30:28 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 21 Mar 2011 14:30:28 -0400
Subject: [Freeipa-users] Standalone or VM instance of FreeIPA
In-Reply-To: <20110321182503.GA18090@fluxcoil.net>
References: <20110321182503.GA18090@fluxcoil.net>
Message-ID: <4D879944.6020402@redhat.com>

On 03/21/2011 02:25 PM, Christian Horn wrote:
> Hi,
>
> On Mon, Mar 21, 2011 at 11:43:39AM -0500, Steven Bernstein wrote:
>>
>> My point is: When I go to run the installation script on my Fedora box, it
>> tells me the script cannot be run unless the IP resolves in both
>> directions. Is there a 'decent' way to go 'round this? Looking for help,
>> if you please.
>
> Set up a DNS server serving this. That's really not hard, it's a matter
> of minutes on a RHEL/CentOS if you know what to do.
>

Also, manually editing the /etc/hosts file on the VM to use the fully-qualified hostname for your primary IP address will work.
This is a good way to bootstrap the system if you're planning to use FreeIPA v2 as a DNS server as well. Once setup is complete you can point /etc/resolv.conf at the FreeIPA server you just set up.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

From Steven.Jones at vuw.ac.nz Mon Mar 21 19:45:38 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 21 Mar 2011 19:45:38 +0000
Subject: [Freeipa-users] Standalone or VM instance of FreeIPA
In-Reply-To: References:
Message-ID: <833D8E48405E064EBC54C84EC6B36E40020776@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

A year or two back free VMs were easy to find/common, these days it's quite hard.... mostly I look, give up and go build my own VM for the job. If you want to do some routing in VMware, Vyatta do a free VM and it does DHCP as well.

You can set up bind on your fedora VM, just invent a domain, I've invented ipa.ac.nz and off you go. You just need 2 zone files, forward and reverse, if need be I can post mine.

There is an option to do an integrated dns but maybe dns has to be going first...

regards

Steven

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Bernstein [sbernst at gmail.com]
Sent: Tuesday, 22 March 2011 5:43 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Standalone or VM instance of FreeIPA

Hey there! Please forgive my n00b level question, but is there good documentation on setting up a test environment using FreeIPA? I'd like to tinker with this using VMware if possible.
I took a cursory look on Google and Bing, but mostly found pay-for VM Appliances. I really would like to learn how to set it up (with the help of the install scripts... I'm not scared of install work, but those scripts were created for a reason) My point is: When I go to run the installation script on my Fedora box, it tells me the script cannot be run unless the IP resolves in both directions. Is there a 'decent' way to go 'round this? Looking for help, if you please. Thanks so much! Steven From sigbjorn at nixtra.com Mon Mar 21 22:04:59 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 21 Mar 2011 23:04:59 +0100 Subject: [Freeipa-users] Delete AD replica failure In-Reply-To: <20110321093115.29fc52cd@willson.li.ssimo.org> References: <4D86392C.9020708@nixtra.com> <20110321093115.29fc52cd@willson.li.ssimo.org> Message-ID: <4D87CB8B.905@nixtra.com> On 03/21/2011 02:31 PM, Simo Sorce wrote: > On Sun, 20 Mar 2011 18:28:12 +0100 > Sigbjorn Lie wrote: > >> Hi, >> >> I just did a fresh installation of FreeIPA 2 on a host called ipa1, >> created a replica on a second server called ipa2. I then created a >> winsync replica to an AD domain on the ipa1 host. >> >> I noticed that I forgot the --win-subtree option and decided to >> delete the replication agreement: >> >> # ipa-replica-manage -H ipa1.ix.nowhere.com del dc01.ad.nowhere.com >> Directory Manager password: >> Unable to delete replica dc01.ad.nowhere.com: {'desc': "Can't contact >> LDAP server"} > This is not the correct command to use. > >> If I did a force a got a bit more output, where it complains about >> the ipa2 replica server not having a sync agreement with the dc01 >> server. 
>>
>> # ipa-replica-manage -v -f -H ipa1.ix.nowhere.com del
>> dc01.ad.nowhere.com Directory Manager password:
>> Unable to connect to replica dc01.ad.nowhere.com, forcing removal
>> Forcing removal on 'dc01.ad.nowhere.com'
>> 'ipa2.ix.nowhere.com' has no replication agreement for
>> 'dc01.ad.nowhere.com'
>>
>>
>> Is this intended behavior or a bug?
> Intended, to remove the AD replication link you need to 'disconnect'
> the AD server.
>
> Use:
> ipa-replica-manage disconnect dc01.ad.nowhere.com

Ah, thank you. :)

From Andy.Singleton at tipp24os.co.uk Tue Mar 22 10:11:47 2011
From: Andy.Singleton at tipp24os.co.uk (Andy Singleton)
Date: Tue, 22 Mar 2011 10:11:47 -0000
Subject: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords
Message-ID: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net>

Hello,

I am trying to install a rhel6 machine with the ipa-1.2.2 client.

Everything appears to work fine, with the exception of updating users' passwords from the client.

From the user perspective, I get this:

Changing password for user andytest.
Kerberos 5 Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

From the local secure log, I see this:

Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for requested realm

There are no local or network firewalls between the client and the IPA server, and every other piece of IPA functionality appears to work fine.
On the IPA server itself, I see this in krb5kdc:

Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth type found: Success
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18 tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for kadmin/changepw at LIVE.TIPP24.NET

nsswitch.conf has the usual stuff:

passwd: files ldap
shadow: files ldap
group: files ldap

I'm not sure what else to check.

Andy

From ide4you at gmail.com Tue Mar 22 13:31:17 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Tue, 22 Mar 2011 09:31:17 -0400
Subject: [Freeipa-users] ipa client install
Message-ID:

Hi

Is there a requirement for the same version of client as the server? I've just installed freeipa server version 2.0 rc3. While on the client side, I have a previously installed client version 2.0 beta1. It would not join the realm. I had run the client install script to remove the client from the other 2.0 beta1 server. But when I try to run against the new server, to join the server version 2.0 rc3 realm, the discovery goes on smoothly after which I get the following

Continue to configure the system with these values? [no]: yes

Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: o=uzdomainco

The client's kerberos keytab is not updated and none of the config files are updated.
However when you use the command ipa host-find on the server the host is listed.

Any ideas what the issue would be?

thanks

ide

From dpal at redhat.com Tue Mar 22 13:43:33 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Mar 2011 09:43:33 -0400
Subject: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net>
Message-ID: <4D88A785.6040002@redhat.com>

On 03/22/2011 06:11 AM, Andy Singleton wrote:
> Hello,
>
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users
> passwords from the client.
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
> Kerberos 5 Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> I'm not sure what else to check.
>
> Andy
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Tue Mar 22 13:44:18 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 Mar 2011 09:44:18 -0400
Subject: [Freeipa-users] ipa client install
In-Reply-To: References:
Message-ID: <4D88A7B2.4040006@redhat.com>

Uzor Ide wrote:
> Hi
>
> Is there a requirement for the same version of client as the server.
> I've just installed freeipa server version 2.0 rc3. While on the client
> side, I have a previously installed client version 2.0 beta1. It would
> not join the realm.
I had run the client install script to remove the > client from the another 2.0 beta1 server. > But when I try to run against the new server, to join the server version > 2.0 rc3 realm, the discovery goes on smoothly after which I get the > following > > > Continue to configure the system with these values? [no]: yes > > Joining realm failed: Operation failed! unsupported extended operation > child exited with 9 > Certificate subject base is: o=uzdomainco > > The client's kerberos keytab is not update and non of the config files > are update. > However when you use the command ipa host-find on the server the host is > listed. > > Any ideas what the issue would be? > > thanks > > ide A change was made in 2.0rc2 in the release that made pre rc2 clients unable to join rc2 and beyond servers. We changed the LDAP extended operation OID used for doing online enrollment and retrieving keytabs which is why the older clients now fail (we had inadvertently used them in more than one place). You should be able to just upgrade the client rpm and enrollment will work. rob From rcritten at redhat.com Tue Mar 22 13:45:25 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Mar 2011 09:45:25 -0400 Subject: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net> References: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net> Message-ID: <4D88A7F5.9090701@redhat.com> Andy Singleton wrote: > Hello, > > I am trying to install a rhel6 machine with the ipa-1.2.2 client. > > Everything appears to work fine, with the exception of updating users > passwords from the client. 
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
> Kerberos 5 Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> I'm not sure what else to check.
>
> Andy

Is ipa_kpasswd running on the IPA server?
rob From dpal at redhat.com Tue Mar 22 13:54:22 2011 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 22 Mar 2011 09:54:22 -0400 Subject: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net> References: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net> Message-ID: <4D88AA0E.40308@redhat.com> On 03/22/2011 06:11 AM, Andy Singleton wrote: > Hello, > > > > I am trying to install a rhel6 machine with the ipa-1.2.2 client. > > Everything appears to work fine, with the exception of updating users > passwords from the client. > > > > >From the user perspective, I get this: > > > > Changing password for user andytest. > > Kerberos 5 Password: > > New password: > > Retype new password: > > passwd: Authentication token manipulation error > > > > >From the local secure log, I see this: > > > > Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user > "andytest" does not exist in /etc/passwd > > Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user > "andytest" does not exist in /etc/passwd > > Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change > failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for > requested realm > > > > There are no local or network firewalls between the client and the IPA > server, and every other piece of IPA functionality appears to work fine. 
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> I'm not sure what else to check.
>
> Andy
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Sorry, clicked the send button before I typed anything.

It looks like this is the result of the OID fix we made some time ago. We recommend using ipa-client 2.0 with the latest IPA. The client in RHEL 6.0 has the bug related to password change that prevents it from working with IPA v2. There is no fix for 6.0 yet and since ipa-client in RHEL 6.0 is in tech preview there is no plan to release any asynch errata for it. RHEL 6.1 will carry the right version of ipa-client. We might be able to build an upstream version of the ipa-client for RHEL but not sooner than we release the 2.0 (any time now...).

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ide4you at gmail.com Tue Mar 22 14:34:23 2011
From: ide4you at gmail.com (ide4you at gmail.com)
Date: Tue, 22 Mar 2011 14:34:23 +0000
Subject: [Freeipa-users] ipa client install
Message-ID: <1497443241-1300804466-cardhu_decombobulator_blackberry.rim.net-101926776-@bda057.bisx.prod.on.blackberry>

Thanks Rob,

However the client is a fedora 13 box. There is no client rpm for fedora 13

------Original Message------
From: Rob Crittenden
To: Uzor Ide
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa client install
Sent: Mar 22, 2011 9:44 AM

Uzor Ide wrote:
> Hi
>
> Is there a requirement for the same version of client as the server.
> I've just installed freeipa server version 2.0 rc3. While on the client
> side, I have a previously installed client version 2.0 beta1. It would
> not join the realm. I had run the client install script to remove the
> client from the other 2.0 beta1 server.
> But when I try to run against the new server, to join the server version
> 2.0 rc3 realm, the discovery goes on smoothly after which I get the
> following
>
>
> Continue to configure the system with these values? [no]: yes
>
> Joining realm failed: Operation failed! unsupported extended operation
> child exited with 9
> Certificate subject base is: o=uzdomainco
>
> The client's kerberos keytab is not updated and none of the config files
> are updated.
> However when you use the command ipa host-find on the server the host is
> listed.
>
> Any ideas what the issue would be?
>
> thanks
>
> ide

A change was made in 2.0rc2 in the release that made pre rc2 clients unable to join rc2 and beyond servers. We changed the LDAP extended operation OID used for doing online enrollment and retrieving keytabs which is why the older clients now fail (we had inadvertently used them in more than one place).
You should be able to just upgrade the client rpm and enrollment will work.

rob

Sent on the TELUS Mobility network with BlackBerry

From sbernst at gmail.com Tue Mar 22 15:49:07 2011
From: sbernst at gmail.com (Steven Bernstein)
Date: Tue, 22 Mar 2011 10:49:07 -0500
Subject: [Freeipa-users] Standalone or VM instance of FreeIPA
In-Reply-To: <20110321182503.GA18090@fluxcoil.net>
References: <20110321182503.GA18090@fluxcoil.net>
Message-ID:

Christian,

(sorry for the dbl-post, but I forgot to hit reply-all so evidence of my n00b-ness is shared)

Alright... I'll admit my ignorance. "I Don't know what I'm doing!" Would you be able to point me towards an instructable / how-to on that, please? Or is the hosts file solution simpler? B/c otherwise I'll try to do both and just show back up here at the list-serv, pouting.

Thanks!

Steven

On Mon, Mar 21, 2011 at 1:25 PM, Christian Horn wrote:

> Hi,
>
> On Mon, Mar 21, 2011 at 11:43:39AM -0500, Steven Bernstein wrote:
> >
> > My point is: When I go to run the installation script on my Fedora box,
> it
> > tells me the script cannot be run unless the IP resolves in both
> > directions. Is there a 'decent' way to go 'round this? Looking for
> help,
> > if you please.
>
> Set up a DNS server serving this. That's really not hard, it's a matter
> of minutes on a RHEL/CentOS if you know what to do.
>
> Christian
>

From dpal at redhat.com Tue Mar 22 16:25:10 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Mar 2011 12:25:10 -0400
Subject: [Freeipa-users] ipa client install
In-Reply-To: <1497443241-1300804466-cardhu_decombobulator_blackberry.rim.net-101926776-@bda057.bisx.prod.on.blackberry>
References: <1497443241-1300804466-cardhu_decombobulator_blackberry.rim.net-101926776-@bda057.bisx.prod.on.blackberry>
Message-ID: <4D88CD66.1000603@redhat.com>

On 03/22/2011 10:34 AM, ide4you at gmail.com wrote:
> Thanks Rob,
>
> However the client is a fedora 13 box.
> There is no client rpm for fedora 13 We do not build F13 any more as the packages and functionality they provide deviated so far between F14-F15 and F13. > ------Original Message------ > From: Rob Crittenden > To: Uzor Ide > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] ipa client install > Sent: Mar 22, 2011 9:44 AM > > Uzor Ide wrote: >> Hi >> >> Is there a requirement for the same version of client as the server. >> I've just install freeipa server version 2.0 rc3. While on the client >> side, I have a previously installed client version 2.0 beta1. It would >> not join the realm. I had run the client install script to remove the >> client from the another 2.0 beta1 server. >> But when I try to run against the new server, to join the server version >> 2.0 rc3 realm, the discovery goes on smoothly after which I get the >> following >> >> >> Continue to configure the system with these values? [no]: yes >> >> Joining realm failed: Operation failed! unsupported extended operation >> child exited with 9 >> Certificate subject base is: o=uzdomainco >> >> The client's kerberos keytab is not update and non of the config files >> are update. >> However when you use the command ipa host-find on the server the host is >> listed. >> >> Any ideas what the issue would be? >> >> thanks >> >> ide > A change was made in 2.0rc2 in the release that made pre rc2 clients > unable to join rc2 and beyond servers. We changed the LDAP extended > operation OID used for doing online enrollment and retrieving keytabs > which is why the older clients now fail (we had inadvertently used them > in more than one place). > > You should be able to just upgrade the client rpm and enrollment will work. > > rob > > Sent on the TELUS Mobility network with BlackBerry > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. 
Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Andy.Singleton at tipp24os.co.uk Tue Mar 22 15:54:29 2011 From: Andy.Singleton at tipp24os.co.uk (Andy Singleton) Date: Tue, 22 Mar 2011 15:54:29 -0000 Subject: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords References: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net> <4D88A7F5.9090701@redhat.com> Message-ID: <1CD40A4DEEA320479C98D8A93A5C690603F42034@waterloo.t24uk.tipp24.net> Yes ipa_kpasswd is running. I have some additional information: kpasswd on the client does work, passwd does not. This is fine, except when a user attempts to connect when they need a password reset - They get prompted to change it, but then the same error as before occurs. Andy -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: Tuesday, March 22, 2011 1:45 PM To: Andy Singleton Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords Andy Singleton wrote: > Hello, > > I am trying to install a rhel6 machine with the ipa-1.2.2 client. > > Everything appears to work fine, with the exception of updating users > passwords from the client. 
>
> From the user perspective, I get this:
>
> Changing password for user andytest.
> Kerberos 5 Password:
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
>
> From the local secure log, I see this:
>
> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user
> "andytest" does not exist in /etc/passwd
> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change
> failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for
> requested realm
>
> There are no local or network firewalls between the client and the IPA
> server, and every other piece of IPA functionality appears to work fine.
>
> On the IPA server itself, I see this in krb5kdc:
>
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth
> type found: Success
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18
> 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18
> tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for
> kadmin/changepw at LIVE.TIPP24.NET
>
> nsswitch.conf has the usual stuff:
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> I'm not sure what else to check.
>
> Andy

Is ipa_kpasswd running on the IPA server?
rob From rmeggins at redhat.com Tue Mar 22 16:40:05 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Mar 2011 10:40:05 -0600 Subject: [Freeipa-users] Problem with replication after restore In-Reply-To: References: <3E2D37A9-E107-4061-86A9-DD2C072ED879@allegro.pl> <4D778A17.6020900@redhat.com> <4D77D617.7040605@redhat.com> Message-ID: <4D88D0E5.1020207@redhat.com> On 03/14/2011 09:50 AM, tomasz.napierala at allegro.pl wrote: > On 2011-03-09, at 20:33, Rich Megginson wrote: > >> On 03/09/2011 09:15 AM, tomasz.napierala at allegro.pl wrote: >>> On 2011-03-09, at 15:09, Rich Megginson wrote: >>> >>> 8><----------------- >>>>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Missing data encountered >>>>> [04/Mar/2011:14:59:17 +0100] NSMMReplicationPlugin - agmt="cn=meToMASTER636" (XXX:636): Incremental update failed and requires administrator action >>>> Not sure what happened here. How long has the server been down? You >>>> will need to reinitialize the slave from the master. >>> Server was down for 2-3 hours. Currently slave has more recent data, because it is in our production environment (master is in backup DC) >>> >>> I don't have much experience with 389, and it seems that in FreeIPA setup 389 DS is in minimal form. So how can I reinitialize slave? Is there any chance to transfer changes form slave to master? Im afraid that loosing changes on slave would be a disaster (there were hundreds of users added) >> ipa-replica-manage - you would want to initialize the master from the >> slave. Please make a backup of your slave first. > Just to make sure I'm getting the thing right: is there any risk for slave during reinitialization? There should not be a risk for the slave. 
> Regards,

From nalin at redhat.com Tue Mar 22 16:53:26 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 22 Mar 2011 12:53:26 -0400
Subject: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords
In-Reply-To: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net>
References: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net>
Message-ID: <20110322165326.GC4859@redhat.com>

On Tue, Mar 22, 2011 at 10:11:47AM -0000, Andy Singleton wrote:
> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
> Everything appears to work fine, with the exception of updating users passwords from the client.

Does running kpasswd instead of passwd work?

The pam_krb5 module exercises a different code path in the client than kpasswd and sssd use, which I think could be sending ipa-kpasswdd a request it doesn't understand. If it does, then you're running into #676526.

HTH,

Nalin

From dpal at redhat.com Tue Mar 22 17:12:48 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 22 Mar 2011 13:12:48 -0400
Subject: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords
In-Reply-To: <4D88AA0E.40308@redhat.com>
References: <1CD40A4DEEA320479C98D8A93A5C690603F41FDE@waterloo.t24uk.tipp24.net> <4D88AA0E.40308@redhat.com>
Message-ID: <4D88D890.4090806@redhat.com>

On 03/22/2011 09:54 AM, Dmitri Pal wrote:
> On 03/22/2011 06:11 AM, Andy Singleton wrote:
>> Hello,
>>
>> I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>>
>> Everything appears to work fine, with the exception of updating users passwords from the client.
>>
>> From the user perspective, I get this:
>>
>> Changing password for user andytest.
>> Kerberos 5 Password:
>> New password:
>> Retype new password:
>> passwd: Authentication token manipulation error
>>
>> From the local secure log, I see this:
>>
>> Mar 22 10:57:19 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
>> Mar 22 10:57:29 rhel6-test2 passwd: pam_unix(passwd:chauthtok): user "andytest" does not exist in /etc/passwd
>> Mar 22 10:58:01 rhel6-test2 passwd: pam_krb5[25306]: password change failed for andytest at LIVE.TIPP24.NET: Cannot contact any KDC for requested realm
>>
>> There are no local or network firewalls between the client and the IPA server, and every other piece of IPA functionality appears to work fine.
>>
>> On the IPA server itself, I see this in krb5kdc:
>>
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): no valid preauth type found: Success
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: PREAUTH_FAILED: andytest at LIVE.TIPP24.NET for kadmin/changepw at LIVE.TIPP24.NET, Preauthentication failed
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: NEEDED_PREAUTH: andytest at LIVE.TIPP24.NET for kadmin/changepw at LIVE.TIPP24.NET, Additional pre-authentication required
>> Mar 22 10:57:26 myipa.mydomain krb5kdc[2255](info): AS_REQ (4 etypes {18 17 16 23}) XX.XX.XX.XX: ISSUE: authtime 1300787846, etypes {rep=18 tkt=18 ses=18}, andytest at LIVE.TIPP24.NET for kadmin/changepw at LIVE.TIPP24.NET
>>
>> nsswitch.conf has the usual stuff:
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>>
>> I'm not sure what else to check.
>>
>> Andy
>
> Sorry, clicked the send button before I typed anything.
> It looks like this is the result of the OID fix we made some time ago.
> We recommend using ipa-client 2.0 with the latest IPA.
> The client in RHEL 6.0 has the bug related to password change that prevents it from working with IPA v2.
> There is no fix for 6.0 yet and since ipa-client in RHEL 6.0 is in tech preview there is no plan to release any asynch errata for it.
> RHEL 6.1 will carry the right version of ipa-client.
> We might be able to build an upstream version of the ipa-client for RHEL but not sooner than we release 2.0 (any time now...).
>
> Please ignore my reply. Mixed the two issues on the list.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From chorn at fluxcoil.net Tue Mar 22 18:34:30 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Tue, 22 Mar 2011 19:34:30 +0100
Subject: [Freeipa-users] Standalone or VM instance of FreeIPA
References: <20110321182503.GA18090@fluxcoil.net>
Message-ID: <20110322183430.GA22191@fluxcoil.net>

Hi,

On Tue, Mar 22, 2011 at 10:49:07AM -0500, Steven Bernstein wrote:
> Would you be able to point me towards an instructable / how-to on that, please?

These were my notes for setting it up on rhel5 some time ago:
http://fluxcoil.net/doku.php/kerberos/3_setup_bind

Yet one has to know some basics to be able to debug things in case it's not running from start.
> Or is the hosts file solution simpler? B/c otherwise I'll try to do both and just show back up here at the list-serv, pouting.

Wasn't sure if FreeIPA was ok with hosts or is really insisting on dns (some other software does), but since Stephen cleared it up it's the much easier solution to go for you.

Christian

From ide4you at gmail.com Wed Mar 23 22:51:16 2011
From: ide4you at gmail.com (Uzor Ide)
Date: Wed, 23 Mar 2011 18:51:16 -0400
Subject: [Freeipa-users] ipa client install
In-Reply-To: <4D88CD66.1000603@redhat.com>
References: <1497443241-1300804466-cardhu_decombobulator_blackberry.rim.net-101926776-@bda057.bisx.prod.on.blackberry> <4D88CD66.1000603@redhat.com>

I have manually enrolled and configured the client. I am able to log into the client and access nfs4 shares. What I am wondering is if there is anything that the client would miss by joining this way. The client authenticates to the ipa-server through sssd. I would like to know if HBAC and centrally managed SUDO and other policy enforcements will fail to work because of the manual enrolment. Note that the host certificate was not generated because of the manual joining.

Thanks

On Tue, Mar 22, 2011 at 12:25 PM, Dmitri Pal wrote:
> On 03/22/2011 10:34 AM, ide4you at gmail.com wrote:
>> Thanks Rob,
>>
>> However the client is a fedora 13 box.
>> There is no client rpm for fedora 13
>
> We do not build F13 any more as the packages and functionality they provide deviated so far between F14-F15 and F13.
>
>> ------Original Message------
>> From: Rob Crittenden
>> To: Uzor Ide
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] ipa client install
>> Sent: Mar 22, 2011 9:44 AM
>>
>> Uzor Ide wrote:
>>> Hi
>>>
>>> Is there a requirement for the same version of client as the server.
>>> I've just installed freeipa server version 2.0 rc3. While on the client side, I have a previously installed client version 2.0 beta1. It would not join the realm.
>>> I had run the client install script to remove the client from another 2.0 beta1 server.
>>> But when I try to run against the new server, to join the server version 2.0 rc3 realm, the discovery goes on smoothly after which I get the following
>>>
>>> Continue to configure the system with these values? [no]: yes
>>>
>>> Joining realm failed: Operation failed! unsupported extended operation
>>> child exited with 9
>>> Certificate subject base is: o=uzdomainco
>>>
>>> The client's kerberos keytab is not updated and none of the config files are updated.
>>> However when you use the command ipa host-find on the server the host is listed.
>>>
>>> Any ideas what the issue would be?
>>>
>>> thanks
>>>
>>> ide
>>
>> A change was made in 2.0rc2 in the release that made pre rc2 clients unable to join rc2 and beyond servers. We changed the LDAP extended operation OID used for doing online enrollment and retrieving keytabs which is why the older clients now fail (we had inadvertently used them in more than one place).
>>
>> You should be able to just upgrade the client rpm and enrollment will work.
>>
>> rob
>>
>> Sent on the TELUS Mobility network with BlackBerry
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
From rcritten at redhat.com Thu Mar 24 00:43:24 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 23 Mar 2011 20:43:24 -0400
Subject: [Freeipa-users] ipa client install
References: <1497443241-1300804466-cardhu_decombobulator_blackberry.rim.net-101926776-@bda057.bisx.prod.on.blackberry> <4D88CD66.1000603@redhat.com>
Message-ID: <4D8A93AC.2040602@redhat.com>

Uzor Ide wrote:
> I have manually enrolled and configured the client. I am able to log into the client and access nfs4 shares. What I am wondering is if there is anything that the client would miss by joining this way. The client authenticates to the ipa-server through sssd. I would like to know if HBAC and centrally managed SUDO and other policy enforcements will fail to work because of the manual enrolment. Note that the host certificate was not generated because of the manual joining.

I guess it means by how you manually joined but based on what you can do I think you covered the major details.

If you have a host service principal in /etc/krb5.keytab and a correctly configured sssd then you are fine for HBAC and nss (users, groups, etc).

SUDO works through nss_ldap so you should be fine there as well.

ipa-client-install doesn't do anything too special, it just makes sure the environment is sane and then sets up sssd.conf, krb5.conf, fetches a host service principal and uses certmonger to get an SSL server cert. This last step is done as a convenience, it otherwise isn't used by IPA. But if you wanted to set up an HTTP server that uses the same PKI as IPA you'd have a certificate and key available.

cheers

rob

>
> Thanks
>
> On Tue, Mar 22, 2011 at 12:25 PM, Dmitri Pal wrote:
>> On 03/22/2011 10:34 AM, ide4you at gmail.com wrote:
>>> Thanks Rob,
>>>
>>> However the client is a fedora 13 box.
>>> There is no client rpm for fedora 13
>>
>> We do not build F13 any more as the packages and functionality they provide deviated so far between F14-F15 and F13.
>>
>>> ------Original Message------
>>> From: Rob Crittenden
>>> To: Uzor Ide
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] ipa client install
>>> Sent: Mar 22, 2011 9:44 AM
>>>
>>> Uzor Ide wrote:
>>>> Hi
>>>>
>>>> Is there a requirement for the same version of client as the server.
>>>> I've just installed freeipa server version 2.0 rc3. While on the client side, I have a previously installed client version 2.0 beta1. It would not join the realm. I had run the client install script to remove the client from another 2.0 beta1 server.
>>>> But when I try to run against the new server, to join the server version 2.0 rc3 realm, the discovery goes on smoothly after which I get the following
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>>
>>>> Joining realm failed: Operation failed! unsupported extended operation
>>>> child exited with 9
>>>> Certificate subject base is: o=uzdomainco
>>>>
>>>> The client's kerberos keytab is not updated and none of the config files are updated.
>>>> However when you use the command ipa host-find on the server the host is listed.
>>>>
>>>> Any ideas what the issue would be?
>>>>
>>>> thanks
>>>>
>>>> ide
>>>
>>> A change was made in 2.0rc2 in the release that made pre rc2 clients unable to join rc2 and beyond servers. We changed the LDAP extended operation OID used for doing online enrollment and retrieving keytabs which is why the older clients now fail (we had inadvertently used them in more than one place).
>>>
>>> You should be able to just upgrade the client rpm and enrollment will work.
>>>
>>> rob
>>>
>>> Sent on the TELUS Mobility network with BlackBerry
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.

From ssorce at redhat.com Thu Mar 24 16:50:10 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 24 Mar 2011 12:50:10 -0400
Subject: [Freeipa-users] ipa client install
In-Reply-To: <4D8A93AC.2040602@redhat.com>
References: <1497443241-1300804466-cardhu_decombobulator_blackberry.rim.net-101926776-@bda057.bisx.prod.on.blackberry> <4D88CD66.1000603@redhat.com> <4D8A93AC.2040602@redhat.com>
Message-ID: <20110324125010.22e2f45e@willson.li.ssimo.org>

On Wed, 23 Mar 2011 20:43:24 -0400 Rob Crittenden wrote:
> Uzor Ide wrote:
>> I have manually enrolled and configured the client. I am able to log into the client and access nfs4 shares. What I am wondering is if there is anything that the client would miss by joining this way. The client authenticates to the ipa-server through sssd. I would like to know if HBAC and centrally managed SUDO and other policy enforcements will fail to work because of the manual enrolment. Note that the host certificate was not generated because of the manual joining.
>
> I guess it means by how you manually joined but based on what you can do I think you covered the major details.
>
> If you have a host service principal in /etc/krb5.keytab and a correctly configured sssd then you are fine for HBAC and nss (users, groups, etc).
>
> SUDO works through nss_ldap so you should be fine there as well.

To avoid confusion (if possible :) sudo uses the nss_ldap config file, but not the nss_ldap code.
So all you need to do is to read the sudo docs to find which file you need to touch.

Of course because sudo doesn't go through sssd (yet) it will not work properly in offline mode, unfortunately.

> ipa-client-install doesn't do anything too special, it just makes sure the environment is sane and then sets up sssd.conf, krb5.conf, fetches a host service principal and uses certmonger to get an SSL server cert. This last step is done as a convenience, it otherwise isn't used by IPA. But if you wanted to set up an HTTP server that uses the same PKI as IPA you'd have a certificate and key available.
>
> cheers

--
Simo Sorce * Red Hat, Inc * New York

From prjctgeek at gmail.com Fri Mar 25 14:43:50 2011
From: prjctgeek at gmail.com (Doug Chapman)
Date: Fri, 25 Mar 2011 07:43:50 -0700
Subject: [Freeipa-users] osx 10.6 setup

Does anyone have updates to the OSX instructions for 10.6 ? (this is for ipa 1.2.x):

http://freeipa.org/page/ConfiguringMacintoshClients

The error I'm getting trying to add our realm (under Accounts -> login options -> Network account server) is:
"An invalid attribute type was provided"

I'm guessing that's referring to a misconfigured DNS SRV record, but before I go down that road I wonder if anyone else has outlined the proper steps?

--
Doug Chapman

From dpal at redhat.com Fri Mar 25 15:03:28 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 25 Mar 2011 11:03:28 -0400
Subject: [Freeipa-users] osx 10.6 setup
Message-ID: <4D8CAEC0.50101@redhat.com>

On 03/25/2011 10:43 AM, Doug Chapman wrote:
> Does anyone have updates to the OSX instructions for 10.6 ?
> (this is for ipa 1.2.x):
>
> http://freeipa.org/page/ConfiguringMacintoshClients
>
> The error I'm getting trying to add our realm (under Accounts -> login options -> Network account server) is:
> "An invalid attribute type was provided"
>
> I'm guessing that's referring to a misconfigured DNS SRV record, but before I go down that road I wonder if anyone else has outlined the proper steps?
>

We have not done anything on MAC for a couple of years so you are in uncharted territory. And we would appreciate it if you gave IPA v2 a try in this setup.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From rcritten at redhat.com Fri Mar 25 18:22:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Mar 2011 14:22:35 -0400
Subject: [Freeipa-users] Announcing FreeIPA v2 Server
Message-ID: <4D8CDD6B.6000703@redhat.com>

The FreeIPA Project (http://freeipa.org) is proud to present FreeIPA version 2.0.

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos and NTP. FreeIPA binds together a number of technologies and adds a web interface and command-line administration tools.
Features of FreeIPA v2.0 include:

* Centralized authentication via Kerberos or LDAP
* Identity management for users, groups, hosts and services
* Pluggable and extensible framework for UI/CLI
* Rich CLI
* Web-based User Interface
* Server X.509 v3 certificate provisioning capabilities
* Managing host identities including grouping hosts
* Defining host-based access control rules that will be enforced on the client side by the IPA back end for SSSD [1]
* Serving netgroups based on user and host objects stored in IPA
* Serving sets of automount maps to different clients
* Finer-grained management delegation
* Group-based password policies
* Centrally-managed SUDO
* Automatic management of private groups
* Compatibility with broad set of clients
* Painless password migration
* Optional integrated DNS server managed by IPA
* Optional integrated Certificate Authority to manage server certificates managed by IPA
* Can act as NIS server for legacy systems
* Supports multi-server deployment based on the multi-master replication
* User and group replication with MS Active Directory

We encourage users and developers to start testing and deploying FreeIPA in their environments. A very simple installation procedure is provided and is part of the effort of making these complex technologies simple to use and friendly to administrators.

We encourage people to experiment and evaluate the current release, we welcome feedback on the overall experience and bug reports [2].

We also would like to encourage interested users and developers to join our mailing list and discuss features and development directions [3].

The complete source code [4] is available for download here:
http://www.freeipa.org/page/Downloads

See our git repository at http://git.fedorahosted.org/git/freeipa.git/ for a complete changelog.

FreeIPA 2.0 is available in Fedora 15, see Known Issues below. You will need to enable the updates-testing repository, e.g.
# yum install freeipa-server --enablerepo=updates-testing

Have Fun!

The FreeIPA Project Team.

---
[1] https://fedorahosted.org/sssd/
[2] https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora (component is ipa)
[3] http://freeipa.org/page/Contribute

Known Issues

* The latest tomcat6 package has not been pushed to updates-testing. You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . The installation will fail restarting the CA with the current tomcat6 package in Fedora 15.
* If the domain and realm do not match you may need to use the --force flag with ipa-client-install.
* Dogtag replication is done separately from IPA replication. The ipa-replica-manage tool does not currently operate on dogtag replication agreements.
* The OCSP URL encoded in dogtag certificates is by default the CA machine that issued the certificate.

Detailed Changelog since FreeIPA v2.0.0 rc3

Adam Young (1):
* pwpolicy priority. Priority is now a required field in order to add a new password policy. Thus, not having the field present means we cannot create one.

Endi S. Dewata (1):
* Removed nested role from UI.

Martin Kosek (2):
* Wait for Directory Server ports to open
* Prevent stacktrace when DNS AAAA record is added

Pavel Zuna (1):
* Update translation file (ipa.pot).

Rob Crittenden (4):
* Always consider domain and server when doing DNS discovery in client.
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
* Ensure that the system hostname is lower-case.
* Automatically update IPA LDAP on rpm upgrades

Simo Sorce (1):
* Domain to Realm. Explicitly use the realm specified on the command line. Many places were assuming that the domain and realm were the same.
* Fix uninitialized variable.
From sigbjorn at nixtra.com Fri Mar 25 19:13:01 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 25 Mar 2011 20:13:01 +0100
Subject: [Freeipa-users] Adding user accounts
Message-ID: <4D8CE93D.20802@nixtra.com>

Hi,

Using --gidnumber when adding a new user with "ipa user-add" does not seem to have any effect. A gid number with the same value as what I specify in with the --uid parameter is chosen.

I presume this is not the way user-add is intended to work?

# ipa user-add mysql14 --first=MySQL --last=Server --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004
--------------------
Added user "mysql14"
--------------------
  User login: mysql14
  First name: MySQL
  Last name: Server
  Full name: MySQL Server
  Display name: MySQL Server
  Initials: MS
  Home directory: /var/lib/mysql
  GECOS field: mysql14
  Login shell: /bin/false
  Kerberos principal: mysql14 at IX.NIXTRA.COM
  UID: 110
  GID: 110

Regards,
Siggi

From janfrode at tanso.net Fri Mar 25 20:21:40 2011
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 25 Mar 2011 21:21:40 +0100
Subject: [Freeipa-users] migrate from LDAP to FreeIPA ?

We run a quite pure RHEL server environment, with users, groups, authentication (ldap bind), sudorules and netgroups all in two master-master replicating 389ds. The users and groups are managed by Sun Identity Manager (SIM), which pushes them to the directory servers -- but we're not really using it and might as well have managed these directly in an LDAP editor. So, it's time to drop SIM, and I'm a bit torn between implementing some simple shell scripts to manage the users/groups in LDAP and take advantage of the new password policy features of 389ds etc., or if we should deploy IPAv2 and get kerberos, nice UIs, machine/service identity and lots more.

So, to my question -- are there any migration guides that can help us move from LDAP to IPA ? Is it a complicated procedure ?
-jf

From rcritten at redhat.com Fri Mar 25 21:14:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 25 Mar 2011 17:14:02 -0400
Subject: [Freeipa-users] migrate from LDAP to FreeIPA ?
Message-ID: <4D8D059A.4000307@redhat.com>

Jan-Frode Myklebust wrote:
> We run a quite pure RHEL server environment, with users, groups, authentication (ldap bind), sudorules and netgroups all in two master-master replicating 389ds. The users and groups are managed by Sun Identity Manager (SIM), which pushes them to the directory servers -- but we're not really using it and might as well have managed these directly in an LDAP editor. So, it's time to drop SIM, and I'm a bit torn between implementing some simple shell scripts to manage the users/groups in LDAP and take advantage of the new password policy features of 389ds etc., or if we should deploy IPAv2 and get kerberos, nice UIs, machine/service identity and lots more.
>
> So, to my question -- are there any migration guides that can help us move from LDAP to IPA ? Is it a complicated procedure ?
>

Shouldn't be too bad. Here is our beta documentation on migration:

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA

From dpal at redhat.com Sat Mar 26 16:21:31 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 26 Mar 2011 12:21:31 -0400
Subject: [Freeipa-users] Adding user accounts
In-Reply-To: <4D8CE93D.20802@nixtra.com>
References: <4D8CE93D.20802@nixtra.com>
Message-ID: <4D8E128B.4090003@redhat.com>

On 03/25/2011 03:13 PM, Sigbjorn Lie wrote:
> Hi,
>
> Using --gidnumber when adding a new user with "ipa user-add" does not seem to have any effect. A gid number with the same value as what I specify in with the --uid parameter is chosen.
>
> I presume this is not the way user-add is intended to work?

We will take a look.
https://fedorahosted.org/freeipa/ticket/1127

Looks like a bug so I filed a ticket.

>
> # ipa user-add mysql14 --first=MySQL --last=Server --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004
> --------------------
> Added user "mysql14"
> --------------------
>   User login: mysql14
>   First name: MySQL
>   Last name: Server
>   Full name: MySQL Server
>   Display name: MySQL Server
>   Initials: MS
>   Home directory: /var/lib/mysql
>   GECOS field: mysql14
>   Login shell: /bin/false
>   Kerberos principal: mysql14 at IX.NIXTRA.COM
>   UID: 110
>   GID: 110
>
> Regards,
> Siggi

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From sigbjorn at nixtra.com Sun Mar 27 22:14:57 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 28 Mar 2011 00:14:57 +0200
Subject: [Freeipa-users] NIS/local files to IPA migration
Message-ID: <4D8FB6E1.1080806@nixtra.com>

Hi,

I have written some scripts for migration from NIS/local files to IPA. They will import the passwd, group, netgroup, and hosts maps.

This is the first version, be aware of bugs. :)

Please read the README file before using.

You can download them from here if you are interested:
http://www.nixtra.com/ipa/NIS-TO-IPA-current.php

Rgds,
Siggi

From mkosek at redhat.com Mon Mar 28 09:10:49 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 28 Mar 2011 11:10:49 +0200
Subject: [Freeipa-users] Adding user accounts
In-Reply-To: <4D8CE93D.20802@nixtra.com>
References: <4D8CE93D.20802@nixtra.com>
Message-ID: <1301303449.3592.8.camel@dhcp-25-52.brq.redhat.com>

On Fri, 2011-03-25 at 20:13 +0100, Sigbjorn Lie wrote:
> Hi,
>
> Using --gidnumber when adding a new user with "ipa user-add" does not seem to have any effect. A gid number with the same value as what I specify in with the --uid parameter is chosen.
>
> I presume this is not the way user-add is intended to work?
>
> # ipa user-add mysql14 --first=MySQL --last=Server --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004
> --------------------
> Added user "mysql14"
> --------------------
>   User login: mysql14
>   First name: MySQL
>   Last name: Server
>   Full name: MySQL Server
>   Display name: MySQL Server
>   Initials: MS
>   Home directory: /var/lib/mysql
>   GECOS field: mysql14
>   Login shell: /bin/false
>   Kerberos principal: mysql14 at IX.NIXTRA.COM
>   UID: 110
>   GID: 110
>
> Regards,
> Siggi
>

Hello Sigbjorn,

it is not common to manually specify GID. Can you please tell me what's your use case for doing that? Maybe I can help with a proper way to do that.

In your case, GID was set to UID because it's the GID of User Private Group "mysql14" which was automatically associated with the user "mysql14".

Martin

From sigbjorn at nixtra.com Mon Mar 28 09:41:46 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 28 Mar 2011 11:41:46 +0200 (CEST)
Subject: [Freeipa-users] Adding user accounts
In-Reply-To: <1301303449.3592.8.camel@dhcp-25-52.brq.redhat.com>
References: <4D8CE93D.20802@nixtra.com> <1301303449.3592.8.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <47093.213.225.75.97.1301305306.squirrel@www.nixtra.com>

On Mon, March 28, 2011 11:10, Martin Kosek wrote:
> On Fri, 2011-03-25 at 20:13 +0100, Sigbjorn Lie wrote:
>
>> Hi,
>>
>> Using --gidnumber when adding a new user with "ipa user-add" does not seem to have any effect. A gid number with the same value as what I specify in with the --uid parameter is chosen.
>>
>> I presume this is not the way user-add is intended to work?
>>
>> # ipa user-add mysql14 --first=MySQL --last=Server --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004
>> --------------------
>> Added user "mysql14"
>> --------------------
>>   User login: mysql14
>>   First name: MySQL
>>   Last name: Server
>>   Full name: MySQL Server
>>   Display name: MySQL Server
>>   Initials: MS
>>   Home directory: /var/lib/mysql
>>   GECOS field: mysql14
>>   Login shell: /bin/false
>>   Kerberos principal: mysql14 at IX.NIXTRA.COM
>>   UID: 110
>>   GID: 110
>>
>> Regards,
>> Siggi
>>
>
> Hello Sigbjorn,
>
> it is not common to manually specify GID. Can you please tell me what's your use case for doing that? Maybe I can help with a proper way to do that.
>
> In your case, GID was set to UID because it's the GID of User Private Group "mysql14" which was automatically associated with the user "mysql14".
>
> Martin
>

Hi Martin,

I discovered this when I was writing scripts to migrate from an existing NIS/local files environment. I agree that this would not be used normally, but when you're migrating from an existing environment it's a requirement. :)

Rgds,
Siggi

From sigbjorn at nixtra.com Mon Mar 28 09:50:01 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 28 Mar 2011 11:50:01 +0200 (CEST)
Subject: [Freeipa-users] Adding user accounts
In-Reply-To: <4D8E128B.4090003@redhat.com>
References: <4D8CE93D.20802@nixtra.com> <4D8E128B.4090003@redhat.com>
Message-ID: <48322.213.225.75.97.1301305801.squirrel@www.nixtra.com>

Thanks.

I also noticed that a group with the same GID number as the user's UID number is automatically created when creating the user account; this is a problem for existing environments that have already used the same ID number for a group.

I see that even after doing a user-mod, changing the GID of the account, the private (invisible) group still exists.

I'm missing an option to choose if I want to create or not create a private group for the user.
Rgds,
Siggi

On Sat, March 26, 2011 18:21, Dmitri Pal wrote:
> On 03/25/2011 03:13 PM, Sigbjorn Lie wrote:
>
>> Hi,
>>
>> Using --gidnumber when adding a new user with "ipa user-add" does not seem to have any effect. A gid number with the same value as what I specify in with the --uid parameter is chosen.
>>
>> I presume this is not the way user-add is intended to work?
>>
>
> We will take a look.
> https://fedorahosted.org/freeipa/ticket/1127
>
> Looks like a bug so I filed a ticket.
>
>>
>> # ipa user-add mysql14 --first=MySQL --last=Server --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004
>> --------------------
>> Added user "mysql14"
>> --------------------
>>   User login: mysql14
>>   First name: MySQL
>>   Last name: Server
>>   Full name: MySQL Server
>>   Display name: MySQL Server
>>   Initials: MS
>>   Home directory: /var/lib/mysql
>>   GECOS field: mysql14
>>   Login shell: /bin/false
>>   Kerberos principal: mysql14 at IX.NIXTRA.COM
>>   UID: 110
>>   GID: 110
>>
>> Regards,
>> Siggi
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>

From steven at whately.me Sat Mar 26 01:41:25 2011
From: steven at whately.me (Steven Whately)
Date: Sat, 26 Mar 2011 12:11:25 +1030
Subject: [Freeipa-users] Regression in adding reverse dns records

Thanks for all the hard work that's gone into V2.0 GA.

I can no longer add reverse dns records.
Either the command has changed, or the new validation added to reverse dns records is broken.

ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1
ipa: ERROR: invalid 'cn': IP address must have exactly 4 components

Cheers
Steve Whately

From steven at whately.me Sat Mar 26 03:07:17 2011
From: steven at whately.me (Steven Whately)
Date: Sat, 26 Mar 2011 13:37:17 +1030
Subject: [Freeipa-users] Regression in adding reverse dns records

My mistake. I was missing the trailing .

Before:
ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1

After:
ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa. 1

Cheers
Steve Whately

On Sat, Mar 26, 2011 at 12:11 PM, Steven Whately wrote:
> Thanks for all the hard work that's gone into V2.0 GA.
>
> I can no longer add reverse dns records.
> Either the command has changed, or the new validation added to reverse dns records is broken.
>
> ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1
> ipa: ERROR: invalid 'cn': IP address must have exactly 4 components
>
> Cheers
> Steve Whately
>

From sgallagh at redhat.com Mon Mar 28 12:26:52 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 28 Mar 2011 08:26:52 -0400
Subject: [Freeipa-users] Regression in adding reverse dns records
Message-ID: <4D907E8C.4050503@redhat.com>

On 03/25/2011 11:07 PM, Steven Whately wrote:
> My mistake. I was missing the trailing .
>
> Before:
> ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1
>
> After:
> ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa. 1
>
> Cheers
> Steve Whately
>
> On Sat, Mar 26, 2011 at 12:11 PM, Steven Whately wrote:
>> Thanks for all the hard work that's gone into V2.0 GA.
>>
>> I can no longer add reverse dns records.
>> Either the command has changed, or the new validation added to reverse dns records is broken.
>>
>> ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1
>> ipa: ERROR: invalid 'cn': IP address must have exactly 4 components
>>

For the record, does that mean that the bug you're reporting was just caused by the typo, or that there's still a bug, but you reported it incorrectly in your first email?

--
Stephen Gallagher
RHCE 804006346421761

From dpal at redhat.com Mon Mar 28 12:31:59 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 28 Mar 2011 08:31:59 -0400
Subject: [Freeipa-users] NIS/local files to IPA migration
In-Reply-To: <4D8FB6E1.1080806@nixtra.com>
References: <4D8FB6E1.1080806@nixtra.com>
Message-ID: <4D907FBF.2090709@redhat.com>

On 03/27/2011 06:14 PM, Sigbjorn Lie wrote:
> Hi,
>
> I have written some scripts for migration from NIS/local files to IPA. They will import the passwd, group, netgroup, and hosts maps.
>
> This is the first version, be aware of bugs. :)
>
> Please read the README file before using.
>
> You can download them from here if you are interested:
> http://www.nixtra.com/ipa/NIS-TO-IPA-current.php

Thank you for the contribution!

I see that it is under GPL v2. Would you mind relicensing it under GPL v3?
http://www.gnu.org/licenses/gpl-3.0.html

Would you be interested in these scripts being incorporated into the project source?

Rob, can you please take a look into this? Should we consider rewriting them in Python and incorporating into the main tool set or leave and use as is?
> > > Rgds, > Siggi > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sigbjorn at nixtra.com Mon Mar 28 13:01:35 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Mar 2011 15:01:35 +0200 (CEST) Subject: [Freeipa-users] NIS/local files to IPA migration In-Reply-To: <4D907FBF.2090709@redhat.com> References: <4D8FB6E1.1080806@nixtra.com> <4D907FBF.2090709@redhat.com> Message-ID: <45284.213.225.75.97.1301317295.squirrel@www.nixtra.com> On Mon, March 28, 2011 14:31, Dmitri Pal wrote: > On 03/27/2011 06:14 PM, Sigbjorn Lie wrote: > >> Hi, >> >> >> I have written some scripts for migration from NIS/local files to IPA. >> They will import the passwd, group, netgroup, and hosts maps. >> >> >> This is the first version, be aware of bugs. :) >> >> >> Please read the README file before using. >> >> >> You can download them from here if you are interested: >> http://www.nixtra.com/ipa/NIS-TO-IPA-current.php >> > > Thank you for the contribution! > I see that it is under GPL v2. Would you mind relicensing it under GPL v3? > http://www.gnu.org/licenses/gpl-3.0.html > > > Would you be interested in these scripts being incorporated into the > project source? Rob, can you please take a look into this? Should we consider rewriting > them in Python and incorporating into the main tool set or leave and use as is? > > >> Sure I can relicense to GPL v3. All I care about is the scripts staying open and free to use. :) You can include as a part of IPA if you would like. I was planning to re-write them all into perl, as my initial efforts to write them in bash for maximum portability didn't work out, and the netgroup and hosts import scripts ended up written in perl. 
I cannot help re-writing to python, I don't know the language. Rgds, Siggi From dpal at redhat.com Mon Mar 28 13:24:33 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 28 Mar 2011 09:24:33 -0400 Subject: [Freeipa-users] NIS/local files to IPA migration In-Reply-To: <45284.213.225.75.97.1301317295.squirrel@www.nixtra.com> References: <4D8FB6E1.1080806@nixtra.com> <4D907FBF.2090709@redhat.com> <45284.213.225.75.97.1301317295.squirrel@www.nixtra.com> Message-ID: <4D908C11.7080502@redhat.com> On 03/28/2011 09:01 AM, Sigbjorn Lie wrote: > On Mon, March 28, 2011 14:31, Dmitri Pal wrote: >> On 03/27/2011 06:14 PM, Sigbjorn Lie wrote: >> >>> Hi, >>> >>> >>> I have written some scripts for migration from NIS/local files to IPA. >>> They will import the passwd, group, netgroup, and hosts maps. >>> >>> >>> This is the first version, be aware of bugs. :) >>> >>> >>> Please read the README file before using. >>> >>> >>> You can download them from here if you are interested: >>> http://www.nixtra.com/ipa/NIS-TO-IPA-current.php >>> >> Thank you for the contribution! >> I see that it is under GPL v2. Would you mind relicensing it under GPL v3? >> http://www.gnu.org/licenses/gpl-3.0.html >> >> >> Would you be interested in these scripts being incorporated into the >> project source? Rob, can you please take a look into this? Should we consider rewriting >> them in Python and incorporating into the main tool set or leave and use as is? >> >> > Sure I can relicense to GPL v3. All I care about is the scripts staying open and free to use. :) > > You can include as a part of IPA if you would like. I was planning to re-write them all into perl, > as my initial efforts to write them in bash for maximum portability didn't work out, and the > netgroup and hosts import scripts ended up written in perl. > > I cannot help re-writing to python, I don't know the language. > Ok, thank you! Can you elaborate a bit about the constraints you have regarding migration. 
As far as I understand you have users and groups with colliding gids and you have to resolve things manually to make things exactly as they were, and IPA as is does not allow you to do so as it always creates a private group with the same GID. I have a stupid question: what is the implication of actually not doing things exactly as they were but rather embracing the IPA model of the unified UID/GID namespace? Is the reason that there are some applications scattered in the enterprise that might have gids configured explicitly in the configuration files (like SUDO for example) and updating those would be a challenge, or is there something else? Thanks Dmitri > Rgds, > Siggi > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sigbjorn at nixtra.com Mon Mar 28 13:26:39 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Mar 2011 15:26:39 +0200 (CEST) Subject: [Freeipa-users] Ethers table? Message-ID: <48485.213.225.75.97.1301318799.squirrel@www.nixtra.com> Hi, We're using the ethers table in NIS today to generate DHCP config files for clients so we can send different TFTP, DNS, etc. options to different clients depending on which type of machine they are (mostly Windows, Linux, etc). At some locations we're also required to only serve IP to clients known by MAC address. I'm missing an ethers table in IPA. Having the MAC address added as an attribute to the host object, and a lookup table for ethers, like hostgroup to netgroup is done, would be very useful. Any plans for this?
Rgds, Siggi From sigbjorn at nixtra.com Mon Mar 28 13:43:18 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Mar 2011 15:43:18 +0200 (CEST) Subject: [Freeipa-users] NIS/local files to IPA migration In-Reply-To: <4D908C11.7080502@redhat.com> References: <4D8FB6E1.1080806@nixtra.com> <4D907FBF.2090709@redhat.com> <45284.213.225.75.97.1301317295.squirrel@www.nixtra.com> <4D908C11.7080502@redhat.com> Message-ID: <50965.213.225.75.97.1301319798.squirrel@www.nixtra.com> On Mon, March 28, 2011 15:24, Dmitri Pal wrote: > On 03/28/2011 09:01 AM, Sigbjorn Lie wrote: > >> On Mon, March 28, 2011 14:31, Dmitri Pal wrote: >> >>> On 03/27/2011 06:14 PM, Sigbjorn Lie wrote: >>> >>> >>>> Hi, >>>> >>>> >>>> >>>> I have written some scripts for migration from NIS/local files to IPA. >>>> They will import the passwd, group, netgroup, and hosts maps. >>>> >>>> >>>> >>>> This is the first version, be aware of bugs. :) >>>> >>>> >>>> >>>> Please read the README file before using. >>>> >>>> >>>> >>>> You can download them from here if you are interested: >>>> http://www.nixtra.com/ipa/NIS-TO-IPA-current.php >>>> >>>> >>> Thank you for the contribution! >>> I see that it is under GPL v2. Would you mind relicensing it under GPL v3? >>> http://www.gnu.org/licenses/gpl-3.0.html >>> >>> >>> >>> Would you be interested in these scripts being incorporated into the >>> project source? Rob, can you please take a look into this? Should we consider rewriting them in >>> Python and incorporating into the main tool set or leave and use as is? >>> >>> >>> >> Sure I can relicense to GPL v3. All I care about is the scripts staying open and free to use. >> :) >> >> >> You can include as a part of IPA if you would like. I was planning to re-write them all into >> perl, as my initial efforts to write them in bash for maximum portability didn't work out, and >> the netgroup and hosts import scripts ended up written in perl. >> >> I cannot help re-writing to python, I don't know the language. 
>> >> > > Ok, thank you! > > > Can you elaborate a bit about the constraints you have regarding migration. > As far as I understand you have users and groups with colliding gids and > you have to resolve things manually to make things exactly as they were and IPA as is does not > allow you to do so as it always creates a private group with the same GID. > > I have a stupid question: what is the implication of actually not doing > things exactly as they were but rather embracing the IPA model of the unified UID/GID namespace? Is > the reason that there are some applications scattered in the enterprise that might have gids > configured explicitly in the configuration files (like SUDO for example) and updating those would > be a challenge or there is something else? > That question is not stupid. However...:) Migrating group IDs is possible, but quite a job. We just moved a few users' UIDs as they had been in the enterprise for very many years, and had dangerously low UIDs. Searching through the file servers for files belonging to these few users using a "find -exec chown ..." took 3 days. Migrating GIDs would also take a very long time. Secondly, any files restored from backup would have the wrong uid/gid. Several of our clients have a retention time of 10 years for backups. That's quite some time to keep a mapping table over new/old uids/gids. Third, we would need to map our applications to see if any of them store or use the GID. As you can see, migrating to IPA just became a much more time-consuming and higher-risk project than it could be. Is there a reason why the approach with a private group per user is forcibly chosen? Rgds, Siggi From dpal at redhat.com Mon Mar 28 13:49:01 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 28 Mar 2011 09:49:01 -0400 Subject: [Freeipa-users] Ethers table?
In-Reply-To: <48485.213.225.75.97.1301318799.squirrel@www.nixtra.com> References: <48485.213.225.75.97.1301318799.squirrel@www.nixtra.com> Message-ID: <4D9091CD.1080200@redhat.com> On 03/28/2011 09:26 AM, Sigbjorn Lie wrote: > Hi, > > We're using the ethers table in NIS today to generate DHCP config files for clients to we can send > different TFTP,DNS,etc options to different clients depening on which type of machine they are > (mostly Windows, Linux, etc). At some locations we're also required to only serve IP to clients > known by mac address. > > I'm missing a ethers table in IPA. Having the MAC address added as an attribute to the host > object, and a lookup table for ethers, like hostgroup to netgroup is done would be very useful. > > Any plans for this? > Please file a ticket with the request and describe the requirement in as many details as you can. https://fedorahosted.org/freeipa > Rgds, > Siggi > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Mon Mar 28 13:57:09 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 28 Mar 2011 09:57:09 -0400 Subject: [Freeipa-users] Regression in adding reverse dns records In-Reply-To: References: Message-ID: <4D9093B5.1060704@redhat.com> Steven Whately wrote: > My mistake. I was missing the trailing . > Before: > ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1 > After: > ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa. 1 > > Cheers > Steve Whately A bit of a lousy error message though. I filed https://fedorahosted.org/freeipa/ticket/1129 so we can try to improve it. 
thanks rob > > On Sat, Mar 26, 2011 at 12:11 PM, Steven Whately wrote: >> Thanks for all the hard work thats gone into V2.0 GA. >> >> I can no-longer add reverse dns records. >> Either the command has changed, or the new validation added to reverse >> dns records is broken. >> >> ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1 >> ipa: ERROR: invalid 'cn': IP address must have exactly 4 components >> >> Cheers >> Steve Whately >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Mon Mar 28 14:02:48 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 28 Mar 2011 10:02:48 -0400 Subject: [Freeipa-users] Adding user accounts In-Reply-To: <48322.213.225.75.97.1301305801.squirrel@www.nixtra.com> References: <4D8CE93D.20802@nixtra.com> <4D8E128B.4090003@redhat.com> <48322.213.225.75.97.1301305801.squirrel@www.nixtra.com> Message-ID: <4D909508.2010802@redhat.com> Sigbjorn Lie wrote: > Thanks. > > I also noticed that a group with the same GID number as the users UID number is automatically > created when creating the user account, this is a problem for existing environments who's already > used the same ID number for a group. > > I see that even after doing a user-mod, changing the GID of the account, the private (invisible) > group still exists. > > I'm missing an option to choose if I want to create or not create a private group for the user. There currently isn't an option for that. You can delete a managed group this way: $ ipa user-add --first=Tim --last=Test ttest You now have a group ttest too, lets delete it. $ ipa group-detach ttest $ ipa group-del ttest The first command detaches it from the user (this is not reversible) and the second removes it altogether. 
rob > > > Rgds, > Siggi > > > > > > > On Sat, March 26, 2011 18:21, Dmitri Pal wrote: >> On 03/25/2011 03:13 PM, Sigbjorn Lie wrote: >> >>> Hi, >>> >>> >>> Using --gidnumber when adding a new user with "ipa user-add" does not >>> seem to have any effect. A gid number with the same value as what I specify in with the --uid >>> parameter is chosen. >>> >>> I presume this is not the way user-add is intended to work? >>> >> >> We will take a look. >> https://fedorahosted.org/freeipa/ticket/1127 >> >> >> Looks like a bug so I filed a ticket. >> >> >> >>> >>> >>> # ipa user-add mysql14 --first=MySQL --last=Server >>> --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004 >>> -------------------- >>> Added user "mysql14" >>> -------------------- >>> User login: mysql14 >>> First name: MySQL >>> Last name: Server >>> Full name: MySQL Server >>> Display name: MySQL Server >>> Initials: MS >>> Home directory: /var/lib/mysql >>> GECOS field: mysql14 >>> Login shell: /bin/false >>> Kerberos principal: mysql14 at IX.NIXTRA.COM >>> UID: 110 >>> GID: 110 >>> >>> >>> >>> >>> Regards, >>> Siggi >>> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> >> ------------------------------- >> Looking to carve out IT costs? 
>> www.redhat.com/carveoutcosts/ >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From sigbjorn at nixtra.com Mon Mar 28 14:40:52 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Mar 2011 16:40:52 +0200 (CEST) Subject: [Freeipa-users] Adding user accounts In-Reply-To: <4D909508.2010802@redhat.com> References: <4D8CE93D.20802@nixtra.com> <4D8E128B.4090003@redhat.com> <48322.213.225.75.97.1301305801.squirrel@www.nixtra.com> <4D909508.2010802@redhat.com> Message-ID: <51110.213.225.75.97.1301323252.squirrel@www.nixtra.com> Fantastic! Thanks. I will update my scripts. Is there any downside to doing this? Rgds, Siggi On Mon, March 28, 2011 16:02, Rob Crittenden wrote: > Sigbjorn Lie wrote: > >> Thanks. >> >> >> I also noticed that a group with the same GID number as the users UID number is automatically >> created when creating the user account, this is a problem for existing environments who's >> already used the same ID number for a group. >> >> I see that even after doing a user-mod, changing the GID of the account, the private >> (invisible) >> group still exists. >> >> I'm missing an option to choose if I want to create or not create a private group for the user. >> > > There currently isn't an option for that. You can delete a managed group > this way: > > $ ipa user-add --first=Tim --last=Test ttest > > > You now have a group ttest too, lets delete it. > > > $ ipa group-detach ttest > $ ipa group-del ttest > > > The first command detaches it from the user (this is not reversible) and > the second removes it altogether. 
> > rob > >> >> >> Rgds, >> Siggi >> >> >> >> >> >> >> >> On Sat, March 26, 2011 18:21, Dmitri Pal wrote: >> >>> On 03/25/2011 03:13 PM, Sigbjorn Lie wrote: >>> >>> >>>> Hi, >>>> >>>> >>>> >>>> Using --gidnumber when adding a new user with "ipa user-add" does not >>>> seem to have any effect. A gid number with the same value as what I specify in with the >>>> --uid >>>> parameter is chosen. >>>> >>>> I presume this is not the way user-add is intended to work? >>>> >>>> >>> >>> We will take a look. >>> https://fedorahosted.org/freeipa/ticket/1127 >>> >>> >>> >>> Looks like a bug so I filed a ticket. >>> >>> >>> >>> >>>> >>>> >>>> # ipa user-add mysql14 --first=MySQL --last=Server >>>> --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004 >>>> -------------------- >>>> Added user "mysql14" >>>> -------------------- >>>> User login: mysql14 >>>> First name: MySQL >>>> Last name: Server >>>> Full name: MySQL Server >>>> Display name: MySQL Server >>>> Initials: MS >>>> Home directory: /var/lib/mysql >>>> GECOS field: mysql14 >>>> Login shell: /bin/false >>>> Kerberos principal: mysql14 at IX.NIXTRA.COM >>>> UID: 110 >>>> GID: 110 >>>> >>>> >>>> >>>> >>>> >>>> Regards, >>>> Siggi >>>> >>>> >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> >>> >>> Sr. Engineering Manager IPA project, >>> Red Hat Inc. >>> >>> >>> >>> >>> ------------------------------- >>> Looking to carve out IT costs? 
>>> www.redhat.com/carveoutcosts/ >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > From sigbjorn at nixtra.com Mon Mar 28 14:45:58 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Mar 2011 16:45:58 +0200 (CEST) Subject: [Freeipa-users] Ethers table? In-Reply-To: <4D9091CD.1080200@redhat.com> References: <48485.213.225.75.97.1301318799.squirrel@www.nixtra.com> <4D9091CD.1080200@redhat.com> Message-ID: <43697.213.225.75.97.1301323558.squirrel@www.nixtra.com> Done, thanks. Rgds, Siggi On Mon, March 28, 2011 15:49, Dmitri Pal wrote: > On 03/28/2011 09:26 AM, Sigbjorn Lie wrote: > >> Hi, >> >> >> We're using the ethers table in NIS today to generate DHCP config files for clients to we can >> send different TFTP,DNS,etc options to different clients depening on which type of machine they >> are (mostly Windows, Linux, etc). At some locations we're also required to only serve IP to >> clients known by mac address. >> >> I'm missing a ethers table in IPA. Having the MAC address added as an attribute to the host >> object, and a lookup table for ethers, like hostgroup to netgroup is done would be very useful. >> >> Any plans for this? >> >> > > > Please file a ticket with the request and describe the requirement in as > many details as you can. https://fedorahosted.org/freeipa > > >> Rgds, >> Siggi >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > -- > Thank you, > Dmitri Pal > > > Sr. Engineering Manager IPA project, > Red Hat Inc. 
> > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > From rcritten at redhat.com Mon Mar 28 14:50:14 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 28 Mar 2011 10:50:14 -0400 Subject: [Freeipa-users] Adding user accounts In-Reply-To: <51110.213.225.75.97.1301323252.squirrel@www.nixtra.com> References: <4D8CE93D.20802@nixtra.com> <4D8E128B.4090003@redhat.com> <48322.213.225.75.97.1301305801.squirrel@www.nixtra.com> <4D909508.2010802@redhat.com> <51110.213.225.75.97.1301323252.squirrel@www.nixtra.com> Message-ID: <4D90A026.2010302@redhat.com> Sigbjorn Lie wrote: > Fantastic! Thanks. I will update my scripts. > > Is there any downside to doing this? One thing I should warn you of though that we've run into from time to time. Some of our LDAP operations are done as post-operations, that is they execute after the data has been returned to the client. Managed Entries (private groups) is one of these. I can definitely see the case where you try to detach a managed group that hasn't quite finished being created yet. I'd probably put a 1 or 2 second sleep after the user creation to be sure, even if it does slow things considerably. We're working with the 389-ds devs on this. There is the tradeoff of speed vs correctness (users don't like watching a blinking prompt). Some of these post-ops could take a while. rob > > > > Rgds, > Siggi > > > > > On Mon, March 28, 2011 16:02, Rob Crittenden wrote: >> Sigbjorn Lie wrote: >> >>> Thanks. >>> >>> >>> I also noticed that a group with the same GID number as the users UID number is automatically >>> created when creating the user account, this is a problem for existing environments who's >>> already used the same ID number for a group. 
>>> >>> I see that even after doing a user-mod, changing the GID of the account, the private >>> (invisible) >>> group still exists. >>> >>> I'm missing an option to choose if I want to create or not create a private group for the user. >>> >> >> There currently isn't an option for that. You can delete a managed group >> this way: >> >> $ ipa user-add --first=Tim --last=Test ttest >> >> >> You now have a group ttest too, lets delete it. >> >> >> $ ipa group-detach ttest >> $ ipa group-del ttest >> >> >> The first command detaches it from the user (this is not reversible) and >> the second removes it altogether. >> >> rob >> >>> >>> >>> Rgds, >>> Siggi >>> >>> >>> >>> >>> >>> >>> >>> On Sat, March 26, 2011 18:21, Dmitri Pal wrote: >>> >>>> On 03/25/2011 03:13 PM, Sigbjorn Lie wrote: >>>> >>>> >>>>> Hi, >>>>> >>>>> >>>>> >>>>> Using --gidnumber when adding a new user with "ipa user-add" does not >>>>> seem to have any effect. A gid number with the same value as what I specify in with the >>>>> --uid >>>>> parameter is chosen. >>>>> >>>>> I presume this is not the way user-add is intended to work? >>>>> >>>>> >>>> >>>> We will take a look. >>>> https://fedorahosted.org/freeipa/ticket/1127 >>>> >>>> >>>> >>>> Looks like a bug so I filed a ticket. >>>> >>>> >>>> >>>> >>>>> >>>>> >>>>> # ipa user-add mysql14 --first=MySQL --last=Server >>>>> --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004 >>>>> -------------------- >>>>> Added user "mysql14" >>>>> -------------------- >>>>> User login: mysql14 >>>>> First name: MySQL >>>>> Last name: Server >>>>> Full name: MySQL Server >>>>> Display name: MySQL Server >>>>> Initials: MS >>>>> Home directory: /var/lib/mysql >>>>> GECOS field: mysql14 >>>>> Login shell: /bin/false >>>>> Kerberos principal: mysql14 at IX.NIXTRA.COM >>>>> UID: 110 >>>>> GID: 110 >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> Regards, >>>>> Siggi >>>>> >>>>> >>>> >>>> >>>> -- >>>> Thank you, >>>> Dmitri Pal >>>> >>>> >>>> >>>> Sr. 
Engineering Manager IPA project, >>>> Red Hat Inc. >>>> >>>> >>>> >>>> >>>> ------------------------------- >>>> Looking to carve out IT costs? >>>> www.redhat.com/carveoutcosts/ >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>> >>>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> > > From dpal at redhat.com Mon Mar 28 14:56:20 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 28 Mar 2011 10:56:20 -0400 Subject: [Freeipa-users] Adding user accounts In-Reply-To: <4D90A026.2010302@redhat.com> References: <4D8CE93D.20802@nixtra.com> <4D8E128B.4090003@redhat.com> <48322.213.225.75.97.1301305801.squirrel@www.nixtra.com> <4D909508.2010802@redhat.com> <51110.213.225.75.97.1301323252.squirrel@www.nixtra.com> <4D90A026.2010302@redhat.com> Message-ID: <4D90A194.2010101@redhat.com> On 03/28/2011 10:50 AM, Rob Crittenden wrote: > Sigbjorn Lie wrote: >> Fantastic! Thanks. I will update my scripts. >> >> Is there any downside to doing this? > > One thing I should warn you of though that we've run into from time to > time. Some of our LDAP operations are done as post-operations, that is > they execute after the data has been returned to the client. Managed > Entries (private groups) is one of these. I can definitely see the > case where you try to detach a managed group that hasn't quite > finished being created yet. I'd probably put a 1 or 2 second sleep > after the user creation to be sure, even if it does slow things > considerably. > > We're working with the 389-ds devs on this. There is the tradeoff of > speed vs correctness (users don't like watching a blinking prompt). > Some of these post-ops could take a while. 
I think we should seriously consider a -noprivategroup option > > rob > >> >> >> >> Rgds, >> Siggi >> >> >> >> >> On Mon, March 28, 2011 16:02, Rob Crittenden wrote: >>> Sigbjorn Lie wrote: >>> >>>> Thanks. >>>> >>>> >>>> I also noticed that a group with the same GID number as the users >>>> UID number is automatically >>>> created when creating the user account, this is a problem for >>>> existing environments who's >>>> already used the same ID number for a group. >>>> >>>> I see that even after doing a user-mod, changing the GID of the >>>> account, the private >>>> (invisible) >>>> group still exists. >>>> >>>> I'm missing an option to choose if I want to create or not create a >>>> private group for the user. >>>> >>> >>> There currently isn't an option for that. You can delete a managed >>> group >>> this way: >>> >>> $ ipa user-add --first=Tim --last=Test ttest >>> >>> >>> You now have a group ttest too, lets delete it. >>> >>> >>> $ ipa group-detach ttest >>> $ ipa group-del ttest >>> >>> >>> The first command detaches it from the user (this is not reversible) >>> and >>> the second removes it altogether. >>> >>> rob >>> >>>> >>>> >>>> Rgds, >>>> Siggi >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> On Sat, March 26, 2011 18:21, Dmitri Pal wrote: >>>> >>>>> On 03/25/2011 03:13 PM, Sigbjorn Lie wrote: >>>>> >>>>> >>>>>> Hi, >>>>>> >>>>>> >>>>>> >>>>>> Using --gidnumber when adding a new user with "ipa user-add" does >>>>>> not >>>>>> seem to have any effect. A gid number with the same value as what >>>>>> I specify in with the >>>>>> --uid >>>>>> parameter is chosen. >>>>>> >>>>>> I presume this is not the way user-add is intended to work? >>>>>> >>>>>> >>>>> >>>>> We will take a look. >>>>> https://fedorahosted.org/freeipa/ticket/1127 >>>>> >>>>> >>>>> >>>>> Looks like a bug so I filed a ticket. 
>>>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>> # ipa user-add mysql14 --first=MySQL --last=Server >>>>>> --homedir=/var/lib/mysql --shell=/bin/false --uid=110 >>>>>> --gidnumber=3004 >>>>>> -------------------- >>>>>> Added user "mysql14" >>>>>> -------------------- >>>>>> User login: mysql14 >>>>>> First name: MySQL >>>>>> Last name: Server >>>>>> Full name: MySQL Server >>>>>> Display name: MySQL Server >>>>>> Initials: MS >>>>>> Home directory: /var/lib/mysql >>>>>> GECOS field: mysql14 >>>>>> Login shell: /bin/false >>>>>> Kerberos principal: mysql14 at IX.NIXTRA.COM >>>>>> UID: 110 >>>>>> GID: 110 >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Regards, >>>>>> Siggi >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Thank you, >>>>> Dmitri Pal >>>>> >>>>> >>>>> >>>>> Sr. Engineering Manager IPA project, >>>>> Red Hat Inc. >>>>> >>>>> >>>>> >>>>> >>>>> ------------------------------- >>>>> Looking to carve out IT costs? >>>>> www.redhat.com/carveoutcosts/ >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> >>>>> >>>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> >>> >> >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
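The migration procedure worked out in this thread (add each user with its original UID, wait for the managed private group to appear, detach and delete it so that an existing NIS group can reuse the number, then set the real primary GID with user-mod) is collected below as an added editorial example in Python. It is not code from the thread, from Siggi's scripts or from the FreeIPA project. It assumes the ipa CLI behaviour described above and, in addition, the standard FreeIPA 2 commands ipa group-add --gid, ipa group-add-member --users and ipa group-show, which are not shown in the thread. The passwd and group maps it parses are constructed samples; the plan is only printed, not executed, so it can be reviewed before being run against a server.

```python
#!/usr/bin/env python3
"""Plan a NIS passwd/group import into FreeIPA 2 that keeps the old UID/GID numbers.

Added example, not code from this thread or from the FreeIPA project. It assumes
the behaviour described in the thread: 'ipa user-add' creates a managed private
group named after the login with gid == uid, 'ipa group-detach' + 'ipa group-del'
remove it, and 'ipa user-mod --gidnumber' sets the primary group afterwards.
'ipa group-add --gid', 'ipa group-add-member --users' and 'ipa group-show' are
standard FreeIPA 2 commands assumed here but not shown in the thread.
"""
import shlex
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "login uid gid gecos home shell")
GroupEntry = namedtuple("GroupEntry", "name gid members")

# Constructed sample maps: two users whose UIDs are already used as GIDs of other
# groups (the collision Siggi describes) and one user without a clash.
SAMPLE_PASSWD = """\
mysql14:x:110:3004:MySQL Server:/var/lib/mysql:/bin/false
alice:x:3004:3004:Alice Example:/home/alice:/bin/bash
bob:x:1001:100:Bob Example:/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
dba:x:110:alice
staff:x:3004:bob
users:x:100:
"""


def parse_passwd(text):
    """Parse passwd(5) lines as dumped by 'ypcat passwd': login:x:uid:gid:gecos:home:shell."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        users.append(PasswdEntry(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return users


def parse_group(text):
    """Parse group(5) lines as dumped by 'ypcat group': name:x:gid:member1,member2."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError("malformed group line: %r" % line)
        groups.append(GroupEntry(f[0], int(f[2]), [m for m in f[3].split(",") if m]))
    return groups


def private_group_collisions(users, groups):
    """Map login -> NIS group name for every user whose automatic private group
    (named after the login, gid == uid) would clash with an existing group by
    number or by name. A group that already matches both is not a clash."""
    clashes = {}
    for u in users:
        for g in groups:
            same_gid, same_name = g.gid == u.uid, g.name == u.login
            if (same_gid or same_name) and not (same_gid and same_name):
                clashes.setdefault(u.login, g.name)
    return clashes


def split_gecos(login, gecos):
    """'ipa user-add' requires --first and --last; derive them from the GECOS full name."""
    parts = gecos.split(",")[0].split()
    if len(parts) >= 2:
        return parts[0], " ".join(parts[1:])
    return (parts[0] if parts else login), login


def plan_import(users, groups):
    """Return the ordered shell commands that recreate the maps in IPA.

    Users go in first, every private group is removed before any real group is
    added (so a NIS group reusing the same number or name cannot collide), and
    the primary GIDs are set last, once every group exists.
    """
    q = shlex.quote
    cmds = []
    for u in sorted(users, key=lambda x: x.uid):
        first, last = split_gecos(u.login, u.gecos)
        cmds.append(" ".join(q(a) for a in [
            "ipa", "user-add", u.login, "--first=" + first, "--last=" + last,
            "--homedir=" + u.home, "--shell=" + u.shell,
            "--uid=%d" % u.uid, "--gidnumber=%d" % u.gid]))
        # The private group is created by a post-operation plugin, so it may not
        # exist yet when user-add returns; poll for it rather than sleeping blindly.
        cmds.append("until ipa group-show %s >/dev/null 2>&1; do sleep 1; done" % q(u.login))
        cmds.append("ipa group-detach %s" % q(u.login))  # not reversible
        cmds.append("ipa group-del %s" % q(u.login))
    for g in sorted(groups, key=lambda x: x.gid):
        cmds.append("ipa group-add %s --gid=%d" % (q(g.name), g.gid))
        if g.members:  # primary membership via the passwd gid needs no explicit add
            cmds.append("ipa group-add-member %s --users=%s" % (q(g.name), ",".join(g.members)))
    for u in users:
        # user-add's --gidnumber was observed to be ignored (ticket 1127); set it again.
        cmds.append("ipa user-mod %s --gidnumber=%d" % (q(u.login), u.gid))
    return cmds


if __name__ == "__main__":
    users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for login, gname in sorted(private_group_collisions(users, groups).items()):
        print("# private group for %s would collide with NIS group %s" % (login, gname))
    print("set -e")
    print("\n".join(plan_import(users, groups)))
```

Run it with real map dumps substituted for the samples and pipe the output into a shell only after reading it: group-detach cannot be undone, and the collision report at the top tells you which users would have failed with a fixed-order import. Polling ipa group-show replaces the fixed sleep Rob suggests, so the script waits exactly as long as the post-operation takes on that server.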
www.redhat.com/carveoutcosts/

From roland.kaeser at intersoft-networks.ch Mon Mar 28 15:56:02 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Mon, 28 Mar 2011 17:56:02 +0200 (CEST)
Subject: [Freeipa-users] FreeIPA 2 on F14
In-Reply-To:
Message-ID:

Hello

Just tried to install 2.0 on an F14. It tells me that freeipa-server-2.0rc3 requires 389-ds-base 1.2.8 but only 1.2.7 is available. Can I also use 389-ds-base-1.2.7, and is it actually possible to install FreeIPA on F14? I wouldn't like to use F15 because it's already beta.

Regards

Roland

--
------------------------------------------------------------------------------------------------------------------------------
Those who give up their liberty in favour of security will in the end have neither, and do not deserve either. (Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------

From rcritten at redhat.com Mon Mar 28 16:11:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 28 Mar 2011 12:11:56 -0400
Subject: [Freeipa-users] FreeIPA 2 on F14
In-Reply-To:
References:
Message-ID: <4D90B34C.1000607@redhat.com>

Roland Kaeser wrote:
> Hello
>
> Just tried to install 2.0 on an F14. It tells me that
> freeipa-server-2.0rc3 requires 389-ds-base 1.2.8 but available is only
> 1.2.7.
> Can I also use 389-ds-base-1.2.7 and is it actually possible to install
> freeipa on F14? I wouldn't like to use F15 because it's already beta.
>
> Regards
>
> Roland

I didn't add the 2.0.0 GA builds for our devel repo. The GA release is in Fedora 15 and rawhide. The problem with Fedora 14 is we require dogtag 9 and while it works fine the dogtag team hasn't really done a lot of their own testing and AFAIU don't want to certify that it works in production.
I did a great majority of the IPA development in F-14 and dogtag really works fine there but I'm not sure I'd want to put my infrastructure on non-official bits.

That said, it should work fine, you'd just have to build it yourself. You should be able to get the F-15 srpm from http://koji.fedoraproject.org/koji/buildinfo?buildID=235696 and do a mock build of it:

mock -r fedora-14-x86_64 freeipa-2.0.0-1.fc15.src.rpm

You'll also want to enable updates-testing and add this repo to get dogtag to actually install it:

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

regards

rob

From roland.kaeser at intersoft-networks.ch Mon Mar 28 17:59:01 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Mon, 28 Mar 2011 19:59:01 +0200 (CEST)
Subject: [Freeipa-users] FreeIPA 2 on F14
In-Reply-To: <4D90B34C.1000607@redhat.com>
Message-ID:

Hello

Thanks a lot. Worked fine. FreeIPA is up and running. Btw: thanks for all the development work on it.

Sorry for this additional off-topic question: the IPA server is part of a pilot project to establish a new network software stack based on FreeIPA and OpenAFS for a company-wide authentication and network file system. I did some extended googling for setting up OpenAFS but couldn't find good documentation for it. Do you know of some good howtos to install OpenAFS and integrate it with Kerberos?

Regards

Roland

----- Original Message -----
From: "Rob Crittenden"
To: "Roland Käser"
CC: freeipa-users at redhat.com
Sent: Monday, 28 March 2011 18:11:56
Subject: Re: [Freeipa-users] FreeIPA 2 on F14

Roland Kaeser wrote:
> Hello
>
> Just tried to install 2.0 on an F14. It tells me that
> freeipa-server-2.0rc3 requires 389-ds-base 1.2.8 but available is only
> 1.2.7.
> Can I also use 389-ds-base-1.2.7 and is it actually possible to install
> freeipa on F14? I wouldn't like to use F15 because it's already beta.
> > Regards
> > Roland

I didn't add the 2.0.0 GA builds for our devel repo. The GA release is in Fedora 15 and rawhide. The problem with Fedora 14 is we require dogtag 9 and while it works fine the dogtag team hasn't really done a lot of their own testing and AFAIU don't want to certify that it works in production.

I did a great majority of the IPA development in F-14 and dogtag really works fine there but I'm not sure I'd want to put my infrastructure on non-official bits.

That said, it should work fine, you'd just have to build it yourself. You should be able to get the F-15 srpm from http://koji.fedoraproject.org/koji/buildinfo?buildID=235696 and do a mock build of it:

mock -r fedora-14-x86_64 freeipa-2.0.0-1.fc15.src.rpm

You'll also want to enable updates-testing and add this repo to get dogtag to actually install it:

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

regards

rob

--
InterSoft Networks
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11
------------------------------------------------------------------------------------------------------------------------------
Those who give up their liberty in favour of security will in the end have neither, and do not deserve either.
(Benjamin Franklin) ------------------------------------------------------------------------------------------------------------------------------ From sigbjorn at nixtra.com Mon Mar 28 18:05:14 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 28 Mar 2011 20:05:14 +0200 Subject: [Freeipa-users] Adding user accounts In-Reply-To: <4D90A194.2010101@redhat.com> References: <4D8CE93D.20802@nixtra.com> <4D8E128B.4090003@redhat.com> <48322.213.225.75.97.1301305801.squirrel@www.nixtra.com> <4D909508.2010802@redhat.com> <51110.213.225.75.97.1301323252.squirrel@www.nixtra.com> <4D90A026.2010302@redhat.com> <4D90A194.2010101@redhat.com> Message-ID: <4D90CDDA.1050208@nixtra.com> I have updated the NIS-TO-IPA scripts with the suggestions for private group workarounds from Rob, and the license updated to GPL v3 as suggested by Dmitri. Download link is still the same: http://www.nixtra.com/ipa/NIS-TO-IPA-current.php A -noprivategroup option is very much welcome. Shall I open a request in bugzilla? Rgds, Siggi On 03/28/2011 04:56 PM, Dmitri Pal wrote: > On 03/28/2011 10:50 AM, Rob Crittenden wrote: >> Sigbjorn Lie wrote: >>> Fantastic! Thanks. I will update my scripts. >>> >>> Is there any downside to doing this? >> One thing I should warn you of though that we've run into from time to >> time. Some of our LDAP operations are done as post-operations, that is >> they execute after the data has been returned to the client. Managed >> Entries (private groups) is one of these. I can definitely see the >> case where you try to detach a managed group that hasn't quite >> finished being created yet. I'd probably put a 1 or 2 second sleep >> after the user creation to be sure, even if it does slow things >> considerably. >> >> We're working with the 389-ds devs on this. There is the tradeoff of >> speed vs correctness (users don't like watching a blinking prompt). >> Some of these post-ops could take a while. 
> I think we should seriously consider a -noprivategroup option > > >> rob >> >>> >>> >>> Rgds, >>> Siggi >>> >>> >>> >>> >>> On Mon, March 28, 2011 16:02, Rob Crittenden wrote: >>>> Sigbjorn Lie wrote: >>>> >>>>> Thanks. >>>>> >>>>> >>>>> I also noticed that a group with the same GID number as the users >>>>> UID number is automatically >>>>> created when creating the user account, this is a problem for >>>>> existing environments who's >>>>> already used the same ID number for a group. >>>>> >>>>> I see that even after doing a user-mod, changing the GID of the >>>>> account, the private >>>>> (invisible) >>>>> group still exists. >>>>> >>>>> I'm missing an option to choose if I want to create or not create a >>>>> private group for the user. >>>>> >>>> There currently isn't an option for that. You can delete a managed >>>> group >>>> this way: >>>> >>>> $ ipa user-add --first=Tim --last=Test ttest >>>> >>>> >>>> You now have a group ttest too, lets delete it. >>>> >>>> >>>> $ ipa group-detach ttest >>>> $ ipa group-del ttest >>>> >>>> >>>> The first command detaches it from the user (this is not reversible) >>>> and >>>> the second removes it altogether. >>>> >>>> rob >>>> >>>>> >>>>> Rgds, >>>>> Siggi >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Sat, March 26, 2011 18:21, Dmitri Pal wrote: >>>>> >>>>>> On 03/25/2011 03:13 PM, Sigbjorn Lie wrote: >>>>>> >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> >>>>>>> >>>>>>> Using --gidnumber when adding a new user with "ipa user-add" does >>>>>>> not >>>>>>> seem to have any effect. A gid number with the same value as what >>>>>>> I specify in with the >>>>>>> --uid >>>>>>> parameter is chosen. >>>>>>> >>>>>>> I presume this is not the way user-add is intended to work? >>>>>>> >>>>>>> >>>>>> We will take a look. >>>>>> https://fedorahosted.org/freeipa/ticket/1127 >>>>>> >>>>>> >>>>>> >>>>>> Looks like a bug so I filed a ticket. 
>>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> # ipa user-add mysql14 --first=MySQL --last=Server >>>>>>> --homedir=/var/lib/mysql --shell=/bin/false --uid=110 >>>>>>> --gidnumber=3004 >>>>>>> -------------------- >>>>>>> Added user "mysql14" >>>>>>> -------------------- >>>>>>> User login: mysql14 >>>>>>> First name: MySQL >>>>>>> Last name: Server >>>>>>> Full name: MySQL Server >>>>>>> Display name: MySQL Server >>>>>>> Initials: MS >>>>>>> Home directory: /var/lib/mysql >>>>>>> GECOS field: mysql14 >>>>>>> Login shell: /bin/false >>>>>>> Kerberos principal: mysql14 at IX.NIXTRA.COM >>>>>>> UID: 110 >>>>>>> GID: 110 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Regards, >>>>>>> Siggi >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Thank you, >>>>>> Dmitri Pal >>>>>> >>>>>> >>>>>> >>>>>> Sr. Engineering Manager IPA project, >>>>>> Red Hat Inc. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ------------------------------- >>>>>> Looking to carve out IT costs? >>>>>> www.redhat.com/carveoutcosts/ >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-users mailing list >>>>>> Freeipa-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> >>>>>> >>>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> >>>> >>> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > From Steven.Jones at vuw.ac.nz Mon Mar 28 21:30:20 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 28 Mar 2011 21:30:20 +0000 Subject: [Freeipa-users] FreeIPA 2 on F14/RHEl 6.1 Message-ID: <833D8E48405E064EBC54C84EC6B36E400290D4@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi. I see IPA 2.0 is F15.....uh..... Is free-ipa 2.0 going to be put into RHEL6.1? ie Im assuming that F14 will become 6.1? 
sometime in the next few months?

Or should I assume that since ipa2.0 is in F15 only we won't see anything vaguely usable till 6.2 sometime near the end of the year?

The reason for this is I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept), so I'm assuming it will be available in 6.1 with full capability in 6.2... is this a correct assumption?

So to do this I have to put together a huge virtualised test bed of NAS, SAN, clients and Shibboleth-type stuff to test our systems; that's a lot of work to re-do.

So should I abandon IPA on F14 and go to F15? And then delay things until the end of the year? Or next year? What is the roadmap, please?

regards

From Steven.Jones at vuw.ac.nz Mon Mar 28 21:32:03 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 28 Mar 2011 21:32:03 +0000
Subject: [Freeipa-users] FreeIPA 2 on F14 / RHEL 6.1
Message-ID: <833D8E48405E064EBC54C84EC6B36E400290D0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi.

Is FreeIPA going to be put into RHEL 6.1? i.e. I'm assuming that F14 will become 6.1?

Or should I assume that since ipa2 is in F15 we won't see anything till 6.2 sometime near the end of the year?

I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept), so I'm assuming it will be available in 6.1 with full capability in 6.2... is this a correct assumption?

I have to put together a huge virtualised test bed to test our systems; that's a lot of work to re-do. So should I abandon F14 and go to F15 and then delay things until the end of the year? Or next year?
regards

From dpal at redhat.com Mon Mar 28 22:15:49 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 28 Mar 2011 18:15:49 -0400
Subject: [Freeipa-users] FreeIPA 2 on F14/RHEl 6.1
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400290D4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400290D4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D910895.6070908@redhat.com>

On 03/28/2011 05:30 PM, Steven Jones wrote:
> Hi.
>
> I see IPA 2.0 is F15.....uh.....
>
> Is FreeIPA 2.0 going to be put into RHEL 6.1? i.e. I'm assuming that F14 will become 6.1? sometime in the next few months?
>
> Or should I assume that since ipa2.0 is in F15 only we won't see anything vaguely usable till 6.2 sometime near the end of the year?
>
> The reason for this is I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept), so I'm assuming it will be available in 6.1 with full capability in 6.2... is this a correct assumption?

Your assumption is correct. IPA is planned for 6.1 as a tech preview in the same shape as FreeIPA v2. We will be working on 2.1 for several months now. It will be a stabilization release. See the Trac instance for the list of the issues we plan to address. The intent is to have 2.1, or core parts of it, ported to RHEL and released as a fully supported version in 6.2.

So I guess you do not need to delay or abandon your plans.

Hope this helps.

> So to do this I have to put together a huge virtualised test bed of NAS, SAN, clients and Shibboleth-type stuff to test our systems; that's a lot of work to re-do.
>
> So should I abandon IPA on F14 and go to F15? And then delay things until the end of the year? Or next year? What is the roadmap, please?
>
> regards
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Mon Mar 28 22:25:38 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 28 Mar 2011 22:25:38 +0000
Subject: [Freeipa-users] FreeIPA 2 on F14/RHEl 6.1
In-Reply-To: <4D910895.6070908@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400290D4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D910895.6070908@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40029112@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Thanks, close enough....

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 29 March 2011 11:15 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2 on F14/RHEl 6.1

On 03/28/2011 05:30 PM, Steven Jones wrote:
> Hi.
>
> I see IPA 2.0 is F15.....uh.....
>
> Is FreeIPA 2.0 going to be put into RHEL 6.1? i.e. I'm assuming that F14 will become 6.1? sometime in the next few months?
>
> Or should I assume that since ipa2.0 is in F15 only we won't see anything vaguely usable till 6.2 sometime near the end of the year?
>
> The reason for this is I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept), so I'm assuming it will be available in 6.1 with full capability in 6.2... is this a correct assumption?

Your assumption is correct. IPA is planned for 6.1 as a tech preview in the same shape as FreeIPA v2. We will be working on 2.1 for several months now. It will be a stabilization release. See the Trac instance for the list of the issues we plan to address. The intent is to have 2.1, or core parts of it, ported to RHEL and released as a fully supported version in 6.2.

So I guess you do not need to delay or abandon your plans.

Hope this helps.
> So to do this I have to put together a huge virtualised test bed of NAS, SAN, clients and shiboleth type stuff to test our systems that's a lot of work to re-do. > > So should I abandon ipa on F14 and go to F15? and then delay things until the end of the year? or next year? what is the roadmap pls? > > regards > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Mon Mar 28 23:45:48 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 28 Mar 2011 23:45:48 +0000 Subject: [Freeipa-users] replica install failure.... 
Message-ID: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz> Just tried to make a replica and the install failed with, [4/11]: configuring certificate server instance root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255 creation of replica failed: Configuration of CA failed Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. 
[root at fed14-64-ipam002 jonesst1]#

From Steven.Jones at vuw.ac.nz Tue Mar 29 00:08:59 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 00:08:59 +0000
Subject: [Freeipa-users] client setup failure
Message-ID: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Trying to set up a fed14 client, and since DNS is on the AD server (dc0002) there is no dns_discovery... so as per the doc I ran the install and it should ask me for the info... but it fails with,

Complete!
[root at fed14-64-cli01 yum.repos.d]# ipa-client-install
DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com): ipa.ac.nz
Retrieving CA from dc0002.ipa.ac.nz failed.
Command '/usr/bin/wget -O /tmp/tmpzR381G/ca.crt http://dc0002.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 4
[root at fed14-64-cli01 yum.repos.d]#

So it's asking the DNS server for the cert, which doesn't have it, instead of the IPA server... which does.

I think the install script needs some work....

regards

From Steven.Jones at vuw.ac.nz Tue Mar 29 02:24:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 02:24:41 +0000
Subject: [Freeipa-users] AD setup failure
Message-ID: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Following the install guide I get,

[root at fed14-64-ipam001 samba]# ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \
> --bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Usage: ipa-replica-manage [options]

ipa-replica-manage: error: must provide a command [force-sync | disconnect | list | del | connect | re-initialize]
[root at fed14-64-ipam001 samba]#

So it's connect instead of add.....?
Nope, connect fails

root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
[root at fed14-64-ipam001 samba]#

So section 4.4 in the manual needs fixing I think.... and what do I actually type, please?

regards

From Steven.Jones at vuw.ac.nz Tue Mar 29 03:13:35 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 03:13:35 +0000
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>

Got a bit further....... I was missing "--passsync"

[root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
[root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
unexpected error: Failed to setup winsync replication
[root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
dc0001.ipa.ac.nz has address 192.168.101.2
[root at fed14-64-ipam001 samba]#

But still isn't working.........
regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Tuesday, 29 March 2011 3:24 p.m. To: freeipa-users at redhat.com Subject: [Freeipa-users] AD setup failure Following the install guide I get, [root at fed14-64-ipam001 samba]# ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \ > --bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v Usage: ipa-replica-manage [options] ipa-replica-manage: error: must provide a command [force-sync | disconnect | list | del | connect | re-initialize] [root at fed14-64-ipam001 samba]# So its connect instead of add.....? Nope connect fails root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement [root at fed14-64-ipam001 samba]# So section 4.4 in the manual needs fixing i think....and what do I actually type pls? regards _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From mkosek at redhat.com Tue Mar 29 08:09:07 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 29 Mar 2011 10:09:07 +0200 Subject: [Freeipa-users] replica install failure.... 
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1301386147.3592.21.camel@dhcp-25-52.brq.redhat.com>

On Mon, 2011-03-28 at 23:45 +0000, Steven Jones wrote:
> Just tried to make a replica and the install failed with,
>
> [4/11]: configuring certificate server instance
> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
> creation of replica failed: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root at fed14-64-ipam002 jonesst1]# > Hello Steven, can you please send me a version of tomcat6 server on your Fedora 15 with IPA replica? This is most probably a known issue which was stated in Freeipa v2 announcement: [Freeipa-devel] Announcing FreeIPA v2 Server [snip] Known Issues * The latest tomcat6 package has not been pushed to updates-testing. You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . The installation will fail restarting the CA with the current tomcat6 package in Fedora 15. [snip] If this is your case, you may want to install the RPMs from koji or just install them from rawhide repository. Regards, Martin From mkosek at redhat.com Tue Mar 29 08:20:52 2011 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 29 Mar 2011 10:20:52 +0200 Subject: [Freeipa-users] client setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> On Tue, 2011-03-29 at 00:08 +0000, Steven Jones wrote: > Trying to set up a fed14 cleint and since DNS is on the AD server (dc0002) there is no dns_discovery....so as per doc I ran the install and it should ask me for the info....but it fails with, > > Complete! > [root at fed14-64-cli01 yum.repos.d]# ipa-client-install > DNS discovery failed to determine your DNS domain > Please provide the domain name of your IPA server (ex: example.com): ipa.ac.nz > Retrieving CA from dc0002.ipa.ac.nz failed. > Command '/usr/bin/wget -O /tmp/tmpzR381G/ca.crt http://dc0002.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 4 > [root at fed14-64-cli01 yum.repos.d]# > > So its asking the dns server for the cert which doesnt have it instead of the ipa server....which does. > > I think the install script needs some work.... 
> > regards

What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client installation uses this DNS record in the autodiscovery of the IPA server in the given DNS domain. You may want to check the DNS record or set the domain and server manually:

# ipa-client-install --server= --domain=

Regards,
Martin

From tomasz.napierala at allegro.pl Tue Mar 29 10:49:32 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Tue, 29 Mar 2011 12:49:32 +0200
Subject: [Freeipa-users] client setup failure
In-Reply-To: <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz> <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com>
Message-ID:

On 2011-03-29, at 10:20, Martin Kosek wrote:

> On Tue, 2011-03-29 at 00:08 +0000, Steven Jones wrote:
>
> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
> installation uses this DNS record in the autodiscovery of the IPA server in
> the given DNS domain.

In an AD-managed zone that would be the domain controller itself.

pz
--
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, ul. Marcelińska 90, entered in the register of entrepreneurs kept by the District Court Poznań - Nowe Miasto i Wilda, 8th Commercial Division of the National Court Register, under KRS number 0000268796, with share capital of PLN 33,474,500, tax identification number NIP: 5272525995.
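The SRV-based autodiscovery Martin and Tomasz describe, as an added worked example in Python. This is not FreeIPA's client code; it illustrates the mechanism rather than reproducing it. The SRV answer, the `lookup_srv` stand-in and the allow-list `KNOWN_IPA_SERVERS` are constructed (hostnames are the ones from this thread). It shows why a client in an AD-managed zone ends up at the domain controller, the --server override as the way out, and a fingerprint pin to apply before trusting a ca.crt fetched over plain HTTP from whatever host DNS happened to name.

```python
"""Added example (not FreeIPA's client code, which it illustrates rather than
reproduces): how SRV autodiscovery picks a host, why an AD-managed zone sends
the client to the domain controller, and a pin to check before trusting a
ca.crt fetched over plain HTTP from whatever host DNS named."""
import base64
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def select_srv(records: Iterable[Srv], rng: Optional[random.Random] = None) -> Optional[Srv]:
    """RFC 2782 selection: lowest priority wins; weighted random within it."""
    records = list(records)
    if not records:
        return None
    rng = rng or random.Random(0)          # seeded only to keep the example deterministic
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    total = sum(r.weight for r in pool)
    if total == 0:
        return pool[0]
    pick = rng.randrange(total)
    for r in pool:
        pick -= r.weight
        if pick < 0:
            return r
    return pool[-1]


# Constructed DNS data for the thread's scenario: the AD DC (dc0002) publishes
# _ldap._tcp for ipa.ac.nz, so SRV alone leads a client to the DC, not to IPA.
CONSTRUCTED_SRV = {
    "_ldap._tcp.ipa.ac.nz": [Srv(0, 100, 389, "dc0002.ipa.ac.nz")],
}
# Assumed allow-list of IPA servers, taken from your own inventory rather than DNS.
KNOWN_IPA_SERVERS = frozenset({"fed14-64-ipam001.ipa.ac.nz", "fed14-64-ipam002.ipa.ac.nz"})


def lookup_srv(name: str) -> List[Srv]:
    """Stand-in for a real DNS query (returns the constructed data above)."""
    return list(CONSTRUCTED_SRV.get(name, []))


def discover_ipa_server(domain: str,
                        srv_lookup: Callable[[str], List[Srv]] = lookup_srv,
                        server_override: Optional[str] = None,
                        known: frozenset = KNOWN_IPA_SERVERS) -> str:
    """Host to enrol against; an explicit --server skips discovery entirely."""
    if server_override:
        return server_override
    rec = select_srv(srv_lookup(f"_ldap._tcp.{domain}"))
    if rec is None:
        raise LookupError(f"no _ldap._tcp SRV record for {domain}")
    if rec.target not in known:
        raise LookupError(f"SRV for {domain} points at {rec.target}, "
                          "which is not an IPA server; use --server/--domain")
    return rec.target


def pem_to_der(pem: bytes) -> bytes:
    body = pem.split(b"-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split(b"-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode(b"".join(body.split()))


def wrap_pem(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def ca_fingerprint(pem: bytes) -> str:
    """SHA-256 over the DER, the value `openssl x509 -noout -fingerprint -sha256` shows."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def ca_matches_pin(pem: bytes, expected: str) -> bool:
    """Compare the fetched ca.crt against a fingerprint obtained out of band."""
    return hmac.compare_digest(ca_fingerprint(pem), expected.replace(":", "").lower())
```

With the constructed zone, `discover_ipa_server("ipa.ac.nz")` raises because the only SRV target is dc0002, while `discover_ipa_server("ipa.ac.nz", server_override="fed14-64-ipam001.ipa.ac.nz")` returns the override untouched, which is the --server workaround from the thread. The pin check is the step the thread's client skips: it makes the CA fetched over http:// only as trustworthy as a fingerprint you carried to the host yourself.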
From mkosek at redhat.com Tue Mar 29 10:52:41 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 29 Mar 2011 12:52:41 +0200
Subject: [Freeipa-users] client setup failure
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz> <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <1301395961.3592.33.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-03-29 at 12:49 +0200, tomasz.napierala at allegro.pl wrote:
> On 2011-03-29, at 10:20, Martin Kosek wrote:
>
> > On Tue, 2011-03-29 at 00:08 +0000, Steven Jones wrote:
> >
> > What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
> > installation uses this DNS record in the autodiscovery of the IPA server in
> > the given DNS domain.
>
> In an AD-managed zone that would be the domain controller itself.
>
> pz

You are right. In that case the autodiscovery has to be skipped and the --server/--domain parameters need to be added to the client installation script manually.

Martin

From rcritten at redhat.com Tue Mar 29 13:37:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 09:37:21 -0400
Subject: [Freeipa-users] replica install failure....
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D91E091.6080805@redhat.com>

Steven Jones wrote:
> Just tried to make a replica and the install failed with,
>
> [4/11]: configuring certificate server instance
> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
> creation of replica failed: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root at fed14-64-ipam002 jonesst1]#

You'll need to take a look in /var/log/ipareplica-install.log for more
details on why the install failed.

What distro is this, F-15?

rob

From rcritten at redhat.com Tue Mar 29 13:41:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 09:41:41 -0400
Subject: [Freeipa-users] client setup failure
In-Reply-To: <1301395961.3592.33.camel@dhcp-25-52.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz> <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <1301395961.3592.33.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4D91E195.6090807@redhat.com>

Martin Kosek wrote:
> On Tue, 2011-03-29 at 12:49 +0200, tomasz.napierala at allegro.pl wrote:
>> On 2011-03-29, at 10:20, Martin Kosek wrote:
>>
>>> On Tue, 2011-03-29 at 00:08 +0000, Steven Jones wrote:
>>>
>>> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>>> installation uses this DNS record in an autodiscovery of the IPA server in
>>> the given DNS domain.
>>
>> In an AD managed zone that would be the domain controller itself.
>>
>> pz
>
> You are right. In that case the autodiscovery has to be skipped and the
> --server/--domain parameters need to be added to the client installation
> script manually.
>
> Martin

Yes, please try with --server as a workaround.

This is a rather tricky one. We fetch the IPA CA so we can make a TLS
connection and gather some data for autodiscovery. I guess we need to
make the failure to retrieve the CA non-fatal, I'm just not sure what
other implications that will have. I thought we passed along the
provided server to autodiscovery so this wouldn't happen.

I've opened https://fedorahosted.org/freeipa/ticket/1135 to track this.
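The discovery behaviour Martin and Rob describe, as an added Python illustration; this is example code written for this page, not part of the thread and not ipa-client-install's own code. In a zone that Active Directory manages, the `_ldap._tcp.<domain>` SRV records name the domain controllers, so a client that follows them arrives at dc0001.ipa.ac.nz rather than at an IPA server. The block applies the RFC 2782 selection order (lowest priority first, weighted random draw within a priority) to a constructed SRV answer, accepts a candidate only if it hands out the IPA CA, and short-circuits to an explicitly given server, which is the --server workaround. The record set, the `fake_resolve_srv` and `fake_has_ipa_ca` stand-ins, and the hosts dc0002 and dc-backup are all constructed for the example.

```python
import random
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer: priority, weight, port, target host."""
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_lines(lines: Iterable[str]) -> List[SrvRecord]:
    """Parse 'dig +short SRV'-style lines: '<priority> <weight> <port> <target>'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        prio, weight, port, target = line.split()
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order SRV answers the way RFC 2782 tells a client to try them: ascending
    priority, and within one priority a weighted random draw in which weight-0
    records are listed first so they are picked only when nothing else is."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            candidates = sorted(group, key=lambda r: r.weight != 0)  # weight 0 first
            total = sum(r.weight for r in candidates)
            point = rng.randint(0, total)      # uniform over [0, total]
            running = 0
            for pick in candidates:            # first record whose running sum >= point
                running += pick.weight
                if running >= point:
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def choose_ipa_server(domain: str,
                      resolve_srv: Callable[[str], List[SrvRecord]],
                      has_ipa_ca: Callable[[str], bool],
                      explicit_server: Optional[str] = None,
                      rng: Optional[random.Random] = None) -> Optional[str]:
    """Pick the host to enrol against.

    With --server given, use it and do not consult DNS at all (the workaround
    from the thread). Otherwise walk _ldap._tcp.<domain> in RFC 2782 order and
    take the first target that actually serves the IPA CA. In an AD-managed
    zone every SRV target is a domain controller and none of them does, so the
    result is None rather than a DC silently treated as the IPA server.
    """
    if explicit_server:
        return explicit_server
    for rec in order_srv(resolve_srv(f"_ldap._tcp.{domain}"), rng):
        if has_ipa_ca(rec.target):
            return rec.target
    return None


# Constructed SRV answer for _ldap._tcp.ipa.ac.nz as an AD-managed zone would
# return it. dc0001.ipa.ac.nz is the DC named in the thread; the other two
# hosts are made up for the example.
AD_ZONE_SRV = """
0 100 389 dc0001.ipa.ac.nz.
0 100 389 dc0002.ipa.ac.nz.
10 0 389 dc-backup.ipa.ac.nz.
"""

# Hosts that, for the purposes of the example, serve the IPA CA certificate.
IPA_SERVERS = {"fed14-64-ipam001.ipa.ac.nz"}


def fake_resolve_srv(name: str) -> List[SrvRecord]:
    """Stand-in for the resolver; a real client would query DNS here."""
    if name == "_ldap._tcp.ipa.ac.nz":
        return parse_srv_lines(AD_ZONE_SRV.splitlines())
    return []


def fake_has_ipa_ca(host: str) -> bool:
    """Stand-in for fetching and validating the IPA CA from a candidate host."""
    return host in IPA_SERVERS


if __name__ == "__main__":
    print("autodiscovery only:", choose_ipa_server("ipa.ac.nz", fake_resolve_srv, fake_has_ipa_ca))
    print("with --server:     ", choose_ipa_server("ipa.ac.nz", fake_resolve_srv, fake_has_ipa_ca,
                                                   explicit_server="fed14-64-ipam001.ipa.ac.nz"))
```

Run on its own it yields None for the autodiscovery path and fed14-64-ipam001.ipa.ac.nz for the --server path, which is the gap between the failing enrolment and the workaround. The CA check on each candidate is the point Rob raises: a client that treats the SRV target as authoritative before it has confirmed the host serves the IPA CA will happily hand its join to whatever the AD zone lists.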
thanks

rob

From rcritten at redhat.com Tue Mar 29 13:50:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 09:50:35 -0400
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D91E3AB.1090004@redhat.com>

Steven Jones wrote:
> Got a bit further.......I was missing "--passsync"

I think you were using the V1 documentation. The "Enterprise Identity
Management Guide" is what you want off freeipa.org in the Documentation
section.

>
> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
> unexpected error: Failed to setup winsync replication
> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
> dc0001.ipa.ac.nz has address 192.168.101.2
> [root at fed14-64-ipam001 samba]#
>
> But still isn't working.........

I think you have the wrong AD cert. -8179 translates to "Certificate is
signed by an unknown issuer". Can you verify that you have the AD CA
certificate?
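One way to check what Rob asks for, as an added Python example that is not part of the thread and is not NSS or FreeIPA code. NSS error -8179 is SEC_ERROR_UNKNOWN_ISSUER: the certificate the domain controller presented was issued by something that is not in the trust database, which is what happens when the file given to --cacert is the DC's own server certificate rather than the certificate of the CA that issued it. The block builds a throwaway CA and a DC certificate signed by it (both constructed; "Example AD CA" is a made-up name, dc0001.ipa.ac.nz is the hostname from the thread), classifies a candidate --cacert file by its BasicConstraints and issuer/subject, and checks whether that candidate actually issued the DC certificate. It assumes the `cryptography` package is installed.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

SEC_ERROR_UNKNOWN_ISSUER = -8179   # the NSS error code quoted in the thread


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def load_cert(data: bytes) -> x509.Certificate:
    """Accept PEM or DER; .cer files exported from Windows are often DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_certificate(data)
    return x509.load_der_x509_certificate(data)


def make_ca(cn: str):
    """Constructed self-signed CA: issuer == subject, CA:TRUE, keyCertSign."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
                                         key_encipherment=False, data_encipherment=False,
                                         key_agreement=False, key_cert_sign=True, crl_sign=True,
                                         encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_server_cert(ca_key, ca_cert, hostname: str) -> x509.Certificate:
    """Constructed end-entity certificate for an LDAP server, issued by the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(hostname)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def classify_anchor(data: bytes) -> str:
    """Say what kind of certificate a candidate --cacert file holds."""
    cert = load_cert(data)
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False
    if is_ca and cert.issuer == cert.subject:
        return "root CA"
    if is_ca:
        return "intermediate CA"
    return "end-entity (server) certificate, not a CA"


def verify_issued_by(leaf_data: bytes, anchor_data: bytes) -> int:
    """0 if `anchor` issued `leaf` (issuer name matches and the signature
    verifies), else SEC_ERROR_UNKNOWN_ISSUER, mirroring the NSS code."""
    leaf, anchor = load_cert(leaf_data), load_cert(anchor_data)
    if leaf.issuer != anchor.subject:
        return SEC_ERROR_UNKNOWN_ISSUER
    try:
        anchor.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return SEC_ERROR_UNKNOWN_ISSUER
    return 0


def demo() -> dict:
    """Build the constructed CA and DC certificate and try each as --cacert."""
    ca_key, ca_cert = make_ca("Example AD CA")                   # constructed name
    dc_cert = make_server_cert(ca_key, ca_cert, "dc0001.ipa.ac.nz")
    ca_pem = ca_cert.public_bytes(serialization.Encoding.PEM)
    dc_pem = dc_cert.public_bytes(serialization.Encoding.PEM)
    return {
        "dc_cert_kind": classify_anchor(dc_pem),
        "ca_cert_kind": classify_anchor(ca_pem),
        "dc_as_anchor": verify_issued_by(dc_pem, dc_pem),   # the DC's own cert as trust anchor
        "ca_as_anchor": verify_issued_by(dc_pem, ca_pem),   # the issuing CA as trust anchor
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The classification answers the question directly: a file that comes back as an end-entity certificate cannot act as a trust anchor for anything, and verifying the DC certificate against it reproduces the -8179 result, while verifying against the issuing CA returns 0. To apply it to a real file, read the .cer passed to --cacert into `classify_anchor`, and the certificate the DC presents on port 636 into `verify_issued_by` alongside it.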
rob

From Steven.Jones at vuw.ac.nz Tue Mar 29 19:10:38 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 19:10:38 +0000
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <4D91E3AB.1090004@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400295FB@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

It would be the self cert off the AD controller I got made for me....that is the limit of my knowledge on AD.... I will ask the MS ppl when they get in.........

regards

Steven

From Steven.Jones at vuw.ac.nz Tue Mar 29 19:23:12 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 19:23:12 +0000
Subject: [Freeipa-users] replica install failure....
In-Reply-To: <1301386147.3592.21.camel@dhcp-25-52.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386147.3592.21.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4002961B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

This is F14, guess you missed the hostnames...

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Martin Kosek [mkosek at redhat.com]
Sent: Tuesday, 29 March 2011 9:09 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replica install failure....

On Mon, 2011-03-28 at 23:45 +0000, Steven Jones wrote:
> Just tried to make a replica and the install failed with,
>
> [4/11]: configuring certificate server instance
> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
> creation of replica failed: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root at fed14-64-ipam002 jonesst1]#
>

Hello Steven,

can you please send me the version of the tomcat6 server on your Fedora 15 with the IPA replica?

This is most probably a known issue which was stated in the FreeIPA v2 announcement:

[Freeipa-devel] Announcing FreeIPA v2 Server
[snip]
Known Issues
* The latest tomcat6 package has not been pushed to updates-testing. You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . The installation will fail restarting the CA with the current tomcat6 package in Fedora 15.
[snip]

If this is your case, you may want to install the RPMs from koji or just install them from the rawhide repository.

Regards,
Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue Mar 29 19:26:04 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 19:26:04 +0000
Subject: [Freeipa-users] client setup failure
In-Reply-To: <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

The DNS is in AD so it can't be set to suit IPA....

I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.

8><--------

What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
installation uses this DNS record in an autodiscovery of the IPA server in
the given DNS domain.
You may want to check the DNS record or set the domain and server
manually:

# ipa-client-install --server= --domain=

Regards,
Martin

From Steven.Jones at vuw.ac.nz Tue Mar 29 19:27:03 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 19:27:03 +0000
Subject: [Freeipa-users] client setup failure
In-Reply-To: <1301395961.3592.33.camel@dhcp-25-52.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz> <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> , <1301395961.3592.33.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40029630@STAWINCOX10MBX1.staff.vuw.ac.nz>

How do I add these manually to the script?

regards

From Steven.Jones at vuw.ac.nz Tue Mar 29 19:29:25 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 19:29:25 +0000
Subject: [Freeipa-users] client setup failure
In-Reply-To: <4D91E195.6090807@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz> <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <1301395961.3592.33.camel@dhcp-25-52.brq.redhat.com>, <4D91E195.6090807@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4002963E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I can't use --server or --domain, the install script ignores those........it insists on going to AD for its info....

regards

From dpal at redhat.com Tue Mar 29 19:29:47 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 29 Mar 2011 15:29:47 -0400
Subject: [Freeipa-users] client setup failure
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D92332B.4010108@redhat.com>

On 03/29/2011 03:26 PM, Steven Jones wrote:
> Hi,
>
> The DNS is in AD so it can't be set to suit IPA....
>
> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.
>
> 8><--------
>
> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
> installation uses this DNS record in an autodiscovery of the IPA server in
> the given DNS domain.
>
> You may want to check the DNS record or set the domain and server
> manually:
>
> # ipa-client-install --server= --domain=
>

That was the bug that we fixed last week.
Rob, did it make the GA? Or are the bits you are using not GA?

> Regards,
> Martin

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Mar 29 19:08:50 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 19:08:50 +0000
Subject: [Freeipa-users] replica install failure....
In-Reply-To: <4D91E091.6080805@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E091.6080805@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400295F1@STAWINCOX10MBX1.staff.vuw.ac.nz>

F14
IPA-2.0-rc3
===============

2011-03-28 23:37:29,052 DEBUG /usr/sbin/ipa-replica-install was invoked with argument "replica-info-fed14-64-ipam002.ipa.ac.nz.gpg" and options: {'no_forwarders': False, 'setup_pkinit': True, 'no_host_dns': False, 'no_reverse': False, 'setup_dns': False, 'forwarders': None, 'debug': False, 'conf_ntp': True, 'unattended': False}
2011-03-28 23:37:29,052 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-28 23:37:29,052 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:35,681 DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpygiLqWipa/ipa-0JuP__/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpygiLqWipa/files.tar -d replica-info-fed14-64-ipam002.ipa.ac.nz.gpg
2011-03-28 23:37:35,682 DEBUG stdout=
2011-03-28 23:37:35,682 DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpygiLqWipa/ipa-0JuP__/.gnupg'
gpg: keyring `/tmp/tmpygiLqWipa/ipa-0JuP__/.gnupg/secring.gpg' created
gpg: keyring
`/tmp/tmpygiLqWipa/ipa-0JuP__/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
2011-03-28 23:37:35,686 DEBUG args=tar xf /tmp/tmpygiLqWipa/files.tar -C /tmp/tmpygiLqWipa
2011-03-28 23:37:35,687 DEBUG stdout=
2011-03-28 23:37:35,687 DEBUG stderr=tar: realm_info/ldappwd: time stamp 2011-03-29 11:37:36 is 43200.314994836 s in the future
tar: realm_info/http_pin.txt: time stamp 2011-03-29 11:37:35 is 43199.314835063 s in the future
tar: realm_info/cacert.p12: time stamp 2011-03-29 11:37:33 is 43197.314667199 s in the future
tar: realm_info/ca.crt: time stamp 2011-03-29 11:37:36 is 43200.31454535 s in the future
tar: realm_info/realm_info: time stamp 2011-03-29 11:37:36 is 43200.314436529 s in the future
tar: realm_info/pwdfile.txt.orig: time stamp 2011-03-29 11:37:35 is 43199.314326755 s in the future
tar: realm_info/configure.jar: time stamp 2011-03-29 11:37:36 is 43200.314210218 s in the future
tar: realm_info/httpcert.p12: time stamp 2011-03-29 11:37:36 is 43200.314100775 s in the future
tar: realm_info/dscert.p12: time stamp 2011-03-29 11:37:35 is 43199.313990749 s in the future
tar: realm_info/pwdfile.txt: time stamp 2011-03-29 11:37:35 is 43199.313887882 s in the future
tar: realm_info/kpasswd.keytab: time stamp 2011-03-29 11:37:36 is 43200.313777439 s in the future
tar: realm_info/dirsrv_pin.txt: time stamp 2011-03-29 11:37:33 is 43197.313586943 s in the future
tar: realm_info/ra.p12: time stamp 2011-03-29 11:37:36 is 43200.313470433 s in the future
tar: realm_info/preferences.html: time stamp 2011-03-29 11:37:36 is 43200.313358277 s in the future
tar: realm_info: time stamp 2011-03-29 11:37:36 is 43200.313290539 s in the future
2011-03-28 23:37:35,693 DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
2011-03-28 23:37:35,693 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
2011-03-28 23:37:35,705 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
2011-03-28 23:37:35,743 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
2011-03-28 23:37:35,743 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
2011-03-28 23:37:35,744 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
2011-03-28 23:37:35,752 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
2011-03-28 23:37:35,755 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
2011-03-28 23:37:35,757 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
2011-03-28 23:37:35,762 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/entitle.py'
2011-03-28 23:37:35,763 DEBUG skipping plugin module ipalib.plugins.entitle: No module named rhsm.connection
2011-03-28 23:37:35,763 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
2011-03-28 23:37:35,765 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
2011-03-28 23:37:35,769 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
2011-03-28 23:37:35,770 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
2011-03-28 23:37:35,771 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
2011-03-28 23:37:35,778 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
2011-03-28 23:37:35,779 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
2011-03-28 23:37:35,780 DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
2011-03-28 23:37:35,781 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
2011-03-28 23:37:35,782 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
2011-03-28 23:37:35,784 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
2011-03-28 23:37:35,784 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
2011-03-28 23:37:35,787 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
2011-03-28 23:37:35,788 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
2011-03-28 23:37:35,790 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
2011-03-28 23:37:35,790 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
2011-03-28 23:37:35,791 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
2011-03-28 23:37:35,792 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
2011-03-28 23:37:35,812 DEBUG args=klist -V
2011-03-28 23:37:35,812 DEBUG stdout=Kerberos 5 version 1.8.2
2011-03-28 23:37:35,812 DEBUG stderr=
2011-03-28 23:37:35,815 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
2011-03-28 23:37:35,816 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
2011-03-28 23:37:35,818 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
2011-03-28 23:37:35,818 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
2011-03-28 23:37:35,820 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
2011-03-28 23:37:35,821 DEBUG importing plugin module
'/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
2011-03-28 23:37:35,828 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
2011-03-28 23:37:35,834 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
2011-03-28 23:37:35,835 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/xmlclient.py'
2011-03-28 23:37:35,835 DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipaserver/plugins'...
2011-03-28 23:37:35,835 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py'
2011-03-28 23:37:35,973 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/join.py'
2011-03-28 23:37:35,975 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py'
2011-03-28 23:37:35,975 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/rabase.py'
2011-03-28 23:37:35,975 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/selfsign.py'
2011-03-28 23:37:35,975 DEBUG skipping plugin module ipaserver.plugins.selfsign: selfsign is not selected as RA plugin, it is dogtag
2011-03-28 23:37:35,975 DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipaserver/plugins/xmlserver.py'
2011-03-28 23:37:36,104 DEBUG Mounting ipaserver.rpcserver.xmlserver() at 'xml'
2011-03-28 23:37:36,111 DEBUG Mounting ipaserver.rpcserver.jsonserver() at 'json'
2011-03-28 23:37:36,704 DEBUG args=/usr/sbin/groupadd -r dirsrv
2011-03-28 23:37:36,705 DEBUG stdout=
2011-03-28 23:37:36,705 DEBUG stderr=
2011-03-28 23:37:36,705 DEBUG done adding DS group
2011-03-28 23:37:36,705 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,010 DEBUG Created connection context.ldap2_38247312
2011-03-28 23:37:37,014 DEBUG Destroyed connection context.ldap2_38247312
2011-03-28 23:37:37,015 DEBUG Loading
StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,015 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-03-28 23:37:37,015 DEBUG Configuring ntpd
2011-03-28 23:37:37,015 DEBUG [1/4]: stopping ntpd
2011-03-28 23:37:37,270 DEBUG args=/sbin/service ntpd status
2011-03-28 23:37:37,271 DEBUG stdout=ntpd is stopped
2011-03-28 23:37:37,271 DEBUG stderr=
2011-03-28 23:37:37,271 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,355 DEBUG args=/sbin/service ntpd stop
2011-03-28 23:37:37,355 DEBUG stdout=Shutting down ntpd: [FAILED]
2011-03-28 23:37:37,356 DEBUG stderr=
2011-03-28 23:37:37,356 DEBUG duration: 0 seconds
2011-03-28 23:37:37,357 DEBUG [2/4]: writing configuration
2011-03-28 23:37:37,357 DEBUG Backing up system configuration file '/etc/ntp.conf'
2011-03-28 23:37:37,366 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2011-03-28 23:37:37,368 DEBUG Backing up system configuration file '/etc/sysconfig/ntpd'
2011-03-28 23:37:37,371 DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2011-03-28 23:37:37,376 DEBUG duration: 0 seconds
2011-03-28 23:37:37,376 DEBUG [3/4]: configuring ntpd to start on boot
2011-03-28 23:37:37,388 DEBUG args=/sbin/chkconfig --list ntpd
2011-03-28 23:37:37,388 DEBUG stdout=ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
2011-03-28 23:37:37,388 DEBUG stderr=
2011-03-28 23:37:37,388 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,556 DEBUG args=/sbin/chkconfig ntpd on
2011-03-28 23:37:37,556 DEBUG stdout=
2011-03-28 23:37:37,556 DEBUG stderr=
2011-03-28 23:37:37,556 DEBUG duration: 0 seconds
2011-03-28 23:37:37,556 DEBUG [4/4]: starting ntpd
2011-03-28 23:37:37,644 DEBUG args=/sbin/service ntpd start
2011-03-28 23:37:37,644 DEBUG stdout=Starting ntpd: [ OK ]
2011-03-28 23:37:37,644 DEBUG stderr=
2011-03-28 23:37:37,644 DEBUG duration: 0 seconds
2011-03-28 23:37:37,644
DEBUG done configuring ntpd.
2011-03-28 23:37:37,646 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,647 DEBUG Configuring directory server for the CA: Estimated time 30 seconds
2011-03-28 23:37:37,647 DEBUG [1/3]: creating directory server user
2011-03-28 23:37:37,647 DEBUG adding ds user pkisrv
2011-03-28 23:37:37,908 DEBUG args=/usr/sbin/useradd -g dirsrv -c PKI DS System User -d /var/lib/dirsrv -s /sbin/nologin -M -r pkisrv
2011-03-28 23:37:37,908 DEBUG stdout=
2011-03-28 23:37:37,908 DEBUG stderr=
2011-03-28 23:37:37,908 DEBUG done adding user
2011-03-28 23:37:37,909 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,909 DEBUG duration: 0 seconds
2011-03-28 23:37:37,909 DEBUG [2/3]: creating directory server instance
2011-03-28 23:37:37,970 DEBUG args=/sbin/service dirsrv status
2011-03-28 23:37:37,970 DEBUG stdout= *** Error: no dirsrv instances configured
2011-03-28 23:37:37,970 DEBUG stderr=
2011-03-28 23:37:37,970 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,971 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:37:37,972 DEBUG writing inf template
2011-03-28 23:37:37,973 DEBUG [General]
FullMachineName= fed14-64-ipam002.ipa.ac.nz
SuiteSpotUserID= pkisrv
SuiteSpotGroup= dirsrv
ServerRoot= /usr/lib64/dirsrv

[slapd]
ServerPort= 7389
ServerIdentifier= PKI-IPA
Suffix= dc=ipa,dc=ac,dc=nz
RootDN= cn=Directory Manager

2011-03-28 23:37:37,973 DEBUG calling setup-ds.pl
2011-03-28 23:38:06,982 DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpO4GgGA
2011-03-28 23:38:06,982 DEBUG stdout=[11/03/28:23:38:06] - [Setup] Info Your new DS instance 'PKI-IPA' was successfully created.
Your new DS instance 'PKI-IPA' was successfully created.
[11/03/28:23:38:06] - [Setup] Success Exiting . . .
Log file is '-'
Exiting . . .
Log file is '-'
2011-03-28 23:38:06,983 DEBUG stderr=
2011-03-28 23:38:06,983 DEBUG completed creating ds instance
2011-03-28 23:38:06,985 DEBUG duration: 29 seconds
2011-03-28 23:38:06,985 DEBUG [3/3]: restarting directory server
2011-03-28 23:38:09,175 DEBUG args=/sbin/service dirsrv restart PKI-IPA
2011-03-28 23:38:09,175 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ]
Starting dirsrv: PKI-IPA...[ OK ]
2011-03-28 23:38:09,175 DEBUG stderr=
2011-03-28 23:38:09,204 DEBUG args=/sbin/service dirsrv status
2011-03-28 23:38:09,204 DEBUG stdout=dirsrv PKI-IPA (pid 3443) is running...
2011-03-28 23:38:09,204 DEBUG stderr=
2011-03-28 23:38:09,204 DEBUG duration: 2 seconds
2011-03-28 23:38:09,204 DEBUG done configuring pkids.
2011-03-28 23:38:09,205 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2011-03-28 23:38:09,228 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -N -f /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt
2011-03-28 23:38:09,228 DEBUG stdout=
2011-03-28 23:38:09,228 DEBUG stderr=
2011-03-28 23:38:09,260 DEBUG args=/usr/bin/pk12util -d /etc/dirsrv/slapd-PKI-IPA/ -i /tmp/tmpygiLqWipa/realm_info/dscert.p12 -k /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt -w /tmp/tmpygiLqWipa/realm_info/dirsrv_pin.txt
2011-03-28 23:38:09,260 DEBUG stdout=pk12util: PKCS12 IMPORT SUCCESSFUL
2011-03-28 23:38:09,260 DEBUG stderr=
2011-03-28 23:38:09,274 DEBUG args=/usr/bin/pk12util -d /etc/dirsrv/slapd-PKI-IPA/ -l /tmp/tmpygiLqWipa/realm_info/dscert.p12 -k /tmp/tmpygiLqWipa/realm_info/dirsrv_pin.txt -w /tmp/tmpygiLqWipa/realm_info/dirsrv_pin.txt
2011-03-28 23:38:09,274 DEBUG stdout=Key(shrouded):
    Friendly Name: Server-Cert
    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                6f:b2:a9:a2:8c:2d:1e:b5:67:c0:34:0f:f4:77:82:ba
            Iteration Count: 1 (0x1)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.AC.NZ"
        Validity:
            Not Before: Mon Mar 28 21:17:04 2011
            Not After : Thu Mar 28 21:17:04 2019
        Subject: "CN=Certificate Authority,O=IPA.AC.NZ"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c0:f0:09:ce:7c:57:8f:1c:a4:a3:13:68:ef:68:5d:19:
                    d8:c8:af:e2:66:5e:83:c8:37:e1:48:fa:bd:f6:5b:76:
                    29:b5:f9:0b:af:53:c3:5a:1c:95:b4:2d:87:8b:0b:b7:
                    81:42:a4:97:5c:c1:cf:63:84:cc:a4:f7:53:bb:41:ea:
                    de:4d:05:cf:fa:5c:c4:52:a7:40:0a:b2:80:99:2e:f5:
                    e5:a9:43:84:22:d0:14:e5:31:9c:47:b8:77:e2:1c:d4:
                    20:cd:7a:b4:05:0e:48:ad:7d:d4:1f:99:ab:3e:8b:8c:
                    a3:a9:be:45:a9:f9:35:bd:f9:c9:ea:e1:80:c8:7e:fc:
                    b2:48:0a:24:88:13:74:e4:d1:4f:90:72:26:c8:03:9c:
                    e7:9c:d2:62:2a:43:be:2b:6a:1d:06:dd:bb:3d:c7:b5:
                    e1:81:1d:0d:61:0f:0e:8f:64:a9:42:1b:9b:6f:aa:3a:
                    ae:00:24:1c:88:b8:6b:b6:f1:38:0e:4b:91:18:85:c6:
                    89:06:80:b6:b5:8f:4b:21:63:b5:a2:b7:5d:ab:96:72:
                    3b:ca:01:14:52:d8:89:b7:47:43:2f:50:b1:7a:82:3e:
                    00:61:ab:71:fa:dc:ce:31:fb:3b:b5:3c:25:3f:27:25:
                    e4:a3:1d:8a:cc:6d:e7:d1:7c:aa:7a:33:0e:76:5b:d3
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                7b:e2:43:1b:12:ac:f1:16:60:19:d8:0a:47:8a:c9:3b:
                df:a2:56:60

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Certificate Signing CRL Signing Name: Certificate Subject Key ID Data: 7b:e2:43:1b:12:ac:f1:16:60:19:d8:0a:47:8a:c9:3b: df:a2:56:60 Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://fed14-64-ipam001.ipa.ac.nz:9180/ca/ocsp" Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: 00:0c:96:c4:56:dd:ce:f2:10:65:13:cf:9f:5e:41:f7: f7:1f:8c:0e:59:2b:4b:64:30:34:c0:00:ef:9b:a1:b5: 81:27:21:83:b0:f4:e1:93:51:13:e0:23:5f:bd:b8:69: e2:dd:b7:13:bd:be:94:3c:ca:ba:83:c5:85:58:09:5d: 76:9f:b5:cc:69:19:dc:c4:48:42:1b:51:42:55:f8:d2: 7f:72:9c:4e:05:0d:36:af:22:54:52:40:42:0d:7a:ec: 32:1b:b6:c9:1d:6f:51:d1:59:9f:ea:1b:d0:1a:58:6c: 30:58:91:44:31:fd:3f:f2:d7:8b:e0:16:97:69:ce:76: 81:69:45:a0:16:1e:5f:45:ec:a7:7f:49:a6:d7:ca:70: ce:73:4b:88:a1:d7:56:96:47:1e:2d:84:d4:72:18:15: 8f:5f:ca:6b:f8:6f:ae:ce:b9:13:95:17:94:8d:37:f3: 56:2b:b8:71:f1:ef:a6:b9:af:1f:05:30:47:f0:e9:9d: b5:3c:de:ae:28:f6:ab:ff:65:41:58:61:68:aa:19:a3: d2:f8:58:41:d4:48:1b:ec:e4:92:86:1b:cb:29:7b:15: 54:85:49:d8:4a:34:47:f8:47:2c:cf:23:3d:ce:e4:82: bc:5b:72:0d:17:0c:e6:06:ac:a1:ea:c2:a7:47:35:50 Fingerprint (MD5): 2E:2E:41:C9:59:69:56:88:B7:A2:F7:53:0B:01:E2:A9 Fingerprint (SHA1): 52:78:11:D9:CA:23:E7:1A:F6:0C:80:DC:73:F3:D2:B9:59:89:3D:49 Friendly Name: IPA.AC.NZ IPA CA Certificate(has private key): Data: Version: 3 (0x2) Serial Number: 11 (0xb) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=Certificate Authority,O=IPA.AC.NZ" Validity: Not Before: Mon Mar 28 22:37:34 2011 Not After : Sat Sep 24 22:37:34 2011 Subject: "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: bf:bb:6f:be:3b:33:3c:e3:25:f3:d6:f5:1b:1c:49:bb: fe:84:ed:ab:60:2b:6f:4d:4a:07:c7:d5:5c:65:25:66: 99:43:1d:4c:75:32:ee:af:c5:a8:bb:f3:4b:b3:16:de: 
3b:27:c7:10:06:48:fe:b4:e6:2b:25:fb:fe:66:8e:81: 3f:cf:2e:02:ae:47:ec:0c:f0:11:fc:f2:aa:4a:e9:88: 7c:de:8c:36:4f:68:35:a0:03:0d:93:a3:d6:0a:c6:52: b9:10:fd:ce:40:c9:81:fb:27:3f:56:7b:b3:fa:75:45: 90:33:68:d4:49:40:27:88:27:11:3b:26:9f:7d:38:7f: c0:80:1b:ba:a9:76:f1:37:91:7b:25:9e:30:07:c1:e1: 5a:5a:3c:90:57:33:33:fa:ac:54:d0:d5:bf:a5:cd:f2: a9:25:a4:d1:8b:ef:8e:36:c6:4c:2f:80:52:2f:8b:bb: 22:54:f7:9e:69:32:30:01:bd:fd:27:e9:d1:4b:32:bb: 7c:61:ec:cb:45:7c:e7:79:60:e4:ac:86:da:29:1f:5c: a8:db:2f:29:8b:9f:cd:9e:0b:85:ac:e2:fd:16:51:4e: fc:51:5a:c2:b4:f1:ed:83:99:09:00:1f:39:d5:ef:6b: 32:04:2c:c7:10:4c:5f:c5:f7:9d:5d:1b:81:12:1c:f1 Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Authority Key Identifier Key ID: 7b:e2:43:1b:12:ac:f1:16:60:19:d8:0a:47:8a:c9:3b: df:a2:56:60 Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://fed14-64-ipam001.ipa.ac.nz:9180/ca/ocsp" Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment Name: Extended Key Usage TLS Web Server Authentication Certificate Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: 99:cb:70:c3:66:85:6f:50:6d:09:90:0a:d7:1f:60:6e: 5d:a8:d6:85:f6:31:29:c4:9e:ec:62:53:f4:dc:84:ae: 11:56:d9:c5:4d:93:17:e0:04:ad:83:75:f5:b2:86:15: 98:ba:31:07:c5:82:91:44:73:46:36:91:c5:f6:ea:62: 74:23:4d:b7:15:25:1e:33:30:bc:8a:2b:71:86:c6:92: 4d:35:25:03:4e:e5:48:03:5f:5f:92:95:9b:35:77:17: f6:b1:e7:1f:46:9e:71:1d:3b:73:8a:12:fc:4e:c3:db: b2:da:d6:8a:a4:9a:7f:2b:1f:9d:a6:8e:99:1f:74:13: 3e:91:54:10:d6:d4:e5:e7:6b:0d:db:e8:11:1e:f1:5d: 4d:59:3f:79:d8:bc:e9:71:08:00:0e:62:95:0c:23:ce: cb:c4:56:ea:e6:47:e0:a6:f4:d4:a2:1b:ba:9d:75:8a: 6a:20:cc:c4:ba:0a:8b:db:c3:a4:24:16:61:4a:a8:9a: fc:aa:cf:68:5e:37:39:55:f3:61:b0:85:34:e2:e8:94: c0:7b:4d:80:9e:4a:32:c9:d6:71:61:3b:f6:cb:45:a0: 0a:04:71:52:4e:03:80:0a:7c:51:6c:44:11:f0:6d:1b: 10:af:ec:89:8e:7a:8f:33:cb:95:82:30:2b:25:ff:b2 Fingerprint (MD5): 
CC:3A:23:F9:54:13:75:38:0E:00:47:60:96:1A:B1:BE Fingerprint (SHA1): 44:26:56:83:C3:50:11:EE:E5:3B:E9:00:D9:F9:57:30:D9:82:83:08 Friendly Name: Server-Cert 2011-03-28 23:38:09,275 DEBUG stderr= 2011-03-28 23:38:09,282 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -M -n IPA.AC.NZ IPA CA -t CT,CT, 2011-03-28 23:38:09,283 DEBUG stdout= 2011-03-28 23:38:09,283 DEBUG stderr= 2011-03-28 23:38:09,296 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L -n IPA.AC.NZ IPA CA -a 2011-03-28 23:38:09,297 DEBUG stdout=-----BEGIN CERTIFICATE----- MIIDlDCCAnygAwIBAgIBATANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKEwlJUEEu QUMuTloxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMTAzMjgy MTE3MDRaFw0xOTAzMjgyMTE3MDRaMDQxEjAQBgNVBAoTCUlQQS5BQy5OWjEeMBwG A1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAwPAJznxXjxykoxNo72hdGdjIr+JmXoPIN+FI+r32W3YptfkL r1PDWhyVtC2Hiwu3gUKkl1zBz2OEzKT3U7tB6t5NBc/6XMRSp0AKsoCZLvXlqUOE ItAU5TGcR7h34hzUIM16tAUOSK191B+Zqz6LjKOpvkWp+TW9+cnq4YDIfvyySAok iBN05NFPkHImyAOc55zSYipDvitqHQbduz3HteGBHQ1hDw6PZKlCG5tvqjquACQc iLhrtvE4DkuRGIXGiQaAtrWPSyFjtaK3XauWcjvKARRS2Im3R0MvULF6gj4AYatx +tzOMfs7tTwlPycl5KMdisxt59F8qnozDnZb0wIDAQABo4GwMIGtMB8GA1UdIwQY MBaAFHviQxsSrPEWYBnYCkeKyTvfolZgMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P AQH/BAQDAgHGMB0GA1UdDgQWBBR74kMbEqzxFmAZ2ApHisk736JWYDBKBggrBgEF BQcBAQQ+MDwwOgYIKwYBBQUHMAGGLmh0dHA6Ly9mZWQxNC02NC1pcGFtMDAxLmlw YS5hYy5uejo5MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAAAMlsRW3c7y EGUTz59eQff3H4wOWStLZDA0wADvm6G1gSchg7D04ZNRE+AjX724aeLdtxO9vpQ8 yrqDxYVYCV12n7XMaRncxEhCG1FCVfjSf3KcTgUNNq8iVFJAQg167DIbtskdb1HR WZ/qG9AaWGwwWJFEMf0/8teL4BaXac52gWlFoBYeX0Xsp39JptfKcM5zS4ih11aW Rx4thNRyGBWPX8pr+G+uzrkTlReUjTfzViu4cfHvprmvHwUwR/DpnbU83q4o9qv/ ZUFYYWiqGaPS+FhB1Egb7OSShhvLKXsVVIVJ2Eo0R/hHLM8jPc7kgrxbcg0XDOYG rKHqwqdHNVA= -----END CERTIFICATE----- 2011-03-28 23:38:09,297 DEBUG stderr= 2011-03-28 23:38:09,310 DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L -n Server-Cert -a 2011-03-28 23:38:09,311 
DEBUG stdout=-----BEGIN CERTIFICATE----- MIIDfjCCAmagAwIBAgIBCzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKEwlJUEEu QUMuTloxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMTAzMjgy MjM3MzRaFw0xMTA5MjQyMjM3MzRaMDkxEjAQBgNVBAoTCUlQQS5BQy5OWjEjMCEG A1UEAxMaZmVkMTQtNjQtaXBhbTAwMi5pcGEuYWMubnowggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQC/u2++OzM84yXz1vUbHEm7/oTtq2Arb01KB8fVXGUl ZplDHUx1Mu6vxai780uzFt47J8cQBkj+tOYrJfv+Zo6BP88uAq5H7AzwEfzyqkrp iHzejDZPaDWgAw2To9YKxlK5EP3OQMmB+yc/Vnuz+nVFkDNo1ElAJ4gnETsmn304 f8CAG7qpdvE3kXslnjAHweFaWjyQVzMz+qxU0NW/pc3yqSWk0YvvjjbGTC+AUi+L uyJU955pMjABvf0n6dFLMrt8YezLRXzneWDkrIbaKR9cqNsvKYufzZ4Lhazi/RZR TvxRWsK08e2DmQkAHznV72syBCzHEExfxfedXRuBEhzxAgMBAAGjgZUwgZIwHwYD VR0jBBgwFoAUe+JDGxKs8RZgGdgKR4rJO9+iVmAwSgYIKwYBBQUHAQEEPjA8MDoG CCsGAQUFBzABhi5odHRwOi8vZmVkMTQtNjQtaXBhbTAwMS5pcGEuYWMubno6OTE4 MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDATAN BgkqhkiG9w0BAQsFAAOCAQEAmctww2aFb1BtCZAK1x9gbl2o1oX2MSnEnuxiU/Tc hK4RVtnFTZMX4AStg3X1soYVmLoxB8WCkURzRjaRxfbqYnQjTbcVJR4zMLyKK3GG xpJNNSUDTuVIA19fkpWbNXcX9rHnH0aecR07c4oS/E7D27La1oqkmn8rH52mjpkf dBM+kVQQ1tTl52sN2+gRHvFdTVk/edi86XEIAA5ilQwjzsvEVurmR+Cm9NSiG7qd dYpqIMzEugqL28OkJBZhSqia/KrPaF43OVXzYbCFNOLolMB7TYCeSjLJ1nFhO/bL RaAKBHFSTgOACnxRbEQR8G0bEK/siY56jzPLlYIwKyX/sg== -----END CERTIFICATE----- 2011-03-28 23:38:09,311 DEBUG stderr= 2011-03-28 23:38:11,534 DEBUG args=/sbin/service dirsrv restart PKI-IPA 2011-03-28 23:38:11,534 DEBUG stdout=Shutting down dirsrv: PKI-IPA...[ OK ] Starting dirsrv: PKI-IPA...[ OK ] 2011-03-28 23:38:11,535 DEBUG stderr= 2011-03-28 23:38:11,564 DEBUG args=/sbin/service dirsrv status 2011-03-28 23:38:11,564 DEBUG stdout=dirsrv PKI-IPA (pid 3575) is running... 
2011-03-28 23:38:11,564 DEBUG stderr=
2011-03-28 23:38:11,564 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:38:11,565 DEBUG Configuring certificate server: Estimated time 6 minutes
2011-03-28 23:38:11,565 DEBUG [1/11]: creating certificate server user
2011-03-28 23:38:11,565 DEBUG adding ca user pkiuser
2011-03-28 23:38:11,929 DEBUG args=/usr/sbin/useradd -c CA System User -d /var/lib -s /sbin/nologin -M -r pkiuser
2011-03-28 23:38:11,929 DEBUG stdout=
2011-03-28 23:38:11,929 DEBUG stderr=
2011-03-28 23:38:11,929 DEBUG done adding user
2011-03-28 23:38:11,930 DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2011-03-28 23:38:11,930 DEBUG duration: 0 seconds
2011-03-28 23:38:11,930 DEBUG [2/11]: creating pki-ca instance
2011-03-28 23:38:43,871 DEBUG args=/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca
2011-03-28 23:38:43,871 DEBUG stdout=PKI instance creation Utility ...
Capturing installation information in /var/log/pki-ca-install.log
PKI instance creation completed ...
Installation information recorded in /var/log/pki-ca-install.log.
Before proceeding with the configuration, make sure the firewall settings of this machine permit proper access to this subsystem.
Please start the configuration by accessing:
https://fed14-64-ipam002.ipa.ac.nz:9445/ca/admin/console/config/login?pin=nnARxLnIWvR9Aw1RYjRn
After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-ca
2011-03-28 23:38:43,871 DEBUG stderr=
2011-03-28 23:38:43,872 DEBUG duration: 31 seconds
2011-03-28 23:38:43,872 DEBUG [3/11]: restarting certificate server
2011-03-28 23:38:47,115 DEBUG args=/sbin/service pki-cad restart
2011-03-28 23:38:47,116 DEBUG stdout=Stopping pki-ca: [FAILED]
Starting pki-ca: [ OK ]
'pki-ca' must still be CONFIGURED! (see /var/log/pki-ca-install.log)
2011-03-28 23:38:47,116 DEBUG stderr=
2011-03-28 23:38:47,132 DEBUG duration: 3 seconds
2011-03-28 23:38:47,132 DEBUG [4/11]: configuring certificate server instance
2011-03-28 23:39:05,352 DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin
-sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444
2011-03-28 23:39:05,352 DEBUG stdout=libpath=/usr/lib64
#######################################################################
CRYPTO INIT WITH CERTDB:/tmp/tmp-r_2iHV
tokenpwd:XXXXXXXX
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
in TestCertApprovalCallback.approve()
Peer cert details:
    subject: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
    issuer: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
    serial: 0
item 1 reason=-8156 depth=1
cert details:
    subject: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
    issuer: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
    serial: 0
item 2 reason=-8172 depth=1
cert details:
    subject: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
    issuer: CN=fed14-64-ipam002.ipa.ac.nz,O=2011-03-28 23:38:12
    serial: 0
importing certificate.
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/login?pin=nnARxLnIWvR9Aw1RYjRn&xml=true
RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Set-Cookie: JSESSIONID=E0D1A31548F4A63493FB7CC74DE9E873; Path=/ca; Secure
RESPONSE HEADER: Location: https://fed14-64-ipam002.ipa.ac.nz:9445/ca/admin/console/config/wizard
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Content-Length: 0
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:38:49 GMT
RESPONSE HEADER: Connection: keep-alive
xml returned:
cookie list: JSESSIONID=E0D1A31548F4A63493FB7CC74DE9E873; Path=/ca; Secure
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=0&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:38:49 GMT
RESPONSE HEADER: Connection: close
admin/console/config/modulepanel.vm display 2 NSS Internal PKCS #11 Module NSS Internal PKCS #11 Module ../img/clearpixel.gif nfast nCipher's nFast Token Hardware Module ../img/clearpixel.gif lunasa SafeNet's LunaSA Token Hardware Module ../img/clearpixel.gif 19 Key Store welcome Welcome module Key Store confighsmlogin ConfigHSMLogin securitydomain Security Domain securitydomain Display Certificate Chain subsystem Subsystem Type clone Display Certificate Chain restorekeys Import Keys and Certificates cahierarchy PKI Hierarchy database Internal Database size Key Pairs subjectname Subject Names certrequest Requests and Certificates backupkeys Export Keys and Certificates savepk12 Save Keys and Certificates importcachain Import CA's Certificate Chain admin Administrator importadmincert Import Administrator's Certificate done Done

1

CA Setup Wizard Internal Key Storage Token module
Sleeping for 5 secs..
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=1&op=next&xml=true&choice=Internal+Key+Storage+Token
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:38:55 GMT
RESPONSE HEADER: Connection: close
fed14-64-ipam002.ipa.ac.nz admin/console/config/securitydomainpanel.vm /sbin/service pki-cad IpaAc Domain https://fed14-64-ipam002.ipa.ac.nz:9445 9180 CA Security Domain welcome Welcome module Key Store confighsmlogin ConfigHSMLogin securitydomain Security Domain securitydomain Display Certificate Chain subsystem Subsystem Type clone Display Certificate Chain restorekeys Import Keys and Certificates cahierarchy PKI Hierarchy database Internal Database size Key Pairs subjectname Subject Names certrequest Requests and Certificates backupkeys Export Keys and Certificates savepk12 Save Keys and Certificates importcachain Import CA's Certificate Chain admin Administrator importadmincert Import Administrator's Certificate done Done https://fed14-64-ipam002.ipa.ac.nz:9445 CA Setup Wizard 9444 9445 securitydomain 9443 CA <security_domain_instance_name> 19

3

checked CA Setup Wizard
Sleeping for 5 secs..
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?sdomainURL=https%3A%2F%2Ffed14-64-ipam001.ipa.ac.nz%3A9445&sdomainName=&choice=existingdomain&p=3&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:39:00 GMT
RESPONSE HEADER: Connection: close
admin/console/config/securitydomainpanel.vm 9443 fed14-64-ipam002.ipa.ac.nz CA /sbin/service pki-cad <security_domain_instance_name> https://fed14-64-ipam002.ipa.ac.nz:9445 9180 Illegal SSL Admin HTTPS url value for the security domain 19 Security Domain welcome Welcome module Key Store confighsmlogin ConfigHSMLogin securitydomain Security Domain securitydomain Display Certificate Chain subsystem Subsystem Type clone Display Certificate Chain restorekeys Import Keys and Certificates cahierarchy PKI Hierarchy database Internal Database size Key Pairs subjectname Subject Names certrequest Requests and Certificates backupkeys Export Keys and Certificates savepk12 Save Keys and Certificates importcachain Import CA's Certificate Chain admin Administrator importadmincert Import Administrator's Certificate done Done https://fed14-64-ipam002.ipa.ac.nz:9445

3

CA Setup Wizard checked 9444 9445 securitydomain
ERROR: Tag=sdomainNamehas no values
sdomainname=null
Sleeping for 5 secs..
#############################################
Attempting to connect to: fed14-64-ipam002.ipa.ac.nz:9445
Connected.
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=4&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Location: https://:-1/ca/admin/ca/securityDomainLogin?url=https%3A%2F%2Ffed14-64-ipam002.ipa.ac.nz%3A9445%2Fca%2Fadmin%2Fconsole%2Fconfig%2Fwizard%3Fp%3D5%26subsystem%3DCA
RESPONSE HEADER: Content-Type: text/html;charset=UTF-8
RESPONSE HEADER: Content-Length: 0
RESPONSE HEADER: Date: Mon, 28 Mar 2011 10:39:05 GMT
RESPONSE HEADER: Connection: keep-alive
#############################################
Attempting to connect to: fed14-64-ipam001.ipa.ac.nz:9445
#############################################
Attempting to connect to: fed14-64-ipam001.ipa.ac.nz:9445
Exception in SecurityDomainLoginPanel(): java.lang.NullPointerException
ERROR: ConfigureSubCA: SecurityDomainLoginPanel() failure
ERROR: unable to create CA
#######################################################################
2011-03-28 23:39:05,352 DEBUG stderr=Exception: Unable to Send Request:java.net.NoRouteToHostException: No route to host
java.net.NoRouteToHostException: No route to host
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
        at java.net.Socket.connect(Socket.java:546)
        at java.net.Socket.connect(Socket.java:495)
        at java.net.Socket.<init>(Socket.java:392)
        at java.net.Socket.<init>(Socket.java:235)
        at HTTPClient.sslConnect(HTTPClient.java:326)
        at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:359)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
        at ConfigureCA.main(ConfigureCA.java:1761)
Exception: Unable to Send Request:java.net.NoRouteToHostException: No route to host
java.net.NoRouteToHostException: No route to host
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
        at java.net.Socket.connect(Socket.java:546)
        at java.net.Socket.connect(Socket.java:495)
        at java.net.Socket.<init>(Socket.java:392)
        at java.net.Socket.<init>(Socket.java:235)
        at HTTPClient.sslConnect(HTTPClient.java:326)
        at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:364)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
        at ConfigureCA.main(ConfigureCA.java:1761)
java.lang.NullPointerException
        at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:369)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
        at ConfigureCA.main(ConfigureCA.java:1761)
2011-03-28 23:39:05,352 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
2011-03-28 23:39:05,388 DEBUG Configuration of CA failed
  File "/usr/sbin/ipa-replica-install", line 551, in <module>
    main()
  File "/usr/sbin/ipa-replica-install", line 490, in main
    CA = install_ca(config)
  File "/usr/sbin/ipa-replica-install", line 190, in install_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 514, in configure_instance
    self.start_creation("Configuring certificate server", 360)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in start_creation
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 653, in __configure_instance
    raise RuntimeError('Configuration of CA failed')
============

regards

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 30 March 2011 2:37 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] replica install failure....
Steven Jones wrote:
> Just tried to make a replica and the install failed with,
>
> [4/11]: configuring certificate server instance
> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA A!
> udit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
> creation of replica failed: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root at fed14-64-ipam002 jonesst1]#

You'll need to take a look in /var/log/ipareplica-install.log for more details on why the install failed.

What distro is this, F-15?
rob

From rcritten at redhat.com Tue Mar 29 19:36:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 15:36:14 -0400
Subject: [Freeipa-users] client setup failure
In-Reply-To: <4D92332B.4010108@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz> <4D92332B.4010108@redhat.com>
Message-ID: <4D9234AE.4020505@redhat.com>

Dmitri Pal wrote:
> On 03/29/2011 03:26 PM, Steven Jones wrote:
>> Hi,
>>
>> The DNS is in AD so it can't be set to suit IPA....
>>
>> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.
>>
>> 8><--------
>>
>> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>> installation uses this DNS record in an autodiscovery of IPA server in
>> the given DNS domain.
>>
>> You may want to check the DNS record or set the domain and server
>> manually:
>>
>> # ipa-client-install --server= --domain=
>>
>
> That was the bug that we fixed last week.
> Rob, did it make the GA?
> Or the bits you are using are not GA.

This is a different problem. The retrieval of the CA during discovery (which we always do) is causing the install to quit.
rob

From Steven.Jones at vuw.ac.nz Tue Mar 29 19:37:07 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 19:37:07 +0000
Subject: [Freeipa-users] client setup failure
In-Reply-To: <4D92332B.4010108@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40029665@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

This is RC3 on F14, which seems to be the latest available for F14? Guess you need an rc4..........not F15 with 2.0....that's alpha....I have enough bugs to battle with.

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 30 March 2011 8:29 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] client setup failure

On 03/29/2011 03:26 PM, Steven Jones wrote:
> Hi,
>
> The DNS is in AD so it can't be set to suit IPA....
>
> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.
>
> 8><--------
>
> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
> installation uses this DNS record in an autodiscovery of IPA server in
> the given DNS domain.
>
> You may want to check the DNS record or set the domain and server
> manually:
>
> # ipa-client-install --server= --domain=
>
That was the bug that we fixed last week.
Rob, did it make the GA?
Or the bits you are using are not GA.
> Regards,
> Martin
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Mar 29 19:37:42 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 19:37:42 +0000
Subject: [Freeipa-users] client setup failure
In-Reply-To: <4D92332B.4010108@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>

What do I put in the python script as a work around?

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 30 March 2011 8:29 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] client setup failure

On 03/29/2011 03:26 PM, Steven Jones wrote:
> Hi,
>
> The DNS is in AD so it can't be set to suit IPA....
>
> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.
>
> 8><--------
>
> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record?
IPA client
> installation uses this DNS record in an autodiscovery of IPA server in
> the given DNS domain.
>
> You may want to check the DNS record or set the domain and server
> manually:
>
> # ipa-client-install --server= --domain=
>
That was the bug that we fixed last week.
Rob, did it make the GA?
Or the bits you are using are not GA.

> Regards,
> Martin
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From rcritten at redhat.com Tue Mar 29 19:43:22 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 15:43:22 -0400
Subject: [Freeipa-users] replica install failure....
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4002961B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386147.3592.21.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E4002961B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D92365A.1090500@redhat.com>

Steven Jones wrote:
> Hi,
>
> This is F14, guess you missed the hostnames...

It is not safe to assume based on hostname, which is why I also asked.

Your problem is this:

Unable to Send Request:java.net.NoRouteToHostException: No route to host
java.net.NoRouteToHostException: No route to host

It looks to be resolving to a very strange reverse, :-1?
Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=4&op=next&xml=true
RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Location: https://:-1/

Can you double-check that /etc/hosts is set up correctly?

thanks

rob

>
> regards
>
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Martin Kosek [mkosek at redhat.com]
> Sent: Tuesday, 29 March 2011 9:09 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] replica install failure....
>
> On Mon, 2011-03-28 at 23:45 +0000, Steven Jones wrote:
>> Just tried to make a replica and the install failed with,
>>
>> [4/11]: configuring certificate server instance
>> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA !
> A!
>> udit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255 >> creation of replica failed: Configuration of CA failed >> >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> [root at fed14-64-ipam002 jonesst1]# >> > > Hello Steven, > > can you please send me a version of tomcat6 server on your Fedora 15 > with IPA replica? > > This is most probably a known issue which was stated in Freeipa v2 > announcement: > > [Freeipa-devel] Announcing FreeIPA v2 Server > > [snip] > Known Issues > > * The latest tomcat6 package has not been pushed to updates-testing. > You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from > koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . > The installation will fail restarting the CA with the current tomcat6 > package in Fedora 15. > [snip] > > > If this is your case, you may want to install the RPMs from koji or just > install them from rawhide repository. 
> > Regards, > Martin > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Tue Mar 29 19:50:29 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Mar 2011 15:50:29 -0400 Subject: [Freeipa-users] client setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D923805.5070200@redhat.com> Steven Jones wrote: > What do I put in the python script as a work around? https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html > > regards > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Wednesday, 30 March 2011 8:29 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > On 03/29/2011 03:26 PM, Steven Jones wrote: >> Hi, >> >> The DNS is in AD so it cant be set to suit IPA.... >> >> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isnt on the AD box. >> >> 8><-------- >> >> What is a content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client >> installation uses this DNS record in an autodiscovery of IPA server in >> the given DNS domain. 
>> >> You may want to check the DNS record or set the domain and server >> manually: >> >> # ipa-client-install --server= --domain= >> > > That was the bug that we fixed last week. > Rob, did it make the GA? > Or the bits you are using are not GA. > >> Regards, >> Martin >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Mar 29 19:54:17 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 19:54:17 +0000 Subject: [Freeipa-users] replica install failure.... In-Reply-To: <4D92365A.1090500@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386147.3592.21.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E4002961B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92365A.1090500@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400296A2@STAWINCOX10MBX1.staff.vuw.ac.nz> The ipv6 wasnt "right" I guess. I have added the host's name into that line.....will retry. regards ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 30 March 2011 8:43 a.m. 
To: Steven Jones Cc: Martin Kosek; freeipa-users at redhat.com Subject: Re: [Freeipa-users] replica install failure.... Steven Jones wrote: > Hi, > > This is F14, guess you missed the hostnames... It is not safe to assume based on hostname which is why I also asked. Your problem is this: Unable to Send Request:java.net.NoRouteToHostException: No route to host java.net.NoRouteToHostException: No route to host It looks to be resolving to a very strange reverse, :-1? Posting Query = https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=4&op=next&xml=true RESPONSE STATUS: HTTP/1.1 302 Moved Temporarily RESPONSE HEADER: Server: Apache-Coyote/1.1 RESPONSE HEADER: Location: https://:-1/ Can you double-check that /etc/hosts is set up correctly? thanks rob > > regards > > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Martin Kosek [mkosek at redhat.com] > Sent: Tuesday, 29 March 2011 9:09 p.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] replica install failure.... 
> > On Mon, 2011-03-28 at 23:45 +0000, Steven Jones wrote: >> Just tried to make a replica and the install failed with, >> >> [4/11]: configuring certificate server instance >> root : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 'XXXXXXXX' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" -ca_audit_signing_cert_subject_name "CN=CA ! > A! >> udit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 'XXXXXXXX' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password 'XXXXXXXX' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255 >> creation of replica failed: Configuration of CA failed >> >> Your system may be partly configured. >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> [root at fed14-64-ipam002 jonesst1]# >> > > Hello Steven, > > can you please send me a version of tomcat6 server on your Fedora 15 > with IPA replica? 
> > This is most probably a known issue which was stated in Freeipa v2 > announcement: > > [Freeipa-devel] Announcing FreeIPA v2 Server > > [snip] > Known Issues > > * The latest tomcat6 package has not been pushed to updates-testing. > You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from > koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . > The installation will fail restarting the CA with the current tomcat6 > package in Fedora 15. > [snip] > > > If this is your case, you may want to install the RPMs from koji or just > install them from rawhide repository. > > Regards, > Martin > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Mar 29 19:56:37 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 19:56:37 +0000 Subject: [Freeipa-users] client setup failure In-Reply-To: <4D923805.5070200@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz> uh OK.....but why is it ignoring my --server and --domain ? and going to the dc for the certificate? This ticket still does not help me proceed.... regards ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 30 March 2011 8:50 a.m. 
To: Steven Jones Cc: dpal at redhat.com; freeipa-users at redhat.com Subject: Re: [Freeipa-users] client setup failure Steven Jones wrote: > What do I put in the python script as a work around? https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html > > regards > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Wednesday, 30 March 2011 8:29 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > On 03/29/2011 03:26 PM, Steven Jones wrote: >> Hi, >> >> The DNS is in AD so it cant be set to suit IPA.... >> >> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isnt on the AD box. >> >> 8><-------- >> >> What is a content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client >> installation uses this DNS record in an autodiscovery of IPA server in >> the given DNS domain. >> >> You may want to check the DNS record or set the domain and server >> manually: >> >> # ipa-client-install --server= --domain= >> > > That was the bug that we fixed last week. > Rob, did it make the GA? > Or the bits you are using are not GA. > >> Regards, >> Martin >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Tue Mar 29 19:58:42 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Mar 2011 15:58:42 -0400 Subject: [Freeipa-users] client setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D9239F2.4010807@redhat.com> Steven Jones wrote: > uh OK.....but why is it ignoring my --server and --domain ? and going to the dc for the certificate? > > This ticket still does not help me proceed.... You need --force as well. We try very hard not to hardcode values into the configuration files which is why we always autodiscover. With the patch and --force it should push through and complete the installation. rob > > regards > > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 8:50 a.m. > To: Steven Jones > Cc: dpal at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > Steven Jones wrote: >> What do I put in the python script as a work around? 
> > https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html > >> >> regards >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] >> Sent: Wednesday, 30 March 2011 8:29 a.m. >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] client setup failure >> >> On 03/29/2011 03:26 PM, Steven Jones wrote: >>> Hi, >>> >>> The DNS is in AD so it cant be set to suit IPA.... >>> >>> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isnt on the AD box. >>> >>> 8><-------- >>> >>> What is a content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client >>> installation uses this DNS record in an autodiscovery of IPA server in >>> the given DNS domain. >>> >>> You may want to check the DNS record or set the domain and server >>> manually: >>> >>> # ipa-client-install --server= --domain= >>> >> >> That was the bug that we fixed last week. >> Rob, did it make the GA? >> Or the bits you are using are not GA. >> >>> Regards, >>> Martin >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? 
>> www.redhat.com/carveoutcosts/ >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > From Steven.Jones at vuw.ac.nz Tue Mar 29 20:00:01 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 20:00:01 +0000 Subject: [Freeipa-users] client setup failure In-Reply-To: <4D9239F2.4010807@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz> I used --force as well....it still ignores it.... regards ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 30 March 2011 8:58 a.m. To: Steven Jones Cc: dpal at redhat.com; freeipa-users at redhat.com Subject: Re: [Freeipa-users] client setup failure Steven Jones wrote: > uh OK.....but why is it ignoring my --server and --domain ? and going to the dc for the certificate? > > This ticket still does not help me proceed.... You need --force as well. We try very hard not to hardcode values into the configuration files which is why we always autodiscover. With the patch and --force it should push through and complete the installation. rob > > regards > > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 8:50 a.m. 
> To: Steven Jones > Cc: dpal at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > Steven Jones wrote: >> What do I put in the python script as a work around? > > https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html > >> >> regards >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] >> Sent: Wednesday, 30 March 2011 8:29 a.m. >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] client setup failure >> >> On 03/29/2011 03:26 PM, Steven Jones wrote: >>> Hi, >>> >>> The DNS is in AD so it cant be set to suit IPA.... >>> >>> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isnt on the AD box. >>> >>> 8><-------- >>> >>> What is a content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client >>> installation uses this DNS record in an autodiscovery of IPA server in >>> the given DNS domain. >>> >>> You may want to check the DNS record or set the domain and server >>> manually: >>> >>> # ipa-client-install --server= --domain= >>> >> >> That was the bug that we fixed last week. >> Rob, did it make the GA? >> Or the bits you are using are not GA. >> >>> Regards, >>> Martin >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? 
>> www.redhat.com/carveoutcosts/ >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > From Steven.Jones at vuw.ac.nz Tue Mar 29 20:02:02 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 20:02:02 +0000 Subject: [Freeipa-users] AD setup failure In-Reply-To: <4D91E3AB.1090004@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....? regards Steven ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 30 March 2011 2:50 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] AD setup failure Steven Jones wrote: > Got a bit further.......I was missing "--passsync" I think you were using the V1 documentation. The "Enterprise Identity Management Guide" is what you want off freeipa.org in the Documentation section. 
> > [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v > ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement > [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v > Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz > ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz > ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'} > unexpected error: Failed to setup winsync replication > [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz > dc0001.ipa.ac.nz has address 192.168.101.2 > [root at fed14-64-ipam001 samba]# > > But still isnt working......... I think you have the wrong AD cert. -8179 translates to "Certificate is signed by an unknown issuer". Can you verify that you have the AD CA certificate? 
rob From rcritten at redhat.com Tue Mar 29 20:03:37 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Mar 2011 16:03:37 -0400 Subject: [Freeipa-users] client setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D923B19.4000806@redhat.com> Steven Jones wrote: > I used --force as well....it still ignores it.... More information would be helpful. Ignores it how, what error messages do you get, etc. rob > > regards > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 8:58 a.m. > To: Steven Jones > Cc: dpal at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > Steven Jones wrote: >> uh OK.....but why is it ignoring my --server and --domain ? and going to the dc for the certificate? >> >> This ticket still does not help me proceed.... > > You need --force as well. > > We try very hard not to hardcode values into the configuration files > which is why we always autodiscover. > > With the patch and --force it should push through and complete the > installation. > > rob > >> >> regards >> >> >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 30 March 2011 8:50 a.m. 
>> To: Steven Jones >> Cc: dpal at redhat.com; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] client setup failure >> >> Steven Jones wrote: >>> What do I put in the python script as a work around? >> >> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html >> >>> >>> regards >>> ________________________________________ >>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] >>> Sent: Wednesday, 30 March 2011 8:29 a.m. >>> To: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] client setup failure >>> >>> On 03/29/2011 03:26 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> The DNS is in AD so it cant be set to suit IPA.... >>>> >>>> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isnt on the AD box. >>>> >>>> 8><-------- >>>> >>>> What is a content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client >>>> installation uses this DNS record in an autodiscovery of IPA server in >>>> the given DNS domain. >>>> >>>> You may want to check the DNS record or set the domain and server >>>> manually: >>>> >>>> # ipa-client-install --server= --domain= >>>> >>> >>> That was the bug that we fixed last week. >>> Rob, did it make the GA? >>> Or the bits you are using are not GA. >>> >>>> Regards, >>>> Martin >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IPA project, >>> Red Hat Inc. >>> >>> >>> ------------------------------- >>> Looking to carve out IT costs? 
>>> www.redhat.com/carveoutcosts/ >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> > From rcritten at redhat.com Tue Mar 29 20:05:58 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Mar 2011 16:05:58 -0400 Subject: [Freeipa-users] AD setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D923BA6.3010307@redhat.com> Steven Jones wrote: > Hi, > > My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....? That's what we're doing here. You need to provide the CA that issued the SSL certificate for the AD server we're connecting to. I'm guessing they didn't give you the root CA cert. rob > > regards > > Steven > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 2:50 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD setup failure > > Steven Jones wrote: >> Got a bit further.......I was missing "--passsync" > > I think you were using the V1 documentation. The "Enterprise Identity > Management Guide" is what you want off freeipa.org in the Documentation > section. 
> >> >> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement >> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz >> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz >> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'} >> unexpected error: Failed to setup winsync replication >> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz >> dc0001.ipa.ac.nz has address 192.168.101.2 >> [root at fed14-64-ipam001 samba]# >> >> But still isnt working......... > > I think you have the wrong AD cert. -8179 translates to "Certificate is > signed by an unknown issuer". Can you verify that you have the AD CA > certificate? > > rob From rmeggins at redhat.com Tue Mar 29 20:04:58 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 29 Mar 2011 14:04:58 -0600 Subject: [Freeipa-users] AD setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D923B6A.9020105@redhat.com> On 03/29/2011 02:02 PM, Steven Jones wrote: > Hi, > > My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....? 
can you paste the output of openssl x509 -in /home/jonesst1/domaincert.cer -text ? > regards > > Steven > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 2:50 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD setup failure > > Steven Jones wrote: >> Got a bit further.......I was missing "--passsync" > I think you were using the V1 documentation. The "Enterprise Identity > Management Guide" is what you want off freeipa.org in the Documentation > section. > >> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement >> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz >> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz >> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'} >> unexpected error: Failed to setup winsync replication >> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz >> dc0001.ipa.ac.nz has address 192.168.101.2 >> [root at fed14-64-ipam001 samba]# >> >> But still isnt working......... > I think you have the wrong AD cert. -8179 translates to "Certificate is > signed by an unknown issuer". Can you verify that you have the AD CA > certificate? 
> > rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Mar 29 20:11:03 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 20:11:03 +0000 Subject: [Freeipa-users] client setup failure In-Reply-To: <4D923B19.4000806@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz> [root at fed14-64-cli01 tmp]# ipa-client-install --server fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force Retrieving CA from dc0001.ipa.ac.nz failed. Command '/usr/bin/wget -O /tmp/tmpjur_Xa/ca.crt http://dc0001.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 8 [root at fed14-64-cli01 tmp]# So the client isnt appearing in the IPA web gui.....so its a total failure to join... regards ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 30 March 2011 9:03 a.m. To: Steven Jones Cc: dpal at redhat.com; freeipa-users at redhat.com Subject: Re: [Freeipa-users] client setup failure Steven Jones wrote: > I used --force as well....it still ignores it.... More information would be helpful. Ignores it how, what error messages do you get, etc. 
rob

> regards
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 8:58 a.m.
> To: Steven Jones
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> Steven Jones wrote:
>> uh OK.....but why is it ignoring my --server and --domain ? and going to the dc for the certificate?
>>
>> This ticket still does not help me proceed....
>
> You need --force as well.
>
> We try very hard not to hardcode values into the configuration files
> which is why we always autodiscover.
>
> With the patch and --force it should push through and complete the
> installation.
>
> rob
>
>>
>> regards
>>
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 8:50 a.m.
>> To: Steven Jones
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] client setup failure
>>
>> Steven Jones wrote:
>>> What do I put in the python script as a work around?
>>
>> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html
>>
>>>
>>> regards
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>> Sent: Wednesday, 30 March 2011 8:29 a.m.
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] client setup failure
>>>
>>> On 03/29/2011 03:26 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> The DNS is in AD so it can't be set to suit IPA....
>>>>
>>>> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.
>>>>
>>>> 8><--------
>>>>
>>>> What is the content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>>>> installation uses this DNS record in an autodiscovery of IPA server in
>>>> the given DNS domain.
>>>>
>>>> You may want to check the DNS record or set the domain and server
>>>> manually:
>>>>
>>>> # ipa-client-install --server= --domain=
>>>>
>>>
>>> That was the bug that we fixed last week.
>>> Rob, did it make the GA?
>>> Or the bits you are using are not GA.
>>>
>>>> Regards,
>>>> Martin
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>

From jdennis at redhat.com Tue Mar 29 20:14:15 2011
From: jdennis at redhat.com (John Dennis)
Date: Tue, 29 Mar 2011 16:14:15 -0400
Subject: [Freeipa-users] replica install failure....
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400296A2@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40029163@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386147.3592.21.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E4002961B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92365A.1090500@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296A2@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D923D97.4050505@redhat.com>

On 03/29/2011 03:54 PM, Steven Jones wrote:
>> Can you double-check that /etc/hosts is set up correctly?
> The ipv6 wasn't "right" I guess.
>
> I have added the host's name into that line.....will retry.

Hmm... last I knew the hosts file cannot be used for IPv6 addresses.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue Mar 29 20:14:46 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 20:14:46 +0000
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <4D923BA6.3010307@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>

So I need 2 certificates?

and I have to manually add the root CA with certutil?

to the IPA master as a separate process?

regards

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 30 March 2011 9:05 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
> Hi,
>
> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?

That's what we're doing here. You need to provide the CA that issued the
SSL certificate for the AD server we're connecting to.

I'm guessing they didn't give you the root CA cert.

rob

>
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 2:50 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> Steven Jones wrote:
>> Got a bit further.......I was missing "--passsync"
>
> I think you were using the V1 documentation. The "Enterprise Identity
> Management Guide" is what you want off freeipa.org in the Documentation
> section.
>
>>
>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>> unexpected error: Failed to setup winsync replication
>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>> dc0001.ipa.ac.nz has address 192.168.101.2
>> [root at fed14-64-ipam001 samba]#
>>
>> But still isn't working.........
>
> I think you have the wrong AD cert. -8179 translates to "Certificate is
> signed by an unknown issuer". Can you verify that you have the AD CA
> certificate?
>
> rob

From rcritten at redhat.com Tue Mar 29 20:16:07 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 16:16:07 -0400
Subject: [Freeipa-users] client setup failure
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D923E07.6050003@redhat.com>

Steven Jones wrote:
> [root at fed14-64-cli01 tmp]# ipa-client-install --server fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force
> Retrieving CA from dc0001.ipa.ac.nz failed.
> Command '/usr/bin/wget -O /tmp/tmpjur_Xa/ca.crt http://dc0001.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 8
> [root at fed14-64-cli01 tmp]#
>
> So the client isn't appearing in the IPA web gui.....so it's a total failure to join...

The patch hasn't been applied. It will cause the wget to be non-fatal,
it will just log and return.

rob

>
> regards
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 9:03 a.m.
> To: Steven Jones
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> Steven Jones wrote:
>> I used --force as well....it still ignores it....
>
> More information would be helpful. Ignores it how, what error messages
> do you get, etc.
>
> rob
>
>>
>> regards
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 8:58 a.m.
>> To: Steven Jones
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] client setup failure
>>
>> Steven Jones wrote:
>>> uh OK.....but why is it ignoring my --server and --domain ? and going to the dc for the certificate?
>>>
>>> This ticket still does not help me proceed....
>>
>> You need --force as well.
>>
>> We try very hard not to hardcode values into the configuration files
>> which is why we always autodiscover.
>>
>> With the patch and --force it should push through and complete the
>> installation.
>>
>> rob
>>
>>>
>>> regards
>>>
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 8:50 a.m.
>>> To: Steven Jones
>>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] client setup failure
>>>
>>> Steven Jones wrote:
>>>> What do I put in the python script as a work around?
>>>
>>> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html
>>>
>>>>
>>>> regards
>>>> ________________________________________
>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>>> Sent: Wednesday, 30 March 2011 8:29 a.m.
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] client setup failure
>>>>
>>>> On 03/29/2011 03:26 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> The DNS is in AD so it can't be set to suit IPA....
>>>>>
>>>>> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.
>>>>>
>>>>> 8><--------
>>>>>
>>>>> What is the content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>>>>> installation uses this DNS record in an autodiscovery of IPA server in
>>>>> the given DNS domain.
>>>>>
>>>>> You may want to check the DNS record or set the domain and server
>>>>> manually:
>>>>>
>>>>> # ipa-client-install --server= --domain=
>>>>>
>>>>
>>>> That was the bug that we fixed last week.
>>>> Rob, did it make the GA?
>>>> Or the bits you are using are not GA.
>>>>
>>>>> Regards,
>>>>> Martin
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IPA project,
>>>> Red Hat Inc.
>>>>
>>>>
>>>> -------------------------------
>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>

From Steven.Jones at vuw.ac.nz Tue Mar 29 20:21:05 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 20:21:05 +0000
Subject: [Freeipa-users] client setup failure
In-Reply-To: <4D923E07.6050003@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923E07.6050003@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4002991F@STAWINCOX10MBX1.staff.vuw.ac.nz>

What patch?

and how do I apply it?

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 30 March 2011 9:16 a.m.
To: Steven Jones
Cc: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] client setup failure

Steven Jones wrote:
> [root at fed14-64-cli01 tmp]# ipa-client-install --server fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force
> Retrieving CA from dc0001.ipa.ac.nz failed.
> Command '/usr/bin/wget -O /tmp/tmpjur_Xa/ca.crt http://dc0001.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 8
> [root at fed14-64-cli01 tmp]#
>
> So the client isn't appearing in the IPA web gui.....so it's a total failure to join...

The patch hasn't been applied. It will cause the wget to be non-fatal,
it will just log and return.

rob

>
> regards
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 9:03 a.m.
> To: Steven Jones
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> Steven Jones wrote:
>> I used --force as well....it still ignores it....
>
> More information would be helpful. Ignores it how, what error messages
> do you get, etc.
>
> rob
>
>>
>> regards
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 8:58 a.m.
>> To: Steven Jones
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] client setup failure
>>
>> Steven Jones wrote:
>>> uh OK.....but why is it ignoring my --server and --domain ? and going to the dc for the certificate?
>>>
>>> This ticket still does not help me proceed....
>>
>> You need --force as well.
>>
>> We try very hard not to hardcode values into the configuration files
>> which is why we always autodiscover.
>>
>> With the patch and --force it should push through and complete the
>> installation.
>>
>> rob
>>
>>>
>>> regards
>>>
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 8:50 a.m.
>>> To: Steven Jones
>>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] client setup failure
>>>
>>> Steven Jones wrote:
>>>> What do I put in the python script as a work around?
>>>
>>> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html
>>>
>>>>
>>>> regards
>>>> ________________________________________
>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>>> Sent: Wednesday, 30 March 2011 8:29 a.m.
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] client setup failure
>>>>
>>>> On 03/29/2011 03:26 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> The DNS is in AD so it can't be set to suit IPA....
>>>>>
>>>>> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.
>>>>>
>>>>> 8><--------
>>>>>
>>>>> What is the content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>>>>> installation uses this DNS record in an autodiscovery of IPA server in
>>>>> the given DNS domain.
>>>>>
>>>>> You may want to check the DNS record or set the domain and server
>>>>> manually:
>>>>>
>>>>> # ipa-client-install --server= --domain=
>>>>>
>>>>
>>>> That was the bug that we fixed last week.
>>>> Rob, did it make the GA?
>>>> Or the bits you are using are not GA.
>>>>
>>>>> Regards,
>>>>> Martin
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IPA project,
>>>> Red Hat Inc.
>>>>
>>>>
>>>> -------------------------------
>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>

From rcritten at redhat.com Tue Mar 29 20:24:07 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 16:24:07 -0400
Subject: [Freeipa-users] client setup failure
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4002991F@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923E07.6050003@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002991F@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D923FE7.7070103@redhat.com>

Steven Jones wrote:
> What patch?
>
> and how do I apply it?

You asked "What do I put in the python script as a work around?" and I
pointed you to the patch in
https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html

It is just a 2-liner, you should be able to easily make the changes by
hand.

rob

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 9:16 a.m.
> To: Steven Jones
> Cc: dpal at redhat.com; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> Steven Jones wrote:
>> [root at fed14-64-cli01 tmp]# ipa-client-install --server fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force
>> Retrieving CA from dc0001.ipa.ac.nz failed.
>> Command '/usr/bin/wget -O /tmp/tmpjur_Xa/ca.crt http://dc0001.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 8
>> [root at fed14-64-cli01 tmp]#
>>
>> So the client isn't appearing in the IPA web gui.....so it's a total failure to join...
>
> The patch hasn't been applied. It will cause the wget to be non-fatal,
> it will just log and return.
>
> rob
>
>>
>> regards
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 9:03 a.m.
>> To: Steven Jones
>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] client setup failure
>>
>> Steven Jones wrote:
>>> I used --force as well....it still ignores it....
>>
>> More information would be helpful. Ignores it how, what error messages
>> do you get, etc.
>>
>> rob
>>
>>>
>>> regards
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 8:58 a.m.
>>> To: Steven Jones
>>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] client setup failure
>>>
>>> Steven Jones wrote:
>>>> uh OK.....but why is it ignoring my --server and --domain ? and going to the dc for the certificate?
>>>>
>>>> This ticket still does not help me proceed....
>>>
>>> You need --force as well.
>>>
>>> We try very hard not to hardcode values into the configuration files
>>> which is why we always autodiscover.
>>>
>>> With the patch and --force it should push through and complete the
>>> installation.
>>>
>>> rob
>>>
>>>>
>>>> regards
>>>>
>>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Wednesday, 30 March 2011 8:50 a.m.
>>>> To: Steven Jones
>>>> Cc: dpal at redhat.com; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] client setup failure
>>>>
>>>> Steven Jones wrote:
>>>>> What do I put in the python script as a work around?
>>>>
>>>> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html
>>>>
>>>>>
>>>>> regards
>>>>> ________________________________________
>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>>>> Sent: Wednesday, 30 March 2011 8:29 a.m.
>>>>> To: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] client setup failure
>>>>>
>>>>> On 03/29/2011 03:26 PM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> The DNS is in AD so it can't be set to suit IPA....
>>>>>>
>>>>>> I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info....and obviously the cert isn't on the AD box.
>>>>>>
>>>>>> 8><--------
>>>>>>
>>>>>> What is the content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>>>>>> installation uses this DNS record in an autodiscovery of IPA server in
>>>>>> the given DNS domain.
>>>>>>
>>>>>> You may want to check the DNS record or set the domain and server
>>>>>> manually:
>>>>>>
>>>>>> # ipa-client-install --server= --domain=
>>>>>>
>>>>>
>>>>> That was the bug that we fixed last week.
>>>>> Rob, did it make the GA?
>>>>> Or the bits you are using are not GA.
>>>>>
>>>>>> Regards,
>>>>>> Martin
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IPA project,
>>>>> Red Hat Inc.
>>>>>
>>>>>
>>>>> -------------------------------
>>>>> Looking to carve out IT costs?
>>>>> www.redhat.com/carveoutcosts/
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>
>

From Steven.Jones at vuw.ac.nz Tue Mar 29 20:26:14 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 20:26:14 +0000
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <4D923B6A.9020105@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B6A.9020105@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4002994F@STAWINCOX10MBX1.staff.vuw.ac.nz>

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            12:fb:5c:b4:00:00:00:00:00:02
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Validity
            Not Before: Mar 29 00:54:45 2011 GMT
            Not After : Mar 28 00:54:45 2012 GMT
        Subject: CN=dc0001.ipa.ac.nz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:9b:68:bb:1f:8d:62:c4:7c:08:65:f2:ec:c0:32:
                    0a:99:17:b6:02:1a:02:90:e1:d7:64:38:de:ef:f0:
                    58:b0:bb:06:6a:6f:82:ed:c1:8c:9e:ae:44:91:6e:
                    8e:3c:6f:5b:04:44:92:40:cd:af:3e:a2:2f:c8:ad:
                    1f:7a:7f:d7:53:25:2b:f9:b7:c7:ac:c4:cc:3d:92:
                    05:47:a7:96:25:e9:d5:78:a1:4d:e1:a0:65:1d:66:
                    03:d3:e1:11:f6:d5:cc:c5:e5:73:e3:e3:98:ee:c1:
                    23:c2:32:5c:4f:5f:66:ef:98:61:4b:e0:2a:3a:e6:
                    55:67:08:ed:2a:ae:6b:db:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            S/MIME Capabilities:
                050...*.H..
                ......0...*.H..
                ......0...+....0
                ..*.H..
                ..
            X509v3 Subject Key Identifier:
                7F:03:DF:87:27:A7:F2:59:C7:17:E8:CF:19:01:51:1B:FA:EF:D7:D3
            1.3.6.1.4.1.311.20.2:
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Authority Key Identifier:
                keyid:CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=dc0001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.ipa.ac.nz_dc0001.crt

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                othername:, DNS:dc0001.ipa.ac.nz
    Signature Algorithm: sha1WithRSAEncryption
        6e:11:ea:99:64:72:59:56:71:e8:6d:ab:cd:ee:93:be:cd:d4:
        94:d4:cb:b4:d1:e1:ad:d3:02:a6:1c:15:db:e6:13:6c:74:07:
        21:a0:1d:65:81:de:27:0d:8b:65:9c:5b:e2:2f:8e:67:fb:3f:
        63:7c:a4:a3:ab:15:3d:57:fc:b8:2c:5c:e2:75:fd:71:68:73:
        1d:14:49:cc:a8:5c:fb:62:5d:fd:61:b3:57:6f:18:d7:46:b7:
        5c:7d:6d:5a:ee:5c:8c:66:b6:45:cb:62:8d:72:20:40:b1:cb:
        fa:e8:f5:06:44:19:d1:fc:f3:b7:a0:86:52:39:20:6b:4f:20:
        c5:8f:7f:5c:0d:2f:a3:a1:d7:4f:c7:5e:36:1a:d4:22:33:ea:
        59:31:eb:9e:6a:31:9f:8d:7a:3a:b8:dc:b2:09:4e:64:d5:17:
        14:28:09:c0:b0:48:ff:38:00:4f:cd:01:e1:62:7e:82:dc:4d:
        d6:62:3c:54:e9:c2:ff:7d:9d:c7:b0:cf:ee:f7:6f:0a:e0:c8:
        ec:f0:c0:01:b2:41:56:01:22:a4:31:4d:cd:98:6b:a1:83:db:
        10:de:4d:43:59:b1:d3:4c:2a:16:03:9c:91:97:98:92:23:15:
        04:41:3f:9d:77:9b:fd:b2:32:0d:36:35:06:64:ff:80:6a:e8:
        a0:5b:12:85
-----BEGIN CERTIFICATE-----
MIIFjzCCBHegAwIBAgIKEvtctAAAAAAAAjANBgkqhkiG9w0BAQUFADBOMRIwEAYK
CZImiZPyLGQBGRYCbnoxEjAQBgoJkiaJk/IsZAEZFgJhYzETMBEGCgmSJomT8ixk
ARkWA2lwYTEPMA0GA1UEAxMGZGMwMDAxMB4XDTExMDMyOTAwNTQ0NVoXDTEyMDMy
ODAwNTQ0NVowGzEZMBcGA1UEAxMQZGMwMDAxLmlwYS5hYy5uejCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAm2i7H41ixHwIZfLswDIKmRe2AhoCkOHXZDje7/BY
sLsGam+C7cGMnq5EkW6OPG9bBESSQM2vPqIvyK0fen/XUyUr+bfHrMTMPZIFR6eW
JenVeKFN4aBlHWYD0+ER9tXMxeVz4+OY7sEjwjJcT19m75hhS+AqOuZVZwjtKq5r
26sCAwEAAaOCAyQwggMgMAsGA1UdDwQEAwIFoDBEBgkqhkiG9w0BCQ8ENzA1MA4G
CCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcN
AwcwHQYDVR0OBBYEFH8D34cnp/JZxxfozxkBURv679fTMC8GCSsGAQQBgjcUAgQi
HiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAfBgNVHSMEGDAWgBTM
1hUuP4FwF8VLjfmOIZ5dxRH52zCB8wYDVR0fBIHrMIHoMIHloIHioIHfhoGtbGRh
cDovLy9DTj1kYzAwMDEsQ049ZGMwMDAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXkl
MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWlwYSxE
Qz1hYyxEQz1uej9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0
Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGLWh0dHA6Ly9kYzAwMDEuaXBhLmFj
Lm56L0NlcnRFbnJvbGwvZGMwMDAxLmNybDCCAQUGCCsGAQUFBwEBBIH4MIH1MIGm
BggrBgEFBQcwAoaBmWxkYXA6Ly8vQ049ZGMwMDAxLENOPUFJQSxDTj1QdWJsaWMl
MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
PWlwYSxEQz1hYyxEQz1uej9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9
Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBKBggrBgEFBQcwAoY+aHR0cDovL2RjMDAw
MS5pcGEuYWMubnovQ2VydEVucm9sbC9kYzAwMDEuaXBhLmFjLm56X2RjMDAwMS5j
cnQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDwGA1UdEQQ1MDOgHwYJ
KwYBBAGCNxkBoBIEEAdtYFw3yQ9DmIgdDBjdl92CEGRjMDAwMS5pcGEuYWMubnow
DQYJKoZIhvcNAQEFBQADggEBAG4R6plkcllWcehtq83uk77N1JTUy7TR4a3TAqYc
FdvmE2x0ByGgHWWB3icNi2WcW+Ivjmf7P2N8pKOrFT1X/LgsXOJ1/XFocx0UScyo
XPtiXf1hs1dvGNdGt1x9bVruXIxmtkXLYo1yIECxy/ro9QZEGdH887eghlI5IGtP
IMWPf1wNL6Oh10/HXjYa1CIz6lkx655qMZ+Nejq43LIJTmTVFxQoCcCwSP84AE/N
AeFifoLcTdZiPFTpwv99ncewz+73bwrgyOzwwAGyQVYBIqQxTc2Ya6GD2xDeTUNZ
sdNMKhYDnJGXmJIjFQRBP513m/2yMg02NQZk/4Bq6KBbEoU=
-----END CERTIFICATE-----

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 30 March 2011 9:04 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:02 PM, Steven Jones wrote:
> Hi,
>
> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?
can you paste the output of openssl x509 -in /home/jonesst1/domaincert.cer -text ?
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 2:50 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> Steven Jones wrote:
>> Got a bit further.......I was missing "--passsync"
> I think you were using the V1 documentation. The "Enterprise Identity
> Management Guide" is what you want off freeipa.org in the Documentation
> section.
>
>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>> unexpected error: Failed to setup winsync replication
>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>> dc0001.ipa.ac.nz has address 192.168.101.2
>> [root at fed14-64-ipam001 samba]#
>>
>> But still isn't working.........
> I think you have the wrong AD cert. -8179 translates to "Certificate is
> signed by an unknown issuer". Can you verify that you have the AD CA
> certificate?
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rmeggins at redhat.com Tue Mar 29 20:27:02 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 29 Mar 2011 14:27:02 -0600
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D924096.5010405@redhat.com>

On 03/29/2011 02:14 PM, Steven Jones wrote:
> So I need 2 certificates?
No.
> and I have to manually add the root CA with certutil?
No.
> to the IPA master as a separate process?
No.

You only need the CA certificate for the CA that issued the MS AD server
certificate. ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer
will add the CA.

If the MS CA is an intermediate CA, you should ask the administrator to
give you a single CA certificate file (base64 encoded) that contains the
intermediate CA and all of the parent CA up to the root CA.

> regards
>
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 9:05 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> Steven Jones wrote:
>> Hi,
>>
>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?
> That's what we're doing here. You need to provide the CA that issued the
> SSL certificate for the AD server we're connecting to.
>
> I'm guessing they didn't give you the root CA cert.
>
> rob
>
>> regards
>>
>> Steven
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> Steven Jones wrote:
>>> Got a bit further.......I was missing "--passsync"
>> I think you were using the V1 documentation. The "Enterprise Identity
>> Management Guide" is what you want off freeipa.org in the Documentation
>> section.
>>
>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>>> unexpected error: Failed to setup winsync replication
>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>>> dc0001.ipa.ac.nz has address 192.168.101.2
>>> [root at fed14-64-ipam001 samba]#
>>>
>>> But still isn't working.........
>> I think you have the wrong AD cert. -8179 translates to "Certificate is
>> signed by an unknown issuer". Can you verify that you have the AD CA
>> certificate?
>> >> rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rmeggins at redhat.com Tue Mar 29 20:28:54 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 29 Mar 2011 14:28:54 -0600 Subject: [Freeipa-users] AD setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4002994F@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B6A.9020105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002994F@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D924106.10702@redhat.com> On 03/29/2011 02:26 PM, Steven Jones wrote: > Certificate: > Data: > Version: 3 (0x2) > Serial Number: > 12:fb:5c:b4:00:00:00:00:00:02 > Signature Algorithm: sha1WithRSAEncryption > Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001 > Validity > Not Before: Mar 29 00:54:45 2011 GMT > Not After : Mar 28 00:54:45 2012 GMT > Subject: CN=dc0001.ipa.ac.nz > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (1024 bit) > Modulus: > 00:9b:68:bb:1f:8d:62:c4:7c:08:65:f2:ec:c0:32: > 0a:99:17:b6:02:1a:02:90:e1:d7:64:38:de:ef:f0: > 58:b0:bb:06:6a:6f:82:ed:c1:8c:9e:ae:44:91:6e: > 8e:3c:6f:5b:04:44:92:40:cd:af:3e:a2:2f:c8:ad: > 1f:7a:7f:d7:53:25:2b:f9:b7:c7:ac:c4:cc:3d:92: > 05:47:a7:96:25:e9:d5:78:a1:4d:e1:a0:65:1d:66: > 03:d3:e1:11:f6:d5:cc:c5:e5:73:e3:e3:98:ee:c1: > 23:c2:32:5c:4f:5f:66:ef:98:61:4b:e0:2a:3a:e6: > 55:67:08:ed:2a:ae:6b:db:ab > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Key Usage: > Digital Signature, Key Encipherment > S/MIME Capabilities: > 050...*.H.. > ......0...*.H.. > ......0...+....0 > ..*.H.. > .. 
> X509v3 Subject Key Identifier: > 7F:03:DF:87:27:A7:F2:59:C7:17:E8:CF:19:01:51:1B:FA:EF:D7:D3 > 1.3.6.1.4.1.311.20.2: > . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r > X509v3 Authority Key Identifier: > keyid:CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB > > X509v3 CRL Distribution Points: > > Full Name: > URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint > URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl > > Authority Information Access: > CA Issuers - URI:ldap:///CN=dc0001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?cACertificate?base?objectClass=certificationAuthority > CA Issuers - URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.ipa.ac.nz_dc0001.crt > > X509v3 Extended Key Usage: > TLS Web Client Authentication, TLS Web Server Authentication > X509v3 Subject Alternative Name: > othername:, DNS:dc0001.ipa.ac.nz > Signature Algorithm: sha1WithRSAEncryption > 6e:11:ea:99:64:72:59:56:71:e8:6d:ab:cd:ee:93:be:cd:d4: > 94:d4:cb:b4:d1:e1:ad:d3:02:a6:1c:15:db:e6:13:6c:74:07: > 21:a0:1d:65:81:de:27:0d:8b:65:9c:5b:e2:2f:8e:67:fb:3f: > 63:7c:a4:a3:ab:15:3d:57:fc:b8:2c:5c:e2:75:fd:71:68:73: > 1d:14:49:cc:a8:5c:fb:62:5d:fd:61:b3:57:6f:18:d7:46:b7: > 5c:7d:6d:5a:ee:5c:8c:66:b6:45:cb:62:8d:72:20:40:b1:cb: > fa:e8:f5:06:44:19:d1:fc:f3:b7:a0:86:52:39:20:6b:4f:20: > c5:8f:7f:5c:0d:2f:a3:a1:d7:4f:c7:5e:36:1a:d4:22:33:ea: > 59:31:eb:9e:6a:31:9f:8d:7a:3a:b8:dc:b2:09:4e:64:d5:17: > 14:28:09:c0:b0:48:ff:38:00:4f:cd:01:e1:62:7e:82:dc:4d: > d6:62:3c:54:e9:c2:ff:7d:9d:c7:b0:cf:ee:f7:6f:0a:e0:c8: > ec:f0:c0:01:b2:41:56:01:22:a4:31:4d:cd:98:6b:a1:83:db: > 10:de:4d:43:59:b1:d3:4c:2a:16:03:9c:91:97:98:92:23:15: > 04:41:3f:9d:77:9b:fd:b2:32:0d:36:35:06:64:ff:80:6a:e8: > a0:5b:12:85
This is the MS AD server cert, not the CA cert
for the CA that issued the MS AD server cert. You need the CA cert. > ________________________________________ > From: Rich Megginson [rmeggins at redhat.com] > Sent: Wednesday, 30 March 2011 9:04 a.m. > To: Steven Jones > Cc: Rob Crittenden; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD setup failure > > On 03/29/2011 02:02 PM, Steven Jones wrote: >> Hi, >> >> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....? > can you paste the output of > openssl x509 -in /home/jonesst1/domaincert.cer -text > ? >> regards >> >> Steven >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 30 March 2011 2:50 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] AD setup failure >> >> Steven Jones wrote: >>> Got a bit further.......I was missing "--passsync" >> I think you were using the V1 documentation. The "Enterprise Identity >> Management Guide" is what you want off freeipa.org in the Documentation >> section.
>> >>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement >>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz >>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz >>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'} >>> unexpected error: Failed to setup winsync replication >>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz >>> dc0001.ipa.ac.nz has address 192.168.101.2 >>> [root at fed14-64-ipam001 samba]# >>> >>> But still isnt working......... >> I think you have the wrong AD cert. -8179 translates to "Certificate is >> signed by an unknown issuer". Can you verify that you have the AD CA >> certificate? 
>> >> rob >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Mar 29 20:32:21 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 20:32:21 +0000 Subject: [Freeipa-users] AD setup failure In-Reply-To: <4D924096.5010405@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Yes its a "intermediate CA" In the real world combining them is a huge issue, ie making a single joined certificate...It not likely many sites would go to the pain to do that....I think you need to re-visit that assumption..... The older docs suggested a manual import of the root cert is possible? regards ________________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Wednesday, 30 March 2011 9:27 a.m. To: Steven Jones Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] AD setup failure On 03/29/2011 02:14 PM, Steven Jones wrote: > So I need 2 certificates? No. > and I have to manually add the root CA with certutil? No. > to the IPA master as a separate process? No. You only need the CA certificate for the CA that issued the MS AD server certificate. ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer will add the CA. If the MS CA is an intermediate CA, you should ask the administrator to give you a single CA certificate file (base64 encoded) that contains the intermediate CA and all of the parent CA up to the root CA. 
> regards > > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 9:05 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD setup failure > > Steven Jones wrote: >> Hi, >> >> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....? > That's what we're doing here. You need to provide the CA that issued the > SSL certificate for the AD server we're connecting to. > > I'm guessing they didn't give you the root CA cert. > > rob > >> regards >> >> Steven >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 30 March 2011 2:50 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] AD setup failure >> >> Steven Jones wrote: >>> Got a bit further.......I was missing "--passsync" >> I think you were using the V1 documentation. The "Enterprise Identity >> Management Guide" is what you want off freeipa.org in the Documentation >> section. 
>> >>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement >>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz >>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz >>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'} >>> unexpected error: Failed to setup winsync replication >>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz >>> dc0001.ipa.ac.nz has address 192.168.101.2 >>> [root at fed14-64-ipam001 samba]# >>> >>> But still isnt working......... >> I think you have the wrong AD cert. -8179 translates to "Certificate is >> signed by an unknown issuer". Can you verify that you have the AD CA >> certificate? 
>> >> rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From rmeggins at redhat.com Tue Mar 29 20:36:43 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 29 Mar 2011 14:36:43 -0600 Subject: [Freeipa-users] AD setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D9242DB.9040902@redhat.com> On 03/29/2011 02:32 PM, Steven Jones wrote: > Hi, > > Yes its a "intermediate CA" In the real world combining them is a huge issue, ie making a single joined certificate...It not likely many sites would go to the pain to do that....I think you need to re-visit that assumption..... It does not appear to be CA cert at all, much less an "intermediate CA". Someone please correct me if I'm wrong, but the CA does not have the X509v3 Basic Constraints extension. For example, here is a CA cert issued by Windows 2008: Certificate: Data: Version: 3 (0x2) Serial Number: 6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7 Signature Algorithm: sha1WithRSAEncryption Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA Validity Not Before: Feb 9 17:44:10 2011 GMT Not After : Feb 9 17:54:07 2021 GMT Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA ... 
X509v3 extensions: X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE > The older docs suggested a manual import of the root cert is possible? > > regards > ________________________________________ > From: Rich Megginson [rmeggins at redhat.com] > Sent: Wednesday, 30 March 2011 9:27 a.m. > To: Steven Jones > Cc: Rob Crittenden; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD setup failure > > On 03/29/2011 02:14 PM, Steven Jones wrote: >> So I need 2 certificates? > No. >> and I have to manually add the root CA with certutil? > No. >> to the IPA master as a separate process? > No. > > You only need the CA certificate for the CA that issued the MS AD server > certificate. > ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer > will add the CA. > > If the MS CA is an intermediate CA, you should ask the administrator to > give you a single CA certificate file (base64 encoded) that contains the > intermediate CA and all of the parent CA up to the root CA. >> regards >> >> >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 30 March 2011 9:05 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] AD setup failure >> >> Steven Jones wrote: >>> Hi, >>> >>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....? >> That's what we're doing here. You need to provide the CA that issued the >> SSL certificate for the AD server we're connecting to. >> >> I'm guessing they didn't give you the root CA cert. >> >> rob >> >>> regards >>> >>> Steven >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Wednesday, 30 March 2011 2:50 a.m. 
>>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] AD setup failure >>> >>> Steven Jones wrote: >>>> Got a bit further.......I was missing "--passsync" >>> I think you were using the V1 documentation. The "Enterprise Identity >>> Management Guide" is what you want off freeipa.org in the Documentation >>> section. >>> >>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement >>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz >>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz >>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'} >>>> unexpected error: Failed to setup winsync replication >>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz >>>> dc0001.ipa.ac.nz has address 192.168.101.2 >>>> [root at fed14-64-ipam001 samba]# >>>> >>>> But still isnt working......... >>> I think you have the wrong AD cert. -8179 translates to "Certificate is >>> signed by an unknown issuer". Can you verify that you have the AD CA >>> certificate? 
>>> >>> rob >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Mar 29 20:47:40 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 20:47:40 +0000 Subject: [Freeipa-users] AD setup failure In-Reply-To: <4D9242DB.9040902@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9242DB.9040902@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40029983@STAWINCOX10MBX1.staff.vuw.ac.nz> some more output, ========== [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn "cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz" --bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/Cacrt.cer dc0001.ipa.ac.nz -v ipa: CRITICAL: Error importing CA cert file named [/home/jonesst1/Cacrt.cer]: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -A -n Imported CA -t CT,,C -a' returned non-zero exit status 255 Could not load the required CA certificate file [/home/jonesst1/Cacrt.cer] [root at fed14-64-ipam001 samba]# cd ~jonesst1 [root at fed14-64-ipam001 jonesst1]# ls -l total 52 -rw-rw-r--. 1 jonesst1 jonesst1 384 Mar 29 15:16 ad-fail -rwxr--r--. 1 jonesst1 jonesst1 1628 Mar 30 09:16 Cacrt.cer -rw-rw-r--. 1 jonesst1 jonesst1 984 Mar 29 16:11 client2.fail -rw-rw-r--. 1 jonesst1 jonesst1 345 Mar 29 15:22 connect-fail drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Desktop drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Documents -rwxr--r--. 
1 jonesst1 jonesst1 2020 Mar 29 14:06 domaincert.cer drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Downloads drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Music drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Pictures drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Public drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Templates drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Videos [root at fed14-64-ipam001 jonesst1]# ========= Certificate: Data: Version: 3 (0x2) Serial Number: 48:58:cd:99:6c:e4:53:b5:4f:6f:5b:9a:86:21:46:b6 Signature Algorithm: sha1WithRSAEncryption Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001 Validity Not Before: Mar 29 00:45:47 2011 GMT Not After : Mar 29 00:55:22 2016 GMT Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b2:f0:2a:e2:a1:f7:6d:6e:96:dc:a8:a1:84:ff: e8:24:f7:79:de:ad:a9:ac:c4:6d:73:51:ab:7e:fc: cf:98:d2:85:72:0e:89:7e:df:61:c9:d8:03:1f:9f: 4b:23:bf:29:44:e6:e8:99:87:69:63:09:7e:c6:3e: ad:99:ac:31:1e:b6:08:80:03:3d:99:6a:e5:85:b1: ea:77:1e:8c:70:8a:c7:b8:6b:b7:a5:fd:13:15:83: 95:8b:f6:cd:2a:a4:f9:f6:7e:f0:b4:a8:a1:38:ee: e3:ff:13:00:64:b0:60:01:ac:e8:79:1e:2d:3c:e9: 44:df:17:46:d8:e5:8a:0a:40:53:2e:60:8d:7c:93: 4e:e8:ea:ab:7a:c2:16:45:14:79:57:7c:21:f7:d9: a2:2c:09:4b:cb:ff:b8:a5:80:d4:b5:a2:f4:03:5f: 3a:b8:8d:1c:14:d6:b7:b5:29:c8:38:80:1b:41:29: 54:0f:6b:6a:80:f5:9c:38:d8:31:51:ae:25:70:06: 2d:f7:5d:90:06:33:b6:93:d9:3a:33:4d:ce:4f:41: 30:df:89:55:87:ee:c1:86:e6:e8:20:3f:c5:58:e8: fa:7f:40:00:60:f6:10:d7:ec:38:7d:d0:1d:20:f4: d1:a9:fe:e8:3d:fd:a7:91:b9:0e:2f:f2:fd:0f:e1: 0a:0b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB X509v3 CRL Distribution Points: Full Name: 
URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl 1.3.6.1.4.1.311.21.1: ... Signature Algorithm: sha1WithRSAEncryption 1c:69:e5:c3:fe:06:e2:22:86:cf:20:a7:18:7f:49:02:6c:c7: 31:8f:40:84:79:72:20:6c:3f:45:2d:e5:7c:91:33:ad:db:e6: f2:d9:90:4f:20:0e:ba:1f:63:3c:5c:70:5f:b3:b7:29:75:83: 1f:dd:d4:c7:56:e1:e5:b0:32:a4:cb:70:4f:21:d7:49:3c:cd: 43:c9:2b:e7:02:12:8b:ad:d8:f4:b4:c9:af:69:c2:3d:16:9c: 92:4b:08:45:4a:51:45:01:0d:bb:57:30:95:98:0c:68:14:74: ee:9f:c1:bb:f1:76:5b:ea:e4:95:d5:83:fc:21:d2:a3:00:1a: 71:bb:fc:90:c6:27:56:e6:ba:73:71:2b:8e:7f:c2:e8:e6:be: 7b:0a:4e:ef:66:6c:62:54:5d:01:61:cd:21:bd:15:3d:f5:a2: d1:bc:e5:36:a2:4e:c8:22:82:99:e7:0e:17:97:c5:fd:80:39: 59:af:fa:c3:28:b2:22:34:d2:3b:9c:5b:43:80:1a:a9:08:46: 83:2c:56:c0:fc:64:98:03:0b:7a:53:f3:fb:98:a1:62:f2:5d: 8b:6f:d9:81:43:41:ba:31:d2:02:6e:b2:26:3e:63:59:df:d8: d6:d7:c2:70:5d:18:26:3e:5c:98:11:51:59:a4:52:13:17:80: 74:eb:90:89
________________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Wednesday, 30 March 2011 9:36 a.m. To: Steven Jones Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] AD setup failure On 03/29/2011 02:32 PM, Steven Jones wrote: > Hi, > > Yes its a "intermediate CA" In the real world combining them is a huge issue, ie making a single joined certificate...It not likely many sites would go to the pain to do that....I think you need to re-visit that assumption..... It does not appear to be CA cert at all, much less an "intermediate CA". Someone please correct me if I'm wrong, but the CA does not have the X509v3 Basic Constraints extension. For example, here is a CA cert issued by Windows 2008: Certificate: Data: Version: 3 (0x2) Serial Number: 6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7 Signature Algorithm: sha1WithRSAEncryption Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA Validity Not Before: Feb 9 17:44:10 2011 GMT Not After : Feb 9 17:54:07 2021 GMT Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA ...
X509v3 extensions: X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE > The older docs suggested a manual import of the root cert is possible? > > regards > ________________________________________ > From: Rich Megginson [rmeggins at redhat.com] > Sent: Wednesday, 30 March 2011 9:27 a.m. > To: Steven Jones > Cc: Rob Crittenden; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD setup failure > > On 03/29/2011 02:14 PM, Steven Jones wrote: >> So I need 2 certificates? > No. >> and I have to manually add the root CA with certutil? > No. >> to the IPA master as a separate process? > No. > > You only need the CA certificate for the CA that issued the MS AD server > certificate. > ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer > will add the CA. > > If the MS CA is an intermediate CA, you should ask the administrator to > give you a single CA certificate file (base64 encoded) that contains the > intermediate CA and all of the parent CA up to the root CA. >> regards >> >> >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 30 March 2011 9:05 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] AD setup failure >> >> Steven Jones wrote: >>> Hi, >>> >>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....? >> That's what we're doing here. You need to provide the CA that issued the >> SSL certificate for the AD server we're connecting to. >> >> I'm guessing they didn't give you the root CA cert. >> >> rob >> >>> regards >>> >>> Steven >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Wednesday, 30 March 2011 2:50 a.m. 
>>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] AD setup failure >>> >>> Steven Jones wrote: >>>> Got a bit further.......I was missing "--passsync" >>> I think you were using the V1 documentation. The "Enterprise Identity >>> Management Guide" is what you want off freeipa.org in the Documentation >>> section. >>> >>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement >>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz >>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz >>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'} >>>> unexpected error: Failed to setup winsync replication >>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz >>>> dc0001.ipa.ac.nz has address 192.168.101.2 >>>> [root at fed14-64-ipam001 samba]# >>>> >>>> But still isnt working......... >>> I think you have the wrong AD cert. -8179 translates to "Certificate is >>> signed by an unknown issuer". Can you verify that you have the AD CA >>> certificate? 
>>> >>> rob >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Tue Mar 29 20:49:41 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Mar 2011 16:49:41 -0400 Subject: [Freeipa-users] AD setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40029983@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9242DB.9040902@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029983@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D9245E5.2080705@redhat.com> Steven Jones wrote: > some more output, > The new cert looks a lot better. I think you need to remove the old one and this should start working: # certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n Imported CA This is trying to add a new cert with the same nickname. Too bad the error messages out of certutil aren't more helpful. 
rob

> ==========
>
> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn "cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz" --bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/Cacrt.cer dc0001.ipa.ac.nz -v
> ipa: CRITICAL: Error importing CA cert file named [/home/jonesst1/Cacrt.cer]: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -A -n Imported CA -t CT,,C -a' returned non-zero exit status 255
> Could not load the required CA certificate file [/home/jonesst1/Cacrt.cer]
> [root at fed14-64-ipam001 samba]# cd ~jonesst1
> [root at fed14-64-ipam001 jonesst1]# ls -l
> total 52
> -rw-rw-r--. 1 jonesst1 jonesst1  384 Mar 29 15:16 ad-fail
> -rwxr--r--. 1 jonesst1 jonesst1 1628 Mar 30 09:16 Cacrt.cer
> -rw-rw-r--. 1 jonesst1 jonesst1  984 Mar 29 16:11 client2.fail
> -rw-rw-r--. 1 jonesst1 jonesst1  345 Mar 29 15:22 connect-fail
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Desktop
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Documents
> -rwxr--r--. 1 jonesst1 jonesst1 2020 Mar 29 14:06 domaincert.cer
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Downloads
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Music
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Pictures
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Public
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Templates
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Videos
> [root at fed14-64-ipam001 jonesst1]#
>
> =========
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             48:58:cd:99:6c:e4:53:b5:4f:6f:5b:9a:86:21:46:b6
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
>         Validity
>             Not Before: Mar 29 00:45:47 2011 GMT
>             Not After : Mar 29 00:55:22 2016 GMT
>         Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:b2:f0:2a:e2:a1:f7:6d:6e:96:dc:a8:a1:84:ff:
>                     e8:24:f7:79:de:ad:a9:ac:c4:6d:73:51:ab:7e:fc:
>                     cf:98:d2:85:72:0e:89:7e:df:61:c9:d8:03:1f:9f:
>                     4b:23:bf:29:44:e6:e8:99:87:69:63:09:7e:c6:3e:
>                     ad:99:ac:31:1e:b6:08:80:03:3d:99:6a:e5:85:b1:
>                     ea:77:1e:8c:70:8a:c7:b8:6b:b7:a5:fd:13:15:83:
>                     95:8b:f6:cd:2a:a4:f9:f6:7e:f0:b4:a8:a1:38:ee:
>                     e3:ff:13:00:64:b0:60:01:ac:e8:79:1e:2d:3c:e9:
>                     44:df:17:46:d8:e5:8a:0a:40:53:2e:60:8d:7c:93:
>                     4e:e8:ea:ab:7a:c2:16:45:14:79:57:7c:21:f7:d9:
>                     a2:2c:09:4b:cb:ff:b8:a5:80:d4:b5:a2:f4:03:5f:
>                     3a:b8:8d:1c:14:d6:b7:b5:29:c8:38:80:1b:41:29:
>                     54:0f:6b:6a:80:f5:9c:38:d8:31:51:ae:25:70:06:
>                     2d:f7:5d:90:06:33:b6:93:d9:3a:33:4d:ce:4f:41:
>                     30:df:89:55:87:ee:c1:86:e6:e8:20:3f:c5:58:e8:
>                     fa:7f:40:00:60:f6:10:d7:ec:38:7d:d0:1d:20:f4:
>                     d1:a9:fe:e8:3d:fd:a7:91:b9:0e:2f:f2:fd:0f:e1:
>                     0a:0b
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage:
>                 Digital Signature, Certificate Sign, CRL Sign
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Subject Key Identifier:
>                 CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
>                   URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl
>
>             1.3.6.1.4.1.311.21.1:
>                 ...
>     Signature Algorithm: sha1WithRSAEncryption
>          1c:69:e5:c3:fe:06:e2:22:86:cf:20:a7:18:7f:49:02:6c:c7:
>          31:8f:40:84:79:72:20:6c:3f:45:2d:e5:7c:91:33:ad:db:e6:
>          f2:d9:90:4f:20:0e:ba:1f:63:3c:5c:70:5f:b3:b7:29:75:83:
>          1f:dd:d4:c7:56:e1:e5:b0:32:a4:cb:70:4f:21:d7:49:3c:cd:
>          43:c9:2b:e7:02:12:8b:ad:d8:f4:b4:c9:af:69:c2:3d:16:9c:
>          92:4b:08:45:4a:51:45:01:0d:bb:57:30:95:98:0c:68:14:74:
>          ee:9f:c1:bb:f1:76:5b:ea:e4:95:d5:83:fc:21:d2:a3:00:1a:
>          71:bb:fc:90:c6:27:56:e6:ba:73:71:2b:8e:7f:c2:e8:e6:be:
>          7b:0a:4e:ef:66:6c:62:54:5d:01:61:cd:21:bd:15:3d:f5:a2:
>          d1:bc:e5:36:a2:4e:c8:22:82:99:e7:0e:17:97:c5:fd:80:39:
>          59:af:fa:c3:28:b2:22:34:d2:3b:9c:5b:43:80:1a:a9:08:46:
>          83:2c:56:c0:fc:64:98:03:0b:7a:53:f3:fb:98:a1:62:f2:5d:
>          8b:6f:d9:81:43:41:ba:31:d2:02:6e:b2:26:3e:63:59:df:d8:
>          d6:d7:c2:70:5d:18:26:3e:5c:98:11:51:59:a4:52:13:17:80:
>          74:eb:90:89
> -----BEGIN CERTIFICATE-----
> MIIEcTCCA1mgAwIBAgIQSFjNmWzkU7VPb1uahiFGtjANBgkqhkiG9w0BAQUFADBO
> MRIwEAYKCZImiZPyLGQBGRYCbnoxEjAQBgoJkiaJk/IsZAEZFgJhYzETMBEGCgmS
> JomT8ixkARkWA2lwYTEPMA0GA1UEAxMGZGMwMDAxMB4XDTExMDMyOTAwNDU0N1oX
> DTE2MDMyOTAwNTUyMlowTjESMBAGCgmSJomT8ixkARkWAm56MRIwEAYKCZImiZPy
> LGQBGRYCYWMxEzARBgoJkiaJk/IsZAEZFgNpcGExDzANBgNVBAMTBmRjMDAwMTCC
> ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLwKuKh921ultyooYT/6CT3
> ed6tqazEbXNRq378z5jShXIOiX7fYcnYAx+fSyO/KUTm6JmHaWMJfsY+rZmsMR62
> CIADPZlq5YWx6ncejHCKx7hrt6X9ExWDlYv2zSqk+fZ+8LSooTju4/8TAGSwYAGs
> 6HkeLTzpRN8XRtjligpAUy5gjXyTTujqq3rCFkUUeVd8IffZoiwJS8v/uKWA1LWi
> 9ANfOriNHBTWt7UpyDiAG0EpVA9raoD1nDjYMVGuJXAGLfddkAYztpPZOjNNzk9B
> MN+JVYfuwYbm6CA/xVjo+n9AAGD2ENfsOH3QHSD00an+6D39p5G5Di/y/Q/hCgsC
> AwEAAaOCAUkwggFFMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
> DgQWBBTM1hUuP4FwF8VLjfmOIZ5dxRH52zCB8wYDVR0fBIHrMIHoMIHloIHioIHf
> hoGtbGRhcDovLy9DTj1kYzAwMDEsQ049ZGMwMDAxLENOPUNEUCxDTj1QdWJsaWMl
> MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
> PWlwYSxEQz1hYyxEQz1uej9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/
> b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGLWh0dHA6Ly9kYzAwMDEu
> aXBhLmFjLm56L0NlcnRFbnJvbGwvZGMwMDAxLmNybDAQBgkrBgEEAYI3FQEEAwIB
> ADANBgkqhkiG9w0BAQUFAAOCAQEAHGnlw/4G4iKGzyCnGH9JAmzHMY9AhHlyIGw/
> RS3lfJEzrdvm8tmQTyAOuh9jPFxwX7O3KXWDH93Ux1bh5bAypMtwTyHXSTzNQ8kr
> 5wISi63Y9LTJr2nCPRackksIRUpRRQENu1cwlZgMaBR07p/Bu/F2W+rkldWD/CHS
> owAacbv8kMYnVua6c3Erjn/C6Oa+ewpO72ZsYlRdAWHNIb0VPfWi0bzlNqJOyCKC
> mecOF5fF/YA5Wa/6wyiyIjTSO5xbQ4AaqQhGgyxWwPxkmAMLelPz+5ihYvJdi2/Z
> gUNBujHSAm6yJj5jWd/Y1tfCcF0YJj5cmBFRWaRSExeAdOuQiQ==
> -----END CERTIFICATE-----
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 30 March 2011 9:36 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> On 03/29/2011 02:32 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes it's an "intermediate CA". In the real world combining them is a huge issue, ie making a single joined certificate...It's not likely many sites would go to the pain to do that....I think you need to re-visit that assumption.....
> It does not appear to be a CA cert at all, much less an "intermediate
> CA". Someone please correct me if I'm wrong, but the CA does not have
> the X509v3 Basic Constraints extension. For example, here is a CA cert
> issued by Windows 2008:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
>         Validity
>             Not Before: Feb 9 17:44:10 2011 GMT
>             Not After : Feb 9 17:54:07 2021 GMT
>         Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
> ...
>         X509v3 extensions:
>             X509v3 Key Usage:
>                 Digital Signature, Certificate Sign, CRL Sign
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>
>> The older docs suggested a manual import of the root cert is possible?
>>
>> regards
>> ________________________________________
>> From: Rich Megginson [rmeggins at redhat.com]
>> Sent: Wednesday, 30 March 2011 9:27 a.m.
>> To: Steven Jones
>> Cc: Rob Crittenden; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> On 03/29/2011 02:14 PM, Steven Jones wrote:
>>> So I need 2 certificates?
>> No.
>>> and I have to manually add the root CA with certutil?
>> No.
>>> to the IPA master as a separate process?
>> No.
>>
>> You only need the CA certificate for the CA that issued the MS AD server
>> certificate.
>> ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer
>> will add the CA.
>>
>> If the MS CA is an intermediate CA, you should ask the administrator to
>> give you a single CA certificate file (base64 encoded) that contains the
>> intermediate CA and all of the parent CA up to the root CA.
>>> regards
>>>
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 9:05 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] AD setup failure
>>>
>>> Steven Jones wrote:
>>>> Hi,
>>>>
>>>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?
>>> That's what we're doing here. You need to provide the CA that issued the
>>> SSL certificate for the AD server we're connecting to.
>>>
>>> I'm guessing they didn't give you the root CA cert.
>>>
>>> rob
>>>
>>>> regards
>>>>
>>>> Steven
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] AD setup failure
>>>>
>>>> Steven Jones wrote:
>>>>> Got a bit further.......I was missing "--passsync"
>>>> I think you were using the V1 documentation.
>>>>
>>>> rob

From Steven.Jones at vuw.ac.nz Tue Mar 29 20:53:15 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 20:53:15 +0000
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <4D9245E5.2080705@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9242DB.9040902@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029983@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9245E5.2080705@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400299A0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I get

"certutil: function failed: security library: bad database."

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 30 March 2011 9:49 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
> some more output,
>

The new cert looks a lot better. I think you need to remove the old one
and this should start working:

# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n Imported CA

This is trying to add a new cert with the same nickname. Too bad the
error messages out of certutil aren't more helpful.
ro

From Steven.Jones at vuw.ac.nz Tue Mar 29 20:56:37 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 20:56:37 +0000
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <4D9245E5.2080705@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9242DB.9040902@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029983@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9245E5.2080705@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400299B4@STAWINCOX10MBX1.staff.vuw.ac.nz>

My Windows person tells me that this cert is the root one, which apparently has no permissions to do anything...

regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 30 March 2011 9:49 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
> some more output,
>

The new cert looks a lot better. I think you need to remove the old one
and this should start working:

# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n Imported CA

This is trying to add a new cert with the same nickname. Too bad the
error messages out of certutil aren't more helpful.
>>>>
>>>> rob

From rcritten at redhat.com Tue Mar 29 20:57:13 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2011 16:57:13 -0400
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400299A0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9242DB.9040902@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029983@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9245E5.2080705@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299A0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4D9247A9.8020008@redhat.com>

Steven Jones wrote:
> Hi,
>
> I get
>
> "certutil: function failed: security library: bad database."

Sorry, I should have quoted Imported CA, try:

# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n "Imported CA"

rob

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 9:49 a.m.
> To: Steven Jones
> Cc: Rich Megginson; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> Steven Jones wrote:
>> some more output,
>>
>
> The new cert looks a lot better. I think you need to remove the old one
> and this should start working:
>
> # certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n Imported CA
>
> This is trying to add a new cert with the same nickname. Too bad the
> error messages out of certutil aren't more helpful.
>
> ro

From Steven.Jones at vuw.ac.nz Tue Mar 29 20:58:10 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 20:58:10 +0000
Subject: [Freeipa-users] AD setup failure
In-Reply-To: <4D9242DB.9040902@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9242DB.9040902@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400299C1@STAWINCOX10MBX1.staff.vuw.ac.nz>

uh, this is an AD 2003 domain, so this stuff only works with 2008 AD?

regards
________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 30 March 2011 9:36 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:32 PM, Steven Jones wrote:
> Hi,
>
> Yes it's an "intermediate CA". In the real world combining them is a huge issue, ie making a single joined certificate...It's not likely many sites would go to the pain to do that....I think you need to re-visit that assumption.....
It does not appear to be a CA cert at all, much less an "intermediate
CA". Someone please correct me if I'm wrong, but the CA does not have
the X509v3 Basic Constraints extension. For example, here is a CA cert
issued by Windows 2008:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
        Validity
            Not Before: Feb 9 17:44:10 2011 GMT
            Not After : Feb 9 17:54:07 2021 GMT
        Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
...
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE

> The older docs suggested a manual import of the root cert is possible?
>
> regards
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 30 March 2011 9:27 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> On 03/29/2011 02:14 PM, Steven Jones wrote:
>> So I need 2 certificates?
> No.
>> and I have to manually add the root CA with certutil?
> No.
>> to the IPA master as a separate process?
> No.
>
> You only need the CA certificate for the CA that issued the MS AD server
> certificate.
> ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer
> will add the CA.
>
> If the MS CA is an intermediate CA, you should ask the administrator to
> give you a single CA certificate file (base64 encoded) that contains the
> intermediate CA and all of the parent CA up to the root CA.
>> regards
>>
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 9:05 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?
>> That's what we're doing here. You need to provide the CA that issued the
>> SSL certificate for the AD server we're connecting to.
>>
>> I'm guessing they didn't give you the root CA cert.
>>
>> rob
>>
>>> regards
>>>
>>> Steven
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>>>
>>> rob

From Steven.Jones at vuw.ac.nz Tue Mar 29 21:02:08 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 29 Mar 2011 21:02:08 +0000
Subject: [Freeipa-users] client setup failure
In-Reply-To: <4D923FE7.7070103@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923E07.6050003@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002991F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923FE7.7070103@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400299CE@STAWINCOX10MBX1.staff.vuw.ac.nz>

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 30 March 2011 9:24 a.m.
To: Steven Jones
Cc: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] client setup failure

Steven Jones wrote:
> What patch?
>
> and how do I apply it?

You asked "What do I put in the python script as a work around?" and I
pointed you to the patch in
https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html

It is just a 2-liner, you should be able to easily make the changes by hand.

rob

8><--------

Interesting assumption....and no, it could be Japanese or something. I'm not a programmer.
regards From Steven.Jones at vuw.ac.nz Tue Mar 29 21:04:22 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 21:04:22 +0000 Subject: [Freeipa-users] AD setup failure In-Reply-To: <4D9247A9.8020008@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9242DB.9040902@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029983@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9245E5.2080705@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299A0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9247A9.8020008@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400299DC@STAWINCOX10MBX1.staff.vuw.ac.nz> Same failure message ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 30 March 2011 9:57 a.m. To: Steven Jones Cc: Rich Megginson; freeipa-users at redhat.com Subject: Re: [Freeipa-users] AD setup failure Steven Jones wrote: > Hi, > > I get > > "certutil: function failed: security library: bad database." Sorry, I should have quoted Imported CA, try: # certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n "Imported CA" rob > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 9:49 a.m. > To: Steven Jones > Cc: Rich Megginson; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD setup failure > > Steven Jones wrote: >> some more output, >> > > The new cert looks a lot better. 
I think you need to remove the old one > and this should start working: > > # certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n Imported CA > > This is trying to add a new cert with the same nickname. Too bad the > error messages out of certutil aren't more helpful. > > ro From rmeggins at redhat.com Tue Mar 29 21:04:45 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 29 Mar 2011 15:04:45 -0600 Subject: [Freeipa-users] AD setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400299C1@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400291C0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40029240@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D91E3AB.1090004@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296CA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923BA6.3010307@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029901@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924096.5010405@redhat.com> <833D8E48405E064EBC54C84EC6B36E40029961@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9242DB.9040902@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299C1@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D92496D.2010605@redhat.com> On 03/29/2011 02:58 PM, Steven Jones wrote: > uh, this is a AD 2003 domain, so this stuff only works with 2008 AD? No, should not matter. The example I gave was from a Windows 2008 Enterprise CA - a CA cert from a Windows 2003 Enterprise CA looks very similar. > regards > ________________________________________ > From: Rich Megginson [rmeggins at redhat.com] > Sent: Wednesday, 30 March 2011 9:36 a.m. > To: Steven Jones > Cc: Rob Crittenden; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] AD setup failure > > On 03/29/2011 02:32 PM, Steven Jones wrote: >> Hi, >> >> Yes its a "intermediate CA" In the real world combining them is a huge issue, ie making a single joined certificate...It not likely many sites would go to the pain to do that....I think you need to re-visit that assumption..... 
> It does not appear to be a CA cert at all, much less an "intermediate > CA". Someone please correct me if I'm wrong, but the CA does not have > the X509v3 Basic Constraints extension. For example, here is a CA cert > issued by Windows 2008:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
>         Validity
>             Not Before: Feb 9 17:44:10 2011 GMT
>             Not After : Feb 9 17:54:07 2021 GMT
>         Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
>         ...
>         X509v3 extensions:
>             X509v3 Key Usage:
>                 Digital Signature, Certificate Sign, CRL Sign
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>
>> The older docs suggested a manual import of the root cert is possible? >> >> regards >> ________________________________________ >> From: Rich Megginson [rmeggins at redhat.com] >> Sent: Wednesday, 30 March 2011 9:27 a.m. >> To: Steven Jones >> Cc: Rob Crittenden; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] AD setup failure >> >> On 03/29/2011 02:14 PM, Steven Jones wrote: >>> So I need 2 certificates? >> No. >>> and I have to manually add the root CA with certutil? >> No. >>> to the IPA master as a separate process? >> No. >> >> You only need the CA certificate for the CA that issued the MS AD server >> certificate. >> ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer >> will add the CA. >> >> If the MS CA is an intermediate CA, you should ask the administrator to >> give you a single CA certificate file (base64 encoded) that contains the >> intermediate CA and all of the parent CA up to the root CA. >>> regards >>> >>> >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Wednesday, 30 March 2011 9:05 a.m.
>>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] AD setup failure >>> >>> Steven Jones wrote: >>>> Hi, >>>> >>>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....? >>> That's what we're doing here. You need to provide the CA that issued the >>> SSL certificate for the AD server we're connecting to. >>> >>> I'm guessing they didn't give you the root CA cert. >>> >>> rob >>> >>>> regards >>>> >>>> Steven >>>> ________________________________________ >>>> From: Rob Crittenden [rcritten at redhat.com] >>>> Sent: Wednesday, 30 March 2011 2:50 a.m. >>>> To: Steven Jones >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] AD setup failure >>>> >>>> Steven Jones wrote: >>>>> Got a bit further.......I was missing "--passsync" >>>> I think you were using the V1 documentation. The "Enterprise Identity >>>> Management Guide" is what you want off freeipa.org in the Documentation >>>> section. 
>>>> >>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement >>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v >>>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz >>>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz >>>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'} >>>>> unexpected error: Failed to setup winsync replication >>>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz >>>>> dc0001.ipa.ac.nz has address 192.168.101.2 >>>>> [root at fed14-64-ipam001 samba]# >>>>> >>>>> But still isnt working......... >>>> I think you have the wrong AD cert. -8179 translates to "Certificate is >>>> signed by an unknown issuer". Can you verify that you have the AD CA >>>> certificate? 
>>>> >>>> rob >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users From rcritten at redhat.com Tue Mar 29 21:06:46 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Mar 2011 17:06:46 -0400 Subject: [Freeipa-users] client setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400299CE@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923E07.6050003@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002991F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923FE7.7070103@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299CE@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D9249E6.3060606@redhat.com> Steven Jones wrote: > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 9:24 a.m. > To: Steven Jones > Cc: dpal at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > Steven Jones wrote: >> What patch? >> >> and how do I apply it? > > You asked "What do I put in the python script as a work around?" and I > pointed you to the patch in > https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html > > It is just a 2-liner, you should be able to easily make the changes by hand. 
> > rob > > 8><-------- > > Interesting assumption... and no, it could be Japanese or something; I'm not a programmer. > > regards > >
# cd /usr/lib/python2.7/site-packages
# patch -p2 < /path/to/freeipa-rcrit-758-client.patch
rob From Steven.Jones at vuw.ac.nz Tue Mar 29 21:19:37 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 21:19:37 +0000 Subject: [Freeipa-users] client setup failure In-Reply-To: <4D9249E6.3060606@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923E07.6050003@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002991F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923FE7.7070103@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299CE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9249E6.3060606@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400299FF@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Thanks, but still no luck. Obviously dc0001 isn't the IPA server.........
[root at fed14-64-cli01 site-packages]# patch -p2 < ~jonesst1/binFtBcaDVUoI.bin
patching file ipaclient/ipadiscovery.py
[root at fed14-64-cli01 site-packages]# ipa-client-install --server fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force
Failed to verify that dc0001.ipa.ac.nz is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
[root at fed14-64-cli01 site-packages]# regards Steven ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 30 March 2011 10:06 a.m. To: Steven Jones Cc: dpal at redhat.com; freeipa-users at redhat.com Subject: Re: [Freeipa-users] client setup failure Steven Jones wrote: > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 9:24 a.m. > To: Steven Jones > Cc: dpal at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > Steven Jones wrote: >> What patch? >> >> and how do I apply it? > > You asked "What do I put in the python script as a work around?" and I > pointed you to the patch in > https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html > > It is just a 2-liner, you should be able to easily make the changes by hand. > > rob > > 8><-------- > > Interesting assumption....and no it could be japanese or something Im not a programmer. 
> > regards > > # cd /usr/lib/python2.7/site-packages # patch -p2 < /path/to/freeipa-rcrit-758-client.patch rob From rcritten at redhat.com Tue Mar 29 21:23:58 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 29 Mar 2011 17:23:58 -0400 Subject: [Freeipa-users] client setup failure In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400299FF@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923E07.6050003@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002991F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923FE7.7070103@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299CE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9249E6.3060606@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299FF@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4D924DEE.7000601@redhat.com> Steven Jones wrote: > Hi, > > Thanks, but still no luck, > > Obviously dc0001 isnt the IPA server......... > > [root at fed14-64-cli01 site-packages]# patch -p2< ~jonesst1/binFtBcaDVUoI.bin > patching file ipaclient/ipadiscovery.py > [root at fed14-64-cli01 site-packages]# ipa-client-install --server fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force > Failed to verify that dc0001.ipa.ac.nz is an IPA Server. > This may mean that the remote server is not up or is not reachable > due to network or firewall settings. > [root at fed14-64-cli01 site-packages]# We must have made other changes to this since rc3. 
You can try building the 2.0.0 rpms on F-14 using the F-15 src.rpm. You'd still need this patch though. rob > > regards > > Steven > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 10:06 a.m. > To: Steven Jones > Cc: dpal at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > Steven Jones wrote: >> >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 30 March 2011 9:24 a.m. >> To: Steven Jones >> Cc: dpal at redhat.com; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] client setup failure >> >> Steven Jones wrote: >>> What patch? >>> >>> and how do I apply it? >> >> You asked "What do I put in the python script as a work around?" and I >> pointed you to the patch in >> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html >> >> It is just a 2-liner, you should be able to easily make the changes by hand. >> >> rob >> >> 8><-------- >> >> Interesting assumption....and no it could be japanese or something Im not a programmer. 
>> >> regards >> >> > > # cd /usr/lib/python2.7/site-packages > # patch -p2< /path/to/freeipa-rcrit-758-client.patch > > rob From Steven.Jones at vuw.ac.nz Tue Mar 29 21:35:07 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 29 Mar 2011 21:35:07 +0000 Subject: [Freeipa-users] client setup failure In-Reply-To: <4D924DEE.7000601@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4002918C@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1301386852.3592.26.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E40029625@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D92332B.4010108@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002966E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923805.5070200@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296AD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9239F2.4010807@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296BF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923B19.4000806@redhat.com> <833D8E48405E064EBC54C84EC6B36E400296EC@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923E07.6050003@redhat.com> <833D8E48405E064EBC54C84EC6B36E4002991F@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D923FE7.7070103@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299CE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D9249E6.3060606@redhat.com> <833D8E48405E064EBC54C84EC6B36E400299FF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4D924DEE.7000601@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40029A1E@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi Way too time consuming and too much of a challenge.....I will abandon IPA for now...... Thanks......... Might re-visit on F14 rc4 or something..... I think you really need to re-examine how you do your development.....too many things being developed and on a developing platform is stupidity IMHO. F15 itself is alpha code....crazy........ regards Steven ________________________________________ From: Rob Crittenden [rcritten at redhat.com] Sent: Wednesday, 30 March 2011 10:23 a.m. 
To: Steven Jones Cc: dpal at redhat.com; freeipa-users at redhat.com Subject: Re: [Freeipa-users] client setup failure Steven Jones wrote: > Hi, > > Thanks, but still no luck, > > Obviously dc0001 isnt the IPA server......... > > [root at fed14-64-cli01 site-packages]# patch -p2< ~jonesst1/binFtBcaDVUoI.bin > patching file ipaclient/ipadiscovery.py > [root at fed14-64-cli01 site-packages]# ipa-client-install --server fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force > Failed to verify that dc0001.ipa.ac.nz is an IPA Server. > This may mean that the remote server is not up or is not reachable > due to network or firewall settings. > [root at fed14-64-cli01 site-packages]# We must have made other changes to this since rc3. You can try building the 2.0.0 rpms on F-14 using the F-15 src.rpm. You'd still need this patch though. rob > > regards > > Steven > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 30 March 2011 10:06 a.m. > To: Steven Jones > Cc: dpal at redhat.com; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] client setup failure > > Steven Jones wrote: >> >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 30 March 2011 9:24 a.m. >> To: Steven Jones >> Cc: dpal at redhat.com; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] client setup failure >> >> Steven Jones wrote: >>> What patch? >>> >>> and how do I apply it? >> >> You asked "What do I put in the python script as a work around?" and I >> pointed you to the patch in >> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html >> >> It is just a 2-liner, you should be able to easily make the changes by hand. >> >> rob >> >> 8><-------- >> >> Interesting assumption....and no it could be japanese or something Im not a programmer. 
>> >> regards >> >> > > # cd /usr/lib/python2.7/site-packages > # patch -p2< /path/to/freeipa-rcrit-758-client.patch > > rob From dpal at redhat.com Wed Mar 30 13:00:14 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 30 Mar 2011 09:00:14 -0400 Subject: [Freeipa-users] Auto membership plugin Message-ID: <4D93295E.1030507@redhat.com> Hello, Please find the design for the auto membership plugin: https://fedorahosted.org/freeipa/ticket/753 Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design I have some comments and questions:
1) Is the AND functionality for inclusion criteria required?
2) How are the attributes escaped? Do they need to? Probably there will be cases when they should be escaped.
3) Parsing pairs in the value is a bit of overhead. I wonder if there is any way to avoid it?
4) I have concerns about the UI and CLI; do you see any good ways to manage such entries?
-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Wed Mar 30 13:32:17 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 30 Mar 2011 09:32:17 -0400 Subject: [Freeipa-users] Auto membership plugin In-Reply-To: <4D93295E.1030507@redhat.com> References: <4D93295E.1030507@redhat.com> Message-ID: <4D9330E1.5090107@redhat.com> Dmitri Pal wrote: > Hello, > > Please find the design for the auto membership plugin: > https://fedorahosted.org/freeipa/ticket/753 > Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design > > I have some comments and questions: > 1) Is the AND functionality for inclusion criteria required? > 2) How are the attributes escaped? Do they need to? Probably there will > be cases when they should be escaped. > 3) Parsing pairs in the value is a bit of overhead. I wonder if there is > any way to avoid it? > 4) I have concerns about the UI and CLI; do you see any good ways to > manage such entries?
> Because the configuration is stored in cn=config, we would need to bind as DM to be able to manage it (unless we want to make an exception and allow writing here). Could a bad config prevent 389-ds from starting? I assume a restart would be needed whenever a configuration change is made? What happens if the target in automembertargetgroup gets removed? rob From nkinder at redhat.com Wed Mar 30 14:31:14 2011 From: nkinder at redhat.com (Nathan Kinder) Date: Wed, 30 Mar 2011 07:31:14 -0700 Subject: [Freeipa-users] Auto membership plugin In-Reply-To: <4D9330E1.5090107@redhat.com> References: <4D93295E.1030507@redhat.com> <4D9330E1.5090107@redhat.com> Message-ID: <4D933EB2.6040007@redhat.com> On 03/30/2011 06:32 AM, Rob Crittenden wrote: > Dmitri Pal wrote: >> Hello, >> >> Please find the design for the auto membership plugin: >> https://fedorahosted.org/freeipa/ticket/753 >> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design >> >> I have some comments and questions: >> 1) Is the AND functionality for inclusion criteria required? >> 2) How are the attributes escaped? Do they need to? Probably there will >> be cases when they should be escaped. >> 3) Parsing pairs in the value is a bit of overhead. I wonder if there is >> any way to avoid it? >> 4) I have concerns about the UI and CLI; do you see any good ways to >> manage such entries? >> > > Because the configuration is stored in cn=config, we would need to bind > as DM to be able to manage it (unless we want to make an exception and > allow writing here). Could a bad config prevent 389-ds from > starting? No. Similar to a bad DNA or managed entry setup, an error would be logged and the bad config entry would be skipped. > > I assume a restart would be needed whenever a configuration change is > made? Only enabling the plug-in at the top level, which we could enable by default. The definition entry changes would be dynamic.
> > What happens if the target in automembertargetgroup gets removed? I still need to fill in the "Behavior" section in the design doc, but this plug-in is not a referential integrity plug-in. It simply monitors ADD operations and updates the membership accordingly. Nothing is done for MOD, DEL, or MODRDN operations. -NGK > > rob From rcritten at redhat.com Wed Mar 30 14:34:43 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 30 Mar 2011 10:34:43 -0400 Subject: [Freeipa-users] Auto membership plugin In-Reply-To: <4D933EB2.6040007@redhat.com> References: <4D93295E.1030507@redhat.com> <4D9330E1.5090107@redhat.com> <4D933EB2.6040007@redhat.com> Message-ID: <4D933F83.7010004@redhat.com> Nathan Kinder wrote: > On 03/30/2011 06:32 AM, Rob Crittenden wrote: >> Dmitri Pal wrote: >>> Hello, >>> >>> Please find the design for the auto membership plugin: >>> https://fedorahosted.org/freeipa/ticket/753 >>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design >>> >>> I have some comments and questions: >>> 1) Is the AND functionality for inclusion criteria required? >>> 2) How are the attributes escaped? Do they need to? Probably there will >>> be cases when they should be escaped. >>> 3) Parsing pairs in the value is a bit of overhead. I wonder if there is >>> any way to avoid it? >>> 4) I have concerns about the UI and CLI; do you see any good ways to >>> manage such entries? >>> >> >> Because the configuration is stored in cn=config, we would need to bind >> as DM to be able to manage it (unless we want to make an exception and >> allow writing here). Could a bad config prevent 389-ds from >> starting? > No. Similar to a bad DNA or managed entry setup, an error would be > logged and the bad config entry would be skipped. OK, great. But we would still need to carve out an exception to allow people to write in cn=config, right? >> >> I assume a restart would be needed whenever a configuration change is >> made?
> Only enabling the plug-in at the top level, which we could enable by > default. The definition entry changes would be dynamic. >> >> What happens if the target in automembertargetgroup gets removed? > I still need to fill in the "Behavior" section in the design doc, but > this plug-in is not a referential integrity plug-in. It simply monitors > ADD operations and updates the membership accordingly. Nothing is done > for MOD, DEL, or MODRDN operations. I was thinking more about what happens if the target group is deleted and a new user is added. Will this result in a failed modify, or would the user get a member pointer to a non-existent entry, or something else? rob From nkinder at redhat.com Wed Mar 30 14:39:32 2011 From: nkinder at redhat.com (Nathan Kinder) Date: Wed, 30 Mar 2011 07:39:32 -0700 Subject: [Freeipa-users] Auto membership plugin In-Reply-To: <4D93295E.1030507@redhat.com> References: <4D93295E.1030507@redhat.com> Message-ID: <4D9340A4.4050302@redhat.com> On 03/30/2011 06:00 AM, Dmitri Pal wrote: > Hello, > > Please find the design for the auto membership plugin: > https://fedorahosted.org/freeipa/ticket/753 > Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design > > I have some comments and questions: > 1) Is the AND functionality for inclusion criteria required? I'm not sure. Is there a use case for it? > 2) How are the attributes escaped? Do they need to? Probably there will > be cases when they should be escaped. Where exactly are you thinking that they need to be escaped? Why do you think they might need to be escaped? > 3) Parsing pairs in the value is a bit of overhead. I wonder if there is > any way to avoid it? Do you mean parsing the pair contained in the "autoMemberGroupingAttr" attribute in the config definition entry? This will only be parsed when the definition entry is loaded at startup or when it is modified.
It would be stored in a different form that is more efficient to use when we actually need to perform auto membership operations. -NGK > 4) I have concerns about the UI and CLI; do you see any good ways to > manage such entries? > From nkinder at redhat.com Wed Mar 30 14:43:10 2011 From: nkinder at redhat.com (Nathan Kinder) Date: Wed, 30 Mar 2011 07:43:10 -0700 Subject: [Freeipa-users] Auto membership plugin In-Reply-To: <4D933F83.7010004@redhat.com> References: <4D93295E.1030507@redhat.com> <4D9330E1.5090107@redhat.com> <4D933EB2.6040007@redhat.com> <4D933F83.7010004@redhat.com> Message-ID: <4D93417E.8080006@redhat.com> On 03/30/2011 07:34 AM, Rob Crittenden wrote: > Nathan Kinder wrote: >> On 03/30/2011 06:32 AM, Rob Crittenden wrote: >>> Dmitri Pal wrote: >>>> Hello, >>>> >>>> Please find the design for the auto membership plugin: >>>> https://fedorahosted.org/freeipa/ticket/753 >>>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design >>>> >>>> I have some comments and questions: >>>> 1) Is the AND functionality for inclusion criteria required? >>>> 2) How are the attributes escaped? Do they need to? Probably there >>>> will >>>> be cases when they should be escaped. >>>> 3) Parsing pairs in the value is a bit of overhead. I wonder if >>>> there is >>>> any way to avoid it? >>>> 4) I have concerns about the UI and CLI; do you see any good ways to >>>> manage such entries? >>>> >>> >>> Because the configuration is stored in cn=config, we would need to bind >>> as DM to be able to manage it (unless we want to make an exception and >>> allow writing here). Could a bad config prevent 389-ds from >>> starting? >> No. Similar to a bad DNA or managed entry setup, an error would be >> logged and the bad config entry would be skipped. > > OK, great. But we would still need to carve out an exception to allow > people to write in cn=config, right? Yes, someone will need to write the config entry, so that will need to be allowed.
> >>> >>> I assume a restart would be needed whenever a configuration change is >>> made? >> Only enabling the plug-in at the top level, which we could enable by >> default. The definition entry changes would be dynamic. >>> >>> What happens if the target in automembertargetgroup gets removed? >> I still need to fill in the "Behavior" section in the design doc, but >> this plug-in is not a referential integrity plug-in. It simply monitors >> ADD operations and updates the membership accordingly. Nothing is done >> for MOD, DEL, or MODRDN operations. > > I was thinking more about what happens if the target group is deleted and a > new user is added. Will this result in a failed modify, or would the > user get a member pointer to a non-existent entry, or something else? That's an interesting case. It would result in a failed modify, as we would not be able to update the non-existent group entry. This plug-in does not add a pointer to the user entry (that's done by the memberOf plug-in if it is desired). The user entry would still be consistent, but you would have an error in the errors log about the failed modify. > > rob From dpal at redhat.com Wed Mar 30 15:03:41 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 30 Mar 2011 11:03:41 -0400 Subject: [Freeipa-users] Auto membership plugin In-Reply-To: <4D9340A4.4050302@redhat.com> References: <4D93295E.1030507@redhat.com> <4D9340A4.4050302@redhat.com> Message-ID: <4D93464D.8070708@redhat.com> On 03/30/2011 10:39 AM, Nathan Kinder wrote: > On 03/30/2011 06:00 AM, Dmitri Pal wrote: >> Hello, >> >> Please find the design for the auto membership plugin: >> https://fedorahosted.org/freeipa/ticket/753 >> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design >> >> I have some comments and questions: >> 1) Is the AND functionality for inclusion criteria required? > I'm not sure. Is there a use case for it? >> 2) How are the attributes escaped? Do they need to?
Probably there will >> be cases when they should be escaped. > Where exactly are you thinking that they need to be escaped? Why do > you think they might need to be escaped? Wildcards and regular expressions might have special symbols like "=", "\", slashes, etc. If we decide to support AND, it would probably be solved by concatenating multiple attr=regex pairs in one attribute. I am concerned it will be a challenge to parse. >> 3) Parsing pairs in the value is a bit of overhead. I wonder if there is >> any way to avoid it? > Do you mean parsing the pair contained in the "autoMemberGroupingAttr" > attribute in the config definition entry? This will only be parsed > when the definition entry is loaded at startup or when it is > modified. It would be stored in a different form that is more > efficient to use when we actually need to perform auto membership > operations. Yes, I am concerned about parsing pairs for the purposes of the modify operation in the CLI/UI. > > -NGK >> 4) I have concerns about the UI and CLI; do you see any good ways to >> manage such entries? >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Mar 30 15:06:51 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 30 Mar 2011 11:06:51 -0400
Subject: [Freeipa-users] Auto membership plugin
In-Reply-To: <4D93417E.8080006@redhat.com>
References: <4D93295E.1030507@redhat.com> <4D9330E1.5090107@redhat.com> <4D933EB2.6040007@redhat.com> <4D933F83.7010004@redhat.com> <4D93417E.8080006@redhat.com>
Message-ID: <4D93470B.40707@redhat.com>

On 03/30/2011 10:43 AM, Nathan Kinder wrote:
> On 03/30/2011 07:34 AM, Rob Crittenden wrote:
>> Nathan Kinder wrote:
>>> On 03/30/2011 06:32 AM, Rob Crittenden wrote:
>>>> Dmitri Pal wrote:
>>>>> Hello,
>>>>>
>>>>> Please find the design for the auto membership plugin:
>>>>> https://fedorahosted.org/freeipa/ticket/753
>>>>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>>>>>
>>>>> I have some comments and questions:
>>>>> 1) Is the AND functionality for inclusion criteria required?
>>>>> 2) How are the attributes escaped? Do they need to be? Probably there
>>>>> will be cases when they should be escaped
>>>>> 3) Parsing pairs in the value is a bit of overhead. I wonder if
>>>>> there is any way to avoid it?
>>>>> 4) I have concerns about the UI and CLI, do you see any good ways to
>>>>> manage such entries?
>>>>>
>>>> Because the configuration is stored in cn=config we would need to bind
>>>> as DM to be able to manage it (unless we want to make an exception and
>>>> allow writing here. Could a bad config prevent 389-ds from
>>>> starting?)
>>> No. Similar to a bad DNA or managed entry setup, an error would be
>>> logged and the bad config entry would be skipped.
>>
>> Ok, great. But we would still need to carve out an exception to
>> allow people to write in cn=config, right?
> Yes, someone will need to write the config entry, so that will need to
> be allowed.

But can it be an ordinary user controlled by CLI, or is it a DM?
Will a newly added rule be respected right away?
You probably want to have an enable/disable flag on the rule to give some staging capability to the admin.

>>
>>>>
>>>> I assume a restart would be needed whenever a configuration change is
>>>> made?
>>> Only enabling the plug-in at the top level, which we could enable by
>>> default. The definition entry changes would be dynamic.
>>>>
>>>> What happens if the target in automembertargetgroup gets removed?
>>> I still need to fill in the "Behavior" section in the design doc, but
>>> this plug-in is not a referential integrity plug-in. It simply monitors
>>> ADD operations and updates the membership accordingly. Nothing is done
>>> for MOD, DEL, or MODRDN operations.
>>
>> I was thinking more what happens if the targetgroup is deleted and a
>> new user is added? Will this result in a failed modify or would the
>> user get a member pointer to a non-existent entry, or something else?
> That's an interesting case. It would result in a failed modify, as we
> would not be able to update the non-existent group entry. This
> plug-in does not add a pointer to the user entry (that's done by the
> memberOf plug-in if it is desired). The user entry would still be
> consistent, but you would have an error in the errors log about the
> failed modify.
>>
>> rob
>

All the rest seems fine so far.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
From nkinder at redhat.com Wed Mar 30 16:44:38 2011
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 30 Mar 2011 09:44:38 -0700
Subject: [Freeipa-users] Auto membership plugin
In-Reply-To: <4D93295E.1030507@redhat.com>
References: <4D93295E.1030507@redhat.com>
Message-ID: <4D935DF6.9060408@redhat.com>

On 03/30/2011 06:00 AM, Dmitri Pal wrote:
> Hello,
>
> Please find the design for the auto membership plugin:
> https://fedorahosted.org/freeipa/ticket/753
> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design

I had a lengthy discussion with JR, and I have come up with an alternate approach. I have added this approach to the design document. I am currently leaning towards this new approach. Please take a look at it.

> I have some comments and questions:
> 1) Is the AND functionality for inclusion criteria required?
> 2) How are the attributes escaped? Do they need to be? Probably there will
> be cases when they should be escaped
> 3) Parsing pairs in the value is a bit of overhead. I wonder if there is
> any way to avoid it?
> 4) I have concerns about the UI and CLI, do you see any good ways to
> manage such entries?
>

From dpal at redhat.com Wed Mar 30 17:19:56 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 30 Mar 2011 13:19:56 -0400
Subject: [Freeipa-users] Auto membership plugin
In-Reply-To: <4D935DF6.9060408@redhat.com>
References: <4D93295E.1030507@redhat.com> <4D935DF6.9060408@redhat.com>
Message-ID: <4D93663C.3000109@redhat.com>

On 03/30/2011 12:44 PM, Nathan Kinder wrote:
> On 03/30/2011 06:00 AM, Dmitri Pal wrote:
>> Hello,
>>
>> Please find the design for the auto membership plugin:
>> https://fedorahosted.org/freeipa/ticket/753
>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design
> I had a lengthy discussion with JR, and I have come up with an
> alternate approach. I have added this approach to the design
> document. I am currently leaning towards this new approach.
> Please
> take a look at it.
>> I have some comments and questions:
>> 1) Is the AND functionality for inclusion criteria required?
>> 2) How are the attributes escaped? Do they need to be? Probably there will
>> be cases when they should be escaped
>> 3) Parsing pairs in the value is a bit of overhead. I wonder if there is
>> any way to avoid it?
>> 4) I have concerns about the UI and CLI, do you see any good ways to
>> manage such entries?
>>

Makes sense

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From nkinder at redhat.com Wed Mar 30 18:17:03 2011
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 30 Mar 2011 11:17:03 -0700
Subject: [Freeipa-users] Auto membership plugin
In-Reply-To: <4D93470B.40707@redhat.com>
References: <4D93295E.1030507@redhat.com> <4D9330E1.5090107@redhat.com> <4D933EB2.6040007@redhat.com> <4D933F83.7010004@redhat.com> <4D93417E.8080006@redhat.com> <4D93470B.40707@redhat.com>
Message-ID: <4D93739F.9050603@redhat.com>

On 03/30/2011 08:06 AM, Dmitri Pal wrote:
> On 03/30/2011 10:43 AM, Nathan Kinder wrote:
>> On 03/30/2011 07:34 AM, Rob Crittenden wrote:
>>> Nathan Kinder wrote:
>>>> On 03/30/2011 06:32 AM, Rob Crittenden wrote:
>>>>> Dmitri Pal wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Please find the design for the auto membership plugin:
>>>>>> https://fedorahosted.org/freeipa/ticket/753
>>>>>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>>>>>>
>>>>>> I have some comments and questions:
>>>>>> 1) Is the AND functionality for inclusion criteria required?
>>>>>> 2) How are the attributes escaped? Do they need to be? Probably there
>>>>>> will be cases when they should be escaped
>>>>>> 3) Parsing pairs in the value is a bit of overhead. I wonder if
>>>>>> there is any way to avoid it?
>>>>>> 4) I have concerns about the UI and CLI, do you see any good ways to
>>>>>> manage such entries?
>>>>>>
>>>>> Because the configuration is stored in cn=config we would need to bind
>>>>> as DM to be able to manage it (unless we want to make an exception and
>>>>> allow writing here. Could a bad config prevent 389-ds from
>>>>> starting?)
>>>> No. Similar to a bad DNA or managed entry setup, an error would be
>>>> logged and the bad config entry would be skipped.
>>> Ok, great. But we would still need to carve out an exception to
>>> allow people to write in cn=config, right?
>> Yes, someone will need to write the config entry, so that will need to
>> be allowed.
> But can it be an ordinary user controlled by CLI, or is it a DM?

I believe this could be done by a normal (admin) user if the ACI allows it.

> Will a newly added rule be respected right away?

Yes, changes to the definition entry would be respected right away.

> You probably want to have an enable/disable flag on the rule to give
> some staging capability to the admin.

Makes sense.

>
>>>>> I assume a restart would be needed whenever a configuration change is
>>>>> made?
>>>> Only enabling the plug-in at the top level, which we could enable by
>>>> default. The definition entry changes would be dynamic.
>>>>> What happens if the target in automembertargetgroup gets removed?
>>>> I still need to fill in the "Behavior" section in the design doc, but
>>>> this plug-in is not a referential integrity plug-in. It simply monitors
>>>> ADD operations and updates the membership accordingly. Nothing is done
>>>> for MOD, DEL, or MODRDN operations.
>>> I was thinking more what happens if the targetgroup is deleted and a
>>> new user is added? Will this result in a failed modify or would the
>>> user get a member pointer to a non-existent entry, or something else?
>> That's an interesting case. It would result in a failed modify, as we
>> would not be able to update the non-existent group entry. This
>> plug-in does not add a pointer to the user entry (that's done by the
>> memberOf plug-in if it is desired).
>> The user entry would still be
>> consistent, but you would have an error in the errors log about the
>> failed modify.
>>> rob
>>
> All the rest seems fine so far.
>

From nkinder at redhat.com Wed Mar 30 18:23:32 2011
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 30 Mar 2011 11:23:32 -0700
Subject: [Freeipa-users] Auto membership plugin
In-Reply-To: <4D93464D.8070708@redhat.com>
References: <4D93295E.1030507@redhat.com> <4D9340A4.4050302@redhat.com> <4D93464D.8070708@redhat.com>
Message-ID: <4D937524.1010905@redhat.com>

On 03/30/2011 08:03 AM, Dmitri Pal wrote:
> On 03/30/2011 10:39 AM, Nathan Kinder wrote:
>> On 03/30/2011 06:00 AM, Dmitri Pal wrote:
>>> Hello,
>>>
>>> Please find the design for the auto membership plugin:
>>> https://fedorahosted.org/freeipa/ticket/753
>>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>>>
>>> I have some comments and questions:
>>> 1) Is the AND functionality for inclusion criteria required?
>> I'm not sure. Is there a use case for it?
>>> 2) How are the attributes escaped? Do they need to be? Probably there will
>>> be cases when they should be escaped
>> Where exactly are you thinking that they need to be escaped? Why do
>> you think they might need to be escaped?
> Wildcards and regular expressions might have special symbols like "=",
> "\", slashes etc.
> If we decide to support AND it would probably be solved by concatenating
> multiple attr=regex pairs in one attribute. I am concerned it will be a
> challenge to parse.

We use libpcre elsewhere in 389 to allow regular expressions to be used. We actually have a public regular expression API within SLAPI (the slapi_re_* functions). We would leverage these functions in this plug-in.
The SASL mapping code already uses these for something similar, so there is not a new problem to solve here.

>>> 3) Parsing pairs in the value is a bit of overhead. I wonder if there is
>>> any way to avoid it?
>> Do you mean parsing the pair contained in the "autoMemberGroupingAttr"
>> attribute in the config definition entry? This will only be parsed
>> when the definition entry is loaded at startup or when it is
>> modified. It would be stored in a different form that is more
>> efficient to use when we actually need to perform auto membership
>> operations.
> Yes, I am concerned about parsing pairs for the purposes of the modify
> operation in CLI/UI.

This is only done when loading the config, so it's a one-time penalty at startup or when the config is modified (which should be fairly rare). I wouldn't worry about this.

>> -NGK
>>> 4) I have concerns about the UI and CLI, do you see any good ways to
>>> manage such entries?
>>>
>

From dpal at redhat.com Wed Mar 30 20:34:12 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 30 Mar 2011 16:34:12 -0400
Subject: [Freeipa-users] Auto membership plugin
In-Reply-To: <4D937524.1010905@redhat.com>
References: <4D93295E.1030507@redhat.com> <4D9340A4.4050302@redhat.com> <4D93464D.8070708@redhat.com> <4D937524.1010905@redhat.com>
Message-ID: <4D9393C4.9080008@redhat.com>

On 03/30/2011 02:23 PM, Nathan Kinder wrote:
> On 03/30/2011 08:03 AM, Dmitri Pal wrote:
>> On 03/30/2011 10:39 AM, Nathan Kinder wrote:
>>> On 03/30/2011 06:00 AM, Dmitri Pal wrote:
>>>> Hello,
>>>>
>>>> Please find the design for the auto membership plugin:
>>>> https://fedorahosted.org/freeipa/ticket/753
>>>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>>>>
>>>> I have some comments and questions:
>>>> 1) Is the AND functionality for inclusion criteria
>>>> required?
>>> I'm not sure. Is there a use case for it?
>>>> 2) How are the attributes escaped? Do they need to be? Probably there
>>>> will be cases when they should be escaped
>>> Where exactly are you thinking that they need to be escaped? Why do
>>> you think they might need to be escaped?
>> Wildcards and regular expressions might have special symbols like "=",
>> "\", slashes etc.
>> If we decide to support AND it would probably be solved by concatenating
>> multiple attr=regex pairs in one attribute. I am concerned it will be a
>> challenge to parse.
> We use libpcre elsewhere in 389 to allow regular expressions to be
> used. We actually have a public regular expression API within SLAPI
> (the slapi_re_* functions). We would leverage these functions in this
> plug-in. The SASL mapping code already uses these for something
> similar, so there is not a new problem to solve here.

I am not worried about you, I am worried that we will have to parse it in the Python code and maybe JavaScript in ?CLI. Hope we can create an abstraction on the management plugin side that will do the trick and hide it from the actual UI and client part of CLI. But anyway this means two different parsers: an internal one in the DS plugin and an external one in the management plugin.

>>>> 3) Parsing pairs in the value is a bit of overhead. I wonder if
>>>> there is any way to avoid it?
>>> Do you mean parsing the pair contained in the "autoMemberGroupingAttr"
>>> attribute in the config definition entry? This will only be parsed
>>> when the definition entry is loaded at startup or when it is
>>> modified. It would be stored in a different form that is more
>>> efficient to use when we actually need to perform auto membership
>>> operations.
>> Yes, I am concerned about parsing pairs for the purposes of the modify
>> operation in CLI/UI.
> This is only done when loading the config, so it's a one-time penalty
> at startup or when the config is modified (which should be fairly
> rare).
> I wouldn't worry about this.
>>> -NGK
>>>> 4) I have concerns about the UI and CLI, do you see any good ways to
>>>> manage such entries?
>>>>
>>>
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From roland.kaeser at intersoft-networks.ch Thu Mar 31 09:30:23 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Thu, 31 Mar 2011 11:30:23 +0200 (CEST)
Subject: [Freeipa-users] IPA Client join

Hello

Just trying to add Scientific Linux 6 (RHEL 6) into the freeipa. Sorry to say that, but after reading a lot of the documentation I found that most of it is obsolete or just wrong. For example: in http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client the command ipa-addservice is nowhere available.

Currently I try to get a keytab file for the afs service made via web interface using:

ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab

all I get is: Operation failed! unsupported extended operation
Note: Replaced the original domain and realm with placeholders.

The client is: ipa-client-2.0-9.el6.i686
The server is: freeipa-server-2.0.0.rc3-0.fc14.i686

First, I had to make the kerberos principal key for host and afs-service by hand on the command line. Why?
Second, why can I not get this key out of the web interface to add it to the afs service? I can only see the option to delete this key in the section services.
The ipa-getkeytab also fails (see above).
Third: The documentation contains no section to add a RHEL6/SL client to free ipa. Why?
Fourth: The default principal set to kadmin is wrong, it's set to admin/admin@REALM instead of admin@REALM (seems to be wrong on all kerberos implementations).
Fifth: Running ipa-client-install works only with the
_ldap._tcp.[Domain] SRV 10 10 389 [server]
_kerberos._tcp.[Domain] SRV 0 0 88 [server]
in the dns zone. The information in http://freeipa.org/page/DNS_Location_Discovery is completely wrong. The entries for _ldap and _kerberos are not related to _network, which does not even exist in bind9; they are related to a domain/zone.
Sixth: the ipa-client install doesn't generate a keytab file for the host principal and does not extract the ca cert from the ipa server for the ldap communication with the server.

Looks all really confusing to me. So what are the correct steps to add a freeipa 2.0 client and a service such as nfs/afs/smb etc. to a freeipa 2.0 server on Fedora 14?

Regards
Roland

------------------------------------------------------------------------------------------------------------------------------
Those who give up their freedom for the sake of security will in the end have neither, and do not deserve either. (Benjamin Franklin)
------------------------------------------------------------------------------------------------------------------------------

From rcritten at redhat.com Thu Mar 31 13:14:48 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Mar 2011 09:14:48 -0400
Subject: [Freeipa-users] IPA Client join
Message-ID: <4D947E48.6070907@redhat.com>

Roland Kaeser wrote:
> Hello
>
> Just trying to add Scientific Linux 6 (RHEL 6) into the freeipa. Sorry to
> say that, but after reading a lot of the documentation I found that
> most of it is obsolete or just wrong.
> For example:
> in
> http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_Configuration_Guide-Configuring_Fedora_as_an_IPA_Client
>
> the command ipa-addservice is nowhere available.

You want to use this guide: http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/

I've removed references to the older documentation.

The command you want is ipa service-add afs/...

> Currently I try to get a keytab file for the afs service made via web
> interface using:
>
> ipa-getkeytab -s freeipa.[domain] -p afs/afs.[domain]@[REALM] -k /tmp/afs.keytab
>
> all I get is: Operation failed! unsupported extended operation
> Note: Replaced the original domain and realm with placeholders.
>
> The client is: ipa-client-2.0-9.el6.i686
> The server is: freeipa-server-2.0.0.rc3-0.fc14.i686

In rc2 we had to make a change to the OID used for some operations because they were duplicated. The OID for the ipa-getkeytab operation was one of them, so older clients don't work with newer servers. IIRC the EL6 ipa-client was based on the alpha 3 release.

I attached a patch that gives the general idea of what needs to change. It was originally for the EL 5 branch but it may work with few changes in EL6.

> First, I had to make the kerberos principal key for host and afs-service
> by hand on the command line. Why?

I'm not sure what you mean given the next question.

> Second, why can I not get this key out of the web interface to add it to
> the afs service? I can only see the option to delete this key in the
> section services. The ipa-getkeytab also fails (see above).

The only way to retrieve a keytab currently is with the ipa-getkeytab command.

> Third: The documentation contains no section to add a RHEL6/SL client to
> free ipa. Why?

Old documentation.

> Fourth: The default principal set to kadmin is wrong, it's set to
> admin/admin@REALM instead of admin@REALM (seems to be wrong on all
> kerberos implementations).

admin is a user we create.
> Fifth: Running ipa-client-install works only with the
> _ldap._tcp.[Domain] SRV 10 10 389 [server]
> _kerberos._tcp.[Domain] SRV 0 0 88 [server]
> in the dns zone.

You should be able to provide the server name to the ipa-client-install script.

> The information in http://freeipa.org/page/DNS_Location_Discovery
> is completely wrong.
> The entries for _ldap and _kerberos are not related to _network, which
> does not even exist in bind9; they are related to a domain/zone.

This is just a draft design document.

> Sixth: the ipa-client install doesn't generate a keytab file for the
> host principal and does not extract the ca cert from the ipa server for
> the ldap communication with the server.

Did the installation complete successfully? From everything you've said up to now it sounds like ipa-client-install has been failing in one way or another. If it succeeds you'll end up with a host service principal in /etc/krb5.keytab.

> Looks all really confusing to me.
> So what are the correct steps to add a freeipa 2.0 client and a service
> such as nfs/afs/smb etc. to a freeipa 2.0 server on Fedora 14?

(you need the freeipa-python, freeipa-admintools and freeipa-client pkgs for this)

# ipa-client-install
# kinit admin
# ipa service-add afs/client.example.com
# ipa-getkeytab -s ipa.example.com -k /etc/krb5.keytab -p afs/client.example.com@EXAMPLE.COM

Also note that the 2.0 GA release is not available on Fedora 14. It lacks certified dogtag 9 packages. They are available from our development repo but you'd be unlikely to get support on those. We realize that Fedora 15 isn't quite ready yet but it was always our release target for IPA v2.

regards

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-client-oid.patch
Type: application/mbox
Size: 1138 bytes

From sigbjorn at nixtra.com Thu Mar 31 14:14:34 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 31 Mar 2011 16:14:34 +0200 (CEST)
Subject: [Freeipa-users] IPA Client join
In-Reply-To: <4D947E48.6070907@redhat.com>
References: <4D947E48.6070907@redhat.com>
Message-ID: <4172.62.148.39.180.1301580874.squirrel@www.nixtra.com>

>
> In rc2 we had to make a change to the OID used for some operations
> because they were duplicated. The OID for the ipa-getkeytab operation was one of them, so older
> clients don't work with newer servers. IIRC the EL6 ipa-client was based on the alpha 3 release.
>
> I attached a patch that gives the general idea of what needs to change.
> It was originally for the EL 5 branch but it may work with few changes
> in EL6.
>

Will there be an update to the ipa-client package in RHEL 6.0, or do we have to wait for RHEL 6.1?

Rgds,
Siggi

From nkinder at redhat.com Thu Mar 31 15:41:02 2011
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 31 Mar 2011 08:41:02 -0700
Subject: [Freeipa-users] Auto membership plugin
In-Reply-To: <4D93663C.3000109@redhat.com>
References: <4D93295E.1030507@redhat.com> <4D935DF6.9060408@redhat.com> <4D93663C.3000109@redhat.com>
Message-ID: <4D94A08E.9050804@redhat.com>

On 03/30/2011 10:19 AM, Dmitri Pal wrote:
> On 03/30/2011 12:44 PM, Nathan Kinder wrote:
>> On 03/30/2011 06:00 AM, Dmitri Pal wrote:
>>> Hello,
>>>
>>> Please find the design for the auto membership plugin:
>>> https://fedorahosted.org/freeipa/ticket/753
>>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>> I had a lengthy discussion with JR, and I have come up with an
>> alternate approach. I have added this approach to the design
>> document. I am currently leaning towards this new approach. Please
>> take a look at it.
>>> I have some comments and questions:
>>> 1) Is the AND functionality for inclusion criteria required?
>>> 2) How are the attributes escaped? Do they need to be? Probably there will
>>> be cases when they should be escaped
>>> 3) Parsing pairs in the value is a bit of overhead. I wonder if there is
>>> any way to avoid it?
>>> 4) I have concerns about the UI and CLI, do you see any good ways to
>>> manage such entries?
>>>
> Makes sense

Great. Unless I hear otherwise, I am going to move forward with this newer approach and abandon the original approach (and clean it from the design doc to avoid confusion).

-NGK

From roland.kaeser at intersoft-networks.ch Thu Mar 31 18:34:29 2011
From: roland.kaeser at intersoft-networks.ch (Roland Kaeser)
Date: Thu, 31 Mar 2011 20:34:29 +0200 (CEST)
Subject: [Freeipa-users] IPA Client join
In-Reply-To: <4172.62.148.39.180.1301580874.squirrel@www.nixtra.com>

Hello

> Will there be an update to the ipa-client package in RHEL 6.0, or do we have to wait for RHEL 6.1?

So which is the software stack to use for my pilot and the later production environment?
I wouldn't like to use Fedora in company production environments. I would really prefer to use RHEL6/6.1.
I also checked the latest available Fedora 15 version. I can only find an alpha version iso from February 28.

I would really like to have a software stack which works with freeipa (client/server) and afs-server.

Regards
Roland

----- Original message -----
From: "Sigbjorn Lie"
To: "Rob Crittenden"
CC: "Roland Käser", freeipa-users at redhat.com
Sent: Thursday, 31 March 2011 16:14:34
Subject: Re: [Freeipa-users] IPA Client join

>
> In rc2 we had to make a change to the OID used for some operations
> because they were duplicated. The OID for the ipa-getkeytab operation was one of them, so older
> clients don't work with newer servers. IIRC the EL6 ipa-client was based on the alpha 3 release.
>
> I attached a patch that gives the general idea of what needs to change.
> It was originally for the EL 5 branch but it may work with few changes
> in EL6.
>

Will there be an update to the ipa-client package in RHEL 6.0, or do we have to wait for RHEL 6.1?

Rgds,
Siggi

--
InterSoft Networks
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11

From rcritten at redhat.com Thu Mar 31 18:46:27 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Mar 2011 14:46:27 -0400
Subject: [Freeipa-users] IPA Client join
Message-ID: <4D94CC03.30406@redhat.com>

Roland Kaeser wrote:
> Hello
>
>> Will there be an update to the ipa-client package in RHEL 6.0, or do we have to wait for RHEL 6.1?

The next update will be in 6.1. I can probably cobble together a srpm that would work on 6.0 until 6.1 is released if you'd like.

>
> So which is the software stack to use for my pilot and the later production environment?
> I wouldn't like to use Fedora in company production environments. I would really prefer to use RHEL6/6.1.
> I also checked the latest available Fedora 15 version. I can only find an alpha version iso from February 28.
>
> I would really like to have a software stack which works with freeipa (client/server) and afs-server.

Yeah, this is a bit of a grey area right now. IPA does a lot of cat herding and keeping all the various versions of the packages we require in sync is very tedious.

For a pilot I think you'd be fine using Fedora 14 though I would recommend doing some amount of re-testing in F-15 once it is released. We've done 80% of our development in F-14 and it works very well. The dogtag project built F-14 packages for us as a favor.
They don't want to support deployments of it because they've done zero testing of their own on F-14.

You'd need to build the packages yourself though, we haven't pushed this to F-14 because of the dogtag issue. mock should be able to build it fairly painlessly.

What I've done for my F-15 installations is to install F-14 and then upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA release is in the stable repo of F-15 now.

regards

rob

>
>
> ----- Original message -----
> From: "Sigbjorn Lie"
> To: "Rob Crittenden"
> CC: "Roland Käser", freeipa-users at redhat.com
> Sent: Thursday, 31 March 2011 16:14:34
> Subject: Re: [Freeipa-users] IPA Client join
>
>>
>> In rc2 we had to make a change to the OID used for some operations
>> because they were duplicated. The OID for the ipa-getkeytab operation was one of them, so older
>> clients don't work with newer servers. IIRC the EL6 ipa-client was based on the alpha 3 release.
>>
>> I attached a patch that gives the general idea of what needs to change.
>> It was originally for the EL 5 branch but it may work with few changes
>> in EL6.
>>
>
> Will there be an update to the ipa-client package in RHEL 6.0, or do we have to wait for RHEL 6.1?
>
> Rgds,
> Siggi
>

From rcritten at redhat.com Thu Mar 31 19:28:41 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 31 Mar 2011 15:28:41 -0400
Subject: [Freeipa-users] Auto membership plugin
In-Reply-To: <4D94A08E.9050804@redhat.com>
References: <4D93295E.1030507@redhat.com> <4D935DF6.9060408@redhat.com> <4D93663C.3000109@redhat.com> <4D94A08E.9050804@redhat.com>
Message-ID: <4D94D5E9.4020900@redhat.com>

Nathan Kinder wrote:
> On 03/30/2011 10:19 AM, Dmitri Pal wrote:
>> On 03/30/2011 12:44 PM, Nathan Kinder wrote:
>>> On 03/30/2011 06:00 AM, Dmitri Pal wrote:
>>>> Hello,
>>>>
>>>> Please find the design for the auto membership plugin:
>>>> https://fedorahosted.org/freeipa/ticket/753
>>>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>>> I had a lengthy discussion with JR, and I have come up with an
>>> alternate approach. I have added this approach to the design
>>> document. I am currently leaning towards this new approach. Please
>>> take a look at it.
>>>> I have some comments and questions:
>>>> 1) Is the AND functionality for inclusion criteria required?
>>>> 2) How are the attributes escaped? Do they need to be? Probably there will
>>>> be cases when they should be escaped
>>>> 3) Parsing pairs in the value is a bit of overhead. I wonder if
>>>> there is any way to avoid it?
>>>> 4) I have concerns about the UI and CLI, do you see any good ways to
>>>> manage such entries?
>>>>
>> Makes sense
> Great. Unless I hear otherwise, I am going to move forward with this
> newer approach and abandon the original approach (and clean it from the
> design doc to avoid confusion).

I think this is fine though I'm concerned that some of these entries could end up being huge.

The alternate design lumps all configuration for a particular object type into a single entry so a default can be set, which is fine.

But what happens over time as this grows, are these huge entries going to be unmanageable?
The cli already has a bit of iffy management of multi-valued attributes. We'd definitely need to add a delattr option so individual elements of a MV could be removed. What will the behavior be if there are multiple configurations that match? Say you have 2 objectclass=posixAccount for adding users to groups, both with a default. Does the user get added to 2 groups? If adding membership fails (already a member, for example) is that error thrown away? rob From nkinder at redhat.com Thu Mar 31 20:03:32 2011 From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 31 Mar 2011 13:03:32 -0700 Subject: [Freeipa-users] Auto membership plugin In-Reply-To: <4D94D5E9.4020900@redhat.com> References: <4D93295E.1030507@redhat.com> <4D935DF6.9060408@redhat.com> <4D93663C.3000109@redhat.com> <4D94A08E.9050804@redhat.com> <4D94D5E9.4020900@redhat.com> Message-ID: <4D94DE14.5010604@redhat.com> On 03/31/2011 12:28 PM, Rob Crittenden wrote: > Nathan Kinder wrote: >> On 03/30/2011 10:19 AM, Dmitri Pal wrote: >>> On 03/30/2011 12:44 PM, Nathan Kinder wrote: >>>> On 03/30/2011 06:00 AM, Dmitri Pal wrote: >>>>> Hello, >>>>> >>>>> Please find the design for the auto membership plugin: >>>>> https://fedorahosted.org/freeipa/ticket/753 >>>>> Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design >>>> I had a lengthy discussion with JR, and I have come up with an >>>> alternate approach. I have added this approach to the design >>>> document. I am currently leaning towards this new approach. Please >>>> take a look at it. >>>>> I have some comments and questions: >>>>> 1) Is the AND functionality for inclusion criteria required? >>>>> 2) How the attributes are escaped? Do they need to? Probably there >>>>> will >>>>> be cases when they should be escaped >>>>> 3) Parsing pairs in the value as a bit of overhead. I wonder if >>>>> there is >>>>> any way to avoid it? >>>>> 4) I have concerns about the UI and CLI, do you see any good ways to >>>>> mange such entries? 
>>>>> >>> Makes sense >> Great. Unless I hear otherwise, I am going to move forward with this >> newer approach and abandon the original approach (and clean it from the >> design doc to avoid confusion). > > I think this is fine though I'm concerned that some of these entries > could end up being huge. > > The alternate design lumps all configuration for a particular object > type into a single entry so a default can be set, which is fine. > > But what happens over time as this grows, are these huge entries going > to be unmanageable? I agree, but I don't know if it's any more manageable to have hundreds of entries. > > The cli already has a bit of iffy management of multi-valued > attributes. We'd definitely need to add a delattr option so individual > elements of a MV could be removed. > > What will the behavior be if there are multiple configurations that > match? Say you have 2 objectclass=posixAccount for adding users to > groups, both with a default. Does the user get added to 2 groups? Yes. > > If adding membership fails (already a member, for example) is that > error thrown away? Yes, that should be a soft failure (though it shouldn't happen since the user is being newly added, which would mean the group entry has a dangling member). > > rob From Steven.Jones at vuw.ac.nz Thu Mar 31 23:21:03 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 31 Mar 2011 23:21:03 +0000 Subject: [Freeipa-users] IPA Client join In-Reply-To: <4D94CC03.30406@redhat.com> References: , <4D94CC03.30406@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E4002CE1B@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Just a note...on compatibility....yes I know IPA isnt fit yet but....... If your POC environment is Vmware based F14 isnt supported for vmtools and you cant install vmware tools either it barfs at kernel detection, not good. 
So, if I want to do freeIPA I have to run F14 on RHEL6.0 as KVMs and connect to VMWare ESXi with ethernet cables....then I have to have RHEL6 on real hardware as well running virtual box so I can run a virtualised copy of my Sun 7410 array (NB you cant run virtual box on rhel6 with kvm at the same time) and there is no vmware or kvm image for the sun array software and I have to make this all work.....its goddam painful....you should see my desk.....a spider would feel happy.... :/ It will be really nice when there are some binary IPA rpms for RHEL 6.x, trying to / accidently restricting stuff just hurts. :( regards Steven ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rob Crittenden [rcritten at redhat.com] Sent: Friday, 1 April 2011 7:46 a.m. To: Roland K?ser Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA Client join Roland Kaeser wrote: > Hello > >> Will there be an update to the ipa-client package in RHEL 6.0, or do we have to wait for RHEL 6.1? The next update will be in 6.1. I can probably cobble together a srpm that would work on 6.0 until 6.1 is released if you'd like. > > So which is the software stack to use for my pilot and the later production environment? > I wouldn't like to use Fedora in company production environments. I would be really prefer to use RHEL6/6.1 > I also checked the latest avialable fedora 15 version. I only can find a alpha version iso from february, 28. > > I would really like to have a software stack which works with freeipa (client/server) and afs-server. Yeah, this is a bit of a grey area right now. IPA does a lot of cat herding and keeping all the various versions of the packages we require in sync is very tedious. For a pilot I think you'd be fine using Fedora 14 though I would recommend doing some amount of re-testing in F-15 once it is released. We've done 80% of our development in F-14 and it works very well. 
The dogtag project built F-14 packages for us as a favor. They don't want to support deployments of it because they've done zero testing of their own on F-14. You'd need to build the packages yourself though, we haven't pushed this to F-14 because of the dogtag issue. mock should be able to build it fairly painlessly. What I've done for my F-15 installations is to install F-14 and then upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA release is in the stable repo of F-15 now. regards rob > > > ----- Urspr?ngliche Mail ----- > Von: "Sigbjorn Lie" > An: "Rob Crittenden" > CC: "Roland K??ser", freeipa-users at redhat.com > Gesendet: Donnerstag, 31. M?rz 2011 16:14:34 > Betreff: Re: [Freeipa-users] IPA Client join > >> >> In rc2 we had to make a change to the OID used for some operations >> because they were duplicated. The OID for the ipa-getkeytab operation was one of them, so older >> clients don't work with newer servers. IIRC the EL6 ipa-client was based on the alpha 3 release. >> >> I attached a patch that gives the general idea of what needs to change. >> It was originally for the EL 5 branch but it may work with few changes >> in EL6. >> > > Will there be an update to the ipa-client package in RHEL 6.0, or do we have to wait for RHEL 6.1? > > > Rgds, > Siggi > > > _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
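The auto membership thread above settles two behavioural questions: when several definitions match a newly added entry, the entry lands in every matching definition's default group (Rob's "2 objectclass=posixAccount" case, answered "Yes"), and an "already a member" error on the membership add is swallowed as a soft failure rather than failing the ADD. The Python model below is an added example written for this page to make those semantics concrete; it is not the 389-ds auto membership plugin, and the definition shape (a name, an inclusion filter, a default group DN) and every DN and attribute value are constructed assumptions, not the design document's schema. It also implements the AND/OR filter combinators Dmitri asked about in question 1, so a multi-term inclusion criterion can be tried out.

```python
"""Toy model of the auto membership semantics discussed in the thread above.

Added example for this page; it is NOT the 389-ds auto membership plugin, and
the configuration shape (name / inclusion filter / default group) is an
assumption chosen to mirror Rob's and Nathan's exchange, not the design doc.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample DNs (assumptions, not values from the page).
BASE = "dc=example,dc=com"
G_USERS = f"cn=ipausers,cn=groups,{BASE}"
G_ALL = f"cn=allusers,cn=groups,{BASE}"
G_NYC = f"cn=nycadmins,cn=groups,{BASE}"


def _parse(s: str, pos: int) -> Tuple[tuple, int]:
    """Parse a small subset of RFC 4515 filters: (attr=value), (attr=*), (&..), (|..).
    Values containing ')' or backslash escapes are out of scope for this toy."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if s[pos] in "&|":
        op, pos, children = s[pos], pos + 1, []
        while pos < len(s) and s[pos] == "(":
            node, pos = _parse(s, pos)
            children.append(node)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = s.index(")", pos)
    attr, sep, value = s[pos:end].partition("=")
    if not sep:
        raise ValueError("only equality and presence filters are supported")
    return ("=", attr.lower(), value), end + 1


def parse_filter(s: str) -> tuple:
    s = s.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node: tuple, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against an entry whose attribute names are lower-cased."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])   # AND inclusion criteria
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


@dataclass
class AutoMemberDefinition:
    name: str
    inclusion_filter: str   # which new entries this definition applies to
    default_group: str      # group the entry is added to when it matches


class ToyDirectory:
    def __init__(self, definitions: List[AutoMemberDefinition], group_dns: List[str]):
        self.definitions = [(d, parse_filter(d.inclusion_filter)) for d in definitions]
        self.groups: Dict[str, Set[str]] = {g: set() for g in group_dns}

    def add_entry(self, dn: str, attrs: Dict[str, List[str]]) -> Dict[str, list]:
        """Mimic the post-ADD step: every matching definition fires, independently."""
        entry = {k.lower(): list(v) for k, v in attrs.items()}
        added, soft_failures = [], []
        for definition, node in self.definitions:
            if not matches(node, entry):
                continue
            members = self.groups[definition.default_group]
            if dn in members:
                # "already a member" is recorded but not raised (Nathan's soft failure);
                # for a brand-new entry it means the group carried a dangling member.
                soft_failures.append((definition.name, definition.default_group))
            else:
                members.add(dn)
                added.append((definition.name, definition.default_group))
        return {"added": added, "soft_failures": soft_failures}


def demo() -> Tuple[ToyDirectory, dict, dict]:
    defs = [
        AutoMemberDefinition("users-a", "(objectclass=posixAccount)", G_USERS),
        AutoMemberDefinition("users-b", "(objectclass=posixAccount)", G_ALL),   # second match
        AutoMemberDefinition("nyc-admins",
                             "(&(objectclass=posixAccount)(l=NYC)(title=admin))", G_NYC),
    ]
    d = ToyDirectory(defs, [G_USERS, G_ALL, G_NYC])
    d.groups[G_ALL].add(f"uid=bob,cn=users,{BASE}")   # constructed dangling member
    r_alice = d.add_entry(f"uid=alice,cn=users,{BASE}",
                          {"objectClass": ["top", "posixAccount"], "l": ["NYC"], "title": ["admin"]})
    r_bob = d.add_entry(f"uid=bob,cn=users,{BASE}", {"objectClass": ["top", "posixAccount"]})
    return d, r_alice, r_bob


if __name__ == "__main__":
    _, a, b = demo()
    print("alice:", a)
    print("bob:  ", b)
```

Running `demo()` shows alice added to all three groups (two definitions share the same `objectclass=posixAccount` criterion and both fire), while bob is added to one group and produces a soft failure for the other because the constructed dangling member was already there. Whether the real plugin should surface that soft failure in its log is exactly the operational question worth settling in the design, since a silent swallow hides stale group state.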