From ayoung at redhat.com Sun May 1 01:39:13 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 30 Apr 2011 21:39:13 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To:
References: <764971.44560.qm@web161302.mail.bf1.yahoo.com>
Message-ID: <4DBCB9C1.5050806@redhat.com>

On 04/30/2011 12:10 PM, JR Aquino wrote:
> On Apr 29, 2011, at 11:45 PM, "nasir nasir" wrote:
>
> Hi All,
>
> First of all, many thanks indeed to the developers and community for making some great strides in the open source IPA world !
>
> I am planning for a Linux deployment with the following requirements.
>
> -- About 50 Linux clients running Kubuntu (can change this to ubuntu if necessary)

No need. The client side of IPA is completely agnostic of the X Window system or anything running in it. The GUI is completely Web technologies, and so you can hit it from the Mozilla browser just fine from Kubuntu.

> -- Centralized authentication

Yes

> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.

Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.

> -- NO Windows or other users

Dare I say Hooray?

> -- Admin should be able to create and modify the accounts of all the users

Yes

> -- Admin should be able to set password policies
> -- Allocate /home folder for each user from the storage through iSCSI

Outside the realm of IPA, but possible to do from a central server...see above comments.

But if you mount the home directory on the FreeIPA server via NFS, you should be able to create directories upon adding a user.

> -- Server can be CentOS/RHEL (or even Fedora if absolutely required)

Agree with JR: go with Fedora 15 as that is where the most focused development is happening. F15 will ship with the 2.0 version of IPA. It is in Beta now, and should be stable enough for you to start setting up your environment. CentOS hasn't released a version compatible with RHEL6, and the supported version of IPA is going to ship in the RHEL 6 series.

> -- Any other administration of users if possible !

Centralized SUDO and Host Based Access Controls are two features you probably want to at least look over. Plus, IPA comes with good DNS integration, and you'll want to make each managed host reachable on your network; DNS support is pretty important. The ability to delegate authority for tasks, nested groups, and netgroup/hostgroup support all help in centralizing administration.

> I was wondering whether FreeIPA makes sense to me in this scenario ? can it satisfy all these or at least some of these ? if not, can anyone suggest me some alternative solutions which are open source ? I am flexible on the requirements and can make modifications if that is required.

I think FreeIPA is the perfect starting point for you.

> I would really appreciate any feedback on this.
>
> Thanks in advance and regards,
> Nidal
>
> ______________________________
>
> Yes Nidal, you will find that FreeIPA satisfies almost all of these requirements. iSCSI management is not a feature of FreeIPA.
>
> If you are looking to begin now, I would recommend that you start with Fedora as your base server distro.
>
> IPA will be available for RHEL as a Feature preview in 6.1 with plans to be fully supported and integrated by 6.2.
>
> -JR
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From kollathodi at yahoo.com Sun May 1 12:49:46 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Sun, 1 May 2011 05:49:46 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DBCB9C1.5050806@redhat.com>
Message-ID: <459411.75182.qm@web161308.mail.bf1.yahoo.com>

Thanks for all the replies and great suggestions! I do appreciate it a lot.

Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this !) And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
>
> IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.
>
> Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.
From root at nachtmaus.us Sun May 1 14:01:15 2011
From: root at nachtmaus.us (root at nachtmaus.us)
Date: Sun, 1 May 2011 14:01:15 +0000
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <459411.75182.qm@web161308.mail.bf1.yahoo.com>
References: <4DBCB9C1.5050806@redhat.com> <459411.75182.qm@web161308.mail.bf1.yahoo.com>
Message-ID: <1024024413-1304258475-cardhu_decombobulator_blackberry.rim.net-118089661-@bda614.bisx.prod.on.blackberry>

If you can do NFS in lieu of iSCSI, you have the perfect use case for FreeIPA.

If you have a requirement for Ubuntu, stay with that, but FreeIPA would provide all of your needs, and it is developed and tested on Fedora Core, so you may want to consider it. Plus, having your desktops and servers running the same platform makes management of the environment easier.

Lastly, because sane provisioning and centralized change-initiation helps make management easier, you may want to consider Cobbler in your server for deploying desktops and Func for sending remote-control commands to the environment.

-DTK
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: nasir nasir
Sender: freeipa-users-bounces at redhat.com
Date: Sun, 1 May 2011 05:49:46
To: ; Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

From jhrozek at redhat.com Sun May 1 19:08:49 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 01 May 2011 21:08:49 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <764971.44560.qm@web161302.mail.bf1.yahoo.com>
References: <764971.44560.qm@web161302.mail.bf1.yahoo.com>
Message-ID: <4DBDAFC1.5050903@redhat.com>

On 04/30/2011 08:41 AM, nasir nasir wrote:
> -- About 50 Linux clients running *Kubuntu (can change this to ubuntu if necessary)*

Just a warning that Ubuntu - according to http://packages.ubuntu.com/sssd - still defaults to sssd 1.2.1, even in their "natty" release. There were a number of issues concerning the IPA backend since the last 1.2.x maintenance release of SSSD. For instance ticket #822 directly hits IPA. You might want to raise these with your distribution or cherry-pick them for your deployment.

From ayoung at redhat.com Mon May 2 15:03:20 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 02 May 2011 11:03:20 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <459411.75182.qm@web161308.mail.bf1.yahoo.com>
References: <459411.75182.qm@web161308.mail.bf1.yahoo.com>
Message-ID: <4DBEC7B8.4080209@redhat.com>

On 05/01/2011 08:49 AM, nasir nasir wrote:
> Thanks for all the replies and great suggestions! I do appreciate it a lot.
>
> Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this !) And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)
>
> Thanks and regards,
> Nidal
>
> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
>
> IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.
>
> Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.

Nidal,

OK, I'd probably do something like this:

After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like

ipa-client-install --mkhomedir -p admin

Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home.
Now, create an automount location and map, and create a key for /home. The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

From rcritten at redhat.com Mon May 2 17:59:10 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 May 2011 13:59:10 -0400
Subject: [Freeipa-users] Announcing FreeIPA 2.0.1
Message-ID: <4DBEF0EE.1030003@redhat.com>

The FreeIPA Project is proud to announce the latest bugfix release of FreeIPA.

As always, the latest tarball can be found at http://freeipa.org/

== Highlights ==

* Fixed a number of issues uncovered by pylint in preparation for executing it as part of the freeIPA build process.
* Changed the algorithm used for determining indirect membership, resulting in significant performance improvement.
* Added index for memberHost and memberUser.
* Fixed problems in ipa-compat-manage and ipa-nis-manage.
* Improved detection of current installation status for both client and server.
* The --gidnumber option for users has been fixed.
* postalCode is now a string instead of an integer. Older clients will still send this as an Int so upgrade your clients if you need this.
* Fix 389-ds crash issue in installer. We could try to shut down the server while it was trying to create an index.
* The default groups we create should have ipaUniqueId set

== Detailed Changelog ==

Endi S. Dewata (1):
* Fixed undefined label in permission adder dialog box.

Jan Cholasta (10):
* Fix wording of error message.
* Add note about ipa-dns-install to ipa-server-install man page.
* Fix typo in ipa-server-install.
* Fix uninitialized variables.
* Fix double definition of output_for_cli.
* Add lint script for static code analysis.
* Fix lint false positives.
* Remove unused classes.
* Fix some minor issues uncovered by pylint.
* Fix uninitialized attributes.

Jr Aquino (4):
* Escape LDAP characters in member and memberof searches
* Add memberHost and memberUser to default indexes
* Optimize and dynamically verify group membership
* Delete the sudoers entry when disabling Schema Compat

Martin Kosek (12):
* Inconsistent error message for duplicate user
* Replica installation fails for self-signed server
* Password policy commands do not include cospriority
* Improve DNS PTR record validation
* IPA replica is not started after the reboot
* Improve Directory Service open port checker
* Log temporary files in ipa-client-install
* Prevent uninstalling client on the IPA server
* pwpolicy-mod doesn't accept old attribute values
* Forbid reinstallation in ipa-client-install
* ipa-client-install uninstall does not work on IPA server
* LDAP Updater may crash IPA installer

Pavel Zuna (1):
* Fix gidnumber option of user-add command.

Rob Crittenden (18):
* Allow a client to enroll using principal when the host has a OTP
* Make retrieval of the CA during DNS discovery non-fatal.
* Cache the value of get_ipa_config() in the request context.
* Change default gecos from uid to first and last name.
* Fix ORDERING in some attributetypes and remove other unnecessary elements.
* postalCode should be a string not an integer.
* Fix traceback in ipa-nis-manage.
* Suppress --on-master from ipa-client-install command-line and man page.
* Sort entries returned by *-find by the primary key (if any).
* The default groups we create should have ipaUniqueId set
* Always ask members in LDAP*ReverseMember commands.
* Provide attributelevelrights for the aci components in permission_show.
* Wait for memberof task and DS to start before proceeding in installation.
* Convert manager from userid to dn for storage and back for displaying.
* Modify the default attributes shown in user-find to match the UI design.
* Ensure that the zonemgr passed to the installer conforms to IA5String.
* Handle principal not found errors when converting replication agreements

Simo Sorce (2):
* Fix resource leaks.
* ipautil: Preserve environment unless explicitly overridden by caller.

rob

From Steven.Jones at vuw.ac.nz Tue May 3 05:13:09 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 3 May 2011 05:13:09 +0000
Subject: [Freeipa-users] test
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063423F5@STAWINCOX10MBX1.staff.vuw.ac.nz>

test

From thing.thing at gmail.com Tue May 3 05:16:22 2011
From: thing.thing at gmail.com (Thing)
Date: Tue, 3 May 2011 17:16:22 +1200
Subject: [Freeipa-users] testing
Message-ID:

test

From dpal at redhat.com Tue May 3 12:46:23 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 03 May 2011 08:46:23 -0400
Subject: [Freeipa-users] Questions from Steven Jones
Message-ID: <4DBFF91F.3020302@redhat.com>

I am posting Steven's questions as they have been sent to the wrong list and were on hold.

------------------------------------------------

Hi

Seem to be having issues posting....anyway....

I notice that free-ipa really wants to work best as its own dns etc....problem is with AD running integrated DNS there is a clash....So I'm wondering with say a domain of ipa.ac.nz whether it would be a good idea or sensible and worthwhile to run ipa as a dns stub say unix.ipa.ac.nz?

Would this cause any issues with anything? say passwd syncing with AD under ipa.ac.nz (or actually its staff.ipa.ac.nz) ????

From reading the docs this looks like it might be a good idea, not sure...

Are there any good high design and architecture docs I should read? to answer such Qs?

regards

-----------------------------------------------

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Tue May 3 13:21:39 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 03 May 2011 09:21:39 -0400
Subject: [Freeipa-users] Questions from Steven Jones
In-Reply-To: <4DBFF91F.3020302@redhat.com>
References: <4DBFF91F.3020302@redhat.com>
Message-ID: <4DC00163.8070505@redhat.com>

On 05/03/2011 08:46 AM, Dmitri Pal wrote:
> I am posting Steven's questions as they have been sent to the wrong list and were on hold.
>
> ------------------------------------------------
>
> Hi
>
> Seem to be having issues posting....anyway....
>
> I notice that free-ipa really wants to work best as its own dns etc....problem is with AD running integrated DNS there is a clash....So I'm wondering with say a domain of ipa.ac.nz whether it would be a good idea or sensible and worthwhile to run ipa as a dns stub say unix.ipa.ac.nz?
>
> Would this cause any issues with anything? say passwd syncing with AD under ipa.ac.nz (or actually its staff.ipa.ac.nz) ????
>
> From reading the docs this looks like it might be a good idea, not sure...
>
> Are there any good high design and architecture docs I should read? to answer such Qs?
>
> regards
>
> -----------------------------------------------

I'd go so far as to say that it is a very good idea, but there really is no issue. Either IPA runs as DNS, or it needs something else to keep DNS entries in sync. Obviously, it is easier to do all inside a single system.

I'm guessing that what he is seeing is having IPA run DNS for the same zone as another DNS server: the fact that it is AD is probably irrelevant. Just remember that if you make the IPA DNS be a subzone, all of the hostnames need to match. Not sure if then there will be Kerberos Realm issues between AD and IPA, though.

From simo at redhat.com Tue May 3 13:18:13 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 03 May 2011 09:18:13 -0400
Subject: [Freeipa-users] Questions from Steven Jones
In-Reply-To: <4DBFF91F.3020302@redhat.com>
References: <4DBFF91F.3020302@redhat.com>
Message-ID: <1304428693.2886.19.camel@willson.li.ssimo.org>

On Tue, 2011-05-03 at 08:46 -0400, Dmitri Pal wrote:
> I am posting Steven's questions as they have been sent to the wrong list and were on hold.
>
> ------------------------------------------------
>
> Hi
>
> Seem to be having issues posting....anyway....
>
> I notice that free-ipa really wants to work best as its own dns etc....problem is with AD running integrated DNS there is a clash....So I'm wondering with say a domain of ipa.ac.nz whether it would be a good idea or sensible and worthwhile to run ipa as a dns stub say unix.ipa.ac.nz?
>
> Would this cause any issues with anything? say passwd syncing with AD under ipa.ac.nz (or actually its staff.ipa.ac.nz) ????
>
> From reading the docs this looks like it might be a good idea, not sure...
>
> Are there any good high design and architecture docs I should read? to answer such Qs?

Having your own subdomain (or multiple subdomains) for IPA is certainly a good idea. This is not much due to our DNS integration, you can definitely handle DNS on your own, but has more to do with Kerberos libraries and the way realm -> domain mapping is done in some cases. So if you organize your naming architecture to have IPA.EXAMPLE.COM -> ipa.example.com then you get the best interoperability matrix between all components. That doesn't mean other combinations won't work, but you will have to understand the details of how Kerberos and DNS interrelate and how to change client configuration if you choose different strategies.

Password syncing will have no problems related to DNS names, except, perhaps, for the need to change your SSL certificate (as X509 certs for SSL embed the hostname of the server).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue May 3 20:26:27 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 3 May 2011 20:26:27 +0000
Subject: [Freeipa-users] Questions from Steven Jones
In-Reply-To: <1304428693.2886.19.camel@willson.li.ssimo.org>
References: <4DBFF91F.3020302@redhat.com>, <1304428693.2886.19.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063427A0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Yes I kind of figured the Kerberos interaction might be an issue...reading it suggests it's clearly better for the IPA master to do the DNS? so it seems logical it's a separate stub-zone..?

I have the rare opportunity to design from scratch....as the linux/unix component of our site has no central system at all...but it has to interact with AD and windows heavily. It's about a 30% ~70% split...over 500 servers. What I don't want to have to do is re-configure it all later; that would be a nightmare I think....200 servers to change....ikky.

So we have multiple AD zones/domains, example.ac.nz is the root AD

staff.
student.

For windows AD. Both sub-domains have passwords I need to get sync off

So I only want one Linux/unix domain....I don't want to split into staff. and student. as that is being removed from our MS AD anyway...

So I want to make it as logical and easy as possible to admin and maintain for our 1 linux admin.

Eventually we will just have example.ac.nz for AD but that's years away......in which case eventually I would have example.ac.nz as AD syncing to unix.example.ac.nz ? as the best solution? This is better than running IPA under the main example.ac.nz? which is controlled by AD.......

However I suspect that my management won't be happy if they see we have another sub-domain.....it's a marketing / image thing, it's not uh "professional"...so I have to have good / clear reasons.
regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com]
Sent: Wednesday, 4 May 2011 1:18 a.m.
To: dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Questions from Steven Jones

On Tue, 2011-05-03 at 08:46 -0400, Dmitri Pal wrote:
> I am posting Steven's questions as they have been sent to the wrong list and were on hold.
>
> ------------------------------------------------
>
> Hi
>
> Seem to be having issues posting....anyway....
>
> I notice that free-ipa really wants to work best as its own dns etc....problem is with AD running integrated DNS there is a clash....So I'm wondering with say a domain of ipa.ac.nz whether it would be a good idea or sensible and worthwhile to run ipa as a dns stub say unix.ipa.ac.nz?
>
> Would this cause any issues with anything? say passwd syncing with AD under ipa.ac.nz (or actually its staff.ipa.ac.nz) ????
>
> From reading the docs this looks like it might be a good idea, not sure...
>
> Are there any good high design and architecture docs I should read? to answer such Qs?

Having your own subdomain (or multiple subdomains) for IPA is certainly a good idea. This is not much due to our DNS integration, you can definitely handle DNS on your own, but has more to do with Kerberos libraries and the way realm -> domain mapping is done in some cases. So if you organize your naming architecture to have IPA.EXAMPLE.COM -> ipa.example.com then you get the best interoperability matrix between all components. That doesn't mean other combinations won't work, but you will have to understand the details of how Kerberos and DNS interrelate and how to change client configuration if you choose different strategies.

Password syncing will have no problems related to DNS names, except, perhaps, for the need to change your SSL certificate (as X509 certs for SSL embed the hostname of the server).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue May 3 20:56:40 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 3 May 2011 20:56:40 +0000
Subject: [Freeipa-users] Disk layout - requirements
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063427D8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Digging through docs / googling I can't see any disk partition suggestions and size thereof requirements...

Suggestions please? sizing for 500 servers, 2000 desktops, 5000+ users...

Especially around having different sections of the IPA master on different raid groups if that's needed...

Also ext4 is best?

regards

Steven

From sbingram at gmail.com Thu May 5 00:41:01 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 4 May 2011 17:41:01 -0700
Subject: [Freeipa-users] extending FreeIPA
Message-ID:

I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future schema additions that might conflict with what I add. I know at one time you were expecting to add information for Postfix and other common server programs. Was this schema ever prepared and agreed upon, or is it best to use some special branch to put this all under?

Also, although I read Adam Young's blog article about how to extend the WebUI, I'm having difficulty adding attributes within the existing structure. For example, on the user page, is there a prescribed way of adding say, the mailAlternateAddress attribute such that it shows as a field in the WebUI?

Steve

From simo at redhat.com Fri May 6 12:49:30 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 06 May 2011 08:49:30 -0400
Subject: [Freeipa-users] extending FreeIPA
In-Reply-To:
References:
Message-ID: <1304686170.14451.25.camel@willson.li.ssimo.org>

On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote:
> I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future schema additions that might conflict with what I add. I know at one time you were expecting to add information for Postfix and other common server programs. Was this schema ever prepared and agreed upon, or is it best to use some special branch to put this all under?

Ok, it seems we are confusing 2 things here: on one side schema extensions (new attributes and objectclasses) and on the other side DIT structure (subtrees within the tree where to put your information).

If you use standard schema or schema you made yourself after you got assigned a base OID there should be no issue at all. If you do your own schema please be careful in trying to use a prefix for attribute and objectclass names so that you do not risk future name conflicts.

For the DIT part it really depends on what you need to do. If you just need to add attributes to users then you have no other option but to attach them to the users, and that's fine, it shouldn't cause any issue.

If you need to add entirely new objects I can suggest to create a cn=custom container as a top level subtree (ie at the same level of cn=accounts and cn=etc, ...). And within it do what you need to do. This way it will not conflict with anything we may add in future.

> Also, although I read Adam Young's blog article about how to extend the WebUI, I'm having difficulty adding attributes within the existing structure. For example, on the user page, is there a prescribed way of adding say, the mailAlternateAddress attribute such that it shows as a field in the WebUI?

I will let Adam reply to this one.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Fri May 6 14:12:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 06 May 2011 10:12:56 -0400
Subject: [Freeipa-users] Disk layout - requirements
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063427D8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40063427D8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC401E8.1090506@redhat.com>

Steven Jones wrote:
>
> Hi,
>
> Digging through docs / googling I can't see any disk partition suggestions and size thereof requirements...
>
> Suggestions please? sizing for 500 servers, 2000 desktops, 5000+ users...
>
> Especially around having different sections of the IPA master on different raid groups if that's needed...

It depends in part on how you use IPA. A bare-bones user entry is about 1k, a host that has a certificate is about the same. There is some amount of overhead in the DIT and you'll need to consider the space for groups, how many Kerberos services you'll deploy (also about 1k in size) and what other features of IPA you'll use. We have quite a few indexes into the data; that will take some room too.

I think additional RAM will be better than terabytes of disk. 389-ds is going to try to cache much of this data, and with this number of entries it can probably keep most if not all of the database in memory.

We haven't done any analysis on different FS performance.

Does that help?
rob

From sigbjorn at nixtra.com Fri May 6 15:58:42 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 06 May 2011 17:58:42 +0200
Subject: [Freeipa-users] Disk layout - requirements
In-Reply-To: <4DC401E8.1090506@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40063427D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC401E8.1090506@redhat.com>
Message-ID: <4DC41AB2.7050309@nixtra.com>

On 05/06/2011 04:12 PM, Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> Digging through docs / googling I can't see any disk partition suggestions and size thereof requirements...
>>
>> Suggestions please? Sizing for 500 servers, 2000 desktops, 5000+ users...
>>
>> Especially around having different sections of the IPA master on different raid groups if that's needed...
>
> It depends in part on how you use IPA. A bare-bones user entry is about 1k, a host that has a certificate is about the same. There is some amount of overhead in the DIT and you'll need to consider the space for groups, how many kerberos services you'll deploy (also about 1k in size) and what other features of IPA you'll use. We have quite a few indexes into the data; that will take some room too.
>
> I think additional RAM will be better than terabytes of disk. 389-ds is going to try to cache much of this data, and with this number of entries it can probably keep most if not all of the database in memory.
>
> We haven't done any analysis on different FS performance.
>
> Does that help?
>
> rob

Would you consider these documents describing sizing and performance tuning of the RH DS to be comparable/transferable to IPA?

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html

Rgds,
Siggi

From dpal at redhat.com Fri May 6 18:54:08 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 06 May 2011 14:54:08 -0400
Subject: [Freeipa-users] Disk layout - requirements
In-Reply-To: <4DC41AB2.7050309@nixtra.com>
References: <833D8E48405E064EBC54C84EC6B36E40063427D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC401E8.1090506@redhat.com> <4DC41AB2.7050309@nixtra.com>
Message-ID: <4DC443D0.5050406@redhat.com>

On 05/06/2011 11:58 AM, Sigbjorn Lie wrote:
> Would you consider these documents describing sizing and performance tuning of the RH DS to be comparable/transferable to IPA?
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html

Yes these documents are applicable and can be used to tune up DS server under IPA.

> Rgds,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Fri May 6 20:11:35 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 06 May 2011 16:11:35 -0400
Subject: [Freeipa-users] extending FreeIPA
In-Reply-To: <1304686170.14451.25.camel@willson.li.ssimo.org>
References: <1304686170.14451.25.camel@willson.li.ssimo.org>
Message-ID: <4DC455F7.5070000@redhat.com>

On 05/06/2011 08:49 AM, Simo Sorce wrote:
> On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote:
>> I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future schema additions that might conflict with what I add. I know at one time you were expecting to add information for Postfix and other common server programs. Was this schema ever prepared and agreed upon, or is it best to use some special branch to put this all under?
> Ok, it seems we are confusing 2 things here: on one side schema extensions (new attributes and objectclasses) and on the other side DIT structure (subtrees within the tree where to put your information).
>
> If you use standard schema or schema you made yourself after you got assigned a base OID there should be no issue at all. If you do your own schema please be careful in trying to use a prefix for attribute and objectclass names so that you do not risk future name conflicts.
>
> For the DIT part it really depends on what you need to do. If you just need to add attributes to users then you have no other option but to attach them to the users, and that's fine, it shouldn't cause any issue.
>
> If you need to add entirely new objects I can suggest to create a cn=custom container as a top level subtree (ie at the same level of cn=accounts and cn=etc, ...) and within it do what you need to do. This way it will not conflict with anything we may add in future.
>
>> Also, although I read Adam Young's blog article about how to extend the WebUI, I'm having difficulty adding attributes within the existing structure. For example, on the user page, is there a prescribed way of adding say, the mailAlternateAddress attribute such that it shows as a field in the WebUI?

The rule is that you need to be able to do it in the CLI first, and then attempt it in the WebUI. The attribute you are attempting to access needs to be added to the user object in freeipa/ipalib/plugins/user.py first.

Once you have that, you can add it to the UI just like email address:

    {factory: IPA.multivalued_text_widget, name:'mail'},

However, mail is already a multivalued attribute. You can store multiple email addresses there if you want, and that is the intention. If you want to make these both single value fields, change it to:

    fields: [
        "mail",
        "mailalternateaddress",
        {factory: IPA.multivalued_text_widget, name:'telephonenumber'},
        ...

> I will let Adam reply to this one.
>
> HTH,
> Simo.

From kollathodi at yahoo.com Sun May 8 10:20:27 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Sun, 8 May 2011 03:20:27 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DBEC7B8.4080209@redhat.com>
Message-ID: <895514.84135.qm@web161308.mail.bf1.yahoo.com>

Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (Kubuntu in my case) for single sign-on or even accessing a service like NFS using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?

Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:
> Thanks for all the replies and great suggestions! I do appreciate it a lot.
>
> Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!). And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)
>
> Thanks and regards,
> Nidal
>
>> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
>
> IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.
>
> Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.

Nidal,

OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like

    ipa-client-install --mkhomedir -p admin

Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home. Now, create an automount location and map, and create a key for /home.

The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
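Simo's schema and DIT advice in the "extending FreeIPA" thread above (definitions under your own OID arc, a prefix on every new attribute and objectclass name, and new objects kept in a top-level cn=custom container beside cn=accounts and cn=etc) as a small Python helper. This is an added example, not FreeIPA project code. The OID arc 1.3.6.1.4.1.99999, the prefix "acme", the suffix dc=example,dc=com and the attribute and class names are constructed placeholders to replace with your own; nsContainer is the 389-ds objectclass IPA itself uses for its containers.

```python
"""Helper for planning a FreeIPA schema extension: vendor-prefixed names,
OIDs under your own arc, and a cn=custom container for new objects.
Added example, not FreeIPA project code."""
import re

# Constructed placeholders: substitute the OID arc assigned to you (an IANA
# private enterprise number) and a prefix unlikely to collide with anything.
BASE_OID = "1.3.6.1.4.1.99999"
NAME_PREFIX = "acme"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"   # RFC 4517 syntax OID

_ATTR_ARC = BASE_OID + ".1"   # attributeTypes go under <arc>.1.N
_OC_ARC = BASE_OID + ".2"     # objectClasses go under <arc>.2.N


def check_name(name):
    """True if name is a valid LDAP descriptor and carries the prefix, so it
    cannot clash with standard names (mail) or later IPA names (ipa*)."""
    return (bool(re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", name))
            and name.lower().startswith(NAME_PREFIX))


def check_oid(oid):
    """True if oid is numeric and lies strictly under BASE_OID."""
    return oid.startswith(BASE_OID + ".") and all(
        part.isdigit() for part in oid.split("."))


def attribute_type(n, name, desc, single_value=False):
    """Render one attributeTypes definition in RFC 4512 syntax."""
    if not check_name(name):
        raise ValueError("%r lacks the %r prefix" % (name, NAME_PREFIX))
    oid = "%s.%d" % (_ATTR_ARC, n)
    flags = " SINGLE-VALUE" if single_value else ""
    return ("( %s NAME '%s' DESC '%s' EQUALITY caseIgnoreMatch "
            "SYNTAX %s%s )" % (oid, name, desc, DIRECTORY_STRING, flags))


def object_class(n, name, desc, must=(), may=(), kind="AUXILIARY"):
    """Render one objectClasses definition. AUXILIARY classes can be added
    to existing user entries; use STRUCTURAL for brand-new objects."""
    if not check_name(name):
        raise ValueError("%r lacks the %r prefix" % (name, NAME_PREFIX))
    oid = "%s.%d" % (_OC_ARC, n)
    parts = ["(", oid, "NAME", "'%s'" % name, "DESC", "'%s'" % desc,
             "SUP top", kind]
    if must:
        parts.append("MUST ( %s )" % " $ ".join(must))
    if may:
        parts.append("MAY ( %s )" % " $ ".join(may))
    parts.append(")")
    return " ".join(parts)


def schema_ldif(attrs, ocs):
    """LDIF modify operation adding the definitions to cn=schema on 389-ds."""
    lines = ["dn: cn=schema", "changetype: modify", "add: attributeTypes"]
    lines += ["attributeTypes: " + a for a in attrs]
    lines += ["-", "add: objectClasses"]
    lines += ["objectClasses: " + o for o in ocs]
    lines.append("-")
    return "\n".join(lines) + "\n"


def custom_container_ldif(suffix):
    """Top-level cn=custom container, a sibling of cn=accounts and cn=etc."""
    return ("dn: cn=custom,%s\nobjectClass: top\nobjectClass: nsContainer\n"
            "cn: custom\n" % suffix)


def custom_entry_dn(suffix, subtree, rdn):
    """DN for a new object kept inside cn=custom, away from IPA's own trees."""
    return "%s,cn=%s,cn=custom,%s" % (rdn, subtree, suffix)


if __name__ == "__main__":
    attrs = [attribute_type(1, "acmeMailTransport", "MTA transport", True)]
    ocs = [object_class(1, "acmeMailUser", "MTA data on a user",
                        may=["acmeMailTransport"])]
    print(schema_ldif(attrs, ocs))
    print(custom_container_ldif("dc=example,dc=com"))
    print(custom_entry_dn("dc=example,dc=com", "mtaconfig", "cn=relay1"))
```

The two LDIF outputs are what you would feed to ldapmodify (the schema change) and ldapadd (the container) against the IPA directory server; the prefix and OID checks are the part worth keeping, since a bare name such as mailRoute is exactly the kind that a later IPA or standard schema release can collide with.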
From ayoung at redhat.com Sun May 8 23:39:14 2011
From: ayoung at redhat.com (Adam Young)
Date: Sun, 08 May 2011 19:39:14 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <895514.84135.qm@web161308.mail.bf1.yahoo.com>
References: <895514.84135.qm@web161308.mail.bf1.yahoo.com>
Message-ID: <4DC729A2.1010301@redhat.com>

On 05/08/2011 06:20 AM, nasir nasir wrote:
> Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (Kubuntu in my case) for single sign-on or even accessing a service like NFS using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

> Thanks and Regards,
> Nidal
From Steven.Jones at vuw.ac.nz Mon May 9 01:34:37 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 9 May 2011 01:34:37 +0000
Subject: [Freeipa-users] RHEL6.1 beta
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063488D1@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Where are the ipa-server-2.0 packages held these days? From previous list posts they were here, but I can't find them now....

========
ipa-server-2.0.0-16.el6.x86_64 Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
========

regards

From kollathodi at yahoo.com Mon May 9 03:57:30 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Sun, 8 May 2011 20:57:30 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC729A2.1010301@redhat.com>
Message-ID: <624951.6164.qm@web161314.mail.bf1.yahoo.com>

Adam,

I truly appreciate your persistence!

I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error:

    openway at dl-360:~/rpm$ sudo ipa-client-install
    There was a problem importing one of the required Python modules. The
    error was:

        No module named ipaclient.ipadiscovery
    openway at dl-360:~/rpm$

I even created the deb file out of the ipa-python package and installed it on the Kubuntu machine (without any error). Still, it's the same. Any idea?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:
> Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (Kubuntu in my case) for single sign-on or even accessing a service like NFS using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

> Thanks and Regards,
> Nidal

From dpal at redhat.com Mon May 9 13:12:08 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 May 2011 09:12:08 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC729A2.1010301@redhat.com>
References: <895514.84135.qm@web161308.mail.bf1.yahoo.com> <4DC729A2.1010301@redhat.com>
Message-ID: <4DC7E828.3010206@redhat.com>

On 05/08/2011 07:39 PM, Adam Young wrote:
> On 05/08/2011 06:20 AM, nasir nasir wrote:
>> Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide.
>> But I can't find any doc which explains how to configure a client (Kubuntu in my case) for single sign-on or even accessing a service like NFS using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?

Does the client have SSSD?
If it does, making ipa-client work is probably the best path.

If the SSSD is not an option then you are in the realm of PAM_KRB5 for the SSO.
Please see the FreeIPA 1.2.1 documentation. There is no exact documentation for your case but the closest IMO would be the instructions for the Solaris client.
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html

Also see man pages for pam_krb5.
Hope this helps.

Thanks
Dmitri

> Did you try installing the ipa-client rpms with Alien?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Mon May 9 13:17:29 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 09 May 2011 09:17:29 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <624951.6164.qm@web161314.mail.bf1.yahoo.com>
References: <624951.6164.qm@web161314.mail.bf1.yahoo.com>
Message-ID: <4DC7E969.8060508@redhat.com>

On 05/08/2011 11:57 PM, nasir nasir wrote:
> Adam,
>
> I truly appreciate your persistence!
>
> I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error:
>
> openway at dl-360:~/rpm$ sudo ipa-client-install
> There was a problem importing one of the required Python modules. The
> error was:
>
>     No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into /usr/lib64/python2.7/site-packages/. Debian might be looking under /usr/lib/ for Python. Try a 32bit RPM.

> openway at dl-360:~/rpm$
>
> I even created the deb file out of the ipa-python package and installed it on the Kubuntu machine (without any error). Still, it's the same. Any idea?
>
> Thanks and regards,
> Nidal
From ayoung at redhat.com Mon May 9 13:38:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 09 May 2011 09:38:59 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC7E828.3010206@redhat.com>
References: <895514.84135.qm@web161308.mail.bf1.yahoo.com> <4DC729A2.1010301@redhat.com> <4DC7E828.3010206@redhat.com>
Message-ID: <4DC7EE73.1080402@redhat.com>

On 05/09/2011 09:12 AM, Dmitri Pal wrote:
> Does the client have SSSD?
> If it does, making ipa-client work is probably the best path.
>
> If the SSSD is not an option then you are in the realm of PAM_KRB5 for the SSO.
> Please see the FreeIPA 1.2.1 documentation. There is no exact documentation for your case but the closest IMO would be the instructions for the Solaris client.
> http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
>
> Also see man pages for pam_krb5.
> Hope this helps.
>
> Thanks
> Dmitri

According to Stephen, Ubuntu has an older version of sssd available. Even Debian sid only has 1.2.1:

http://packages.debian.org/unstable/main/sssd

From bene at hkl.hms.harvard.edu Mon May 9 13:29:46 2011
From: bene at hkl.hms.harvard.edu (Ben Eisenbraun)
Date: Mon, 9 May 2011 09:29:46 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <895514.84135.qm@web161308.mail.bf1.yahoo.com>
References: <4DBEC7B8.4080209@redhat.com> <895514.84135.qm@web161308.mail.bf1.yahoo.com>
Message-ID: <20110509132946.GA32264@crystal.harvard.edu>

Hi Nasir,

Here are my notes (in Trac wiki markup format no less) for manually setting up Ubuntu clients to use our FreeIPA 1.2 server.
I haven't tested the 2.0 branch yet, but I suspect it's primarily the same.

HTH.

-ben

--
| Ben Eisenbraun
| SBGrid Consortium | http://sbgrid.org |
| Harvard Medical School | http://hms.harvard.edu |

== Accounts/Authentication ==

Install required packages:

{{{
apt-get install ldap-utils krb5-user libpam-ldap libnss-ldap nss-updatedb libnss-db autofs nfs-common autofs-ldap
}}}

This should spawn a dpkg-configure instance for Kerberos; give the proper information.

Edit /etc/nsswitch.conf to include:

{{{
passwd: files ldap
group: files ldap
automount: files ldap
}}}

Edit /etc/ldap.conf to include:

{{{
uri ldap://your.server.name
base dc=EXAMPLE,dc=COM
bind_policy soft
pam_lookup_policy yes
pam_password md5
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
ldap_version 3
pam_filter objectClass=posixAccount
}}}

To enable pam-ldap, run:

{{{
pam-auth-update
}}}

To enable autofs-managed home directories, edit /etc/ldap/ldap.conf to read:

{{{
BASE dc=EXAMPLE,dc=COM
URI ldap://your.server.name
}}}

For kerberos config, edit /etc/krb5.conf to include:

{{{
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DEV-NETWORK.IN.HWLAB
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
DEV-NETWORK.IN.HWLAB = {
  kdc = your.server.name
  admin_server = your.server.name
}

[domain_realm]
dev-network.in.hwlab = EXAMPLE.COM
.dev-network.in.hwlab = EXAMPLE.COM
}}}

From sgallagh at redhat.com Mon May 9 13:43:20 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 09 May 2011 09:43:20 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC7EE73.1080402@redhat.com>
References: <895514.84135.qm@web161308.mail.bf1.yahoo.com> <4DC729A2.1010301@redhat.com> <4DC7E828.3010206@redhat.com> <4DC7EE73.1080402@redhat.com>
Message-ID:
<1304948601.1919.10.camel@sgallagh.bos.redhat.com>

On Mon, 2011-05-09 at 09:38 -0400, Adam Young wrote:
> On 05/09/2011 09:12 AM, Dmitri Pal wrote:
> > On 05/08/2011 07:39 PM, Adam Young wrote:
> > > On 05/08/2011 06:20 AM, nasir nasir wrote:
> > > >
> > > > Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?
> > > >
> > Does the client have SSSD?
> > If it does, making ipa-client work is probably the best path.
> >
> > If the SSSD is not an option then you are in the realm of PAM_KRB5 for the SSO.
> > Please see the FreeIPA 1.2.1 documentation. There is no exact documentation for your case but the closest IMO would be the instructions for the Solaris client.
> > http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
> >
> > Also see man pages for pam_krb5.
> > Hope this helps.
> >
> > Thanks
> > Dmitri
> >
> According to Stephen, Ubuntu has an older version of sssd available. Even Debian sid only has 1.2.1
>
> http://packages.debian.org/unstable/main/sssd

SSSD 1.2.1 has some caveats with IPA usage. Mostly because the HBAC format changed in the final FreeIPA v2. SSSD 1.2.1 had been released with the older format, so it won't work.
However, it should be possible to set up SSSD 1.2.1 for use with FreeIPA if they set 'access_provider = allow' (instead of 'access_provider = ipa'). However, it WILL require a few manual steps to set up, notably the acquisition of the host keytab.

From kollathodi at yahoo.com Mon May 9 14:43:28 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 9 May 2011 07:43:28 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC7E969.8060508@redhat.com>
Message-ID: <392594.55533.qm@web161304.mail.bf1.yahoo.com>

Dmitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you know the result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error:

[root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root at abc Packages]#

But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding the allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give the weak crypto entry and add some weak crypto like des-cbc-md5, the server rejects it and says that it is not supported.
My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suit my values.

Please suggest me what to do.

Thanks indeed in advance and regards,
Nidal

--- On Mon, 5/9/11, Adam Young wrote:

> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 6:17 AM
>
> On 05/08/2011 11:57 PM, nasir nasir wrote:
>> Adam,
>>
>> I truly appreciate your persistence!
>>
>> I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error:
>>
>> openway at dl-360:~/rpm$ sudo ipa-client-install
>> There was a problem importing one of the required Python modules. The error was:
>>
>>     No module named ipaclient.ipadiscovery
>>
> I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into /usr/lib64/python2.7/site-packages/
>
> Debian might be looking under /usr/lib/ for Python.
>
> Try a 32bit RPM.
>
>> openway at dl-360:~/rpm$
>>
>> I even created the deb file out of the ipa-python package and installed it on the kubuntu machine (without any error). Still, it's the same. Any idea?
>>
>> Thanks and regards,
>> Nidal
>>
>> --- On Sun, 5/8/11, Adam Young wrote:
>>
>>> From: Adam Young
>>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>>> To: "nasir nasir"
>>> Cc: freeipa-users at redhat.com
>>> Date: Sunday, May 8, 2011, 4:39 PM
>>>
>>> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>>> Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?
>>>
>>> Did you try installing the ipa-client rpms with Alien?
>>>
>>>> Thanks and Regards,
>>>> Nidal

From rcritten at redhat.com Mon May 9 15:17:31 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 May 2011 11:17:31 -0400
Subject: [Freeipa-users] Disk layout - requirements
In-Reply-To: <4DC443D0.5050406@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40063427D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC401E8.1090506@redhat.com> <4DC41AB2.7050309@nixtra.com> <4DC443D0.5050406@redhat.com>
Message-ID: <4DC8058B.8050206@redhat.com>

Dmitri Pal wrote:
> On 05/06/2011 11:58 AM, Sigbjorn Lie wrote:
>> On 05/06/2011 04:12 PM, Rob Crittenden wrote:
>>> Steven Jones wrote:
>>>>
>>>> Hi,
>>>>
>>>> Digging through docs / googling I can't see any disk partition suggestions and size thereof requirements...
>>>>
>>>> Suggestions please? Sizing for 500 servers, 2000 desktops, 5000+ users...
>>>>
>>>> Especially around having different sections of the IPA master on different raid groups if that's needed...
>>>
>>> It depends in part how you use IPA. A bare-bones user entry is about 1k, a host that has a certificate is about the same. There is some amount of overhead in the DIT and you'll need to consider the space for groups, how many kerberos services you'll deploy (also about 1k in size) and what other features of IPA you'll use. We have quite a few indexes into the data, that will take some room too.
>>>
>>> I think additional RAM will be better than terabytes of disk. 389-ds is going to try to cache much of this data, and with this number of entries it can probably keep most if not all of the database in memory.
>>>
>>> We haven't done any analysis on different FS performance.
>>>
>>> Does that help?
>>>
>>> rob
>>
>> Would you consider these documents describing sizing and performance tuning of the RH DS to be comparable/transferable to IPA?
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>>
>
> Yes these documents are applicable and can be used to tune up DS server under IPA.

Be careful to note that in the first document the disk space assumptions are for 100 byte entries and some (but not all) of the IPA entries are 10x that.

Thanks for the links Sigbjorn.
regards

rob

From ayoung at redhat.com Mon May 9 15:38:02 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 09 May 2011 11:38:02 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <392594.55533.qm@web161304.mail.bf1.yahoo.com>
References: <392594.55533.qm@web161304.mail.bf1.yahoo.com>
Message-ID: <4DC80A5A.7020605@redhat.com>

On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dmitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you know the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error:
>
> [root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May  9 17:36:14 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root at abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding the allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give the weak crypto entry and add some weak crypto like des-cbc-md5, the server rejects it and says that it is not supported. My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suit my values.
>
> Please suggest me what to do.
>

Start off by checking the kerberos logs on both the server and client machines, in /var/log/:

  krb5kdc.log
  kadmind.log
  secure

I'm not a Kerberos Guru... bear that in mind.

Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in".

The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server. On the IPA server side, you have to create a service entry for your NFS server.

Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are doing an NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.

> Thanks indeed in advance and regards,
> Nidal

From rcritten at redhat.com Mon May 9 19:20:53 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 May 2011 15:20:53 -0400
Subject: [Freeipa-users] RHEL6.1 beta
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063488D1@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40063488D1@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC83E95.5030206@redhat.com>

Steven Jones wrote:
> Hi,
>
> Where are the ipa-server-2.0 packages held these days?
>
> From previous list posts they were here, but I can't find them now....
>
> ========
>
> ipa-server-2.0.0-16.el6.x86_64
>
> Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
> ipa-server-2.0.0-16.el6.i686
>
> ========

Apparently the beta is over so the packages were removed. The beta ISOs should still be available and those I'm told have the ipa packages via classic RHN. If you use the new entitlement system the beta packages are still on cdn.redhat.com.

regards

rob

From esoptron at cox.net Mon May 9 19:36:39 2011
From: esoptron at cox.net (SR)
Date: Mon, 09 May 2011 12:36:39 -0700
Subject: [Freeipa-users] FreeIPA questions
Message-ID: <4DC84247.3030603@cox.net>

I'm new to FreeIPA and this list so please forgive me for the n00b questions. I have what I think is a pretty straight-forward use for FreeIPA. We have an Active Directory environment with a few hundred users. We are starting to increase our number of Macs and need a directory solution. There are some issues with Macs in AD which Apple doesn't seem interested in addressing.
Open Directory would be nice if we only had Macs but it doesn't allow for syncing accounts to AD, so it won't work for us.

Based on what I've read about FreeIPA, it seems like it would be a good fit for us.

The problem I'm having is that I can't seem to even get FreeIPA installed. I've tried using Fedora 10 with all the latest updates. I've tried adding different .repo files I've found on the various FreeIPA pages, but none of them seem to be working for me.

So, my questions are:

1) What is the best distro for running FreeIPA? I'd rather not purchase RHEL, so it sounds like Fedora is the way to go. I just finished downloading Fedora 14 and will give that a try unless someone recommends something else.

2) Is version 2 highly recommended over version 1 or does version 1 have sufficient features to use it in a production environment? Essentially, we have about 30 current Mac users (and growing) that we want to create accounts for in FreeIPA and have sync'd to AD (or vice versa). The users will need the ability to change their passwords.

3) What is the best way to install FreeIPA? I'm having problems with yum (see errors below) so I was wondering if there was another way, e.g., RPMs.

# yum install freeipa-server
Loaded plugins: refresh-packagekit
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64 error was
[Errno 4] IOError:
http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml: [Errno 4] IOError:
Trying other mirror.
fedora  | 2.8kB  00:00
updates | 3.4kB  00:00
Setting up Install Process
No package freeipa-server available.
Nothing to do

Thanks!
--Steve

From Steven.Jones at vuw.ac.nz Mon May 9 20:36:18 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 9 May 2011 20:36:18 +0000
Subject: [Freeipa-users] FreeIPA questions
In-Reply-To: <4DC84247.3030603@cox.net>
References: <4DC84247.3030603@cox.net>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006348BC7@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

IMHO, I wouldn't use fedora as a base for business use.... it's not very stable or, more importantly, long lived. I've done a proof of concept on F14; F14 is fine for that, unless F15 is out? To take a good look at, yes....

You should be able to get the macs to authenticate to AD directly.... we do. I can ask the Mac guy how it's done if that's a help, but it's probably out there on google.

Distro - there is only RHEL that I can see at present and it's a tech preview.... bear in mind that this is a Red Hat sponsored project.... so it's highly Red Hat centric. CentOS, I'm 99% sure there isn't a CentOS 6 yet (I looked last week) so I'm not aware there is an alternative.

I would suggest you need at least 2 RHEL instances to give redundancy and the extra add-on channel(s), so that's some licencing.... I think RHEL licences are cheaper if they are virtualised guests though (we use VMware's ESXi) so ask a sales person the cheapest way.... we pay per student so I don't know the commercial costs/licences fine points. ESXi is available as a free option... I run it at home.... 11 guests per Dell 390..... way cool for a second hand $400 workstation....

I have not used 1.0, though I have installed an old version a while back for a look, but I like IPA 2.0 a lot..... its great web interface, easy to use unlike most ldap interfaces... the best I've seen by far, almost unusual for Red Hat as their web GUIs don't impress me.....

There are a lot of dependencies for IPA so doing it via the rpms is a nightmare. I tried yesterday off the cd and it was a waste of 3 hours; the interdependencies made it impossible....
I went and kickstarted the guest again and put ipa-server in the script and it installed fine.... but if you don't have the 6.1 beta dvd that isn't an option..... really yum is it.

For the repo problem I'd suggest checking your DNS and firewall. I had a lot of grief from both because our anal security ppl had stopped outward bound dns queries and didn't tell anyone; took me 2+ hours to figure that out..... so then they blocked outward http because servers "didn't need to do that", another 1+ hour wasted...... the security guy was lucky he is way bigger than me.. I was so p*ssed.... ;]

regards

From Steven.Jones at vuw.ac.nz Mon May 9 20:42:11 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 9 May 2011 20:42:11 +0000
Subject: [Freeipa-users] Disk layout - requirements
In-Reply-To: <4DC8058B.8050206@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40063427D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC401E8.1090506@redhat.com> <4DC41AB2.7050309@nixtra.com> <4DC443D0.5050406@redhat.com>,<4DC8058B.8050206@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006348BE3@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Disk space isn't an issue as such, as I thin provision the VMware guest anyway so I can be fairly generous; 200gb is easy.... the thing that interests me is splitting up the table spaces to different disk sets, for instance (/dev/sdb1, /dev/sdc1 etc, etc).
Later then I can change raid types or spread out to different LUNS if there is a performance bottleneck on the fly....that's easy to do if the "backend" is broken up to different partitions on initial build... regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rob Crittenden [rcritten at redhat.com] Sent: Tuesday, 10 May 2011 3:17 a.m. To: dpal at redhat.com Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Disk layout - requirements Dmitri Pal wrote: > On 05/06/2011 11:58 AM, Sigbjorn Lie wrote: >> On 05/06/2011 04:12 PM, Rob Crittenden wrote: >>> Steven Jones wrote: >>>> >>>> Hi, >>>> >>>> Digging through docs / googling I cant see any disk partition >>>> suggestions and size thereof requirements... >>>> >>>> Suggestions please? sizing for 500 servers, 2000 desktops, 5000+ >>>> users... >>>> >>>> Especially around having different sections of the IPA master of >>>> different raid groups if that's needed... >>> >>> It depends in part how you use IPA. A bare-bones user entry is about >>> 1k, a host that has a certificate is about the same. There is some >>> amount of overhead in the DIT and you'll need to consider the space >>> for groups, how many kerberos services you'll deploy (also about 1k >>> in size) and what other features of IPA you'll use. We have quite a >>> few indexes into the data, that will take some room too. >>> >>> I think additional RAM will be better than terabytes of disk. 389-ds >>> is going to try to cache much of this data, and with this number of >>> entries it can probably keep most if not all of the database in memory. >>> >>> We haven't done any analysis on different FS performance. >>> >>> Does that help? >>> >>> rob >> >> Would you consider these documents describing sizing and performance >> tuning of the RH DS to be comparable/transferable to IPA? 
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>>
>
> Yes these documents are applicable and can be used to tune up DS server
> under IPA.

Be careful to note that in the first document the disk space assumptions are for 100-byte entries and some (but not all) of the IPA entries are 10x that.

Thanks for the links Sigbjorn.

regards

rob

From Steven.Jones at vuw.ac.nz Mon May 9 20:51:55 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 9 May 2011 20:51:55 +0000
Subject: [Freeipa-users] test use cases
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006348BF5@STAWINCOX10MBX1.staff.vuw.ac.nz>

NB in the test use case at,

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS

============
With DNS

#ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns -U --selfsign

============

It is coming back with wanting forwarders set....

So that might need updating...

eg

#ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign

Also the above is spitting out the install script because the FQDN isn't set. To be correct, where should it be set?

/etc/hosts?
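The two things the post above trips over, the missing forwarders and the unset FQDN, can be checked before the installer is run. The script below is an added example, not part of Steven's post, the QA test case or the FreeIPA project. It assumes a host named ipa.example.test at 192.0.2.10, and it takes the hosts file as an argument so the checks can be exercised against a constructed copy. One caveat it builds in: the -a/-p values on the test-case command line are fine for a throwaway QA VM, but on a real build they end up in shell history and are visible to every local user in the process list while the installer runs, so the command it prints leaves them out and lets the installer prompt instead.

```shell
#!/bin/sh
# Pre-flight check before running `ipa-server-install --setup-dns` on a host
# that has no DNS-provided identity yet. Added example; not from the FreeIPA
# project or the QA test case. Assumed values (not in the original post):
# host name ipa.example.test, address 192.0.2.10. The hosts file to check is
# passed in so the functions can be exercised on a constructed copy.

# is_fqdn NAME: true if NAME is a dotted name of two or more labels, each
# label being letters, digits or hyphens with no leading/trailing hyphen,
# and with no trailing dot. A bare short name ("ipa") is rejected.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# hosts_has_fqdn FILE FQDN IP: true if FILE maps IP to FQDN with the FQDN as
# the first (canonical) name on that line. Comments and blank lines are
# skipped. The canonical position matters: resolvers return the first name,
# so "192.0.2.10 ipa ipa.example.test" would still hand back the short name.
hosts_has_fqdn() {
    awk -v ip="$3" -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == ip && $2 == name     { found = 1 }
        END                        { exit found ? 0 : 1 }' "$1"
}

# hosts_line FQDN IP: the hosts-file line to add when the check fails
# (address, canonical FQDN, then the short alias).
hosts_line() {
    printf '%s %s %s\n' "$2" "$1" "${1%%.*}"
}

# install_cmd DOMAIN REALM: the installer invocation for a host with no
# upstream resolver, i.e. --setup-dns plus --no-forwarders. Passwords are
# deliberately left off: given with -a/-p they land in shell history and
# in `ps` output for every local user while the installer runs. Without
# -a/-p and -U the installer prompts for them.
install_cmd() {
    printf 'ipa-server-install --domain=%s --realm=%s --setup-dns --no-forwarders\n' "$1" "$2"
}

# preflight FQDN IP HOSTS_FILE: run both checks and print what to fix.
# Returns 0 when both pass, 1 otherwise.
preflight() {
    fqdn=$1; ip=$2; hosts=$3; rc=0
    if is_fqdn "$fqdn"; then
        echo "ok: $fqdn is a fully qualified name"
    else
        echo "fail: '$fqdn' is not an FQDN; set one with hostname(1) and persist it in the network config"
        rc=1
    fi
    if hosts_has_fqdn "$hosts" "$fqdn" "$ip"; then
        echo "ok: $hosts maps $ip to $fqdn"
    else
        echo "fail: add this line to $hosts before installing:"
        echo "      $(hosts_line "$fqdn" "$ip")"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        domain=${fqdn#*.}
        realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
        echo "next: $(install_cmd "$domain" "$realm")"
    fi
    return "$rc"
}

# Usage on the real host (needs only read access to /etc/hosts):
#   preflight "$(hostname -f)" 192.0.2.10 /etc/hosts
```

A short name coming back from `hostname -f` is the same condition the post describes, the installer bailing because the FQDN isn't set; fixing /etc/hosts first, as the reply below says, is what makes the lookup return the full name.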
regards

From ayoung at redhat.com Mon May 9 21:06:59 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 09 May 2011 17:06:59 -0400
Subject: [Freeipa-users] FreeIPA questions
In-Reply-To: <4DC84247.3030603@cox.net>
References: <4DC84247.3030603@cox.net>
Message-ID: <4DC85773.3030604@redhat.com>

On 05/09/2011 03:36 PM, SR wrote:
> I'm new to FreeIPA and this list so please forgive me for the n00b
> questions. I have what I think is a pretty straight-forward use for
> FreeIPA. We have an Active Directory environment with a few hundred
> users. We are starting to increase our number of Macs and need a
> directory solution. There are some issues with Macs in AD which Apple
> doesn't seem interested in addressing. Open Directory would be nice if
> we only had Macs but it doesn't allow for syncing accounts to AD, so
> it won't work for us.
>
> Based on what I've read about FreeIPA, it seems like it would be a
> good fit for us.
>
> The problem I'm having is that I can't seem to even get FreeIPA
> installed. I've tried using Fedora 10 with all the latest updates.
> I've tried adding different .repo files I've found on the various
> FreeIPA pages, but none of them seem to be working for me.
>
> So, my questions are:
>
> 1) What is the best distro for running FreeIPA. I'd rather not
> purchase RHEL, so it sounds like Fedora is the way to go. I just
> finished downloading Fedora 14 and will give that a try unless someone
> recommends something else.

While FreeIPA 2.0 has gone GA, it is only supported in Fedora 15, which is currently in Beta. I'd start with that.

>
> 2) Is version 2 highly recommended over version 1 or does version 1
> have sufficient features to use it in a production environment?
> Essentially, we have about 30 current Mac users (and growing) that we
> want to create accounts for in FreeIPA and have synced to AD (or vice
> versa). The users will need the ability to change their passwords.
Yes, there are so many features in 2.0 that you are going to want.

>
> 3) What is the best way to install FreeIPA? I'm having problems with
> yum (see errors below) so I was wondering if there was another way,
> e.g., RPMs.

If you have an F14 machine installed for testing, upgrade it to F15 Beta, and you can do yum install freeipa-server. If you want DNS support, be sure to install the BIND RPM that makes it talk to the LDAP store as well: bind-dyndb-ldap

>
> # yum install freeipa-server
> Loaded plugins: refresh-packagekit
> Could not retrieve mirrorlist
> http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64
> error was [Errno 4] IOError:
> http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml:
> [Errno 4] IOError:
> Trying other mirror.
> fedora | 2.8kB 00:00
> updates | 3.4kB 00:00
> Setting up Install Process
> No package freeipa-server available.
> Nothing to do
>
> Thanks!
>
> --Steve

From rcritten at redhat.com Mon May 9 21:10:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 May 2011 17:10:59 -0400
Subject: [Freeipa-users] Disk layout - requirements
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006348BE3@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40063427D8@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC401E8.1090506@redhat.com> <4DC41AB2.7050309@nixtra.com> <4DC443D0.5050406@redhat.com>, <4DC8058B.8050206@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006348BE3@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC85863.9090504@redhat.com>

Steven Jones wrote:
> Hi,
>
> Disk space isn't an issue as such, as I thin-provision the VMware guest anyway, so I can be fairly generous; 200 GB is easy. The thing that interests me is splitting up the table spaces to different disk
sets, for instance (/dev/sdb1, /dev/sdc1, etc.). Later then I can change RAID types or spread out to different LUNs if there is a performance bottleneck, on the fly. That's easy to do if the "backend" is broken up into different partitions on the initial build...

Apparently the biggest increase will be seen if you move the transaction log. See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Maintaining_Directory_Databases-Configuring_Transaction_Logs_for_Frequent_Database_Updates

rob

>
> regards
>
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rob Crittenden [rcritten at redhat.com]
> Sent: Tuesday, 10 May 2011 3:17 a.m.
> To: dpal at redhat.com
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Disk layout - requirements
>
> Dmitri Pal wrote:
>> On 05/06/2011 11:58 AM, Sigbjorn Lie wrote:
>>> On 05/06/2011 04:12 PM, Rob Crittenden wrote:
>>>> Steven Jones wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Digging through docs / googling I can't see any disk partition
>>>>> suggestions and size thereof requirements...
>>>>>
>>>>> Suggestions please? Sizing for 500 servers, 2000 desktops, 5000+
>>>>> users...
>>>>>
>>>>> Especially around having different sections of the IPA master on
>>>>> different RAID groups if that's needed...
>>>>
>>>> It depends in part how you use IPA. A bare-bones user entry is about
>>>> 1k, a host that has a certificate is about the same. There is some
>>>> amount of overhead in the DIT and you'll need to consider the space
>>>> for groups, how many Kerberos services you'll deploy (also about 1k
>>>> in size) and what other features of IPA you'll use. We have quite a
>>>> few indexes into the data, that will take some room too.
>>>>
>>>> I think additional RAM will be better than terabytes of disk.
389-ds
>>>> is going to try to cache much of this data, and with this number of
>>>> entries it can probably keep most if not all of the database in memory.
>>>>
>>>> We haven't done any analysis on different FS performance.
>>>>
>>>> Does that help?
>>>>
>>>> rob
>>>
>>> Would you consider these documents describing sizing and performance
>>> tuning of the RH DS to be comparable/transferable to IPA?
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>>>
>>
>> Yes these documents are applicable and can be used to tune up DS server
>> under IPA.
>
> Be careful to note that in the first document the disk space assumptions
> are for 100-byte entries and some (but not all) of the IPA entries are
> 10x that.
>
> Thanks for the links Sigbjorn.
>
> regards
>
> rob

From rcritten at redhat.com Mon May 9 21:16:31 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 May 2011 17:16:31 -0400
Subject: [Freeipa-users] FreeIPA questions
In-Reply-To: <4DC84247.3030603@cox.net>
References: <4DC84247.3030603@cox.net>
Message-ID: <4DC859AF.50904@redhat.com>

SR wrote:
> I'm new to FreeIPA and this list so please forgive me for the n00b
> questions. I have what I think is a pretty straight-forward use for
> FreeIPA. We have an Active Directory environment with a few hundred
> users. We are starting to increase our number of Macs and need a
> directory solution.
> There are some issues with Macs in AD which Apple
> doesn't seem interested in addressing. Open Directory would be nice if
> we only had Macs but it doesn't allow for syncing accounts to AD, so it
> won't work for us.
>
> Based on what I've read about FreeIPA, it seems like it would be a good
> fit for us.
>
> The problem I'm having is that I can't seem to even get FreeIPA
> installed. I've tried using Fedora 10 with all the latest updates. I've
> tried adding different .repo files I've found on the various FreeIPA
> pages, but none of them seem to be working for me.
>
> So, my questions are:
>
> 1) What is the best distro for running FreeIPA. I'd rather not purchase
> RHEL, so it sounds like Fedora is the way to go. I just finished
> downloading Fedora 14 and will give that a try unless someone recommends
> something else.

freeipa v2 really only supports Fedora 15 right now, which hasn't quite shipped yet. It should be released real soon now. It works on Fedora 14 but you need to get some packages from our development repo (you can find the link to it on the Download page on freeipa.org). You'd end up with some unsupported packages, which isn't a good place to be on the core of your infrastructure.

> 2) Is version 2 highly recommended over version 1 or does version 1 have
> sufficient features to use it in a production environment? Essentially,
> we have about 30 current Mac users (and growing) that we want to create
> accounts for in FreeIPA and have synced to AD (or vice versa). The users
> will need the ability to change their passwords.

For new users we only do 1-way user sync right now, just AD -> freeipa. Existing users in both IPA and AD will be kept in sync, as are passwords if you install the PassSync service on all your AD PDCs.

>
> 3) What is the best way to install FreeIPA? I'm having problems with yum
> (see errors below) so I was wondering if there was another way, e.g., RPMs.
>
> # yum install freeipa-server
> Loaded plugins: refresh-packagekit
> Could not retrieve mirrorlist
> http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64
> error was [Errno 4] IOError:
> http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml:
> [Errno 4] IOError:
> Trying other mirror.
> fedora | 2.8kB 00:00
> updates | 3.4kB 00:00
> Setting up Install Process
> No package freeipa-server available.
> Nothing to do

Fedora 10 is no longer supported by Fedora, though I'm surprised the archive isn't still up. In any case you want Fedora 15.

rob

From dpal at redhat.com Mon May 9 21:17:19 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 May 2011 17:17:19 -0400
Subject: [Freeipa-users] test use cases
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006348BF5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006348BF5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC859DF.1090508@redhat.com>

On 05/09/2011 04:51 PM, Steven Jones wrote:
> NB in the test use case at,
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS
>
> ============
> With DNS
>
> #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns -U --selfsign
>
> ============
>
> It is coming back with wanting forwarders set....
>
> So that might need updating...
>
> eg
>
> #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign
>
> Also the above is spitting out the install script because the FQDN isn't set. To be correct, where should it be set?
>
> /etc/hosts?
>

Yes. If the machine does not have a DNS-provided identity, its name should be added to /etc/hosts first. See first paragraph.
https://fedorahosted.org/freeipa/wiki/QuickStartGuide

> regards
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From esoptron at cox.net Mon May 9 21:27:18 2011
From: esoptron at cox.net (SR)
Date: Mon, 09 May 2011 14:27:18 -0700
Subject: [Freeipa-users] FreeIPA questions
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006348BC7@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DC84247.3030603@cox.net> <833D8E48405E064EBC54C84EC6B36E4006348BC7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC85C36.7090209@cox.net>

Thanks for the feedback, Steven!

The main issue we had with Macs tied directly to AD was 100% CPU utilization caused by the DirectoryService. I currently have my Mac tied to Open Directory as well as AD. This is working well with one exception: logins (or even unlocking the screen) can take several minutes when disconnected from the network. This has been a known issue with Macs for quite some time; their forums have tons of complaints about it, yet Apple seems uninterested in working on the problem.

We have a bunch of ESXi boxes and I certainly have no problem using that. In fact, I'm trying to test FreeIPA on an ESXi box already. :-)

Based on past experience with dependency nightmares as well as your advice, I won't bother with RPMs.

I checked yesterday and there is still no CentOS 6. So, it sounds like RHEL is really the best way to go. I think there is an eval, so I will grab that to try.

Thanks again!

--Steve

Steven Jones wrote:
> Hi,
>
> IMHO.
>
> I wouldn't use Fedora as a base for business use....it's not very stable or, more importantly, long-lived. I've done a proof of concept on F14; F14 is fine for that, unless F15 is out? To take a good look at, yes....
>
> You should be able to get the Macs to authenticate to AD directly....we do. I can ask the Mac guy how it's done if that's a help, but it's probably out there on Google.
>
> Distro - there is only RHEL that I can see at present and it's a tech preview....bear in mind that this is a Red Hat sponsored project....so it's highly Red Hat centric. CentOS, I'm 99% sure there isn't a CentOS 6 yet (I looked last week), so I'm not aware there is an alternative.
>
> I would suggest you need at least 2 RHEL instances to give redundancy, and the extra add-on channel(s), so that's some licensing....I think RHEL licences are cheaper if they are virtualised guests though (we use VMware's ESXi), so ask a sales person the cheapest way....we pay per student so I don't know the commercial costs/licence fine points. ESXi is available as a free option...I run it at home....11 guests per Dell 390.....way cool for a second-hand $400 workstation....
>
> I have not used 1.0, though I have installed an old version a while back for a look, but I like IPA 2.0 a lot.....its great web interface, easy to use unlike most LDAP interfaces...the best I've seen by far, almost unusual for Red Hat as their web GUIs don't impress me.....
>
> There are a lot of dependencies for IPA so doing it via the RPMs is a nightmare. I tried yesterday off the CD and it was a waste of 3 hours; the interdependencies made it impossible....
>
> I went and kickstarted the guest again and put ipa-server in the script and it installed fine....but if you don't have the 6.1 beta DVD that isn't an option.....really yum is it.
>
> For the repo problem I'd suggest checking your DNS and firewall. I had a lot of grief from both because our anal security ppl had stopped outbound DNS queries and didn't tell anyone; took me 2+ hours to figure that out.....so then they blocked outbound HTTP because servers "didn't need to do that", another 1+ hour wasted......the security guy was lucky he is way bigger than me..I was so p*ssed....
> ;]
>
> regards
>
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of SR [esoptron at cox.net]
> Sent: Tuesday, 10 May 2011 7:36 a.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] FreeIPA questions
>
> I'm new to FreeIPA and this list so please forgive me for the n00b
> questions. I have what I think is a pretty straight-forward use for
> FreeIPA. We have an Active Directory environment with a few hundred
> users. We are starting to increase our number of Macs and need a
> directory solution. There are some issues with Macs in AD which Apple
> doesn't seem interested in addressing. Open Directory would be nice if
> we only had Macs but it doesn't allow for syncing accounts to AD, so it
> won't work for us.
>
> Based on what I've read about FreeIPA, it seems like it would be a good
> fit for us.
>
> The problem I'm having is that I can't seem to even get FreeIPA
> installed. I've tried using Fedora 10 with all the latest updates. I've
> tried adding different .repo files I've found on the various FreeIPA
> pages, but none of them seem to be working for me.
>
> So, my questions are:
>
> 1) What is the best distro for running FreeIPA. I'd rather not purchase
> RHEL, so it sounds like Fedora is the way to go. I just finished
> downloading Fedora 14 and will give that a try unless someone recommends
> something else.
>
> 2) Is version 2 highly recommended over version 1 or does version 1 have
> sufficient features to use it in a production environment? Essentially,
> we have about 30 current Mac users (and growing) that we want to create
> accounts for in FreeIPA and have synced to AD (or vice versa). The users
> will need the ability to change their passwords.
>
> 3) What is the best way to install FreeIPA? I'm having problems with yum
> (see errors below) so I was wondering if there was another way, e.g., RPMs.
>
> # yum install freeipa-server
> Loaded plugins: refresh-packagekit
> Could not retrieve mirrorlist
> http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64
> error was [Errno 4] IOError:
> http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml:
> [Errno 4] IOError:
> Trying other mirror.
> fedora | 2.8kB 00:00
> updates | 3.4kB 00:00
> Setting up Install Process
> No package freeipa-server available.
> Nothing to do
>
> Thanks!
>
> --Steve
>

From Steven.Jones at vuw.ac.nz Tue May 10 03:58:58 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 10 May 2011 03:58:58 +0000
Subject: [Freeipa-users] failure to un-install FreeIPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006349263@STAWINCOX10MBX1.staff.vuw.ac.nz>

I am trying to un-install freeipa with

ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed!

oops.

Is there a way to force the script to check and remove everything?

Or somewhere there is a lock file or something that needs removing?
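Before touching the installer's state by hand, it helps to see what it has recorded. The script below is an added example, not part of Steven's post, the replies, or the FreeIPA project. It reads the two directories named in Martin Kosek's reply below (/var/lib/ipa/sysrestore and /var/lib/ipa-client/sysrestore); the file names sysrestore.index and sysrestore.state, their INI layout, and the "partial" verdict are this example's assumptions about the installer's bookkeeping, not documented behaviour.

```shell
#!/bin/sh
# Inspect the installer's own state files to see why `ipa-server-install`
# and `ipa-server-install --uninstall` disagree, before anyone deletes
# /var/lib/ipa/sysrestore by hand. Added example; not from the FreeIPA
# project. The directories are the ones named in the reply; the file names
# sysrestore.index (backed-up config files) and sysrestore.state (saved
# service state), their INI layout, and the "partial" verdict are this
# script's assumptions, not the installer's own logic.

# count_entries FILE: number of "key = value" lines in an INI-style file,
# ignoring blank lines, comments and [section] headers; 0 if FILE is absent.
count_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ecv '^[[:space:]]*($|#|;|\[)' "$1" || true
}

# backed_up_files DIR: original paths recorded in DIR/sysrestore.index.
# Each entry is assumed to read  backupname = mode,uid,gid,/original/path
# under [files]; the path is the last comma-separated field. These are the
# files the uninstaller would put back, and exactly what stays modified
# (krb5.conf, nsswitch.conf, ...) if the directory is removed by hand.
backed_up_files() {
    [ -f "$1/sysrestore.index" ] || return 0
    awk -F= '
        /^\[/ { in_files = ($0 ~ /^\[files\]/); next }
        in_files && NF >= 2 {
            n = split($2, f, ",")
            gsub(/^[ \t]+|[ \t]+$/, "", f[n])
            print f[n]
        }' "$1/sysrestore.index"
}

# verdict DIR: one word describing DIR.
#   clean     - neither file has entries: nothing for the installer to restore
#   installed - both files have entries: a completed install
#   partial   - only one of them has entries: an interrupted install or
#               uninstall, the kind of half-state that can make the two
#               commands give contradictory answers
verdict() {
    idx=$(count_entries "$1/sysrestore.index")
    st=$(count_entries "$1/sysrestore.state")
    if [ "$idx" -eq 0 ] && [ "$st" -eq 0 ]; then
        echo clean
    elif [ "$idx" -gt 0 ] && [ "$st" -gt 0 ]; then
        echo installed
    else
        echo partial
    fi
}

# report DIR...: print the verdict and the files each directory would restore.
report() {
    for d in "$@"; do
        echo "$d: $(verdict "$d")"
        backed_up_files "$d" | sed 's/^/    restores: /'
    done
}

# On the server, as root:
#   report /var/lib/ipa/sysrestore /var/lib/ipa-client/sysrestore
```

A "partial" result, with a list of files still waiting to be restored, is the case for running the uninstaller again, as the replies suggest, rather than removing the directory: once the index is gone nothing knows which system files were changed.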
regards

From mkosek at redhat.com Tue May 10 08:32:10 2011
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 10 May 2011 10:32:10 +0200
Subject: [Freeipa-users] failure to un-install FreeIPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006349263@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006349263@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1305016330.11948.10.camel@dhcp-25-52.brq.redhat.com>

On Tue, 2011-05-10 at 03:58 +0000, Steven Jones wrote:
> I am trying to un-install freeipa with
>
> ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed!
>
> oops.
>
> Is there a way to force the script to check and remove everything?
>
> Or somewhere there is a lock file or something that needs removing?
>
> regards
>

Steven,

can you please send a full output of `ipa-server-install --uninstall` and then the `ipa-server-install` command? (and freeipa-server package version) There was a that could cause this behavior.

Anyway, the installer files you are looking for are here:
/var/lib/ipa/sysrestore/ # server backup files
/var/lib/ipa-client/sysrestore/ # client backup files

If you remove them, the installation will continue. However, I wouldn't recommend removing them manually as ipa-[server|client]-install --uninstall won't be able to return the machine to its original configuration then. I would rather suggest using the server/client uninstaller again.

Martin

From kollathodi at yahoo.com Tue May 10 16:37:33 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Tue, 10 May 2011 09:37:33 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC80A5A.7020605@redhat.com>
Message-ID: <373596.88089.qm@web161317.mail.bf1.yahoo.com>

Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.

-- Times are perfectly in sync across the network.
-- I can ssh using IPA users from the client machine also.
-- I can mount NFS partition on client machine when NOT using -o sec=krb5 option

So it seems to be some issue with Kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of Kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc.)

Here is my /etc/export file,

/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

2) Regarding the Kubuntu client, I tried with a 32-bit machine and it is still the same. But I did notice that the Python version in Kubuntu is 2.7 and that of the RHEL I have tried is 2.6. Could it be due to this? If so, I can try with an earlier version of Kubuntu with Python 2.6 and update you on this.

Thanks a lot and regards,
Nasir

--- On Mon, 5/9/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 8:38 AM

On 05/09/2011 10:43 AM, nasir nasir wrote:

Dimitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64-bit machine. So I will try to install 32-bit and let you know the result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it.
When I try to mount the NFS export I am getting the following error,

[root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May 9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root at abc Packages]#

But when I try to remove the Kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/keytab entries etc. Still it does not work. When I give weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and says that it is not supported. My /etc/export file and all the necessary commands are copy-pasted from the deployment guide with only the necessary modifications to suit my values.

Please suggest me what to do.

Start off by checking the Kerberos logs on both the server and client machines.

in /var/log/ krb5kdc.log kadmind.log secure

I'm not a Kerberos guru...bear that in mind

Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"

The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.

On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on.
Being able to use the IPA Kerberos ticket to ssh from the NFS client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.

Thanks indeed in advance and regards,
Nidal

--- On Mon, 5/9/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence! I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,

openway at dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The error was:

    No module named ipaclient.ipadiscovery

I'm guessing that this is a 64-bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into /usr/lib64/python2.7/site-packages/

Debian might be looking under /usr/lib/ for Python.

Try a 32-bit RPM.

openway at dl-360:~/rpm$

I even created the deb file out of ipa-python package and installed it on the Kubuntu machine (without any error). Still, it's the same.

Any idea?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide.
But I can't find any doc which explains how to configure a client (Kubuntu in my case) for single sign-on, or even accessing a service like NFS using the browser, when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do appreciate it a lot.

Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my authentication server (i.e. FreeIPA) by using iSCSI. From the authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!) And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine.

I hope it is clear to all :-)

Thanks and regards,
Nidal

>    -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting.
You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user. Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed file system, or stick to NFS.

Nidal,

OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like

ipa-client-install --mkhomedir -p admin

Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home.

Now, create an automount location and map, and create a key for /home

The instructions from our test day should get you started: https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

From ayoung at redhat.com Tue May 10 18:37:17 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 10 May 2011 14:37:17 -0400
Subject: [Freeipa-users] failure to un-install FreeIPA
In-Reply-To: <1305016330.11948.10.camel@dhcp-25-52.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006349263@STAWINCOX10MBX1.staff.vuw.ac.nz> <1305016330.11948.10.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <4DC985DD.3090602@redhat.com>

On 05/10/2011 04:32 AM, Martin Kosek wrote:
> On Tue, 2011-05-10 at 03:58 +0000, Steven Jones wrote:
>> I am trying to un-install freeipa with
>>
>> ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed!
>>
>> oops.
>>
>> Is there a way to force the script to check and remove everything?
>>
>> Or somewhere there is a lock file or something that needs removing?
>>
>> regards
>>
>
> Steven,
>
> can you please send a full output of `ipa-server-install --uninstall`
> and then the `ipa-server-install` command? (and freeipa-server package
> version) There was a that could cause this behavior.
>
> Anyway, the installer files you are looking for are here:
> /var/lib/ipa/sysrestore/ # server backup files
> /var/lib/ipa-client/sysrestore/ # client backup files
>
> If you remove them, the installation will continue. However, I wouldn't
> recommend removing them manually as ipa-[server|client]-install
> --uninstall won't be able to return the machine to its original
> configuration then. I would rather suggest using the server/client
> uninstaller again.

A couple of hacks:

1. run the uninstaller multiple times
2. I have a "sterilize" script: http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/

> Martin
>

From dpal at redhat.com Tue May 10 18:33:58 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 10 May 2011 14:33:58 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <373596.88089.qm@web161317.mail.bf1.yahoo.com>
References: <373596.88089.qm@web161317.mail.bf1.yahoo.com>
Message-ID: <4DC98516.4030701@redhat.com>

On 05/10/2011 12:37 PM, nasir nasir wrote:
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
> -- Times are perfectly in sync across the network.
> -- I can ssh using IPA users from the client machine also.
> -- I can mount NFS partition on client machine when NOT using -o
> sec=krb5 option
>
> So it seems to be some issue with Kerberos integration of NFS (or some
> misconfiguration from my side). I had checked all the log files,
> nothing useful. I had even enabled debug option in /etc/krb5.conf file
> (severity = DEBUG).
> Still it is not giving any log at all when I am
> executing the mount command. But it is giving the sequences of
> kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc.)
>
> Here is my /etc/export file,
>
> /export *(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the kubuntu client, I tried with a 32 bit machine and it
> is still the same. But I did notice that the python version in kubuntu
> is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to
> this? If so, I can try with an earlier version of kubuntu with
> python 2.6 and update you on this.
>
>
> Thanks a lot and regards,
> Nasir
>

There is a set of instructions for NFS setup with kerberos:

http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_Clients.html#sect-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_5_as_an_IPA_Client-Configuring_NFS_v4_with_Kerberos

The instructions are a bit outdated as they reference the IPA commands from v1. In v2 the command to add a service will be different. I think it is "ipa service-add". Once you have a service you need to get a keytab for this service. Run ipa-getkeytab on the NFS server as an admin user that has successfully run kinit on the NFS server. Also you need to make sure the krb5.conf points to the IPA server (first), otherwise the kinit will fail.

Have you done all that?

>
>
>
> --- On Mon, 5/9/11, Adam Young wrote:
>
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 8:38 AM
>
> On 05/09/2011 10:43 AM, nasir nasir wrote:
>> Dimitri/Adam/Stephen,
>>
>> Thanks a lot for all the replies!
>>
>> This is a 64 bit machine.
>> So I will try to install 32 bit and let
>> you know the result.
>>
>> Also, I was trying to configure NFS service on the FreeIPA
>> machine. I followed exactly as given in the deployment guide and
>> tested with another RHEL 6.1 client machine with ipa-client
>> installed on it. When I try to mount the nfs export I am getting
>> the following error,
>>
>> [root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
>> mount.nfs4: timeout set for Mon May 9 17:36:14 2011
>> mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
>> mount.nfs4: mount(2): Permission denied
>> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
>> [root at abc Packages]#
>>
>> But when I try to remove the kerberos authentication (i.e. without
>> -o sec=krb5) it gets mounted without any problem. I googled a lot
>> for this error and tried all the suggestions like adding
>> allow_weak_crypto parameter in the krb5.conf file, checking
>> host/DNS/Keytab entries etc. Still it does not work. When I give
>> weak crypto entry and add some weak crypto like des-cbc-md5,
>> server rejects and says that it is not supported. My /etc/export
>> file and all the necessary commands are copy pasted from the
>> deployment guide with only the necessary modifications to suit
>> my values.
>>
>> Please suggest me what to do.
>>
>
>
> Start off by checking the kerberos logs on both the server and
> client machines.
>
> in /var/log/ krb5kdc.log kadmind.log secure
>
> I'm not a Kerberos guru...bear that in mind
>
> Make sure the clocks are in sync. Always worth doing. Kind of
> the Kerberos equivalent of "Make sure the network cable is
> actually plugged in"
>
> The KDC needs to know about the NFS service in order to grant a
> ticket. Confirm that you can request an nfs ticket for your user
> and client for the given server.
>
> On the IPA server side, you have to create a service entry for
> your NFS server. Your NFS server needs to know to talk to the IPA
> Kerberos instance. This is a likely suspect, based on the error
> message.
>
> Make sure you can kinit and do simple IPA type things on the
> machine you are doing an NFS mount on. Being able to use the IPA
> Kerberos ticket to ssh from the nfs client machine to the NFS
> server machine would be a good validation that the entire problem
> is just in the NFS configuration.
>
>
>
>
>>
>> Thanks indeed in advance and regards,
>> Nidal
>>
>>
>>
>> --- On Mon, 5/9/11, Adam Young wrote:
>>
>>
>> From: Adam Young
>>
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"
>>
>> Cc: freeipa-users at redhat.com
>>
>> Date: Monday, May 9, 2011, 6:17 AM
>>
>> On 05/08/2011 11:57 PM, nasir nasir wrote:
>>>
>>> Adam,
>>>
>>> I truly appreciate your persistence!
>>>
>>> I tried using alien and it generated the .deb file
>>> successfully and even installed the ipa client package
>>> without any error on the client machine (Kubuntu 11.04). But
>>> when I run the ipa-client-install command, it gave the
>>> following error,
>>>
>>>
>>> openway at dl-360:~/rpm$ sudo ipa-client-install
>>> There was a problem importing one of the required Python
>>> modules. The
>>> error was:
>>>
>>> No module named ipaclient.ipadiscovery
>>>
>> I'm guessing that this is a 64 bit system? It might be an
>> arch issue. I know that Debian and RH made different choices
>> for 32 on 64. RH/Fedora puts the Python code into
>>
>> /usr/lib64/python2.7/site-packages/
>>
>> Debian might be looking under /usr/lib/ for Python.
>>
>> Try a 32bit RPM.
>>
>>>
>>> openway at dl-360:~/rpm$
>>>
>>> I even created the deb file out of ipa-python package and
>>> installed it on the kubuntu machine (without any error).
>>> Still, it's the same. Any idea?
>>>
>>> Thanks and regards,
>>> Nidal
>>>
>>> --- On Sun, 5/8/11, Adam Young wrote:
>>>
>>>
>>> From: Adam Young
>>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop
>>> deployment
>>> To: "nasir nasir"
>>> Cc: freeipa-users at redhat.com
>>> Date: Sunday, May 8, 2011, 4:39 PM
>>>
>>> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>>>
>>>> Thanks indeed again for the reply. I went through the
>>>> deployment guide and installed and configured FreeIPA
>>>> 2.0 on a RHEL 6.1 beta machine for testing. I also
>>>> configured the browsers on this server and a client
>>>> Kubuntu machine as per the guide. But I can't find any
>>>> doc which explains how to configure a client (kubuntu in
>>>> my case) for single sign on or even accessing a service
>>>> like nfs using the browser when native ipa-client
>>>> package is not available. All the docs are focused on
>>>> configuring client machines using ipa-client package.
>>>> Is this possible? If so could anyone suggest me some
>>>> guidelines or docs for the same?
>>>>
>>>
>>> Did you try installing the ipa-client rpms with Alien?
>>>
>>>>
>>>> Thanks and Regards,
>>>> Nidal
>>>>
>>>> --- On Mon, 5/2/11, Adam Young
>>>> wrote:
>>>>
>>>>
>>>> From: Adam Young
>>>> Subject: Re: [Freeipa-users] FreeIPA for Linux
>>>> desktop deployment
>>>> To: "nasir nasir"
>>>> Cc: freeipa-users at redhat.com
>>>> Date: Monday, May 2, 2011, 8:03 AM
>>>>
>>>> On 05/01/2011 08:49 AM, nasir nasir wrote:
>>>>> Thanks for all the replies and great suggestions!
>>>>> I do appreciate it a lot.
>>>>>
>>>>> Apologies for being a bit confusing about the
>>>>> centralized /home folder in my previous mail. What I
>>>>> want is that all the users should have their /home
>>>>> folder stored in the storage. This entire
>>>>> partition (or LUN) can be attached to my
>>>>> Authentication server (i.e. FreeIPA) by using iSCSI.
>>>>> From the Authentication server, I am NOT looking
>>>>> for iSCSI to get it mounted to the individual
>>>>> users' machine. I think NFS/automount would do
>>>>> that (appreciate any suggestion on this!) And
>>>>> whenever a new user is created, /home should be
>>>>> allocated out of this partition so that whichever
>>>>> machine the user is using to login later, she
>>>>> should be able to access the same /home specific
>>>>> to her regardless of the machine. I hope it is
>>>>> clear to all :-)
>>>>>
>>>>> Thanks and regards,
>>>>> Nidal
>>>>>
>>>>> > -- Centralized storage with iSCSI for
>>>>> /home folder for each user by means of a
>>>>> dedicated storage
>>>>> IPA manages Automount, which is possibly what
>>>>> you want. Are you going to give each user
>>>>> their own partition that follows them around,
>>>>> or are you going to give them a home directory
>>>>> on a NAS server? I have to admit, the iSCSI
>>>>> home mount sounds interesting. You could
>>>>> probably get automount to help you out there,
>>>>> but at this point I think that you would need
>>>>> a separate key line for each user.
>>>>>
>>>>> Note that iSCSI won't help you if you want to
>>>>> mount the same partition on multiple clients.
>>>>> For this, you either need a distributed File
>>>>> System, or stick to NFS.
>>>>>
>>>>
>>>>
>>>> Nidal,
>>>>
>>>> OK, I'd probably do something like this: After
>>>> installing IPA, add one host as an IPA client with the
>>>> following switch: --mkhomedir, something like
>>>> ipa-client-install --mkhomedir -p admin. Then,
>>>> mount the directory that you are going to use as
>>>> /home on that machine. Once you create users in
>>>> IPA, the first time you log in as that user, do so
>>>> from that client, and it will attempt to create the
>>>> home directory for you. This should be the only
>>>> machine that has permissions to create directories
>>>> under /home.
>>>> Now, create an automount location and
>>>> map, and create a key for /home
>>>>
>>>> The instructions from our test day should get you
>>>> started:
>>>>
>>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>>>
>>>>
>>>
>>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue May 10 20:07:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 10 May 2011 20:07:41 +0000
Subject: [Freeipa-users] failure to un-install FreeIPA
In-Reply-To: <1305016330.11948.10.camel@dhcp-25-52.brq.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006349263@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1305016330.11948.10.camel@dhcp-25-52.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634A9E0@STAWINCOX10MBX1.staff.vuw.ac.nz>

I logged in via ssh instead so I could get an output and the install worked without a hitch...

:/

weird.......

regards

Steven
________________________________________
From: Martin Kosek [mkosek at redhat.com]
Sent: Tuesday, 10 May 2011 8:32 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] failure to un-install FreeIPA

On Tue, 2011-05-10 at 03:58 +0000, Steven Jones wrote:
> I am trying to un-install freeipa with
>
> ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed!
>
> oops.
>
> Is there a way to force the script to check and remove everything?
>
> Or somewhere there is a lock file or something that needs removing?
>
> regards
>

Steven,

can you please send a full output of `ipa-server-install --uninstall`
and then the `ipa-server-install` command? (and freeipa-server package
version) There was a that could cause this behavior.

Anyway, the installer files you are looking for are there:
/var/lib/ipa/sysrestore/ # server backup files
/var/lib/ipa-client/sysrestore/ # client backup files

If you remove them, the installation will continue. However, I wouldn't
recommend removing them manually as ipa-[server|client]-install
--uninstall won't be able to return the machine to its original
configuration then. I would rather suggest using the server/client
uninstaller again.

Martin

From Steven.Jones at vuw.ac.nz Tue May 10 20:10:30 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 10 May 2011 20:10:30 +0000
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <373596.88089.qm@web161317.mail.bf1.yahoo.com>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

It's quite interesting that there are no real clients for ipa outside of RH/Fedora....this will probably do more to delay or restrict its adoption than anything else.

regards

Steven
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of nasir nasir [kollathodi at yahoo.com]
Sent: Wednesday, 11 May 2011 4:37 a.m.
To: Adam Young
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.

-- Times are perfectly in sync across the network.
-- I can ssh using IPA users from the client machine also.
-- I can mount NFS partition on client machine when NOT using -o sec=krb5 option

So it seems to be some issue with kerberos integration of NFS (or some misconfiguration from my side).
I had checked all the log files, nothing useful. I had even enabled debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc.)

Here is my /etc/export file,

/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this? If so, I can try with an earlier version of kubuntu with python 2.6 and update you on this.

Thanks a lot and regards,
Nasir

--- On Mon, 5/9/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 8:38 AM

On 05/09/2011 10:43 AM, nasir nasir wrote:
Dimitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you know the result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it.
When I try to mount the nfs export I am getting the following error,

[root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May 9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root at abc Packages]#

But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and says that it is not supported. My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suit my values.

Please suggest me what to do.

Start off by checking the kerberos logs on both the server and client machines.

in /var/log/ krb5kdc.log kadmind.log secure

I'm not a Kerberos guru...bear that in mind

Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"

The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.

On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are doing an NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.
Thanks indeed in advance and regards,
Nidal

--- On Mon, 5/9/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence!

I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,

openway at dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The
error was:

No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into

/usr/lib64/python2.7/site-packages/

Debian might be looking under /usr/lib/ for Python.

Try a 32bit RPM.

openway at dl-360:~/rpm$

I even created the deb file out of ipa-python package and installed it on the kubuntu machine (without any error). Still, it's the same. Any idea?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when native ipa-client package is not available. All the docs are focused on configuring client machines using ipa-client package.
Is this possible? If so could anyone suggest me some guidelines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:
Thanks for all the replies and great suggestions! I do appreciate it a lot.

Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!) And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user. Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.
Nidal,

OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home. Now, create an automount location and map, and create a key for /home

The instructions from our test day should get you started:

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

From dpal at redhat.com Tue May 10 20:24:53 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 10 May 2011 16:24:53 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC99F15.5080900@redhat.com>

On 05/10/2011 04:10 PM, Steven Jones wrote:
> Hi,
>
> It's quite interesting that there are no real clients for ipa outside of RH/Fedora....this will probably do more to delay or restrict its adoption than anything else.
>

Not sure what you are talking about.

Any kerberos enabled service is a service and any pam_krb5/nss_ldap or SSSD enabled system can be a client.

SSSD is in Debian, Ubuntu, SUSE, Fedora, RH

Would be nice to have it in other OSs like Solaris and HP-UX but they have other plans.

> regards
>
> Steven
>
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of nasir nasir [kollathodi at yahoo.com]
> Sent: Wednesday, 11 May 2011 4:37 a.m.
> To: Adam Young
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
> -- Times are perfectly in sync across the network.
> -- I can ssh using IPA users from the client machine also.
> -- I can mount NFS partition on client machine when NOT using -o sec=krb5 option
>
> So it seems to be some issue with kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc.)
>
> Here is my /etc/export file,
>
> /export *(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this? If so, I can try with an earlier version of kubuntu with python 2.6 and update you on this.
>
>
> Thanks a lot and regards,
> Nasir
>
>
>
>
> --- On Mon, 5/9/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 8:38 AM
>
> On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dimitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you know the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine.
> I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error,
>
> [root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May 9 17:36:14 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root at abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and says that it is not supported. My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suit my values.
>
> Please suggest me what to do.
>
>
>
> Start off by checking the kerberos logs on both the server and client machines.
>
> in /var/log/ krb5kdc.log kadmind.log secure
>
> I'm not a Kerberos guru...bear that in mind
>
> Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"
>
> The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.
>
> On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.
>
> Make sure you can kinit and do simple IPA type things on the machine you are doing an NFS mount on.
> Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.
>
>
>
>
>
> Thanks indeed in advance and regards,
> Nidal
>
>
>
> --- On Mon, 5/9/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 6:17 AM
>
> On 05/08/2011 11:57 PM, nasir nasir wrote:
>
> Adam,
>
> I truly appreciate your persistence!
>
> I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,
>
>
> openway at dl-360:~/rpm$ sudo ipa-client-install
> There was a problem importing one of the required Python modules. The
> error was:
>
> No module named ipaclient.ipadiscovery
>
> I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into
>
> /usr/lib64/python2.7/site-packages/
>
> Debian might be looking under /usr/lib/ for Python.
>
> Try a 32bit RPM.
>
>
> openway at dl-360:~/rpm$
>
> I even created the deb file out of ipa-python package and installed it on the kubuntu machine (without any error). Still, it's the same. Any idea?
>
> Thanks and regards,
> Nidal
>
> --- On Sun, 5/8/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Sunday, May 8, 2011, 4:39 PM
>
> On 05/08/2011 06:20 AM, nasir nasir wrote:
>
> Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing.
> I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when native ipa-client package is not available. All the docs are focused on configuring client machines using ipa-client package. Is this possible? If so could anyone suggest me some guidelines or docs for the same?
>
> Did you try installing the ipa-client rpms with Alien?
>
>
> Thanks and Regards,
> Nidal
>
> --- On Mon, 5/2/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 2, 2011, 8:03 AM
>
> On 05/01/2011 08:49 AM, nasir nasir wrote:
> Thanks for all the replies and great suggestions! I do appreciate it a lot.
>
> Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!) And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)
>
> Thanks and regards,
> Nidal
>
>> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
> IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server?
> I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.
>
> Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.
>
>
>
>
> Nidal,
>
> OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home. Now, create an automount location and map, and create a key for /home
>
> The instructions from our test day should get you started:
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
www.redhat.com/carveoutcosts/

From rcritten at redhat.com  Tue May 10 20:52:35 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 10 May 2011 16:52:35 -0400
Subject: [Freeipa-users] failure to un-install FreeIPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634A9E0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006349263@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1305016330.11948.10.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E400634A9E0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC9A593.4060309@redhat.com>

Steven Jones wrote:
> I logged in via ssh instead so I could get an output and the install worked without a hitch...

ssh instead of what?

rob

> :/
>
> weird.......
>
> regards
>
> Steven
> ________________________________________
> From: Martin Kosek [mkosek at redhat.com]
> Sent: Tuesday, 10 May 2011 8:32 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] failure to un-install FreeIPA
>
> On Tue, 2011-05-10 at 03:58 +0000, Steven Jones wrote:
>> I am trying to un-install freeipa with
>>
>> ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed!
>>
>> oops.
>>
>> Is there a way to force the script to check and remove everything?
>>
>> Or somewhere there is a lock file or something that needs removing?
>>
>> regards
>
> Steven,
>
> can you please send a full output of `ipa-server-install --uninstall` and then the `ipa-server-install` command? (and freeipa-server package version) There was a that could cause this behavior.
>
> Anyway, the installer files you are looking for are there:
> /var/lib/ipa/sysrestore/ # server backup files
> /var/lib/ipa-client/sysrestore/ # client backup files
>
> If you remove them, the installation will continue. However, I wouldn't recommend removing them manually as ipa-[server|client]-install --uninstall won't be able to return the machine to its original configuration then. I would rather suggest using the server/client uninstaller again.
>
> Martin

From rcritten at redhat.com  Tue May 10 20:54:21 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 10 May 2011 16:54:21 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC9A5FD.9090507@redhat.com>

Steven Jones wrote:
> Hi,
>
> It's quite interesting that there are no real clients for ipa outside of RH/Fedora....this will probably do more to delay or restrict its adoption than anything else.

nss_ldap or its equivalent exists on most operating systems.

sssd, albeit a rather old one, exists in Debian.

The code, particularly the client, should be rather portable. Packaging help from package maintainers on other distros would be welcome.

rob

> regards
>
> Steven
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of nasir nasir [kollathodi at yahoo.com]
> Sent: Wednesday, 11 May 2011 4:37 a.m.
> To: Adam Young
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
> -- Times are perfectly in sync across the network.
> -- I can ssh using IPA users from the client machine also.
> -- I can mount NFS partition on client machine when NOT using -o sec=krb5 option
>
> So it seems to be some issue with kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled the debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc.)
>
> Here is my /etc/export file,
>
> /export *(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the Kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in Kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this? If so, I can try with an earlier version of Kubuntu with python 2.6 and update you on this.
>
> Thanks a lot and regards,
> Nasir
>
> --- On Mon, 5/9/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 8:38 AM
>
> On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dmitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you know the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error,
>
> [root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May 9 17:36:14 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root at abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding the allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/keytab entries etc. Still it does not work. When I give the weak crypto entry and add some weak crypto like des-cbc-md5, the server rejects it and says that it is not supported. My /etc/export file and all the necessary commands are copy-pasted from the deployment guide with only the necessary modifications to suit my values.
>
> Please suggest me what to do.
>
> Start off by checking the kerberos logs on both the server and client machines.
>
> in /var/log/
> krb5kdc.log
> kadmind.log
> secure
>
> I'm not a Kerberos guru...bear that in mind
>
> Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"
>
> The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.
>
> On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.
>
> Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.
>
> Thanks indeed in advance and regards,
> Nidal
>
> --- On Mon, 5/9/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 6:17 AM
>
> On 05/08/2011 11:57 PM, nasir nasir wrote:
>
> Adam,
>
> I truly appreciate your persistence!
>
> I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,
>
> openway at dl-360:~/rpm$ sudo ipa-client-install
> There was a problem importing one of the required Python modules. The
> error was:
>
> No module named ipaclient.ipadiscovery
>
> I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into
>
> /usr/lib64/python2.7/site-packages/
>
> Debian might be looking under /usr/lib/ for Python.
>
> Try a 32bit RPM.
>
> openway at dl-360:~/rpm$
>
> I even created the deb file out of ipa-python package and installed it on the Kubuntu machine (without any error). Still, it's the same. Any idea?
>
> Thanks and regards,
> Nidal
>
> --- On Sun, 5/8/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Sunday, May 8, 2011, 4:39 PM
>
> On 05/08/2011 06:20 AM, nasir nasir wrote:
>
> Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing.
> I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (Kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?
>
> Did you try installing the ipa-client rpms with Alien?
>
> Thanks and Regards,
> Nidal
>
> --- On Mon, 5/2/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 2, 2011, 8:03 AM
>
> On 05/01/2011 08:49 AM, nasir nasir wrote:
> Thanks for all the replies and great suggestions! I do appreciate it a lot.
>
> Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!). And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to log in later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)
>
> Thanks and regards,
> Nidal
>
>> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
> IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server?
>
> I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.
>
> Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed file system, or stick to NFS.
>
> Nidal,
>
> OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home. Now, create an automount location and map, and create a key for /home.
>
> The instructions from our test day should get you started:
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

From Steven.Jones at vuw.ac.nz  Tue May 10 20:59:44 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 10 May 2011 20:59:44 +0000
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC9A5FD.9090507@redhat.com>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9A5FD.9090507@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634AA40@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

We run just about every distro I've heard of I think...

So, yes....I'll need lots of different clients....however AP still have not replied to my requests.....
regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 11 May 2011 8:54 a.m.
To: Steven Jones
Cc: nasir nasir; Adam Young; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

Steven Jones wrote:
> Hi,
>
> It's quite interesting that there are no real clients for ipa outside of RH/Fedora....this will probably do more to delay or restrict its adoption than anything else.

nss_ldap or its equivalent exists on most operating systems.

sssd, albeit a rather old one, exists in Debian.

The code, particularly the client, should be rather portable. Packaging help from package maintainers on other distros would be welcome.

rob

> regards
>
> Steven
>
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of nasir nasir [kollathodi at yahoo.com]
> Sent: Wednesday, 11 May 2011 4:37 a.m.
> To: Adam Young
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
> -- Times are perfectly in sync across the network.
> -- I can ssh using IPA users from the client machine also.
> -- I can mount NFS partition on client machine when NOT using -o sec=krb5 option
>
> So it seems to be some issue with kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled the debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc.)
>
> Here is my /etc/export file,
>
> /export *(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the Kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in Kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this? If so, I can try with an earlier version of Kubuntu with python 2.6 and update you on this.
>
> Thanks a lot and regards,
> Nasir
>
> --- On Mon, 5/9/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 8:38 AM
>
> On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dmitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you know the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error,
>
> [root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May 9 17:36:14 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root at abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding the allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/keytab entries etc. Still it does not work. When I give the weak crypto entry and add some weak crypto like des-cbc-md5, the server rejects it and says that it is not supported. My /etc/export file and all the necessary commands are copy-pasted from the deployment guide with only the necessary modifications to suit my values.
>
> Please suggest me what to do.
>
> Start off by checking the kerberos logs on both the server and client machines.
>
> in /var/log/
> krb5kdc.log
> kadmind.log
> secure
>
> I'm not a Kerberos guru...bear that in mind
>
> Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"
>
> The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.
>
> On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.
>
> Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.
>
> Thanks indeed in advance and regards,
> Nidal
>
> --- On Mon, 5/9/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 9, 2011, 6:17 AM
>
> On 05/08/2011 11:57 PM, nasir nasir wrote:
>
> Adam,
>
> I truly appreciate your persistence!
>
> I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,
>
> openway at dl-360:~/rpm$ sudo ipa-client-install
> There was a problem importing one of the required Python modules. The
> error was:
>
> No module named ipaclient.ipadiscovery
>
> I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into
>
> /usr/lib64/python2.7/site-packages/
>
> Debian might be looking under /usr/lib/ for Python.
>
> Try a 32bit RPM.
>
> openway at dl-360:~/rpm$
>
> I even created the deb file out of ipa-python package and installed it on the Kubuntu machine (without any error). Still, it's the same. Any idea?
>
> Thanks and regards,
> Nidal
>
> --- On Sun, 5/8/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Sunday, May 8, 2011, 4:39 PM
>
> On 05/08/2011 06:20 AM, nasir nasir wrote:
>
> Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (Kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?
>
> Did you try installing the ipa-client rpms with Alien?
>
> Thanks and Regards,
> Nidal
>
> --- On Mon, 5/2/11, Adam Young wrote:
>
> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: freeipa-users at redhat.com
> Date: Monday, May 2, 2011, 8:03 AM
>
> On 05/01/2011 08:49 AM, nasir nasir wrote:
> Thanks for all the replies and great suggestions! I do appreciate it a lot.
>
> Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!). And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to log in later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)
>
> Thanks and regards,
> Nidal
>
>> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
> IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.
>
> Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed file system, or stick to NFS.
>
> Nidal,
>
> OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home. Now, create an automount location and map, and create a key for /home.
>
> The instructions from our test day should get you started:
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

From Steven.Jones at vuw.ac.nz  Tue May 10 21:02:10 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 10 May 2011 21:02:10 +0000
Subject: [Freeipa-users] failure to un-install FreeIPA
In-Reply-To: <4DC9A593.4060309@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006349263@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1305016330.11948.10.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E400634A9E0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9A593.4060309@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634AA4A@STAWINCOX10MBX1.staff.vuw.ac.nz>

VMware local console....I can't cut and paste outputs or scroll back when it's a KDE rdp to a windows 7 vmware guest and then into the vmware thick client and then to a "local" console simply doesn't work...

Bit messy but I get a Linux desktop.... :D

regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 11 May 2011 8:52 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] failure to un-install FreeIPA

Steven Jones wrote:
> I logged in via ssh instead so I could get an output and the install worked without a hitch...

ssh instead of what?

rob

> :/
>
> weird.......
>
> regards
>
> Steven
> ________________________________________
> From: Martin Kosek [mkosek at redhat.com]
> Sent: Tuesday, 10 May 2011 8:32 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] failure to un-install FreeIPA
>
> On Tue, 2011-05-10 at 03:58 +0000, Steven Jones wrote:
>> I am trying to un-install freeipa with
>>
>> ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed!
>>
>> oops.
>>
>> Is there a way to force the script to check and remove everything?
>>
>> Or somewhere there is a lock file or something that needs removing?
>>
>> regards
>
> Steven,
>
> can you please send a full output of `ipa-server-install --uninstall` and then the `ipa-server-install` command? (and freeipa-server package version) There was a that could cause this behavior.
>
> Anyway, the installer files you are looking for are there:
> /var/lib/ipa/sysrestore/ # server backup files
> /var/lib/ipa-client/sysrestore/ # client backup files
>
> If you remove them, the installation will continue. However, I wouldn't recommend removing them manually as ipa-[server|client]-install --uninstall won't be able to return the machine to its original configuration then. I would rather suggest using the server/client uninstaller again.
>
> Martin

From dpal at redhat.com  Tue May 10 21:06:48 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 10 May 2011 17:06:48 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634AA40@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9A5FD.9090507@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA40@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC9A8E8.4060505@redhat.com>

On 05/10/2011 04:59 PM, Steven Jones wrote:
> Hi,
>
> We run just about every distro I've heard of I think...
>
> So, yes....I'll need lots of different clients....however AP still have not replied to my requests.....

He will in due time.
IPA is in tech preview in 6.1.

> regards
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 11 May 2011 8:54 a.m.
> To: Steven Jones
> Cc: nasir nasir; Adam Young; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>
> Steven Jones wrote:
>> Hi,
>>
>> It's quite interesting that there are no real clients for ipa outside of RH/Fedora....this will probably do more to delay or restrict its adoption than anything else.
> nss_ldap or its equivalent exists on most operating systems.
>
> sssd, albeit a rather old one, exists in Debian.
>
> The code, particularly the client, should be rather portable. Packaging help from package maintainers on other distros would be welcome.
>
> rob
>
>> regards
>>
>> Steven
>>
>> ________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of nasir nasir [kollathodi at yahoo.com]
>> Sent: Wednesday, 11 May 2011 4:37 a.m.
>> To: Adam Young
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>>
>> Thanks again!
>>
>> Two issues,
>>
>> 1) I had already tried everything you had mentioned in your mail.
>>
>> -- Times are perfectly in sync across the network.
>> -- I can ssh using IPA users from the client machine also.
>> -- I can mount NFS partition on client machine when NOT using -o sec=krb5 option
>>
>> So it seems to be some issue with kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled the debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc.)
>>
>> Here is my /etc/export file,
>>
>> /export *(rw,fsid=0,insecure,no_subtree_check)
>> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
>> /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
>> /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>>
>> 2) Regarding the Kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in Kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this? If so, I can try with an earlier version of Kubuntu with python 2.6 and update you on this.
>>
>> Thanks a lot and regards,
>> Nasir
>>
>> --- On Mon, 5/9/11, Adam Young wrote:
>>
>> From: Adam Young
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"
>> Cc: freeipa-users at redhat.com
>> Date: Monday, May 9, 2011, 8:38 AM
>>
>> On 05/09/2011 10:43 AM, nasir nasir wrote:
>> Dmitri/Adam/Stephen,
>>
>> Thanks a lot for all the replies!
>>
>> This is a 64 bit machine. So I will try to install 32 bit and let you know the result.
>>
>> Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error,
>>
>> [root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
>> mount.nfs4: timeout set for Mon May 9 17:36:14 2011
>> mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
>> mount.nfs4: mount(2): Permission denied
>> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
>> [root at abc Packages]#
>>
>> But when I try to remove the kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding the allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/keytab entries etc. Still it does not work. When I give the weak crypto entry and add some weak crypto like des-cbc-md5, the server rejects it and says that it is not supported. My /etc/export file and all the necessary commands are copy-pasted from the deployment guide with only the necessary modifications to suit my values.
>>
>> Please suggest me what to do.
>>
>> Start off by checking the kerberos logs on both the server and client machines.
>>
>> in /var/log/
>> krb5kdc.log
>> kadmind.log
>> secure
>>
>> I'm not a Kerberos guru...bear that in mind
>>
>> Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"
>>
>> The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.
>>
>> On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.
>>
>> Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.
>>
>> Thanks indeed in advance and regards,
>> Nidal
>>
>> --- On Mon, 5/9/11, Adam Young wrote:
>>
>> From: Adam Young
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"
>> Cc: freeipa-users at redhat.com
>> Date: Monday, May 9, 2011, 6:17 AM
>>
>> On 05/08/2011 11:57 PM, nasir nasir wrote:
>>
>> Adam,
>>
>> I truly appreciate your persistence!
>>
>> I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,
>>
>> openway at dl-360:~/rpm$ sudo ipa-client-install
>> There was a problem importing one of the required Python modules. The
>> error was:
>>
>> No module named ipaclient.ipadiscovery
>>
>> I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into
>>
>> /usr/lib64/python2.7/site-packages/
>>
>> Debian might be looking under /usr/lib/ for Python.
>>
>> Try a 32bit RPM.
>>
>> openway at dl-360:~/rpm$
>>
>> I even created the deb file out of ipa-python package and installed it on the Kubuntu machine (without any error). Still, it's the same. Any idea?
>>
>> Thanks and regards,
>> Nidal
>>
>> --- On Sun, 5/8/11, Adam Young wrote:
>>
>> From: Adam Young
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"
>> Cc: freeipa-users at redhat.com
>> Date: Sunday, May 8, 2011, 4:39 PM
>>
>> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>
>> Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (Kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when the native ipa-client package is not available. All the docs are focused on configuring client machines using the ipa-client package. Is this possible? If so, could anyone suggest me some guidelines or docs for the same?
>>
>> Did you try installing the ipa-client rpms with Alien?
>>
>> Thanks and Regards,
>> Nidal
>>
>> --- On Mon, 5/2/11, Adam Young wrote:
>>
>> From: Adam Young
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir"
>> Cc: freeipa-users at redhat.com
>> Date: Monday, May 2, 2011, 8:03 AM
>>
>> On 05/01/2011 08:49 AM, nasir nasir wrote:
>> Thanks for all the replies and great suggestions! I do appreciate it a lot.
>>
>> Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e. FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!). And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to log in later, she should be able to access the same /home specific to her regardless of the machine. I hope it is clear to all :-)
>>
>> Thanks and regards,
>> Nidal
>>
>>> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage
>> IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user.
>>
>> Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed file system, or stick to NFS.
>>
>> Nidal,
>>
>> OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home.
Now, create an automount location and map, and create a key for /home >> >> The instructions from our test day should get you started: >> >> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount >> >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Tue May 10 21:11:27 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 10 May 2011 21:11:27 +0000 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <4DC99F15.5080900@redhat.com> References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, There are OSS packages that can be installed into Solaris.....so I dont see why freeipa cant be ported....at least the x86 CPU version anyway. Oracle/Sun may not want to do IPA but if you had ever had the mis-fortune to try and use Oracle's IdM / OVD /OID you'd understand why few techies/ppl/businesses want it.....its bloody awful to install let alone work with or maintain....So its turns into a risky endeavour and no one sane wants that much risk in their business....let alone the 6 figure costs..........and yes Im talking over a million.... 
Hopefully we are getting away from the silo attitude of vendors.....Vendors might want only their products in a customer site, but realistically customers don't want that for lots of reasons, and pillaging your wallet is one of the biggest....

In our case all that happens is we won't buy Sun kit if it doesn't work the way we want to work....their loss.

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 11 May 2011 8:24 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

On 05/10/2011 04:10 PM, Steven Jones wrote:
> Hi,
>
> It's quite interesting that there are no real clients for ipa outside of RH/Fedora....this will probably do more to delay or restrict its adoption than anything else.
>
Not sure what you are talking about. Any kerberos enabled service is a service and any pam_krb5/nss_ldap or SSSD enabled system can be a client.
SSSD is in Debian, Ubuntu, SUSE, Fedora, RH.
Would be nice to have it in other OSs like Solaris and HP-UX but they have other plans.

> regards
>
> Steven


From dpal at redhat.com Tue May 10 21:31:11 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 10 May 2011 17:31:11 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC9AE9F.1060508@redhat.com>

On 05/10/2011 05:11 PM, Steven Jones wrote:
> Hi,
>
> There are OSS packages that can be installed into Solaris.....so I don't see why freeipa can't be ported....at least the x86 CPU version anyway.

I think this will be a huge undertaking. It is not that simple. And is there really a value for IPA to be on Solaris?
I can understand the client part but the server is less important. It is a dedicated server running on BM or VM so does it really matter what OS it is running as long as it is supported and affordable?

We as a dev community will be open to any effort to port the whole stack to some other distribution but I bet there are better uses for someone's energy that we can utilize to deliver better functionality to this user community.

Client is a different issue. I tried to talk to IBM, HP and Sun a year ago. They are not interested in porting SSSD to their platforms.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From sigbjorn at nixtra.com Tue May 10 21:36:19 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 10 May 2011 23:36:19 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <373596.88089.qm@web161317.mail.bf1.yahoo.com>
References: <373596.88089.qm@web161317.mail.bf1.yahoo.com>
Message-ID: <4DC9AFD3.4040809@nixtra.com>

Hi,

This export worked for me:

/export *(rw,no_root_squash,sec=krb5)

I had an issue when I first set up NFS4+krb5 where my "domainname" command did not return anything. After manually typing "domainname " on both server and client, NFS4+krb5 worked like a charm. Might not be it for you, but worth a check.

Also remember to verify that you have a valid kerberos ticket as the user doing the mounting (root) at the client.

If your client is old, you might have an issue with the Linux NFS4+krb5 weak encryption issue. I did not when using F14 as client, RH 6.1beta and NexentaStor 3.0.5 as servers.
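The checks this reply and Adam's earlier advice walk through (an export that actually offers a Kerberos flavour, an nfs/ key for the server in its keytab, clocks in sync), as an added Python example that is not part of Sigbjorn's message or of FreeIPA. The server hostname and the export lines are the ones quoted in the thread; the realm COHORT.ORG, the klist -k output and the clock values are constructed.

```python
"""Pre-mount checks for a Kerberos-secured NFSv4 export.

Added example, not code from the thread or from FreeIPA. It turns the checks
the thread walks through (does the export offer a krb5 flavour, does the
server keytab hold an nfs/ key, are the clocks in sync) into functions over
captured text, so they can be run offline against constructed samples.
"""
import re
from datetime import datetime, timedelta

KRB_FLAVOURS = ("krb5", "krb5i", "krb5p")


def parse_exports(text):
    """Map export path -> set of security flavours from /etc/exports text.

    Understands both the 'client(...,sec=krb5:krb5i)' option form and the
    older 'gss/krb5(...)' pseudo-client form used in the thread. A client
    entry without sec= exports with AUTH_SYS only ('sys'); that is the
    configuration where a plain mount works but '-o sec=krb5' is refused.
    """
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        flavours = exports.setdefault(path, set())
        for client in clients:
            host, _, opts = client.partition("(")
            opts = opts.rstrip(")")
            if host.startswith("gss/"):
                flavours.add(host[len("gss/"):])
                continue
            secs = [o[len("sec="):] for o in opts.split(",") if o.startswith("sec=")]
            flavours.update(secs[-1].split(":") if secs else ["sys"])
    return exports


def keytab_principals(klist_text):
    """Return the principals from 'klist -k' output (KVNO column, then principal)."""
    principals = []
    for line in klist_text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def check_nfs_krb5(exports_text, keytab_text, server_fqdn, realm,
                   client_clock, server_clock, max_skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    exports = parse_exports(exports_text)
    if not any(f & set(KRB_FLAVOURS) for f in exports.values()):
        findings.append("no export offers a krb5 flavour; sec=krb5 mounts will be refused")
    want = "nfs/%s@%s" % (server_fqdn, realm)
    if want not in keytab_principals(keytab_text):
        findings.append("keytab lacks %s; add the nfs service in IPA and fetch its key" % want)
    skew = abs(client_clock - server_clock)
    if skew > max_skew:
        findings.append("clock skew %s exceeds the %s Kerberos tolerance" % (skew, max_skew))
    return findings


# Export lines quoted in the thread: Nasir's legacy gss/ form and Sigbjorn's sec= form.
NASIR_EXPORTS = """\
/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
"""
SIGGI_EXPORTS = "/export *(rw,no_root_squash,sec=krb5)\n"
# Constructed: an export that never enabled Kerberos at all.
SYS_ONLY_EXPORTS = "/export *(rw,no_subtree_check)\n"

# Constructed 'klist -k' output for the server named in the thread; the realm is assumed.
KEYTAB_OK = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/openipa.cohort.org@COHORT.ORG
   2 nfs/openipa.cohort.org@COHORT.ORG
"""
KEYTAB_NO_NFS = "\n".join(KEYTAB_OK.splitlines()[:4]) + "\n"

# Constructed clocks: the mount timestamp from the thread, and a server 10 minutes off.
CLIENT_CLOCK = datetime(2011, 5, 9, 17, 36, 14)
SKEWED_SERVER_CLOCK = CLIENT_CLOCK + timedelta(minutes=10)

if __name__ == "__main__":
    for label, exports, keytab, server_clock in (
            ("thread exports", NASIR_EXPORTS, KEYTAB_OK, CLIENT_CLOCK),
            ("broken setup", SYS_ONLY_EXPORTS, KEYTAB_NO_NFS, SKEWED_SERVER_CLOCK)):
        findings = check_nfs_krb5(exports, keytab, "openipa.cohort.org", "COHORT.ORG",
                                  CLIENT_CLOCK, server_clock)
        print(label + ":", findings or "all checks pass")
```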
Rgds,
Siggi

On 05/10/2011 06:37 PM, nasir nasir wrote:
>
> Thanks again!
>
> Two issues,
>
> 1) I had already tried everything you had mentioned in your mail.
>
> -- Times are perfectly in sync across the network.
> -- I can ssh using IPA users from the client machine also.
> -- I can mount the NFS partition on the client machine when NOT using the -o sec=krb5 option.
>
> So it seems to be some issue with the kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled the debug option in the /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc).
>
> Here is my /etc/exports file,
>
> /export *(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> 2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in kubuntu is 2.7 and that of the RHEL I have tried is 2.6. Could it be due to this? If so, I can try with an earlier version of kubuntu with python 2.6 and update you on this.
>
> Thanks a lot and regards,
> Nasir


From sigbjorn at nixtra.com Tue May 10 21:42:36 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 10 May 2011 23:42:36 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC9AE9F.1060508@redhat.com>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com>
Message-ID: <4DC9B14C.9000003@nixtra.com>

Hi,

I would like to see the ipa client scripts and possibly the admin tools in a nice Solaris package. This would make my job a lot easier as we have a lot of customers running Solaris. :)

For the server part I agree with you, keep it at RHEL.

SSSD @ Solaris / HP-UX / AIX ... well there aren't many (if any) of the UNIX vendors selling their iron as client machines anymore. And I don't see a considerable benefit in adding SSSD to servers, which will be well connected to the network anyway.

Rgds,
Siggi

On 05/10/2011 11:31 PM, Dmitri Pal wrote:
> On 05/10/2011 05:11 PM, Steven Jones wrote:
>> Hi,
>>
>> There are OSS packages that can be installed into Solaris.....so I don't see why freeipa can't be ported....at least the x86 CPU version anyway.
> I think this will be a huge undertaking. It is not that simple. And is there really a value for IPA to be on Solaris?
> I can understand the client part but the server is less important.


From Steven.Jones at vuw.ac.nz Tue May 10 21:46:37 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 10 May 2011 21:46:37 +0000
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC9AE9F.1060508@redhat.com>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9AE9F.1060508@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634AAA8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Ah sorry I assumed a Solaris client....not server.

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 11 May 2011 9:31 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

On 05/10/2011 05:11 PM, Steven Jones wrote:
> Hi,
>
> There are OSS packages that can be installed into Solaris.....so I don't see why freeipa can't be ported....at least the x86 CPU version anyway.

I think this will be a huge undertaking. It is not that simple. And is there really a value for IPA to be on Solaris?
I can understand the client part but the server is less important.


From dpal at redhat.com Tue May 10 22:24:58 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 10 May 2011 18:24:58 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC9B14C.9000003@nixtra.com>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com>
Message-ID: <4DC9BB3A.6020309@redhat.com>

On 05/10/2011 05:42 PM, Sigbjorn Lie wrote:
> Hi,
>
> I would like to see the ipa client scripts and possibly the admin tools in a nice Solaris package. This would make my job a lot easier as we have a lot of customers running Solaris. :)
>
> For the server part I agree with you, keep it at RHEL.
>
> SSSD @ Solaris / HP-UX / AIX ... well there aren't many (if any) of the UNIX vendors selling their iron as client machines anymore. And I don't see a considerable benefit in adding SSSD to servers, which will be well connected to the network anyway.
https://fedorahosted.org/freeipa/ticket/1214

> Rgds,
> Siggi

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Wed May 11 00:51:41 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 10 May 2011 20:51:41 -0400
Subject: [Freeipa-users] failure to un-install FreeIPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634AA4A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006349263@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1305016330.11948.10.camel@dhcp-25-52.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E400634A9E0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9A593.4060309@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA4A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC9DD9D.6020505@redhat.com>

On 05/10/2011 05:02 PM, Steven Jones wrote:
> VMware local console....I can't cut and paste outputs or scroll back when it's a KDE rdp to a windows 7 vmware guest and then into the vmware thick client and then to a "local" console simply doesn't work...
>
> Bit messy but I get a Linux desktop....

Yeah, I had to deal with that in my last job. I had a hack where I converted the MAC address to the IPv6 link local in order to be able to get an SSH session without firing up the vSphere GUI.

> :D
>
> regards
>
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 11 May 2011 8:52 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] failure to un-install FreeIPA
>
> Steven Jones wrote:
>> I logged in via ssh instead so I could get an output and the install worked without a hitch...
> ssh instead of what?
>
> rob
>
>> :/
>>
>> weird.......
>>
>> regards
>>
>> Steven
>> ________________________________________
>> From: Martin Kosek [mkosek at redhat.com]
>> Sent: Tuesday, 10 May 2011 8:32 p.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] failure to un-install FreeIPA
>>
>> On Tue, 2011-05-10 at 03:58 +0000, Steven Jones wrote:
>>> I am trying to un-install freeipa with
>>>
>>> ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed!
>>>
>>> oops.
>>>
>>> Is there a way to force the script to check and remove everything?
>>>
>>> Or somewhere there is a lock file or something that needs removing?
>>>
>>> regards
>>>
>> Steven,
>>
>> can you please send a full output of `ipa-server-install --uninstall`
>> and then the `ipa-server-install` command? (and freeipa-server package
>> version) There was a [bug] that could cause this behavior.
>>
>> Anyway, the installer files you are looking for are there:
>> /var/lib/ipa/sysrestore/ # server backup files
>> /var/lib/ipa-client/sysrestore/ # client backup files
>>
>> If you remove them, the installation will continue. However, I wouldn't
>> recommend removing them manually as ipa-[server|client]-install
>> --uninstall won't be able to return the machine to its original
>> configuration then. I would rather suggest using the server/client
>> uninstaller again.
>>
>> Martin
>>
>

From Steven.Jones at vuw.ac.nz Wed May 11 02:14:42 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 11 May 2011 02:14:42 +0000
Subject: [Freeipa-users] fatal error for ipa with dns.
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have installed ipa but I'm getting this error, named won't run as won't kinit admin.
=================
May 11 14:11:40 vuwunicoipamt01 named[3132]: starting BIND 9.7.3-RedHat-9.7.3-1.el6 -u named
May 11 14:11:40 vuwunicoipamt01 named[3132]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
May 11 14:11:40 vuwunicoipamt01 named[3132]: adjusted limit on open files from 1024 to 1048576
May 11 14:11:40 vuwunicoipamt01 named[3132]: found 1 CPU, using 1 worker thread
May 11 14:11:40 vuwunicoipamt01 named[3132]: using up to 4096 sockets
May 11 14:11:40 vuwunicoipamt01 named[3132]: loading configuration from '/etc/named.conf'
May 11 14:11:40 vuwunicoipamt01 named[3132]: using default UDP/IPv4 port range: [1024, 65535]
May 11 14:11:40 vuwunicoipamt01 named[3132]: using default UDP/IPv6 port range: [1024, 65535]
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv6 interfaces, port 53
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv4 interface lo, 127.0.0.1#53
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv4 interface eth0, 130.195.81.236#53
May 11 14:11:40 vuwunicoipamt01 named[3132]: generating session key for dynamic DNS
May 11 14:11:40 vuwunicoipamt01 named[3132]: Failed to init credentials (Cannot contact any KDC for realm 'UNIX.VUW.AC.NZ')
May 11 14:11:40 vuwunicoipamt01 named[3132]: loading configuration: failure
May 11 14:11:40 vuwunicoipamt01 named[3132]: exiting (due to fatal error)
May 11 14:12:36 vuwunicoipamt01 ntpd[1771]: synchronized to LOCAL(0), stratum 10
=============

there appears to be no named.log?

regards

From Steven.Jones at vuw.ac.nz Wed May 11 02:40:36 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 11 May 2011 02:40:36 +0000
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634B2E9@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

There also appears to be no unix.vuw.ac.nz zone, which I was expecting.....so I make this by hand?

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 11 May 2011 2:14 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] fatal error for ipa with dns.

I have installed ipa but I'm getting this error, named won't run as won't kinit admin.
=================
[named startup log snipped; identical to the original message above]
=============

there appears to be no named.log?

regards

From ayoung at redhat.com Wed May 11 03:04:58 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 10 May 2011 23:04:58 -0400
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC9FCDA.6070703@redhat.com>

Can you attach the file /var/log/ipa-server-install.log?
On 05/10/2011 10:14 PM, Steven Jones wrote:
> I have installed ipa but I'm getting this error, named won't run as won't kinit admin.
>
> =================
> [named startup log snipped; identical to the original message above]
> =============
>
> there appears to be no named.log?
>
> regards
>

From Steven.Jones at vuw.ac.nz Wed May 11 03:02:24 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 11 May 2011 03:02:24 +0000
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Fixed I think, forgot to disable NetworkManager.....so did that, uninstalled and re-installed and it's fine...so far...

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 11 May 2011 2:14 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] fatal error for ipa with dns.

I have installed ipa but I'm getting this error, named won't run as won't kinit admin.

=================
[named startup log snipped; identical to the original message above]
=============

there appears to be no named.log?

regards

From ayoung at redhat.com Wed May 11 03:16:13 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 10 May 2011 23:16:13 -0400
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DC9FF7D.3070306@redhat.com>

Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual environment using DNSMasq, so I feel your pain. Please send a quick write up of your set up if you get everything working.

On 05/10/2011 11:02 PM, Steven Jones wrote:
> Hi,
>
> Fixed I think, forgot to disable NetworkManager.....so did that, uninstalled and re-installed and it's fine...so far...
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Wednesday, 11 May 2011 2:14 p.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] fatal error for ipa with dns.
>
> I have installed ipa but I'm getting this error, named won't run as won't kinit admin.
>
> =================
> [named startup log snipped; identical to the original message above]
> =============
>
> there appears to be no named.log?
>
> regards
>

From Steven.Jones at vuw.ac.nz Wed May 11 03:25:47 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 11 May 2011 03:25:47 +0000
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <4DC9FF7D.3070306@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9FF7D.3070306@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634B315@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Nope looks like DNS is barfed big time.......

==============
[root at vuwunicoipamt01 ~]# host vuwunicoipamt01.unix.vuw.ac.nz
vuwunicoipamt01.unix.vuw.ac.nz has address 130.195.81.236
[root at vuwunicoipamt01 ~]# ipa dns-resolve vuwunicoipamt01.unix.vuw.ac.nz
ipa: ERROR: Kerberos error: No credentials cache found/
[root at vuwunicoipamt01 ~]# ipa host-show vuwunicoipamt01.unix.vuw.ac.nz
ipa: ERROR: Kerberos error: No credentials cache found/
[root at vuwunicoipamt01 ~]#
==============

also clients can't resolve against the DNS server so it's looking buggered....

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Adam Young [ayoung at redhat.com]
Sent: Wednesday, 11 May 2011 3:16 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual environment using DNSMasq, so I feel your pain. Please send a quick write up of your set up if you get everything working.

On 05/10/2011 11:02 PM, Steven Jones wrote:
> Hi,
>
> Fixed I think, forgot to disable NetworkManager.....so did that, uninstalled and re-installed and it's fine...so far...
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Wednesday, 11 May 2011 2:14 p.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] fatal error for ipa with dns.
>
> I have installed ipa but I'm getting this error, named won't run as won't kinit admin.
>
> =================
> [named startup log snipped; identical to the original message above]
> =============
>
> there appears to be no named.log?
>
> regards
>

From Steven.Jones at vuw.ac.nz Wed May 11 03:28:00 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 11 May 2011 03:28:00 +0000
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <4DC9FF7D.3070306@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9FF7D.3070306@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634B324@STAWINCOX10MBX1.staff.vuw.ac.nz>

all the logs....

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Adam Young [ayoung at redhat.com]
Sent: Wednesday, 11 May 2011 3:16 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual environment using DNSMasq, so I feel your pain. Please send a quick write up of your set up if you get everything working.

On 05/10/2011 11:02 PM, Steven Jones wrote:
> Hi,
>
> Fixed I think, forgot to disable NetworkManager.....so did that, uninstalled and re-installed and it's fine...so far...
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Wednesday, 11 May 2011 2:14 p.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] fatal error for ipa with dns.
>
> I have installed ipa but I'm getting this error, named won't run as won't kinit admin.
>
> =================
> [named startup log snipped; identical to the original message above]
> =============
>
> there appears to be no named.log?
>
> regards
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-logs.tar.gz
Type: application/x-gzip
Size: 91558 bytes
Desc: ipa-logs.tar.gz
URL:

From ayoung at redhat.com Wed May 11 03:33:47 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 10 May 2011 23:33:47 -0400
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634B324@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9FF7D.3070306@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634B324@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DCA039B.7070701@redhat.com>

OK, I'll take a look. BTW, what is your DNS set up outside of the IPA server: does your IPA server have a FQDN in a different server?

On 05/10/2011 11:28 PM, Steven Jones wrote:
> all the logs....
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Adam Young [ayoung at redhat.com]
> Sent: Wednesday, 11 May 2011 3:16 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] fatal error for ipa with dns.
>
> Very cool. I've had a slew of DNS related issues when trying to set
> things up in a small virtual environment using DNSMasq, so I feel your
> pain. Please send a quick write up of your set up if you get everything
> working.
>
>
> On 05/10/2011 11:02 PM, Steven Jones wrote:
>> Hi,
>>
>> Fixed I think, forgot to disable NetworkManager.....so did that, uninstalled and re-installed and it's fine...so far...
>>
>> regards
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Wednesday, 11 May 2011 2:14 p.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] fatal error for ipa with dns.
>>
>> regards
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Wed May 11 03:37:45 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 11 May 2011 03:37:45 +0000
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <4DCA039B.7070701@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9FF7D.3070306@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634B324@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DCA039B.7070701@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634B34C@STAWINCOX10MBX1.staff.vuw.ac.nz>

[root at vuwunicoadmint2 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01 --domain unix.vuw.ac.nz -p admin
Discovery was successful!
  Realm: UNIX.VUW.AC.NZ
  DNS Domain: unix.vuw.ac.nz
  IPA Server: vuwunicoipamt01
  BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
Password for admin at UNIX.VUW.AC.NZ:
Joining realm failed: HTTP response code is 301, not 200
[root at vuwunicoadmint2 ~]#

I'm getting this from a client
________________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Wednesday, 11 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

OK, I'll take a look. BTW, what is your DNS setup outside of the IPA server: does your IPA server have an FQDN in a different server?
>>
>> regards
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Wed May 11 03:55:59 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 11 May 2011 03:55:59 +0000
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <4DCA039B.7070701@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9FF7D.3070306@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634B324@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DCA039B.7070701@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634B364@STAWINCOX10MBX1.staff.vuw.ac.nz>

client that failed install log as requested.

regards
________________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Wednesday, 11 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

OK, I'll take a look. BTW, what is your DNS setup outside of the IPA server: does your IPA server have an FQDN in a different server?

On 05/10/2011 11:28 PM, Steven Jones wrote:
> all the logs....
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Adam Young [ayoung at redhat.com]
> Sent: Wednesday, 11 May 2011 3:16 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] fatal error for ipa with dns.
>
> Very cool.
>>
>> regards
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaclient-install.log
Type: application/octet-stream
Size: 2014 bytes
Desc: ipaclient-install.log
URL:

From Steven.Jones at vuw.ac.nz Wed May 11 04:00:56 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 11 May 2011 04:00:56 +0000
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634B364@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9FF7D.3070306@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634B324@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DCA039B.7070701@redhat.com>, <833D8E48405E064EBC54C84EC6B36E400634B364@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634B381@STAWINCOX10MBX1.staff.vuw.ac.nz>

http error log as requested
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 11 May 2011 3:55 p.m.
To: Adam Young
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

client that failed install log as requested.

regards
________________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Wednesday, 11 May 2011 3:33 p.m.
>>
>> regards
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 22002 bytes
Desc: error_log
URL:

From sgallagh at redhat.com Wed May 11 12:42:31 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 11 May 2011 08:42:31 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC9B14C.9000003@nixtra.com>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com>
Message-ID: <1305117752.1881.13.camel@sgallagh.bos.redhat.com>

On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
> Hi,
>
> I would like to see the ipa client scripts and possibly the admin tools
> in a nice Solaris package. This would make my job a lot easier as we
> have a lot of customers running Solaris. :)
>
> For the server part I agree with you, keep it at RHEL.
>
> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
> UNIX vendors selling their iron as client machines anymore. And I don't
> see a considerable benefit in adding SSSD to servers, who will be well
> connected to the network anyway.

Actually, SSSD is still valuable on server systems (and is used very often in datacenters).
The reason is that it can allow a server to ride out an outage in the LDAP and/or Kerberos server and still handle authentication and identity requests from its cache.

We've expressed interest several times in working WITH other platforms to help them port the SSSD, but we've received no real commitment to assisting with it. We have a lot on our plates already, so it is difficult for us to justify spending time improving our competitors' offerings :)

Also, SSSD has additional features with FreeIPA integration that nss_ldap and pam_krb5 do not. Specifically, it has support for managing access-control using FreeIPA's host-based access control model. This is a very valuable piece of the puzzle and should not be ignored.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL:

From kollathodi at yahoo.com Wed May 11 13:12:21 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Wed, 11 May 2011 06:12:21 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC98516.4030701@redhat.com>
Message-ID: <614314.64888.qm@web161302.mail.bf1.yahoo.com>

Thanks for the help, the NFS share works now. The problem, I think, was that I had followed the deployment guide (edition 0.7) which seems to have given some wrong path for keytab location.

Regarding Kubuntu client, I tried all options (many versions of kubuntu, ubuntu, 32, 64 bits etc). It is still the same. I can install the Freeipa-client package successfully. But when I run the ipa-client-install script, I get the same error,

There was a problem importing one of the required Python modules. The error was:
    No module named ipaclient.ipadiscovery

Thanks again to everyone for the great help!
Regards,
Nidal

--- On Tue, 5/10/11, Dmitri Pal wrote:

From: Dmitri Pal
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: freeipa-users at redhat.com
Date: Tuesday, May 10, 2011, 11:33 AM

On 05/10/2011 12:37 PM, nasir nasir wrote:

Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.
   -- Times are perfectly in sync across the network.
   -- I can ssh using IPA users from the client machine also.
   -- I can mount NFS partition on client machine when NOT using -o sec=krb5 option

So it seems to be some issue with kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled debug option in /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc)

Here is my /etc/export file,

/export  *(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

2) Regarding the kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the python version in kubuntu is 2.7 and that of RHEL I have tried is with 2.6. Could it be due to this? if so, I can try with an earlier version of kubuntu with python 2.6 and update you on this.

Thanks a lot and regards,
Nasir

There is a set of instruction for NFS setup with kerberos:
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_Clients.html#sect-Client_Configuration_Guide-Configuring_Red_Hat_Enterprise_Linux_5_as_an_IPA_Client-Configuring_NFS_v4_with_Kerberos

The instructions are a bit outdated as they reference the IPA commands from v1. In the v2 the command to add a service will be different.
I think it is "ipa service-add". Once you have a service you need to get a keytab for this service. Run ipa-getkeytab on the NFS server as admin user that has successfully run kinit on the NFS server. Also you need to make sure the krb5.conf points to the IPA server (first) otherwise the kinit will fail.

Have you done all that?

--- On Mon, 5/9/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 8:38 AM

On 05/09/2011 10:43 AM, nasir nasir wrote:

Dimitri/Adam/Stephen,

Thanks a lot for all the replies! This is a 64 bit machine. So I will try to install 32 bit and let you know the result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the nfs export I am getting the following error,

[root at abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root at abc Packages]#

But when I try to remove the kerberos authentication (i.e without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. Still it does not work. When I give weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and says that it is not supported. My /etc/export file and all the necessary commands are copy pasted from the deployment guide with only the necessary modifications to suit my values.

Please suggest me what to do.
Start off by checking the kerberos logs on both the server and client machines, in /var/log/:
  krb5kdc.log
  kadmind.log
  secure

I'm not a Kerberos Guru...bear that in mind

Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in"

The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server.

On the IPA server side, you have to create a service entry for your NFS server. Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are doing a NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the nfs client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.

Thanks indeed in advance and regards,
Nidal

--- On Mon, 5/9/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence! I tried using alien and it generated the .deb file successfully and even installed the ipa client package without any error on the client machine (Kubuntu 11.04). But when I run the ipa-client-install command, it gave the following error,

openway at dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The error was:
    No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system? It might be an arch issue. I know that Debian and RH made different choices for 32 on 64. RH/Fedora puts the Python code into /usr/lib64/python2.7/site-packages/ Debian might be looking under /usr/lib/ for Python.
Try a 32bit RPM.

openway at dl-360:~/rpm$

I even created the deb file out of ipa-python package and installed it on the kubuntu machine (without any error). Still, it's the same. Any idea?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I also configured the browsers on this server and a client Kubuntu machine as per the guide. But I can't find any doc which explains how to configure a client (kubuntu in my case) for single sign on or even accessing a service like nfs using the browser when native ipa-client package is not available. All the docs are focused on configuring client machines using ipa-client package. Is this possible? if so could anyone suggest me some guide lines or docs for the same?

Did you try installing the ipa-client rpms with Alien?

Thanks and Regards,
Nidal

--- On Mon, 5/2/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Monday, May 2, 2011, 8:03 AM

On 05/01/2011 08:49 AM, nasir nasir wrote:

Thanks for all the replies and great suggestions! I do appreciate it a lot.

Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the storage. This entire partition (or LUN) can be attached to my Authentication server (i.e FreeIPA) by using iSCSI. From the Authentication server, I am NOT looking for iSCSI to get it mounted to the individual users' machine. I think NFS/automount would do that (appreciate any suggestion on this!)
And whenever a new user is created, /home should be allocated out of this partition so that whichever machine the user is using to login later, she should be able to access the same /home specific to her regardless of the machine.

I hope it is clear to all :-)

Thanks and regards,
Nidal

> -- Centralized storage with iSCSI for /home folder for each user by means of a dedicated storage

IPA manages Automount, which is possibly what you want. Are you going to give each user their own partition that follows them around, or are you going to give them a home directory on a NAS server? I have to admit, the iSCSI home mount sounds interesting. You could probably get automount to help you out there, but at this point I think that you would need a separate key line for each user. Note that iSCSI won't help you if you want to mount the same partition on multiple clients. For this, you either need a distributed File System, or stick to NFS.

Nidal,

OK, I'd probably do something like this: After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like

  ipa-client-install --mkhomedir -p admin

Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home.

Now, create an automount location and map, and create a key for /home. The instructions from our test day should get you started:
https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Wed May 11 15:00:56 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 11 May 2011 11:00:56 -0400
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634B315@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9FF7D.3070306@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634B315@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DCAA4A8.3020909@redhat.com>

Steven Jones wrote:
> Hi,
>
> Nope looks like DNS is barfed big time.......
>
> ==============
>
> [root at vuwunicoipamt01 ~]# host vuwunicoipamt01.unix.vuw.ac.nz
> vuwunicoipamt01.unix.vuw.ac.nz has address 130.195.81.236
> [root at vuwunicoipamt01 ~]# ipa dns-resolve vuwunicoipamt01.unix.vuw.ac.nz
> ipa: ERROR: Kerberos error: No credentials cache found/
> [root at vuwunicoipamt01 ~]# ipa host-show vuwunicoipamt01.unix.vuw.ac.nz
> ipa: ERROR: Kerberos error: No credentials cache found/
> [root at vuwunicoipamt01 ~]#

You have to kinit to get a TGT in order to run the ipa command.

rob

From ayoung at redhat.com Wed May 11 15:17:06 2011
From: ayoung at redhat.com (Adam Young)
Date: Wed, 11 May 2011 11:17:06 -0400
Subject: [Freeipa-users] fatal error for ipa with dns.
In-Reply-To: <4DCAA4A8.3020909@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E400634B2D0@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400634B2F8@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC9FF7D.3070306@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634B315@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCAA4A8.3020909@redhat.com> Message-ID: <4DCAA872.6090208@redhat.com> On 05/11/2011 11:00 AM, Rob Crittenden wrote: > Steven Jones wrote: >> Hi, >> >> Nope looks like DNS is barfed big time....... >> >> ============== >> >> [root at vuwunicoipamt01 ~]# host vuwunicoipamt01.unix.vuw.ac.nz >> vuwunicoipamt01.unix.vuw.ac.nz has address 130.195.81.236 >> [root at vuwunicoipamt01 ~]# ipa dns-resolve vuwunicoipamt01.unix.vuw.ac.nz >> ipa: ERROR: Kerberos error: No credentials cache found/ >> [root at vuwunicoipamt01 ~]# ipa host-show vuwunicoipamt01.unix.vuw.ac.nz >> ipa: ERROR: Kerberos error: No credentials cache found/ >> [root at vuwunicoipamt01 ~]# > > You have to kinit to get a TGT in order to run the ipa command. > > rob Yeah, we went on IRC shortly after this. He did kinit as one user, but ran the command as another, and realized it later. 
From sigbjorn at nixtra.com Wed May 11 17:51:54 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 11 May 2011 19:51:54 +0200 (CEST) Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <1305117752.1881.13.camel@sgallagh.bos.redhat.com> References: <4DC80A5A.7020605@redhat.com> , <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> Message-ID: <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> On Wed, May 11, 2011 14:42, Stephen Gallagher wrote: > On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote: > >> Hi, >> >> >> I would like to see the ipa client scripts and possibly the admin tools >> in a nice Solaris package. This would make my job a lot easier as we have a lot of customers >> running Solaris. :) >> >> For the server part I agree with you, keep it at RHEL. >> >> >> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the >> UNIX vendors selling their iron as client machines anymore. And I don't >> see a considerable benefit in adding SSSD to servers, who will be well connected to the network >> anyway. > > > Actually, SSSD is still valuable on server systems (and is used very > often in datacenters). The reason is that it can allow a server to ride out an outage in the LDAP > and/or Kerberos server and still handle authentication and identity requests from its cache. > > We've expressed interest several times in working WITH other platforms > to help them port the SSSD, but we've received no real commitment to assisting with it. 
We have a
> lot on our plates already, so it is difficult for us to justify spending time improving our
> competitors' offerings :)
>
> Also, SSSD has additional features with FreeIPA integration that
> nss_ldap and pam_krb5 do not. Specifically, it has support for managing access-control using
> FreeIPA's host-based access control model. This is
> a very valuable piece of the puzzle and should not be ignored.

I see you're having a valid point about the outage support. This could be worked around using the "High Availability Add-on" in RHEL, sharing an IP address between your IPA servers, which you would switch to the currently active IPA server.

With regards to IPA's host-based access control: What about doing access control through using netgroups via the tcp wrappers?

You could still be configuring host based access control in IPA as it's creating transparent netgroups for the host groups.

These are all workarounds; I assume having the functionality available through the native sssd would be of an advantage. But this way you would get the mentioned extra functionality of SSSD without having to do the work of supporting your competitors' operating systems.
:) Rgds, Siggi From sgallagh at redhat.com Wed May 11 17:58:35 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 11 May 2011 13:58:35 -0400 (EDT) Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> Message-ID: <113787744.344364.1305136715465.JavaMail.root@zmail06.collab.prod.int.phx2.redhat.com> ----- Original Message ----- From: "Sigbjorn Lie" To: "Stephen Gallagher" Cc: freeipa-users at redhat.com Sent: Wednesday, May 11, 2011 1:51:54 PM Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment On Wed, May 11, 2011 14:42, Stephen Gallagher wrote: > On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote: > >> Hi, >> >> >> I would like to see the ipa client scripts and possibly the admin tools >> in a nice Solaris package. This would make my job a lot easier as we have a lot of customers >> running Solaris. :) >> >> For the server part I agree with you, keep it at RHEL. >> >> >> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the >> UNIX vendors selling their iron as client machines anymore. And I don't >> see a considerable benefit in adding SSSD to servers, who will be well connected to the network >> anyway. > > > Actually, SSSD is still valuable on server systems (and is used very > often in datacenters). The reason is that it can allow a server to ride out an outage in the LDAP > and/or Kerberos server and still handle authentication and identity requests from its cache. > > We've expressed interest several times in working WITH other platforms > to help them port the SSSD, but we've received no real commitment to assisting with it. We have a > lot on our plates already, so it is difficult for us to justify spending time improving our > competitors' offerings :) > > Also, SSSD has additional features with FreeIPA integration that > nss_ldap and pam_krb5 do not. 
Specifically, it has support for managing access-control using > FreeIPA's host-based access control model. This is > a very valuable piece of the puzzle and should not be ignored. I see you're having a valid point about the outage support. This could be worked around using the "High Availability Add-on" in RHEL, sharing an IP address between your IPA servers, which you would switch to the currently active IPA server. With regards to IPA's host-based access control: What about doing access control through using netgroups via the tcp wrappers? You could still be configuring host based access control in IPA as it's creating transparent netgroups for the host groups. These are all workarounds, I assume having the functionality available trough the native sssd would be of an advantage. But this way you would the mentioned extra functionality of SSSD without having to do the work of supporting your competitors operating systems. :) Well, HBAC is more complex than simply using netgroups and tcp_wrappers. For example, one of the planned features for an upcoming release of FreeIPA is to have HBAC rules with time restrictions (so that logins are only permitted during certain hours). Also, tcp_wrappers is very limited, since it must be synced to every client machine, whereas with SSSD the HBAC rules are maintained centrally. 
From sigbjorn at nixtra.com Wed May 11 18:12:05 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 11 May 2011 20:12:05 +0200 (CEST) Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <4DC9BB3A.6020309@redhat.com> References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <4DC9BB3A.6020309@redhat.com> Message-ID: <54209.192.168.210.177.1305137525.squirrel@www.nixtra.com> Excellent, thanks. I would add to this ticket: "Retreiving the kerberos keytab and storing in the clients's krb5.keytab", as that's my main issue, not the actual distribution of the common client configuration files. I do this with CFengine today. Is the nfs/* kerberos service required for all nfs4+krb clients? If so, that should be added to the script as well. Rgds, Siggi On Wed, May 11, 2011 00:24, Dmitri Pal wrote: > On 05/10/2011 05:42 PM, Sigbjorn Lie wrote: > >> Hi, >> >> >> I would like to see the ipa client scripts and possibly the admin >> tools in a nice Solaris package. This would make my job a lot easier as we have a lot of >> customers running Solaris. :) >> >> For the server part I agree with you, keep it at RHEL. >> >> >> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the >> UNIX vendors selling their iron as client machines anymore. And I >> don't see a considerable benefit in adding SSSD to servers, who will be well connected to the >> network anyway. 
>> > > > https://fedorahosted.org/freeipa/ticket/1214 > > > >> >> >> Rgds, >> Siggi >> >> >> >> On 05/10/2011 11:31 PM, Dmitri Pal wrote: >> >>> On 05/10/2011 05:11 PM, Steven Jones wrote: >>> >>>> Hi, >>>> >>>> >>>> There are OSS packages that can be installed into Solaris.....so I >>>> dont see why freeipa cant be ported....at least the x86 CPU version anyway. >>> I think this will be a huge undertaking. It is not that simple. And is >>> there really a value for IPA to be on Solaris? I can understand the client part but the server >>> is less important. It is a dedicated server running on BM or VM so does it really matter what >>> os it is running as long it is supported and affordable? >>> >>> We as a dev community will be open to any effort to port the whole stack >>> to some other distribution but I bet there are better uses for someones energy that we can >>> utilize to deliver better functionality to this user community. >>> >>> Client is a different issue. I tried to talk to IBM, HP and Sun a year >>> ago. They are not interested in porting SSSD to their platforms. >>> >>>> Oracle/Sun may not want to do IPA but if you had ever had the >>>> mis-fortune to try and use Oracle's IdM / OVD /OID you'd understand why few >>>> techies/ppl/businesses want it.....its bloody awful to install let alone work with or >>>> maintain....So its turns into a risky endeavour and no one sane wants that much risk in >>>> their business....let alone the 6 figure costs..........and yes Im talking over a million.... >>>> >>>> >>>> Hopefully we are getting away from the silo attitude of >>>> vendors.....Vendors might want only their products in a customer site, but realistically >>>> customers dont want that for lots of reasons, and pillaging your wallet is one of the >>>> biggest.... >>>> >>>> In our case all that happens is we wont buy Sun kit if it doesnt >>>> work the way we want to work....their loss. 
>>>> >>>> regards ________________________________________ >>>> From: freeipa-users-bounces at redhat.com >>>> [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal >>>> [dpal at redhat.com] >>>> Sent: Wednesday, 11 May 2011 8:24 a.m. >>>> To: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment >>>> >>>> >>>> On 05/10/2011 04:10 PM, Steven Jones wrote: >>>> >>>>> Hi, >>>>> >>>>> >>>>> Its quite interesting that there are no real clients for ipa >>>>> outside of RH/Fedora....this will probably do more to delay or restrict its adoption than >>>>> anything else. >>>>> >>>> Not sure what you are talking about. Any kerberos enabled service is a >>>> service and any pam_krb5/nss_ldap or SSSD enabled system can be a client. SSSD is in Debian, >>>> Ubuntu, SUSE, Fedora, RH >>>> Would be nice to have it in other OSs like Solaris and HP-UX but they >>>> have other plans. >>>> >>>>> regards >>>>> >>>>> Steven >>>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>> >>>> >>> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> > > > -- > Thank you, > Dmitri Pal > > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > From dpal at redhat.com Wed May 11 18:51:32 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 11 May 2011 14:51:32 -0400 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> References: <4DC80A5A.7020605@redhat.com> , <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> Message-ID: <4DCADAB4.2050606@redhat.com> On 05/11/2011 01:51 PM, Sigbjorn Lie wrote: > On Wed, May 11, 2011 14:42, Stephen Gallagher wrote: >> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote: >> >>> Hi, >>> >>> >>> I would like to see the ipa client scripts and possibly the admin tools >>> in a nice Solaris package. This would make my job a lot easier as we have a lot of customers >>> running Solaris. :) >>> >>> For the server part I agree with you, keep it at RHEL. >>> >>> >>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the >>> UNIX vendors selling their iron as client machines anymore. And I don't >>> see a considerable benefit in adding SSSD to servers, who will be well connected to the network >>> anyway. >> >> Actually, SSSD is still valuable on server systems (and is used very >> often in datacenters). The reason is that it can allow a server to ride out an outage in the LDAP >> and/or Kerberos server and still handle authentication and identity requests from its cache. 
>> >> We've expressed interest several times in working WITH other platforms >> to help them port the SSSD, but we've received no real commitment to assisting with it. We have a >> lot on our plates already, so it is difficult for us to justify spending time improving our >> competitors' offerings :) >> >> Also, SSSD has additional features with FreeIPA integration that >> nss_ldap and pam_krb5 do not. Specifically, it has support for managing access-control using >> FreeIPA's host-based access control model. This is >> a very valuable piece of the puzzle and should not be ignored. > > > I see you're having a valid point about the outage support. This could be worked around using the > "High Availability Add-on" in RHEL, sharing an IP address between your IPA servers, which you > would switch to the currently active IPA server. This is not enough. Think about highly distributed environments with small offices. You are not going to have the IPA server in every place. The outage might be related to the network connectivity between the data centers. Also think about cloud. We do not know yet what kind of outages or latency issues some will face in highly dynamic environments but for sure SSSDs caching would be very handy. > With regards to IPA's host-based access control: What about doing access control through using > netgroups via the tcp wrappers? > > You could still be configuring host based access control in IPA as it's creating transparent > netgroups for the host groups. Netgroups is the concept that we try to phase out. It will take quite a while but native sudo+sssd integration is one of the steps forward along this long and thorny path. > These are all workarounds, I assume having the functionality available trough the native sssd > would be of an advantage. But this way you would the mentioned extra functionality of SSSD without > having to do the work of supporting your competitors operating systems. 
:) We are all open for the competitor to take sssd and support on their OSSes. > > Rgds, > Siggi > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From dpal at redhat.com Wed May 11 18:56:38 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 11 May 2011 14:56:38 -0400 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <54209.192.168.210.177.1305137525.squirrel@www.nixtra.com> References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <4DC9BB3A.6020309@redhat.com> <54209.192.168.210.177.1305137525.squirrel@www.nixtra.com> Message-ID: <4DCADBE6.207@redhat.com> On 05/11/2011 02:12 PM, Sigbjorn Lie wrote: > Is the nfs/* kerberos service required for all nfs4+krb clients? If so, that should be added to > the script as well. > AFAIK the service is needed only on the NFS server side but the NFS client should be configured for Kerberos and be able to authenticate user and get a TGT and then a service ticket for NFS. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From JR.Aquino at citrix.com Wed May 11 19:25:02 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 11 May 2011 19:25:02 +0000 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> References: <4DC80A5A.7020605@redhat.com> , <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> Message-ID: <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com> On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote: > On Wed, May 11, 2011 14:42, Stephen Gallagher wrote: >> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote: >> >>> Hi, >>> >>> >>> I would like to see the ipa client scripts and possibly the admin tools >>> in a nice Solaris package. This would make my job a lot easier as we have a lot of customers >>> running Solaris. :) >>> >>> For the server part I agree with you, keep it at RHEL. >>> >>> >>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the >>> UNIX vendors selling their iron as client machines anymore. And I don't >>> see a considerable benefit in adding SSSD to servers, who will be well connected to the network >>> anyway. >> >> >> Actually, SSSD is still valuable on server systems (and is used very >> often in datacenters). The reason is that it can allow a server to ride out an outage in the LDAP >> and/or Kerberos server and still handle authentication and identity requests from its cache. >> >> We've expressed interest several times in working WITH other platforms >> to help them port the SSSD, but we've received no real commitment to assisting with it. 
We have a
>> lot on our plates already, so it is difficult for us to justify spending time improving our
>> competitors' offerings :)
>>
>> Also, SSSD has additional features with FreeIPA integration that
>> nss_ldap and pam_krb5 do not. Specifically, it has support for managing access-control using
>> FreeIPA's host-based access control model. This is
>> a very valuable piece of the puzzle and should not be ignored.
>
> I see you're having a valid point about the outage support. This could be worked around using the
> "High Availability Add-on" in RHEL, sharing an IP address between your IPA servers, which you
> would switch to the currently active IPA server.

Not only is there a question of high availability with regard to lookups into LDAP, but there is also a problem of scale and overhead.

nss_ldap and pam_ldap perform a lookup per iteration in many cases.

Consider, for example, 4 data centers with 100 servers each, all tied back to LDAP for uid/gid mappings and pam_ldap for authentication and authorization.

If you have a task that logs into each of these 400 servers and performs a 'sudo ls -la /home' for example, your LDAP servers are going to incur the cost of looking up each file on each server, the cost of each authentication, and the cost of performing several LDAP lookups from the sudo binary.

SSSD is not only beneficial during periods of network inaccessibility, but also crucial with regard to scale.

> With regards to IPA's host-based access control: What about doing access control through using
> netgroups via the tcp wrappers?
>
> You could still be configuring host based access control in IPA as it's creating transparent
> netgroups for the host groups.

Host based access control is currently a mess in the Linux community.

There are currently a few ways to go about it.

netgroups with
  TCP Wrappers
  Access.conf

^ This method implies that the changes in your central database must eventually be pushed to flatfile configs on the end hosts. While this works pretty well in small environments, it can fall apart and have serious scale issues when dealing with hundreds or thousands of hosts. (Yes, even when using something like Satellite or Puppet.) Consider the case of Active Directory where you scratch your head and go: "Gee, I'm SURE that I pushed that GPO, but for some reason, this set of hosts didn't get the memo."

pam_ldap + pam_check_host_attr

^ This issue has a sheer drop-off problem with scale. In this approach, you need to fill the user objects with every host that the user is permitted to login to. When the number of users/administrators grows along with the number of hosts you have, you get: n^users * n^hosts and the administrative overhead becomes overwhelming.

> These are all workarounds, I assume having the functionality available trough the native sssd
> would be of an advantage. But this way you would the mentioned extra functionality of SSSD without
> having to do the work of supporting your competitors operating systems. :)

There have been _some_ discussions surrounding a pam module that could be used as a very base level of hbac support since there are a lot of pre-required dependencies for sssd.

The advantage would be theoretical portability, and the loss would be caching.

I have personally written such a pam plugin prototype in python, and it functions just fine in Linux installations. The C code that calls the python script is not compatible with open_pam, so there is still work to be done to support the BSD / MAC solutions, but I believe it's just a matter of some syntax changes...

I hope this information helps clarify these points.
> > > Rgds, > Siggi > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From JR.Aquino at citrix.com Wed May 11 19:29:21 2011 From: JR.Aquino at citrix.com (JR Aquino) Date: Wed, 11 May 2011 19:29:21 +0000 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com> References: <4DC80A5A.7020605@redhat.com> , <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com> Message-ID: On May 11, 2011, at 12:25 PM, JR Aquino wrote: >> >> These are all workarounds, I assume having the functionality available trough the native sssd >> would be of an advantage. But this way you would the mentioned extra functionality of SSSD without >> having to do the work of supporting your competitors operating systems. :) > > There have been _some_ discussions surrounding a pam module that could be used as a very base level of hbac support since there are a lot of pre-required dependancies for sssd. > > The advantage would be theoretical portability, and the loss would be caching. > > I have personally written such a pam plugin prototype in python, and it functions just fine in linux installations. the c code that calls the python script is not compatible with open_pam, > so there is still work to be done to support the BSD / MAC solutions, but I believe its just a matter of some syntax changes... 
After closer inspection, it appears that OpenPam tries to remain compatible with Solaris, so a method for providing a non-caching, bare-bones OpenPam-compatible module would likely satisfy Solaris, MacOSX and the BSDs.

From kollathodi at yahoo.com Thu May 12 19:30:27 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Thu, 12 May 2011 12:30:27 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DC80A5A.7020605@redhat.com>
Message-ID: <176006.55176.qm@web161301.mail.bf1.yahoo.com>

Adam,

I tried to follow your recommendations with RHEL 6.1 beta on server and client machine. Centralized login and such things work. I have the NFS service too working. But automount is not working. For the time being I configured my server as NFS server and created a folder /export as a share for creating home folders. I have pam_oddjob_mkhomedir.so enabled in pam files for autocreation of home folders. Now I can manually mount the /export nfs share on the server and the client successfully. But when I do that on the server for testing and try to login as a new user (e.g. abc), it is not creating the home folder. It gives the following error:

oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted

I have given 777 for my /export and rw permission in /etc/export. Output of the command ipa automountlocation-tofiles default:

/etc/auto.master:
/-	/etc/auto.direct
/share	/etc/auto.share
/home	/etc/auto.home
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
---------------------------
/etc/auto.home:
*	-rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&

I tried reading many docs (RHEL deployment guide, google, FreeIPA doc etc). The problem is that they are confusing and conflicting in many cases. Please advise me how to proceed.

Thanks and Regards,
Nidal

Nidal,

OK, I'd probably do something like this:
After installing IPA, add one host as an IPA client with the following switch: --mkhomedir, something like ipa-client-install --mkhomedir -p admin. Then, mount the directory that you are going to use as /home on that machine. Once you create users in IPA, the first time you log in as that user, do so from that client, and it will attempt to create the home directory for you. This should be the only machine that has permissions to create directories under /home. Now, create an automount location and map, and create a key for /home. The instructions from our test day should get you started: https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

From sigbjorn at nixtra.com Thu May 12 20:25:10 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 12 May 2011 22:25:10 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com>
References: <4DC80A5A.7020605@redhat.com> , <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com>
Message-ID: <4DCC4226.40707@nixtra.com>

On 05/11/2011 09:25 PM, JR Aquino wrote:
> On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote:
>
>> On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
>>> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
>>>
>>>> Hi,
>>>>
>>>>
>>>> I would like to see the ipa client scripts and possibly the admin tools
>>>> in a nice Solaris package. This would make my job a lot easier as we have a lot of customers
>>>> running Solaris.
:) >>>> >>>> For the server part I agree with you, keep it at RHEL. >>>> >>>> >>>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the >>>> UNIX vendors selling their iron as client machines anymore. And I don't >>>> see a considerable benefit in adding SSSD to servers, who will be well connected to the network >>>> anyway. >>> >>> Actually, SSSD is still valuable on server systems (and is used very >>> often in datacenters). The reason is that it can allow a server to ride out an outage in the LDAP >>> and/or Kerberos server and still handle authentication and identity requests from its cache. >>> >>> We've expressed interest several times in working WITH other platforms >>> to help them port the SSSD, but we've received no real commitment to assisting with it. We have a >>> lot on our plates already, so it is difficult for us to justify spending time improving our >>> competitors' offerings :) >>> >>> Also, SSSD has additional features with FreeIPA integration that >>> nss_ldap and pam_krb5 do not. Specifically, it has support for managing access-control using >>> FreeIPA's host-based access control model. This is >>> a very valuable piece of the puzzle and should not be ignored. >> >> >> I see you're having a valid point about the outage support. This could be worked around using the >> "High Availability Add-on" in RHEL, sharing an IP address between your IPA servers, which you >> would switch to the currently active IPA server. > Not only is there a question of high availability with regard to lookups into ldap. But there is also a problem of scale and overhead. > > nss_ldap and pam_ldap perform a lookup per iteration in many cases. > > Consider for example. 4 data centers with 100 servers each, all tied back to ldap for uid/gid mappings and pam_ldap for authentication and authorization. 
> > If you have a task that logs into each of these 400 servers and performs a 'sudo ls -la /home' for example, > your ldap servers are going to incur the cost of looking up each file on each server, the cost of each authentication, and the cost of performing several ldap lookups from the sudo binary. > > SSSD is not only beneficial during periods of network inaccessibility, but also crucial with regard to scale. > >> With regards to IPA's host-based access control: What about doing access control through using >> netgroups via the tcp wrappers? >> >> You could still be configuring host based access control in IPA as it's creating transparent >> netgroups for the host groups. > Host based access control is currently a mess in the Linux Community. > > There are currently a few ways to go about it. > > netgroups with > TCP Wrappers > Access.conf > > ^ This method implies that the changes in your central database must eventually be pushed to flatfile configs on the end hosts. > While this works pretty well in small environments, it can fall apart and have serious scale issues when dealing with hundreds or thousands of hosts. > (Yes, even when using something like Satellite or Puppet) > Consider the case of Active Directory where you scratch your head and go: "Gee, I'm SURE that i pushed that GPO, but for some reason, this set of hosts didn't get the memo" > > pam_ldap + pam_check_host_attr > > ^ This issue has a sheer drop off problem with scale. In this approach, you need to fill the user objects with every host that the user is permitted to login to. > When the number of users/administrators grow along with the number of hosts you have, you get: n^users * n^hosts and the administrative overhead becomes overwhelming. > >> These are all workarounds, I assume having the functionality available trough the native sssd >> would be of an advantage. 
But this way you would the mentioned extra functionality of SSSD without >> having to do the work of supporting your competitors operating systems. :) > There have been _some_ discussions surrounding a pam module that could be used as a very base level of hbac support since there are a lot of pre-required dependancies for sssd. > > The advantage would be theoretical portability, and the loss would be caching. > > I have personally written such a pam plugin prototype in python, and it functions just fine in linux installations. the c code that calls the python script is not compatible with open_pam, > so there is still work to be done to support the BSD / MAC solutions, but I believe its just a matter of some syntax changes... > > I hope this information helps clarify these points. > I wasen't going at SSSD for not being usable. I was trying to make a suggestion for a alternative solution for using IPA with *nix OS' that does not currently have SSSD. I do agree that the host access controls in SSSD would be of great benefit to any server. This is not a part of IPA I've not spent a lot of time testing....yet....and I did not think about it before sending my email. Back to the discussion, wouldn't nscd be able to cope with some of the caching for ldap passwd,group, etc lookups? Not providing an offline identity like SSSD would, but enough for the folder listings example you provided. You could also extend the High Availability configuration I mentioned earlier with 1 high-available IP per IPA host, and serve them in a round robin DNS. This would distribute the load of the LDAP server in IPA, and provide high availability in case of a IPA server becoming unavailable. The way I see it for our customers; when it comes to IPA integration as-it-is-today, an ipa-client-install script for other *nix that would configure kerberos, ldap client, and retrieves the host's keytab from the IPA server would make a great improvement for IPA. Then the SSSD could come at a later point. 
What I see as one of the selling points of IPA over any "*nix client for Active Directory", is the ability to use the operating system built in tools. Rgds, Siggi From rcritten at redhat.com Thu May 12 21:31:38 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 12 May 2011 17:31:38 -0400 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <4DCC4226.40707@nixtra.com> References: <4DC80A5A.7020605@redhat.com> , <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com> <4DCC4226.40707@nixtra.com> Message-ID: <4DCC51BA.8080508@redhat.com> Sigbjorn Lie wrote: > On 05/11/2011 09:25 PM, JR Aquino wrote: >> On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote: >> >>> On Wed, May 11, 2011 14:42, Stephen Gallagher wrote: >>>> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote: >>>> >>>>> Hi, >>>>> >>>>> >>>>> I would like to see the ipa client scripts and possibly the admin >>>>> tools >>>>> in a nice Solaris package. This would make my job a lot easier as >>>>> we have a lot of customers >>>>> running Solaris. :) >>>>> >>>>> For the server part I agree with you, keep it at RHEL. >>>>> >>>>> >>>>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the >>>>> UNIX vendors selling their iron as client machines anymore. And I >>>>> don't >>>>> see a considerable benefit in adding SSSD to servers, who will be >>>>> well connected to the network >>>>> anyway. >>>> >>>> Actually, SSSD is still valuable on server systems (and is used very >>>> often in datacenters). 
The reason is that it can allow a server to >>>> ride out an outage in the LDAP >>>> and/or Kerberos server and still handle authentication and identity >>>> requests from its cache. >>>> >>>> We've expressed interest several times in working WITH other platforms >>>> to help them port the SSSD, but we've received no real commitment to >>>> assisting with it. We have a >>>> lot on our plates already, so it is difficult for us to justify >>>> spending time improving our >>>> competitors' offerings :) >>>> >>>> Also, SSSD has additional features with FreeIPA integration that >>>> nss_ldap and pam_krb5 do not. Specifically, it has support for >>>> managing access-control using >>>> FreeIPA's host-based access control model. This is >>>> a very valuable piece of the puzzle and should not be ignored. >>> >>> >>> I see you're having a valid point about the outage support. This >>> could be worked around using the >>> "High Availability Add-on" in RHEL, sharing an IP address between >>> your IPA servers, which you >>> would switch to the currently active IPA server. >> Not only is there a question of high availability with regard to >> lookups into ldap. But there is also a problem of scale and overhead. >> >> nss_ldap and pam_ldap perform a lookup per iteration in many cases. >> >> Consider for example. 4 data centers with 100 servers each, all tied >> back to ldap for uid/gid mappings and pam_ldap for authentication and >> authorization. >> >> If you have a task that logs into each of these 400 servers and >> performs a 'sudo ls -la /home' for example, >> your ldap servers are going to incur the cost of looking up each file >> on each server, the cost of each authentication, and the cost of >> performing several ldap lookups from the sudo binary. >> >> SSSD is not only beneficial during periods of network inaccessibility, >> but also crucial with regard to scale. 
>> >>> With regards to IPA's host-based access control: What about doing >>> access control through using >>> netgroups via the tcp wrappers? >>> >>> You could still be configuring host based access control in IPA as >>> it's creating transparent >>> netgroups for the host groups. >> Host based access control is currently a mess in the Linux Community. >> >> There are currently a few ways to go about it. >> >> netgroups with >> TCP Wrappers >> Access.conf >> >> ^ This method implies that the changes in your central database must >> eventually be pushed to flatfile configs on the end hosts. >> While this works pretty well in small environments, it can fall apart >> and have serious scale issues when dealing with hundreds or thousands >> of hosts. >> (Yes, even when using something like Satellite or Puppet) >> Consider the case of Active Directory where you scratch your head and >> go: "Gee, I'm SURE that i pushed that GPO, but for some reason, this >> set of hosts didn't get the memo" >> >> pam_ldap + pam_check_host_attr >> >> ^ This issue has a sheer drop off problem with scale. In this >> approach, you need to fill the user objects with every host that the >> user is permitted to login to. >> When the number of users/administrators grow along with the number of >> hosts you have, you get: n^users * n^hosts and the administrative >> overhead becomes overwhelming. >> >>> These are all workarounds, I assume having the functionality >>> available trough the native sssd >>> would be of an advantage. But this way you would the mentioned extra >>> functionality of SSSD without >>> having to do the work of supporting your competitors operating >>> systems. :) >> There have been _some_ discussions surrounding a pam module that could >> be used as a very base level of hbac support since there are a lot of >> pre-required dependancies for sssd. >> >> The advantage would be theoretical portability, and the loss would be >> caching. 
>> >> I have personally written such a pam plugin prototype in python, and >> it functions just fine in linux installations. the c code that calls >> the python script is not compatible with open_pam, >> so there is still work to be done to support the BSD / MAC solutions, >> but I believe its just a matter of some syntax changes... >> >> I hope this information helps clarify these points. >> > > I wasen't going at SSSD for not being usable. I was trying to make a > suggestion for a alternative solution for using IPA with *nix OS' that > does not currently have SSSD. > > I do agree that the host access controls in SSSD would be of great > benefit to any server. This is not a part of IPA I've not spent a lot of > time testing....yet....and I did not think about it before sending my > email. > > Back to the discussion, wouldn't nscd be able to cope with some of the > caching for ldap passwd,group, etc lookups? Not providing an offline > identity like SSSD would, but enough for the folder listings example you > provided. > > You could also extend the High Availability configuration I mentioned > earlier with 1 high-available IP per IPA host, and serve them in a round > robin DNS. This would distribute the load of the LDAP server in IPA, and > provide high availability in case of a IPA server becoming unavailable. > > The way I see it for our customers; when it comes to IPA integration > as-it-is-today, an ipa-client-install script for other *nix that would > configure kerberos, ldap client, and retrieves the host's keytab from > the IPA server would make a great improvement for IPA. Then the SSSD > could come at a later point. The tricky bit is having all the required libraries. These other *nix operating systems tend not to have the things we need by default. Things are slightly better with Solaris 10 which ships with a slew of open source libraries (all old). 
> What I see as one of the selling points of IPA over any "*nix client for
> Active Directory", is the ability to use the operating system built-in
> tools.

That's the idea of nss_ldap, etc. The trouble has been layering our other tools on top (ipa-getkeytab, ipa-join, etc.). I did manage to hack both to work on Solaris 10 a couple of years ago and remember nothing but pain, and the output would have been miserable to package. Certainly in the realm of possibility, but it represents a fair chunk of work. And that's just one Solaris release!

regards

rob

From rcritten at redhat.com Thu May 12 21:32:15 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 12 May 2011 17:32:15 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <176006.55176.qm@web161301.mail.bf1.yahoo.com>
References: <176006.55176.qm@web161301.mail.bf1.yahoo.com>
Message-ID: <4DCC51DF.6080507@redhat.com>

nasir nasir wrote:
> Adam,
>
> I tried to follow your recommendations with RHEL 6.1 beta on server and
> client machine. Centralized login and such things work. I have NFS
> service too working. But automount is not working. For the time being I
> configured my server as NFS server and created a folder /export as a
> share for creating home folders. I have pam_oddjob_mkhomedir.so enabled
> in pam files for autocreation of home folders. Now I can manually mount
> the /export nfs share on the server and the client successfully. But
> when I do that on server for testing and try to login as a new user (e.g.
> abc), it is not creating the home folder. It gives the following error:
>
> oddjob-mkhomedir[16401]: error setting permissions on /home/abc:
> Operation not permitted
>
> I have given 777 for my /export and rw permission in /etc/export. Output
> of the command ipa automountlocation-tofiles default:
>
> /etc/auto.master:
> /-       /etc/auto.direct
> /share   /etc/auto.share
> /home    /etc/auto.home
> ---------------------------
> /etc/auto.direct:
> ---------------------------
> /etc/auto.share:
> ---------------------------
> /etc/auto.home:
> *        -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&
>
> I tried reading many docs (RHEL deployment guide, google, FreeIPA doc
> etc). The problem is that they are confusing and conflicting in many cases.
>
> Please advise me how to proceed.

I'd start with system error logs: /var/log/messages, /var/log/secure, /var/log/audit/audit.log

rob

>
> Thanks and Regards,
> Nidal
>
>>>> Nidal,
>>>>
>>>> OK, I'd probably do something like this: After
>>>> install IPA, add one host as an IPA client with the
>>>> following switch: --mkhomedir, something like
>>>> ipa-client-install --mkhomedir -p admin. Then, mount
>>>> the directory that you are going to use as /home on
>>>> that machine. Once you create users in IPA, the
>>>> first time you log in as that user, do so from that
>>>> client, and it will attempt to create the home
>>>> directory for you. This should be the only machine
>>>> that has permissions to create directories under
>>>> /home.
Now, create an automount location and map, >>>> and create a key for /home >>>> >>>> The instructions from our test day should get you >>>> started: >>>> >>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount >>>> >>>> >>> >> > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Thu May 12 21:35:56 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 12 May 2011 21:35:56 +0000 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <4DCC4226.40707@nixtra.com> References: <4DC80A5A.7020605@redhat.com> , <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com>, <4DCC4226.40707@nixtra.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400634D26B@STAWINCOX10MBX1.staff.vuw.ac.nz> 8><-------- ============ What I see as one of the selling points of IPA over any "*nix client for Active Directory", is the ability to use the operating system built in tools. 
============

Indeed.....what makes my nether regions churn is installing something from Likewise or Quest which does nasties to the guts of RHEL/Linux and then Red Hat won't/can't support it, not to mention the crazy cost.....indeed even if I have a connection to AD, MS won't support it either, our Windows admins won't/can't and are in fact dangerous anywhere near Linux......but of course our MS-biased architect loves it because it's a MS solution, and on the other side our BSD/Linux ppl want a single password functionality (AD<-->unix); they don't care if it's supportable just as long as their lives are easy and they have someone to beat when it breaks....I'm determined it won't be me....getting a bit sick of that, hence something like IPA fits so well...if the password sync breaks everything else should carry on.....it's one single point to fault find on, and I have one vendor not 3 and some of 5000 odd intermediate faults that there is no time to work on as there is just me.....

regards

From Steven.Jones at vuw.ac.nz Thu May 12 21:37:39 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 12 May 2011 21:37:39 +0000
Subject: [Freeipa-users] fatal error for ipa rhel 5.6 client
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634D286@STAWINCOX10MBX1.staff.vuw.ac.nz>

Any ideas with this please?

[root@vuwunicoadmint2 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01 --domain unix.vuw.ac.nz -p admin
Discovery was successful!
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
Password for admin@UNIX.VUW.AC.NZ:
Joining realm failed: HTTP response code is 301, not 200
[root@vuwunicoadmint2 ~]#

I'm getting this from a client.

From simo at redhat.com Thu May 12 21:44:19 2011
From: simo at redhat.com (Simo Sorce)
Date: Thu, 12 May 2011 17:44:19 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DCC4226.40707@nixtra.com>
References: <4DC80A5A.7020605@redhat.com>, <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com> <4DCC4226.40707@nixtra.com>
Message-ID: <1305236659.2756.7.camel@willson.li.ssimo.org>

On Thu, 2011-05-12 at 22:25 +0200, Sigbjorn Lie wrote:
> You could also extend the High Availability configuration I mentioned
> earlier with 1 high-available IP per IPA host, and serve them in a
> round robin DNS. This would distribute the load of the LDAP server in
> IPA, and provide high availability in case of an IPA server becoming
> unavailable.

Not as easy. With Kerberos, names have to be matched by keytabs. So if you use an alias you also have to create a keytab for that alias and distribute it on all machines (at the very least). Then you have to hope all server software is able to cope with using the key that matches the current authentication attempt (I know for a fact many services do not cope yet, and I have opened bugs for some).

SSSD does automatically reconnect to another of the available IPA servers, btw, so another plus for SSSD :)

That said, we have configuration instructions for other platforms; I am sure the community can hack up scripts to use them if instructions are not enough.
We can also host them if someone wants to contribute. Simo. -- Simo Sorce * Red Hat, Inc * New York From sigbjorn at nixtra.com Thu May 12 22:13:22 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Fri, 13 May 2011 00:13:22 +0200 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <1305236659.2756.7.camel@willson.li.ssimo.org> References: <4DC80A5A.7020605@redhat.com> , <373596.88089.qm@web161317.mail.bf1.yahoo.com> <833D8E48405E064EBC54C84EC6B36E400634A9F4@STAWINCOX10MBX1.staff.vuw.ac.nz> , <4DC99F15.5080900@redhat.com> <833D8E48405E064EBC54C84EC6B36E400634AA71@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DC9AE9F.1060508@redhat.com> <4DC9B14C.9000003@nixtra.com> <1305117752.1881.13.camel@sgallagh.bos.redhat.com> <48658.192.168.210.177.1305136314.squirrel@www.nixtra.com> <1A553EC3-FD89-4302-B292-986D5481EED8@citrixonline.com> <4DCC4226.40707@nixtra.com> <1305236659.2756.7.camel@willson.li.ssimo.org> Message-ID: <4DCC5B82.2060809@nixtra.com> > That said we have configuration instructions for other platforms, I am > sure the community can hack-up scripts to use them if instructions are > not enough. We can also host them if someone wants to contribute. Ok. Let's say I've pre-created the host on the IPA server. I'm logged on to the Solaris/AIX/etc, machine I'm joining to IPA, I've configured krb and the ldap client. (And possibly tcp wrappers, sshd_config, etc for host (netgroup) based access control). That's the easy part done. Can I somehow retrieve the keytab for this machine, at the machine itself? Rgds, Siggi From kollathodi at yahoo.com Fri May 13 02:02:27 2011 From: kollathodi at yahoo.com (nasir nasir) Date: Thu, 12 May 2011 19:02:27 -0700 (PDT) Subject: [Freeipa-users] FreeIPA for Linux desktop deployment Message-ID: <557274.78491.qm@web161316.mail.bf1.yahoo.com> Thanks for the reply Rob ! I had tried with all the log files you mentioned and had kept most of them in debug mode. Tried again now. 
The only error or clue I could see was the following, which I already mentioned in my previous mail:

oddjob-mkhomedir[17823]: error setting permissions on /home/nasir: Operation not permitted

I don't think it is a problem due to autofs as this is the error I am getting while trying to login after MANUALLY MOUNTING this partition also! There is some permission blocking oddjob from creating the home folder on the fly. I can't see any debug option for /etc/oddjobd.conf file to go further.

Please help.

Thanks and regards,
Nidal

--- On Thu, 5/12/11, Rob Crittenden wrote:

> From: Rob Crittenden
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Cc: "Adam Young", freeipa-users at redhat.com
> Date: Thursday, May 12, 2011, 2:32 PM
> nasir nasir wrote:
> > Adam,
> >
> > I tried to follow your recommendations with RHEL 6.1 beta on server and
> > client machine. Centralized login and such things work. I have NFS
> > service too working. But automount is not working. For the time being I
> > configured my server as NFS server and created a folder /export as a
> > share for creating home folders. I have pam_oddjob_mkhomedir.so enabled
> > in pam files for autocreation of home folders. Now I can manually mount
> > the /export nfs share on the server and the client successfully. But
> > when I do that on server for testing and try to login as a new user (e.g.
> > abc), it is not creating the home folder. It gives the following error:
> >
> > oddjob-mkhomedir[16401]: error setting permissions on /home/abc:
> > Operation not permitted
> >
> > I have given 777 for my /export and rw permission in /etc/export. Output
> > of the command ipa automountlocation-tofiles default:
> >
> > /etc/auto.master:
> > /-       /etc/auto.direct
> > /share   /etc/auto.share
> > /home    /etc/auto.home
> > ---------------------------
> > /etc/auto.direct:
> > ---------------------------
> > /etc/auto.share:
> > ---------------------------
> > /etc/auto.home:
> > *        -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&
> >
> > I tried reading many docs (RHEL deployment guide, google, FreeIPA doc
> > etc). The problem is that they are confusing and conflicting in many cases.
> >
> > Please advise me how to proceed.
>
> I'd start with system error logs: /var/log/messages, /var/log/secure,
> /var/log/audit/audit.log
>
> rob
>
> > Thanks and Regards,
> > Nidal
> >
> >>>> Nidal,
> >>>>
> >>>> OK, I'd probably do something like this: After
> >>>> install IPA, add one host as an IPA client with the
> >>>> following switch: --mkhomedir, something like
> >>>> ipa-client-install --mkhomedir -p admin. Then, mount
> >>>> the directory that you are going to use as /home on
> >>>> that machine. Once you create users in IPA, the
> >>>> first time you log in as that user, do so from that
> >>>> client, and it will attempt to create the home
> >>>> directory for you. This should be the only machine
> >>>> that has permissions to create directories under
> >>>> /home. Now, create an automount location and map,
> >>>> and create a key for /home
> >>>>
> >>>> The instructions from our test day should get you
> >>>> started:
> >>>>
> >>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

From Steven.Jones at vuw.ac.nz Fri May 13 02:36:14 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 13 May 2011 02:36:14 +0000
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <557274.78491.qm@web161316.mail.bf1.yahoo.com>
References: <557274.78491.qm@web161316.mail.bf1.yahoo.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400634F1D0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Kind of a wild shot, but what mode is SELinux in? I find if it's enforcing all sorts of things pop up not working on occasion....

regards

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of nasir nasir [kollathodi at yahoo.com]
Sent: Friday, 13 May 2011 2:02 p.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

Thanks for the reply Rob !

I had tried with all the log files you mentioned and had kept most of them in debug mode. Tried again now. The only error or clue I could see was the following, which I already mentioned in my previous mail:

oddjob-mkhomedir[17823]: error setting permissions on /home/nasir: Operation not permitted

I don't think it is a problem due to autofs as this is the error I am getting while trying to login after MANUALLY MOUNTING this partition also! There is some permission blocking oddjob from creating the home folder on the fly. I can't see any debug option for /etc/oddjobd.conf file to go further. Please help.
Thanks and regards, Nidal --- On Thu, 5/12/11, Rob Crittenden wrote: > From: Rob Crittenden > Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment > To: "nasir nasir" > Cc: "Adam Young" , freeipa-users at redhat.com > Date: Thursday, May 12, 2011, 2:32 PM > nasir nasir wrote: > > Adam, > > > > I tried to follow your recommendations with RHEL 6.1 > beta on server and > > client machine. Centralized login and such things > work. I have NFS > > service too working. But automount is not working. For > the time being I > > configured my server as NFS server and created a > folder /export as a > > share for creating home folder. I have > *pam_oddjob_mkhomedir.so *enabled > > in pam files for autocreation of home folders. Now I > can manually mount > > the /export nfs share on the server and the client > successfully. But > > when I do that on server for testing and try to login > as a new user(e.g > > abc), it is not creating home folder. It gives the > following error, > > > > *oddjob-mkhomedir[16401]: error setting permissions on > /home/abc: > > Operation not permitted* > > > > I have given 777 for my /export and rw permission in > /etc/export. Output > > of the command *ipa automountlocation-tofiles > default*. > > > > * > > * > > */etc/auto.master:* > > */- /etc/auto.direct* > > */share /etc/auto.share* > > */home /etc/auto.home* > > *---------------------------* > > */etc/auto.direct:* > > *---------------------------* > > */etc/auto.share:* > > *---------------------------* > > */etc/auto.home:* > > ** -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 > > openipa.cohort.org:/export/home/&* > > * * > > I tried reading many docs(RHEL deployment guide, > google, FreeIPA doc > > etc). The problem is that they are confusing and > conflicting in many cases. > > > > Please advice me how to proceed. 
> > I'd start with system error logs: /var/log/messages, > /var/log/secure, > /var/log/audit/audit.log > > rob > > > > > Thanks and Regards, > > Nidal > > > >>>> > >>>> > Nidal, > >>>> > >>>> > OK, I'd probably do something like > this: After > >>>> > install IPA, add one host as an IPA > client with the > >>>> > following switch: --mkhomedir,, > something like > >>>> > ipa-client-install --mkhomedir -p > admin. Then, mount > >>>> > the directory that you are going to > use a /home on > >>>> > that machine. Once you create users > in IPA, the > >>>> > first time you log in as that user, > do so from that > >>>> > client, and it will attempt to > create the home > >>>> > directory for you. This should be > the only machine > >>>> > that has permissions to create > directories under > >>>> > /home. Now, create an automount > location and map, > >>>> > and create a key for /home > >>>> > >>>> > The instructions from our test day > should get you > >>>> > started: > >>>> > >>>> > https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount > >>>> > >>>> > >>> > >> > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > From kollathodi at yahoo.com Fri May 13 02:41:04 2011 From: kollathodi at yahoo.com (nasir nasir) Date: Thu, 12 May 2011 19:41:04 -0700 (PDT) Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634F1D0@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <632301.33623.qm@web161317.mail.bf1.yahoo.com> Thanks for the reply! Selinux is disabled! 
Actually disabling selinux is "mandatory post-installation" step for me :-) Thanks and regards,Nasir --- On Thu, 5/12/11, Steven Jones wrote: From: Steven Jones Subject: RE: [Freeipa-users] FreeIPA for Linux desktop deployment To: "nasir nasir" , "Rob Crittenden" Cc: "freeipa-users at redhat.com" Date: Thursday, May 12, 2011, 7:36 PM Hi, Kind of a wild shot, but what mode is selinux in? I find if its enforcing all sorts of things pop up not working on occasion.... regards ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of nasir nasir [kollathodi at yahoo.com] Sent: Friday, 13 May 2011 2:02 p.m. To: Rob Crittenden Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment Thanks for the reply Rob ! I had tried with all the log files you mentioned and had kept most of them in debug mode. Tried again now. The only error or clue I could see was the following I already mentioned in my previous mail, oddjob-mkhomedir[17823]: error setting permissions on /home/nasir: Operation not permitted I don't think it is a problem due to autofs as this is the error when I am getting while trying to login after MANUALLY MOUTING this partition also! There is some permission blocking oddjob from creating the home folder on the fly. I can't see any debug option for /etc/oddjobd.conf file to go further. Please help. Thanks and regards, Nidal --- On Thu, 5/12/11, Rob Crittenden wrote: > From: Rob Crittenden > Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment > To: "nasir nasir" > Cc: "Adam Young" , freeipa-users at redhat.com > Date: Thursday, May 12, 2011, 2:32 PM > nasir nasir wrote: > > Adam, > > > > I tried to follow your recommendations with RHEL 6.1 > beta on server and > > client machine. Centralized login and such things > work. I have NFS > > service too working. But automount is not working. 
> > For the time being I configured my server as NFS server and created a
> > folder /export as a share for creating home folder. I have
> > *pam_oddjob_mkhomedir.so* enabled in pam files for autocreation of home
> > folders. Now I can manually mount the /export nfs share on the server
> > and the client successfully. But when I do that on server for testing
> > and try to login as a new user (e.g abc), it is not creating home folder.
> > It gives the following error,
> >
> > *oddjob-mkhomedir[16401]: error setting permissions on /home/abc:
> > Operation not permitted*
> >
> > I have given 777 for my /export and rw permission in /etc/export. Output
> > of the command *ipa automountlocation-tofiles default*.
> >
> > */etc/auto.master:*
> > */- /etc/auto.direct*
> > */share /etc/auto.share*
> > */home /etc/auto.home*
> > *---------------------------*
> > */etc/auto.direct:*
> > *---------------------------*
> > */etc/auto.share:*
> > *---------------------------*
> > */etc/auto.home:*
> > ** -rw,nfs4,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&*
> >
> > I tried reading many docs (RHEL deployment guide, google, FreeIPA doc
> > etc). The problem is that they are confusing and conflicting in many cases.
> >
> > Please advise me how to proceed.
>
> I'd start with system error logs: /var/log/messages, /var/log/secure,
> /var/log/audit/audit.log
>
> rob
>
> > Thanks and Regards,
> > Nidal
> >
> >>>> Nidal,
> >>>>
> >>>> OK, I'd probably do something like this: After
> >>>> install IPA, add one host as an IPA client with the
> >>>> following switch: --mkhomedir, something like
> >>>> ipa-client-install --mkhomedir -p admin. Then, mount
> >>>> the directory that you are going to use a /home on
> >>>> that machine. Once you create users in IPA, the
> >>>> first time you log in as that user, do so from that
> >>>> client, and it will attempt to create the home
> >>>> directory for you. This should be the only machine
> >>>> that has permissions to create directories under
> >>>> /home. Now, create an automount location and map,
> >>>> and create a key for /home
> >>>>
> >>>> The instructions from our test day should get you
> >>>> started:
> >>>>
> >>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount

From Steven.Jones at vuw.ac.nz Fri May 13 03:56:50 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 13 May 2011 03:56:50 +0000
Subject: [Freeipa-users] RHEL client to IPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz>

Still having problems with getting a 5.6 client to 6.1beta master server...

[root at vuwunicologint2 x86_64]# rpm -q ipa-client
ipa-client-2.0-11
[root at vuwunicologint2 x86_64]#
[root at vuwunicologint2 x86_64]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -p admin
Discovery was successful!
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
Password for admin at UNIX.VUW.AC.NZ:
kinit(v5): Password incorrect while getting initial credentials

As far as I recall the password is correct....but it no longer works, but it's fine to kinit on the master though...

[root at vuwunicologint2 x86_64]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
[root at vuwunicologint2 x86_64]# amn klist
-bash: amn: command not found
[root at vuwunicologint2 x86_64]# man klist
[root at vuwunicologint2 x86_64]# kinit admin
Password for admin at UNIX.VUW.AC.NZ:
kinit(v5): Password incorrect while getting initial credentials
[root at vuwunicologint2 x86_64]# rpm -q ipa-client
ipa-client-2.0-11
[root at vuwunicologint2 x86_64]#

From Steven.Jones at vuw.ac.nz Fri May 13 04:00:35 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 13 May 2011 04:00:35 +0000
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz>

Building the keytab simply fails to populate it correctly....
============
[root at vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin
Keytab successfully retrieved and stored in: /tmp/vuwnicologint2.keytab
[root at vuwunicoipamt01 etc]# klist -kt /tmp/vuwnicologint2.keytab
Keytab name: WRFILE:/tmp/vuwnicologint2.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   6 05/13/11 15:58:34 admin at UNIX.VUW.AC.NZ
   6 05/13/11 15:58:34 admin at UNIX.VUW.AC.NZ
   6 05/13/11 15:58:35 admin at UNIX.VUW.AC.NZ
   6 05/13/11 15:58:35 admin at UNIX.VUW.AC.NZ
   7 05/13/11 15:59:20 admin at UNIX.VUW.AC.NZ
   7 05/13/11 15:59:20 admin at UNIX.VUW.AC.NZ
   7 05/13/11 15:59:21 admin at UNIX.VUW.AC.NZ
   7 05/13/11 15:59:21 admin at UNIX.VUW.AC.NZ
[root at vuwunicoipamt01 etc]#
===================
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 13 May 2011 3:56 p.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] RHEL client to IPA

Still having problems with getting a 5.6 client to 6.1beta master server...

[root at vuwunicologint2 x86_64]# rpm -q ipa-client
ipa-client-2.0-11
[root at vuwunicologint2 x86_64]#
[root at vuwunicologint2 x86_64]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -p admin
Discovery was successful!
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
Password for admin at UNIX.VUW.AC.NZ:
kinit(v5): Password incorrect while getting initial credentials

As far as I recall the password is correct....but it no longer works, but it's fine to kinit on the master though...

[root at vuwunicologint2 x86_64]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin at UNIX.VUW.AC.NZ
[root at vuwunicologint2 x86_64]# amn klist
-bash: amn: command not found
[root at vuwunicologint2 x86_64]# man klist
[root at vuwunicologint2 x86_64]# kinit admin
Password for admin at UNIX.VUW.AC.NZ:
kinit(v5): Password incorrect while getting initial credentials
[root at vuwunicologint2 x86_64]# rpm -q ipa-client
ipa-client-2.0-11
[root at vuwunicologint2 x86_64]#

From jhrozek at redhat.com Fri May 13 09:11:28 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 13 May 2011 11:11:28 +0200
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DCCF5C0.4030708@redhat.com>

On 05/13/2011 06:00 AM, Steven Jones wrote:
> [root at vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin

The second -p overrides the first.

From shelltoesuperstar at gmail.com Fri May 13 10:11:35 2011
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Fri, 13 May 2011 11:11:35 +0100
Subject: [Freeipa-users] /var/log/dirsrv/slapd-* permissions
Message-ID:

Hi

First time posting on the mailing list so go easy on me :-)

I've installed freeipa on our network and noticed that no real user owns the folders /var/log/dirsrv/slapd-PKI-IPA and /var/log/dirsrv/slapd-TEST-NET. Isn't this going to cause logrotate errors? I have a feeling this came about because I installed freeipa then had to uninstall it, then re-installed it again and the UID and GID's I'm seeing may have been the previous pkisrv and dirsrv users/groups. If this is true can I just manually chown the directories and if so what permissions should I set?

Thanks
Charlie
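Picking up the ipa-getkeytab exchange above (Steven's keytab listings and Jakub's note that the second -p wins): the script below is an added example, not code from this thread or from FreeIPA. It parses `klist -kt` output and reports the two things that went wrong there: the keytab holds a plain user principal (admin) instead of the client's host/ principal, and that principal appears at several KVNOs, meaning its key was regenerated on each run. The client name and realm are the ones in the thread; the sample listings are constructed from Steven's output, written with a real `@` where the list archive prints ` at `, and shortened to two entries per KVNO. The function names are mine.

```python
"""Audit a host keytab listing from `klist -kt` (added example, not code from
this thread or from FreeIPA).  The list archive renders '@' as ' at '; the
constructed samples below use the real '@'."""
import re
from collections import defaultdict

# Constructed sample: Steven's /etc/krb5.keytab listing from the thread,
# shortened to two entries per KVNO (klist prints one per encryption type).
SAMPLE_BAD_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/13/11 12:01:09 admin@UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin@UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin@UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin@UNIX.VUW.AC.NZ
"""

# Constructed sample of what a freshly enrolled client's keytab should hold.
SAMPLE_GOOD_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/13/11 16:10:02 host/vuwunicologint2.unix.vuw.ac.nz@UNIX.VUW.AC.NZ
   1 05/13/11 16:10:02 host/vuwunicologint2.unix.vuw.ac.nz@UNIX.VUW.AC.NZ
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -kt` output; header lines
    never match because KVNO must be numeric and the principal needs an '@'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3)))
    return entries


def audit_keytab(text, client_fqdn, realm):
    """Check that the keytab carries the client's own host principal and
    nothing else.  Returns {'principals': {principal: [kvno, ...]},
    'findings': [str, ...]}; an empty findings list means the keytab is sane."""
    expected = "host/%s@%s" % (client_fqdn, realm)
    versions = defaultdict(set)
    for kvno, princ in parse_klist(text):
        versions[princ].add(kvno)

    findings = []
    if expected not in versions:
        findings.append("missing host principal %s" % expected)
    for princ, kvnos in versions.items():
        if "/" not in princ.split("@", 1)[0]:
            # A plain user principal in a host keytab means ipa-getkeytab was
            # run for that user: its key, i.e. its password, is now this keytab.
            findings.append("user principal %s present in a host keytab" % princ)
        if len(kvnos) > 1:
            # Every ipa-getkeytab run bumps the KVNO; earlier copies of the
            # key, and for a user their old password, stop working.
            findings.append("%s has key versions %s: the key was regenerated"
                            % (princ, sorted(kvnos)))
    return {"principals": {p: sorted(k) for p, k in versions.items()},
            "findings": findings}


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD_KLIST), ("good", SAMPLE_GOOD_KLIST)):
        report = audit_keytab(sample, "vuwunicologint2.unix.vuw.ac.nz", "UNIX.VUW.AC.NZ")
        print(label, report["principals"], report["findings"] or "OK")
```

On a live client, feed it `klist -kt /etc/krb5.keytab` and the host's FQDN; a user principal or a climbing KVNO is the signal that the keytab was fetched with the wrong -p and that the user's password now has to be reset, which is Simo's point below.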
From simo at redhat.com Fri May 13 11:56:02 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 13 May 2011 07:56:02 -0400
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <4DCCF5C0.4030708@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com>
Message-ID: <1305287762.5330.3.camel@willson.li.ssimo.org>

On Fri, 2011-05-13 at 11:11 +0200, Jakub Hrozek wrote:
> On 05/13/2011 06:00 AM, Steven Jones wrote:
> > [root at vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin
>
> The second -p overrides the first.

And also probably changed the "admin" password to rubbish.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From nalin at redhat.com Fri May 13 15:20:06 2011
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 13 May 2011 11:20:06 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <557274.78491.qm@web161316.mail.bf1.yahoo.com>
References: <557274.78491.qm@web161316.mail.bf1.yahoo.com>
Message-ID: <20110513152006.GA5334@redhat.com>

On Thu, May 12, 2011 at 07:02:27PM -0700, nasir nasir wrote:
> Thanks for the reply Rob ! I had tried with all the log files you
> mentioned and had kept most of them in debug mode. Tried again now. The
> only error or clue I could see was the following I already mentioned in
> my previous mail,
> oddjob-mkhomedir[17823]: error setting permissions on /home/nasir:
> Operation not permitted

The helper runs as root -- does the root user on your client system have the ability to remotely write to that filesystem over NFS?
Nalin From ayoung at redhat.com Fri May 13 15:31:10 2011 From: ayoung at redhat.com (Adam Young) Date: Fri, 13 May 2011 11:31:10 -0400 Subject: [Freeipa-users] FreeIPA for Linux desktop deployment In-Reply-To: <176006.55176.qm@web161301.mail.bf1.yahoo.com> References: <176006.55176.qm@web161301.mail.bf1.yahoo.com> Message-ID: <4DCD4EBE.4040506@redhat.com> On 05/12/2011 03:30 PM, nasir nasir wrote: > Adam, > > I tried to follow your recommendations with RHEL 6.1 beta on server > and client machine. Centralized login and such things work. I have NFS > service too working. But automount is not working. For the time being > I configured my server as NFS server and created a folder /export as a > share for creating home folder. I have *pam_oddjob_mkhomedir.so > *enabled in pam files for autocreation of home folders. Now I can > manually mount the /export nfs share on the server and the client > successfully. But when I do that on server for testing and try to > login as a new user(e.g abc), it is not creating home folder. It gives > the following error, > > *oddjob-mkhomedir[16401]: error setting permissions on /home/abc: > Operation not permitted* > It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is: 1. mkdir /home/userid 2. chown uid:gid /home/userid It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail. chown is a different system call from mkdir, and might have different nfs enforced permissions. You probably need rwx permissions in /etc/export. > > I have given 777 for my /export and rw permission in /etc/export. > Output of the command *ipa automountlocation-tofiles default*. 
>
> */etc/auto.master:*
> */- /etc/auto.direct*
> */share /etc/auto.share*
> */home /etc/auto.home*
> *---------------------------*
> */etc/auto.direct:*
> *---------------------------*
> */etc/auto.share:*
> *---------------------------*
> */etc/auto.home:*
> ** -rw,sec=krb5,soft,rsize=8192,wsize=8192 openipa.cohort.org:/export/home/&*
>
> I tried reading many docs (RHEL deployment guide, google, FreeIPA doc
> etc). The problem is that they are confusing and conflicting in many
> cases.

There is a lot of old information on the site that needs to be updated to 2.0, and we are working on that. The more input (tickets logged into Trac) we can get for that the better.

> Please advise me how to proceed.
>
> Thanks and Regards,
> Nidal
>
>>>> Nidal,
>>>>
>>>> OK, I'd probably do something like this: After
>>>> install IPA, add one host as an IPA client with the
>>>> following switch: --mkhomedir, something like
>>>> ipa-client-install --mkhomedir -p admin. Then,
>>>> mount the directory that you are going to use a
>>>> /home on that machine. Once you create users in
>>>> IPA, the first time you log in as that user, do so
>>>> from that client, and it will attempt to create the
>>>> home directory for you. This should be the only
>>>> machine that has permissions to create directories
>>>> under /home. Now, create an automount location and
>>>> map, and create a key for /home
>>>>
>>>> The instructions from our test day should get you
>>>> started:
>>>>
>>>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
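Nalin's question (can root on the client write to that export?) and Adam's two-step test above (mkdir as root, then chown) are the same check; the script below is an added example, not code from this thread or from FreeIPA, that performs it and also reads an exports file to say, per client entry, whether uid 0 is squashed (NFS squashes root unless no_root_squash is given). The sample /etc/exports lines are the four /xtra lines Nidal posts later in this thread plus one constructed /export line that shows the default; probe_homedir_create, parse_exports and run_probe are my names. One caveat the thread does not spell out: with sec=krb5 the server never sees uid 0 from the client. Root on the client authenticates with the machine credential from /etc/krb5.keytab, the server maps that principal to a local identity (nobody, unless it is mapped to something else), and no_root_squash only applies after that mapping.

```python
"""Probe the mkdir/chown/chmod sequence a root-run helper such as
oddjob-mkhomedir needs, and read an NFS exports file for root squashing.
Added example, not code from this thread or from FreeIPA."""
import os
import re
import tempfile

# Constructed sample: the four /xtra lines Nidal posts later in this thread,
# plus one made-up /export line with no squash option, to show the default.
SAMPLE_EXPORTS = """\
/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/export *(rw,sync)   # constructed: root_squash is the default when unset
"""

EXPORT_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)$")


def parse_exports(text):
    """Return one dict per export line: path, client spec, option set, whether
    uid 0 from that client is squashed, and whether the entry is a Kerberos
    (gss/krb5*) pseudo-client."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = EXPORT_RE.match(line)
        if not m:
            continue
        opts = {o.strip() for o in m.group(3).split(",") if o.strip()}
        entries.append({
            "path": m.group(1),
            "client": m.group(2),
            "options": opts,
            "root_squash": "no_root_squash" not in opts,   # squash is the default
            "kerberos": m.group(2).startswith("gss/krb5"),
        })
    return entries


def probe_homedir_create(parent, uid, gid, mode=0o700):
    """Do what the helper does: mkdir, chown to the user, chmod.  Returns a dict
    with None for each step that succeeded and the OSError text for the step
    that failed; steps after a failure are skipped.  The probe dir is removed."""
    path = os.path.join(parent, ".mkhomedir-probe-%d" % os.getpid())
    result = {"mkdir": None, "chown": None, "chmod": None}
    try:
        for step, call in (("mkdir", lambda: os.mkdir(path)),
                           ("chown", lambda: os.chown(path, uid, gid)),
                           ("chmod", lambda: os.chmod(path, mode))):
            try:
                call()
            except OSError as exc:
                result[step] = "%s: %s" % (exc.__class__.__name__, exc)
                break
    finally:
        if os.path.isdir(path):
            os.rmdir(path)
    return result


def run_probe(parent=None):
    """Run the probe as the current user.  With no parent given, a fresh
    temporary directory stands in for the NFS-mounted /home."""
    uid, gid = os.getuid(), os.getgid()
    if parent is not None:
        return probe_homedir_create(parent, uid, gid)
    tmp = tempfile.mkdtemp(prefix="home-probe-")
    try:
        return probe_homedir_create(tmp, uid, gid)
    finally:
        os.rmdir(tmp)


if __name__ == "__main__":
    for e in parse_exports(SAMPLE_EXPORTS):
        print("%-8s %-10s root squashed: %-5s kerberos: %s"
              % (e["path"], e["client"], e["root_squash"], e["kerberos"]))
    print(run_probe())          # all None when the three steps work
    print(run_probe("/home"))   # the real target; a "chown" entry means NFS refused it
```

Run it as root on the client with /home mounted; a result whose "mkdir" is None but whose "chown" carries EPERM reproduces the "error setting permissions" line in the log, which is exactly the step the server is refusing.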
From ayoung at redhat.com Fri May 13 15:37:20 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 13 May 2011 11:37:20 -0400
Subject: [Freeipa-users] /var/log/dirsrv/slapd-* permissions
In-Reply-To:
References:
Message-ID: <4DCD5030.4040601@redhat.com>

On 05/13/2011 06:11 AM, Charlie Derwent wrote:
> Hi
>
> First time posting on the mailing list so go easy on me :-)
>
> I've installed freeipa on our network and noticed that no real user
> owns the folders /var/log/dirsrv/slapd-PKI-IPA and
> /var/log/dirsrv/slapd-TEST-NET. Isn't this going to cause logrotate
> errors? I have a feeling this came about because I installed freeipa
> then had to uninstall it, then re-installed it again and the UID and
> GID's I'm seeing may have been the previous pkisrv and dirsrv
> users/groups. If this is true can I just manually chown the
> directories and if so what permissions should I set?

That is not the normal state of things. They should be owned by the dirsrv user and group. Since the dirsrv user is responsible for writing to these files, creating the directories etc, I would not think you would have a usable install if this is not set up correctly. If you do ps -ef | grep dirsrv, what user is running those processes?

>
> Thanks
> Charlie
From rmeggins at redhat.com Fri May 13 15:38:42 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 May 2011 09:38:42 -0600
Subject: [Freeipa-users] /var/log/dirsrv/slapd-* permissions
In-Reply-To: <4DCD5030.4040601@redhat.com>
References: <4DCD5030.4040601@redhat.com>
Message-ID: <4DCD5082.7010402@redhat.com>

On 05/13/2011 09:37 AM, Adam Young wrote:
> On 05/13/2011 06:11 AM, Charlie Derwent wrote:
>> Hi
>>
>> First time posting on the mailing list so go easy on me :-)
>>
>> I've installed freeipa on our network and noticed that no real user
>> owns the folders /var/log/dirsrv/slapd-PKI-IPA and
>> /var/log/dirsrv/slapd-TEST-NET. Isn't this going to cause logrotate
>> errors? I have a feeling this came about because I installed freeipa
>> then had to uninstall it, then re-installed it again and the UID and
>> GID's I'm seeing may have been the previous pkisrv and dirsrv
>> users/groups. If this is true can I just manually chown the
>> directories and if so what permissions should I set?
>
> That is not the normal state of things. They should be owned by the
> dirsrv user and group. Since the dirsrv user is responsible for
> writing to these files, creating the directories etc, I would not
> think you would have a usable install if this is not set up
> correctly. If you do ps -ef | grep dirsrv, what user is running those
> processes?

Also, 389 does not use logrotate, it has its own log rotation policies based on age, size, etc.
See http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Configuring_Logs

>
>> Thanks
>> Charlie

From kollathodi at yahoo.com Fri May 13 16:13:13 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Fri, 13 May 2011 09:13:13 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DCD4EBE.4040506@redhat.com>
Message-ID: <560118.85737.qm@web161309.mail.bf1.yahoo.com>

Adam,

Thanks indeed!

I tried your suggestions.

-- I can mkdir
-- When I try to chown, I get the following error

chown: changing ownership of `nasir': Operation not permitted

Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file,

/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was IPA server itself) and the result is the same. All the above commands are from this client machine only.

Thanks indeed again!

Regards,
Nidal

> oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted
>
> It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:
>
> 1. mkdir /home/userid
> 2. chown uid:gid /home/userid
>
> It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail.
>
> chown is a different system call from mkdir, and might have different nfs enforced permissions. You probably need rwx permissions in /etc/export.

From rcritten at redhat.com Fri May 13 16:22:04 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 May 2011 12:22:04 -0400
Subject: [Freeipa-users] fatal error for ipa rhel 5.6 client
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400634D286@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400634D286@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DCD5AAC.8050805@redhat.com>

Steven Jones wrote:
> Any ideas with this please?
>
> [root at vuwunicoadmint2 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01 --domain unix.vuw.ac.nz -p admin
> Discovery was successful!
> Realm: UNIX.VUW.AC.NZ
> DNS Domain: unix.vuw.ac.nz
> IPA Server: vuwunicoipamt01
> BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> Password for admin at UNIX.VUW.AC.NZ:
> Joining realm failed: HTTP response code is 301, not 200
> [root at vuwunicoadmint2 ~]#
>
> I'm getting this from a client

301 is a HTTP status code meaning permanently moved. I think the problem is you aren't using the FQDN for your IPA server so the Apache server is trying to redirect the client, which doesn't support redirects yet.
rob

From ayoung at redhat.com Fri May 13 16:29:40 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 13 May 2011 12:29:40 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <560118.85737.qm@web161309.mail.bf1.yahoo.com>
References: <560118.85737.qm@web161309.mail.bf1.yahoo.com>
Message-ID: <4DCD5C74.6040205@redhat.com>

On 05/13/2011 12:13 PM, nasir nasir wrote:
> Adam,
>
> Thanks indeed!
>
> I tried your suggestions.
>
> -- I can mkdir
> -- When I try to chown, I get the following error
>
> *chown: changing ownership of `nasir': Operation not permitted*
>
> Could you please explain to me what you mean by 'You probably need rwx
> permissions in /etc/export'? This is my /etc/export file,
>

See the '(rw' in those lines? That indicates read and write privs, but not execute.

I'm not an nfs guru, so I might be wrong. This post suggests that I am wrong:

http://jackhammer.org/node/7

Since IPA is managing the IDs, they should be in sync across the NFS and automounted client machines, but there might be something not right in the setup. If the IPA server isn't managing the machine that serves as your NFS server, then the IDs are certainly going to be out of sync.

>
> */xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)*
> */xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)*
> */xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)*
> */xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)*
>
> Also, I have configured a separate client machine (RHEL 6.1) and
> configured it as NFS server (previously my NFS server was IPA server
> itself) and the result is the same. All the above commands are from this
> client machine only.
>
> Thanks indeed again!
>
> Regards,
> Nidal
>
>>
>> *o
ddjob-mkhomedir[16401]: error setting permissions on /home/abc:
>> Operation not permitted*
>>
>
> It might be a root squash issue.
> My guess is that the order of operations for creating a root directory,
> which is done by root, is:
>
> 1. mkdir /home/userid
> 2. chown uid:gid /home/userid
>
> It sounds from the error message that the first stage happened,
> but NFS is not allowing the second stage. To confirm, as a root
> (and kinit admin) user on the client machine, just try these two
> steps in order and see if they still fail.
>
> chown is a different system call from mkdir, and might have
> different nfs enforced permissions. You probably need rwx
> permissions in /etc/export.

From kollathodi at yahoo.com Fri May 13 16:57:54 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Fri, 13 May 2011 09:57:54 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DCD5C74.6040205@redhat.com>
Message-ID: <676629.40697.qm@web161306.mail.bf1.yahoo.com>

Adam/Nalin,

Two cases,

1) When I am testing this by manually mounting the nfs share (which is /xtra) on the NFS server itself using the following command,

#mount -vvvv -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home

I get whatever problem I described in previous mail (permission issues). Now this could be because here IPA is not managing the user/group permissions completely (correct me if I am wrong in this assumption) and all the problems you described happen.

2) When I DO NOT mount manually and instead I try to login as a new user on the nfsserver machine, it creates the home folder for this user on the /home partition of nfsserver machine because automount is NOT working and hence there is no mounted partition to confuse things. So to be able to test it properly, I need to fix the issue in automount and get the case #2 tested and working properly with /home automatically mounted from the nfsserver. This is my "ipa automountlocation-tofiles default" output,

/etc/auto.master:
/-      /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
---------------------------
/etc/auto.home:
*       -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&

Is this OK? Please help.

Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Friday, May 13, 2011, 9:29 AM

> On 05/13/2011 12:13 PM, nasir nasir wrote:
> > Adam,
> >
> > Thanks indeed!
> >
> > I tried your suggestions.
> > -- I can mkdir
> > -- When I try to chown, I get the following error
> >
> > chown: changing ownership of `nasir': Operation not permitted
> >
> > Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file,
>
> See the '(rw' in those lines? That indicates read and write privs, but not execute. I'm not an nfs guru, so I might be wrong. This post suggests that I am wrong: http://jackhammer.org/node/7
>
> Since IPA is managing the IDs, they should be in sync across the NFS and automounted client machines, but there might be something not right in the setup. If the IPA server isn't managing the machine that serves as your NFS server, then the IDs are certainly going to be out of sync.
>
> > /xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> > /xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> > /xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> > /xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
> >
> > Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was IPA server itself) and the result is the same. All the above commands are from this client machine only.
> >
> > Thanks indeed again!
> >
> > Regards,
> > Nidal
> >
> > > oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted
> >
> > It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:
> >
> > 1. mkdir /home/userid
> > 2. chown uid:gid /home/userid
> >
> > It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail.
> >
> > chown is a different system call from mkdir, and might have different nfs enforced permissions. You probably need rwx permissions in /etc/export.

From ayoung at redhat.com Fri May 13 17:11:18 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 13 May 2011 13:11:18 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <676629.40697.qm@web161306.mail.bf1.yahoo.com>
References: <676629.40697.qm@web161306.mail.bf1.yahoo.com>
Message-ID: <4DCD6636.8070103@redhat.com>

On 05/13/2011 12:57 PM, nasir nasir wrote:
> Adam/Nalin,
>
> Two cases,
>
> 1) When I am testing this by manually mounting the nfs share (which
> is */xtra* ) on the NFS server itself using the following command,
>
> * #mount -vvvv -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home*
>
> I get whatever problem I described in previous mail (permission
> issues). Now this could be because here IPA is not managing the
> user/group permissions completely (correct me if I am wrong in this
> assumption) and all the problems you described happen.
>

I think that, in order to have a complete set up, IPA needs to manage the user IDs for your NFS server. Otherwise, you will have to work at getting the userIDs in sync, and without that, you do not have a workable NFS solution, and thus no Automount.
>
> 2) When I DO NOT mount manually and instead I try to login as a new
> user on the nfsserver machine, it creates the home folder for this
> user on the /home partition of nfsserver machine because automount is
> NOT working and hence there is no mounted partition to confuse things.
> So to be able to test it properly, I need to fix the issue in
> automount and get the case #2 tested and working properly with /home
> automatically mounted from the nfsserver.
> This is my "*ipa automountlocation-tofiles default" *output,
>
> */etc/auto.master:*
> */- /etc/auto.direct*
> */share /etc/auto.share*
> */home /etc/auto.home*
> *---------------------------*
> */etc/auto.direct:*
> *---------------------------*
> */etc/auto.share:*
> *---------------------------*
> */etc/auto.home:*
> ** -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&*
>
> Is this OK? Please help.
>

If you don't do NFS, then you have no way to share the users' directories. If you do the ipa-client option to automatically create directories on first login, your users will get a new unique home directory on each machine they log in to, which probably isn't what you want.

I'm a little confused by what you wrote above: why would you be mounting at all on the nfs server machine? The NFS server should be exporting the FS, and logging in to that machine as a new user should correctly create the home directory. Unless, of course, you are doing something like mounting the NFS volume on /mnt/nfsexport, and then nfs mounting that to /home on the same machine, but that would be inefficient. But since it looks like your nfs server is specified as nfsserver.cohort.org:/xtra/home/ I'm guessing that you just mistyped above, or I misparsed it.

The nfs server should not do automount. And I think this might be part of the problem: you need it to do the rest of identity management, but not automount. You can probably just chkconfig off autofs on the nfs server.
I'm not sure if there is a cleaner solution. > > Thanks and regards, > Nidal > > * > * > --- On *Fri, 5/13/11, Adam Young //*wrote: > > > From: Adam Young > Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment > To: "nasir nasir" > Cc: freeipa-users at redhat.com > Date: Friday, May 13, 2011, 9:29 AM > > On 05/13/2011 12:13 PM, nasir nasir wrote: >> Adam, >> >> Thanks indeed! >> >> I tried your suggestions. >> >> -- I can mkdir >> -- When I try to chown, I get the following error >> >> *chown: changing ownership of `nasir': Operation not permitted* >> >> Could you please explain me what do you mean by 'You probably >> need rwx permissions in /etc/export' ? This is my /etc/export file, >> > > see the '(rw' in those lines? That indicates read and write > privs, but not execute. > > I'm not an nfs guru, so I might be wrong. this post suggests that > I am wrong: > > http://jackhammer.org/node/7 > > SInce IPA is managing the IDs, they should be in sync across the > NFS and autmounted client machines, but there might be something > not right in the setup. if the IPA server isn't managing the > machine that serves as your NFS server, then the IDs are certainly > going to be out of sync. > > > >> >> */xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)* >> */xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)* >> */xtra >> gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)* >> */xtra >> gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)* >> >> Also, I have configured a separate client machine (RHEL 6.1) and >> configured it as NFS server (previously my NFS server was IPA >> server itself) and the result is same. All the above commands are >> from this client machine only. >> >> Thanks indeed again! >> >> Regards, >> Nidal >> >> >> >> >>> >>> *oddjob-mkhomedir[16401]: error setting permissions on >>> /home/abc: Operation not permitted* >>> >> >> It might be a root squash issue. 
>> My guess is that the order
>> of operations for creating a root directory, which is done by
>> root, is:
>>
>> 1. mkdir /home/userid
>> 2. chown uid:gid /home/userid
>>
>> It sounds from the error message that the first stage
>> happened, but NFS is not allowing the second stage. To
>> confirm, as a root (and kinit admin) user on the client
>> machine, just try these two steps in order and see if they
>> still fail.
>>
>> chown is a different system call from mkdir, and might have
>> different NFS-enforced permissions. You probably need rwx
>> permissions in /etc/export.
>>

From rcritten at redhat.com Fri May 13 17:44:34 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 May 2011 13:44:34 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <676629.40697.qm@web161306.mail.bf1.yahoo.com>
References: <676629.40697.qm@web161306.mail.bf1.yahoo.com>
Message-ID: <4DCD6E02.9020002@redhat.com>

nasir nasir wrote:
> Adam/Nalin,
>
> Two cases,
>
> 1) When I am testing this by manually mounting the nfs share (which is
> /xtra) on the NFS server itself using the following command,
>
> #mount -vvvv -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home
>
> I get whatever problem I described in the previous mail (permission issues).
> Now this could be because here IPA is not managing the user/group
> permissions completely (correct me if I am wrong in this assumption) and
> all the problems you described happen.

What is it you are actually trying to do here, mount every single /home directory? To test automount I tended to do: cd /home/. It should be automatically mounted.

If your machine is configured to use IPA for identity then yes, it manages all users and groups (e.g. you used ipa-client-install).
> 2) When I DO NOT mount manually and instead I try to login as a new user
> on the nfsserver machine, it creates the home folder for this user on
> the /home partition of the nfsserver machine because automount is NOT
> working and hence there is no mounted partition to confuse things.
> So to be able to test it properly, I need to fix the issue in automount
> and get case #2 tested and working properly with /home automatically
> mounted from the nfsserver.
> This is my "ipa automountlocation-tofiles default" output,
>
> /etc/auto.master:
> /-      /etc/auto.direct
> /share  /etc/auto.share
> /home   /etc/auto.home
> ---------------------------
> /etc/auto.direct:
> ---------------------------
> /etc/auto.share:
> ---------------------------
> /etc/auto.home:
> *       -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&
>
> Is this OK ? Please help.

And you configured this to automatically create the home directory, right? I wonder if there is a conflict/race with that.

This line appears to be ok. Does it work if you do cd /home/ ?

rob

From kollathodi at yahoo.com Fri May 13 18:40:22 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Fri, 13 May 2011 11:40:22 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DCD6E02.9020002@redhat.com>
Message-ID: <545106.95513.qm@web161306.mail.bf1.yahoo.com>

I was trying to see whether I could mount the NFS share manually. That's why I tested the first step.

I have two machines configured now. One IPA server and the other one as IPA client (with --mkhomedir switch) configured as an NFS server too. Here the /xtra partition with a home subfolder is the NFS export. Now when I create a user in the IPA server, from where shall I try to login first? From the IPA server or the NFS server? Or do you want me to try from a different machine? In that case, I will have to install the IPA client on one more machine.
Currently cd /home/ is saying "no such file or directory" from both these machines.

Here is my requirement in one sentence: Whenever a newly created user is logged in from any client machine, a home folder should be created in my NFS server under /xtra/home as /xtra/home/$USERNAME and mounted to the client machine she is logged in as her home folder.

Thanks and regards,
Nidal

> What is it you are actually trying to do here, mount every single /home
> directory? To test automount I tended to do: cd /home/. It should be
> automatically mounted.
>
> If your machine is configured to use IPA for identity then yes, it
> manages all users and groups (e.g. you used ipa-client-install).
>
> And you configured this to automatically create the home directory,
> right? I wonder if there is a conflict/race with that.
>
> This line appears to be ok. Does it work if you do cd /home/ ?
>
> rob

From ayoung at redhat.com Fri May 13 19:07:33 2011
From: ayoung at redhat.com (Adam Young)
Date: Fri, 13 May 2011 15:07:33 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <545106.95513.qm@web161306.mail.bf1.yahoo.com>
References: <545106.95513.qm@web161306.mail.bf1.yahoo.com>
Message-ID: <4DCD8175.90903@redhat.com>

On 05/13/2011 02:40 PM, nasir nasir wrote:
> I was trying to see whether I could mount the NFS share manually.
> That's why I tested the first step.
>
> I have two machines configured now. One IPA server and the other one
> as IPA client (with --mkhomedir switch) configured as an NFS server
> too. Here the /xtra partition with a home subfolder is the NFS export.
> Now when I create a user in the IPA server, from where shall I try to
> login first? From the IPA server or the NFS server? Or do you want me to
> try from a different machine? In that case, I will have to install
> the IPA client on one more machine. Currently cd /home/ is
> saying "no such file or directory" from both these machines.
> Here is my requirement in one sentence:
>
> Whenever a newly created user is logged in from any client machine,
> a home folder should be created in my NFS server under /xtra/home as
> /xtra/home/$USERNAME and mounted to the client machine she is logged
> in as her home folder.
>

The simplest solution is to remove the 'ldap' from the automount line in /etc/nsswitch.conf on the NFS server (thanks Stephen Gallagher) but leave it on the other machines. Then, install the ipa-client with the option to automatically create the home directory. If you log in to the NFS server directly, it will be created on the (I'll assume ext4) local partition; if you log in to the client machine, it will create it in the /home partition automounted from the NFS server.

I'm not sure what oddjob does, but I'd assume that it tests for the existence of $HOME by doing some system call that should trigger the mount from the server, but I'm not certain that it does.

An alternative is to log in once on the nfsserver directly to create the user's home directory, and then automount will work across the cluster.

>
> Thanks and regards,
> Nidal
>
>> What is it you are actually trying to do here, mount every single
>> /home directory? To test automount I tended to do: cd /home/. It
>> should be automatically mounted.
>>
>> If your machine is configured to use IPA for identity then yes, it
>> manages all users and groups (e.g. you used ipa-client-install).
>>
>> And you configured this to automatically create the home directory,
>> right? I wonder if there is a conflict/race with that.
>>
>> This line appears to be ok. Does it work if you do cd /home/ ?
>>
>> rob
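The auto.home wildcard map and the /etc/exports lines quoted in this thread, worked through as an added example (not code from the thread, from FreeIPA or from autofs): it resolves a map key the way the sun-format parser does, including the '&' substitution, and checks which mount options and export entries actually require Kerberos. The map, the exports and the user name "nasir" are copied from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/autofs: resolve an
# autofs indirect-map entry the way automount's sun parser does, then audit
# the security flavour of the map entry and of the /etc/exports lines it
# points at. All inputs are constructed copies of what the thread quotes.

# /etc/auto.home as printed by "ipa automountlocation-tofiles default":
# wildcard key, '&' expands to the looked-up key (the user name under /home).
AUTO_HOME_MAP='* -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&'

# The alternative floated in the thread: one key that mounts the whole export,
# so every user's directory is visible to everyone logged in on the client.
AUTO_HOME_WHOLE='/home -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/'

# The four /etc/exports lines from the thread (constructed copy).
EXPORTS='/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)'

# resolve_automount_key MAP KEY
# Prints "OPTIONS LOCATION" for the first map line whose key equals KEY or is
# the wildcard '*', with '&' in the location replaced by KEY. Returns 1 when
# nothing matches. KEY is a user name and must not contain '|' or sed metacharacters.
resolve_automount_key() {
    map=$1
    key=$2
    while read -r mkey opts loc; do
        case $mkey in '' | '#'*) continue ;; esac   # blank lines and comments
        if [ -z "$loc" ]; then                       # entry without an options field
            loc=$opts
            opts=
        fi
        if [ "$mkey" = "$key" ] || [ "$mkey" = '*' ]; then
            loc=$(printf '%s' "$loc" | sed "s|&|$key|g")
            printf '%s %s\n' "$opts" "$loc"
            return 0
        fi
    done <<EOF
$map
EOF
    return 1
}

# mount_requires_krb5 OPTIONS
# 0 when the mount options pin a Kerberos flavour. Without sec= the client
# can fall back to sec=sys, where the server trusts the numeric UID sent by the client.
mount_requires_krb5() {
    case ",$1," in
        *,sec=krb5,* | *,sec=krb5i,* | *,sec=krb5p,*) return 0 ;;
        *) return 1 ;;
    esac
}

# export_clients_without_krb5 EXPORTLINE
# Prints every client spec of one /etc/exports line that still admits sec=sys
# or sec=none (explicitly, or by default when sec= is absent) and exits 0 only
# when all specs require Kerberos. The legacy "gss/krb5*(...)" pseudo-hosts
# count as Kerberos. Runs in a subshell so "set -f" does not leak to the caller.
export_clients_without_krb5() (
    set -f                       # keep the '*' client spec from globbing filenames
    set -- $1
    shift                        # drop the exported path
    weak=0
    for spec in "$@"; do
        host=${spec%%\(*}
        opts=${spec#*\(}
        opts=${opts%\)}
        sec=
        case $host in gss/*) sec=${host#gss/} ;; esac
        for o in $(printf '%s' "$opts" | tr ',' ' '); do
            case $o in sec=*) sec=${o#sec=} ;; esac
        done
        case ":${sec:-sys}:" in
            *:sys:* | *:none:*) printf '%s\n' "$spec"; weak=1 ;;
        esac
    done
    exit $weak
)

# Demo: what a login as user "nasir" triggers on a client using the wildcard map.
entry=$(resolve_automount_key "$AUTO_HOME_MAP" nasir) || exit 1
opts=${entry%% *}
loc=${entry#* }
printf 'login nasir -> autofs mounts %s on /home/nasir (%s)\n' "$loc" "$opts"
# With an indirect wildcard map, /home/nasir appears only once that mount
# succeeds, so /xtra/home/nasir must already exist on the server; creating it
# at login time (oddjob-mkhomedir) races the mount that needs it to exist.
mount_requires_krb5 "$opts" && echo 'client mount: Kerberos required'

# The '*' export line carries no sec= and no_root_squash: any host that can
# reach the server may present any UID, root included, over AUTH_SYS.
printf '%s\n' "$EXPORTS" | while read -r line; do
    export_clients_without_krb5 "$line" | sed 's/^/export admits sec=sys or none: /'
done
```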
From kollathodi at yahoo.com Sat May 14 12:59:58 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Sat, 14 May 2011 05:59:58 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DCD947B.9000401@redhat.com>
Message-ID: <450130.35668.qm@web161317.mail.bf1.yahoo.com>

I configured one fresh IPA client machine (RHEL 6.1 beta) and tested automount again. It is still the same. Automount is not working. Also, in the debug mode of autofs, I can see some messages in /var/log/messages while restarting the autofs service. Please see this,

May 14 15:20:45 rhel automount[23932]: Starting automounter version 5.0.5-29.el6, master map auto.master
May 14 15:20:45 rhel automount[23932]: using kernel protocol version 5.01
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /misc
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /net
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry +auto.master
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
*May 14 15:20:45 rhel automount[23932]: lookup(file): failed to read included master map auto.master*
May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /misc
May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-misc
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map file /etc/auto.misc
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: mounted indirect on /misc with timeout 300, freq 75 seconds
May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /misc
May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /net
May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-net
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map hosts (null)
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: mounted indirect on /net with timeout 300, freq 75 seconds
May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /net

Is the line in bold a problem?

Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young wrote:

> From: Adam Young
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: "nasir nasir"
> Date: Friday, May 13, 2011, 1:28 PM
>
> On 05/13/2011 01:54 PM, nasir nasir wrote:
>> Adam,
>>
>> I am taking this off the list as it is going too offline, but I promise I will write up the correct solution and howto once I get everything up and running and post it in the mail for everyone's reference.
>>
>> Here is what I have and what I want to achieve (with your help :-) ,
>>
>> -- I have one IPA server (up and running) called openipa.cohort.org
>> -- I have one IPA client machine which I created with the ipa-client-install --mkhomedir switch called nfsserver.cohort.org
>> -- The nfsserver.cohort.org machine is an NFS server (actually I had created the IPA server also with an NFS export, but then I stopped the NFS server on that to avoid confusion and instead configured nfsserver.cohort.org as the NFS server). In this server I have a partition called /xtra and a sub directory under that called home. So it looks like /xtra/home. Now I want every user in IPA to be able to login from any machine in the network and their home directories created under the /xtra/home directory of nfsserver.cohort.org and automatically mounted in their client machine.
>>
>> This is 3 parts
>> 1) Centralized login using IPA server openipa.cohort.org (This part is working now)
>> 2) NFS server configured on nfsserver.cohort.org with kerberos authentication (This is also working it seems as I can mount using the sec=krb5 option from the client MANUALLY)
>> 3) Automatically create & mount home folder for each user under /xtra/home/XXX when they login from the machine (This is NOT working as of now)
>>
>> I think #3 is not working because the automountkey options given are wrong. So could you please tell me the exact commands with correct parameters in my case for automount? I know I am asking too much. But I am stuck on this point and this is getting delayed terribly already.
>
> I have a suspicion that the problem stems from the /home automount. Short of it is that you probably want to force the creation of the user's homedir once you create the account, as opposed to letting them create it upon login.
>
> Longer answer is that I suspect the issue is with this line:
>
> /etc/auto.home:
> *       -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&
>
> I am guessing that what is happening is that NFS doesn't let you create a directory that you are going to automount. I'm not certain. Here is what I think is happening. 1st, upon user log in, the client machine's oddjob handler does stat /home/$USER and gets back ENOENT. It then does a mkdir /home/$USER but since this is a mount point, that operation is not allowed.
>
> If you instead automounted /home, it would probably work, but then all users' home directories would be exposed, and I am guessing that you only want the currently logged in user's home directory automounted.
>
> A simple test, change the automount map to just mount /home completely, and then create a new user. I'm guessing that will work. Basically
>
> /etc/auto.home:
> /home   -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/
>
>> Thanks for all the help!
>> Regards,
>> Nidal

From sigbjorn at nixtra.com Sat May 14 14:46:46 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 14 May 2011 16:46:46 +0200
Subject: [Freeipa-users] IPA Startup issues
Message-ID: <4DCE95D6.2070104@nixtra.com>

I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started. I noticed this as my test virtualization host has had its power cord knocked out a few times.
When I restart the host machine, all the virtual machines are started at the same time, causing (a lot) higher than normal latency for each virtual machine. This causes the IPA daemons to start, while during the startup one or several IPA daemons fail due to dependencies on other daemons which are not started yet, and all the IPA daemons are stopped as not all the IPA daemons started successfully.

I've noticed that the default behavior of the ipactl command is to shut down all the IPA daemons if any of the IPA daemons should fail during startup. This can be seen in the logs of the individual services, as some are started successfully, just to receive a shutdown signal shortly after. It seems to be the pki-ca which shut down my IPA services this morning.

When rebooting the virtual machine running the IPA daemons during normal load of the host machine, all the IPA daemons start successfully. Logging on to the IPA server and manually starting the IPA daemons after the load of the host machine has decreased also works.

I suggest changing the startup scripts to allow (a lot) longer startup times for the IPA daemons prior to failing them.

Rgds,
Siggi

From ayoung at redhat.com Sun May 15 03:01:12 2011
From: ayoung at redhat.com (Adam Young)
Date: Sat, 14 May 2011 23:01:12 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <450130.35668.qm@web161317.mail.bf1.yahoo.com>
References: <450130.35668.qm@web161317.mail.bf1.yahoo.com>
Message-ID: <4DCF41F8.5010408@redhat.com>

Is LDAP set for automount in /etc/nsswitch.conf?

On 05/14/2011 08:59 AM, nasir nasir wrote:
> I configured one fresh IPA client machine (RHEL 6.1 beta) and tested
> automount again. It is still the same. Automount is not working.
> Also, in the debug mode of autofs, I can see some messages in
> /var/log/messages while restarting the autofs service.
> Please see this,
>
> May 14 15:20:45 rhel automount[23932]: Starting automounter version 5.0.5-29.el6, master map auto.master
> May 14 15:20:45 rhel automount[23932]: using kernel protocol version 5.01
> May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
> May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
> May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /misc
> May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /net
> May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry +auto.master
> May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
> May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
> *May 14 15:20:45 rhel automount[23932]: lookup(file): failed to read included master map auto.master*
> May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /misc
> May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-misc
> May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map file /etc/auto.misc
> May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
> May 14 15:20:45 rhel automount[23932]: mounted indirect on /misc with timeout 300, freq 75 seconds
> May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /misc
> May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /net
> May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-net
> May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map hosts (null)
> May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
> May 14 15:20:45 rhel automount[23932]: mounted indirect on /net with timeout 300, freq 75 seconds
> May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /net
>
> Is the line in bold a problem?
>
> Thanks and regards,
> Nidal

From kollathodi at yahoo.com Sun May 15 04:49:51 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Sat, 14 May 2011 21:49:51 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DCF41F8.5010408@redhat.com>
Message-ID: <142200.49205.qm@web161307.mail.bf1.yahoo.com>

Thanks again!

NO, it was not set. I added it manually now (automount: ldap) and now a different error pops up in /var/log/messages while restarting the autofs service,

May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol: ERR_remove_state)
May 15 06:32:04 hugayat automount[16256]: lookup_nss_read_master: auto.master not found, replacing '.' with '_'
May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol: ERR_remove_state)
May 15 06:32:04 hugayat automount[16256]: no mounts in table

Quick googling shows that it was part of a bug in an earlier version of autofs (5.0.3) but later fixed.
Mine is autofs-5.0.5-29.el6.i686

Also, the symbol ERR_remove_state is part of openssl, right? Following is the output of the ldd command on lookup_ldap.so,

ldd /usr/lib/autofs/lookup_ldap.so
        linux-gate.so.1 =>  (0x00840000)
        libldap-2.4.so.2 => /lib/libldap-2.4.so.2 (0x00926000)
        liblber-2.4.so.2 => /lib/liblber-2.4.so.2 (0x00d00000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00258000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x002be000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x002d7000)
        libz.so.1 => /lib/libz.so.1 (0x00f7f000)
        libm.so.6 => /lib/libm.so.6 (0x00e43000)
        libkrb5.so.3 => /lib/libkrb5.so.3 (0x00110000)
        libk5crypto.so.3 => /lib/libk5crypto.so.3 (0x00e74000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x001e5000)
        libc.so.6 => /lib/libc.so.6 (0x00aa7000)
        libssl3.so => /usr/lib/libssl3.so (0x004ab000)
        libsmime3.so => /usr/lib/libsmime3.so (0x001e9000)
        libnss3.so => /usr/lib/libnss3.so (0x004e1000)
        libnssutil3.so => /usr/lib/libnssutil3.so (0x00212000)
        libplds4.so => /lib/libplds4.so (0x0022c000)
        libplc4.so => /lib/libplc4.so (0x00773000)
        libnspr4.so => /lib/libnspr4.so (0x00271000)
        libdl.so.2 => /lib/libdl.so.2 (0x00230000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00421000)
        /lib/ld-linux.so.2 (0x008b1000)
        libkrb5support.so.0 => /lib/libkrb5support.so.0 (0x009a4000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00235000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00706000)
        libfreebl3.so => /lib/libfreebl3.so (0x00451000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00238000)

Any idea ?

Thanks and regards,
Nidal

Is LDAP set for automount in /etc/nsswitch.conf?

On 05/14/2011 08:59 AM, nasir nasir wrote:

I configured one fresh IPA client machine (RHEL 6.1 beta) and tested automount again. It is still the same. Automount is not working.
Also, in the debug mode of autofs, I can see some messages in /var/log/messages while restarting the autofs service. Please see this,

May 14 15:20:45 rhel automount[23932]: Starting automounter version 5.0.5-29.el6, master map auto.master
May 14 15:20:45 rhel automount[23932]: using kernel protocol version 5.01
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /misc
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry /net
May 14 15:20:45 rhel automount[23932]: lookup_read_master: lookup(file): read entry +auto.master
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_master: reading master files auto.master
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: lookup(file): failed to read included master map auto.master
May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /misc
May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-misc
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map file /etc/auto.misc
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: mounted indirect on /misc with timeout 300, freq 75 seconds
May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /misc
May 14 15:20:45 rhel automount[23932]: master_do_mount: mounting /net
May 14 15:20:45 rhel automount[23932]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-net
May 14 15:20:45 rhel automount[23932]: lookup_nss_read_map: reading map hosts (null)
May 14 15:20:45 rhel automount[23932]: parse_init: parse(sun): init gathered global options: (null)
May 14 15:20:45 rhel automount[23932]: mounted indirect on /net with timeout 300, freq 75 seconds
May 14 15:20:45 rhel automount[23932]: st_ready: st_ready(): state = 0 path /net

Is the line in bold a problem?

Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Date: Friday, May 13, 2011, 1:28 PM

On 05/13/2011 01:54 PM, nasir nasir wrote:

Adam,

I am taking this off the list as it is going too offline, but I promise I will write up the correct solution and howto once I get everything up and running and post it in the mail for everyone's reference. Here is what I have and what I want to achieve (with your help :-),

-- I have one IPA server (up and running) called openipa.cohort.org
-- I have one IPA client machine which I created with the ipa-client-install --mkhomedir switch, called nfsserver.cohort.org
-- The nfsserver.cohort.org machine is an NFS server (actually I had created the IPA server also with an NFS export, but then I stopped the NFS server on that to avoid confusion and instead configured nfsserver.cohort.org as the NFS server). In this server I have a partition called /xtra and a sub directory under that called home. So it looks like /xtra/home.

Now I want every user in IPA to be able to login from any machine in the network and their home directories created under the /xtra/home directory of nfsserver.cohort.org and automatically mounted on their client machine. This is 3 parts,

   1) Centralized login using IPA server openipa.cohort.org (This part is working now)
   2) NFS server configured on nfsserver.cohort.org with kerberos authentication (This is also working it seems, as I can mount using the sec=krb5 option from the client MANUALLY)
   3) Automatically create & mount a home folder for each user under /xtra/home/XXX when they login from the machine (This is NOT working as of now)

I think #3 is not working because the automountkey options given are wrong. So could you please tell me the exact commands with correct parameters in my case for automount? I know I am asking too much. But I am stuck on this point and this is getting delayed terribly already.

I have a suspicion that the problem stems from the /home automount. Short of it is that you probably want to force the creation of the user's homedir once you create the account, as opposed to letting them create it upon login. Longer answer is that I suspect the issue is with this line:

/etc/auto.home:
*       -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&

I am guessing that what is happening is that NFS doesn't let you create a directory that you are going to automount. I'm not certain. Here is what I think is happening. 1st, upon user log in, the client machine's oddjob handler does stat /home/$USER and gets back ENOENT. It then does a mkdir /home/$USER but since this is a mount point, that operation is not allowed.

If you instead automounted /home, it would probably work, but then all users' home directories would be exposed, and I am guessing that you only want the currently logged in user's home directory automounted.

A simple test: change the automount map to just mount /home completely, and then create a new user. I'm guessing that will work. Basically

/etc/auto.home:
/home       -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/

Thanks for all the help!

Regards,
Nidal

--- On Fri, 5/13/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Friday, May 13, 2011, 10:11 AM

On 05/13/2011 12:57 PM, nasir nasir wrote:

Adam/Nalin,

Two cases,
1) When I am testing this by manually mounting the NFS share (which is /xtra) on the NFS server itself using the following command,

# mount -vvvv -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home

I get whatever problem I described in the previous mail (permission issues). Now this could be because here IPA is not managing the user/group permissions completely (correct me if I am wrong in this assumption) and all the problems you described happen.

I think that, in order to have a complete set up, IPA needs to manage the user IDs for your NFS server. Otherwise, you will have to work at getting the user IDs in sync, and without that, you do not have a workable NFS solution, and thus no Automount.

2) When I DO NOT mount manually and instead I try to login as a new user on the nfsserver machine, it creates the home folder for this user on the /home partition of the nfsserver machine because automount is NOT working and hence there is no mounted partition to confuse things.

So to be able to test it properly, I need to fix the issue in automount and get case #2 tested and working properly with /home automatically mounted from the nfsserver. This is my "ipa automountlocation-tofiles default" output,

/etc/auto.master:
/-      /etc/auto.direct
/share  /etc/auto.share
/home   /etc/auto.home
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.share:
---------------------------
/etc/auto.home:
*       -rw,sec=krb5,soft,rsize=8192,wsize=8192 nfsserver.cohort.org:/xtra/home/&

Is this OK? Please help.

If you don't do NFS, then you have no way to share the users' directories. If you do the ipa-client option to automatically create directories on first login, your users will get a new unique home directory on each machine they log in to, which probably isn't what you want.

I'm a little confused by what you wrote above: why would you be mounting at all on the NFS server machine?
The NFS server should be exporting the FS, and logging in to that machine as a new user should correctly create the home directory. Unless, of course, you are doing something like mounting the NFS volume on /mnt/nfsexport, and then NFS mounting that to /home on the same machine, but that would be inefficient. But since it looks like your NFS server is specified as nfsserver.cohort.org:/xtra/home/ I'm guessing that you just mistyped above, or I misparsed it.

The NFS server should not do automount. And I think this might be part of the problem: you need it to do the rest of identity management, but not automount. You can probably just chkconfig off autofs on the NFS server. I'm not sure if there is a cleaner solution.

Thanks and regards,
Nidal

--- On Fri, 5/13/11, Adam Young wrote:

From: Adam Young
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: "nasir nasir"
Cc: freeipa-users at redhat.com
Date: Friday, May 13, 2011, 9:29 AM

On 05/13/2011 12:13 PM, nasir nasir wrote:

Adam,

Thanks indeed!

I tried your suggestions.

-- I can mkdir
-- When I try to chown, I get the following error

chown: changing ownership of `nasir': Operation not permitted

Could you please explain to me what you mean by 'You probably need rwx permissions in /etc/export'? This is my /etc/export file,

See the '(rw' in those lines? That indicates read and write privs, but not execute. I'm not an NFS guru, so I might be wrong. This post suggests that I am wrong: http://jackhammer.org/node/7

Since IPA is managing the IDs, they should be in sync across the NFS and automounted client machines, but there might be something not right in the setup. If the IPA server isn't managing the machine that serves as your NFS server, then the IDs are certainly going to be out of sync.
/xtra *(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5i(rw,fsid=0,insecure,no_root_squash,no_subtree_check)
/xtra gss/krb5p(rw,fsid=0,insecure,no_root_squash,no_subtree_check)

Also, I have configured a separate client machine (RHEL 6.1) and configured it as NFS server (previously my NFS server was the IPA server itself) and the result is the same. All the above commands are from this client machine only.

Thanks indeed again!

Regards,
Nidal

oddjob-mkhomedir[16401]: error setting permissions on /home/abc: Operation not permitted

It might be a root squash issue. My guess is that the order of operations for creating a root directory, which is done by root, is:

1. mkdir /home/userid
2. chown uid:gid /home/userid

It sounds from the error message that the first stage happened, but NFS is not allowing the second stage. To confirm, as a root (and kinit admin) user on the client machine, just try these two steps in order and see if they still fail.

chown is a different system call from mkdir, and might have different NFS enforced permissions. You probably need rwx permissions in /etc/export.

From jhrozek at redhat.com Mon May 16 08:23:28 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 16 May 2011 10:23:28 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <142200.49205.qm@web161307.mail.bf1.yahoo.com>
References: <142200.49205.qm@web161307.mail.bf1.yahoo.com>
Message-ID: <4DD0DF00.3060102@redhat.com>

On 05/15/2011 06:49 AM, nasir nasir wrote:
> Thanks again!
>
> NO, it was not set.
> I added it manually now (automount: ldap) and
> now a different error pops up in /var/log/messages while restarting
> autofs service,
>
> May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol:
> ERR_remove_state)
> May 15 06:32:04 hugayat automount[16256]: lookup_nss_read_master:
> auto.master not found, replacing '.' with '_'
> May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol:
> ERR_remove_state)
> May 15 06:32:04 hugayat automount[16256]: no mounts in table
>
> Quick googling shows that it was part of a bug in earlier version of
> autofs(5.0.3) but later fixed. Mine is autofs-5.0.5-29.el6.i686
>
> Also, the symbol ERR_remove_state is part of openssl right ? following
> is my output of ldd command of lookup_ldap.so,

I think you ran into https://bugzilla.redhat.com/show_bug.cgi?id=579963

The ERR_remove_state call was removed in autofs-5.0.5-30.el6. I did a quick test with that version and it seemed to work fine.

As for the configuration, the necessary steps are:

1) edit /etc/nsswitch.conf and put "automount: ldap". It is also OK to configure more sources such as "automount: files ldap".

2) edit /etc/sysconfig/autofs

You'll want to specify at least LDAP_URI and SEARCH_BASE according to your server environment. In order for the correct attributes to be searched for, you also need to uncomment the last set of attribute mappings:

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

3) service autofs restart

If things still don't work, the logs should tell us more. If you run autofs with -v -d it would even list the exact mount invocation, which could be useful to determine the exact problem.
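The three steps above, as an added check a client can run before step 3. This script is not from the thread or from the FreeIPA project: it reads /etc/nsswitch.conf and /etc/sysconfig/autofs in the form RHEL 6 ships them and reports which of the settings Jakub lists are missing or still commented out, returning the number of problems so a deployment script can gate `service autofs restart` on it. The attribute names it compares against are the ones in the message; the sample nsswitch.conf and sysconfig files it writes to a temporary directory, with the hostname ipa.example.test and base DN dc=example,dc=test, are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: lint the
# client-side autofs settings from Jakub's three steps before restarting
# autofs. Point check_autofs_ldap_config at the real /etc/nsswitch.conf
# and /etc/sysconfig/autofs; the files built under $DEMO_DIR below are
# constructed sample input so the script runs offline.

# Attribute mappings autofs needs in order to find FreeIPA's maps (the
# names Jakub lists; the stock RHEL 6 file ships them commented out).
IPA_AUTOFS_MAPPINGS="MAP_OBJECT_CLASS=automountMap ENTRY_OBJECT_CLASS=automount \
MAP_ATTRIBUTE=automountMapName ENTRY_ATTRIBUTE=automountKey \
VALUE_ATTRIBUTE=automountInformation"

# Print the value of KEY from a sysconfig-style file (KEY=value or
# KEY="value"), skipping commented-out lines; prints nothing if unset.
sysconfig_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# True if the active 'automount:' line in nsswitch.conf lists ldap
# (so "automount: ldap" and "automount: files ldap" both pass).
nsswitch_has_ldap_automount() {
    # $1 = nsswitch.conf
    grep -E '^[[:space:]]*automount:' "$1" | grep -qw ldap
}

# Report every missing or wrong setting; the return value is the number
# of problems, so 0 means the client is configured as described.
check_autofs_ldap_config() {
    nss="$1"; autofs="$2"; problems=0

    # Step 1: automount lookups must go to ldap.
    if ! nsswitch_has_ldap_automount "$nss"; then
        echo "$nss: 'automount:' line does not list ldap"
        problems=$((problems + 1))
    fi

    # Step 2a: server and search base have no usable default.
    for key in LDAP_URI SEARCH_BASE; do
        if [ -z "$(sysconfig_get "$autofs" "$key")" ]; then
            echo "$autofs: $key is not set"
            problems=$((problems + 1))
        fi
    done

    # Step 2b: each mapping must be uncommented with exactly the IPA value.
    for pair in $IPA_AUTOFS_MAPPINGS; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sysconfig_get "$autofs" "$key")"
        if [ "$got" != "$want" ]; then
            echo "$autofs: $key is '${got:-unset}', expected '$want'"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# --- constructed sample input (hostname and base DN are made up) ---
DEMO_DIR="$(mktemp -d)"
DEMO_NSS="$DEMO_DIR/nsswitch.conf"
DEMO_AUTOFS_GOOD="$DEMO_DIR/autofs.configured"
DEMO_AUTOFS_STOCK="$DEMO_DIR/autofs.stock"

cat > "$DEMO_NSS" <<'EOF'
passwd:     files sss
automount:  files ldap
EOF

# A client edited as Jakub describes.
cat > "$DEMO_AUTOFS_GOOD" <<'EOF'
TIMEOUT=300
LDAP_URI="ldap://ipa.example.test"
SEARCH_BASE="cn=default,cn=automount,dc=example,dc=test"
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
EOF

# An untouched file: no server given, mappings still commented out.
cat > "$DEMO_AUTOFS_STOCK" <<'EOF'
TIMEOUT=300
#LDAP_URI="ldap://ldap.example.com"
#SEARCH_BASE="dc=example,dc=com"
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
EOF

echo "== configured client =="
check_autofs_ldap_config "$DEMO_NSS" "$DEMO_AUTOFS_GOOD" && echo "ok, safe to run: service autofs restart"
echo "== stock client =="
check_autofs_ldap_config "$DEMO_NSS" "$DEMO_AUTOFS_STOCK" || echo "$? problem(s) found"
```

Run it with `sh` on a client and use `check_autofs_ldap_config /etc/nsswitch.conf /etc/sysconfig/autofs` in place of the demo paths. It only checks the static settings from this message; whether LDAP_URI is reachable and whether the maps actually exist under SEARCH_BASE is what the `automount -v -d` output Jakub mentions will show.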
From kollathodi at yahoo.com Mon May 16 12:08:59 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 16 May 2011 05:08:59 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DD0DF00.3060102@redhat.com>
Message-ID: <831454.73858.qm@web161302.mail.bf1.yahoo.com>

Thanks indeed for the reply!

I updated the autofs package to version 5.0.5-30.el6.i686 and that error is gone now. But still automounting is not happening. Following is the relevant portion of /var/log/messages on one of the IPA client machines (RHEL 6.1 beta) configured with the --mkhomedir switch.

May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): looking up test1
May 16 14:14:13 rhel automount[1787]: find_server: trying server uri ldap://192.168.1.240
May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): ldap simple bind returned 0
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): check search base list
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
May 16 14:14:13 rhel automount[1787]: connected to uri ldap://192.168.1.240
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=test1)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): getting first entry for automountKey="test1"
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): examining first entry
May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): test1 -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/test1") -> hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: sun_mount: parse(sun): mounting root /home, mountpoint test1, what hugayat.cohort.org:/xtra/home/test1, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): root=/home name=test1 what=hugayat.cohort.org:/xtra/home/test1, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mkdir_path /home/test1
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1 /home/test1
May 16 14:14:13 rhel automount[1787]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
May 16 14:14:13 rhel automount[1787]: >>   No such file or directory
May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs: mount failure hugayat.cohort.org:/xtra/home/test1 on /home/test1
May 16 14:14:13 rhel automount[1787]: dev_ioctl_send_fail: token = 47
May 16 14:14:13 rhel automount[1787]: failed to mount /home/test1

Please note the following points,

   -- All the configuration you had suggested for autofs & nsswitch had already been done
   -- My NFS server is another IPA client machine with RHEL 6.1 (hugayat.cohort.org)
   -- This NFS server has /xtra/home/ as the NFS partition and /etc/exports file as follows

/xtra/home  *(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

   -- Output of the command ipa automountlocation-tofiles default

/etc/auto.master:
/-      /etc/auto.direct
/home   /etc/auto.home
/share  /etc/auto.share
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.home:
*       -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
---------------------------
/etc/auto.share:

I have played with various entries corresponding to /etc/auto.home (like /home instead of *) but with no success.

Any idea ?

Regards,
Nidal

--- On Mon, 5/16/11, Jakub Hrozek wrote:

From: Jakub Hrozek
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: freeipa-users at redhat.com
Date: Monday, May 16, 2011, 1:23 AM

On 05/15/2011 06:49 AM, nasir nasir wrote:
> Thanks again!
>
> NO, it was not set. I added it manually now (automount: ldap) and
> now a different error pops up in /var/log/messages while restarting
> autofs service,
>
> May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol:
> ERR_remove_state)
> May 15 06:32:04 hugayat automount[16256]: lookup_nss_read_master:
> auto.master not found, replacing '.' with '_'
> May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol:
> ERR_remove_state)
> May 15 06:32:04 hugayat automount[16256]: no mounts in table
>
> Quick googling shows that it was part of a bug in earlier version of
> autofs(5.0.3) but later fixed. Mine is autofs-5.0.5-29.el6.i686
>
> Also, the symbol ERR_remove_state is part of openssl right ? following
> is my output of ldd command of lookup_ldap.so,

I think you ran into https://bugzilla.redhat.com/show_bug.cgi?id=579963

The ERR_remove_state call was removed in autofs-5.0.5-30.el6. I did a quick test with that version and it seemed to work fine.

As for the configuration, the necessary steps are:

1) edit /etc/nsswitch.conf and put "automount: ldap". It is also OK to configure more sources such as "automount: files ldap".

2) edit /etc/sysconfig/autofs

You'll want to specify at least LDAP_URI and SEARCH_BASE according to your server environment. In order for the correct attributes to be searched for, you also need to uncomment the last set of attribute mappings:

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

3) service autofs restart

If things still don't work, the logs should tell us more. If you run autofs with -v -d it would even list the exact mount invocation, which could be useful to determine the exact problem.
-----Inline Attachment Follows-----

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From ayoung at redhat.com Mon May 16 13:35:02 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 16 May 2011 09:35:02 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <831454.73858.qm@web161302.mail.bf1.yahoo.com>
References: <831454.73858.qm@web161302.mail.bf1.yahoo.com>
Message-ID: <4DD12806.4090801@redhat.com>

I'm guessing that the user you are trying to create is test1? And the directory /xtra/home/test1 does not yet exist? Does a precreated directory automount?

On 05/16/2011 08:08 AM, nasir nasir wrote:
>
> Thanks indeed for the reply!
>
> I updated the autofs package with version 5.0.5-30.el6.i686 and that
> error is gone now. But still automounting is not happening. Following
> is the relevant portion of /var/log/messages in one of the IPA client
> machine(RHEL 6.1 beta) configured with --mkhomedir switch .
>
> May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): looking up test1
> May 16 14:14:13 rhel automount[1787]: find_server: trying server uri ldap://192.168.1.240
> May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
> May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): ldap simple bind returned 0
> May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): check search base list
> May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
> May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
> May 16 14:14:13 rhel automount[1787]: connected to uri ldap://192.168.1.240
> May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=test1)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
> May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): getting first entry for automountKey="test1"
> May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): examining first entry
> May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): test1 -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
> May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1
> May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
> May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/test1") -> hugayat.cohort.org:/xtra/home/test1
> May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/test1
> May 16 14:14:13 rhel automount[1787]: sun_mount: parse(sun): mounting root /home, mountpoint test1, what hugayat.cohort.org:/xtra/home/test1, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
> May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): root=/home name=test1 what=hugayat.cohort.org:/xtra/home/test1, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
> May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
> May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mkdir_path /home/test1
> May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1 /home/test1
> May 16 14:14:13 rhel automount[1787]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
> May 16 14:14:13 rhel automount[1787]: >> No such file or directory
> May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs: mount failure hugayat.cohort.org:/xtra/home/test1 on /home/test1
> May 16 14:14:13 rhel automount[1787]: dev_ioctl_send_fail: token = 47
> May 16 14:14:13 rhel automount[1787]: failed to mount /home/test1
>
>
> Please note the following points,
>
> -- All the configuration you had suggested for autofs & nsswitch had already been done
> -- My NFS server is another IPA client machine with RHEL 6.1 (hugayat.cohort.org)
> -- This NFS server has /xtra/home/ as the NFS partition and /etc/exports file as follows
>
> /xtra/home *(rw,fsid=0,insecure,no_subtree_check)
> /xtra/home gss/krb5(rw,fsid=0,insecure,no_subtree_check)
> /xtra/home gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
> /xtra/home gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
>
> -- Output of the command ipa automountlocation-tofiles default
>
> /etc/auto.master:
> /-	/etc/auto.direct
> /home	/etc/auto.home
> /share	/etc/auto.share
> ---------------------------
> /etc/auto.direct:
> ---------------------------
> /etc/auto.home:
> *	-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
> ---------------------------
> /etc/auto.share:
>
> I have played with various entries corresponding to /etc/auto.home (like /home instead of *) but with no success.
>
> Any idea ?
>
> Regards,
> Nidal
>
>
> --- On Mon, 5/16/11, Jakub Hrozek wrote:
>
> From: Jakub Hrozek
> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> To: freeipa-users at redhat.com
> Date: Monday, May 16, 2011, 1:23 AM
>
> On 05/15/2011 06:49 AM, nasir nasir wrote:
> > Thanks again!
> >
> > NO, it was not set. I added it manually now (automount: ldap) and now a different error pops up in /var/log/messages while restarting the autofs service,
> >
> > May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol: ERR_remove_state)
> > May 15 06:32:04 hugayat automount[16256]: lookup_nss_read_master: auto.master not found, replacing '.' with '_'
> > May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol: ERR_remove_state)
> > May 15 06:32:04 hugayat automount[16256]: no mounts in table
> >
> > Quick googling shows that it was part of a bug in an earlier version of autofs (5.0.3) but later fixed. Mine is autofs-5.0.5-29.el6.i686
> >
> > Also, the symbol ERR_remove_state is part of openssl right ? following is my output of the ldd command on lookup_ldap.so,
>
> I think you ran into https://bugzilla.redhat.com/show_bug.cgi?id=579963
>
> The ERR_remove_state call was removed in autofs-5.0.5-30.el6.
> I did a quick test with that version and it seemed to work fine.
>
> As per the configuration, the necessary steps are:
> 1) edit /etc/nsswitch.conf and put "automount: ldap". It is also OK to configure more sources such as "automount: files ldap".
>
> 2) edit /etc/sysconfig/autofs
> You'll want to specify at least LDAP_URI and SEARCH_BASE according to your server environment. In order for the correct attributes to be searched for, you also need to uncomment the last set of attribute mappings:
>
> MAP_OBJECT_CLASS="automountMap"
> ENTRY_OBJECT_CLASS="automount"
> MAP_ATTRIBUTE="automountMapName"
> ENTRY_ATTRIBUTE="automountKey"
> VALUE_ATTRIBUTE="automountInformation"
>
> 3) service autofs restart
>
> If things still don't work, the logs should tell us more. If you run autofs with -v -d it would even list the exact mount invocation, which could be useful to determine the exact problem.

From dpal at redhat.com Mon May 16 13:41:14 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 May 2011 09:41:14 -0400
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DCE95D6.2070104@nixtra.com>
References: <4DCE95D6.2070104@nixtra.com>
Message-ID: <4DD1297A.8060701@redhat.com>

On 05/14/2011 10:46 AM, Sigbjorn Lie wrote:
> I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started.
>
> I noticed this as my test virtualization host has had its power cord knocked out a few times.
> When I restart the host machine, all the virtual machines are started at the same time, causing (a lot) higher than normal latency for each virtual machine.
>
> This causes the IPA daemons to start, while during the startup one or several IPA daemons fail due to dependencies on other daemons which are not started yet, and all the IPA daemons are stopped as not all the IPA daemons started successfully. I've noticed that the default behavior of the ipactl command is to shut down all the IPA daemons, if any of the IPA daemons should fail during startup.
>
> This can be seen in the logs of the individual services, as some are started successfully, just to receive a shutdown signal shortly after. It seems to be the pki-ca which shut down my IPA services this morning.
>
> When rebooting the virtual machine running the IPA daemons during normal load of the host machine, all the IPA daemons start successfully. Logging on to the IPA server and manually starting the IPA daemons after the load of the host machine has decreased also works.
>
> I suggest changing the startup scripts to allow (a lot) longer startup times for the IPA daemons prior to failing them.

F15 introduced a new way to start daemons and define dependencies. We have in our plans to port IPA to use systemd in F16. This will have implications on the architecture of the service startup in general and most likely will affect the current way of starting services too.

>
> Rgds,
> Siggi

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Mon May 16 13:46:36 2011
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 16 May 2011 15:46:36 +0200
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <831454.73858.qm@web161302.mail.bf1.yahoo.com>
References: <831454.73858.qm@web161302.mail.bf1.yahoo.com>
Message-ID: <4DD12ABC.5020702@redhat.com>

On 05/16/2011 02:08 PM, nasir nasir wrote:
> May 16 14:14:13 rhel automount[1787]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
> May 16 14:14:13 rhel automount[1787]: >> No such file or directory
> May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs: mount failure hugayat.cohort.org:/xtra/home/test1 on /home/test1

According to this ^^ I suspect the NFS server is the culprit, not the automount.

Does manually mounting the homedir work? Does "showmount -e hugayat.cohort.org" list the exports?

From simo at redhat.com Mon May 16 13:52:01 2011
From: simo at redhat.com (Simo Sorce)
Date: Mon, 16 May 2011 09:52:01 -0400
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DCE95D6.2070104@nixtra.com>
References: <4DCE95D6.2070104@nixtra.com>
Message-ID: <1305553921.20666.13.camel@willson.li.ssimo.org>

On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
> I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started.
>
> I noticed this as my test virtualization host has had its power cord knocked out a few times. When I restart the host machine, all the virtual machines are started at the same time, causing (a lot) higher than normal latency for each virtual machine.
>
> This causes the IPA daemons to start, while during the startup one or several IPA daemons fail due to dependencies on other daemons which are not started yet, and all the IPA daemons are stopped as not all the IPA daemons started successfully. I've noticed that the default behavior of the ipactl command is to shut down all the IPA daemons, if any of the IPA daemons should fail during startup.
>
> This can be seen in the logs of the individual services, as some are started successfully, just to receive a shutdown signal shortly after. It seems to be the pki-ca which shut down my IPA services this morning.
>
> When rebooting the virtual machine running the IPA daemons during normal load of the host machine, all the IPA daemons start successfully. Logging on to the IPA server and manually starting the IPA daemons after the load of the host machine has decreased also works.
>
> I suggest changing the startup scripts to allow (a lot) longer startup times for the IPA daemons prior to failing them.

At the moment we just run service start and wait until it is done. If the pki-cad service times out and returns an error I think we need to open a bug against the dogtag component as that is the cause.

Can you open a bug in the freeipa trac with logs showing that service is responsible for the failure ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Mon May 16 14:01:51 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 16 May 2011 16:01:51 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DD1297A.8060701@redhat.com>
References: <4DCE95D6.2070104@nixtra.com> <4DD1297A.8060701@redhat.com>
Message-ID: <4DD12E4F.4010307@nixtra.com>

On 05/16/2011 03:41 PM, Dmitri Pal wrote:
> On 05/14/2011 10:46 AM, Sigbjorn Lie wrote:
>> I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started.
>> >> I noticed this is as my test virtualization host has had it's power >> cord knocked out a few times. When I restart the host machine, all the >> virtual machines is started at the same time, causing (a lot) higher >> than normal latency for each virtual machine. >> >> This causes the IPA daemons to start, while during the startup one or >> several IPA daemons fails due to dependencies of other daemons which >> is not started yet, and all the IPA daemons is stopped as not all the >> IPA daemons started successfully. I've noticed that the default >> behavior of the ipactl command is to shut down all the IPA daemons, if >> any of the IPA daemons should fail during startup. >> >> This can be seen in the logs of the individual services, as some is >> started successfully, just to receive a shutdown signal shortly after. >> It seem to be the pki-ca which shut down my IPA services this morning. >> >> When rebooting the virtual machine running the IPA daemons during >> normal load of the host machine, all the IPA daemons start >> successfully. Logging on to the IPA server and manually starting the >> IPA daemons after the load of the host machine has decreased also works. >> >> I suggest changing the startup scripts to allow (a lot) longer startup >> times for the IPA daemons prior to failing them. > > F15 introduced new way to start daemons and define dependencies. > We have in our plans to port IPA to use systemd in F16. This will have > implications on the architecture of the service startup in general and > most likely will affect the current way of starting services too. > This was RHEL 6.1beta I tested at. I presume it will be some time before systemd will make it's way into RHEL? What can be done in the meantime for IPA in RHEL? 
Rgds, Siggi From rcritten at redhat.com Mon May 16 14:25:53 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 16 May 2011 10:25:53 -0400 Subject: [Freeipa-users] IPA Startup issues In-Reply-To: <4DD12E4F.4010307@nixtra.com> References: <4DCE95D6.2070104@nixtra.com> <4DD1297A.8060701@redhat.com> <4DD12E4F.4010307@nixtra.com> Message-ID: <4DD133F1.1020003@redhat.com> Sigbjorn Lie wrote: > On 05/16/2011 03:41 PM, Dmitri Pal wrote: >> On 05/14/2011 10:46 AM, Sigbjorn Lie wrote: >>> I've noticed that if the machine running IPA is very busy at startup, >>> the IPA services will not be online when the machine is started. >>> >>> I noticed this is as my test virtualization host has had it's power >>> cord knocked out a few times. When I restart the host machine, all the >>> virtual machines is started at the same time, causing (a lot) higher >>> than normal latency for each virtual machine. >>> >>> This causes the IPA daemons to start, while during the startup one or >>> several IPA daemons fails due to dependencies of other daemons which >>> is not started yet, and all the IPA daemons is stopped as not all the >>> IPA daemons started successfully. I've noticed that the default >>> behavior of the ipactl command is to shut down all the IPA daemons, if >>> any of the IPA daemons should fail during startup. >>> >>> This can be seen in the logs of the individual services, as some is >>> started successfully, just to receive a shutdown signal shortly after. >>> It seem to be the pki-ca which shut down my IPA services this morning. >>> >>> When rebooting the virtual machine running the IPA daemons during >>> normal load of the host machine, all the IPA daemons start >>> successfully. Logging on to the IPA server and manually starting the >>> IPA daemons after the load of the host machine has decreased also works. >>> >>> I suggest changing the startup scripts to allow (a lot) longer startup >>> times for the IPA daemons prior to failing them. 
>> >> F15 introduced new way to start daemons and define dependencies. >> We have in our plans to port IPA to use systemd in F16. This will have >> implications on the architecture of the service startup in general and >> most likely will affect the current way of starting services too. >> > > This was RHEL 6.1beta I tested at. I presume it will be some time before > systemd will make it's way into RHEL? What can be done in the meantime > for IPA in RHEL? Can you be more specific which services didn't start? rob From sigbjorn at nixtra.com Mon May 16 14:43:43 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 16 May 2011 16:43:43 +0200 Subject: [Freeipa-users] IPA Startup issues In-Reply-To: <1305553921.20666.13.camel@willson.li.ssimo.org> References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> Message-ID: <4DD1381F.6030903@nixtra.com> On 05/16/2011 03:52 PM, Simo Sorce wrote: > On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote: >> I've noticed that if the machine running IPA is very busy at startup, >> the IPA services will not be online when the machine is started. >> >> I noticed this is as my test virtualization host has had it's power cord >> knocked out a few times. When I restart the host machine, all the >> virtual machines is started at the same time, causing (a lot) higher >> than normal latency for each virtual machine. >> >> This causes the IPA daemons to start, while during the startup one or >> several IPA daemons fails due to dependencies of other daemons which is >> not started yet, and all the IPA daemons is stopped as not all the IPA >> daemons started successfully. I've noticed that the default behavior of >> the ipactl command is to shut down all the IPA daemons, if any of the >> IPA daemons should fail during startup. >> >> This can be seen in the logs of the individual services, as some is >> started successfully, just to receive a shutdown signal shortly after. 
>> It seems to be the pki-ca which shut down my IPA services this morning.
>>
>> When rebooting the virtual machine running the IPA daemons during normal load of the host machine, all the IPA daemons start successfully. Logging on to the IPA server and manually starting the IPA daemons after the load of the host machine has decreased also works.
>>
>> I suggest changing the startup scripts to allow (a lot) longer startup times for the IPA daemons prior to failing them.
> At the moment we just run service start and wait until it is done. If the pki-cad service times out and returns an error I think we need to open a bug against the dogtag component as that is the cause.
>
> Can you open a bug in the freeipa trac with logs showing that service is responsible for the failure ?

I haven't been able to figure out which service failed IPA yet. A lot of log files scattered around. As you can see from the slapd errors file, the slapd daemon was available for almost 3 minutes before receiving the shutdown signal. I notice now that the PKI daemon failed 8 seconds after slapd had shut down, so I was wrong in blaming the PKI daemon.

See below for a list of log files I've been through. They all have one thing in common: the daemons start when the host machine is started, at approx 06:34, then receive a shutdown signal around 06:37. Some time later, when the host has calmed down, I log in and manually start IPA using "ipactl start", and all the daemons start without any problem. And they keep running after my manual intervention.

I wish I could be more specific, but I'm unsure where else to look. Suggestions?

/var/log/krb5kdc.log
/var/log/pki-ca/catalina.out
/var/log/dirsrv/slapd-IX-TEST-COM/errors
/var/log/dirsrv/slapd-PKI-IPA/errors
/var/log/httpd/error_log
/var/log/messages (named log)

slapd errors:

[14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up
[14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[14/May/2011:06:34:39 +0200] schema-compat-plugin - warning: no entries set up under , ou=SUDOers, dc=ix,dc=TEST,dc=com
[14/May/2011:06:34:39 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ix,dc=TEST,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[14/May/2011:06:34:40 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ix,dc=TEST,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[14/May/2011:06:34:41 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[14/May/2011:06:34:41 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[14/May/2011:06:34:42 +0200] - Listening on /var/run/slapd-IX-TEST-COM.socket for LDAPI requests
[14/May/2011:06:37:30 +0200] - slapd shutting down - signaling operation threads
[14/May/2011:06:37:30 +0200] - slapd shutting down - closing down internal subsystems and plugins
[14/May/2011:06:37:31 +0200] - Waiting for 4 database threads to stop
[14/May/2011:06:37:32 +0200] - All database threads now stopped
[14/May/2011:06:37:32 +0200] - slapd stopped.

/var/log/pki-ca/system:
1871.main - [14/May/2011:06:37:40 CEST] [8] [3] In Ldap (bound) connection pool to host ipasrv01.ix.TEST.com port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://ipasrv01.ix.TEST.com:7389 (91)

From sigbjorn at nixtra.com Mon May 16 14:44:34 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 16 May 2011 16:44:34 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DD133F1.1020003@redhat.com>
References: <4DCE95D6.2070104@nixtra.com> <4DD1297A.8060701@redhat.com> <4DD12E4F.4010307@nixtra.com> <4DD133F1.1020003@redhat.com>
Message-ID: <4DD13852.7010009@nixtra.com>

On 05/16/2011 04:25 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On 05/16/2011 03:41 PM, Dmitri Pal wrote:
>>> On 05/14/2011 10:46 AM, Sigbjorn Lie wrote:
>>>> I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started.
>>>>
>>>> I noticed this as my test virtualization host has had its power cord knocked out a few times. When I restart the host machine, all the virtual machines are started at the same time, causing (a lot) higher than normal latency for each virtual machine.
>>>>
>>>> This causes the IPA daemons to start, while during the startup one or several IPA daemons fail due to dependencies on other daemons which are not started yet, and all the IPA daemons are stopped as not all the IPA daemons started successfully. I've noticed that the default behavior of the ipactl command is to shut down all the IPA daemons, if any of the IPA daemons should fail during startup.
>>>>
>>>> This can be seen in the logs of the individual services, as some are started successfully, just to receive a shutdown signal shortly after. It seems to be the pki-ca which shut down my IPA services this morning.
>>>>
>>>> When rebooting the virtual machine running the IPA daemons during normal load of the host machine, all the IPA daemons start successfully.
Logging on to the IPA server and manually starting the >>>> IPA daemons after the load of the host machine has decreased also >>>> works. >>>> >>>> I suggest changing the startup scripts to allow (a lot) longer startup >>>> times for the IPA daemons prior to failing them. >>> >>> F15 introduced new way to start daemons and define dependencies. >>> We have in our plans to port IPA to use systemd in F16. This will have >>> implications on the architecture of the service startup in general and >>> most likely will affect the current way of starting services too. >>> >> >> This was RHEL 6.1beta I tested at. I presume it will be some time before >> systemd will make it's way into RHEL? What can be done in the meantime >> for IPA in RHEL? > > Can you be more specific which services didn't start? Please see my previous post when replying to Simo Sorce. Rgds, Siggi From rmeggins at redhat.com Mon May 16 14:56:34 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 16 May 2011 08:56:34 -0600 Subject: [Freeipa-users] IPA Startup issues In-Reply-To: <4DD1381F.6030903@nixtra.com> References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> Message-ID: <4DD13B22.9030604@redhat.com> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote: > On 05/16/2011 03:52 PM, Simo Sorce wrote: >> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote: >>> I've noticed that if the machine running IPA is very busy at startup, >>> the IPA services will not be online when the machine is started. >>> >>> I noticed this is as my test virtualization host has had it's power >>> cord >>> knocked out a few times. When I restart the host machine, all the >>> virtual machines is started at the same time, causing (a lot) higher >>> than normal latency for each virtual machine. 
>>> >>> This causes the IPA daemons to start, while during the startup one or >>> several IPA daemons fails due to dependencies of other daemons which is >>> not started yet, and all the IPA daemons is stopped as not all the IPA >>> daemons started successfully. I've noticed that the default behavior of >>> the ipactl command is to shut down all the IPA daemons, if any of the >>> IPA daemons should fail during startup. >>> >>> This can be seen in the logs of the individual services, as some is >>> started successfully, just to receive a shutdown signal shortly after. >>> It seem to be the pki-ca which shut down my IPA services this morning. >>> >>> When rebooting the virtual machine running the IPA daemons during >>> normal >>> load of the host machine, all the IPA daemons start successfully. >>> Logging on to the IPA server and manually starting the IPA daemons >>> after >>> the load of the host machine has decreased also works. >>> >>> I suggest changing the startup scripts to allow (a lot) longer startup >>> times for the IPA daemons prior to failing them. >> At the moment we just run service start and wait until it is >> done. If the pki-cad service timeouts and returns an error I think we >> need to open a bug against the dogtag component as that is the cause. >> >> Can you open a bug in the freeipa trac with logs showing that service is >> responsible for the failure ? > > I haven't been able to figure out which service that failed IPA yet. A > lot of log files scattered around. As you can see from the slapd > errors file, the slapd daemon was available for almost 3 minutes > before receiving the shutdown signal. I notice now that the PKI daemon > failed 8 seconds after slapd had shut down, so I was wrong in blaming > the PKI daemon. > > See below for a list of log files I've been trough. They all have on > thing in common, the daemons starts when the host machine is started, > at approx 06:34, then receives a shutdown signal around 06:37. 
Some > time later when the host has calmed down, I'm logging in and manually > starting IPA using "ipactl start", and all the daemons start without > any problem. And they keep running after my manual intervention. > > I wish I could be more specific, but I'm unsure where else to look. > Suggestions? > > > /var/log/krb5kdc.log > /var/log/pki-ca/catalina.out > /var/log/dirsrv/slapd-IX-TEST-COM/errors > /var/log/dirsrv/slapd-PKI-IPA/errors > /var/log/httpd/error_log > /var/log/messages (named log) > > slapd errors: > > [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 > starting up > [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. 1) Disorderly Shutdown means a) crash b) kill -9 or similar - neither of which should be happening - is this the replica install or the first master install? > [14/May/2011:06:34:39 +0200] schema-compat-plugin - warning: no > entries set up under , ou=SUDOers, dc=ix,dc=TEST,dc=com > [14/May/2011:06:34:39 +0200] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=ix,dc=TEST,dc=com--no CoS Templates found, which > should be added b > efore the CoS Definition. > [14/May/2011:06:34:40 +0200] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=ix,dc=TEST,dc=com--no CoS Templates found, which > should be added b > efore the CoS Definition. > [14/May/2011:06:34:41 +0200] - slapd started. 
Listening on All > Interfaces port 389 for LDAP requests > [14/May/2011:06:34:41 +0200] - Listening on All Interfaces port 636 > for LDAPS requests > [14/May/2011:06:34:42 +0200] - Listening on > /var/run/slapd-IX-TEST-COM.socket for LDAPI requests > [14/May/2011:06:37:30 +0200] - slapd shutting down - signaling > operation threads > [14/May/2011:06:37:30 +0200] - slapd shutting down - closing down > internal subsystems and plugins > [14/May/2011:06:37:31 +0200] - Waiting for 4 database threads to stop > [14/May/2011:06:37:32 +0200] - All database threads now stopped > [14/May/2011:06:37:32 +0200] - slapd stopped. > > > /var/log/pki-ca/system: > 1871.main - [14/May/2011:06:37:40 CEST] [8] [3] In Ldap (bound) > connection pool to host ipasrv01.ix.TEST.com port 7389, Cannot connect > to LDAP server. Error: netscape.ldap.LDAPException: failed to connect > to server ldap://ipasrv01.ix.TEST.com:7389 (91) > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From dpal at redhat.com Mon May 16 14:59:22 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 16 May 2011 10:59:22 -0400 Subject: [Freeipa-users] IPA Startup issues In-Reply-To: <4DD12E4F.4010307@nixtra.com> References: <4DCE95D6.2070104@nixtra.com> <4DD1297A.8060701@redhat.com> <4DD12E4F.4010307@nixtra.com> Message-ID: <4DD13BCA.9050202@redhat.com> On 05/16/2011 10:01 AM, Sigbjorn Lie wrote: > On 05/16/2011 03:41 PM, Dmitri Pal wrote: >> On 05/14/2011 10:46 AM, Sigbjorn Lie wrote: >>> I've noticed that if the machine running IPA is very busy at startup, >>> the IPA services will not be online when the machine is started. >>> >>> I noticed this is as my test virtualization host has had it's power >>> cord knocked out a few times. When I restart the host machine, all the >>> virtual machines is started at the same time, causing (a lot) higher >>> than normal latency for each virtual machine. 
>>> >>> This causes the IPA daemons to start, while during the startup one or >>> several IPA daemons fails due to dependencies of other daemons which >>> is not started yet, and all the IPA daemons is stopped as not all the >>> IPA daemons started successfully. I've noticed that the default >>> behavior of the ipactl command is to shut down all the IPA daemons, if >>> any of the IPA daemons should fail during startup. >>> >>> This can be seen in the logs of the individual services, as some is >>> started successfully, just to receive a shutdown signal shortly after. >>> It seem to be the pki-ca which shut down my IPA services this morning. >>> >>> When rebooting the virtual machine running the IPA daemons during >>> normal load of the host machine, all the IPA daemons start >>> successfully. Logging on to the IPA server and manually starting the >>> IPA daemons after the load of the host machine has decreased also >>> works. >>> >>> I suggest changing the startup scripts to allow (a lot) longer startup >>> times for the IPA daemons prior to failing them. >> >> F15 introduced new way to start daemons and define dependencies. >> We have in our plans to port IPA to use systemd in F16. This will have >> implications on the architecture of the service startup in general and >> most likely will affect the current way of starting services too. >> > > This was RHEL 6.1beta I tested at. I presume it will be some time > before systemd will make it's way into RHEL? What can be done in the > meantime for IPA in RHEL? > I am saying that we will have a deep look at the startup issues when we deal with systemd and some of the analysis might reveal issues that will have to be addressed in RHEL much earlier. But if you have enough logs that show the issue please file a bug or ticket in the upstream trac. 
>
> Rgds,
> Siggi

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From kollathodi at yahoo.com Mon May 16 17:55:08 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 16 May 2011 10:55:08 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DD12806.4090801@redhat.com>
Message-ID: <539939.80700.qm@web161313.mail.bf1.yahoo.com>

Great that you asked these questions! Because I was finding a unique pattern with this!

Yes, the user I am trying to create is test1 and the directory does NOT exist. I had tried with a pre-created one and it works ONLY on the NFS server itself (hugayat.cohort.org). For example, I created /xtra/home/nasir already in my NFS server and when I try from my konsole "ssh -l nasir hugayat.cohort.org" it works. But the same thing does not work when I try "ssh -l nasir SOME_OTHER_CLIENT_MACHINE"; it gives the following error,

[root at openipa ~]# ssh -l nasir rhel.cohort.org
nasir at rhel.cohort.org's password:
Creating home directory for nasir.
Last login: Mon May 16 14:13:17 2011 from 192.168.1.232
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$

Following is the relevant /var/log/messages of rhel.cohort.org at this time,

May 16 20:47:06 rhel automount[1787]: find_server: trying server uri ldap://192.168.1.240
May 16 20:47:06 rhel automount[1787]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
May 16 20:47:06 rhel automount[1787]: do_bind: lookup(ldap): ldap simple bind returned 0
May 16 20:47:06 rhel automount[1787]: get_query_dn: lookup(ldap): check search base list
May 16 20:47:06 rhel automount[1787]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
May 16 20:47:06 rhel automount[1787]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
May 16 20:47:06 rhel automount[1787]: connected to uri ldap://192.168.1.240
May 16 20:47:06 rhel automount[1787]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
May 16 20:47:06 rhel automount[1787]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir"
May 16 20:47:06 rhel automount[1787]: lookup_one: lookup(ldap): examining first entry
May 16 20:47:06 rhel automount[1787]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
May 16 20:47:06 rhel automount[1787]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
May 16 20:47:06 rhel automount[1787]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 20:47:06 rhel automount[1787]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/nasir") -> hugayat.cohort.org:/xtra/home/nasir
May 16 20:47:06 rhel automount[1787]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/nasir
May 16 20:47:06 rhel automount[1787]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 20:47:06 rhel automount[1787]: mount_mount: mount(nfs): root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 20:47:06 rhel automount[1787]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
May 16 20:47:06 rhel automount[1787]: mount_mount: mount(nfs): calling mkdir_path /home/nasir
May 16 20:47:06 rhel automount[1787]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir /home/nasir
May 16 20:47:06 rhel automount[1787]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/nasir failed, reason given by server:
May 16 20:47:06 rhel automount[1787]: >>
No such file or directoryMay 16 20:47:06 rhel automount[1787]: mount(nfs): nfs: mount failure hugayat.cohort.org:/xtra/home/nasir on /home/nasirMay 16 20:47:06 rhel automount[1787]: dev_ioctl_send_fail: token = 180May 16 20:47:06 rhel automount[1787]: failed to mount /home/nasir Following is the /var/log/messages of hugayat.cohort.org when I execute ssh -l nasir hugayat.cohort.org May 16 20:50:27 hugayat automount[7297]: handle_packet: type = 3May 16 20:50:27 hugayat automount[7297]: handle_packet_missing_indirect: token 311, name nasir, request pid 10754May 16 20:50:27 hugayat automount[7297]: attempting to mount entry /home/nasirMay 16 20:50:27 hugayat automount[7297]: set_tsd_user_vars: failed to set stdenv thread varMay 16 20:50:27 hugayat automount[7297]: lookup_mount: lookup(ldap): looking up nasirMay 16 20:50:27 hugayat automount[7297]: find_server: trying server uri ldap://192.168.1.240May 16 20:50:27 hugayat automount[7297]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)May 16 20:50:27 hugayat automount[7297]: do_bind: lookup(ldap): ldap simple bind returned 0May 16 20:50:27 hugayat automount[7297]: get_query_dn: lookup(ldap): check search base list ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?May 16 20:50:27 hugayat automount[7297]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ??May 16 20:50:27 hugayat automount[7297]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?May 16 20:50:27 hugayat automount[7297]: connected to uri ldap://192.168.1.240 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 
??May 16 20:50:27 hugayat automount[7297]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org" ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?May 16 20:50:27 hugayat automount[7297]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir" ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?May 16 20:50:27 hugayat automount[7297]: lookup_one: lookup(ldap): examining first entry ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ??May 16 20:50:27 hugayat automount[7297]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/& ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?May 16 20:50:27 hugayat automount[7297]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?May 16 20:50:27 hugayat automount[7297]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 
??May 16 20:50:27 hugayat automount[7297]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/nasir") -> hugayat.cohort.org:/xtra/home/nasirMay 16 20:50:27 hugayat automount[7297]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/nasirMay 16 20:50:27 hugayat automount[7297]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192May 16 20:50:27 hugayat automount[7297]: mount_mount: mount(nfs): root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192May 16 20:50:27 hugayat automount[7297]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0May 16 20:50:27 hugayat automount[7297]: mount_mount: mount(nfs): calling mkdir_path /home/nasirMay 16 20:50:27 hugayat automount[7297]: mount_mount: mount(nfs): nasir is local, attempt bind mountMay 16 20:50:27 hugayat automount[7297]: mount_mount: mount(bind): calling mkdir_path /home/nasirMay 16 20:50:27 hugayat automount[7297]: mount_mount: mount(bind): calling mount --bind -s ?-o defaults /xtra/home/nasir /home/nasirMay 16 20:50:27 hugayat automount[7297]: mount_mount: mount(bind): mounted /xtra/home/nasir type bind on /home/nasirMay 16 20:50:27 hugayat automount[7297]: dev_ioctl_send_ready: token = 311May 16 20:50:27 hugayat automount[7297]: st_readmap: state 1 path /homeMay 16 20:50:27 hugayat automount[7297]: re-reading map for /homeMay 16 20:50:27 hugayat automount[7297]: lookup_nss_read_map: reading map ldap auto.homeMay 16 20:50:27 hugayat automount[7297]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.home".May 16 20:50:27 hugayat automount[7297]: parse_server_string: lookup(ldap): mapname auto.homeMay 16 20:50:27 hugayat automount[7297]: parse_ldap_config: 
lookup(ldap): ldap authentication configured with the following options:May 16 20:50:27 hugayat automount[7297]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 1, sasl_mech: (null)May 16 20:50:27 hugayat automount[7297]: parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: (null) credential cache: (null)May 16 20:50:27 hugayat automount[7297]: parse_init: parse(sun): init gathered global options: (null)May 16 20:50:27 hugayat automount[7297]: st_ready: st_ready(): state = 4 path /homeMay 16 20:50:27 hugayat automount[7297]: mounted /home/nasir So to sum up, this is the observation, ? ? -- For Non existent directory, it is NOT working for any machine? ? -- For Pre created directories, it works ONLY for the NFS server (hugayat.cohort.org) Thanks and regards,Nasir I'm guessing that the user you are trying to create is test1?? And the directory /xtra/home/test1? does not yet exist?? Does a precreated directory automount? On 05/16/2011 08:08 AM, nasir nasir wrote: Thanks indeed for the reply! I updated the autofs package with version 5.0.5-30.el6.i686?and that error is gone now. But still automounting is not happening. Following is the relevant portion of /var/log/messages in one of the IPA client machine(RHEL 6.1 beta) configured with --mkhomedir switch . 
May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): looking up test1
May 16 14:14:13 rhel automount[1787]: find_server: trying server uri ldap://192.168.1.240
May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
May 16 14:14:13 rhel automount[1787]: do_bind: lookup(ldap): ldap simple bind returned 0
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): check search base list
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
May 16 14:14:13 rhel automount[1787]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
May 16 14:14:13 rhel automount[1787]: connected to uri ldap://192.168.1.240
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=test1)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): getting first entry for automountKey="test1"
May 16 14:14:13 rhel automount[1787]: lookup_one: lookup(ldap): examining first entry
May 16 14:14:13 rhel automount[1787]: lookup_mount: lookup(ldap): test1 -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/test1") -> hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/test1
May 16 14:14:13 rhel automount[1787]: sun_mount: parse(sun): mounting root /home, mountpoint test1, what hugayat.cohort.org:/xtra/home/test1, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): root=/home name=test1 what=hugayat.cohort.org:/xtra/home/test1, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mkdir_path /home/test1
May 16 14:14:13 rhel automount[1787]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/test1 /home/test1
May 16 14:14:13 rhel automount[1787]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
May 16 14:14:13 rhel automount[1787]: >> No such file or directory
May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs: mount failure hugayat.cohort.org:/xtra/home/test1 on /home/test1
May 16 14:14:13 rhel automount[1787]: dev_ioctl_send_fail: token = 47
May 16 14:14:13 rhel automount[1787]: failed to mount /home/test1

Please note the following points,

-- All the configuration you had suggested for autofs & nsswitch had already been done
-- My NFS server is another IPA client machine with RHEL 6.1 (hugayat.cohort.org)
-- This NFS server has /xtra/home/ as the NFS partition and /etc/exports file as follows

/xtra/home  *(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/xtra/home  gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

-- Output of the command ipa automountlocation-tofiles default

/etc/auto.master:
/-      /etc/auto.direct
/home   /etc/auto.home
/share  /etc/auto.share
---------------------------
/etc/auto.direct:
---------------------------
/etc/auto.home:
*       -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
---------------------------
/etc/auto.share:

I have played with various entries corresponding to /etc/auto.home (like /home instead of *) but with no success. Any idea ?

Regards,
Nidal

--- On Mon, 5/16/11, Jakub Hrozek wrote:

From: Jakub Hrozek
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: freeipa-users at redhat.com
Date: Monday, May 16, 2011, 1:23 AM

On 05/15/2011 06:49 AM, nasir nasir wrote:
> Thanks again!
>
> NO, it was not set. I added it manually now (*automount: ldap*) and
> now a different error pops up in /var/log/messages while restarting
> autofs service,
>
> *May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol:
> ERR_remove_state)*
> *May 15 06:32:04 hugayat automount[16256]: lookup_nss_read_master:
> auto.master not found, replacing '.' with '_'*
> *May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
> lookup module ldap (/usr/lib/autofs/lookup_ldap.so: undefined symbol:
> ERR_remove_state)*
> *May 15 06:32:04 hugayat automount[16256]: no mounts in table*
>
> Quick googling shows that it was part of a bug in an earlier version of
> autofs (5.0.3) but later fixed. Mine is autofs *autofs-5.0.5-29.el6.i686*
>
> Also, the symbol *ERR_remove_state* is part of openssl right ? following
> is my output of ldd command of lookup_ldap.so,

I think you ran into https://bugzilla.redhat.com/show_bug.cgi?id=579963

The ERR_remove_state call was removed in autofs-5.0.5-30.el6. I did a quick test with that version and it seemed to work fine.

As per the configuration, the necessary steps are:

1) edit /etc/nsswitch.conf and put "automount: ldap". It is also OK to configure more sources such as "automount: files ldap".

2) edit /etc/sysconfig/autofs
You'll want to specify at least LDAP_URI and SEARCH_BASE according to your server environment. In order for the correct attributes to be searched for, you also need to uncomment the last set of attribute mappings:

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

3) service autofs restart

If things still don't work, the logs should tell us more. If you run autofs with -v -d it would even list the exact mount invocation, which could be useful to determine the exact problem.

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kollathodi at yahoo.com Mon May 16 17:58:55 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 16 May 2011 10:58:55 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DD12ABC.5020702@redhat.com>
Message-ID: <836162.28157.qm@web161306.mail.bf1.yahoo.com>

Thanks for the reply! Please see the following output from an IPA client machine.

[root at rhel ~]# showmount -e hugayat.cohort.org
Export list for hugayat.cohort.org:
/xtra/home *
[root at rhel ~]#

The result is the same across all the machines.

Thanks and regards,
Nidal

automount. Does manually mounting the homedir work? Does "showmount -e hugayat.cohort.org" list the exports?
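Jakub Hrozek's three configuration steps, quoted in nasir's earlier message above, can be checked mechanically before restarting autofs. The script below is an added example, not code from the thread or from the autofs project; the file excerpts it parses are constructed from values posted in the thread, and the LDAP_URI and SEARCH_BASE values are assumptions.

```python
import re

# The attribute mappings step 2 says must be uncommented for the IPA schema
# (names and values exactly as posted in the thread).
REQUIRED_MAPPINGS = {
    "MAP_OBJECT_CLASS": "automountMap",
    "ENTRY_OBJECT_CLASS": "automount",
    "MAP_ATTRIBUTE": "automountMapName",
    "ENTRY_ATTRIBUTE": "automountKey",
    "VALUE_ATTRIBUTE": "automountInformation",
}

# /etc/sysconfig/autofs is a shell-style KEY="value" file; comment lines are
# exactly the failure mode step 2 warns about, so they are skipped, not parsed.
ASSIGN_RE = re.compile(r'^\s*([A-Z_]+)\s*=\s*"?([^"#]*?)"?\s*$')

# Constructed excerpt of /etc/sysconfig/autofs in the broken state: the LDAP
# server is set, but the last set of attribute mappings is still commented out.
# LDAP_URI is the server seen in the thread's logs; SEARCH_BASE is assumed.
SYSCONFIG_BROKEN = """\
# Constructed excerpt, not a real /etc/sysconfig/autofs
TIMEOUT=300
LDAP_URI="ldap://192.168.1.240"
SEARCH_BASE="cn=default,cn=automount,dc=cohort,dc=org"
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
"""
# The corrected file: same content with the mapping lines uncommented
# (only the lines that begin with "#" after a newline are affected).
SYSCONFIG_FIXED = SYSCONFIG_BROKEN.replace("\n#", "\n")

NSSWITCH_OK = "passwd:    files sss\nautomount: files ldap\n"       # constructed
NSSWITCH_MISSING = "passwd:    files sss\nautomount: files\n"       # constructed


def parse_sysconfig(text):
    """Return the active (uncommented) KEY=value assignments of a sysconfig file."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def nsswitch_automount_sources(text):
    """Return the source list on the 'automount:' line of nsswitch.conf (step 1)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("automount:"):
            return line.split(":", 1)[1].split()
    return []


def check_autofs_ldap(nsswitch_text, sysconfig_text):
    """Return a list of problems with steps 1 and 2; an empty list means both look complete."""
    problems = []
    if "ldap" not in nsswitch_automount_sources(nsswitch_text):
        problems.append("nsswitch.conf: automount line lacks 'ldap' source")
    cfg = parse_sysconfig(sysconfig_text)
    for key in ("LDAP_URI", "SEARCH_BASE"):
        if not cfg.get(key):
            problems.append(f"autofs: {key} is not set")
    for key, expected in REQUIRED_MAPPINGS.items():
        actual = cfg.get(key)
        if actual is None:
            problems.append(f"autofs: {key} is missing or commented out")
        elif actual != expected:
            problems.append(f"autofs: {key}={actual!r}, expected {expected!r}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", SYSCONFIG_BROKEN), ("fixed", SYSCONFIG_FIXED)):
        print(label, check_autofs_ldap(NSSWITCH_OK, cfg) or "OK")
```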
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kollathodi at yahoo.com Mon May 16 18:45:51 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 16 May 2011 11:45:51 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DD12ABC.5020702@redhat.com>
Message-ID: <698654.98236.qm@web161305.mail.bf1.yahoo.com>

Sorry, I forgot to answer the below question in my last mail. I can manually mount my main partition for the home folder (i.e. /xtra/home). But I can't mount real home folders under that because they don't exist. If I manually create one home folder (e.g. /xtra/home/abc) under that, then I can mount it, but nothing can be written to it by the user as it gives a permission denied error.

Thanks and regards,
Nidal

Does manually mounting the homedir work?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Mon May 16 19:12:42 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 16 May 2011 15:12:42 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <698654.98236.qm@web161305.mail.bf1.yahoo.com>
References: <698654.98236.qm@web161305.mail.bf1.yahoo.com>
Message-ID: <4DD1772A.2010604@redhat.com>

> If I manually create one home folder( e.g */xtra/home/abc* ) under
> that, then I can mount it, but nothing can be written to it by the
> user as it gives permission denied error.
>

Yes, but it should allow the root user to create and chown the directory, so the autocreation of home dirs should work.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From millerdc at fusion.gat.com Mon May 16 22:21:50 2011
From: millerdc at fusion.gat.com (David C. Miller)
Date: Mon, 16 May 2011 15:21:50 -0700 (PDT)
Subject: [Freeipa-users] RHEL6.1 beta
In-Reply-To: <4DC83E95.5030206@redhat.com>
Message-ID: <3742c63e-4ccc-4fab-aecf-561aad91ebcf@email.gat.com>

Does anyone know how much RedHat is going to charge for an API server license? Will they charge per node? I can't find any info on their site even for the old IPA 1.x stuff..

David.

----- Original Message -----
> From: "Rob Crittenden"
> To: "Steven Jones"
> Cc: freeipa-users at redhat.com
> Sent: Monday, May 9, 2011 12:20:53 PM
> Subject: Re: [Freeipa-users] RHEL6.1 beta
>
> Steven Jones wrote:
> > Hi,
> >
> > Where are the ipa-server-2.0 packages held these days ?
> >
> > from previous list posts they were here, but I can't find them
> > now....
> >
> > ========
> >
> > ipa-server-2.0.0-16.el6.x86_64
> >
> > Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
> > ipa-server-2.0.0-16.el6.i686
> >
> > ========
>
> Apparently the beta is over so the packages were removed.
>
> The beta ISOs should still be available and those I'm told have the
> ipa packages via classic RHN. If you use the new entitlement system the
> beta packages are still on cdn.redhat.com.
>
> regards
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From dpal at redhat.com Mon May 16 22:34:14 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 May 2011 18:34:14 -0400
Subject: [Freeipa-users] RHEL6.1 beta
In-Reply-To: <3742c63e-4ccc-4fab-aecf-561aad91ebcf@email.gat.com>
References: <3742c63e-4ccc-4fab-aecf-561aad91ebcf@email.gat.com>
Message-ID: <4DD1A666.5040500@redhat.com>

On 05/16/2011 06:21 PM, David C. Miller wrote:
> Does anyone know how much RedHat is going to charge for an API server license? Will they charge per node? I can't find any info on their site even for the old IPA 1.x stuff..
>
> David.

The IPA in 6.1 is in tech preview so no charge. It will be officially supported for 6.2 so all pricing will be announced later.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From kollathodi at yahoo.com Tue May 17 01:19:25 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 16 May 2011 18:19:25 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DD1772A.2010604@redhat.com>
Message-ID: <632038.78417.qm@web161318.mail.bf1.yahoo.com>

Thanks again!

No! It allows auto mount of that pre-created home folder ONLY on the NFS server. For e.g. if I have /xtra/home/nasir already created, then it automatically mounts while logging in to the NFS server (ssh -l nasir NFS_SERVER).
But when I try to login as the same user to some other machine (ssh -l nasir ANY_IPA_MACHINE) it gives the following error,

[root at openipa ~]# ssh -l nasir 192.168.1.222 -X
nasir at 192.168.1.222's password:
Creating home directory for nasir.
Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$ ls

So it is not working right ? Hope it is clear to you now.

Thanks and regards,
Nidal

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Tue May 17 02:11:48 2011
From: ayoung at redhat.com (Adam Young)
Date: Mon, 16 May 2011 22:11:48 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <632038.78417.qm@web161318.mail.bf1.yahoo.com>
References: <632038.78417.qm@web161318.mail.bf1.yahoo.com>
Message-ID: <4DD1D964.1030306@redhat.com>

Let's try to isolate it a little further. If you log in to that machine as root, and then do su - nasir, does it let you create the directory or give you the same error? I'm guessing it is ssh that is complaining here. If the mount point is set up correctly, you should be able to create and chown the /home/nasir directory, either via oddjob, or just test it as root.

What I am guessing is happening here is that ssh is not triggering the oddjob creation of the home directory. Either that, or this particular IPA client was run without the switch to create the home-dir. If Automount is commented out, does the /home/nasir directory get created on the local disk?

On 05/16/2011 09:19 PM, nasir nasir wrote:

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kollathodi at yahoo.com Tue May 17 02:49:21 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 16 May 2011 19:49:21 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DD1D964.1030306@redhat.com>
Message-ID: <203825.263.qm@web161301.mail.bf1.yahoo.com>

Thanks again! To answer your queries,

-- I get the same error for su - nasir
-- I don't think ssh is not creating oddjobd; see the error in the trailing mail which I am getting in the konsole while trying to login. It does try to create the home folder
-- The client IPA machine was created with --mkhomedir switch.
Also, I can see the pam_oddjob_mkhomedir.so entry in the system-auth and password-auth files of pam (but not in the ssh file, though I manually tried once to insert it in the ssh file and then it was trying to create the home folder twice while SSHing !!).
-- As I said in the previous mail, pre-created directories get automounted and set up correctly when I try to login to the NFS server (cohort.org.hugyat) but NOT to other machines.
-- When autofs is disabled, directories get created successfully in the local hard disk on all the machines configured with --mkhomedir switch

Any clue ?

Thanks and regards,
Nidal

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kollathodi at yahoo.com Tue May 17 06:03:06 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Mon, 16 May 2011 23:03:06 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <203825.263.qm@web161301.mail.bf1.yahoo.com>
Message-ID: <659951.27052.qm@web161316.mail.bf1.yahoo.com>

Further to my previous mail, let us try to isolate it even more by comparing the login attempts to the NFS server (hugayat.cohort.org) and another IPA client (rhel.cohort.org). This is the relevant /var/log/messages in the two cases.

1. ssh -l nasir hugayat.cohort.org

May 17 07:45:14 hugayat automount[15767]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
12 May 17 07:45:14 hugayat automount[15767]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
13 May 17 07:45:14 hugayat automount[15767]: connected to uri ldap://192.168.1.240
14 May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
15 May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir"
16 May 17 07:45:14 hugayat automount[15767]: lookup_one: lookup(ldap): examining first entry
17 May 17 07:45:14 hugayat automount[15767]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
18 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
19 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
20 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/nasir") -> hugayat.cohort.org:/xtra/home/nasir
21 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/nasir
22 May 17 07:45:14 hugayat automount[15767]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
23 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
24 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
25 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): calling mkdir_path /home/nasir
26 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): nasir is local, attempt bind mount
27 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mkdir_path /home/nasir
28 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mount --bind -s -o defaults /xtra/home/nasir /home/nasir
29 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): mounted /xtra/home/nasir type bind on /home/nasir

2. ssh -l rhel.cohort.org

7 May 17 07:46:06 rhel automount[15387]: find_server: trying server uri ldap://192.168.1.240
8 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
9 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): ldap simple bind returned 0
10 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): check search base list
11 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
12 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
13 May 17 07:46:06 rhel automount[15387]: connected to uri ldap://192.168.1.240
14 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
15 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir"
16 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): examining first entry
17 May 17 07:46:06 rhel automount[15387]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
18 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
19 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
20 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/nasir") -> hugayat.cohort.org:/xtra/home/nasir
21 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/nasir
22 May 17 07:46:06 rhel automount[15387]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
23 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
24 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
25 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): calling mkdir_path /home/nasir
26 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir /home/nasir
27 May 17 07:46:06 rhel automount[15387]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/nasir failed, reason given by server:
28 May 17 07:46:06 rhel automount[15387]: >> No such file or directory

Please compare the lines between 20-30 in both the cases. All the parameters are the same but in the first case it says the user "nasir is local". What does it mean ?

Thanks and regards,
Nidal
If you log in to that machine as root, and then do su - nasir, does it let you create the directory or give you the same error? I'm guessing it is ssh that is complaining here. If the mount point is set up correctly, you should be able to create and chown the /home/nasir directory, either via oddjob, or just test it as root.

What I am guessing is happening here is that ssh is not triggering the oddjob creation of the home directory. Either that, or this particular IPA client was run without the switch to create the home-dir. If Automount is commented out, does the /home/nasir directory get created on the local disk?

On 05/16/2011 09:19 PM, nasir nasir wrote:

Thanks again!

No! it allows auto mount that pre created home folder ONLY to the NFS server. For e.g if I have /xtra/home/nasir already created, then it automatically mounts while login to NFS server ( ssh -l nasir NFS_SERVER ). But when I try to login as the same user to some other machine ( ssh -l nasir ANY_IPA_MACHINE) it gives the following error,

[root at openipa ~]# ssh -l nasir 192.168.1.222 -X
nasir at 192.168.1.222's password:
Creating home directory for nasir.
Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$ ls

So it is not working right? Hope it is clear to you now.

Thanks and regards,
Nidal

If I manually create one home folder ( e.g /xtra/home/abc ) under that, then I can mount it, but nothing can be written to it by the user as it gives permission denied error.

Yes, but it should allow the root user to create and chown the directory, so the autocreation of home dirs should work.

-----Inline Attachment Follows-----

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
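The two traces in the message above part ways at line 26. On hugayat the host named in the map entry is the machine itself, so autofs bind mounts the literal local path /xtra/home/nasir and never talks to NFS (the mount_nfs.c comment Adam quotes later in this thread describes this and notes that a "port" option disables it). rhel instead asks the NFS server for /xtra/home/nasir and is told it does not exist. One reading that fits both this and the later finding that a "/&" entry works from clients but not on the server: if /xtra/home is exported with fsid=0 (an assumption, the thread shows no /etc/exports), NFSv4 clients address paths relative to that pseudo-root, so "server:/xtra/home/nasir" is looked up as /xtra/home/xtra/home/nasir on the server, while the server's own bind mount takes the path literally and "/nasir" does not exist there. The Python below is an added example, not code from this thread, from autofs or from FreeIPA. It models that decision for both map entries and adds a small helper for pre-creating home directories in the server's real home tree, which pam_oddjob_mkhomedir on a client cannot do because it runs on the client, not on the export. The host name, the fsid=0 export, the directory set and uid/gid 1001 are constructed.

```python
"""Model of what autofs does with a sun-format wildcard map entry, written
to reproduce the two traces above: a bind mount on the NFS server itself
versus an NFSv4 mount from another client.  Added example, not code from
this thread, from autofs or from FreeIPA.  Host name, the fsid=0 export,
the directory layout and the uid/gid are constructed assumptions."""
import os
import stat
import tempfile

# Constructed scenario: hugayat is the NFS server, its real home tree is
# /xtra/home and (assumption) that directory is exported with fsid=0.
SERVER = "hugayat.cohort.org"
SERVER_DIRS = {"/xtra/home", "/xtra/home/nasir"}
PSEUDO_ROOT = "/xtra/home"
OPTS = "-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192"
ENTRY_A = "%s %s:/xtra/home/&" % (OPTS, SERVER)   # entry seen in the traces
ENTRY_B = "%s %s:/&" % (OPTS, SERVER)             # entry found later in the thread


def parse_entry(entry):
    """'-fstype=nfs4,rw,... host:/path' -> (fstype, [mount options], location)."""
    opt_field, location = entry.split(None, 1)
    fstype, options = "nfs", []
    for opt in opt_field.lstrip("-").split(","):
        if opt.startswith("fstype="):
            fstype = opt[len("fstype="):]
        elif opt:
            options.append(opt)
    return fstype, options, location.strip()


def expand(entry, key):
    """Sun map syntax: every '&' in the entry is replaced by the looked-up key."""
    return entry.replace("&", key)


def plan_mount(entry, key, root, local_hosts, server_dirs, pseudo_root="/"):
    """Return what automount would do for `key` under `root`.

    local_hosts: names this machine reaches itself by; autofs then bind
        mounts the literal local path instead of using NFS, unless a
        'port=' option is present (the mount_nfs.c comment quoted later).
    server_dirs / pseudo_root: what really exists on the server, and the
        fsid=0 export that NFSv4 clients see as '/'.
    """
    fstype, options, location = parse_entry(expand(entry, key))
    host, path = location.split(":", 1)
    mountpoint = os.path.join(root, key)
    uses_port = any(o.startswith("port=") for o in options)

    if host in local_hosts and not uses_port:
        # "nasir is local, attempt bind mount": the path is taken literally
        # on the local filesystem; the NFS export is never consulted.
        if path not in server_dirs:
            return {"action": "error", "mountpoint": mountpoint,
                    "reason": "mount --bind %s: No such file or directory" % path}
        return {"action": "bind", "what": path, "mountpoint": mountpoint}

    # Remote client: an NFSv4 path is resolved under the server's pseudo-root.
    real = path if fstype != "nfs4" else os.path.normpath(
        os.path.join(pseudo_root, path.lstrip("/")))
    if real not in server_dirs:
        return {"action": "error", "mountpoint": mountpoint,
                "reason": "mount.nfs4: mounting %s failed: No such file or directory" % location}
    return {"action": "mount", "fstype": fstype, "what": location,
            "mountpoint": mountpoint, "options": ",".join(options)}


def ensure_home_dir(base, user, uid, gid, mode=0o700):
    """Pre-create a home directory in the NFS server's real home tree.

    Meant to run as root on the server (e.g. from the user-add workflow);
    returns True when the directory was created, False if it already was.
    """
    home = os.path.join(base, user)
    if os.path.isdir(home):
        return False
    os.makedirs(home, mode)
    os.chmod(home, mode)               # makedirs is subject to umask
    if os.geteuid() == 0:              # unprivileged runs keep the caller's uid
        os.chown(home, uid, gid)
    return True


def demo():
    """Run the four cases the thread observed plus the 'port=' escape hatch."""
    results = {
        "A on server": plan_mount(ENTRY_A, "nasir", "/home", {SERVER}, SERVER_DIRS, PSEUDO_ROOT),
        "A on client": plan_mount(ENTRY_A, "nasir", "/home", set(), SERVER_DIRS, PSEUDO_ROOT),
        "B on server": plan_mount(ENTRY_B, "nasir", "/home", {SERVER}, SERVER_DIRS, PSEUDO_ROOT),
        "B on client": plan_mount(ENTRY_B, "nasir", "/home", set(), SERVER_DIRS, PSEUDO_ROOT),
        "B+port on server": plan_mount(ENTRY_B.replace("rw,", "rw,port=2049,"), "nasir",
                                       "/home", {SERVER}, SERVER_DIRS, PSEUDO_ROOT),
    }
    with tempfile.TemporaryDirectory() as base:   # stands in for /xtra/home
        first = ensure_home_dir(base, "abc", 1001, 1001)
        second = ensure_home_dir(base, "abc", 1001, 1001)
        mode = stat.S_IMODE(os.stat(os.path.join(base, "abc")).st_mode)
    results["provision"] = (first, second, mode)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-18s %s" % (name, outcome))
```

Running it shows entry A succeeding only on the server (bind) and entry B succeeding only on clients (NFS mount), which is exactly the split reported in the thread; the "port=" case shows the server taking the NFS path too. Whether a server should NFS-mount its own export is a separate question; the pre-creation helper is the part that makes first logins from clients work either way, provided the directory is created with the user's IPA uid/gid.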
From sigbjorn at nixtra.com Tue May 17 12:40:28 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 17 May 2011 14:40:28 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DD13B22.9030604@redhat.com>
References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com>
Message-ID: <4DD26CBC.8080107@nixtra.com>

On 05/16/2011 04:56 PM, Rich Megginson wrote:
> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote:
>> On 05/16/2011 03:52 PM, Simo Sorce wrote:
>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
>>>> I've noticed that if the machine running IPA is very busy at startup,
>>>> the IPA services will not be online when the machine is started.
>>>>
>>>> I noticed this as my test virtualization host has had its power cord
>>>> knocked out a few times. When I restart the host machine, all the
>>>> virtual machines are started at the same time, causing (a lot) higher
>>>> than normal latency for each virtual machine.
>>>>
>>>> This causes the IPA daemons to start, while during the startup one or
>>>> several IPA daemons fail due to dependencies on other daemons which are
>>>> not started yet, and all the IPA daemons are stopped as not all the IPA
>>>> daemons started successfully. I've noticed that the default behavior of
>>>> the ipactl command is to shut down all the IPA daemons, if any of the
>>>> IPA daemons should fail during startup.
>>>>
>>>> This can be seen in the logs of the individual services, as some are
>>>> started successfully, just to receive a shutdown signal shortly after.
>>>> It seems to be the pki-ca which shut down my IPA services this morning.
>>>>
>>>> When rebooting the virtual machine running the IPA daemons during normal
>>>> load of the host machine, all the IPA daemons start successfully.
>>>> Logging on to the IPA server and manually starting the IPA daemons after
>>>> the load of the host machine has decreased also works.
>>>>
>>>> I suggest changing the startup scripts to allow (a lot) longer startup
>>>> times for the IPA daemons prior to failing them.
>>> At the moment we just run service start and wait until it is
>>> done. If the pki-cad service timeouts and returns an error I think we
>>> need to open a bug against the dogtag component as that is the cause.
>>>
>>> Can you open a bug in the freeipa trac with logs showing that service is
>>> responsible for the failure ?
>>
>> I haven't been able to figure out which service that failed IPA yet.
>> A lot of log files scattered around. As you can see from the slapd
>> errors file, the slapd daemon was available for almost 3 minutes
>> before receiving the shutdown signal. I notice now that the PKI
>> daemon failed 8 seconds after slapd had shut down, so I was wrong in
>> blaming the PKI daemon.
>>
>> See below for a list of log files I've been through. They all have one
>> thing in common, the daemons start when the host machine is started,
>> at approx 06:34, then receive a shutdown signal around 06:37. Some
>> time later when the host has calmed down, I'm logging in and manually
>> starting IPA using "ipactl start", and all the daemons start without
>> any problem. And they keep running after my manual intervention.
>>
>> I wish I could be more specific, but I'm unsure where else to look.
>> Suggestions?
>>
>>
>> /var/log/krb5kdc.log
>> /var/log/pki-ca/catalina.out
>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>> /var/log/dirsrv/slapd-PKI-IPA/errors
>> /var/log/httpd/error_log
>> /var/log/messages (named log)
>>
>> slapd errors:
>>
>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up
>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> 1) Disorderly Shutdown means a) crash b) kill -9 or similar - neither
> of which should be happening - is this the replica install or the
> first master install?

First master install.

From kollathodi at yahoo.com Tue May 17 13:26:02 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Tue, 17 May 2011 06:26:02 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DD1D964.1030306@redhat.com>
Message-ID: <131033.45895.qm@web161315.mail.bf1.yahoo.com>

Sorry to answer my own post! After trying out all the permutations and combinations of the automountkey-add/del command, I figured out the following entry and it works for all the PRE CREATED home folders across all the machines except the NFS server,

/etc/auto.home:
*       -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/&

With this entry, it gets automounted if I have the home folder present already in my NFS partition (i.e /xtra/home/XXX). It is not working when I try to login to NFS server. Instead it is creating a home folder on the fly under /home of NFS server. Is this what I can achieve maximum? or can I have folders automatically created while login for the first time?

Thanks again for making me reach up to this point!

Regards,
Nidal

Let's try to isolate it a little further. If you log in to that machine as root, and then do su - nasir, does it let you create the directory or give you the same error? I'm guessing it is ssh that is complaining here. If the mount point is set up correctly, you should be able to create and chown the /home/nasir directory, either via oddjob, or just test it as root.

What I am guessing is happening here is that ssh is not triggering the oddjob creation of the home directory. Either that, or this particular IPA client was run without the switch to create the home-dir. If Automount is commented out, does the /home/nasir directory get created on the local disk?

On 05/16/2011 09:19 PM, nasir nasir wrote:

Thanks again!

No! it allows auto mount that pre created home folder ONLY to the NFS server. For e.g if I have /xtra/home/nasir already created, then it automatically mounts while login to NFS server ( ssh -l nasir NFS_SERVER ). But when I try to login as the same user to some other machine ( ssh -l nasir ANY_IPA_MACHINE) it gives the following error,

[root at openipa ~]# ssh -l nasir 192.168.1.222 -X
nasir at 192.168.1.222's password:
Creating home directory for nasir.
Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$ ls

So it is not working right? Hope it is clear to you now.

Thanks and regards,
Nidal

If I manually create one home folder ( e.g /xtra/home/abc ) under that, then I can mount it, but nothing can be written to it by the user as it gives permission denied error.

Yes, but it should allow the root user to create and chown the directory, so the autocreation of home dirs should work.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Tue May 17 14:16:23 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 17 May 2011 10:16:23 -0400
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <659951.27052.qm@web161316.mail.bf1.yahoo.com>
References: <659951.27052.qm@web161316.mail.bf1.yahoo.com>
Message-ID: <4DD28337.7050607@redhat.com>

On 05/17/2011 02:03 AM, nasir nasir wrote:
> Further to my previous mail, let us try to isolate it even more by
> comparing the login attempts to the NFS server (hugayat.cohort.org) and
> another IPA client (rhel.cohort.org)
>
> This is the relevant /var/log/messages in the two cases
>
> *1.
ssh -l nasir hugayat.cohort.org* > > May 17 07:45:14 hugayat automount[15767]: get_query_dn: lookup(ldap): > found search base under cn=automount,dc=cohort,dc=org > 12 May 17 07:45:14 hugayat automount[15767]: get_query_dn: > lookup(ldap): found query dn > automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org > 13 May 17 07:45:14 hugayat automount[15767]: connected to uri > ldap://192.168.1.240 > 14 May 17 07:45:14 hugayat automount[15767]: lookup_one: > lookup(ldap): searching for > "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" > under "automountmapname=auto.ho > me,cn=default,cn=automount,dc=cohort,dc=org" > 15 May 17 07:45:14 hugayat automount[15767]: lookup_one: > lookup(ldap): getting first entry for automountKey="nasir" > 16 May 17 07:45:14 hugayat automount[15767]: lookup_one: > lookup(ldap): examining first entry > 17 May 17 07:45:14 hugayat automount[15767]: lookup_mount: > lookup(ldap): nasir -> > -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 > hugayat.cohort.org:/xtra/home/& > 18 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): > expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 > hugayat.cohort.org:/xtra/home/nasir > 19 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): > gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 > 20 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): > dequote("hugayat.cohort.org:/xtra/home/nasir") -> > hugayat.cohort.org:/xtra/home/nasir > 21 May 17 07:45:14 hugayat automount[15767]: parse_mount: parse(sun): > core of entry: > options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, > loc=hugayat.cohort.org:/xtra/home/nasir > 22 May 17 07:45:14 hugayat automount[15767]: sun_mount: parse(sun): > mounting root /home, mountpoint nasir, what > hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options > rw,sec=krb5,soft,rsize=8192,wsiz e=8192 > 23 May 17 07:45:14 hugayat 
automount[15767]: mount_mount: mount(nfs): > root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, > fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192 > 24 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): > nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0 > 25 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): > calling mkdir_path /home/nasir > 26 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(nfs): > *nasir is local, attempt bind mount* > I'm guessing that there is some policy enforced by the NFS server here that lets you do something like this. ...and here's the source code.... http://autofs5.sourcearchive.com/documentation/5.0.4-2/mount__nfs_8c-source.html Here's the comment right above the line that generates that message. * If the "port" option is specified, then we don't want * a bind mount. Use the "port" option if you want to * avoid attempting a local bind mount, such as when * tunneling NFS via localhost. So no surprise that the behavior is different on the NFS server than the rest of the cluster. > 27 May 17 07:45:14 hugayat automount[15767]: mount_mount: > mount(bind): calling mkdir_path /home/nasir > 28 May 17 07:45:14 hugayat automount[15767]: mount_mount: > mount(bind): calling mount --bind -s -o defaults /xtra/home/nasir > /home/nasir > 29 May 17 07:45:14 hugayat automount[15767]: mount_mount: > mount(bind): mounted /xtra/home/nasir type bind on /home/nasir > > *2. 
ssh -l rhel.cohort.org* > > 7 May 17 07:46:06 rhel automount[15387]: find_server: trying server > uri ldap://192.168.1.240 > 8 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): > auth_required: 1, sasl_mech (null) > 9 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): ldap > simple bind returned 0 > 10 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): > check search base list > 11 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): > found search base under cn=automount,dc=cohort,dc=org > 12 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): > found query dn > automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org > 13 May 17 07:46:06 rhel automount[15387]: connected to uri > ldap://192.168.1.240 > 14 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): > searching for > "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" > under "automountmapname=auto.home, > cn=default,cn=automount,dc=cohort,dc=org" > 15 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): > getting first entry for automountKey="nasir" > 16 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): > examining first entry > 17 May 17 07:46:06 rhel automount[15387]: lookup_mount: lookup(ldap): > nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 > hugayat.cohort.org:/xtra/home/& > 18 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): > expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 > hugayat.cohort.org:/xtra/home/nasir > 19 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): > gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 > 20 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): > dequote("hugayat.cohort.org:/xtra/home/nasir") -> > hugayat.cohort.org:/xtra/home/nasir > 21 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): > core of entry: > 
options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, > loc=hugayat.cohort.org:/xtra/home/nasir > 22 May 17 07:46:06 rhel automount[15387]: sun_mount: parse(sun): > mounting root /home, mountpoint nasir, what > hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options > rw,sec=krb5,soft,rsize=8192,wsize=8 192 > 23 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): > root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, > fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192 > 24 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): > nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0 > 25 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): > calling mkdir_path /home/nasir > 26 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): > calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 > hugayat.cohort.org:/xtra/home/nasir /home/nasir > 27 May 17 07:46:06 rhel automount[15387]: >>*mount.nfs4: mounting > hugayat.cohort.org:/xtra/home/nasir failed, reason given by server:* > * 28 May 17 07:46:06 rhel automount[15387]: >> No such file or > directory* > > > Please compare the lines between 20-30 in both the cases. All the > parameters are same but in the first case it says the user "nasir is > local". What does it mean ? > * > * > Thanks and regards, > Nidal > > > Thanks again! To answer your queries, > > -- I get the same error for *su - nasir* > -- I don't think ssh is not creating oddjobd ; see the error > in the trailing mail which I am getting in the konsole while > trying to login. It does try to create home folder > -- The client IPA machine was created with --mkhomedir switch. > Also, I can see *pam_oddjob_mkhomedir.so *entry in the system-auth > and password-auth files of pam(But not in ssh file, though I > manually tried once to insert in ssh file and then it was trying > to create the home folder twice while SSHing !!). 
> -- As I said in previous mail, Pre-created directories get
> automounted and setup correctly when I try to login to NFS
> server (cohort.org.hugyat) but NOT to other machines.
> -- When autofs is disabled, directories get created
> successfully in the local hard disk on all the machines configured
> with --mkhomedir switch
>
> Any clue?
>
> Thanks and regards,
> Nidal
>
>
> Let's try to isolate it a little further. If you log in to
> that machine as root, and then do su - nasir, does it let you
> create the directory or give you the same error? I'm guessing
> it is ssh that is complaining here. If the mount point is set
> up correctly, you should be able to create and chown the
> /home/nasir directory, either via oddjob, or just test it as
> root.
>
> What I am guessing is happening here is that ssh is not
> triggering the oddjob creation of the home directory.
> Either that, or this particular IPA client was run without the
> switch to create the home-dir. If Automount is commented out,
> does the /home/nasir directory get created on the local disk?
>
>
> On 05/16/2011 09:19 PM, nasir nasir wrote:
>> Thanks again!
>>
>> No! it allows auto mount that pre created home folder *ONLY
>> to the NFS server*. For e.g if I have */xtra/home/nasir*
>> already created, then it automatically mounts while login to
>> NFS server ( ssh -l nasir NFS_SERVER ). But when I try to
>> login as the same user to some other machine ( ssh -l nasir
>> ANY_IPA_MACHINE) it gives the following error,
>>
>> *[root at openipa ~]# ssh -l nasir 192.168.1.222 -X*
>> *nasir at 192.168.1.222's password: *
>> *Creating home directory for nasir.*
>> *Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org*
>> *Could not chdir to home directory /home/nasir: No such file
>> or directory*
>> *-sh-4.1$ ls*
>>
>> So it is not working right? Hope it is clear to you now.
>> >> Thanks and regards, >> Nidal >> >> >> >>> If I manually create one home folder( e.g >>> */xtra/home/abc* ) under than, then I can mount it, but >>> nothing can be written to it by the user as it gives >>> permission denied error. >>> >> >> Yes, but it should allow the root user to create and >> chown the directory, so the autocreation of home dirs >> should work. >> >> > > > -----Inline Attachment Follows----- > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue May 17 17:24:24 2011 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 17 May 2011 11:24:24 -0600 Subject: [Freeipa-users] IPA Startup issues In-Reply-To: <4DD26CBC.8080107@nixtra.com> References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> Message-ID: <4DD2AF48.6090602@redhat.com> On 05/17/2011 06:40 AM, Sigbjorn Lie wrote: > On 05/16/2011 04:56 PM, Rich Megginson wrote: >> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote: >>> On 05/16/2011 03:52 PM, Simo Sorce wrote: >>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote: >>>>> I've noticed that if the machine running IPA is very busy at startup, >>>>> the IPA services will not be online when the machine is started. >>>>> >>>>> I noticed this is as my test virtualization host has had it's >>>>> power cord >>>>> knocked out a few times. When I restart the host machine, all the >>>>> virtual machines is started at the same time, causing (a lot) higher >>>>> than normal latency for each virtual machine. 
>>>>>
>>>>> This causes the IPA daemons to start, while during the startup one or
>>>>> several IPA daemons fail due to dependencies on other daemons
>>>>> which are
>>>>> not started yet, and all the IPA daemons are stopped as not all the
>>>>> IPA
>>>>> daemons started successfully. I've noticed that the default
>>>>> behavior of
>>>>> the ipactl command is to shut down all the IPA daemons, if any of the
>>>>> IPA daemons should fail during startup.
>>>>>
>>>>> This can be seen in the logs of the individual services, as some are
>>>>> started successfully, just to receive a shutdown signal shortly
>>>>> after.
>>>>> It seems to be the pki-ca which shut down my IPA services this
>>>>> morning.
>>>>>
>>>>> When rebooting the virtual machine running the IPA daemons during
>>>>> normal
>>>>> load of the host machine, all the IPA daemons start successfully.
>>>>> Logging on to the IPA server and manually starting the IPA daemons
>>>>> after
>>>>> the load of the host machine has decreased also works.
>>>>>
>>>>> I suggest changing the startup scripts to allow (a lot) longer
>>>>> startup
>>>>> times for the IPA daemons prior to failing them.
>>>> At the moment we just run service start and wait until it is
>>>> done. If the pki-cad service timeouts and returns an error I think we
>>>> need to open a bug against the dogtag component as that is the cause.
>>>>
>>>> Can you open a bug in the freeipa trac with logs showing that
>>>> service is
>>>> responsible for the failure ?
>>>
>>> I haven't been able to figure out which service that failed IPA yet.
>>> A lot of log files scattered around. As you can see from the slapd
>>> errors file, the slapd daemon was available for almost 3 minutes
>>> before receiving the shutdown signal. I notice now that the PKI
>>> daemon failed 8 seconds after slapd had shut down, so I was wrong in
>>> blaming the PKI daemon.
>>>
>>> See below for a list of log files I've been through. They all have one
>>> thing in common, the daemons start when the host machine is
>>> started, at approx 06:34, then receive a shutdown signal around
>>> 06:37. Some time later when the host has calmed down, I'm logging in
>>> and manually starting IPA using "ipactl start", and all the daemons
>>> start without any problem. And they keep running after my manual
>>> intervention.
>>>
>>> I wish I could be more specific, but I'm unsure where else to look.
>>> Suggestions?
>>>
>>>
>>> /var/log/krb5kdc.log
>>> /var/log/pki-ca/catalina.out
>>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>>> /var/log/dirsrv/slapd-PKI-IPA/errors
>>> /var/log/httpd/error_log
>>> /var/log/messages (named log)
>>>
>>> slapd errors:
>>>
>>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1
>>> B2011.062.1416 starting up
>>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last
>>> time Directory Server was running, recovering database.
>> 1) Disorderly Shutdown means a) crash b) kill -9 or similar - neither
>> of which should be happening - is this the replica install or the
>> first master install?
>
>
>
> First master install.
>
What is in the slapd errors log before [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up?

From Steven.Jones at vuw.ac.nz Tue May 17 22:49:56 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 17 May 2011 22:49:56 +0000
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <4DCCF5C0.4030708@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz>

So what should the command be?

regards

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Friday, 13 May 2011 9:11 p.m.
To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] RHEL client to IPA On 05/13/2011 06:00 AM, Steven Jones wrote: > [root at vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin The second -p overrides the first. From rcritten at redhat.com Wed May 18 01:54:09 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 May 2011 21:54:09 -0400 Subject: [Freeipa-users] RHEL client to IPA In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DD326C1.2000403@redhat.com> Steven Jones wrote: > So what should the command be? # kinit admin # ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz rob > > regards > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek > Sent: Friday, 13 May 2011 9:11 p.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] RHEL client to IPA > > On 05/13/2011 06:00 AM, Steven Jones wrote: >> [root at vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin > > The second -p overrides the first. 
> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Wed May 18 02:22:36 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 18 May 2011 02:22:36 +0000 Subject: [Freeipa-users] How to reset the admin password Message-ID: <833D8E48405E064EBC54C84EC6B36E40063520A5@STAWINCOX10MBX1.staff.vuw.ac.nz> ? regards From rcritten at redhat.com Wed May 18 02:27:48 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 May 2011 22:27:48 -0400 Subject: [Freeipa-users] How to reset the admin password In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063520A5@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E40063520A5@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DD32EA4.6080908@redhat.com> Steven Jones wrote: > ? $ LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=example,dc=com You'll first be prompted for the new admin password twice, then for the Directory Manager password. rob From Steven.Jones at vuw.ac.nz Wed May 18 03:18:20 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 18 May 2011 03:18:20 +0000 Subject: [Freeipa-users] RHEL client to IPA In-Reply-To: <4DD326C1.2000403@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD326C1.2000403@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz> Im getting, "SASL bind failed!" 8><---- Steven Jones wrote: > So what should the command be? 
# kinit admin
# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz

From JR.Aquino at citrix.com Wed May 18 03:31:42 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 18 May 2011 03:31:42 +0000
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1C8EA3CC-160C-49BC-8022-E678924F50C5@citrixonline.com>

Is ns-ldap / kdc running on vuwunicoipamt01.unix.vuw.ac.nz?

service dirsrv status
service krb5kdc status

And are you running the command on vuwunicoipamt01.unix.vuw.ac.nz?

On May 17, 2011, at 8:23 PM, "Steven Jones" wrote:

> I'm getting,
>
> "SASL bind failed!"
>
> 8><----
>
> Steven Jones wrote:
> So what should the command be?
>
> # kinit admin
> # ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz

From Steven.Jones at vuw.ac.nz Wed May 18 03:36:56 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 18 May 2011 03:36:56 +0000
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <1C8EA3CC-160C-49BC-8022-E678924F50C5@citrixonline.com>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1C8EA3CC-160C-49BC-8022-E678924F50C5@citrixonline.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063520F7@STAWINCOX10MBX1.staff.vuw.ac.nz>

the dirsrv isn't running...

it's giving me

" line 50: ulimit: open files: cannot modify limit: operation not permitted
dirsrv unix-vuw-ac-nz is stopped...

krb5kdc is running.

regards

________________________________________
From: JR Aquino [JR.Aquino at citrix.com]
Sent: Wednesday, 18 May 2011 3:31 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL client to IPA

Is ns-ldap / kdc running on vuwunicoipamt01.unix.vuw.ac.nz?

service dirsrv status
service krb5kdc status

And are you running the command on vuwunicoipamt01.unix.vuw.ac.nz?

From rmeggins at redhat.com Wed May 18 13:22:22 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 18 May 2011 07:22:22 -0600
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063520F7@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1C8EA3CC-160C-49BC-8022-E678924F50C5@citrixonline.com> <833D8E48405E064EBC54C84EC6B36E40063520F7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DD3C80E.3090409@redhat.com>

On 05/17/2011 09:36 PM, Steven Jones wrote:
> the dirsrv isn't running...
>
> it's giving me " line 50: ulimit: open files: cannot modify limit: operation not permitted dirsrv unix-vuw-ac-nz is stopped...

What is the number of files that ulimit is attempting to use?

What does
grep file-max /etc/sysctl.conf
say?

what about
grep nofile /etc/security/limits.conf
?

what about
cat /proc/sys/fs/file-max
?

> krb5kdc is running.
>
> regards

From simo at redhat.com Wed May 18 15:06:53 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 18 May 2011 11:06:53 -0400
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1305731213.8582.21.camel@willson.li.ssimo.org>

On Wed, 2011-05-18 at 03:18 +0000, Steven Jones wrote:
> I'm getting,
>
> "SASL bind failed!"

As I said earlier this is happening because you changed the admin password with a random secret when you passed -p admin in the previous attempt.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From kollathodi at yahoo.com Wed May 18 18:00:12 2011
From: kollathodi at yahoo.com (nasir nasir)
Date: Wed, 18 May 2011 11:00:12 -0700 (PDT)
Subject: [Freeipa-users] FreeIPA for Linux desktop deployment
In-Reply-To: <4DD28337.7050607@redhat.com>
Message-ID: <879850.34869.qm@web161319.mail.bf1.yahoo.com>

Adam,

I will look more into this aspect and update later.
Big thanks to everyone for making me reach up to this point. I appreciate it tremendously.

Now in my test environment I have a working FreeIPA server, an NFS server (which is an IPA client), and 2 more IPA clients. All running RHEL 6.1 beta.

Following things work fine now,

    -- Centralized authentication and user/group management
    -- Shared home folder automatically gets mounted to the client machine when the user logs in for the first time (only catch is it needs to be created manually on the NFS server first)
    -- User profiles are preserved in the home folder

Next steps,

    -- Try whether I can have this WITHOUT creating the home folder manually on the NFS server first
    -- Replication of FreeIPA by adding one more server
    -- Try out HBAC, Roles, Netgroups and other features of FreeIPA
    -- Implement quota for user home folder

I will update the list about progress of all these later. Thanks indeed to everyone once again!

Regards,
Nidal


I'm guessing that there is some policy enforced by the NFS server here that lets you do something like this.

...and here's the source code....

http://autofs5.sourcearchive.com/documentation/5.0.4-2/mount__nfs_8c-source.html

Here's the comment right above the line that generates that message.

 * If the "port" option is specified, then we don't want
 * a bind mount. Use the "port" option if you want to
 * avoid attempting a local bind mount, such as when
 * tunneling NFS via localhost.

So no surprise that the behavior is different on the NFS server than the rest of the cluster.


27 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mkdir_path /home/nasir
28 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): calling mount --bind -s -o defaults /xtra/home/nasir /home/nasir
29 May 17 07:45:14 hugayat automount[15767]: mount_mount: mount(bind): mounted /xtra/home/nasir type bind on /home/nasir

2. ssh -l rhel.cohort.org

 7 May 17 07:46:06 rhel automount[15387]: find_server: trying server uri ldap://192.168.1.240
 8 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
 9 May 17 07:46:06 rhel automount[15387]: do_bind: lookup(ldap): ldap simple bind returned 0
10 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): check search base list
11 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found search base under cn=automount,dc=cohort,dc=org
12 May 17 07:46:06 rhel automount[15387]: get_query_dn: lookup(ldap): found query dn automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org
13 May 17 07:46:06 rhel automount[15387]: connected to uri ldap://192.168.1.240
14 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(automountKey=nasir)(automountKey=/)(automountKey=\2A)))" under "automountmapname=auto.home,cn=default,cn=automount,dc=cohort,dc=org"
15 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): getting first entry for automountKey="nasir"
16 May 17 07:46:06 rhel automount[15387]: lookup_one: lookup(ldap): examining first entry
17 May 17 07:46:06 rhel automount[15387]: lookup_mount: lookup(ldap): nasir -> -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/&
18 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): expanded entry: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir
19 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): gathered options: fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192
20 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): dequote("hugayat.cohort.org:/xtra/home/nasir") -> hugayat.cohort.org:/xtra/home/nasir
21 May 17 07:46:06 rhel automount[15387]: parse_mount: parse(sun): core of entry: options=fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192, loc=hugayat.cohort.org:/xtra/home/nasir
22 May 17 07:46:06 rhel automount[15387]: sun_mount: parse(sun): mounting root /home, mountpoint nasir, what hugayat.cohort.org:/xtra/home/nasir, fstype nfs4, options rw,sec=krb5,soft,rsize=8192,wsize=8192
23 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): root=/home name=nasir what=hugayat.cohort.org:/xtra/home/nasir, fstype=nfs4, options=rw,sec=krb5,soft,rsize=8192,wsize=8192
24 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): nfs options="rw,sec=krb5,soft,rsize=8192,wsize=8192", nosymlink=0, ro=0
25 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): calling mkdir_path /home/nasir
26 May 17 07:46:06 rhel automount[15387]: mount_mount: mount(nfs): calling mount -t nfs4 -s -o rw,sec=krb5,soft,rsize=8192,wsize=8192 hugayat.cohort.org:/xtra/home/nasir /home/nasir
27 May 17 07:46:06 rhel automount[15387]: >> mount.nfs4: mounting hugayat.cohort.org:/xtra/home/nasir failed, reason given by server:
28 May 17 07:46:06 rhel automount[15387]: >>   No such file or directory

Please compare the lines between 20-30 in both the cases. All the parameters are same but in the first case it says the user "nasir is local". What does it mean?

Thanks and regards,
Nidal


Thanks again!

To answer your queries,

    -- I get the same error for su - nasir
    -- I don't think ssh is not creating oddjobd; see the error in the trailing mail which I am getting in the konsole while trying to login. It does try to create home folder
    -- The client IPA machine was created with --mkhomedir switch. Also, I can see pam_oddjob_mkhomedir.so entry in the system-auth and password-auth files of pam (But not in ssh file, though I manually tried once to insert in ssh file and then it was trying to create the home folder twice while SSHing !!).
    -- As I said in previous mail, pre-created directories get automounted and set up correctly when I try to login to NFS server (cohort.org.hugyat) but NOT to other machines.
    -- When autofs is disabled, directories get created successfully in the local hard disk on all the machines configured with --mkhomedir switch

Any clue?

Thanks and regards,
Nidal


Let's try to isolate it a little further. If you log in to that machine as root, and then do su - nasir, does it let you create the directory or give you the same error? I'm guessing it is ssh that is complaining here. If the mount point is set up correctly, you should be able to create and chown the /home/nasir directory, either via odd job, or just test it as root.

What I am guessing is happening here is that ssh is not triggering the odd job creation of the home directory. Either that, or this particular IPA client was run without the switch to create the home-dir. If Automount is commented out, does the /home/nasir directory get created on the local disk?

On 05/16/2011 09:19 PM, nasir nasir wrote:

Thanks again!

No! it allows auto mount of that pre-created home folder ONLY to the NFS server. For e.g. if I have /xtra/home/nasir already created, then it automatically mounts while logging in to the NFS server ( ssh -l nasir NFS_SERVER ). But when I try to login as the same user to some other machine ( ssh -l nasir ANY_IPA_MACHINE ) it gives the following error,

[root at openipa ~]# ssh -l nasir 192.168.1.222 -X
nasir at 192.168.1.222's password:
Creating home directory for nasir.
Last login: Tue May 17 04:06:43 2011 from openipa.cohort.org
Could not chdir to home directory /home/nasir: No such file or directory
-sh-4.1$ ls

So it is not working right? Hope it is clear to you now.

Thanks and regards,
Nidal

If I manually create one home folder ( e.g. /xtra/home/abc ) under that, then I can mount it, but nothing can be written to it by the user as it gives permission denied error.

Yes, but it should allow the root user to create and chown the directory, so the autocreation of home dirs should work.

From Steven.Jones at vuw.ac.nz Wed May 18 20:30:58 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 18 May 2011 20:30:58 +0000
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <1305731213.8582.21.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1305731213.8582.21.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063524A3@STAWINCOX10MBX1.staff.vuw.ac.nz>

Which is why I asked Rob how to reset it, which I did....so it's not that?......at least it makes no obvious sense that it is?

regards

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Thursday, 19 May 2011 3:06 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL client to IPA

On Wed, 2011-05-18 at 03:18 +0000, Steven Jones wrote:
> I'm getting,
>
> "SASL bind failed!"

As I said earlier this is happening because you changed the admin password with a random secret when you passed -p admin in the previous attempt.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Wed May 18 20:35:31 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 18 May 2011 20:35:31 +0000
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <4DD3C80E.3090409@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1C8EA3CC-160C-49BC-8022-E678924F50C5@citrixonline.com> <833D8E48405E064EBC54C84EC6B36E40063520F7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD3C80E.3090409@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063524B0@STAWINCOX10MBX1.staff.vuw.ac.nz>

[jonesst1 at vuwunicoipamt01 ipa]$ service dirsrv status
/etc/sysconfig/dirsrv: line 50: ulimit: open files: cannot modify limit: Operation not permitted
dirsrv UNIX-VUW-AC-NZ is stopped
[jonesst1 at vuwunicoipamt01 ipa]$ service krb5kdc status
krb5kdc (pid 4686) is running...
[jonesst1 at vuwunicoipamt01 ipa]$ grep file-max /etc/sysctl.conf
[jonesst1 at vuwunicoipamt01 ipa]$ grep nofile /etc/security/limits.conf
# - nofile - max number of open files
dirsrv - nofile 8192
[jonesst1 at vuwunicoipamt01 ipa]$ cat /proc/sys/fs/file-max
97190
[jonesst1 at vuwunicoipamt01 ipa]$

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Thursday, 19 May 2011 1:22 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL client to IPA

On 05/17/2011 09:36 PM, Steven Jones wrote:
> the dirsrv isn't running...
>
> it's giving me " line 50: ulimit: open files: cannot modify limit: operation not permitted dirsrv unix-vuw-ac-nz is stopped...

What is the number of files that ulimit is attempting to use?
What does
grep file-max /etc/sysctl.conf
say?
what about
grep nofile /etc/security/limits.conf
?
what about
cat /proc/sys/fs/file-max
?

> krb5kdc is running.
>
> regards

From rmeggins at redhat.com Wed May 18 20:55:22 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 18 May 2011 14:55:22 -0600
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063524B0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1C8EA3CC-160C-49BC-8022-E678924F50C5@citrixonline.com> <833D8E48405E064EBC54C84EC6B36E40063520F7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD3C80E.3090409@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063524B0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DD4323A.2050702@redhat.com>

On 05/18/2011 02:35 PM, Steven Jones wrote:
> [jonesst1 at vuwunicoipamt01 ipa]$ service dirsrv status
> /etc/sysconfig/dirsrv: line 50: ulimit: open files: cannot modify limit: Operation not permitted

What is /etc/sysconfig/dirsrv line 50 i.e. what is the value ulimit -n is attempting to use?

Maybe the ulimit -n 8192 isn't needed in /etc/sysconfig/dirsrv if it is set per user in /etc/security/limits.conf?

Can you try this, as root:
su dirsrv -c "ulimit -n 8192"
?

> dirsrv UNIX-VUW-AC-NZ is stopped
> [jonesst1 at vuwunicoipamt01 ipa]$ service krb5kdc status
> krb5kdc (pid 4686) is running...
> [jonesst1 at vuwunicoipamt01 ipa]$ grep file-max /etc/sysctl.conf
> [jonesst1 at vuwunicoipamt01 ipa]$ grep nofile /etc/security/limits.conf
> # - nofile - max number of open files
> dirsrv - nofile 8192
> [jonesst1 at vuwunicoipamt01 ipa]$ cat /proc/sys/fs/file-max
> 97190
> [jonesst1 at vuwunicoipamt01 ipa]$

From simo at redhat.com Wed May 18 22:31:54 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 18 May 2011 18:31:54 -0400
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063524A3@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1305731213.8582.21.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E40063524A3@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1305757914.13113.0.camel@willson.li.ssimo.org>

On Wed, 2011-05-18 at 20:30 +0000, Steven Jones wrote:
> Which is why I asked Rob how to reset it, which I did....so it's not that?......at least it makes no obvious sense that it is?

Once you reset the password as Rob told you all is fine again.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From JR.Aquino at citrix.com Wed May 18 22:38:05 2011
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 18 May 2011 22:38:05 +0000
Subject: [Freeipa-users] RHEL client to IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063524B0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006350205@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E4006350217@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DCCF5C0.4030708@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006351E59@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD326C1.2000403@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063520DF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1C8EA3CC-160C-49BC-8022-E678924F50C5@citrixonline.com> <833D8E48405E064EBC54C84EC6B36E40063520F7@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD3C80E.3090409@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063524B0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <35362D8B-2721-4D84-AA56-49217D515B51@citrixonline.com>

Can you try both of those commands with sudo?

sudo service dirsrv status
?

~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino
Info. Security Specialist
Citrix Online
Jr.Aquino at citrixonline.com
805.690.3478
GCIH, CCNA

On May 18, 2011, at 1:38 PM, "Steven Jones" wrote:

> [jonesst1 at vuwunicoipamt01 ipa]$ service dirsrv status
> /etc/sysconfig/dirsrv: line 50: ulimit: open files: cannot modify limit: Operation not permitted
> dirsrv UNIX-VUW-AC-NZ is stopped
> [jonesst1 at vuwunicoipamt01 ipa]$ service krb5kdc status
> krb5kdc (pid 4686) is running...
> [jonesst1 at vuwunicoipamt01 ipa]$ grep file-max /etc/sysctl.conf
> [jonesst1 at vuwunicoipamt01 ipa]$ grep nofile /etc/security/limits.conf
> # - nofile - max number of open files
> dirsrv - nofile 8192
> [jonesst1 at vuwunicoipamt01 ipa]$ cat /proc/sys/fs/file-max
> 97190
> [jonesst1 at vuwunicoipamt01 ipa]$

From Steven.Jones at vuw.ac.nz Wed May 18 23:07:45 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 18 May 2011 23:07:45 +0000
Subject: [Freeipa-users] IPA server as a DNS server and design things
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006352557@STAWINCOX10MBX1.staff.vuw.ac.nz>

Qs,

1) We have a single master only for freeipa 2.0? so from what I can read the replicas are passive? ie do they answer LDAP queries and also DNS queries if DNS is integrated? but simply don't have a gui? or are they totally inert? I'm thinking of this as we really want 2 active DNS servers minimum.......

2) We discussed it's better to have DNS as a stub domain off the main domain.....so Linux servers will be unix.vuw.ac.nz.....should I do the same for the reverse lookup?

Should I cleave off part of the class B? say 2 x 24s? problem then becomes what do I do with mixed environments where I have windows web front ends and linux db backends......or user areas where I can't do that...
regards From simo at redhat.com Wed May 18 23:22:56 2011 From: simo at redhat.com (Simo Sorce) Date: Wed, 18 May 2011 19:22:56 -0400 Subject: [Freeipa-users] IPA server as a DNS server and design things In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006352557@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006352557@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1305760976.13113.5.camel@willson.li.ssimo.org> On Wed, 2011-05-18 at 23:07 +0000, Steven Jones wrote: > Qs, > > 1) We have a single master only for freeipa 2.0? so from what I can > read the replicas are passive? ie do they answer LDAP queries and also > DNS queries if DNS is integrated? but simply dont have a gui? or are > they totally inert? Im thinking of this as we really want 2 active > DNS servers minimum....... We do not enable the DNS on replicas by default, it is an admin choice on which replicas they want to enable the DNS service. When you install the replica you can pass the --setup-dns flag. If you forgot to do so or if you later change idea and want to install the DNS piece you can simply run ipa-dns-install on the replica you want to have another DNS available. > 2) We discussed its better to have DNS as a stub domain off the main > domain.....so Linux servers will be unix.vuw.ac.nz.....should I do the > same for the reverse lookup? That depends on your network topology. At the moment we do create a reverse zone for you by default, but you can use it, disable it, or just remove it if you have reverse lookups handled elsewhere. In future though we plan to improve the DNS plugin so that it will automatically update also the reverse zone (if managed by IPA) on clients dynamic DNS updates. > Should I cleave off part of the class B? say 2 x 24s? problem then > becomes what do I do with mixed environments where I have windows web > front ends and linux db backends......or user areas where I cant do > that... 
It is not necessary, although I would recommend that you properly set the ptr records at least for your servers in the DNS that is managing your reverse zones. Simo. -- Simo Sorce * Red Hat, Inc * New York From dpal at redhat.com Wed May 18 23:52:40 2011 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 18 May 2011 19:52:40 -0400 Subject: [Freeipa-users] IPA server as a DNS server and design things In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006352557@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006352557@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DD45BC8.9020808@redhat.com> On 05/18/2011 07:07 PM, Steven Jones wrote: > Qs, > > 1) We have a single master only for freeipa 2.0? so from what I can read the replicas are passive? ie do they answer LDAP queries They are not passive. They are master clones and can in fact respond to any traffic including administration via UI and CLI. This is just an addition to Simo's response. > and also DNS queries if DNS is integrated? but simply dont have a gui? or are they totally inert? Im thinking of this as we really want 2 active DNS servers minimum....... > > 2) We discussed its better to have DNS as a stub domain off the main domain.....so Linux servers will be unix.vuw.ac.nz.....should I do the same for the reverse lookup? > > Should I cleave off part of the class B? say 2 x 24s? problem then becomes what do I do with mixed environments where I have windows web front ends and linux db backends......or user areas where I cant do that... > > regards > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Thu May 19 01:41:44 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 May 2011 01:41:44 +0000
Subject: [Freeipa-users] help! IPA server she explode!
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006352697@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have an internal ajax error!

:(

the logs say,

[Thu May 19 09:59:35 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
[Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
[Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/ui/
[Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/top-bg.png, referer: https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/ui/ipa.css
[Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
[Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
[Thu May 19 10:04:43 2011] [error] [client 130.195.81.236] mod_wsgi (pid=1917): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.
[Thu May 19 10:04:45 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
[Thu May 19 10:05:09 2011] [error] [client 130.195.81.236] mod_wsgi (pid=1916): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.
[root at vuwunicoipamt01 httpd]#

regards

From Steven.Jones at vuw.ac.nz Thu May 19 03:08:54 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 May 2011 03:08:54 +0000
Subject: [Freeipa-users] help! IPA server she explode!
In-Reply-To: <4DD47E84.4000903@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006352697@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD47E84.4000903@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063526F1@STAWINCOX10MBX1.staff.vuw.ac.nz>

krb5kdc log...

I can do a kinit admin so the kerberos server is, I think, running...dns is also not running so I suspect the ldap part has hara-kiried itself.

regards

________________________________
From: Dmitri Pal [dpal at redhat.com]
Sent: Thursday, 19 May 2011 2:20 p.m.
To: Steven Jones
Subject: Re: [Freeipa-users] help! IPA server she explode!

On 05/18/2011 09:41 PM, Steven Jones wrote:
I have an internal ajax error!

This happens when the web server can't contact the KDC to authenticate. Look at the kerberos logs to see what happened with the KDC. It probably did not start. It did not start probably due to a DS error, so check the logs there too. I suspect that something stopped being readable/accessible due to your latest experiments. But for a more detailed answer you need to wait for engineers to wake up. Sorry! But the mentioned logs will be handy to troubleshoot anyway.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ssorce at redhat.com Thu May 19 14:23:58 2011
From: ssorce at redhat.com (Simo Sorce)
Date: Thu, 19 May 2011 10:23:58 -0400
Subject: [Freeipa-users] help! IPA server she explode!
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006352697@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006352697@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1305815038.13113.35.camel@willson.li.ssimo.org>

On Thu, 2011-05-19 at 01:41 +0000, Steven Jones wrote:
> I have an internal ajax error!
>
> :(
>
> the logs say,

Ping me later on IRC, I'd like you to run some commands, and it will be easier done interactively.

Simo.

From shelltoesuperstar at gmail.com Thu May 19 15:20:50 2011
From: shelltoesuperstar at gmail.com (Charlie Derwent)
Date: Thu, 19 May 2011 16:20:50 +0100
Subject: [Freeipa-users] /var/log/dirsrv/slapd-* permissions
In-Reply-To: <4DCD5030.4040601@redhat.com>
References: <4DCD5030.4040601@redhat.com>
Message-ID:

Yep it's a user called dirsrv and another pkisrv. Pretty sure it was all running, I imagine it just wasn't logging properly. I changed the ownership of the files a while ago so it's started logging properly again, but trawling through the error logfiles we've got

LOGINFO: Unable to open access file:/var/log/dirsrv/slapd-TEST-NET/access

Which is funny cause somehow it still managed to write the error into the error log.
On Fri, May 13, 2011 at 4:37 PM, Adam Young wrote:
> On 05/13/2011 06:11 AM, Charlie Derwent wrote:
>
> Hi
>
> First time posting on the mailing list so go easy on me :-)
>
> I've installed freeipa on our network and noticed that no real user owns the folders /var/log/dirsrv/slapd-PKI-IPA and /var/log/dirsrv/slapd-TEST-NET. Isn't this going to cause logrotate errors? I have a feeling this came about because I installed freeipa then had to uninstall it, then re-installed it again and the UIDs and GIDs I'm seeing may have been the previous pkisrv and dirsrv users/groups. If this is true can I just manually chown the directories and if so what permissions should I set?
>
>
> That is not the normal state of things. They should be owned by the dirsrv user and group. Since the dirsrv user is responsible for writing to these files, creating the directories etc, I would not think you would have a usable install if this is not set up correctly. If you do ps -ef | grep dirsrv, what user is running those processes?
>
>
> Thanks
> Charlie
>

From rcritten at redhat.com Thu May 19 17:52:48 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 19 May 2011 13:52:48 -0400
Subject: [Freeipa-users] help! IPA server she explode!
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006352697@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006352697@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DD558F0.2050100@redhat.com>

Steven Jones wrote:
>
> I have an internal ajax error!
>
> :(
>
> the logs say,
>
>
> [Thu May 19 09:59:35 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
> [Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
> [Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
> [Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/ui/
> [Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/top-bg.png, referer: https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/ui/ipa.css
> [Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
> [Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
> [Thu May 19 10:04:43 2011] [error] [client 130.195.81.236] mod_wsgi (pid=1917): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.
> [Thu May 19 10:04:45 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
> [Thu May 19 10:05:09 2011] [error] [client 130.195.81.236] mod_wsgi (pid=1916): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.
> [root at vuwunicoipamt01 httpd]#
>
> regards

The key bit in the log is:

Failed to start IPA: Unable to retrieve LDAP schema.
Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac.nz at UNIX.VUW.AC.NZ in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')

Without the schema the framework can't do much of anything useful so it just punts.

Some things to try in no particular order:

- /sbin/service httpd restart, perhaps dirsrv was down when httpd started
- on IPA server kinit admin to ensure things are working
- ensure that dirsrv is running (krb5kdc running w/o dirsrv is bound to fail)

rob

From Steven.Jones at vuw.ac.nz Thu May 19 22:06:50 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 May 2011 22:06:50 +0000
Subject: [Freeipa-users] freeipa and AD
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063533D6@STAWINCOX10MBX1.staff.vuw.ac.nz>

is this how ipa works?

End State 5. A cross-realm trust is established between UNIX-based Kerberos and Active Directory-based Kerberos in UNIX and Windows infrastructures that remain separate. Windows and UNIX clients each authenticate to their own Kerberos Key Distribution Center (KDC) and (if the trust is two-way) can then access resources hosted by computers on the other side.

My understanding is it's simpler.....just a password sync? which I guess is achieved by that password sync.

regards

Steven

From dpal at redhat.com Thu May 19 22:27:25 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 19 May 2011 18:27:25 -0400
Subject: [Freeipa-users] freeipa and AD
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063533D6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40063533D6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DD5994D.40108@redhat.com>

On 05/19/2011 06:06 PM, Steven Jones wrote:
> is this how ipa works?
>
> End State 5. A cross-realm trust is established between UNIX-based Kerberos and Active Directory-based Kerberos in UNIX and Windows infrastructures that remain separate.
> Windows and UNIX clients each authenticate to their own Kerberos Key Distribution Center (KDC) and (if the trust is two-way) can then access resources hosted by computers on the other side.

This is what we are building now.

>
>
> My understanding is it's simpler.....just a password sync? which I guess is achieved by that password sync.

User sync from AD and password sync in both directions is what it is capable of now.

> regards
>
> Steven
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Thu May 19 22:53:45 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 May 2011 22:53:45 +0000
Subject: [Freeipa-users] freeipa and AD
In-Reply-To: <4DD5994D.40108@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40063533D6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD5994D.40108@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635340F@STAWINCOX10MBX1.staff.vuw.ac.nz>

So this will be freeipa 3.0? or 4.0? ie I assume it's not 2.0.xxx? about how far away is it? 2 years?

regards

From Steven.Jones at vuw.ac.nz Thu May 19 23:19:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 May 2011 23:19:41 +0000
Subject: [Freeipa-users] freeipa and Universties shiboleth/federation
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006353440@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi

Has anyone been near this?

My limited understanding is the Shibboleth rpms can work with FDS, so I'm assuming there is a capability/link?

regards

From dpal at redhat.com Thu May 19 23:27:23 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 19 May 2011 19:27:23 -0400
Subject: [Freeipa-users] freeipa and Universties shiboleth/federation
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006353440@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006353440@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DD5A75B.8080503@redhat.com>

On 05/19/2011 07:19 PM, Steven Jones wrote:
> Hi
>
> Has anyone been near this?
>
> My limited understanding is the Shibboleth rpms can work with FDS, so I'm assuming there is a capability/link?
>
> regards
>

I do not think we ever got to trying it.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Thu May 19 23:59:44 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 May 2011 23:59:44 +0000
Subject: [Freeipa-users] freeipa and Universties shiboleth/federation
In-Reply-To: <4DD5A75B.8080503@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006353440@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD5A75B.8080503@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006353465@STAWINCOX10MBX1.staff.vuw.ac.nz>

oh lucky me then....

regards

Steven

From sigbjorn at nixtra.com Sun May 22 10:16:31 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 22 May 2011 12:16:31 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DD2AF48.6090602@redhat.com>
References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com>
Message-ID: <4DD8E27F.7070906@nixtra.com>

On 05/17/2011 07:24 PM, Rich Megginson wrote:
> On 05/17/2011 06:40 AM, Sigbjorn Lie wrote:
>> On 05/16/2011 04:56 PM, Rich Megginson wrote:
>>> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote:
>>>> On 05/16/2011 03:52 PM, Simo Sorce wrote:
>>>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
>>>>>> I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started.
>>>>>>
>>>>>> I noticed this as my test virtualization host has had its power cord knocked out a few times. When I restart the host machine, all the virtual machines are started at the same time, causing (a lot) higher than normal latency for each virtual machine.
>>>>>>
>>>>>> This causes the IPA daemons to start, while during the startup one or several IPA daemons fail due to dependencies on other daemons which are not started yet, and all the IPA daemons are stopped as not all the IPA daemons started successfully. I've noticed that the default behavior of the ipactl command is to shut down all the IPA daemons if any of the IPA daemons should fail during startup.
>>>>>>
>>>>>> This can be seen in the logs of the individual services, as some are started successfully, just to receive a shutdown signal shortly after. It seems to be the pki-ca which shut down my IPA services this morning.
>>>>>>
>>>>>> When rebooting the virtual machine running the IPA daemons during normal load of the host machine, all the IPA daemons start successfully. Logging on to the IPA server and manually starting the IPA daemons after the load of the host machine has decreased also works.
>>>>>>
>>>>>> I suggest changing the startup scripts to allow (a lot) longer startup times for the IPA daemons prior to failing them.
>>>>> At the moment we just run service start and wait until it is done. If the pki-cad service times out and returns an error I think we need to open a bug against the dogtag component as that is the cause.
>>>>>
>>>>> Can you open a bug in the freeipa trac with logs showing that service is responsible for the failure ?
>>>>
>>>> I haven't been able to figure out which service failed IPA yet. A lot of log files scattered around. As you can see from the slapd errors file, the slapd daemon was available for almost 3 minutes before receiving the shutdown signal. I notice now that the PKI daemon failed 8 seconds after slapd had shut down, so I was wrong in blaming the PKI daemon.
>>>>
>>>> See below for a list of log files I've been through. They all have one thing in common: the daemons start when the host machine is started, at approx 06:34, then receive a shutdown signal around 06:37. Some time later when the host has calmed down, I'm logging in and manually starting IPA using "ipactl start", and all the daemons start without any problem. And they keep running after my manual intervention.
>>>>
>>>> I wish I could be more specific, but I'm unsure where else to look.
>>>> Suggestions?
>>>>
>>>>
>>>> /var/log/krb5kdc.log
>>>> /var/log/pki-ca/catalina.out
>>>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>>>> /var/log/dirsrv/slapd-PKI-IPA/errors
>>>> /var/log/httpd/error_log
>>>> /var/log/messages (named log)
>>>>
>>>> slapd errors:
>>>>
>>>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up
>>>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>> 1) Disorderly Shutdown means a) crash b) kill -9 or similar - neither of which should be happening - is this the replica install or the first master install?
>>
>> First master install.
>>
> What is in the slapd errors log before [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up?

Hi,

Rich, there is nothing above that line. The previous entry was from the last time the server started.

Yesterday I rebooted my host platform, graceful shutdown this time, and the same problem occurred again when the host and all the virtual machines started. I had a look in my boot.log file, see below for output. As you can see the "Starting pki-ca" returns an "OK", but the next line says: "Failed to start CA Service" "Shutting down". Looking at the timestamps, it looks like the dirsrv instance is shut down before the pki-ca is given a chance to start, or am I looking at the incorrect log files?

I have included my boot.log, the PKI-CA dirsrv log, and the pki-ca debug log.

/var/log/boot.log:

Starting Directory Service
Starting dirsrv:
    IX-TEST-COM...                                  [  OK  ]
    PKI-IPA...                                      [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                            [  OK  ]
Starting KPASSWD Service
Starting ipa_kpasswd:                               [  OK  ]
Starting DNS Service
Starting named:                                     [  OK  ]
Starting HTTP Service
Starting httpd:                                     [  OK  ]
Starting CA Service
Starting pki-ca:                                    [  OK  ]
Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC:                            [  OK  ]
Shutting down ipa_kpasswd:                          [  OK  ]
Stopping named:                                     [  OK  ]
Stopping httpd:                                     [  OK  ]
Stopping pki-ca:                                    [FAILED]
Shutting down dirsrv:
    IX-TEST-COM...                                  [  OK  ]
    PKI-IPA...                                      [  OK  ]
Aborting ipactl

/var/log/dirsrv/slapd-PKI-IPA/errors:

[21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252 starting up
[21/May/2011:18:47:48 +0200] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
[21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 for LDAPS requests
[21/May/2011:18:50:00 +0200] - slapd shutting down - signaling operation threads
[21/May/2011:18:50:01 +0200] - slapd shutting down - closing down internal subsystems and plugins
[21/May/2011:18:50:01 +0200] - Waiting for 4 database threads to stop
[21/May/2011:18:50:02 +0200] - All database threads now stopped
[21/May/2011:18:50:02 +0200] - slapd stopped.
/var/lib/pki-ca/logs/debug: [21/May/2011:18:50:15][main]: ============================================ [21/May/2011:18:50:15][main]: ===== DEBUG SUBSYSTEM INITIALIZED ======= [21/May/2011:18:50:15][main]: ============================================ [21/May/2011:18:50:15][main]: CMSEngine: done init id=debug [21/May/2011:18:50:15][main]: CMSEngine: initialized debug [21/May/2011:18:50:15][main]: CMSEngine: initSubsystem id=log [21/May/2011:18:50:15][main]: CMSEngine: ready to init id=log [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN [21/May/2011:18:50:16][main]: LogFile: log event type selected: ROLE_ASSUME [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CERT_POLICY [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_AUTH [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ROLE [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ACL [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ENCRYPTION [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_DRM [21/May/2011:18:50:16][main]: LogFile: log event type selected: SELFTESTS_EXECUTION [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_DELETE [21/May/2011:18:50:16][main]: LogFile: log event type selected: LOG_PATH_CHANGE [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST [21/May/2011:18:50:16][main]: 
LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC [21/May/2011:18:50:16][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_SUCCESS [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_FAIL [21/May/2011:18:50:16][main]: LogFile: log event type selected: INTER_BOUNDARY [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_FAIL [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_SUCCESS [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_PROFILE_APPROVAL [21/May/2011:18:50:16][main]: LogFile: log event type selected: PROOF_OF_POSSESSION [21/May/2011:18:50:16][main]: LogFile: log event type selected: CRL_RETRIEVAL [21/May/2011:18:50:16][main]: LogFile: log event type selected: CRL_VALIDATION 
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CMC_SIGNED_REQUEST_SIG_VERIFY [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST_PROCESSED [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS 
[21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CIMC_CERT_VERIFICATION
[21/May/2011:18:50:16][main]: CMSEngine: done init id=log
[21/May/2011:18:50:16][main]: CMSEngine: initialized log
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=os
[21/May/2011:18:50:16][main]: CMSEngine: ready to init id=os
[21/May/2011:18:50:16][main]: CMSEngine: done init id=os
[21/May/2011:18:50:16][main]: CMSEngine: initialized os
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=jss
[21/May/2011:18:50:16][main]: CMSEngine: ready to init id=jss
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_40_md5
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc2_40_md5
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_des_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_128_md5
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_3des_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_des_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_3des_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza_rc4_128_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_null_md5
[21/May/2011:18:50:16][main]: CMSEngine: done init id=jss
[21/May/2011:18:50:16][main]: CMSEngine: initialized jss
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs
[21/May/2011:18:50:16][main]: CMSEngine: ready to init id=dbs
[21/May/2011:18:50:16][main]: LdapBoundConnFactory: init
[21/May/2011:18:50:16][main]: LdapBoundConnFactory:doCloning true
[21/May/2011:18:50:16][main]: LdapAuthInfo: init()
[21/May/2011:18:50:16][main]: LdapAuthInfo: init begins
[21/May/2011:18:50:16][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
[21/May/2011:18:50:16][main]: LdapAuthInfo: init: try getting from memory cache
[21/May/2011:18:50:16][main]: LdapAuthInfo: init: password not in memory
[21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: try to get it from password store
[21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password store initialized before.
[21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password store initialized.
[21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: Internal LDAP Database
[21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: password store available
[21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: password for Internal LDAP Database not found, trying internaldb
[21/May/2011:18:50:16][main]: LdapAuthInfo: password ok: store in memory cache
[21/May/2011:18:50:16][main]: LdapAuthInfo: init ends
[21/May/2011:18:50:16][main]: init: before makeConnection errorIfDown is true
[21/May/2011:18:50:16][main]: makeConnection: errorIfDown true
[21/May/2011:18:50:16][main]: CMS:Caught EBaseException Internal Database Error encountered: Could not connect to LDAP server host ipa01.ix.test.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://ipa01.ix.test.com:7389 (91)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:674)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:302)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:516)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[21/May/2011:18:50:16][main]: CMSEngine.shutdown()
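The question in the message above is an ordering one: had the PKI-IPA directory instance already stopped when pki-ca tried to bind to port 7389? The two logs involved use different timestamp formats (the 389-ds errors file carries a UTC offset, the Dogtag debug file does not), so lining them up by hand is error-prone. The script below is an added example, not code from the thread or from FreeIPA, 389-ds or Dogtag: it parses both formats, merges them into one timeline and reports how long slapd had been down when the CA's connection attempt failed. The sample lines are excerpts of the logs posted in the thread, embedded so the script runs offline; the +0200 zone assumed for the Dogtag log is taken from the dirsrv log, since the Dogtag lines carry none.

```python
"""Merge 389-ds "errors" and Dogtag pki-ca "debug" log lines into one timeline.

Added example for the thread above; not part of FreeIPA, 389-ds or Dogtag.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: excerpts of the two logs posted in the thread.
DIRSRV_ERRORS = """\
[21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252 starting up
[21/May/2011:18:47:48 +0200] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
[21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 for LDAPS requests
[21/May/2011:18:50:00 +0200] - slapd shutting down - signaling operation threads
[21/May/2011:18:50:02 +0200] - slapd stopped.
"""

PKI_DEBUG = """\
[21/May/2011:18:50:15][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs
[21/May/2011:18:50:16][main]: makeConnection: errorIfDown true
[21/May/2011:18:50:16][main]: CMS:Caught EBaseException Internal Database Error encountered: Could not connect to LDAP server host ipa01.ix.test.com port 7389
[21/May/2011:18:50:16][main]: CMSEngine.shutdown()
"""

TS = r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}"
# 389-ds:  [21/May/2011:18:47:41 +0200] - message   (carries a UTC offset)
DIRSRV_RE = re.compile(r"^\[(" + TS + r" [+-]\d{4})\] - (.*)$")
# Dogtag:  [21/May/2011:18:50:16][main]: message    (no offset; local time)
PKI_RE = re.compile(r"^\[(" + TS + r")\]\[\w+\]: (.*)$")

# Assumption: the pki-ca log is in the same local zone as the dirsrv log (+0200 here).
LOCAL_TZ = timezone(timedelta(hours=2))


def parse_dirsrv(text):
    """Yield (timestamp, "dirsrv", message) for each well-formed line."""
    for line in text.splitlines():
        m = DIRSRV_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, "dirsrv", m.group(2)


def parse_pki(text, tz=LOCAL_TZ):
    """Yield (timestamp, "pki-ca", message); the zone is supplied by the caller."""
    for line in text.splitlines():
        m = PKI_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S").replace(tzinfo=tz)
            yield ts, "pki-ca", m.group(2)


def timeline(dirsrv_text, pki_text, tz=LOCAL_TZ):
    """Return all events from both logs ordered by time (stable within a second)."""
    events = list(parse_dirsrv(dirsrv_text)) + list(parse_pki(pki_text, tz))
    events.sort(key=lambda e: e[0])
    return events


def first(events, source, needle):
    """Timestamp of the first event from `source` whose message contains `needle`."""
    for ts, src, msg in events:
        if src == source and needle in msg:
            return ts
    return None


def slapd_uptime_seconds(events):
    """Seconds between 'slapd started' and 'slapd stopped', or None if either is missing."""
    started = first(events, "dirsrv", "slapd started")
    stopped = first(events, "dirsrv", "slapd stopped")
    if started is None or stopped is None:
        return None
    return int((stopped - started).total_seconds())


def ldap_down_before_ca_bind_seconds(events):
    """Seconds the directory had been stopped when the CA tried to connect.

    Positive: slapd was already down when pki-ca tried (the situation in the thread).
    Negative: the CA failed while slapd was still up, so look elsewhere.
    None: one of the two marker lines is absent from the input.
    """
    stopped = first(events, "dirsrv", "slapd stopped")
    failed = first(events, "pki-ca", "Could not connect to LDAP server")
    if stopped is None or failed is None:
        return None
    return int((failed - stopped).total_seconds())


if __name__ == "__main__":
    events = timeline(DIRSRV_ERRORS, PKI_DEBUG)
    for ts, src, msg in events:
        print(f"{ts.isoformat()} {src:7s} {msg[:80]}")
    print("slapd uptime (s):", slapd_uptime_seconds(events))
    print("LDAP down before CA bind (s):", ldap_down_before_ca_bind_seconds(events))
```

On the posted excerpts the directory was up for 134 seconds and had been stopped for 14 seconds when the CA's bind failed, which matches the reading in the thread that the shutdown signal arrived before pki-ca ever got a chance to connect; run against the full files, a negative result would instead point at the CA itself.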
From sigbjorn at nixtra.com Sun May 22 19:16:58 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 22 May 2011 21:16:58 +0200
Subject: [Freeipa-users] ipa-client in RHEL5
Message-ID: <4DD9612A.8030704@nixtra.com>

Hi,

Is it so that the ipa-client-install script currently available for RHEL 5.6 is not yet updated to work with the IPA server released in RHEL 6.1?

Rgds,
Siggi

[root at client5 ~]# rpm -qa|grep ipa-client
ipa-client-2.0-10.el5
[root at client5 ~]# ipa-client-install
Discovery was successful!
Realm: IX.TEST.COM
DNS Domain: ix.test.com
IPA Server: ipa01.ix.test.com
BaseDN: dc=ix,dc=test,dc=com

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for admin at IX.TEST.COM:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=IX.TEST.COM

From Steven.Jones at vuw.ac.nz Sun May 22 20:18:15 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 22 May 2011 20:18:15 +0000
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DD8E27F.7070906@nixtra.com>
References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com>,<4DD8E27F.7070906@nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I seem to have similar issues, but since 6.1 proper is now out, I'm starting again from scratch, I need to improve disk layouts etc anyway.

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Sunday, 22 May 2011 10:16 p.m.
To: Rich Megginson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Startup issues

On 05/17/2011 07:24 PM, Rich Megginson wrote:
> On 05/17/2011 06:40 AM, Sigbjorn Lie wrote:
>> On 05/16/2011 04:56 PM, Rich Megginson wrote:
>>> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote:
>>>> On 05/16/2011 03:52 PM, Simo Sorce wrote:
>>>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
>>>>>> I've noticed that if the machine running IPA is very busy at
>>>>>> startup,
>>>>>> the IPA services will not be online when the machine is started.
>>>>>>
>>>>>> I noticed this is as my test virtualization host has had its
>>>>>> power cord
>>>>>> knocked out a few times. When I restart the host machine, all the
>>>>>> virtual machines is started at the same time, causing (a lot) higher
>>>>>> than normal latency for each virtual machine.
>>>>>>
>>>>>> This causes the IPA daemons to start, while during the startup
>>>>>> one or
>>>>>> several IPA daemons fails due to dependencies of other daemons
>>>>>> which is
>>>>>> not started yet, and all the IPA daemons is stopped as not all
>>>>>> the IPA
>>>>>> daemons started successfully. I've noticed that the default
>>>>>> behavior of
>>>>>> the ipactl command is to shut down all the IPA daemons, if any of
>>>>>> the
>>>>>> IPA daemons should fail during startup.
>>>>>>
>>>>>> This can be seen in the logs of the individual services, as some is
>>>>>> started successfully, just to receive a shutdown signal shortly
>>>>>> after.
>>>>>> It seem to be the pki-ca which shut down my IPA services this
>>>>>> morning.
>>>>>>
>>>>>> When rebooting the virtual machine running the IPA daemons during
>>>>>> normal
>>>>>> load of the host machine, all the IPA daemons start successfully.
>>>>>> Logging on to the IPA server and manually starting the IPA
>>>>>> daemons after
>>>>>> the load of the host machine has decreased also works.
>>>>>>
>>>>>> I suggest changing the startup scripts to allow (a lot) longer
>>>>>> startup
>>>>>> times for the IPA daemons prior to failing them.
>>>>> At the moment we just run service start and wait until it is
>>>>> done. If the pki-cad service timeouts and returns an error I think we
>>>>> need to open a bug against the dogtag component as that is the cause.
>>>>>
>>>>> Can you open a bug in the freeipa trac with logs showing that
>>>>> service is
>>>>> responsible for the failure ?
>>>>
>>>> I haven't been able to figure out which service that failed IPA
>>>> yet. A lot of log files scattered around. As you can see from the
>>>> slapd errors file, the slapd daemon was available for almost 3
>>>> minutes before receiving the shutdown signal. I notice now that the
>>>> PKI daemon failed 8 seconds after slapd had shut down, so I was
>>>> wrong in blaming the PKI daemon.
>>>>
>>>> See below for a list of log files I've been through. They all have
>>>> one thing in common, the daemons starts when the host machine is
>>>> started, at approx 06:34, then receives a shutdown signal around
>>>> 06:37. Some time later when the host has calmed down, I'm logging
>>>> in and manually starting IPA using "ipactl start", and all the
>>>> daemons start without any problem. And they keep running after my
>>>> manual intervention.
>>>>
>>>> I wish I could be more specific, but I'm unsure where else to look.
>>>> Suggestions?
>>>>
>>>>
>>>> /var/log/krb5kdc.log
>>>> /var/log/pki-ca/catalina.out
>>>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>>>> /var/log/dirsrv/slapd-PKI-IPA/errors
>>>> /var/log/httpd/error_log
>>>> /var/log/messages (named log)
>>>>
>>>> slapd errors:
>>>>
>>>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1
>>>> B2011.062.1416 starting up
>>>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last
>>>> time Directory Server was running, recovering database.
>>> 1) Disorderly Shutdown means a) crash b) kill -9 or similar -
>>> neither of which should be happening - is this the replica install
>>> or the first master install?
>>
>>
>>
>> First master install.
>>
> What is in the slapd errors log before [14/May/2011:06:33:52 +0200] -
> 389-Directory/1.2.8.rc1 B2011.062.1416 starting up?

Hi,

Rich, there is nothing above that line. Previous entry was from last time the server started.

Yesterday I rebooted my host platform, graceful shutdown this time, and the same problem occurred again when the host, and all the virtual machines started. I had a look in my boot.log file, see below for output. As you can see the "Starting pki-ca" return an "OK", but the next line says: "Failed to start CA Service" "Shutting down".

Looking at the timestamps, it looks like the dirsrv instance is shut down before the pki-ca is given a chance to start, or am I looking at the incorrect log files?

I have included my boot.log, and the PKI-CA dirsrv log, and the pki-ca debug log.


/var/log/boot.log:

Starting Directory Service
Starting dirsrv:
    IX-TEST-COM... [ OK ]
    PKI-IPA... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting ipa_kpasswd: [ OK ]
Starting DNS Service
Starting named: [ OK ]
Starting HTTP Service
Starting httpd: [ OK ]
Starting CA Service
Starting pki-ca: [ OK ]
Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Shutting down ipa_kpasswd: [ OK ]
Stopping named: [ OK ]
Stopping httpd: [ OK ]
Stopping pki-ca: [FAILED]
Shutting down dirsrv:
    IX-TEST-COM... [ OK ]
    PKI-IPA... [ OK ]
Aborting ipactl


/var/log/dirsrv/slapd-PKI-IPA/errors:

[21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252 starting up
[21/May/2011:18:47:48 +0200] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
[21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 for LDAPS requests
[21/May/2011:18:50:00 +0200] - slapd shutting down - signaling operation threads
[21/May/2011:18:50:01 +0200] - slapd shutting down - closing down internal subsystems and plugins
[21/May/2011:18:50:01 +0200] - Waiting for 4 database threads to stop
[21/May/2011:18:50:02 +0200] - All database threads now stopped
[21/May/2011:18:50:02 +0200] - slapd stopped.


/var/lib/pki-ca/logs/debug:

[21/May/2011:18:50:15][main]: ============================================
[21/May/2011:18:50:15][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[21/May/2011:18:50:15][main]: ============================================
[21/May/2011:18:50:15][main]: CMSEngine: done init id=debug
[21/May/2011:18:50:15][main]: CMSEngine: initialized debug
[21/May/2011:18:50:15][main]: CMSEngine: initSubsystem id=log
[21/May/2011:18:50:15][main]: CMSEngine: ready to init id=log
[21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
[21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
[21/May/2011:18:50:16][main]: LogFile: log event type selected: ROLE_ASSUME
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_AUTH
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ROLE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ACL
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_DRM
[21/May/2011:18:50:16][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
[21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: LOG_PATH_CHANGE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
[21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
[21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
[21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
[21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
[21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
[21/May/2011:18:50:16][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
[21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_FAIL
[21/May/2011:18:50:16][main]: LogFile: log event type selected: INTER_BOUNDARY
[21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_FAIL
[21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_PROFILE_APPROVAL
[21/May/2011:18:50:16][main]: LogFile: log event type selected: PROOF_OF_POSSESSION
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CRL_RETRIEVAL
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CRL_VALIDATION
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CMC_SIGNED_REQUEST_SIG_VERIFY
[21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST_PROCESSED
[21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST
[21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
[21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
[21/May/2011:18:50:16][main]: LogFile: log event type selected: CIMC_CERT_VERIFICATION
[21/May/2011:18:50:16][main]: CMSEngine: done init id=log
[21/May/2011:18:50:16][main]: CMSEngine: initialized log
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=os
[21/May/2011:18:50:16][main]: CMSEngine: ready to init id=os
[21/May/2011:18:50:16][main]: CMSEngine: done init id=os
[21/May/2011:18:50:16][main]: CMSEngine: initialized os
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=jss
[21/May/2011:18:50:16][main]: CMSEngine: ready to init id=jss
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_40_md5
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc2_40_md5
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_des_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_128_md5
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_3des_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_des_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_3des_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza_rc4_128_sha
[21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_null_md5
[21/May/2011:18:50:16][main]: CMSEngine: done init id=jss
[21/May/2011:18:50:16][main]: CMSEngine: initialized jss
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs
[21/May/2011:18:50:16][main]: CMSEngine: ready to init id=dbs
[21/May/2011:18:50:16][main]: LdapBoundConnFactory: init
[21/May/2011:18:50:16][main]: LdapBoundConnFactory:doCloning true
[21/May/2011:18:50:16][main]: LdapAuthInfo: init()
[21/May/2011:18:50:16][main]: LdapAuthInfo: init begins
[21/May/2011:18:50:16][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
[21/May/2011:18:50:16][main]: LdapAuthInfo: init: try getting from memory cache
[21/May/2011:18:50:16][main]: LdapAuthInfo: init: password not in memory
[21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: try to get it from password store
[21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password store initialized before.
[21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password store initialized.
[21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: Internal LDAP Database
[21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: password store available
[21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: password for Internal LDAP Database not found, trying internaldb
[21/May/2011:18:50:16][main]: LdapAuthInfo: password ok: store in memory cache
[21/May/2011:18:50:16][main]: LdapAuthInfo: init ends
[21/May/2011:18:50:16][main]: init: before makeConnection errorIfDown is true
[21/May/2011:18:50:16][main]: makeConnection: errorIfDown true
[21/May/2011:18:50:16][main]: CMS:Caught EBaseException Internal Database Error encountered: Could not connect to LDAP server host ipa01.ix.test.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://ipa01.ix.test.com:7389 (91)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:674)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:302)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:516)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[21/May/2011:18:50:16][main]: CMSEngine.shutdown()

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From sigbjorn at nixtra.com Sun May 22 22:21:55 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 23 May 2011 00:21:55 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com>
<4DD2AF48.6090602@redhat.com>, <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DD98C83.30008@nixtra.com>

Hi,

These findings were taken from a machine that's been upgraded to RHEL 6.1 proper.

Rgds,
Siggi

On 05/22/2011 10:18 PM, Steven Jones wrote:
> Hi,
>
> I seem to have similar issues, but since 6.1 proper is now out, I'm starting again from scratch, I need to improve disk layouts etc anyway.
>
> regards
>
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Sunday, 22 May 2011 10:16 p.m.
> To: Rich Megginson
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA Startup issues
>
> On 05/17/2011 07:24 PM, Rich Megginson wrote:
>> On 05/17/2011 06:40 AM, Sigbjorn Lie wrote:
>>> On 05/16/2011 04:56 PM, Rich Megginson wrote:
>>>> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote:
>>>>> On 05/16/2011 03:52 PM, Simo Sorce wrote:
>>>>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
>>>>>>> I've noticed that if the machine running IPA is very busy at
>>>>>>> startup,
>>>>>>> the IPA services will not be online when the machine is started.
>>>>>>>
>>>>>>> I noticed this is as my test virtualization host has had its
>>>>>>> power cord
>>>>>>> knocked out a few times. When I restart the host machine, all the
>>>>>>> virtual machines is started at the same time, causing (a lot) higher
>>>>>>> than normal latency for each virtual machine.
>>>>>>>
>>>>>>> This causes the IPA daemons to start, while during the startup
>>>>>>> one or
>>>>>>> several IPA daemons fails due to dependencies of other daemons
>>>>>>> which is
>>>>>>> not started yet, and all the IPA daemons is stopped as not all
>>>>>>> the IPA
>>>>>>> daemons started successfully. I've noticed that the default
>>>>>>> behavior of
>>>>>>> the ipactl command is to shut down all the IPA daemons, if any of
>>>>>>> the
>>>>>>> IPA daemons should fail during startup.
>>>>>>>
>>>>>>> This can be seen in the logs of the individual services, as some is
>>>>>>> started successfully, just to receive a shutdown signal shortly
>>>>>>> after.
>>>>>>> It seem to be the pki-ca which shut down my IPA services this
>>>>>>> morning.
>>>>>>>
>>>>>>> When rebooting the virtual machine running the IPA daemons during
>>>>>>> normal
>>>>>>> load of the host machine, all the IPA daemons start successfully.
>>>>>>> Logging on to the IPA server and manually starting the IPA
>>>>>>> daemons after
>>>>>>> the load of the host machine has decreased also works.
>>>>>>>
>>>>>>> I suggest changing the startup scripts to allow (a lot) longer
>>>>>>> startup
>>>>>>> times for the IPA daemons prior to failing them.
>>>>>> At the moment we just run service start and wait until it is
>>>>>> done. If the pki-cad service timeouts and returns an error I think we
>>>>>> need to open a bug against the dogtag component as that is the cause.
>>>>>>
>>>>>> Can you open a bug in the freeipa trac with logs showing that
>>>>>> service is
>>>>>> responsible for the failure ?
>>>>> I haven't been able to figure out which service that failed IPA
>>>>> yet. A lot of log files scattered around. As you can see from the
>>>>> slapd errors file, the slapd daemon was available for almost 3
>>>>> minutes before receiving the shutdown signal. I notice now that the
>>>>> PKI daemon failed 8 seconds after slapd had shut down, so I was
>>>>> wrong in blaming the PKI daemon.
>>>>>
>>>>> See below for a list of log files I've been through. They all have
>>>>> one thing in common, the daemons starts when the host machine is
>>>>> started, at approx 06:34, then receives a shutdown signal around
>>>>> 06:37. Some time later when the host has calmed down, I'm logging
>>>>> in and manually starting IPA using "ipactl start", and all the
>>>>> daemons start without any problem. And they keep running after my
>>>>> manual intervention.
>>>>>
>>>>> I wish I could be more specific, but I'm unsure where else to look.
>>>>> Suggestions?
>>>>>
>>>>>
>>>>> /var/log/krb5kdc.log
>>>>> /var/log/pki-ca/catalina.out
>>>>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>>>>> /var/log/dirsrv/slapd-PKI-IPA/errors
>>>>> /var/log/httpd/error_log
>>>>> /var/log/messages (named log)
>>>>>
>>>>> slapd errors:
>>>>>
>>>>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1
>>>>> B2011.062.1416 starting up
>>>>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last
>>>>> time Directory Server was running, recovering database.
>>>> 1) Disorderly Shutdown means a) crash b) kill -9 or similar -
>>>> neither of which should be happening - is this the replica install
>>>> or the first master install?
>>>
>>>
>>> First master install.
>>>
>> What is in the slapd errors log before [14/May/2011:06:33:52 +0200] -
>> 389-Directory/1.2.8.rc1 B2011.062.1416 starting up?
>
> Hi,
>
> Rich, there is nothing above that line. Previous entry was from last
> time the server started.
>
> Yesterday I rebooted my host platform, graceful shutdown this time, and
> the same problem occurred again when the host, and all the virtual
> machines started. I had a look in my boot.log file, see below for
> output. As you can see the "Starting pki-ca" return an "OK", but the
> next line says: "Failed to start CA Service"
> "Shutting down".
>
> Looking at the timestamps, it looks like the dirsrv instance is shut
> down before the pki-ca is given a chance to start, or am I looking at
> the incorrect log files?
>
> I have included my boot.log, and the PKI-CA dirsrv log, and the pki-ca
> debug log.
>
>
>
>
> /var/log/boot.log:
>
> Starting Directory Service
> Starting dirsrv:
> IX-TEST-COM... [ OK ]
> PKI-IPA... [ OK ]
> Starting KDC Service
> Starting Kerberos 5 KDC: [ OK ]
> Starting KPASSWD Service
> Starting ipa_kpasswd: [ OK ]
> Starting DNS Service
> Starting named: [ OK ]
> Starting HTTP Service
> Starting httpd: [ OK ]
> Starting CA Service
> Starting pki-ca: [ OK ]
> Failed to start CA Service
> Shutting down
> Stopping Kerberos 5 KDC: [ OK ]
> Shutting down ipa_kpasswd: [ OK ]
> Stopping named: [ OK ]
> Stopping httpd: [ OK ]
> Stopping pki-ca: [FAILED]
> Shutting down dirsrv:
> IX-TEST-COM... [ OK ]
> PKI-IPA... [ OK ]
> Aborting ipactl
>
>
>
>
> /var/log/dirsrv/slapd-PKI-IPA/errors:
>
> [21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252
> starting up
> [21/May/2011:18:47:48 +0200] - slapd started. Listening on All
> Interfaces port 7389 for LDAP requests
> [21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 for
> LDAPS requests
> [21/May/2011:18:50:00 +0200] - slapd shutting down - signaling operation
> threads
> [21/May/2011:18:50:01 +0200] - slapd shutting down - closing down
> internal subsystems and plugins
> [21/May/2011:18:50:01 +0200] - Waiting for 4 database threads to stop
> [21/May/2011:18:50:02 +0200] - All database threads now stopped
> [21/May/2011:18:50:02 +0200] - slapd stopped.
>
>
>
>
> /var/lib/pki-ca/logs/debug:
>
> [21/May/2011:18:50:15][main]: ============================================
> [21/May/2011:18:50:15][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> [21/May/2011:18:50:15][main]: ============================================
> [21/May/2011:18:50:15][main]: CMSEngine: done init id=debug
> [21/May/2011:18:50:15][main]: CMSEngine: initialized debug
> [21/May/2011:18:50:15][main]: CMSEngine: initSubsystem id=log
> [21/May/2011:18:50:15][main]: CMSEngine: ready to init id=log
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> AUDIT_LOG_STARTUP
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> AUDIT_LOG_SHUTDOWN
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ROLE_ASSUME
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CONFIG_CERT_POLICY
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CONFIG_CERT_PROFILE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CONFIG_CRL_PROFILE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CONFIG_OCSP_PROFILE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_AUTH
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ROLE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ACL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CONFIG_SIGNED_AUDIT
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CONFIG_ENCRYPTION
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CONFIG_TRUSTED_PUBLIC_KEY
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_DRM
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> SELFTESTS_EXECUTION
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> AUDIT_LOG_DELETE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> LOG_PATH_CHANGE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> PRIVATE_KEY_ARCHIVE_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> KEY_RECOVERY_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> KEY_RECOVERY_REQUEST_ASYNC
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> KEY_RECOVERY_AGENT_LOGIN
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> KEY_RECOVERY_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> KEY_GEN_ASYMMETRIC
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> NON_PROFILE_CERT_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> PROFILE_CERT_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CERT_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CERT_STATUS_CHANGE_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CERT_STATUS_CHANGE_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> AUTHZ_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_FAIL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> INTER_BOUNDARY
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_FAIL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CERT_PROFILE_APPROVAL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> PROOF_OF_POSSESSION
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CRL_RETRIEVAL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CRL_VALIDATION
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CMC_SIGNED_REQUEST_SIG_VERIFY
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> SERVER_SIDE_KEYGEN_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> COMPUTE_SESSION_KEY_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> DIVERSIFY_KEY_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> ENCRYPT_DATA_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> OCSP_ADD_CA_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> OCSP_ADD_CA_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> OCSP_REMOVE_CA_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> COMPUTE_RANDOM_DATA_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected:
> CIMC_CERT_VERIFICATION
> [21/May/2011:18:50:16][main]: CMSEngine: done init id=log
> [21/May/2011:18:50:16][main]: CMSEngine: initialized log
> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=os
> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=os
> [21/May/2011:18:50:16][main]: CMSEngine: done init id=os
> [21/May/2011:18:50:16][main]: CMSEngine: initialized os
> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=jss
> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=jss
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_rc4_40_md5
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_rc2_40_md5
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_des_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_rc4_128_md5
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_3des_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_fips_des_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_fips_3des_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher fortezza
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher fortezza_rc4_128_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_null_md5
> [21/May/2011:18:50:16][main]: CMSEngine: done init id=jss
> [21/May/2011:18:50:16][main]: CMSEngine: initialized jss
>
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs > [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=dbs > [21/May/2011:18:50:16][main]: LdapBoundConnFactory: init > [21/May/2011:18:50:16][main]: LdapBoundConnFactory:doCloning true > [21/May/2011:18:50:16][main]: LdapAuthInfo: init() > [21/May/2011:18:50:16][main]: LdapAuthInfo: init begins > [21/May/2011:18:50:16][main]: LdapAuthInfo: init: prompt is Internal > LDAP Database > [21/May/2011:18:50:16][main]: LdapAuthInfo: init: try getting from > memory cache > [21/May/2011:18:50:16][main]: LdapAuthInfo: init: password not in memory > [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: try to > get it from password store > [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password > store initialized before. > [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password > store initialized. > [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: about > to get from passwored store: Internal LDAP Database > [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: > password store available > [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: > password for Internal LDAP Database not found, trying internaldb > [21/May/2011:18:50:16][main]: LdapAuthInfo: password ok: store in memory > cache > [21/May/2011:18:50:16][main]: LdapAuthInfo: init ends > [21/May/2011:18:50:16][main]: init: before makeConnection errorIfDown is > true > [21/May/2011:18:50:16][main]: makeConnection: errorIfDown true > [21/May/2011:18:50:16][main]: CMS:Caught EBaseException > Internal Database Error encountered: Could not connect to LDAP server > host ipa01.ix.test.com port 7389 Error netscape.ldap.LDAPException: > failed to conn > ect to server ldap://ipa01.ix.test.com:7389 (91) > at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:674) > at > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837) > at > 
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766) > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:302) > at com.netscape.certsrv.apps.CMS.init(CMS.java:153) > at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) > at > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) > at > org.apache.catalina.core.StandardService.start(StandardService.java:516) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:710) > at org.apache.catalina.startup.Catalina.start(Catalina.java:593) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:616) > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > [21/May/2011:18:50:16][main]: CMSEngine.shutdown() > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Mon May 23 04:42:18 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 23 May 2011 04:42:18 +0000 Subject: [Freeipa-users] Why not unix UIDs (numbers and range) Message-ID: <833D8E48405E064EBC54C84EC6B36E4006355C05@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Why doesnt IPA use std unix UIDs? and how does that translate into Unix permissions on a client if it does not? BTW neat install, under 10mins and its up! :D regards Steven From sgallagh at redhat.com Mon May 23 11:21:08 2011 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 23 May 2011 07:21:08 -0400 Subject: [Freeipa-users] ipa-client in RHEL5 In-Reply-To: <4DD9612A.8030704@nixtra.com> References: <4DD9612A.8030704@nixtra.com> Message-ID: <1306149673.1999.1.camel@sgallagh.bos.redhat.com> On Sun, 2011-05-22 at 21:16 +0200, Sigbjorn Lie wrote: > Hi, > > Is it so that the ipa-client-install script currently available for RHEL > 5.6 is not yet updated to work with the IPA server released in RHEL 6.1? That is correct. The ipa-client being released in RHEL 5.7 (and the forthcoming RHEL 5.7 beta) will be updated to work properly with late changes to the FreeIPA v2 server. 
From sgallagh at redhat.com Mon May 23 11:23:44 2011
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 23 May 2011 07:23:44 -0400
Subject: [Freeipa-users] Why not unix UIDs (numbers and range)
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006355C05@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006355C05@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1306149825.1999.4.camel@sgallagh.bos.redhat.com>

On Mon, 2011-05-23 at 04:42 +0000, Steven Jones wrote:
> Hi,
>
> Why doesn't IPA use std unix UIDs? And how does that translate into Unix permissions on a client if it does not?
>
> BTW neat install, under 10 mins and it's up!

FreeIPA does use standard UNIX UIDs and GIDs. By default, however,
they're generated automatically behind the scenes so that the
administrator doesn't need to manage them. FreeIPA does this so it can
ensure that there are no duplicate IDs in the system, which is a common
problem in unmanaged LDAP environments.

On the various client machines, you can see that the users have UIDs
and GIDs by performing 'getent passwd '.
From dpal at redhat.com Mon May 23 19:55:15 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 23 May 2011 15:55:15 -0400
Subject: [Freeipa-users] ipa-client in RHEL5
In-Reply-To: <1306149673.1999.1.camel@sgallagh.bos.redhat.com>
References: <4DD9612A.8030704@nixtra.com> <1306149673.1999.1.camel@sgallagh.bos.redhat.com>
Message-ID: <4DDABBA3.6020704@redhat.com>

On 05/23/2011 07:21 AM, Stephen Gallagher wrote:
> On Sun, 2011-05-22 at 21:16 +0200, Sigbjorn Lie wrote:
>> Hi,
>>
>> Is it so that the ipa-client-install script currently available for RHEL
>> 5.6 is not yet updated to work with the IPA server released in RHEL 6.1?
> That is correct. The ipa-client being released in RHEL 5.7 (and the
> forthcoming RHEL 5.7 beta) will be updated to work properly with late
> changes to the FreeIPA v2 server.

Actually Rob has been working on errata that would fix some of the 5.6
issues. Please watch the ipa-client errata to come soon.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From Steven.Jones at vuw.ac.nz Mon May 23 20:58:53 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 May 2011 20:58:53 +0000
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DD98C83.30008@nixtra.com>
References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com>, <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DD98C83.30008@nixtra.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I just built a brand new RHEL 6.1 64-bit server and installed ipa-server, and despite setting up the chkconfigs it won't start on boot... it will start manually later by hand...

So it's not just you. ;]

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Monday, 23 May 2011 10:21 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Startup issues

Hi,

These findings were taken from a machine that's been upgraded to RHEL 6.1 proper.

Rgds,
Siggi

On 05/22/2011 10:18 PM, Steven Jones wrote:
> Hi,
>
> I seem to have similar issues, but since 6.1 proper is now out, I'm starting again from scratch; I need to improve disk layouts etc. anyway.
>
> regards
>
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Sunday, 22 May 2011 10:16 p.m.
> To: Rich Megginson
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA Startup issues
>
> On 05/17/2011 07:24 PM, Rich Megginson wrote:
>> On 05/17/2011 06:40 AM, Sigbjorn Lie wrote:
>>> On 05/16/2011 04:56 PM, Rich Megginson wrote:
>>>> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote:
>>>>> On 05/16/2011 03:52 PM, Simo Sorce wrote:
>>>>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
>>>>>>> I've noticed that if the machine running IPA is very busy at startup,
>>>>>>> the IPA services will not be online when the machine is started.
>>>>>>>
>>>>>>> I noticed this as my test virtualization host has had its power cord
>>>>>>> knocked out a few times. When I restart the host machine, all the
>>>>>>> virtual machines are started at the same time, causing (a lot) higher
>>>>>>> than normal latency for each virtual machine.
>>>>>>>
>>>>>>> This causes the IPA daemons to start, while during the startup one or
>>>>>>> several IPA daemons fail due to dependencies on other daemons which are
>>>>>>> not started yet, and all the IPA daemons are stopped as not all the IPA
>>>>>>> daemons started successfully. I've noticed that the default behavior of
>>>>>>> the ipactl command is to shut down all the IPA daemons if any of the
>>>>>>> IPA daemons should fail during startup.
>>>>>>>
>>>>>>> This can be seen in the logs of the individual services, as some are
>>>>>>> started successfully, just to receive a shutdown signal shortly after.
>>>>>>> It seems to be the pki-ca which shut down my IPA services this morning.
>>>>>>>
>>>>>>> When rebooting the virtual machine running the IPA daemons during normal
>>>>>>> load of the host machine, all the IPA daemons start successfully.
>>>>>>> Logging on to the IPA server and manually starting the IPA daemons after
>>>>>>> the load of the host machine has decreased also works.
>>>>>>>
>>>>>>> I suggest changing the startup scripts to allow (a lot) longer startup
>>>>>>> times for the IPA daemons prior to failing them.
>>>>>> At the moment we just run service start and wait until it is
>>>>>> done. If the pki-cad service times out and returns an error I think we
>>>>>> need to open a bug against the dogtag component as that is the cause.
>>>>>>
>>>>>> Can you open a bug in the freeipa trac with logs showing that service is
>>>>>> responsible for the failure?
>>>>> I haven't been able to figure out which service failed IPA
>>>>> yet. A lot of log files scattered around. As you can see from the
>>>>> slapd errors file, the slapd daemon was available for almost 3
>>>>> minutes before receiving the shutdown signal. I notice now that the
>>>>> PKI daemon failed 8 seconds after slapd had shut down, so I was
>>>>> wrong in blaming the PKI daemon.
>>>>>
>>>>> See below for a list of log files I've been through. They all have
>>>>> one thing in common: the daemons start when the host machine is
>>>>> started, at approx 06:34, then receive a shutdown signal around
>>>>> 06:37. Some time later when the host has calmed down, I'm logging
>>>>> in and manually starting IPA using "ipactl start", and all the
>>>>> daemons start without any problem. And they keep running after my
>>>>> manual intervention.
>>>>>
>>>>> I wish I could be more specific, but I'm unsure where else to look.
>>>>> Suggestions?
>>>>>
>>>>>
>>>>> /var/log/krb5kdc.log
>>>>> /var/log/pki-ca/catalina.out
>>>>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>>>>> /var/log/dirsrv/slapd-PKI-IPA/errors
>>>>> /var/log/httpd/error_log
>>>>> /var/log/messages (named log)
>>>>>
>>>>> slapd errors:
>>>>>
>>>>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up
>>>>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>> 1) Disorderly Shutdown means a) crash b) kill -9 or similar -
>>>> neither of which should be happening - is this the replica install
>>>> or the first master install?
>>>
>>>
>>> First master install.
>>>
>> What is in the slapd errors log before [14/May/2011:06:33:52 +0200] -
>> 389-Directory/1.2.8.rc1 B2011.062.1416 starting up?
>
> Hi,
>
> Rich, there is nothing above that line. The previous entry was from the last
> time the server started.
>
> Yesterday I rebooted my host platform, graceful shutdown this time, and
> the same problem occurred again when the host, and all the virtual
> machines, started. I had a look in my boot.log file, see below for
> output. As you can see the "Starting pki-ca" returns an "OK", but the
> next line says: "Failed to start CA Service"
> "Shutting down".
>
> Looking at the timestamps, it looks like the dirsrv instance is shut
> down before the pki-ca is given a chance to start, or am I looking at
> the incorrect log files?
>
> I have included my boot.log, the PKI-CA dirsrv log, and the pki-ca
> debug log.
>
>
> /var/log/boot.log:
>
> Starting Directory Service
> Starting dirsrv:
>     IX-TEST-COM...                      [  OK  ]
>     PKI-IPA...                          [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                [  OK  ]
> Starting KPASSWD Service
> Starting ipa_kpasswd:                   [  OK  ]
> Starting DNS Service
> Starting named:                         [  OK  ]
> Starting HTTP Service
> Starting httpd:                         [  OK  ]
> Starting CA Service
> Starting pki-ca:                        [  OK  ]
> Failed to start CA Service
> Shutting down
> Stopping Kerberos 5 KDC:                [  OK  ]
> Shutting down ipa_kpasswd:              [  OK  ]
> Stopping named:                         [  OK  ]
> Stopping httpd:                         [  OK  ]
> Stopping pki-ca:                        [FAILED]
> Shutting down dirsrv:
>     IX-TEST-COM...                      [  OK  ]
>     PKI-IPA...                          [  OK  ]
> Aborting ipactl
>
>
> /var/log/dirsrv/slapd-PKI-IPA/errors:
>
> [21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252 starting up
> [21/May/2011:18:47:48 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
> [21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 for LDAPS requests
> [21/May/2011:18:50:00 +0200] - slapd shutting down - signaling operation threads
> [21/May/2011:18:50:01 +0200] - slapd shutting down - closing down internal subsystems and plugins
> [21/May/2011:18:50:01 +0200] - Waiting for 4 database threads to stop
> [21/May/2011:18:50:02 +0200] - All database threads now stopped
> [21/May/2011:18:50:02 +0200] - slapd stopped.
>
>
> /var/lib/pki-ca/logs/debug:
>
> [21/May/2011:18:50:15][main]: ============================================
> [21/May/2011:18:50:15][main]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
> [21/May/2011:18:50:15][main]: ============================================
> [21/May/2011:18:50:15][main]: CMSEngine: done init id=debug
> [21/May/2011:18:50:15][main]: CMSEngine: initialized debug
> [21/May/2011:18:50:15][main]: CMSEngine: initSubsystem id=log
> [21/May/2011:18:50:15][main]: CMSEngine: ready to init id=log
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ROLE_ASSUME
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_AUTH
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ROLE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ACL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_DRM
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: LOG_PATH_CHANGE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_FAIL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: INTER_BOUNDARY
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_FAIL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_PROFILE_APPROVAL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PROOF_OF_POSSESSION
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CRL_RETRIEVAL
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CRL_VALIDATION
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CMC_SIGNED_REQUEST_SIG_VERIFY
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST_PROCESSED
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CIMC_CERT_VERIFICATION
> [21/May/2011:18:50:16][main]: CMSEngine: done init id=log
> [21/May/2011:18:50:16][main]: CMSEngine: initialized log
> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=os
> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=os
> [21/May/2011:18:50:16][main]: CMSEngine: done init id=os
> [21/May/2011:18:50:16][main]: CMSEngine: initialized os
> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=jss
> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=jss
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_40_md5
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc2_40_md5
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_des_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_128_md5
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_3des_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_des_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_3des_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza_rc4_128_sha
> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_null_md5
> [21/May/2011:18:50:16][main]: CMSEngine: done init id=jss
> [21/May/2011:18:50:16][main]: CMSEngine: initialized jss
> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs
> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=dbs
> [21/May/2011:18:50:16][main]: LdapBoundConnFactory: init
> [21/May/2011:18:50:16][main]: LdapBoundConnFactory:doCloning true
> [21/May/2011:18:50:16][main]: LdapAuthInfo: init()
> [21/May/2011:18:50:16][main]: LdapAuthInfo: init begins
> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: try getting from memory cache
> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: password not in memory
> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: try to get it from password store
> [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password store initialized before.
> [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password store initialized.
> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: Internal LDAP Database
> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: password store available
> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: password for Internal LDAP Database not found, trying internaldb
> [21/May/2011:18:50:16][main]: LdapAuthInfo: password ok: store in memory cache
> [21/May/2011:18:50:16][main]: LdapAuthInfo: init ends
> [21/May/2011:18:50:16][main]: init: before makeConnection errorIfDown is true
> [21/May/2011:18:50:16][main]: makeConnection: errorIfDown true
> [21/May/2011:18:50:16][main]: CMS:Caught EBaseException
> Internal Database Error encountered: Could not connect to LDAP server host ipa01.ix.test.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://ipa01.ix.test.com:7389 (91)
>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:674)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:302)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>         at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>         at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:616)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> [21/May/2011:18:50:16][main]: CMSEngine.shutdown()
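The three logs quoted above line up once their timestamps are read side by side: slapd-PKI-IPA logged "slapd stopped." at 18:50:02 and the CA's connection to port 7389 failed at 18:50:16, which is an ordering failure rather than a CA fault. The script below is an added example, not code from this thread or from FreeIPA/Dogtag; it parses both log formats, assumes the pki-ca debug log (which carries no zone) uses the same local time zone as the dirsrv errors log, and reports whether the CA tried LDAP after the directory server had already gone down.

```python
"""Correlate a 389-ds errors log with a pki-ca debug log to tell a startup
ordering failure (LDAP already stopped when the CA connects) from a CA
misconfiguration.  Added example for this thread, not FreeIPA/Dogtag code."""
import re
from datetime import datetime

# Constructed sample input: trimmed copies of the two log excerpts quoted
# in the thread (/var/log/dirsrv/slapd-PKI-IPA/errors and
# /var/lib/pki-ca/logs/debug).
DIRSRV_ERRORS = """\
[21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252 starting up
[21/May/2011:18:47:48 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 for LDAPS requests
[21/May/2011:18:50:00 +0200] - slapd shutting down - signaling operation threads
[21/May/2011:18:50:02 +0200] - slapd stopped.
"""

PKI_DEBUG = """\
[21/May/2011:18:50:15][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs
[21/May/2011:18:50:16][main]: makeConnection: errorIfDown true
[21/May/2011:18:50:16][main]: CMS:Caught EBaseException
Internal Database Error encountered: Could not connect to LDAP server host ipa01.ix.test.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://ipa01.ix.test.com:7389 (91)
[21/May/2011:18:50:16][main]: CMSEngine.shutdown()
"""

# 389-ds: "[dd/Mon/yyyy:HH:MM:SS +zzzz] - message"
DIRSRV_RE = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\] - (.*)$")
# Dogtag debug log: "[dd/Mon/yyyy:HH:MM:SS][thread]: message", no time zone
PKI_RE = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)\]\[[^\]]*\]: (.*)$")
LISTEN_RE = re.compile(r"Listening on .* port (\d+) for LDAP requests")
STOPPED_RE = re.compile(r"slapd stopped\.")
CONNECT_FAIL_RE = re.compile(r"Could not connect to LDAP server host (\S+) port (\d+)")


def parse_dirsrv(text):
    """Return [(aware datetime, message)] for every timestamped 389-ds line."""
    entries = []
    for line in text.splitlines():
        m = DIRSRV_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            entries.append((ts, m.group(2)))
    return entries


def parse_pki_debug(text, tz):
    """Return [(aware datetime, message)] for the Dogtag debug log.

    Lines without a timestamp (exception text, stack frames) are folded into
    the preceding entry.  tz is an assumption: the debug log has no zone, so
    the caller supplies the one seen in the dirsrv log of the same host.
    """
    entries = []
    for line in text.splitlines():
        m = PKI_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S").replace(tzinfo=tz)
            entries.append([ts, m.group(2)])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return [(ts, msg) for ts, msg in entries]


def first_match(entries, regex):
    """First (timestamp, match object) whose message matches regex, else None."""
    for ts, msg in entries:
        m = regex.search(msg)
        if m:
            return ts, m
    return None


def diagnose(dirsrv_text, pki_text):
    """Decide whether the CA's LDAP failure happened after slapd had stopped."""
    dirsrv = parse_dirsrv(dirsrv_text)
    if not dirsrv:
        return {"verdict": "no-dirsrv-data"}
    pki = parse_pki_debug(pki_text, dirsrv[0][0].tzinfo)

    listen = first_match(dirsrv, LISTEN_RE)
    stopped = first_match(dirsrv, STOPPED_RE)
    failure = first_match(pki, CONNECT_FAIL_RE)
    if not (listen and failure):
        return {"verdict": "insufficient-data"}

    fail_ts, fail_m = failure
    result = {"ldap_port": int(listen[1].group(1)),
              "ca_target": f"{fail_m.group(1)}:{fail_m.group(2)}",
              "gap_seconds": None}
    # The CA must be talking to the port this instance served, otherwise the
    # two logs are not about the same directory server.
    result["same_port"] = result["ldap_port"] == int(fail_m.group(2))

    if stopped and fail_ts >= stopped[0]:
        stop_ts = stopped[0]
        # Did slapd come back up between stopping and the CA's attempt?
        restarted = any(stop_ts < ts <= fail_ts and "slapd started" in msg
                        for ts, msg in dirsrv)
        result["gap_seconds"] = int((fail_ts - stop_ts).total_seconds())
        result["verdict"] = "ca-config" if restarted else "startup-ordering"
    else:
        # slapd was still up: look at the CA's LDAP settings, not at ordering.
        result["verdict"] = "ca-config"
    return result


if __name__ == "__main__":
    for key, value in diagnose(DIRSRV_ERRORS, PKI_DEBUG).items():
        print(f"{key}: {value}")
```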
From Steven.Jones at vuw.ac.nz Mon May 23 21:06:31 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 May 2011 21:06:31 +0000
Subject: [Freeipa-users] 4202 error no modifications can be performed
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>

um.....

I just tried to set myself up with user data and I get this; worse, I can't revert the changes, so I'm stuck in my account.

regards
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4202-1.jpeg
Type: image/jpeg
Size: 10636 bytes
Desc: 4202-1.jpeg
URL:

From Steven.Jones at vuw.ac.nz Mon May 23 21:09:55 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 May 2011 21:09:55 +0000
Subject: [Freeipa-users] Why not unix UIDs (numbers and range)
In-Reply-To: <1306149825.1999.4.camel@sgallagh.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006355C05@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1306149825.1999.4.camel@sgallagh.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006355FC1@STAWINCOX10MBX1.staff.vuw.ac.nz>

um, so I thought there was a 65k limit?

I have way more numerals than that.

Also I need to pick up that UID from somewhere as it's part of a user's identity in the identity management system we have....how would I go about sucking that out of IPA after the account is provisioned?

regards

Steven
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
Sent: Monday, 23 May 2011 11:23 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Why not unix UIDs (numbers and range)

On Mon, 2011-05-23 at 04:42 +0000, Steven Jones wrote:
> Hi,
>
> Why doesn't IPA use std unix UIDs? And how does that translate into Unix permissions on a client if it does not?
>
> BTW neat install, under 10mins and it's up!

FreeIPA does use standard UNIX UIDs and GIDs.
By default, however, they're generated automatically behind the scenes so that the administrator doesn't need to manage them. FreeIPA does this so it can ensure that there are no duplicate IDs in the system, which is a common problem in unmanaged LDAP environments.

On the various client machines, you can see that the users have UIDs and GIDs by performing 'getent passwd '.

From chorn at fluxcoil.net Mon May 23 19:11:10 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Mon, 23 May 2011 21:11:10 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD98C83.30008@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20110523191110.GA12425@fluxcoil.net>

On Mon, May 23, 2011 at 08:58:53PM +0000, Steven Jones wrote:
>
> I just built a brand new RHEL6.1 64bit server and installed ipa-server
> and despite setting up the chkconfig's it won't start on boot...it
> will start manually later by hand...

Works out of the box for my virt-installed virtual machine
and using my notes from
http://fluxcoil.net/doku.php/snippets/linux_quickshotsetups/ipa_server6
for the ipa installation.
Christian

From sigbjorn at nixtra.com Mon May 23 21:20:27 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 23 May 2011 23:20:27 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <20110523191110.GA12425@fluxcoil.net>
References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD98C83.30008@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz> <20110523191110.GA12425@fluxcoil.net>
Message-ID: <4DDACF9B.1020105@nixtra.com>

On 05/23/2011 09:11 PM, Christian Horn wrote:
> On Mon, May 23, 2011 at 08:58:53PM +0000, Steven Jones wrote:
>> I just built a brand new RHEL6.1 64bit server and installed ipa-server
>> and despite setting up the chkconfig's it won't start on boot...it
>> will start manually later by hand...
> Works out of the box for my virt-installed virtual machine
> and using my notes from
> http://fluxcoil.net/doku.php/snippets/linux_quickshotsetups/ipa_server6
> for the ipa installation.
>
> Christian

Hi,

My issue is that startup of IPA only occurs when the host is extremely busy, such as after a reboot of the host machine when the disk is grinding and the cpu is almost going up in flames from all the virtual machines starting at once. With the IPA virtual machine being one of the virtual machines struggling for cpu and disk io. :)

Thanks for the link, this sums up just about what I've noticed is required out of a stock build to make IPA work as well. I usually just do "ipa-server-install --setup-dns", and the rest is auto-detected.
Rgds,
Siggi

From sigbjorn at nixtra.com Mon May 23 21:26:27 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 23 May 2011 23:26:27 +0200
Subject: [Freeipa-users] Why not unix UIDs (numbers and range)
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006355FC1@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006355C05@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1306149825.1999.4.camel@sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FC1@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDAD103.8010609@nixtra.com>

That used to be true, but it's been a lot higher for some time now. Linux has had 32-bit integers for UID/GID since Linux kernel 2.4, and Solaris has had the same since Solaris 2.5.1. I can't speak for other *nix flavours.

Rgds,
Siggi.

On 05/23/2011 11:09 PM, Steven Jones wrote:
> um, so I thought there was a 65k limit?
>
> I have way more numerals than that.
>
> Also I need to pick up that UID from somewhere as it's part of a user's identity in the identity management system we have....how would I go about sucking that out of IPA after the account is provisioned?
>
> regards
>
> Steven
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
> Sent: Monday, 23 May 2011 11:23 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Why not unix UIDs (numbers and range)
>
> On Mon, 2011-05-23 at 04:42 +0000, Steven Jones wrote:
>> Hi,
>>
>> Why doesn't IPA use std unix UIDs? And how does that translate into Unix permissions on a client if it does not?
>>
>> BTW neat install, under 10mins and it's up!
>
> FreeIPA does use standard UNIX UIDs and GIDs. By default, however,
> they're generated automatically behind the scenes so that the
> administrator doesn't need to manage them.
> FreeIPA does this so it can
> ensure that there are no duplicate IDs in the system, which is a common
> problem in unmanaged LDAP environments.
>
> On the various client machines, you can see that the users have UIDs and
> GIDs by performing 'getent passwd'.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From dpal at redhat.com Mon May 23 21:31:41 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 23 May 2011 17:31:41 -0400
Subject: [Freeipa-users] Why not unix UIDs (numbers and range)
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006355FC1@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006355C05@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1306149825.1999.4.camel@sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FC1@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDAD23D.90404@redhat.com>

On 05/23/2011 05:09 PM, Steven Jones wrote:
> um, so I thought there was a 65k limit?
>
The UID is at least 32 bit on modern systems as far as I recall and has been this way for quite some time.

> I have way more numerals than that.
>
> Also I need to pick up that UID from somewhere as it's part of a user's identity in the identity management system we have....how would I go about sucking that out of IPA after the account is provisioned?

You can get user info via CLI or LDAP. But you can also provide yours as explicit arguments to user creation. If you do, the entry will be created with the UID and GID you want, though you would have to make sure there is no duplication yourself. We have a couple of tickets that will help with detection and explanation of this situation.
https://fedorahosted.org/freeipa/ticket/1183 (doc)
https://fedorahosted.org/freeipa/ticket/341
https://fedorahosted.org/freeipa/ticket/1231

> regards
>
> Steven
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
> Sent: Monday, 23 May 2011 11:23 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Why not unix UIDs (numbers and range)
>
> On Mon, 2011-05-23 at 04:42 +0000, Steven Jones wrote:
>> Hi,
>>
>> Why doesn't IPA use std unix UIDs? And how does that translate into Unix permissions on a client if it does not?
>>
>> BTW neat install, under 10mins and it's up!
>
> FreeIPA does use standard UNIX UIDs and GIDs. By default, however,
> they're generated automatically behind the scenes so that the
> administrator doesn't need to manage them. FreeIPA does this so it can
> ensure that there are no duplicate IDs in the system, which is a common
> problem in unmanaged LDAP environments.
>
> On the various client machines, you can see that the users have UIDs and
> GIDs by performing 'getent passwd '.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon May 23 21:34:54 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 23 May 2011 17:34:54 -0400
Subject: [Freeipa-users] 4202 error no modifications can be performed
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDAD2FE.8030605@redhat.com>

On 05/23/2011 05:06 PM, Steven Jones wrote:
> um.....
>
> I just tried to set myself up with user data and I get this; worse, I can't revert the changes, so I'm stuck in my account.
>
> regards
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Can you please provide more details about what you have done before you saw the error?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Steven.Jones at vuw.ac.nz Mon May 23 21:38:16 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 May 2011 21:38:16 +0000
Subject: [Freeipa-users] 4202 error no modifications can be performed
In-Reply-To: <4DDAD2FE.8030605@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>

I was populating the fields for me (jonesst1) as a user....

regards
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 24 May 2011 9:34 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 4202 error no modifications can be performed

On 05/23/2011 05:06 PM, Steven Jones wrote:

um.....

I just tried to set myself up with user data and I get this; worse, I can't revert the changes, so I'm stuck in my account.

regards

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Can you please provide more details about what you have done before you saw the error?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Mon May 23 21:37:06 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 23 May 2011 15:37:06 -0600
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DD8E27F.7070906@nixtra.com>
References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com>
Message-ID: <4DDAD382.8040803@redhat.com>

On 05/22/2011 04:16 AM, Sigbjorn Lie wrote:
> On 05/17/2011 07:24 PM, Rich Megginson wrote:
>> On 05/17/2011 06:40 AM, Sigbjorn Lie wrote:
>>> On 05/16/2011 04:56 PM, Rich Megginson wrote:
>>>> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote:
>>>>> On 05/16/2011 03:52 PM, Simo Sorce wrote:
>>>>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
>>>>>>> I've noticed that if the machine running IPA is very busy at startup,
>>>>>>> the IPA services will not be online when the machine is started.
>>>>>>>
>>>>>>> I noticed this as my test virtualization host has had its power cord
>>>>>>> knocked out a few times. When I restart the host machine, all the
>>>>>>> virtual machines are started at the same time, causing (a lot) higher
>>>>>>> than normal latency for each virtual machine.
>>>>>>>
>>>>>>> This causes the IPA daemons to start, while during the startup one or
>>>>>>> several IPA daemons fail due to dependencies on other daemons which are
>>>>>>> not started yet, and all the IPA daemons are stopped as not all the IPA
>>>>>>> daemons started successfully. I've noticed that the default behavior of
>>>>>>> the ipactl command is to shut down all the IPA daemons, if any of the
>>>>>>> IPA daemons should fail during startup.
>>>>>>>
>>>>>>> This can be seen in the logs of the individual services, as some are
>>>>>>> started successfully, just to receive a shutdown signal shortly after.
>>>>>>> It seems to be the pki-ca which shut down my IPA services this morning.
>>>>>>>
>>>>>>> When rebooting the virtual machine running the IPA daemons during normal
>>>>>>> load of the host machine, all the IPA daemons start successfully.
>>>>>>> Logging on to the IPA server and manually starting the IPA daemons after
>>>>>>> the load of the host machine has decreased also works.
>>>>>>>
>>>>>>> I suggest changing the startup scripts to allow (a lot) longer startup
>>>>>>> times for the IPA daemons prior to failing them.
>>>>>> At the moment we just run service start and wait until it is
>>>>>> done. If the pki-cad service times out and returns an error I think we
>>>>>> need to open a bug against the dogtag component as that is the cause.
>>>>>>
>>>>>> Can you open a bug in the freeipa trac with logs showing that service is
>>>>>> responsible for the failure ?
>>>>>
>>>>> I haven't been able to figure out which service failed IPA
>>>>> yet. A lot of log files scattered around. As you can see from the
>>>>> slapd errors file, the slapd daemon was available for almost 3
>>>>> minutes before receiving the shutdown signal. I notice now that
>>>>> the PKI daemon failed 8 seconds after slapd had shut down, so I
>>>>> was wrong in blaming the PKI daemon.
>>>>>
>>>>> See below for a list of log files I've been through. They all have
>>>>> one thing in common: the daemons start when the host machine is
>>>>> started, at approx 06:34, then receive a shutdown signal around
>>>>> 06:37. Some time later when the host has calmed down, I'm logging
>>>>> in and manually starting IPA using "ipactl start", and all the
>>>>> daemons start without any problem. And they keep running after my
>>>>> manual intervention.
>>>>>
>>>>> I wish I could be more specific, but I'm unsure where else to
>>>>> look. Suggestions?
>>>>>
>>>>>
>>>>> /var/log/krb5kdc.log
>>>>> /var/log/pki-ca/catalina.out
>>>>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>>>>> /var/log/dirsrv/slapd-PKI-IPA/errors
>>>>> /var/log/httpd/error_log
>>>>> /var/log/messages (named log)
>>>>>
>>>>> slapd errors:
>>>>>
>>>>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up
>>>>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>> 1) Disorderly Shutdown means a) crash b) kill -9 or similar -
>>>> neither of which should be happening - is this the replica install
>>>> or the first master install?
>>>
>>>
>>>
>>> First master install.
>>>
>> What is in the slapd errors log before [14/May/2011:06:33:52 +0200] -
>> 389-Directory/1.2.8.rc1 B2011.062.1416 starting up?
>
>
> Hi,
>
> Rich, there is nothing above that line. Previous entry was from last
> time the server started.

So it shows the server startup lines, but not server shutdown lines, then server startup again? How much time passed between the server startups?

>
> Yesterday I rebooted my host platform, graceful shutdown this time,
> and the same problem occurred again when the host, and all the virtual
> machines, started. I had a look in my boot.log file, see below for
> output. As you can see the "Starting pki-ca" returns an "OK", but the
> next line says: "Failed to start CA Service"
> "Shutting down".
>
> Looking at the timestamps, it looks like the dirsrv instance is shut
> down before the pki-ca is given a chance to start, or am I looking at
> the incorrect log files?
>
> I have included my boot.log, and the PKI-CA dirsrv log, and the pki-ca
> debug log.

Yeah, weird.
Something shuts down the directory server at 18:50:00 but pki-ca is still attempting to use it at 18:50:16

>
>
>
>
> /var/log/boot.log:
>
> Starting Directory Service
> Starting dirsrv:
> IX-TEST-COM... [ OK ]
> PKI-IPA... [ OK ]
> Starting KDC Service
> Starting Kerberos 5 KDC: [ OK ]
> Starting KPASSWD Service
> Starting ipa_kpasswd: [ OK ]
> Starting DNS Service
> Starting named: [ OK ]
> Starting HTTP Service
> Starting httpd: [ OK ]
> Starting CA Service
> Starting pki-ca: [ OK ]
> Failed to start CA Service
> Shutting down
> Stopping Kerberos 5 KDC: [ OK ]
> Shutting down ipa_kpasswd: [ OK ]
> Stopping named: [ OK ]
> Stopping httpd: [ OK ]
> Stopping pki-ca: [FAILED]
> Shutting down dirsrv:
> IX-TEST-COM... [ OK ]
> PKI-IPA... [ OK ]
> Aborting ipactl
>
>
>
>
> /var/log/dirsrv/slapd-PKI-IPA/errors:
>
> [21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252 starting up
> [21/May/2011:18:47:48 +0200] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
> [21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 for LDAPS requests
> [21/May/2011:18:50:00 +0200] - slapd shutting down - signaling operation threads
> [21/May/2011:18:50:01 +0200] - slapd shutting down - closing down internal subsystems and plugins
> [21/May/2011:18:50:01 +0200] - Waiting for 4 database threads to stop
> [21/May/2011:18:50:02 +0200] - All database threads now stopped
> [21/May/2011:18:50:02 +0200] - slapd stopped.
> > > > > /var/lib/pki-ca/logs/debug: > > [21/May/2011:18:50:15][main]: > ============================================ > [21/May/2011:18:50:15][main]: ===== DEBUG SUBSYSTEM INITIALIZED > ======= > [21/May/2011:18:50:15][main]: > ============================================ > [21/May/2011:18:50:15][main]: CMSEngine: done init id=debug > [21/May/2011:18:50:15][main]: CMSEngine: initialized debug > [21/May/2011:18:50:15][main]: CMSEngine: initSubsystem id=log > [21/May/2011:18:50:15][main]: CMSEngine: ready to init id=log > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > AUDIT_LOG_STARTUP > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > AUDIT_LOG_SHUTDOWN > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > ROLE_ASSUME > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_CERT_POLICY > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_CERT_PROFILE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_CRL_PROFILE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_OCSP_PROFILE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_AUTH > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_ROLE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_ACL > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_SIGNED_AUDIT > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_ENCRYPTION > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_TRUSTED_PUBLIC_KEY > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CONFIG_DRM > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > SELFTESTS_EXECUTION > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > AUDIT_LOG_DELETE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > LOG_PATH_CHANGE > 
[21/May/2011:18:50:16][main]: LogFile: log event type selected: > PRIVATE_KEY_ARCHIVE_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > KEY_RECOVERY_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > KEY_RECOVERY_REQUEST_ASYNC > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > KEY_RECOVERY_AGENT_LOGIN > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > KEY_RECOVERY_REQUEST_PROCESSED > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > KEY_RECOVERY_REQUEST_PROCESSED_ASYNC > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > KEY_GEN_ASYMMETRIC > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > NON_PROFILE_CERT_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > PROFILE_CERT_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CERT_REQUEST_PROCESSED > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CERT_STATUS_CHANGE_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CERT_STATUS_CHANGE_REQUEST_PROCESSED > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > AUTHZ_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > AUTHZ_FAIL > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > INTER_BOUNDARY > [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_FAIL > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > AUTH_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CERT_PROFILE_APPROVAL > [21/May/2011:18:50:16][main]: LogFile: 
log event type selected: > PROOF_OF_POSSESSION > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CRL_RETRIEVAL > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CRL_VALIDATION > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CMC_SIGNED_REQUEST_SIG_VERIFY > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > SERVER_SIDE_KEYGEN_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > COMPUTE_SESSION_KEY_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > DIVERSIFY_KEY_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > ENCRYPT_DATA_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > OCSP_ADD_CA_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > OCSP_ADD_CA_REQUEST_PROCESSED > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > OCSP_REMOVE_CA_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log 
event type selected: > OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > COMPUTE_RANDOM_DATA_REQUEST > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE > [21/May/2011:18:50:16][main]: LogFile: log event type selected: > CIMC_CERT_VERIFICATION > [21/May/2011:18:50:16][main]: CMSEngine: done init id=log > [21/May/2011:18:50:16][main]: CMSEngine: initialized log > [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=os > [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=os > [21/May/2011:18:50:16][main]: CMSEngine: done init id=os > [21/May/2011:18:50:16][main]: CMSEngine: initialized os > [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=jss > [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=jss > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_rc4_40_md5 > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_rc2_40_md5 > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_des_sha > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_rc4_128_md5 > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_3des_sha > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_fips_des_sha > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_fips_3des_sha > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher fortezza > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher fortezza_rc4_128_sha > [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_null_md5 > [21/May/2011:18:50:16][main]: CMSEngine: done init id=jss > [21/May/2011:18:50:16][main]: 
CMSEngine: initialized jss > [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs > [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=dbs > [21/May/2011:18:50:16][main]: LdapBoundConnFactory: init > [21/May/2011:18:50:16][main]: LdapBoundConnFactory:doCloning true > [21/May/2011:18:50:16][main]: LdapAuthInfo: init() > [21/May/2011:18:50:16][main]: LdapAuthInfo: init begins > [21/May/2011:18:50:16][main]: LdapAuthInfo: init: prompt is Internal > LDAP Database > [21/May/2011:18:50:16][main]: LdapAuthInfo: init: try getting from > memory cache > [21/May/2011:18:50:16][main]: LdapAuthInfo: init: password not in memory > [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: try > to get it from password store > [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password > store initialized before. > [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password > store initialized. > [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: > about to get from passwored store: Internal LDAP Database > [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: > password store available > [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: > password for Internal LDAP Database not found, trying internaldb > [21/May/2011:18:50:16][main]: LdapAuthInfo: password ok: store in > memory cache > [21/May/2011:18:50:16][main]: LdapAuthInfo: init ends > [21/May/2011:18:50:16][main]: init: before makeConnection errorIfDown > is true > [21/May/2011:18:50:16][main]: makeConnection: errorIfDown true > [21/May/2011:18:50:16][main]: CMS:Caught EBaseException > Internal Database Error encountered: Could not connect to LDAP server > host ipa01.ix.test.com port 7389 Error netscape.ldap.LDAPException: > failed to conn > ect to server ldap://ipa01.ix.test.com:7389 (91) > at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:674) > at > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837) > at 
> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766) > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:302) > at com.netscape.certsrv.apps.CMS.init(CMS.java:153) > at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) > at > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) > at > org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) > at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) > at > org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) > at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) > at > org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) > at > org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) > at > org.apache.catalina.core.StandardService.start(StandardService.java:516) > at > org.apache.catalina.core.StandardServer.start(StandardServer.java:710) > at org.apache.catalina.startup.Catalina.start(Catalina.java:593) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:616) > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) > [21/May/2011:18:50:16][main]: CMSEngine.shutdown() > From sigbjorn at nixtra.com Mon May 23 21:59:48 2011 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Mon, 23 May 2011 23:59:48 +0200 Subject: [Freeipa-users] IPA Startup issues In-Reply-To: <4DDAD382.8040803@redhat.com> References: <4DCE95D6.2070104@nixtra.com> <1305553921.20666.13.camel@willson.li.ssimo.org> <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com> <4DDAD382.8040803@redhat.com> Message-ID: <4DDAD8D4.8020908@nixtra.com> On 05/23/2011 11:37 PM, Rich Megginson wrote: > On 05/22/2011 04:16 AM, Sigbjorn Lie wrote: >> On 05/17/2011 07:24 PM, Rich Megginson wrote: >>> On 05/17/2011 06:40 AM, Sigbjorn Lie wrote: >>>> On 05/16/2011 04:56 PM, Rich Megginson wrote: >>>>> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote: >>>>>> On 05/16/2011 03:52 PM, Simo Sorce wrote: >>>>>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote: >>>>>>>> I've noticed that if the machine running IPA is very busy at >>>>>>>> startup, >>>>>>>> the IPA services will not be online when the machine is started. >>>>>>>> >>>>>>>> I noticed this is as my test virtualization host has had it's >>>>>>>> power cord >>>>>>>> knocked out a few times. When I restart the host machine, all the >>>>>>>> virtual machines is started at the same time, causing (a lot) >>>>>>>> higher >>>>>>>> than normal latency for each virtual machine. 
>>>>>>>>
>>>>>>>> This causes the IPA daemons to start, while during the startup one or
>>>>>>>> several IPA daemons fail due to dependencies on other daemons which are
>>>>>>>> not started yet, and all the IPA daemons are stopped as not all the IPA
>>>>>>>> daemons started successfully. I've noticed that the default behavior of
>>>>>>>> the ipactl command is to shut down all the IPA daemons, if any of the
>>>>>>>> IPA daemons should fail during startup.
>>>>>>>>
>>>>>>>> This can be seen in the logs of the individual services, as some are
>>>>>>>> started successfully, just to receive a shutdown signal shortly after.
>>>>>>>> It seems to be the pki-ca which shut down my IPA services this morning.
>>>>>>>>
>>>>>>>> When rebooting the virtual machine running the IPA daemons during normal
>>>>>>>> load of the host machine, all the IPA daemons start successfully.
>>>>>>>> Logging on to the IPA server and manually starting the IPA daemons after
>>>>>>>> the load of the host machine has decreased also works.
>>>>>>>>
>>>>>>>> I suggest changing the startup scripts to allow (a lot) longer startup
>>>>>>>> times for the IPA daemons prior to failing them.
>>>>>>> At the moment we just run service start and wait until it is
>>>>>>> done. If the pki-cad service times out and returns an error I think we
>>>>>>> need to open a bug against the dogtag component as that is the cause.
>>>>>>>
>>>>>>> Can you open a bug in the freeipa trac with logs showing that service is
>>>>>>> responsible for the failure?
>>>>>>
>>>>>> I haven't been able to figure out which service failed IPA yet. A lot
>>>>>> of log files scattered around. As you can see from the slapd errors
>>>>>> file, the slapd daemon was available for almost 3 minutes before
>>>>>> receiving the shutdown signal. I notice now that the PKI daemon failed
>>>>>> 8 seconds after slapd had shut down, so I was wrong in blaming the PKI
>>>>>> daemon.
>>>>>>
>>>>>> See below for a list of log files I've been through. They all have one
>>>>>> thing in common: the daemons start when the host machine is started, at
>>>>>> approx 06:34, then receive a shutdown signal around 06:37. Some time
>>>>>> later when the host has calmed down, I'm logging in and manually
>>>>>> starting IPA using "ipactl start", and all the daemons start without any
>>>>>> problem. And they keep running after my manual intervention.
>>>>>>
>>>>>> I wish I could be more specific, but I'm unsure where else to look.
>>>>>> Suggestions?
>>>>>>
>>>>>>
>>>>>> /var/log/krb5kdc.log
>>>>>> /var/log/pki-ca/catalina.out
>>>>>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>>>>>> /var/log/dirsrv/slapd-PKI-IPA/errors
>>>>>> /var/log/httpd/error_log
>>>>>> /var/log/messages (named log)
>>>>>>
>>>>>> slapd errors:
>>>>>>
>>>>>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up
>>>>>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>>> 1) Disorderly Shutdown means a) crash b) kill -9 or similar -
>>>>> neither of which should be happening - is this the replica install
>>>>> or the first master install?
>>>>
>>>>
>>>>
>>>> First master install.
>>>>
>>> What is in the slapd errors log before [14/May/2011:06:33:52 +0200]
>>> - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up?
>>
>>
>> Hi,
>>
>> Rich, there is nothing above that line. Previous entry was from last
>> time the server started.
> So it shows the server startup lines, but not server shutdown lines,
> then server startup again? How much time passed between the server
> startups?

Those log entries were after the power cord had been pulled by accident,
which is why there were no shut down events. :)

>>
>> Yesterday I rebooted my host platform, graceful shutdown this time,
>> and the same problem occurred again when the host, and all the
>> virtual machines, started. I had a look in my boot.log file, see
>> below for output. As you can see the "Starting pki-ca" returns an
>> "OK", but the next line says: "Failed to start CA Service"
>> "Shutting down".
>>
>> Looking at the timestamps, it looks like the dirsrv instance is shut
>> down before the pki-ca is given a chance to start, or am I looking at
>> the incorrect log files?
>>
>> I have included my boot.log, and the PKI-CA dirsrv log, and the
>> pki-ca debug log.
> Yeah, weird. Something shuts down the directory server at 18:50:00
> but pki-ca is still attempting to use it at 18:50:16
>>
>>
>>
>>
>> /var/log/boot.log:
>>
>> Starting Directory Service
>> Starting dirsrv:
>> IX-TEST-COM... [ OK ]
>> PKI-IPA... [ OK ]
>> Starting KDC Service
>> Starting Kerberos 5 KDC: [ OK ]
>> Starting KPASSWD Service
>> Starting ipa_kpasswd: [ OK ]
>> Starting DNS Service
>> Starting named: [ OK ]
>> Starting HTTP Service
>> Starting httpd: [ OK ]
>> Starting CA Service
>> Starting pki-ca: [ OK ]
>> Failed to start CA Service
>> Shutting down
>> Stopping Kerberos 5 KDC: [ OK ]
>> Shutting down ipa_kpasswd: [ OK ]
>> Stopping named: [ OK ]
>> Stopping httpd: [ OK ]
>> Stopping pki-ca: [FAILED]
>> Shutting down dirsrv:
>> IX-TEST-COM... [ OK ]
>> PKI-IPA... [ OK ]
>> Aborting ipactl
>>
>>
>>
>>
>> /var/log/dirsrv/slapd-PKI-IPA/errors:
>>
>> [21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252 starting up
>> [21/May/2011:18:47:48 +0200] - slapd started.
Listening on All >> Interfaces port 7389 for LDAP requests >> [21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 >> for LDAPS requests >> [21/May/2011:18:50:00 +0200] - slapd shutting down - signaling >> operation threads >> [21/May/2011:18:50:01 +0200] - slapd shutting down - closing down >> internal subsystems and plugins >> [21/May/2011:18:50:01 +0200] - Waiting for 4 database threads to stop >> [21/May/2011:18:50:02 +0200] - All database threads now stopped >> [21/May/2011:18:50:02 +0200] - slapd stopped. >> >> >> >> >> /var/lib/pki-ca/logs/debug: >> >> [21/May/2011:18:50:15][main]: >> ============================================ >> [21/May/2011:18:50:15][main]: ===== DEBUG SUBSYSTEM INITIALIZED >> ======= >> [21/May/2011:18:50:15][main]: >> ============================================ >> [21/May/2011:18:50:15][main]: CMSEngine: done init id=debug >> [21/May/2011:18:50:15][main]: CMSEngine: initialized debug >> [21/May/2011:18:50:15][main]: CMSEngine: initSubsystem id=log >> [21/May/2011:18:50:15][main]: CMSEngine: ready to init id=log >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> AUDIT_LOG_STARTUP >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> AUDIT_LOG_SHUTDOWN >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> ROLE_ASSUME >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_CERT_POLICY >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_CERT_PROFILE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_CRL_PROFILE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_OCSP_PROFILE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_AUTH >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_ROLE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_ACL >> [21/May/2011:18:50:16][main]: LogFile: log event type 
selected: >> CONFIG_SIGNED_AUDIT >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_ENCRYPTION >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_TRUSTED_PUBLIC_KEY >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CONFIG_DRM >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> SELFTESTS_EXECUTION >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> AUDIT_LOG_DELETE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> LOG_PATH_CHANGE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> PRIVATE_KEY_ARCHIVE_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> KEY_RECOVERY_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> KEY_RECOVERY_REQUEST_ASYNC >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> KEY_RECOVERY_AGENT_LOGIN >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> KEY_RECOVERY_REQUEST_PROCESSED >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> KEY_RECOVERY_REQUEST_PROCESSED_ASYNC >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> KEY_GEN_ASYMMETRIC >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> NON_PROFILE_CERT_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> PROFILE_CERT_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CERT_REQUEST_PROCESSED >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CERT_STATUS_CHANGE_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log 
event type selected: >> CERT_STATUS_CHANGE_REQUEST_PROCESSED >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> AUTHZ_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> AUTHZ_FAIL >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> INTER_BOUNDARY >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> AUTH_FAIL >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> AUTH_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CERT_PROFILE_APPROVAL >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> PROOF_OF_POSSESSION >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CRL_RETRIEVAL >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CRL_VALIDATION >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CMC_SIGNED_REQUEST_SIG_VERIFY >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> SERVER_SIDE_KEYGEN_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> COMPUTE_SESSION_KEY_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> DIVERSIFY_KEY_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> ENCRYPT_DATA_REQUEST >> 
[21/May/2011:18:50:16][main]: LogFile: log event type selected: >> ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> OCSP_ADD_CA_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> OCSP_ADD_CA_REQUEST_PROCESSED >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> OCSP_REMOVE_CA_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> COMPUTE_RANDOM_DATA_REQUEST >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE >> [21/May/2011:18:50:16][main]: LogFile: log event type selected: >> CIMC_CERT_VERIFICATION >> [21/May/2011:18:50:16][main]: CMSEngine: done init id=log >> [21/May/2011:18:50:16][main]: CMSEngine: initialized log >> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=os >> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=os >> [21/May/2011:18:50:16][main]: CMSEngine: done init id=os >> [21/May/2011:18:50:16][main]: CMSEngine: initialized os >> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=jss >> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=jss >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_rc4_40_md5 >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_rc2_40_md5 >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_des_sha >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> 
cipher rsa_rc4_128_md5 >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_3des_sha >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_fips_des_sha >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_fips_3des_sha >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher fortezza >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher fortezza_rc4_128_sha >> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl >> cipher rsa_null_md5 >> [21/May/2011:18:50:16][main]: CMSEngine: done init id=jss >> [21/May/2011:18:50:16][main]: CMSEngine: initialized jss >> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs >> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=dbs >> [21/May/2011:18:50:16][main]: LdapBoundConnFactory: init >> [21/May/2011:18:50:16][main]: LdapBoundConnFactory:doCloning true >> [21/May/2011:18:50:16][main]: LdapAuthInfo: init() >> [21/May/2011:18:50:16][main]: LdapAuthInfo: init begins >> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: prompt is Internal >> LDAP Database >> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: try getting from >> memory cache >> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: password not in memory >> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: try >> to get it from password store >> [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password >> store initialized before. >> [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password >> store initialized. 
>> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: >> about to get from passwored store: Internal LDAP Database >> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: >> password store available >> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: >> password for Internal LDAP Database not found, trying internaldb >> [21/May/2011:18:50:16][main]: LdapAuthInfo: password ok: store in >> memory cache >> [21/May/2011:18:50:16][main]: LdapAuthInfo: init ends >> [21/May/2011:18:50:16][main]: init: before makeConnection errorIfDown >> is true >> [21/May/2011:18:50:16][main]: makeConnection: errorIfDown true >> [21/May/2011:18:50:16][main]: CMS:Caught EBaseException >> Internal Database Error encountered: Could not connect to LDAP server >> host ipa01.ix.test.com port 7389 Error netscape.ldap.LDAPException: >> failed to conn >> ect to server ldap://ipa01.ix.test.com:7389 (91) >> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:674) >> at >> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837) >> at >> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766) >> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:302) >> at com.netscape.certsrv.apps.CMS.init(CMS.java:153) >> at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) >> at >> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) >> at >> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) >> at >> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) >> at >> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) >> at >> org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) >> at >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) >> at >> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) >> at >> 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>> at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>> at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>> at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>> at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>> at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>> at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>> at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>> at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>> at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:616)
>> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>> [21/May/2011:18:50:16][main]: CMSEngine.shutdown()
>>
>

From Steven.Jones at vuw.ac.nz  Mon May 23 22:13:53 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 May 2011 22:13:53 +0000
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DCE95D6.2070104@nixtra.com>
	<1305553921.20666.13.camel@willson.li.ssimo.org>
	<4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com>
	<4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com>,
	<4DD8E27F.7070906@nixtra.com>
	<833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz>,
	<4DD98C83.30008@nixtra.com>,
	<833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635602B@STAWINCOX10MBX1.staff.vuw.ac.nz>

I added another CPU, now 2, and went to 4gb of ram....from 1, seems
overkill....anyway I have a screen shot of the error while booting,
attached.

regards

Steven
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Tuesday, 24 May 2011 8:58 a.m.
To: Sigbjorn Lie; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Startup issues

Hi,

I just built a brand new RHEL6.1 64bit server and installed ipa-server
and despite setting up the chkconfig's it won't start on boot...it will
start manually later by hand...

So it's not just you. ;]

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Monday, 23 May 2011 10:21 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Startup issues

Hi,

These findings were taken from a machine that's been upgraded to RHEL
6.1 proper.

Rgds,
Siggi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dirsrv-fail.jpeg
Type: image/jpeg
Size: 18221 bytes
Desc: dirsrv-fail.jpeg
URL:

From rmeggins at redhat.com  Mon May 23 22:25:43 2011
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 23 May 2011 16:25:43 -0600
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DDAD8D4.8020908@nixtra.com>
References: <4DCE95D6.2070104@nixtra.com>
	<1305553921.20666.13.camel@willson.li.ssimo.org>
	<4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com>
	<4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com>
	<4DD8E27F.7070906@nixtra.com> <4DDAD382.8040803@redhat.com>
	<4DDAD8D4.8020908@nixtra.com>
Message-ID: <4DDADEE7.1080909@redhat.com>

On 05/23/2011 03:59 PM, Sigbjorn Lie wrote:
> On 05/23/2011 11:37 PM, Rich Megginson wrote:
>> On 05/22/2011 04:16 AM, Sigbjorn Lie wrote:
>>> On 05/17/2011 07:24 PM, Rich Megginson wrote:
>>>> On 05/17/2011 06:40 AM, Sigbjorn Lie wrote:
>>>>> On 05/16/2011 04:56 PM, Rich Megginson wrote:
>>>>>> On 05/16/2011 08:43 AM, Sigbjorn Lie wrote:
>>>>>>> On 05/16/2011 03:52 PM, Simo Sorce wrote:
>>>>>>>> On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:
>>>>>>>>> I've noticed that if the machine running IPA is very busy at startup,
>>>>>>>>> the IPA services will not be online when the machine is started.
>>>>>>>>>
>>>>>>>>> I noticed this as my test virtualization host has had its power cord
>>>>>>>>> knocked out a few times. When I restart the host machine, all the
>>>>>>>>> virtual machines are started at the same time, causing (a lot) higher
>>>>>>>>> than normal latency for each virtual machine.
>>>>>>>>>
>>>>>>>>> This causes the IPA daemons to start, while during the startup one or
>>>>>>>>> several IPA daemons fail due to dependencies on other daemons which are
>>>>>>>>> not started yet, and all the IPA daemons are stopped as not all the IPA
>>>>>>>>> daemons started successfully. I've noticed that the default behavior of
>>>>>>>>> the ipactl command is to shut down all the IPA daemons, if any of the
>>>>>>>>> IPA daemons should fail during startup.
>>>>>>>>>
>>>>>>>>> This can be seen in the logs of the individual services, as some are
>>>>>>>>> started successfully, just to receive a shutdown signal shortly after.
>>>>>>>>> It seems to be the pki-ca which shut down my IPA services this morning.
>>>>>>>>>
>>>>>>>>> When rebooting the virtual machine running the IPA daemons during normal
>>>>>>>>> load of the host machine, all the IPA daemons start successfully.
>>>>>>>>> Logging on to the IPA server and manually starting the IPA daemons after
>>>>>>>>> the load of the host machine has decreased also works.
>>>>>>>>>
>>>>>>>>> I suggest changing the startup scripts to allow (a lot) longer startup
>>>>>>>>> times for the IPA daemons prior to failing them.
>>>>>>>> At the moment we just run service start and wait until it is
>>>>>>>> done. If the pki-cad service times out and returns an error I think we
>>>>>>>> need to open a bug against the dogtag component as that is the cause.
>>>>>>>>
>>>>>>>> Can you open a bug in the freeipa trac with logs showing that service is
>>>>>>>> responsible for the failure?
>>>>>>>
>>>>>>> I haven't been able to figure out which service failed IPA yet. A lot
>>>>>>> of log files scattered around. As you can see from the slapd errors
>>>>>>> file, the slapd daemon was available for almost 3 minutes before
>>>>>>> receiving the shutdown signal. I notice now that the PKI daemon failed
>>>>>>> 8 seconds after slapd had shut down, so I was wrong in blaming the PKI
>>>>>>> daemon.
>>>>>>>
>>>>>>> See below for a list of log files I've been through. They all have one
>>>>>>> thing in common: the daemons start when the host machine is started, at
>>>>>>> approx 06:34, then receive a shutdown signal around 06:37. Some time
>>>>>>> later when the host has calmed down, I'm logging in and manually
>>>>>>> starting IPA using "ipactl start", and all the daemons start without any
>>>>>>> problem. And they keep running after my manual intervention.
>>>>>>>
>>>>>>> I wish I could be more specific, but I'm unsure where else to look.
>>>>>>> Suggestions?
>>>>>>>
>>>>>>>
>>>>>>> /var/log/krb5kdc.log
>>>>>>> /var/log/pki-ca/catalina.out
>>>>>>> /var/log/dirsrv/slapd-IX-TEST-COM/errors
>>>>>>> /var/log/dirsrv/slapd-PKI-IPA/errors
>>>>>>> /var/log/httpd/error_log
>>>>>>> /var/log/messages (named log)
>>>>>>>
>>>>>>> slapd errors:
>>>>>>>
>>>>>>> [14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up
>>>>>>> [14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>>>> 1) Disorderly Shutdown means a) crash b) kill -9 or similar -
>>>>>> neither of which should be happening - is this the replica
>>>>>> install or the first master install?
>>>>>
>>>>>
>>>>>
>>>>> First master install.
>>>>>
>>>> What is in the slapd errors log before [14/May/2011:06:33:52 +0200]
>>>> - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up?
>>>
>>>
>>> Hi,
>>>
>>> Rich, there is nothing above that line. Previous entry was from last
>>> time the server started.
>> So it shows the server startup lines, but not server shutdown lines,
>> then server startup again? How much time passed between the server
>> startups?
>
> Those log entries were after the power cord had been pulled by
> accident, which is why there were no shut down events. :)

Hmm - I wonder if the directory server database recovery took too long,
and the startup timed out thinking that it could not be started?
> > > > > > > > >>> >>> Yesterday I rebooted my host platform, graceful shutdown this time, >>> and the same problem occurred again when the host, and all the >>> virtual machines started. I had a look in my boot.log file, see >>> below for output. As you can see the "Starting pki-ca" return an >>> "OK", but the next line says: "Failed to start CA Service" >>> "Shutting down". >>> >>> Looking at the timestamps, it looks like the dirsrv instance is shut >>> down before the pki-ca is given a chance to start, or am I looking >>> at the incorrect log files? >>> >>> I have included my boot.log, and the PKI-CA dirsrv log, and the >>> pki-ca debug log. >> Yeah, weird. Something shuts down the directory server at 18:50:00 >> but pki-ca is still attempting to use it at 18:50:16 >>> >>> >>> >>> >>> /var/log/boot.log: >>> >>> Starting Directory Service >>> Starting dirsrv: >>> IX-TEST-COM... [ OK ] >>> PKI-IPA... [ OK ] >>> Starting KDC Service >>> Starting Kerberos 5 KDC: [ OK ] >>> Starting KPASSWD Service >>> Starting ipa_kpasswd: [ OK ] >>> Starting DNS Service >>> Starting named: [ OK ] >>> Starting HTTP Service >>> Starting httpd: [ OK ] >>> Starting CA Service >>> Starting pki-ca: [ OK ] >>> Failed to start CA Service >>> Shutting down >>> Stopping Kerberos 5 KDC: [ OK ] >>> Shutting down ipa_kpasswd: [ OK ] >>> Stopping named: [ OK ] >>> Stopping httpd: [ OK ] >>> Stopping pki-ca: [FAILED] >>> Shutting down dirsrv: >>> IX-TEST-COM... [ OK ] >>> PKI-IPA... [ OK ] >>> Aborting ipactl >>> >>> >>> >>> >>> /var/log/dirsrv/slapd-PKI-IPA/errors: >>> >>> [21/May/2011:18:47:41 +0200] - 389-Directory/1.2.8.2 B2011.104.2252 >>> starting up >>> [21/May/2011:18:47:48 +0200] - slapd started. 
Listening on All Interfaces port 7389 for LDAP requests
>>> [21/May/2011:18:47:49 +0200] - Listening on All Interfaces port 7390 for LDAPS requests
>>> [21/May/2011:18:50:00 +0200] - slapd shutting down - signaling operation threads
>>> [21/May/2011:18:50:01 +0200] - slapd shutting down - closing down internal subsystems and plugins
>>> [21/May/2011:18:50:01 +0200] - Waiting for 4 database threads to stop
>>> [21/May/2011:18:50:02 +0200] - All database threads now stopped
>>> [21/May/2011:18:50:02 +0200] - slapd stopped.
>>>
>>>
>>> /var/lib/pki-ca/logs/debug:
>>>
>>> [21/May/2011:18:50:15][main]: ============================================
>>> [21/May/2011:18:50:15][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>>> [21/May/2011:18:50:15][main]: ============================================
>>> [21/May/2011:18:50:15][main]: CMSEngine: done init id=debug
>>> [21/May/2011:18:50:15][main]: CMSEngine: initialized debug
>>> [21/May/2011:18:50:15][main]: CMSEngine: initSubsystem id=log
>>> [21/May/2011:18:50:15][main]: CMSEngine: ready to init id=log
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ROLE_ASSUME
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_AUTH
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ROLE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ACL
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_SIGNED_AUDIT
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_ENCRYPTION
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_TRUSTED_PUBLIC_KEY
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CONFIG_DRM
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: SELFTESTS_EXECUTION
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: LOG_PATH_CHANGE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_ASYNC
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_AGENT_LOGIN
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: KEY_GEN_ASYMMETRIC
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: NON_PROFILE_CERT_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PROFILE_CERT_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_REQUEST_PROCESSED
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_STATUS_CHANGE_REQUEST_PROCESSED
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTHZ_FAIL
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: INTER_BOUNDARY
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_FAIL
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: AUTH_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CERT_PROFILE_APPROVAL
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: PROOF_OF_POSSESSION
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CRL_RETRIEVAL
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CRL_VALIDATION
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CMC_SIGNED_REQUEST_SIG_VERIFY
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: SERVER_SIDE_KEYGEN_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_ADD_CA_REQUEST_PROCESSED
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
>>> [21/May/2011:18:50:16][main]: LogFile: log event type selected: CIMC_CERT_VERIFICATION
>>> [21/May/2011:18:50:16][main]: CMSEngine: done init id=log
>>> [21/May/2011:18:50:16][main]: CMSEngine: initialized log
>>> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=os
>>> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=os
>>> [21/May/2011:18:50:16][main]: CMSEngine: done init id=os
>>> [21/May/2011:18:50:16][main]: CMSEngine: initialized os
>>> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=jss
>>> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=jss
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_40_md5
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc2_40_md5
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_des_sha
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_128_md5
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_3des_sha
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_des_sha
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_3des_sha
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza_rc4_128_sha
>>> [21/May/2011:18:50:16][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_null_md5
>>> [21/May/2011:18:50:16][main]: CMSEngine: done init id=jss
>>> [21/May/2011:18:50:16][main]: CMSEngine: initialized jss
>>> [21/May/2011:18:50:16][main]: CMSEngine: initSubsystem id=dbs
>>> [21/May/2011:18:50:16][main]: CMSEngine: ready to init id=dbs
>>> [21/May/2011:18:50:16][main]: LdapBoundConnFactory: init
>>> [21/May/2011:18:50:16][main]: LdapBoundConnFactory:doCloning true
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: init()
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: init begins
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: try getting from memory cache
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: init: password not in memory
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: try to get it from password store
>>> [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password store initialized before.
>>> [21/May/2011:18:50:16][main]: CMSEngine: getPasswordStore(): password store initialized.
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: Internal LDAP Database
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: password store available
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: getPasswordFromStore: password for Internal LDAP Database not found, trying internaldb
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: password ok: store in memory cache
>>> [21/May/2011:18:50:16][main]: LdapAuthInfo: init ends
>>> [21/May/2011:18:50:16][main]: init: before makeConnection errorIfDown is true
>>> [21/May/2011:18:50:16][main]: makeConnection: errorIfDown true
>>> [21/May/2011:18:50:16][main]: CMS:Caught EBaseException
>>> Internal Database Error encountered: Could not connect to LDAP server host ipa01.ix.test.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://ipa01.ix.test.com:7389 (91)
>>> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:674)
>>> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:837)
>>> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:766)
>>> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:302)
>>> at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>>> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>>> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>>> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>>> at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>>> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>> at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>> at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>> at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>> at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>>> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>> at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>> at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>> at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>> at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>> at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>> at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:616)
>>> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>> [21/May/2011:18:50:16][main]: CMSEngine.shutdown()
>>>
>>
>

From Steven.Jones at vuw.ac.nz Mon May 23 23:09:44 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 May 2011 23:09:44 +0000
Subject: [Freeipa-users] DNS denied for clients
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Seems there is a change from 6.1 beta /earlier IPA
to later....I now find that clients cant use dns as its denied....as attached screenshot....is this setting in IPA itself? or named.conf? regards -------------- next part -------------- A non-text attachment was scrubbed... Name: dns.jpeg Type: image/jpeg Size: 33823 bytes Desc: dns.jpeg URL: From dpal at redhat.com Mon May 23 23:23:59 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 23 May 2011 19:23:59 -0400 Subject: [Freeipa-users] 4202 error no modifications can be performed In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DDAEC8F.3030006@redhat.com> On 05/23/2011 05:38 PM, Steven Jones wrote: > I was populating the fields for me (jonesst1) as a user.... What kind of fields? Adam I wonder if this is an ACI problem with self service UI. Can you please take a look? Steven, can you use CLI? What is the output of the ipa user-show jonesst1 --raw > regards > ________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Tuesday, 24 May 2011 9:34 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 4202 error no modifications can be performed > > On 05/23/2011 05:06 PM, Steven Jones wrote: > > um..... > > I just tried to set myself with user data and I get this, worse I cant revert the changes so Im stuck in my account. > > regards > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > Can you please provide more details about what you have done before you saw the error? > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. 
> > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Mon May 23 23:25:18 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 23 May 2011 23:25:18 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 Message-ID: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz> So even though I have the same versions I get the mis-match error., as per 5.6...except these did differ. :( regards -------------- next part -------------- A non-text attachment was scrubbed... Name: 61-mismatch01.jpeg Type: image/jpeg Size: 84855 bytes Desc: 61-mismatch01.jpeg URL: From Steven.Jones at vuw.ac.nz Mon May 23 23:30:25 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 23 May 2011 23:30:25 +0000 Subject: [Freeipa-users] 4202 error no modifications can be performed In-Reply-To: <4DDAEC8F.3030006@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> As per attachment. I worked through most of the fields setting values.... If I go back into the user ie me I cant exit it keeps telling me to revert or save.....even though Ive done no changes. regards Steven ________________________________________ From: Dmitri Pal [dpal at redhat.com] Sent: Tuesday, 24 May 2011 11:23 a.m. To: Steven Jones; Adam Young Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] 4202 error no modifications can be performed On 05/23/2011 05:38 PM, Steven Jones wrote: > I was populating the fields for me (jonesst1) as a user.... 
What kind of fields? Adam I wonder if this is an ACI problem with self service UI. Can you please take a look? Steven, can you use CLI? What is the output of the ipa user-show jonesst1 --raw > regards > ________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Tuesday, 24 May 2011 9:34 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 4202 error no modifications can be performed > > On 05/23/2011 05:06 PM, Steven Jones wrote: > > um..... > > I just tried to set myself with user data and I get this, worse I cant revert the changes so Im stuck in my account. > > regards > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > Can you please provide more details about what you have done before you saw the error? > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: ipa-raw.jpeg Type: image/jpeg Size: 23948 bytes Desc: ipa-raw.jpeg URL: From dpal at redhat.com Mon May 23 23:34:34 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 23 May 2011 19:34:34 -0400 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DDAEF0A.5090309@redhat.com> On 05/23/2011 07:25 PM, Steven Jones wrote: > So even though I have the same versions I get the mis-match error., as per 5.6...except these did differ. Firewall? > :( > > regards > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Mon May 23 23:41:34 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 23 May 2011 23:41:34 +0000 Subject: [Freeipa-users] 4202 error no modifications can be performed In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz> I just did another user and it happens when I populate teh user's manager field....I hit update, it goes blank and then I cant revert or save. 
regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Tuesday, 24 May 2011 11:30 a.m. To: dpal at redhat.com; Adam Young Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] 4202 error no modifications can be performed As per attachment. I worked through most of the fields setting values.... If I go back into the user ie me I cant exit it keeps telling me to revert or save.....even though Ive done no changes. regards Steven ________________________________________ From: Dmitri Pal [dpal at redhat.com] Sent: Tuesday, 24 May 2011 11:23 a.m. To: Steven Jones; Adam Young Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] 4202 error no modifications can be performed On 05/23/2011 05:38 PM, Steven Jones wrote: > I was populating the fields for me (jonesst1) as a user.... What kind of fields? Adam I wonder if this is an ACI problem with self service UI. Can you please take a look? Steven, can you use CLI? What is the output of the ipa user-show jonesst1 --raw > regards > ________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Tuesday, 24 May 2011 9:34 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 4202 error no modifications can be performed > > On 05/23/2011 05:06 PM, Steven Jones wrote: > > um..... > > I just tried to set myself with user data and I get this, worse I cant revert the changes so Im stuck in my account. > > regards > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > Can you please provide more details about what you have done before you saw the error? > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. 
> > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Mon May 23 23:45:54 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 23 May 2011 23:45:54 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 In-Reply-To: <4DDAEF0A.5090309@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz> turned it off, same failure. regards ________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: Tuesday, 24 May 2011 11:34 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 On 05/23/2011 07:25 PM, Steven Jones wrote: So even though I have the same versions I get the mis-match error., as per 5.6...except these did differ. Firewall? :( regards _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From dpal at redhat.com Mon May 23 23:50:33 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 23 May 2011 19:50:33 -0400 Subject: [Freeipa-users] 4202 error no modifications can be performed In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DDAF2C9.4030003@redhat.com> On 05/23/2011 07:41 PM, Steven Jones wrote: > I just did another user and it happens when I populate teh user's manager field....I hit update, it goes blank and then I cant revert or save. Are you using the latest RHEL bits or the tip from upstream? > regards > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Tuesday, 24 May 2011 11:30 a.m. > To: dpal at redhat.com; Adam Young > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 4202 error no modifications can be performed > > As per attachment. > > I worked through most of the fields setting values.... > > If I go back into the user ie me I cant exit it keeps telling me to revert or save.....even though Ive done no changes. > > regards > > Steven > > > ________________________________________ > From: Dmitri Pal [dpal at redhat.com] > Sent: Tuesday, 24 May 2011 11:23 a.m. > To: Steven Jones; Adam Young > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 4202 error no modifications can be performed > > On 05/23/2011 05:38 PM, Steven Jones wrote: >> I was populating the fields for me (jonesst1) as a user.... > What kind of fields? 
> Adam I wonder if this is an ACI problem with self service UI. > Can you please take a look? > > Steven, can you use CLI? > What is the output of the > ipa user-show jonesst1 --raw >> regards >> ________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] >> Sent: Tuesday, 24 May 2011 9:34 a.m. >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed >> >> On 05/23/2011 05:06 PM, Steven Jones wrote: >> >> um..... >> >> I just tried to set myself with user data and I get this, worse I cant revert the changes so Im stuck in my account. >> >> regards >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> Can you please provide more details about what you have done before you saw the error? >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From dpal at redhat.com Mon May 23 23:52:47 2011 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 23 May 2011 19:52:47 -0400 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DDAF34F.3070209@redhat.com> On 05/23/2011 07:45 PM, Steven Jones wrote: > turned it off, same failure. > There are multiple protocols... did you turn it off completely or just poke holes? What about DNS? Does the client resolve the server correctly? Can you specify the server explicitly on the client command line? Would the result be different? > regards > ________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Tuesday, 24 May 2011 11:34 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 > > On 05/23/2011 07:25 PM, Steven Jones wrote: > > So even though I have the same versions I get the mis-match error., as per 5.6...except these did differ. > > > Firewall? > > > :( > > regards > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. 
Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Mon May 23 23:55:25 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 23 May 2011 23:55:25 +0000 Subject: [Freeipa-users] 4202 error no modifications can be performed In-Reply-To: <4DDAF2C9.4030003@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF2C9.4030003@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E40063560F1@STAWINCOX10MBX1.staff.vuw.ac.nz> Latest 6.1 full downloaded and patched, ws and svr..... I have a different error off 5.6 when I try, as attached....getting a http 401 and not 200 regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: Tuesday, 24 May 2011 11:50 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] 4202 error no modifications can be performed On 05/23/2011 07:41 PM, Steven Jones wrote: > I just did another user and it happens when I populate teh user's manager field....I hit update, it goes blank and then I cant revert or save. Are you using the latest RHEL bits or the tip from upstream? > regards > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] > Sent: Tuesday, 24 May 2011 11:30 a.m. > To: dpal at redhat.com; Adam Young > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 4202 error no modifications can be performed > > As per attachment. 
> > I worked through most of the fields setting values.... > > If I go back into the user ie me I cant exit it keeps telling me to revert or save.....even though Ive done no changes. > > regards > > Steven > > > ________________________________________ > From: Dmitri Pal [dpal at redhat.com] > Sent: Tuesday, 24 May 2011 11:23 a.m. > To: Steven Jones; Adam Young > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 4202 error no modifications can be performed > > On 05/23/2011 05:38 PM, Steven Jones wrote: >> I was populating the fields for me (jonesst1) as a user.... > What kind of fields? > Adam I wonder if this is an ACI problem with self service UI. > Can you please take a look? > > Steven, can you use CLI? > What is the output of the > ipa user-show jonesst1 --raw >> regards >> ________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] >> Sent: Tuesday, 24 May 2011 9:34 a.m. >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed >> >> On 05/23/2011 05:06 PM, Steven Jones wrote: >> >> um..... >> >> I just tried to set myself with user data and I get this, worse I cant revert the changes so Im stuck in my account. >> >> regards >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> Can you please provide more details about what you have done before you saw the error? >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- A non-text attachment was scrubbed... Name: 56-mismatch01.jpeg Type: image/jpeg Size: 25484 bytes Desc: 56-mismatch01.jpeg URL: From Steven.Jones at vuw.ac.nz Mon May 23 23:58:32 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 23 May 2011 23:58:32 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 In-Reply-To: <4DDAF34F.3070209@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz> When its on I poked holes through it, to test I did service iptables stop.... Here's the iptables -L -n output (attached) regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] Sent: Tuesday, 24 May 2011 11:52 a.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 On 05/23/2011 07:45 PM, Steven Jones wrote: > turned it off, same failure. > There are multiple protocols... did you turn it off completely or just poke holes? What about DNS? Does the client resolve the server correctly? 
Can you specify the server explicitly on the client command line? Would the result be different?

> regards
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Tuesday, 24 May 2011 11:34 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>
> On 05/23/2011 07:25 PM, Steven Jones wrote:
> > So even though I have the same versions I get the mis-match error, as per 5.6...except these did differ.
> >
> Firewall?
> >
> > :(
> >
> > regards
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables-settings.jpeg
Type: image/jpeg
Size: 74248 bytes
Desc: iptables-settings.jpeg
URL:

From dpal at redhat.com Tue May 24 00:06:04 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 23 May 2011 20:06:04 -0400
Subject: [Freeipa-users] 4202 error no modifications can be performed
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063560F1@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF2C9.4030003@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560F1@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDAF66C.4030500@redhat.com>

On 05/23/2011 07:55 PM, Steven Jones wrote:
> Latest 6.1 full downloaded and patched, ws and svr.....
>
> I have a different error off 5.6 when I try, as attached....getting a http 401 and not 200

I have seen it somewhere last week... Was this some kind of DNS resolution issue? Rob?

> regards
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Tuesday, 24 May 2011 11:50 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed
>
> On 05/23/2011 07:41 PM, Steven Jones wrote:
>> I just did another user and it happens when I populate the user's manager field....I hit update, it goes blank and then I can't revert or save.
> Are you using the latest RHEL bits or the tip from upstream?
From dpal at redhat.com Tue May 24 00:07:55 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 23 May 2011 20:07:55 -0400
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDAF6DB.7060305@redhat.com>

On 05/23/2011 07:58 PM, Steven Jones wrote:
> When it's on I poked holes through it, to test I did service iptables stop...
>
> Here's the iptables -L -n output (attached)
>
This is as much as I can help. Hopefully there is enough info for developers to see what is going on.
From Steven.Jones at vuw.ac.nz Tue May 24 00:39:51 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 00:39:51 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1
In-Reply-To: <4DDAF6DB.7060305@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF6DB.7060305@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006356154@STAWINCOX10MBX1.staff.vuw.ac.nz>

> Can you specify the server explicitly on the client command line? Would the result be different?

same 401

From Steven.Jones at vuw.ac.nz Tue May 24 00:44:06 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 00:44:06 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006356154@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF6DB.7060305@redhat.com>, <833D8E48405E064EBC54C84EC6B36E4006356154@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006356161@STAWINCOX10MBX1.staff.vuw.ac.nz>

For 6.1 I get as per attached... talks about the crt...think I've seen something on this, will look back

==============

This is 5.6 giving me the 401

> Can you specify the server explicitly on the client command line? Would the result be different?

same 401

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 61-mismatch02.jpeg
Type: image/jpeg
Size: 68182 bytes
Desc: 61-mismatch02.jpeg
URL:

From Steven.Jones at vuw.ac.nz Tue May 24 00:57:07 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 00:57:07 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1
In-Reply-To: <4DDAF6DB.7060305@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF6DB.7060305@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635617A@STAWINCOX10MBX1.staff.vuw.ac.nz>

Looking at the install log it's not resolving the server via DNS, I'm now getting resolving issues. Suggests the integrated DNS is poked...

regards
From Steven.Jones at vuw.ac.nz Tue May 24 01:01:44 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 01:01:44 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635617A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF6DB.7060305@redhat.com>, <833D8E48405E064EBC54C84EC6B36E400635617A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006356186@STAWINCOX10MBX1.staff.vuw.ac.nz>

Ignore that, I was making a typo....doh.

Included is the install log.....shows that same error as 5.6 in the log....

"2011-05-24 12:58:10,407 DEBUG stderr=HTTP response code is 401, not 200"

Looks like it's the ipa-join that's failing....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaclient-install.log
Type: application/octet-stream
Size: 4271 bytes
Desc: ipaclient-install.log
URL:

From Steven.Jones at vuw.ac.nz Tue May 24 01:24:31 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 01:24:31 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006356186@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF6DB.7060305@redhat.com>, <833D8E48405E064EBC54C84EC6B36E400635617A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E4006356186@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635619E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

regards
From rcritten at redhat.com Tue May 24 02:24:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2011 22:24:30 -0400
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635619E@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF6DB.7060305@redhat.com>, <833D8E48405E064EBC54C84EC6B36E400635617A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E4006356186@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635619E@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDB16DE.9040603@redhat.com>

Steven Jones wrote:
> Ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a completely different error message). A few things to note:

- In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
- The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.

ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange.

Did you also run kinit before manually running ipa-join in your testing?

Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.

I think the first place to check is the Apache error log to see why the join call failed.

rob

From rcritten at redhat.com Tue May 24 02:27:12 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 May 2011 22:27:12 -0400
Subject: [Freeipa-users] 4202 error no modifications can be performed
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDB1780.4000906@redhat.com>

Steven Jones wrote:
> I just did another user and it happens when I populate the user's manager field....I hit update, it goes blank and then I can't revert or save.

Manager is broken in 6.1, or at best, non-intuitive. It wants a dn and not a login. We've fixed this upstream so it does the translation automatically but that is not in 6.1. I'm not sure why this would blow up the UI though.
rob

From Steven.Jones at vuw.ac.nz Tue May 24 02:58:37 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 02:58:37 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1
In-Reply-To: <4DDB16DE.9040603@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006356091@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEF0A.5090309@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF34F.3070209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006356102@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF6DB.7060305@redhat.com>, <833D8E48405E064EBC54C84EC6B36E400635617A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E4006356186@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635619E@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDB16DE.9040603@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006357883@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

1) Screen data of the install from using the -d option. (attach d.out)
2) ipa-install log
3) there are no httpd logs in /var/log/httpd/, it is an empty directory.
4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
5) For DNS I added allow query {any;}; into /etc/named.conf, clients were then not denied DNS.

regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: d.out
Type: application/octet-stream
Size: 5216 bytes
Desc: d.out
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaclient-install.log
Type: application/octet-stream
Size: 4827 bytes
Desc: ipaclient-install.log
URL:

From Steven.Jones at vuw.ac.nz Tue May 24 02:59:25 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 02:59:25 +0000
Subject: [Freeipa-users] 4202 error no modifications can be performed
In-Reply-To: <4DDB1780.4000906@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDB1780.4000906@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635789A@STAWINCOX10MBX1.staff.vuw.ac.nz>

It needs to be disabled then as it locks up the gui and it's then stuffed....
regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Tuesday, 24 May 2011 2:27 p.m.
To: Steven Jones
Cc: dpal at redhat.com; Adam Young; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 4202 error no modifications can be performed

Steven Jones wrote:
> I just did another user and it happens when I populate the user's manager field....I hit update, it goes blank and then I can't revert or save.

Manager is broken in 6.1, or at best, non-intuitive. It wants a dn and not a login. We've fixed this upstream so it does the translation automatically but that is not in 6.1. I'm not sure why this would blow up the UI though.

rob

From Steven.Jones at vuw.ac.nz Tue May 24 03:02:33 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 03:02:33 +0000
Subject: [Freeipa-users] How is/to get IPA backed up?
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063578AA@STAWINCOX10MBX1.staff.vuw.ac.nz>

i.e. on FDS I think you can do an export to a flat file and then import it....that way the backup client can back up a flat file and not attempt to do the database....

regards

From Steven.Jones at vuw.ac.nz Tue May 24 04:24:36 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 04:24:36 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz>

I must be going blind in my old age.....anyway here they are.

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Tuesday, 24 May 2011 2:58 p.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Hi,

1) Screen data of the install from using the -d option. (attach d.out)
2) ipa-install log
3) There are no httpd logs in /var/log/httpd/; it is an empty directory.
4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
5) For DNS I added allow-query {any;}; into /etc/named.conf; clients were then not denied DNS.

regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Tuesday, 24 May 2011 2:24 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Steven Jones wrote:
> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a completely different error message). A few things to note:

- In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
- The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.

ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?

Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.

I think the first place to check is the Apache error log to see why the join call failed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: access_log
Type: application/octet-stream
Size: 72342 bytes
Desc: access_log
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 60599 bytes
Desc: error_log
URL:

From chorn at fluxcoil.net Tue May 24 03:15:49 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Tue, 24 May 2011 05:15:49 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <4DDACF9B.1020105@nixtra.com>
References: <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD98C83.30008@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz> <20110523191110.GA12425@fluxcoil.net> <4DDACF9B.1020105@nixtra.com>
Message-ID: <20110524031549.GA13084@fluxcoil.net>

Hi,

On Mon, May 23, 2011 at 11:20:27PM +0200, Sigbjorn Lie wrote:
>
> My issue is startup of IPA only occurs when the host is extremely
> busy, such as after a reboot of the host machine when the disk is
> grinding and the cpu is almost going up in flames of all the virtual
> machines starting at once. With the IPA virtual machine being one of
> the virtual machines struggling for cpu and disk io. :)

Fedora 15 or RHEL6.1 as host?
Then managing io and cpu with cgroups could be a workaround for the problem, ensuring the VMs get a fair share of resources.

Christian

From atkac at redhat.com Tue May 24 08:34:12 2011
From: atkac at redhat.com (Adam Tkac)
Date: Tue, 24 May 2011 10:34:12 +0200
Subject: [Freeipa-users] DNS denied for clients
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDB6D84.1000207@redhat.com>

Hello Steven,

you need to set the "allow-query-cache" ACL in your named.conf if you want to use your DNS server as a recursive server for your clients. I'm not sure if the setting of this option was changed recently; it seems it wasn't.
Regards, Adam

On 05/24/2011 01:09 AM, Steven Jones wrote:
> Hi,
>
> Seems there is a change from 6.1 beta /earlier IPA to later....I now find that clients can't use dns as it's denied....as attached screenshot....is this setting in IPA itself? or named.conf?
>
>
> regards
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sigbjorn at nixtra.com Tue May 24 09:13:06 2011
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 24 May 2011 11:13:06 +0200 (CEST)
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <20110524031549.GA13084@fluxcoil.net>
References: <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD98C83.30008@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz> <20110523191110.GA12425@fluxcoil.net> <4DDACF9B.1020105@nixtra.com> <20110524031549.GA13084@fluxcoil.net>
Message-ID: <48144.213.225.75.97.1306228386.squirrel@www.nixtra.com>

Hi,

This is a RHEL6.1 host.

That is a very good suggestion! Do you have any examples for how to do cgroup configuration for a KVM machine? I've had a quick browse through the cgrules.conf file, and I don't see an option for specifying KVM machines...

Rgds,
Siggi

On Tue, May 24, 2011 05:15, Christian Horn wrote:
> Hi,
>
>
> On Mon, May 23, 2011 at 11:20:27PM +0200, Sigbjorn Lie wrote:
>
>>
>> My issue is startup of IPA only occurs when the host is extremely
>> busy, such as after a reboot of the host machine when the disk is grinding and the cpu is almost
>> going up in flames of all the virtual machines starting at once. With the IPA virtual machine
>> being one of the virtual machines struggling for cpu and disk io. :)
>
> Fedora 15 or RHEL6.1 as host?
> Then managing io and cpu with cgroups could be a workaround for the
> problem, ensuring the VMs get a fair share of resources.
>
>
> Christian
>

From chorn at fluxcoil.net Tue May 24 07:18:14 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Tue, 24 May 2011 09:18:14 +0200
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <48144.213.225.75.97.1306228386.squirrel@www.nixtra.com>
References: <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD98C83.30008@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz> <20110523191110.GA12425@fluxcoil.net> <4DDACF9B.1020105@nixtra.com> <20110524031549.GA13084@fluxcoil.net> <48144.213.225.75.97.1306228386.squirrel@www.nixtra.com>
Message-ID: <20110524071814.GB14514@fluxcoil.net>

On Tue, May 24, 2011 at 11:13:06AM +0200, Sigbjorn Lie wrote:
>
> Do you have any examples for how to do cgroup configuration for a KVM machine? I've had a quick
> browse through the cgrules.conf file, and I don't see an option for specifying KVM machines...

Look at it as a usual process.
Linda Wang/Bob Kozdemba made a nice presentation for this year's summit on cgroups; KVM is also mentioned:
http://www.redhat.com/summit/2011/presentations/

Christian

From simo at redhat.com Tue May 24 12:13:45 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 24 May 2011 08:13:45 -0400
Subject: [Freeipa-users] DNS denied for clients
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1306239225.6490.3.camel@willson.li.ssimo.org>

On Mon, 2011-05-23 at 23:09 +0000, Steven Jones wrote:
> Hi,
>
> Seems there is a change from 6.1 beta /earlier IPA to later....I now
> find that clients can't use dns as it's denied....as attached
> screenshot....is this setting in IPA itself? or named.conf?

Are your clients in the same subnet or in another?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Tue May 24 13:14:24 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 24 May 2011 09:14:24 -0400
Subject: [Freeipa-users] How is/to get IPA backed up?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063578AA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E40063578AA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDBAF30.6000401@redhat.com>

On 05/23/2011 11:02 PM, Steven Jones wrote:
> i.e. on FDS I think you can do an export to a flat file and then import it....that way the backup client can back up a flat file and not attempt to do the database....
>
> regards
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

We have not documented it yet.
But the general approach:

A) If you run just one server (which is not recommended) run a full system backup frequently. It will be much simpler than trying to do a backup of all pieces and config files affected by IPA.
B) If you run a replicated environment and lost one of the servers you can stand up another server.

Variant 1: You want to preserve the replica's name
a) Install a new replica on new hardware/VM following the standard replica installation procedure.
b) Remove replication agreements with the old replica that became unavailable.

Variant 2: You want to preserve the replica's name
a) Create a package for the failed replica following the standard procedure (ipa-replica-prepare)
b) On the IPA server that generated the replica run:
   ipa-replica-manage init replica.example.com
   This will initialize the replica as it will be empty at the beginning
c) Install the replica on new hardware/VM

This is the general direction but we have not done extensive testing (thus have not documented it)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Tue May 24 16:33:53 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 24 May 2011 12:33:53 -0400
Subject: [Freeipa-users] How is/to get IPA backed up?
In-Reply-To: <4DDBAF30.6000401@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40063578AA@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DDBAF30.6000401@redhat.com>
Message-ID: <4DDBDDF1.80805@redhat.com>

On 05/24/2011 09:14 AM, Dmitri Pal wrote:
> On 05/23/2011 11:02 PM, Steven Jones wrote:
>> i.e. on FDS I think you can do an export to a flat file and then import it....that way the backup client can back up a flat file and not attempt to do the database....
>>
>> regards
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> We have not documented it yet.
> But the general approach:
> A) If you run just one server (which is not recommended) run a full
> system backup frequently. It will be much simpler than trying to do a
> backup of all pieces and config files affected by IPA.
> B) If you run a replicated environment and lost one of the servers you can
> stand up another server.
> Variant 1: You want to preserve the replica's name
> a) Install a new replica on new hardware/VM following the standard replica
> installation procedure.
> b) Remove replication agreements with the old replica that became
> unavailable.
>
> Variant 2: You want to preserve the replica's name
I meant "do not" preserve. Sorry for the typo.
> a) Create a package for the failed replica following the standard procedure
> (ipa-replica-prepare)
> b) On the IPA server that generated the replica run:
> ipa-replica-manage init replica.example.com
Also there have been some second opinions about the correctness of this step.
> This will initialize the replica as it will be empty at the beginning
> c) Install the replica on new hardware/VM
>
> This is the general direction but we have not done extensive testing
> (thus have not documented it)
>
Bottom line is we need some help in determining the best approach and documenting it.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ayoung at redhat.com Tue May 24 19:17:42 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 24 May 2011 15:17:42 -0400
Subject: [Freeipa-users] 4202 error no modifications can be performed
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063560F1@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAF2C9.4030003@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063560F1@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDC0456.2040709@redhat.com>

Try a Dumb Hack: modify a field, any field, and hit update.

There are known issues with the "has a field changed" test that we are working on fixing. It gets tripped up on a few issues. One used to be that we were trimming fields, so that white space was changed, but then the field didn't indicate it had changed.

If you see this problem in the future, you might have to reset the web app. You can usually do this by clicking on the IPA icon in the top left. Closing the browser and reopening it would work as well.

If you still see it after doing that, it means that we have a different bug.

You can get the raw values for the ipa user show using curl:

curl -v -H "Content-Type:application/json" -H "Accept:application/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"user_show","params":[["admin"],{}],"id":0}' -X POST https://`hostname`/ipa/json

And post the output; that might shed some light on it.

On 05/23/2011 07:55 PM, Steven Jones wrote:
> Latest 6.1 full downloaded and patched, ws and svr.....
>
> I have a different error off 5.6 when I try, as attached....getting a http 401 and not 200
>
> regards
>
>
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Tuesday, 24 May 2011 11:50 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed
>
> On 05/23/2011 07:41 PM, Steven Jones wrote:
>> I just did another user and it happens when I populate the user's manager field....I hit update, it goes blank and then I can't revert or save.
> Are you using the latest RHEL bits or the tip from upstream?
>
>> regards
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Tuesday, 24 May 2011 11:30 a.m.
>> To: dpal at redhat.com; Adam Young
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed
>>
>> As per attachment.
>>
>> I worked through most of the fields setting values....
>>
>> If I go back into the user, i.e. me, I can't exit; it keeps telling me to revert or save.....even though I've done no changes.
>>
>> regards
>>
>> Steven
>>
>>
>> ________________________________________
>> From: Dmitri Pal [dpal at redhat.com]
>> Sent: Tuesday, 24 May 2011 11:23 a.m.
>> To: Steven Jones; Adam Young
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed
>>
>> On 05/23/2011 05:38 PM, Steven Jones wrote:
>>> I was populating the fields for me (jonesst1) as a user....
>> What kind of fields?
>> Adam I wonder if this is an ACI problem with self service UI.
>> Can you please take a look?
>>
>> Steven, can you use CLI?
>> What is the output of the
>> ipa user-show jonesst1 --raw
>>> regards
>>> ________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>> Sent: Tuesday, 24 May 2011 9:34 a.m.
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed
>>>
>>> On 05/23/2011 05:06 PM, Steven Jones wrote:
>>>
>>> um.....
>>>
>>> I just tried to set myself with user data and I get this; worse, I can't revert the changes so I'm stuck in my account.
>>>
>>> regards
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> Can you please provide more details about what you have done before you saw the error?
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ayoung at redhat.com Tue May 24 19:20:15 2011
From: ayoung at redhat.com (Adam Young)
Date: Tue, 24 May 2011 15:20:15 -0400
Subject: [Freeipa-users] 4202 error no modifications can be performed
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635789A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDB1780.4000906@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635789A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDC04EF.1040602@redhat.com>

On 05/23/2011 10:59 PM, Steven Jones wrote:
> It needs to be disabled then as it locks up the gui and it's then stuffed....
>
> regards
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Tuesday, 24 May 2011 2:27 p.m.
> To: Steven Jones
> Cc: dpal at redhat.com; Adam Young; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed
>
> Steven Jones wrote:
>> I just did another user and it happens when I populate the user's manager field....I hit update, it goes blank and then I can't revert or save.
> Manager is broken in 6.1, or at best, non-intuitive. It wants a dn and
> not a login. We've fixed this upstream so it does the translation
> automatically but that is not in 6.1. I'm not sure why this would blow
> up the UI though.
>
> rob

You can probably force it back to nothing in the CLI.

ipa user-mod --manager

From Steven.Jones at vuw.ac.nz Tue May 24 20:05:52 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 20:05:52 +0000
Subject: [Freeipa-users] 4202 error no modifications can be performed
In-Reply-To: <4DDC04EF.1040602@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006355FAD@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAD2FE.8030605@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006355FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDAEC8F.3030006@redhat.com>, <833D8E48405E064EBC54C84EC6B36E40063560AB@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E40063560C7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDB1780.4000906@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635789A@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC04EF.1040602@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006358843@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

The point is when you have basic user administrators you don't give them a field that doesn't work.....sooner or later they will pick it....which then buggers the GUI.

So to me the sensible solution is to remove it, or at least grey it out until it's fixed...

regards
________________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Wednesday, 25 May 2011 7:20 a.m.
To: Steven Jones
Cc: Rob Crittenden; dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 4202 error no modifications can be performed

On 05/23/2011 10:59 PM, Steven Jones wrote:
> It needs to be disabled then as it locks up the gui and it's then stuffed....
>
> regards
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Tuesday, 24 May 2011 2:27 p.m.
> To: Steven Jones
> Cc: dpal at redhat.com; Adam Young; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 4202 error no modifications can be performed
>
> Steven Jones wrote:
>> I just did another user and it happens when I populate the user's manager field....I hit update, it goes blank and then I can't revert or save.
> Manager is broken in 6.1, or at best, non-intuitive. It wants a dn and
> not a login. We've fixed this upstream so it does the translation
> automatically but that is not in 6.1. I'm not sure why this would blow
> up the UI though.
>
> rob

You can probably force it back to nothing in the CLI.

ipa user-mod --manager

From Steven.Jones at vuw.ac.nz Tue May 24 20:07:17 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 20:07:17 +0000
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <20110524031549.GA13084@fluxcoil.net>
References: <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD98C83.30008@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz> <20110523191110.GA12425@fluxcoil.net> <4DDACF9B.1020105@nixtra.com>,<20110524031549.GA13084@fluxcoil.net>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635884D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

My server is RHEL6.1 and has 2 x 3GHz Xeon CPUs and 4GB of RAM, and does nothing....and it won't start on boot.

regards
________________________________________
From: Christian Horn [chorn at fluxcoil.net]
Sent: Tuesday, 24 May 2011 3:15 p.m.
To: Sigbjorn Lie
Cc: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Startup issues

Hi,

On Mon, May 23, 2011 at 11:20:27PM +0200, Sigbjorn Lie wrote:
>
> My issue is startup of IPA only occurs when the host is extremely
> busy, such as after a reboot of the host machine when the disk is
> grinding and the cpu is almost going up in flames of all the virtual
> machines starting at once. With the IPA virtual machine being one of
> the virtual machines struggling for cpu and disk io. :)

Fedora 15 or RHEL6.1 as host?
Then managing io and cpu with cgroups could be a workaround for the problem, ensuring the VMs get a fair share of resources.

Christian

From Steven.Jones at vuw.ac.nz Tue May 24 20:10:04 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 20:10:04 +0000
Subject: [Freeipa-users] DNS denied for clients
In-Reply-To: <1306239225.6490.3.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1306239225.6490.3.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006358863@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I've been expanding the POC; they used to be all on one.

Ah........they are now on different subnets....the DHCP subnet 53.xx, server subnet 81.xx and server management subnet 87.xx.

regards
________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Wednesday, 25 May 2011 12:13 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] DNS denied for clients

On Mon, 2011-05-23 at 23:09 +0000, Steven Jones wrote:
> Hi,
>
> Seems there is a change from 6.1 beta /earlier IPA to later....I now
> find that clients can't use dns as it's denied....as attached
> screenshot....is this setting in IPA itself? or named.conf?

Are your clients in the same subnet or in another?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue May 24 20:39:37 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 20:39:37 +0000
Subject: [Freeipa-users] How is/to get IPA backed up?
In-Reply-To: <4DDBAF30.6000401@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E40063578AA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDBAF30.6000401@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006358873@STAWINCOX10MBX1.staff.vuw.ac.nz>

But how is a backup guaranteed to be consistent?

With the FDS I played with some years back I could dump out the db into a flat file which could then be backed up...

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 25 May 2011 1:14 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How is/to get IPA backed up?

On 05/23/2011 11:02 PM, Steven Jones wrote:
> i.e. on FDS I think you can do an export to a flat file and then import it....that way the backup client can back up a flat file and not attempt to do the database....
>
> regards
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

We have not documented it yet.
But the general approach:

A) If you run just one server (which is not recommended) run a full system backup frequently. It will be much simpler than trying to do a backup of all pieces and config files affected by IPA.

B) If you run a replicated environment and lost one of the servers you can stand up another server.

Variant 1: You want to preserve the replica's name
a) Install a new replica on new hardware/VM following the standard replica installation procedure.
b) Remove replication agreements with the old replica that became unavailable.
Variant 2: You want to preserve the replica's name
a) Create a package for the failed replica following the standard procedure (ipa-replica-prepare)
b) On the IPA server that generated the replica run:
   ipa-replica-manage init replica.example.com
   This will initialize the replica as it will be empty at the beginning
c) Install the replica on new hardware/VM

This is the general direction but we have not done extensive testing (thus have not documented it)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Tue May 24 20:41:06 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 20:41:06 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

So I can't get clients to connect to the ipa server, be it 5.6 or 6.1

Is there a solution to this?

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Tuesday, 24 May 2011 4:24 p.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

I must be going blind in my old age.....anyway here they are.
regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Tuesday, 24 May 2011 2:58 p.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Hi,

1) Screen data of the install from using the -d option. (attach d.out)
2) ipa-install log
3) There are no httpd logs in /var/log/httpd/; it is an empty directory.
4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
5) For DNS I added allow-query {any;}; into /etc/named.conf; clients were then not denied DNS.

regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Tuesday, 24 May 2011 2:24 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

Steven Jones wrote:
> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...

This is a different mismatch than you were seeing with 5.6 (and a completely different error message). A few things to note:

- In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
- The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
- The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.

ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information. I think the first place to check is the Apache error log to see why the join call failed. rob From rcritten at redhat.com Tue May 24 20:46:34 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 24 May 2011 16:46:34 -0400 Subject: [Freeipa-users] How is/to get IPA backed up? In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006358873@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E40063578AA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDBAF30.6000401@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006358873@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4DDC192A.4080907@redhat.com> Steven Jones wrote: > But how is a backup guaranteed to be consistant? > > With the FDS I played with some years back I could dump out the db into a flat file which could then be backup... It depends on what this backup is for. If it is for catastrophic recovery then backing up the entire system is recommended. Having just the LDAP data isn't enough to completely restore. If you want it as a snapshot in time then the LDAP data is probably sufficient. 
rob


From simo at redhat.com Tue May 24 20:47:38 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 24 May 2011 16:47:38 -0400
Subject: [Freeipa-users] IPA Startup issues
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635884D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <4DD1381F.6030903@nixtra.com> <4DD13B22.9030604@redhat.com> <4DD26CBC.8080107@nixtra.com> <4DD2AF48.6090602@redhat.com> <4DD8E27F.7070906@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006353FC0@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DD98C83.30008@nixtra.com> <833D8E48405E064EBC54C84EC6B36E4006355F9B@STAWINCOX10MBX1.staff.vuw.ac.nz> <20110523191110.GA12425@fluxcoil.net> <4DDACF9B.1020105@nixtra.com> ,<20110524031549.GA13084@fluxcoil.net> <833D8E48405E064EBC54C84EC6B36E400635884D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1306270058.6490.57.camel@willson.li.ssimo.org>

On Tue, 2011-05-24 at 20:07 +0000, Steven Jones wrote:
> Hi,
>
> My server is RHEL6.1 and has 2 x 3ghz Xeon CPUs and 4gb of ram, and does nothing....and it won't start on boot.

Can you identify why it doesn't start ?

FreeIPA will happily welcome any resource you throw at it, but it does not require all that cpu/ram to work.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


From rcritten at redhat.com Tue May 24 20:51:02 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2011 16:51:02 -0400
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDC1A36.2090704@redhat.com>

Steven Jones wrote:
> Hi,
>
> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>
> Is there a solution to this?

Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?

This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.

rob

> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 24 May 2011 4:24 p.m.
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> I must be going blind in my old age.....anyway here they are.
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 24 May 2011 2:58 p.m.
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>
> Hi,
>
> 1) Screen data of the install from using the -d option. (attach d.out)
>
> 2) ipa-install log
>
> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>
> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>
> 5) For DNS I added,
>
> allow query {any;};
>
> into /etc/named.conf; clients were then not denied DNS.
>
> regards
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Tuesday, 24 May 2011 2:24 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>
> Steven Jones wrote:
>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>
> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>
> A few things to note:
>
> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>
> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>
> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>
> I think the first place to check is the Apache error log to see why the join call failed.
>
> rob


From simo at redhat.com Tue May 24 20:54:39 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 24 May 2011 16:54:39 -0400
Subject: [Freeipa-users] DNS denied for clients
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006358863@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1306239225.6490.3.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E4006358863@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1306270479.6490.58.camel@willson.li.ssimo.org>

On Tue, 2011-05-24 at 20:10 +0000, Steven Jones wrote:
> Hi,
>
> I've been expanding the POC, they used to be all on one.
>
> Ah........they are now on different subnets....the DHCP subnet 53.xx, server subnet 81.xx and server management subnet 87.xx.

Ok then you need to consult the bind manual and apply the proper allows as Adam suggested in the other message.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York


From Steven.Jones at vuw.ac.nz Tue May 24 21:09:48 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 21:09:48 +0000
Subject: [Freeipa-users] DNS denied for clients
In-Reply-To: <1306270479.6490.58.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1306239225.6490.3.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E4006358863@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1306270479.6490.58.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063588C0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

yes I've done this....problem is when it's "integrated into IPA" I didn't know if this was the right/approved way to do it.

regards

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Wednesday, 25 May 2011 8:54 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] DNS denied for clients

On Tue, 2011-05-24 at 20:10 +0000, Steven Jones wrote:
> Hi,
>
> I've been expanding the POC, they used to be all on one.
>
> Ah........they are now on different subnets....the DHCP subnet 53.xx, server subnet 81.xx and server management subnet 87.xx.

Ok then you need to consult the bind manual and apply the proper allows as Adam suggested in the other message.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


From simo at redhat.com Tue May 24 21:14:39 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 24 May 2011 17:14:39 -0400
Subject: [Freeipa-users] DNS denied for clients
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063588C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400635607D@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1306239225.6490.3.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E4006358863@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1306270479.6490.58.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E40063588C0@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1306271679.6490.59.camel@willson.li.ssimo.org>

On Tue, 2011-05-24 at 21:09 +0000, Steven Jones wrote:
> Hi,
>
> yes I've done this....problem is when it's "integrated into IPA" I didn't know if this was the right/approved way to do it.

IPA manages just the zones for now. Everything that goes in the main configuration section is handled through named.conf

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


From Steven.Jones at vuw.ac.nz Tue May 24 21:21:36 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 21:21:36 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <4DDC1A36.2090704@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Logs.....

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 25 May 2011 8:51 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> Hi,
>
> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>
> Is there a solution to this?

Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?

This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.

rob

> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 24 May 2011 4:24 p.m.
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> I must be going blind in my old age.....anyway here they are.
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, 24 May 2011 2:58 p.m.
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>
> Hi,
>
> 1) Screen data of the install from using the -d option. (attach d.out)
>
> 2) ipa-install log
>
> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>
> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>
> 5) For DNS I added,
>
> allow query {any;};
>
> into /etc/named.conf; clients were then not denied DNS.
>
> regards
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Tuesday, 24 May 2011 2:24 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>
> Steven Jones wrote:
>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>
> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>
> A few things to note:
>
> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>
> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>
> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>
> I think the first place to check is the Apache error log to see why the join call failed.
>
> rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 9583 bytes
Desc: error_log
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: access_log
Type: application/octet-stream
Size: 73700 bytes
Desc: access_log
URL:


From rcritten at redhat.com Tue May 24 21:41:59 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2011 17:41:59 -0400
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDC2627.9020901@redhat.com>

Steven Jones wrote:
> Logs.....

Sorry, I had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?

rob

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 25 May 2011 8:51 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> Hi,
>>
>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>
>> Is there a solution to this?
>
> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?
>
> This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.
>
> rob
>
>> regards
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>> To: Rob Crittenden
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> I must be going blind in my old age.....anyway here they are.
>>
>> regards
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>> To: Rob Crittenden
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>
>> Hi,
>>
>> 1) Screen data of the install from using the -d option. (attach d.out)
>>
>> 2) ipa-install log
>>
>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>
>> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>>
>> 5) For DNS I added,
>>
>> allow query {any;};
>>
>> into /etc/named.conf; clients were then not denied DNS.
>>
>> regards
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>
>> Steven Jones wrote:
>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>
>> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>>
>> A few things to note:
>>
>> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
>> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>>
>> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>>
>> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>>
>> I think the first place to check is the Apache error log to see why the join call failed.
>>
>> rob


From Steven.Jones at vuw.ac.nz Tue May 24 22:13:39 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 May 2011 22:13:39 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <4DDC2627.9020901@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>

FYI

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 25 May 2011 9:41 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> Logs.....

Sorry, I had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?

rob

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 25 May 2011 8:51 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> Hi,
>>
>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>
>> Is there a solution to this?
>
> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?
>
> This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.
>
> rob
>
>> regards
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>> To: Rob Crittenden
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> I must be going blind in my old age.....anyway here they are.
>>
>> regards
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>> To: Rob Crittenden
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>
>> Hi,
>>
>> 1) Screen data of the install from using the -d option. (attach d.out)
>>
>> 2) ipa-install log
>>
>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>
>> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>>
>> 5) For DNS I added,
>>
>> allow query {any;};
>>
>> into /etc/named.conf; clients were then not denied DNS.
>>
>> regards
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>
>> Steven Jones wrote:
>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>
>> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>>
>> A few things to note:
>>
>> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
>> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>>
>> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>>
>> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>>
>> I think the first place to check is the Apache error log to see why the join call failed.
>>
>> rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 550 bytes
Desc: error_log
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: access_log
Type: application/octet-stream
Size: 74018 bytes
Desc: access_log
URL:


From rcritten at redhat.com Wed May 25 03:33:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 May 2011 23:33:06 -0400
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDC7872.8060105@redhat.com>

Steven Jones wrote:
> FYI

Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication. It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.

Here is something to try (obviously replacing ipa.example.com with your ipa server):

% kdestroy
% scp ipa.example.com:/etc/krb5.conf test-krb5.conf
% export KRB5_CONFIG=`pwd`/test-krb5.conf
% kinit admin
% klist -f (send us this output)
% curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
% klist -f (send us this too)
% unset KRB5_CONFIG

You should get a 500 error and not a 401.

Some logs to capture the tail of:

Apache error and access logs
/var/log/krb5kdc.log

rob

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 25 May 2011 9:41 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> Logs.....
>
> Sorry, I had you set the level in the wrong file.
> Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>
> rob
>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>
>>> Is there a solution to this?
>>
>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?
>>
>> This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.
>>
>> rob
>>
>>> regards
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>> To: Rob Crittenden
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>
>>> I must be going blind in my old age.....anyway here they are.
>>>
>>> regards
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>> To: Rob Crittenden
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>
>>> Hi,
>>>
>>> 1) Screen data of the install from using the -d option. (attach d.out)
>>>
>>> 2) ipa-install log
>>>
>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>>
>>> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>>>
>>> 5) For DNS I added,
>>>
>>> allow query {any;};
>>>
>>> into /etc/named.conf; clients were then not denied DNS.
>>>
>>> regards
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>
>>> Steven Jones wrote:
>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>>
>>> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>>>
>>> A few things to note:
>>>
>>> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
>>> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>>>
>>> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>>>
>>> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>>>
>>> I think the first place to check is the Apache error log to see why the join call failed.
>>>
>>> rob


From Steven.Jones at vuw.ac.nz Wed May 25 03:43:25 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 25 May 2011 03:43:25 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <4DDC7872.8060105@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006359C3C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Is this done on the client or the server?

regards

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 25 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> FYI

Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication. It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.

Here is something to try (obviously replacing ipa.example.com with your ipa server):

% kdestroy
% scp ipa.example.com:/etc/krb5.conf test-krb5.conf
% export KRB5_CONFIG=`pwd`/test-krb5.conf
% kinit admin
% klist -f (send us this output)
% curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
% klist -f (send us this too)
% unset KRB5_CONFIG

You should get a 500 error and not a 401.
Some logs to capture the tail of:

Apache error and access logs
/var/log/krb5kdc.log

rob

> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 25 May 2011 9:41 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> Logs.....
>
> Sorry, I had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>
> rob
>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>
>>> Is there a solution to this?
>>
>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?
>>
>> This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.
>>
>> rob
>>
>>> regards
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>> To: Rob Crittenden
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>
>>> I must be going blind in my old age.....anyway here they are.
>>>
>>> regards
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>> To: Rob Crittenden
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>
>>> Hi,
>>>
>>> 1) Screen data of the install from using the -d option. (attach d.out)
>>>
>>> 2) ipa-install log
>>>
>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>>
>>> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>>>
>>> 5) For DNS I added,
>>>
>>> allow query {any;};
>>>
>>> into /etc/named.conf; clients were then not denied DNS.
>>>
>>> regards
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>
>>> Steven Jones wrote:
>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>>
>>> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>>>
>>> A few things to note:
>>>
>>> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
>>> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>>>
>>> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>>>
>>> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>>>
>>> I think the first place to check is the Apache error log to see why the join call failed.
>>>
>>> rob


From Steven.Jones at vuw.ac.nz Wed May 25 03:59:41 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 25 May 2011 03:59:41 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <4DDC7872.8060105@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>

FYI.... Think I did it right! :]

regards

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 25 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> FYI

Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication. It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.
Here is something to try (obviously replacing ipa.example.com with your ipa server): % kdestroy % scp ipa.example.com:/etc/krb5.conf test-krb5.conf % export KRB5_CONFIG=`pwd`/test-krb5.conf % kinit admin % klist -f (send us this output) % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml % klist -f (send us this too) % unset KRB5_CONFIG You should get a 500 error and not a 401. Some logs to capture the tail of: Apache error and access logs /var/log/krb5kdc.log rob > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 25 May 2011 9:41 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs > > Steven Jones wrote: >> Logs..... > > Sorry, had you set the level in the wrong file. Can you set LogLevel > debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again? > > rob > >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 25 May 2011 8:51 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >> >> Steven Jones wrote: >>> Hi, >>> >>> So I cant get clients to connect tot he ipa server, bei it 5.6 or 6.1 >>> >>> Is there a solution to this? >> >> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache >> and try the join again? >> >> This should give more feedback why mod_auth_kerb/kerberos is rejecting >> the credentials. >> >> rob >> >>> >>> >>> regards >>> ________________________________________ >>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>> Sent: Tuesday, 24 May 2011 4:24 p.m. 
>>> To: Rob Crittenden >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>> >>> I must be going blind in my old age.....anyway here they are. >>> >>> regards >>> ________________________________________ >>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>> Sent: Tuesday, 24 May 2011 2:58 p.m. >>> To: Rob Crittenden >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>> >>> Hi, >>> >>> 1) Screen data of the install from using the -d option. (attach d.out) >>> >>> 2) ipa-install log >>> >>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory. >>> >>> 4) "Did you also run kinit before manually >>> running ipa-join in your testing?" Yes.... >>> >>> 5) For DNS I added, >>> >>> allow query {any;}; >>> >>> into /etc/named.conf clients were then not denied DNS. >>> >>> regards >>> >>> >>> >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Tuesday, 24 May 2011 2:24 p.m. >>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>> >>> Steven Jones wrote: >>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure... >>> >>> This is a different mismatch than you were seeing with 5.6 (and a >>> completely different error message). >>> >>> A few things to note: >>> >>> - In general, when you reference any IPA server you should always use >>> the fully-qualified name. The SSL error you had was because the name did >>> not match the certificate. 
>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so >>> you can always check the Apache error/access logs for diagnostic >>> information. >>> - The integrated DNS stores information in LDAP, not flat files, so >>> having no data in /var/named is not surprising. >>> >>> ipa-join needs authentication in the form of a TGT or a one-time >>> password. It definitely did one in the log you provided and you still >>> got a 401, which is strange. Did you also run kinit before manually >>> running ipa-join in your testing? >>> >>> Running ipa-join or ipa-client-install with the -d option will provide a >>> lot more debugging information. >>> >>> I think the first place to check is the Apache error log to see why the >>> join call failed. >>> >>> rob >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> > -------------- next part -------------- A non-text attachment was scrubbed... Name: access_log Type: application/octet-stream Size: 84574 bytes Desc: access_log URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: error_log Type: application/octet-stream Size: 83114 bytes Desc: error_log URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: krb5kdc.log Type: application/octet-stream Size: 154252 bytes Desc: krb5kdc.log URL: From Steven.Jones at vuw.ac.nz Wed May 25 04:23:42 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 25 May 2011 04:23:42 +0000 Subject: [Freeipa-users] kerberos to keberos inter-realm trusts Message-ID: <833D8E48405E064EBC54C84EC6B36E4006359C7C@STAWINCOX10MBX1.staff.vuw.ac.nz> Can IPA do this? 
regards

From simo at redhat.com Wed May 25 12:48:58 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 25 May 2011 08:48:58 -0400
Subject: [Freeipa-users] kerberos to keberos inter-realm trusts
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006359C7C@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006359C7C@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1306327738.6490.78.camel@willson.li.ssimo.org>

On Wed, 2011-05-25 at 04:23 +0000, Steven Jones wrote:
> Can IPA do this?

Technically MIT Kerberos can do that, but we do not have any infrastructure to properly handle trusts yet at the identity level.

Cross-Realm trusts are the focus of version 3.0

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed May 25 13:21:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2011 09:21:30 -0400
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDD025A.3060209@redhat.com>

Steven Jones wrote:
> FYI....
>
> Think I did it right!
>
> :]

What was the outcome? Did you get a 401 or 500? I can't figure it out based on the logs but I do see quite a few successful authentications.

Can you isolate the log data for this one curl request?

I'd run this on the 6.1 client that you're having problems with.
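The curl/Negotiate check Rob spells out earlier in this thread (kdestroy, borrow the server's krb5.conf via KRB5_CONFIG, kinit, curl -kv --negotiate, klist before and after), together with his earlier note that the IPA server must always be referenced by its fully-qualified name, wrapped as a small POSIX shell script that also reads the result. This is an added example for this archive page; it is not FreeIPA project code and was not posted by anyone in the thread. It assumes the server name is passed as the first argument, that the server's /etc/krb5.conf can be fetched with scp as in Rob's recipe, and that the endpoint is /ipa/xml; the three curl transcripts embedded in it are hand-constructed for the example, not captures from this thread.

```shell
#!/bin/sh
# ipa-negotiate-probe.sh: the curl/Negotiate check from this thread, plus a
# reading of its result.  Added example; not FreeIPA code.
# Assumptions (not from the thread): the server name is $1, the server's
# /etc/krb5.conf is reachable via scp, and the endpoint is /ipa/xml.

# Return 0 if NAME is fully qualified (contains a dot, no trailing dot).
# The service principal curl asks Kerberos for (HTTP/<name>@REALM) is built
# from the host name handed to curl, so a short name means no service ticket
# and no Negotiate attempt at all, which is what happened in the thread.
is_fqdn() {
    case "$1" in
        *.)  return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print a one-word diagnosis for a saved "curl -kv --negotiate -u :" transcript.
# The status is taken from the LAST "< HTTP/..." line: a healthy exchange has
# two responses, the 401 Negotiate challenge and then the reply to the retry
# that carries the ticket.  The thread says to expect a 500 (not a 401) once
# authentication works; that 500 comes from the endpoint, not from auth.
classify_probe() {
    last_status=$(awk '/^< HTTP/ { code = $3 } END { print code }' "$1")
    if grep -q '^> Authorization: Negotiate' "$1"; then sent=yes; else sent=no; fi
    case "$last_status:$sent" in
        500:yes) echo negotiate-ok ;;            # ticket accepted by mod_auth_kerb
        401:yes) echo negotiate-rejected ;;      # token sent, server refused it
        401:no)  echo negotiate-not-attempted ;; # no HTTP/<fqdn> ticket obtained
        *)       echo "unexpected:${last_status:-none}" ;;
    esac
}

# Constructed transcripts (hand-written for this example, not captures).
write_sample_ok() {
    cat >"$1" <<'EOF'
> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate YIICxxxx
< HTTP/1.1 500 Internal Server Error
EOF
}

write_sample_short_name() {
    # Short host name: curl sees the challenge but never obtains a ticket.
    cat >"$1" <<'EOF'
> GET /ipa/xml HTTP/1.1
> Host: ipa
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
EOF
}

write_sample_rejected() {
    cat >"$1" <<'EOF'
> GET /ipa/xml HTTP/1.1
> Host: ipa.example.com
< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
> GET /ipa/xml HTTP/1.1
> Authorization: Negotiate YIICxxxx
< HTTP/1.1 401 Authorization Required
EOF
}

# The live sequence from the thread.  Needs a reachable KDC and IPA server,
# so it only runs when a server name is given on the command line.
run_probe() {
    server=$1
    is_fqdn "$server" || { echo "use the server's FQDN, not '$server'" >&2; return 2; }
    kdestroy 2>/dev/null || true
    scp "$server:/etc/krb5.conf" ./test-krb5.conf
    KRB5_CONFIG=$PWD/test-krb5.conf; export KRB5_CONFIG   # rule out the client's own krb5.conf
    kinit admin
    klist -f
    # -k skips certificate verification for this diagnostic only; the earlier
    # SSL error in the thread was a name/certificate mismatch, which -k hides.
    curl -kv --negotiate -u : "https://$server/ipa/xml" >probe.out 2>&1
    klist -f            # an HTTP/<fqdn>@REALM entry here means a service ticket was obtained
    unset KRB5_CONFIG
    classify_probe probe.out
}

if [ $# -gt 0 ]; then
    run_probe "$1"
fi
```

Run it on the client that fails to join, as `sh ipa-negotiate-probe.sh ipa.example.com`, and keep probe.out next to the tails of the Apache error/access logs and /var/log/krb5kdc.log that Rob asks for. A result of negotiate-not-attempted points at the client side (no service ticket: short name, wrong realm mapping, or no TGT in the second klist); negotiate-rejected points at the server side and is where the Apache error log at LogLevel debug earns its keep. Keep -k confined to this check: disabling certificate verification is what lets the probe talk to a server whose certificate name does not match, and the join itself should not do that.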
thanks rob > > regards > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Wednesday, 25 May 2011 3:33 p.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs > > Steven Jones wrote: >> FYI > > Ok, this is very strange, it isn't really trying very hard to do the > kerberos authentication. > > It should be requesting the HTTP service principal and then doing the > Negotiate authentication but for some reason it is giving up. > > Here is something to try (obviously replacing ipa.example.com with your > ipa server): > > % kdestroy > % scp ipa.example.com:/etc/krb5.conf test-krb5.conf > % export KRB5_CONFIG=`pwd`/test-krb5.conf > % kinit admin > % klist -f (send us this output) > % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml > % klist -f (send us this too) > % unset KRB5_CONFIG > > You should get a 500 error and not a 401. > > Some logs to capture the tail of: > > Apache error and access logs > /var/log/krb5kdc.log > > rob > >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 25 May 2011 9:41 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >> >> Steven Jones wrote: >>> Logs..... >> >> Sorry, had you set the level in the wrong file. Can you set LogLevel >> debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again? >> >> rob >> >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Wednesday, 25 May 2011 8:51 a.m. 
>>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>> >>> Steven Jones wrote: >>>> Hi, >>>> >>>> So I cant get clients to connect tot he ipa server, bei it 5.6 or 6.1 >>>> >>>> Is there a solution to this? >>> >>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache >>> and try the join again? >>> >>> This should give more feedback why mod_auth_kerb/kerberos is rejecting >>> the credentials. >>> >>> rob >>> >>>> >>>> >>>> regards >>>> ________________________________________ >>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>> Sent: Tuesday, 24 May 2011 4:24 p.m. >>>> To: Rob Crittenden >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>>> >>>> I must be going blind in my old age.....anyway here they are. >>>> >>>> regards >>>> ________________________________________ >>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>> Sent: Tuesday, 24 May 2011 2:58 p.m. >>>> To: Rob Crittenden >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>>> >>>> Hi, >>>> >>>> 1) Screen data of the install from using the -d option. (attach d.out) >>>> >>>> 2) ipa-install log >>>> >>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory. >>>> >>>> 4) "Did you also run kinit before manually >>>> running ipa-join in your testing?" Yes.... >>>> >>>> 5) For DNS I added, >>>> >>>> allow query {any;}; >>>> >>>> into /etc/named.conf clients were then not denied DNS. 
>>>> >>>> regards >>>> >>>> >>>> >>>> ________________________________________ >>>> From: Rob Crittenden [rcritten at redhat.com] >>>> Sent: Tuesday, 24 May 2011 2:24 p.m. >>>> To: Steven Jones >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>>> >>>> Steven Jones wrote: >>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure... >>>> >>>> This is a different mismatch than you were seeing with 5.6 (and a >>>> completely different error message). >>>> >>>> A few things to note: >>>> >>>> - In general, when you reference any IPA server you should always use >>>> the fully-qualified name. The SSL error you had was because the name did >>>> not match the certificate. >>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so >>>> you can always check the Apache error/access logs for diagnostic >>>> information. >>>> - The integrated DNS stores information in LDAP, not flat files, so >>>> having no data in /var/named is not surprising. >>>> >>>> ipa-join needs authentication in the form of a TGT or a one-time >>>> password. It definitely did one in the log you provided and you still >>>> got a 401, which is strange. Did you also run kinit before manually >>>> running ipa-join in your testing? >>>> >>>> Running ipa-join or ipa-client-install with the -d option will provide a >>>> lot more debugging information. >>>> >>>> I think the first place to check is the Apache error log to see why the >>>> join call failed. 
>>>> >>>> rob >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >

From Steven.Jones at vuw.ac.nz Wed May 25 20:30:28 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 25 May 2011 20:30:28 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <4DDD025A.3060209@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>

Outcome? I couldn't see where the 401 or 500 "appeared".....

the screen output of curl was as attached.

regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 26 May 2011 1:21 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> FYI....
>
> Think I did it right!
>
> :]

What was the outcome? Did you get a 401 or 500? I can't figure it out based on the logs but I do see quite a few successful authentications.

Can you isolate the log data for this one curl request?

I'd run this on the 6.1 client that you're having problems with.

thanks

rob

>
> regards
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 25 May 2011 3:33 p.m.
> To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs > > Steven Jones wrote: >> FYI > > Ok, this is very strange, it isn't really trying very hard to do the > kerberos authentication. > > It should be requesting the HTTP service principal and then doing the > Negotiate authentication but for some reason it is giving up. > > Here is something to try (obviously replacing ipa.example.com with your > ipa server): > > % kdestroy > % scp ipa.example.com:/etc/krb5.conf test-krb5.conf > % export KRB5_CONFIG=`pwd`/test-krb5.conf > % kinit admin > % klist -f (send us this output) > % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml > % klist -f (send us this too) > % unset KRB5_CONFIG > > You should get a 500 error and not a 401. > > Some logs to capture the tail of: > > Apache error and access logs > /var/log/krb5kdc.log > > rob > >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 25 May 2011 9:41 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >> >> Steven Jones wrote: >>> Logs..... >> >> Sorry, had you set the level in the wrong file. Can you set LogLevel >> debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again? >> >> rob >> >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Wednesday, 25 May 2011 8:51 a.m. >>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>> >>> Steven Jones wrote: >>>> Hi, >>>> >>>> So I cant get clients to connect tot he ipa server, bei it 5.6 or 6.1 >>>> >>>> Is there a solution to this? >>> >>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache >>> and try the join again? 
>>> >>> This should give more feedback why mod_auth_kerb/kerberos is rejecting >>> the credentials. >>> >>> rob >>> >>>> >>>> >>>> regards >>>> ________________________________________ >>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>> Sent: Tuesday, 24 May 2011 4:24 p.m. >>>> To: Rob Crittenden >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>>> >>>> I must be going blind in my old age.....anyway here they are. >>>> >>>> regards >>>> ________________________________________ >>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>> Sent: Tuesday, 24 May 2011 2:58 p.m. >>>> To: Rob Crittenden >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>>> >>>> Hi, >>>> >>>> 1) Screen data of the install from using the -d option. (attach d.out) >>>> >>>> 2) ipa-install log >>>> >>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory. >>>> >>>> 4) "Did you also run kinit before manually >>>> running ipa-join in your testing?" Yes.... >>>> >>>> 5) For DNS I added, >>>> >>>> allow query {any;}; >>>> >>>> into /etc/named.conf clients were then not denied DNS. >>>> >>>> regards >>>> >>>> >>>> >>>> ________________________________________ >>>> From: Rob Crittenden [rcritten at redhat.com] >>>> Sent: Tuesday, 24 May 2011 2:24 p.m. >>>> To: Steven Jones >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>>> >>>> Steven Jones wrote: >>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure... 
>>>> >>>> This is a different mismatch than you were seeing with 5.6 (and a >>>> completely different error message). >>>> >>>> A few things to note: >>>> >>>> - In general, when you reference any IPA server you should always use >>>> the fully-qualified name. The SSL error you had was because the name did >>>> not match the certificate. >>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so >>>> you can always check the Apache error/access logs for diagnostic >>>> information. >>>> - The integrated DNS stores information in LDAP, not flat files, so >>>> having no data in /var/named is not surprising. >>>> >>>> ipa-join needs authentication in the form of a TGT or a one-time >>>> password. It definitely did one in the log you provided and you still >>>> got a 401, which is strange. Did you also run kinit before manually >>>> running ipa-join in your testing? >>>> >>>> Running ipa-join or ipa-client-install with the -d option will provide a >>>> lot more debugging information. >>>> >>>> I think the first place to check is the Apache error log to see why the >>>> join call failed. >>>> >>>> rob >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: curl.out
Type: application/octet-stream
Size: 1682 bytes
Desc: curl.out
URL:

From rcritten at redhat.com Wed May 25 20:32:06 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2011 16:32:06 -0400
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDD6746.4040600@redhat.com>

Steven Jones wrote:
> Outcome? I couldn't see where the 401 or 500 "appeared".....
>
> the screen output of curl was as attached.

You didn't use the FQDN of the ipa server so it didn't do the authentication. Please run this again using the FQDN.

rob

>
> regards
>
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 26 May 2011 1:21 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> FYI....
>>
>> Think I did it right!
>>
>> :]
>
> What was the outcome? Did you get a 401 or 500? I can't figure it out
> based on the logs but I do see quite a few successful authentications.
>
> Can you isolate the log data for this one curl request?
>
> I'd run this on the 6.1 client that you're having problems with.
> > thanks > > rob > >> >> regards >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Wednesday, 25 May 2011 3:33 p.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >> >> Steven Jones wrote: >>> FYI >> >> Ok, this is very strange, it isn't really trying very hard to do the >> kerberos authentication. >> >> It should be requesting the HTTP service principal and then doing the >> Negotiate authentication but for some reason it is giving up. >> >> Here is something to try (obviously replacing ipa.example.com with your >> ipa server): >> >> % kdestroy >> % scp ipa.example.com:/etc/krb5.conf test-krb5.conf >> % export KRB5_CONFIG=`pwd`/test-krb5.conf >> % kinit admin >> % klist -f (send us this output) >> % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml >> % klist -f (send us this too) >> % unset KRB5_CONFIG >> >> You should get a 500 error and not a 401. >> >> Some logs to capture the tail of: >> >> Apache error and access logs >> /var/log/krb5kdc.log >> >> rob >> >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Wednesday, 25 May 2011 9:41 a.m. >>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>> >>> Steven Jones wrote: >>>> Logs..... >>> >>> Sorry, had you set the level in the wrong file. Can you set LogLevel >>> debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again? >>> >>> rob >>> >>>> ________________________________________ >>>> From: Rob Crittenden [rcritten at redhat.com] >>>> Sent: Wednesday, 25 May 2011 8:51 a.m. 
>>>> To: Steven Jones >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>>> >>>> Steven Jones wrote: >>>>> Hi, >>>>> >>>>> So I cant get clients to connect tot he ipa server, bei it 5.6 or 6.1 >>>>> >>>>> Is there a solution to this? >>>> >>>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache >>>> and try the join again? >>>> >>>> This should give more feedback why mod_auth_kerb/kerberos is rejecting >>>> the credentials. >>>> >>>> rob >>>> >>>>> >>>>> >>>>> regards >>>>> ________________________________________ >>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>> Sent: Tuesday, 24 May 2011 4:24 p.m. >>>>> To: Rob Crittenden >>>>> Cc: freeipa-users at redhat.com >>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>>>> >>>>> I must be going blind in my old age.....anyway here they are. >>>>> >>>>> regards >>>>> ________________________________________ >>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>> Sent: Tuesday, 24 May 2011 2:58 p.m. >>>>> To: Rob Crittenden >>>>> Cc: freeipa-users at redhat.com >>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>>>> >>>>> Hi, >>>>> >>>>> 1) Screen data of the install from using the -d option. (attach d.out) >>>>> >>>>> 2) ipa-install log >>>>> >>>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory. >>>>> >>>>> 4) "Did you also run kinit before manually >>>>> running ipa-join in your testing?" Yes.... >>>>> >>>>> 5) For DNS I added, >>>>> >>>>> allow query {any;}; >>>>> >>>>> into /etc/named.conf clients were then not denied DNS. 
>>>>> >>>>> regards >>>>> >>>>> >>>>> >>>>> ________________________________________ >>>>> From: Rob Crittenden [rcritten at redhat.com] >>>>> Sent: Tuesday, 24 May 2011 2:24 p.m. >>>>> To: Steven Jones >>>>> Cc: freeipa-users at redhat.com >>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>>>> >>>>> Steven Jones wrote: >>>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure... >>>>> >>>>> This is a different mismatch than you were seeing with 5.6 (and a >>>>> completely different error message). >>>>> >>>>> A few things to note: >>>>> >>>>> - In general, when you reference any IPA server you should always use >>>>> the fully-qualified name. The SSL error you had was because the name did >>>>> not match the certificate. >>>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so >>>>> you can always check the Apache error/access logs for diagnostic >>>>> information. >>>>> - The integrated DNS stores information in LDAP, not flat files, so >>>>> having no data in /var/named is not surprising. >>>>> >>>>> ipa-join needs authentication in the form of a TGT or a one-time >>>>> password. It definitely did one in the log you provided and you still >>>>> got a 401, which is strange. Did you also run kinit before manually >>>>> running ipa-join in your testing? >>>>> >>>>> Running ipa-join or ipa-client-install with the -d option will provide a >>>>> lot more debugging information. >>>>> >>>>> I think the first place to check is the Apache error log to see why the >>>>> join call failed. 
>>>>> >>>>> rob >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> >> >

From Steven.Jones at vuw.ac.nz Wed May 25 20:37:57 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 25 May 2011 20:37:57 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <4DDD6746.4040600@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD6746.4040600@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>

Strange dns things? calling host from the command line works but "something" can't resolve the ipa server....

regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 26 May 2011 8:32 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> Outcome? I couldn't see where the 401 or 500 "appeared".....
>
> the screen output of curl was as attached.

You didn't use the FQDN of the ipa server so it didn't do the authentication. Please run this again using the FQDN.

rob

>
> regards
>
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 26 May 2011 1:21 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> FYI....
>>
>> Think I did it right!
>>
>> :]
>
> What was the outcome? Did you get a 401 or 500? I can't figure it out based on the logs but I do see quite a few successful authentications.
>
> Can you isolate the log data for this one curl request?
>
> I'd run this on the 6.1 client that you're having problems with.
>
> thanks
>
> rob
>
>>
>> regards
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 25 May 2011 3:33 p.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> FYI
>>
>> Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication.
>>
>> It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.
>>
>> Here is something to try (obviously replacing ipa.example.com with your ipa server):
>>
>> % kdestroy
>> % scp ipa.example.com:/etc/krb5.conf test-krb5.conf
>> % export KRB5_CONFIG=`pwd`/test-krb5.conf
>> % kinit admin
>> % klist -f (send us this output)
>> % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
>> % klist -f (send us this too)
>> % unset KRB5_CONFIG
>>
>> You should get a 500 error and not a 401.
>>
>> Some logs to capture the tail of:
>>
>> Apache error and access logs
>> /var/log/krb5kdc.log
>>
>> rob
>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 25 May 2011 9:41 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>
>>> Steven Jones wrote:
>>>> Logs.....
>>>
>>> Sorry, I had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>>>
>>> rob
>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>
>>>> Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>>>
>>>>> Is there a solution to this?
>>>>
>>>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?
>>>>
>>>> This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.
>>>>
>>>> rob
>>>>
>>>>>
>>>>> regards
>>>>> ________________________________________
>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>>>> To: Rob Crittenden
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>>
>>>>> I must be going blind in my old age.....anyway here they are.
>>>>>
>>>>> regards
>>>>> ________________________________________
>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>>>> To: Rob Crittenden
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>>
>>>>> Hi,
>>>>>
>>>>> 1) Screen data of the install from using the -d option. (attach d.out)
>>>>>
>>>>> 2) ipa-install log
>>>>>
>>>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>>>>
>>>>> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>>>>>
>>>>> 5) For DNS I added,
>>>>>
>>>>> allow-query { any; };
>>>>>
>>>>> into /etc/named.conf clients were then not denied DNS.
>>>>>
>>>>> regards
>>>>>
>>>>> ________________________________________
>>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>>>> To: Steven Jones
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>>
>>>>> Steven Jones wrote:
>>>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>>>>
>>>>> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>>>>>
>>>>> A few things to note:
>>>>>
>>>>> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
>>>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
>>>>> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>>>>>
>>>>> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>>>>>
>>>>> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>>>>>
>>>>> I think the first place to check is the Apache error log to see why the join call failed.
>>>>>
>>>>> rob
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: out2
Type: application/octet-stream
Size: 1682 bytes
Desc: out2
URL: 

From danieljamesscott at gmail.com Wed May 25 21:00:23 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Wed, 25 May 2011 17:00:23 -0400
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
Message-ID: 

Hello,

I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions:

1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?
2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate against FreeIPA 2 servers?
3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way).

Overall, my questions boil down to this: Can I migrate systems as and when possible/convenient, or do I have to do 'everything' in one go?

I looked through the documentation, but the V2 docs currently seem quite developer-centric, does anyone have any links for me?

Thanks,

Dan Scott

From Steven.Jones at vuw.ac.nz Wed May 25 21:21:36 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 25 May 2011 21:21:36 +0000
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To: 
References: 
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635A2F7@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

As far as I am aware Windows clients can only authenticate against ADs. So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need an AD as well as FreeIPA.
From what's been said in the last day or so the next version of FreeIPA will do interREALM kerberos trusts?....so it's looking a bit better than a password sync....but I think you will still need AD and FreeIPA.

From my limited understanding something has to do the authorisation still which is the LDAP bit.....so once you trust the user you still have to put in two places what the user can do....depending on what the user wants to connect to.

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dan Scott [danieljamesscott at gmail.com]
Sent: Thursday, 26 May 2011 9:00 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

Hello,

I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions:

1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?
2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate against FreeIPA 2 servers?
3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way).

Overall, my questions boil down to this: Can I migrate systems as and when possible/convenient, or do I have to do 'everything' in one go?

I looked through the documentation, but the V2 docs currently seem quite developer-centric, does anyone have any links for me?
Thanks,

Dan Scott

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From erinn.looneytriggs at gmail.com Wed May 25 21:29:41 2011
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Wed, 25 May 2011 13:29:41 -0800
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635A2F7@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E400635A2F7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDD74C5.2010002@gmail.com>

On 05/25/2011 01:21 PM, Steven Jones wrote:
> Hi,
>
> As far as I am aware Windows clients can only authenticate against ADs. So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need an AD as well as FreeIPA.

No, Windows clients can auth against Kerberos realms directly and so should be able to auth against an IPA server as well. It is slightly complicated and difficult to manage but it can be done.

-Erinn

From simo at redhat.com Wed May 25 21:54:14 2011
From: simo at redhat.com (Simo Sorce)
Date: Wed, 25 May 2011 17:54:14 -0400
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To: 
References: 
Message-ID: <1306360454.9511.13.camel@willson.li.ssimo.org>

On Wed, 2011-05-25 at 17:00 -0400, Dan Scott wrote:
> Hello,
>
> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions:
>
> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?

Yes but you should configure them as normal LDAP+Krb clients not FreeIPA clients.

> 2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate against FreeIPA 2 servers?

Yes as normal LDAP+Krb clients.

> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way).
You need to perform an actual data migration, I suggest you install a separate box with F15 + freeipa v2 and migrate accounts from the v1 instance. Direct upgrades from v1 to v2 by way of an rpm upgrade are not possible.

> Overall, my questions boil down to this: Can I migrate systems as and when possible/convenient, or do I have to do 'everything' in one go?

You don't have to do everything in one go, except for the server instances (unless you can live for a while in a split brain situation).

> I looked through the documentation, but the V2 docs currently seem quite developer-centric, does anyone have any links for me?

Take a look at this:
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/

Still a work in progress but there is a lot already.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed May 25 22:13:30 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2011 18:13:30 -0400
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To: 
References: 
Message-ID: <4DDD7F0A.402@redhat.com>

Dan Scott wrote:
> Hello,
>
> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions:
>
> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?

Yes but you would have to configure it yourself. sssd would work nicely with an ldap/krb5 configuration.

> 2. Can Fedora 14 (and older, and Windows and Mac) clients authenticate against FreeIPA 2 servers?

You would need to either build your own Fedora 14 ipa-client v2 package or manually configure it. The sssd in F-14 should work well even using the ipa provider. Windows domain login is not supported.

> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way).
You cannot do a straight upgrade, too much changed between the two versions. You should be able to migrate the users and groups using the v2 migration system. This will maintain your user passwords at least.

You would need to generate new principals and keytabs for your kerberized services.

I don't think it would be practical to try to run the two systems side-by-side.

rob

From Steven.Jones at vuw.ac.nz Wed May 25 22:59:25 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 25 May 2011 22:59:25 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD6746.4040600@redhat.com>, <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635A340@STAWINCOX10MBX1.staff.vuw.ac.nz>

any ideas pls?

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Thursday, 26 May 2011 8:37 a.m.
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Strange dns things?

calling host from the command line works but "something" can't resolve the ipa server....
regards
________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 26 May 2011 8:32 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> Outcome?, I couldn't see where the 401 or 500 "appeared".....
>
> the screen output of curl was as attached.

You didn't use the FQDN of the ipa server so it didn't do the authentication.

Please run this again using the FQDN.

rob

>
> regards
>
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 26 May 2011 1:21 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> FYI....
>>
>> Think I did it right!
>>
>> :]
>
> What was the outcome? Did you get a 401 or 500? I can't figure it out based on the logs but I do see quite a few successful authentications.
>
> Can you isolate the log data for this one curl request?
>
> I'd run this on the 6.1 client that you're having problems with.
>
> thanks
>
> rob
>
>>
>> regards
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 25 May 2011 3:33 p.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> FYI
>>
>> Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication.
>>
>> It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.
>>
>> Here is something to try (obviously replacing ipa.example.com with your ipa server):
>>
>> % kdestroy
>> % scp ipa.example.com:/etc/krb5.conf test-krb5.conf
>> % export KRB5_CONFIG=`pwd`/test-krb5.conf
>> % kinit admin
>> % klist -f (send us this output)
>> % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
>> % klist -f (send us this too)
>> % unset KRB5_CONFIG
>>
>> You should get a 500 error and not a 401.
>>
>> Some logs to capture the tail of:
>>
>> Apache error and access logs
>> /var/log/krb5kdc.log
>>
>> rob
>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 25 May 2011 9:41 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>
>>> Steven Jones wrote:
>>>> Logs.....
>>>
>>> Sorry, I had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>>>
>>> rob
>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>
>>>> Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>>>
>>>>> Is there a solution to this?
>>>>
>>>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?
>>>>
>>>> This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.
>>>>
>>>> rob
>>>>
>>>>>
>>>>> regards
>>>>> ________________________________________
>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>>>> To: Rob Crittenden
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>>
>>>>> I must be going blind in my old age.....anyway here they are.
>>>>>
>>>>> regards
>>>>> ________________________________________
>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>>>> To: Rob Crittenden
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>>
>>>>> Hi,
>>>>>
>>>>> 1) Screen data of the install from using the -d option. (attach d.out)
>>>>>
>>>>> 2) ipa-install log
>>>>>
>>>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>>>>
>>>>> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>>>>>
>>>>> 5) For DNS I added,
>>>>>
>>>>> allow-query { any; };
>>>>>
>>>>> into /etc/named.conf clients were then not denied DNS.
>>>>>
>>>>> regards
>>>>>
>>>>> ________________________________________
>>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>>>> To: Steven Jones
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>>
>>>>> Steven Jones wrote:
>>>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>>>>
>>>>> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>>>>>
>>>>> A few things to note:
>>>>>
>>>>> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
>>>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
>>>>> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>>>>>
>>>>> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>>>>>
>>>>> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>>>>>
>>>>> I think the first place to check is the Apache error log to see why the join call failed.
>>>>>
>>>>> rob
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>
>

From rcritten at redhat.com Thu May 26 00:46:46 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 May 2011 20:46:46 -0400
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD6746.4040600@redhat.com>
 <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DDDA2F6.9090009@redhat.com>

Steven Jones wrote:
> Strange dns things?
>
> calling host from the command line works but "something" can't resolve the ipa server....

This is not a DNS problem, you did not give the FQDN to curl. There are Apache mod_rewrite rules that attempt to redirect HTTP requests to a point where the name will match the Kerberos service principal for the server, hence the 301 you got in return.

Please just use the FQDN and all will be well.

rob

>
> regards
>
>
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, 26 May 2011 8:32 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>
> Steven Jones wrote:
>> Outcome?, I couldn't see where the 401 or 500 "appeared".....
>>
>> the screen output of curl was as attached.
>
> You didn't use the FQDN of the ipa server so it didn't do the authentication.
>
> Please run this again using the FQDN.
>
> rob
>
>>
>> regards
>>
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Thursday, 26 May 2011 1:21 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>
>> Steven Jones wrote:
>>> FYI....
>>>
>>> Think I did it right!
>>>
>>> :]
>>
>> What was the outcome? Did you get a 401 or 500? I can't figure it out based on the logs but I do see quite a few successful authentications.
>>
>> Can you isolate the log data for this one curl request?
>>
>> I'd run this on the 6.1 client that you're having problems with.
>>
>> thanks
>>
>> rob
>>
>>>
>>> regards
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 25 May 2011 3:33 p.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>
>>> Steven Jones wrote:
>>>> FYI
>>>
>>> Ok, this is very strange, it isn't really trying very hard to do the kerberos authentication.
>>>
>>> It should be requesting the HTTP service principal and then doing the Negotiate authentication but for some reason it is giving up.
>>>
>>> Here is something to try (obviously replacing ipa.example.com with your ipa server):
>>>
>>> % kdestroy
>>> % scp ipa.example.com:/etc/krb5.conf test-krb5.conf
>>> % export KRB5_CONFIG=`pwd`/test-krb5.conf
>>> % kinit admin
>>> % klist -f (send us this output)
>>> % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml
>>> % klist -f (send us this too)
>>> % unset KRB5_CONFIG
>>>
>>> You should get a 500 error and not a 401.
>>>
>>> Some logs to capture the tail of:
>>>
>>> Apache error and access logs
>>> /var/log/krb5kdc.log
>>>
>>> rob
>>>
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Wednesday, 25 May 2011 9:41 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>
>>>> Steven Jones wrote:
>>>>> Logs.....
>>>>
>>>> Sorry, I had you set the level in the wrong file. Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again?
>>>>
>>>> rob
>>>>
>>>>> ________________________________________
>>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>>> Sent: Wednesday, 25 May 2011 8:51 a.m.
>>>>> To: Steven Jones
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>>
>>>>> Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> So I can't get clients to connect to the ipa server, be it 5.6 or 6.1
>>>>>>
>>>>>> Is there a solution to this?
>>>>>
>>>>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache and try the join again?
>>>>>
>>>>> This should give more feedback why mod_auth_kerb/kerberos is rejecting the credentials.
>>>>>
>>>>> rob
>>>>>
>>>>>>
>>>>>> regards
>>>>>> ________________________________________
>>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>>> Sent: Tuesday, 24 May 2011 4:24 p.m.
>>>>>> To: Rob Crittenden
>>>>>> Cc: freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
>>>>>>
>>>>>> I must be going blind in my old age.....anyway here they are.
>>>>>>
>>>>>> regards
>>>>>> ________________________________________
>>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
>>>>>> Sent: Tuesday, 24 May 2011 2:58 p.m.
>>>>>> To: Rob Crittenden
>>>>>> Cc: freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> 1) Screen data of the install from using the -d option. (attach d.out)
>>>>>>
>>>>>> 2) ipa-install log
>>>>>>
>>>>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory.
>>>>>>
>>>>>> 4) "Did you also run kinit before manually running ipa-join in your testing?" Yes....
>>>>>>
>>>>>> 5) For DNS I added,
>>>>>>
>>>>>> allow-query { any; };
>>>>>>
>>>>>> into /etc/named.conf clients were then not denied DNS.
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> ________________________________________
>>>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>>>> Sent: Tuesday, 24 May 2011 2:24 p.m.
>>>>>> To: Steven Jones
>>>>>> Cc: freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>>>>
>>>>>> Steven Jones wrote:
>>>>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure...
>>>>>>
>>>>>> This is a different mismatch than you were seeing with 5.6 (and a completely different error message).
>>>>>>
>>>>>> A few things to note:
>>>>>>
>>>>>> - In general, when you reference any IPA server you should always use the fully-qualified name. The SSL error you had was because the name did not match the certificate.
>>>>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so you can always check the Apache error/access logs for diagnostic information.
>>>>>> - The integrated DNS stores information in LDAP, not flat files, so having no data in /var/named is not surprising.
>>>>>>
>>>>>> ipa-join needs authentication in the form of a TGT or a one-time password. It definitely did one in the log you provided and you still got a 401, which is strange. Did you also run kinit before manually running ipa-join in your testing?
>>>>>>
>>>>>> Running ipa-join or ipa-client-install with the -d option will provide a lot more debugging information.
>>>>>>
>>>>>> I think the first place to check is the Apache error log to see why the join call failed.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>
>>>
>>
>

From Steven.Jones at vuw.ac.nz Thu May 26 01:20:17 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 26 May 2011 01:20:17 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs
In-Reply-To: <4DDDA2F6.9090009@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD6746.4040600@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDDA2F6.9090009@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635A3C5@STAWINCOX10MBX1.staff.vuw.ac.nz>

um...doh typo...

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Thursday, 26 May 2011 12:46 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs

Steven Jones wrote:
> Strange dns things?
>
> calling host from the command line works but "something" can't resolve the ipa server....

This is not a DNS problem, you did not give the FQDN to curl. There are Apache mod_rewrite rules that attempt to redirect HTTP requests to a point where the name will match the Kerberos service principal for the server, hence the 301 you got in return.
Please just use the FQDN and all will be well. rob > > regards > > > > > ________________________________________ > From: Rob Crittenden [rcritten at redhat.com] > Sent: Thursday, 26 May 2011 8:32 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs > > Steven Jones wrote: >> Outcome? I couldn't see where the 401 or 500 "appeared"..... >> >> the screen output of curl was as attached. > > You didn't use the FQDN of the IPA server so it didn't do the > authentication. > > Please run this again using the FQDN. > > rob > >> >> regards >> >> >> ________________________________________ >> From: Rob Crittenden [rcritten at redhat.com] >> Sent: Thursday, 26 May 2011 1:21 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >> >> Steven Jones wrote: >>> FYI.... >>> >>> Think I did it right! >>> >>> :] >> >> What was the outcome? Did you get a 401 or 500? I can't figure it out >> based on the logs but I do see quite a few successful authentications. >> >> Can you isolate the log data for this one curl request? >> >> I'd run this on the 6.1 client that you're having problems with. >> >> thanks >> >> rob >> >>> >>> regards >>> ________________________________________ >>> From: Rob Crittenden [rcritten at redhat.com] >>> Sent: Wednesday, 25 May 2011 3:33 p.m. >>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>> >>> Steven Jones wrote: >>>> FYI >>> >>> Ok, this is very strange, it isn't really trying very hard to do the >>> Kerberos authentication. >>> >>> It should be requesting the HTTP service principal and then doing the >>> Negotiate authentication but for some reason it is giving up. 
>>> >>> Here is something to try (obviously replacing ipa.example.com with your >>> IPA server): >>> >>> % kdestroy >>> % scp ipa.example.com:/etc/krb5.conf test-krb5.conf >>> % export KRB5_CONFIG=`pwd`/test-krb5.conf >>> % kinit admin >>> % klist -f (send us this output) >>> % curl -kv --negotiate -u : https://ipa.example.com/ipa/xml >>> % klist -f (send us this too) >>> % unset KRB5_CONFIG >>> >>> You should get a 500 error and not a 401. >>> >>> Some logs to capture the tail of: >>> >>> Apache error and access logs >>> /var/log/krb5kdc.log >>> >>> rob >>> >>>> ________________________________________ >>>> From: Rob Crittenden [rcritten at redhat.com] >>>> Sent: Wednesday, 25 May 2011 9:41 a.m. >>>> To: Steven Jones >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>>> >>>> Steven Jones wrote: >>>>> Logs..... >>>> >>>> Sorry, I had you set the level in the wrong file. Can you set LogLevel >>>> debug in /etc/httpd/conf.d/nss.conf, restart Apache and try again? >>>> >>>> rob >>>> >>>>> ________________________________________ >>>>> From: Rob Crittenden [rcritten at redhat.com] >>>>> Sent: Wednesday, 25 May 2011 8:51 a.m. >>>>> To: Steven Jones >>>>> Cc: freeipa-users at redhat.com >>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>>>> >>>>> Steven Jones wrote: >>>>>> Hi, >>>>>> >>>>>> So I can't get clients to connect to the IPA server, be it 5.6 or 6.1. >>>>>> >>>>>> Is there a solution to this? >>>>> >>>>> Can you set LogLevel debug in /etc/httpd/conf/httpd.conf, restart Apache >>>>> and try the join again? >>>>> >>>>> This should give more feedback on why mod_auth_kerb/kerberos is rejecting >>>>> the credentials. 
>>>>> >>>>> rob >>>>> >>>>>> >>>>>> >>>>>> regards >>>>>> ________________________________________ >>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>>> Sent: Tuesday, 24 May 2011 4:24 p.m. >>>>>> To: Rob Crittenden >>>>>> Cc: freeipa-users at redhat.com >>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs >>>>>> >>>>>> I must be going blind in my old age.....anyway here they are. >>>>>> >>>>>> regards >>>>>> ________________________________________ >>>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] >>>>>> Sent: Tuesday, 24 May 2011 2:58 p.m. >>>>>> To: Rob Crittenden >>>>>> Cc: freeipa-users at redhat.com >>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>>>>> >>>>>> Hi, >>>>>> >>>>>> 1) Screen data of the install from using the -d option. (attach d.out) >>>>>> >>>>>> 2) ipa-install log >>>>>> >>>>>> 3) there are no httpd logs in /var/log/httpd/ it is an empty directory. >>>>>> >>>>>> 4) "Did you also run kinit before manually >>>>>> running ipa-join in your testing?" Yes.... >>>>>> >>>>>> 5) For DNS I added, >>>>>> >>>>>> allow query {any;}; >>>>>> >>>>>> into /etc/named.conf clients were then not denied DNS. >>>>>> >>>>>> regards >>>>>> >>>>>> >>>>>> >>>>>> ________________________________________ >>>>>> From: Rob Crittenden [rcritten at redhat.com] >>>>>> Sent: Tuesday, 24 May 2011 2:24 p.m. >>>>>> To: Steven Jones >>>>>> Cc: freeipa-users at redhat.com >>>>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 >>>>>> >>>>>> Steven Jones wrote: >>>>>>> ran the ipa-join manually and krb5.conf was not configured, scp'd that over from the ipa-server and re-ran ipa-join, still getting the same 401 failure... 
>>>>>> >>>>>> This is a different mismatch than you were seeing with 5.6 (and a >>>>>> completely different error message). >>>>>> >>>>>> A few things to note: >>>>>> >>>>>> - In general, when you reference any IPA server you should always use >>>>>> the fully-qualified name. The SSL error you had was because the name did >>>>>> not match the certificate. >>>>>> - The 3xx/4xx error responses seen from ipa-join are HTTP error codes so >>>>>> you can always check the Apache error/access logs for diagnostic >>>>>> information. >>>>>> - The integrated DNS stores information in LDAP, not flat files, so >>>>>> having no data in /var/named is not surprising. >>>>>> >>>>>> ipa-join needs authentication in the form of a TGT or a one-time >>>>>> password. It definitely did one in the log you provided and you still >>>>>> got a 401, which is strange. Did you also run kinit before manually >>>>>> running ipa-join in your testing? >>>>>> >>>>>> Running ipa-join or ipa-client-install with the -d option will provide a >>>>>> lot more debugging information. >>>>>> >>>>>> I think the first place to check is the Apache error log to see why the >>>>>> join call failed. 
>>>>>> >>>>>> rob >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-users mailing list >>>>>> Freeipa-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> >>>> >>> >> > From Steven.Jones at vuw.ac.nz Thu May 26 01:25:59 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 26 May 2011 01:25:59 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs In-Reply-To: <4DDDA2F6.9090009@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD6746.4040600@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDDA2F6.9090009@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E400635A3D3@STAWINCOX10MBX1.staff.vuw.ac.nz> [root at rhel61-test64ws01 jonesst1]# curl -kv --negotiate -u : https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/xml * About to connect() to vuwunicoipamt01.unix.vuw.ac.nz port 443 (#0) * Trying 130.195.87.236... 
connected * Connected to vuwunicoipamt01.unix.vuw.ac.nz (130.195.87.236) port 443 (#0) * Initializing NSS with certpath: /etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * skipping SSL peer certificate verification * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=vuwunicoipamt01.unix.vuw.ac.nz,O=UNIX.VUW.AC.NZ * start date: May 23 04:36:22 2011 GMT * expire date: May 23 04:36:22 2021 GMT * common name: vuwunicoipamt01.unix.vuw.ac.nz * issuer: CN=UNIX.VUW.AC.NZ Certificate Authority > GET /ipa/xml HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2 > Host: vuwunicoipamt01.unix.vuw.ac.nz > Accept: */* > < HTTP/1.1 401 Authorization Required < Date: Thu, 26 May 2011 01:22:26 GMT < Server: Apache/2.2.15 (Red Hat) * gss_init_sec_context() failed: : Server krbtgt/VUW.AC.NZ at UNIX.VUW.AC.NZ not found in Kerberos databaseWWW-Authenticate: Negotiate < Last-Modified: Wed, 20 Apr 2011 13:57:02 GMT < ETag: "a51-5de-4a159ffc36780" < Accept-Ranges: bytes < Content-Length: 1502 < Connection: close < Content-Type: text/html; charset=UTF-8 < IPA: Identity Policy Audit

Unable to verify your Kerberos credentials.

Please make sure that you have valid Kerberos tickets (obtainable via kinit), and that you have configured your browser correctly.

If this is your first time
* Closing connection #0

From Steven.Jones at vuw.ac.nz Thu May 26 01:30:55 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 26 May 2011 01:30:55 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635A3D3@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD6746.4040600@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDDA2F6.9090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E400635A3D3@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E400635A3E1@STAWINCOX10MBX1.staff.vuw.ac.nz> * Closing connection #0 [root at rhel61-test64ws01 jonesst1]# [jonesst1 at 8KXL72S ~]$ more klist-out [root at rhel61-test64ws01 jonesst1]# klist -f Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin at UNIX.VUW.AC.NZ Valid starting Expires Service principal 05/26/11 08:33:56 05/27/11 08:33:49 krbtgt/UNIX.VUW.AC.NZ at UNIX.VUW.AC.NZ Flags: FIA [root at rhel61-test64ws01 jonesst1]# _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Thu May 26 03:55:17 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 26 May 2011 03:55:17 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635A3E1@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD6746.4040600@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDDA2F6.9090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E400635A3D3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E400635A3E1@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E400635A456@STAWINCOX10MBX1.staff.vuw.ac.nz> So what's next? 
regards

==================
* Closing connection #0
[root@rhel61-test64ws01 jonesst1]#

[jonesst1@8KXL72S ~]$ more klist-out
[root@rhel61-test64ws01 jonesst1]# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@UNIX.VUW.AC.NZ

Valid starting     Expires            Service principal
05/26/11 08:33:56  05/27/11 08:33:49  krbtgt/UNIX.VUW.AC.NZ@UNIX.VUW.AC.NZ
        Flags: FIA
[root@rhel61-test64ws01 jonesst1]#
==================
[root@rhel61-test64ws01 jonesst1]# curl -kv --negotiate -u : https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/xml
* About to connect() to vuwunicoipamt01.unix.vuw.ac.nz port 443 (#0)
*   Trying 130.195.87.236... connected
* Connected to vuwunicoipamt01.unix.vuw.ac.nz (130.195.87.236) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=vuwunicoipamt01.unix.vuw.ac.nz,O=UNIX.VUW.AC.NZ
*       start date: May 23 04:36:22 2011 GMT
*       expire date: May 23 04:36:22 2021 GMT
*       common name: vuwunicoipamt01.unix.vuw.ac.nz
*       issuer: CN=UNIX.VUW.AC.NZ Certificate Authority
> GET /ipa/xml HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: vuwunicoipamt01.unix.vuw.ac.nz
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Thu, 26 May 2011 01:22:26 GMT
< Server: Apache/2.2.15 (Red Hat)
* gss_init_sec_context() failed: : Server krbtgt/VUW.AC.NZ@UNIX.VUW.AC.NZ not found in Kerberos database
WWW-Authenticate: Negotiate
< Last-Modified: Wed, 20 Apr 2011 13:57:02 GMT
< ETag: "a51-5de-4a159ffc36780"
< Accept-Ranges: bytes
< Content-Length: 1502
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
IPA: Identity Policy Audit

Unable to verify your Kerberos credentials.

Please make sure that you have valid Kerberos tickets (obtainable via kinit), and that you have configured your browser correctly.

If this is your first time
* Closing connection #0

From chorn at fluxcoil.net Thu May 26 03:20:57 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Thu, 26 May 2011 05:20:57 +0200
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To: <4DDD74C5.2010002@gmail.com>
References: <833D8E48405E064EBC54C84EC6B36E400635A2F7@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DDD74C5.2010002@gmail.com>
Message-ID: <20110526032057.GA18603@fluxcoil.net>

On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote:
> On 05/25/2011 01:21 PM, Steven Jones wrote:
> >
> > As far as I am aware Windows clients can only authenticate against ADs. So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need an AD as well as FreeIPA.
> No Windows clients can auth against kerberos realms directly and so
> should be able to auth against an IPA server as well. It is slightly
> complicated and difficult to manage but it can be done.

True, but does not help with the clients fetching ldap data.

I think the cross realm setup is a good idea if one wants to run Windows clients and use SSO together with kerberized services on linux/unix:
- the windows clients stay hooked up to an AD, so in a supported environment
- from following mailinglists I had the impression Microsoft seems to support the scenario
- the linux/unix servers can use the IPA and benefit from proper debugging tools, having their server OpenSourced etc.

Christian

From Steven.Jones at vuw.ac.nz Thu May 26 05:51:59 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 26 May 2011 05:51:59 +0000
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To: <20110526032057.GA18603@fluxcoil.net>
References: <833D8E48405E064EBC54C84EC6B36E400635A2F7@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DDD74C5.2010002@gmail.com>,<20110526032057.GA18603@fluxcoil.net>
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635A485@STAWINCOX10MBX1.staff.vuw.ac.nz>

Quickly as Im late.
We are setting up cross realm from AD to a school who runs MIT Kerberos with openldap underneath....A windows client in our domain can then connect to a school resource where its connected to the school's centralised setup.... So its possible, yes. Not with freeipa from what Ive seen posted, yet...next version I am assuming so. regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Christian Horn [chorn at fluxcoil.net] Sent: Thursday, 26 May 2011 3:20 p.m. To: Erinn Looney-Triggs Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2 On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote: > On 05/25/2011 01:21 PM, Steven Jones wrote: > > > > As far as I am aware Windows clients can only authenticate against ADs. So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need an AD as well as FreeIPA. > No Windows clients can auth against kerberos realms directly and so > should be able to auth again an IPA server as well. It is slightly > complicated and difficult to manage but it can be done. True, but does not help with the clients fetching ldap data. I think the cross realm setup is a good idea if one wants to run Windows clients and use SSO together with kerberized services on linux/unix: - the windows clients stay hooked up to an AD, so in a supported environment - from following mailinglists I had the impression Microsoft seems to support the scenario - the linux/unix servers can use the IPA and benefit from proper de- bugging tools, having their server OpenSourced etc. 
Christian _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From chorn at fluxcoil.net Thu May 26 03:58:37 2011 From: chorn at fluxcoil.net (Christian Horn) Date: Thu, 26 May 2011 05:58:37 +0200 Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635A485@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400635A2F7@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DDD74C5.2010002@gmail.com> <20110526032057.GA18603@fluxcoil.net> <833D8E48405E064EBC54C84EC6B36E400635A485@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <20110526035837.GC18603@fluxcoil.net> On Thu, May 26, 2011 at 05:51:59AM +0000, Steven Jones wrote: > Quickly as Im late. > > We are setting up cross realm from AD to a school who runs MIT Kerberos with openldap underneath....A windows client in our domain can then connect to a school resource where its connected to the school's centralised setup.... > > So its possible, yes. > > Not with freeipa from what Ive seen posted, yet...next version I am assuming so. Ah sorry, was thinking ahead softwarewise :) Also did that not with FreeIPA but plain MIT-kerberos in the past, also the environment where Microsoft actively helped debugging upcoming problems was at the MIT with ofcourse MIT-kerberos running. 
Christian From simo at redhat.com Thu May 26 13:10:44 2011 From: simo at redhat.com (Simo Sorce) Date: Thu, 26 May 2011 09:10:44 -0400 Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635A485@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400635A2F7@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DDD74C5.2010002@gmail.com>,<20110526032057.GA18603@fluxcoil.net> <833D8E48405E064EBC54C84EC6B36E400635A485@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1306415444.9511.41.camel@willson.li.ssimo.org> On Thu, 2011-05-26 at 05:51 +0000, Steven Jones wrote: > Quickly as Im late. > > We are setting up cross realm from AD to a school who runs MIT Kerberos with openldap underneath....A windows client in our domain can then connect to a school resource where its connected to the school's centralised setup.... > > So its possible, yes. > > Not with freeipa from what Ive seen posted, yet...next version I am assuming so. Freeipa does not give you UI or tools to do it, although creating a Kerberos trust is a very simple matter using kadmin.local to create the proper principals. Everything else would work like in the Kerberos+openldap setup in the school you meantion. So it is technically possible, we simply do not yet make it easy for you by providing wrappers. Simo. 
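Two things in this thread fit together: the gss_init_sec_context() failure in Steven's curl output ("Server krbtgt/VUW.AC.NZ@UNIX.VUW.AC.NZ not found in Kerberos database") and Simo's remark that a trust is just a matter of creating the right principals with kadmin.local. The Python below is an added example, not code from the thread or from FreeIPA: it reads such an error line to tell a client that has mapped the service host to the wrong realm apart from a genuinely missing trust, and it lists the krbtgt principals and [capaths] entries a bidirectional trust between two realms needs. The realm names are the ones in the thread's curl output; the helper names and the placeholder password are assumptions of mine.

```python
import re
from typing import List, NamedTuple, Optional


class MissingTgt(NamedTuple):
    service_realm: str  # realm the client believes the service lives in
    client_realm: str   # realm that issued the client's own TGT


# Matches curl's gss_init_sec_context() line from the thread. Archived copies
# of the list replace "@" with " at ", so both spellings are accepted.
_GSS_RE = re.compile(
    r"Server krbtgt/(?P<service>[A-Za-z0-9.\-]+)(?:@| at )(?P<client>[A-Za-z0-9.\-]+)"
    r" not found in Kerberos database"
)


def parse_missing_krbtgt(line: str) -> Optional[MissingTgt]:
    """Return the two realms named in a 'krbtgt/... not found' GSS error, or None."""
    m = _GSS_RE.search(line)
    if m is None:
        return None
    return MissingTgt(m.group("service"), m.group("client"))


def diagnose(line: str, expected_realm: str) -> str:
    """Tell a client-side realm mapping mistake apart from a missing trust.

    expected_realm is the realm the service really belongs to (the IPA realm).
    The client asked its own KDC for krbtgt/<service_realm>@<client_realm>, i.e.
    a cross-realm TGT; that only makes sense if the service really is elsewhere.
    """
    found = parse_missing_krbtgt(line)
    if found is None:
        return "no cross-realm TGT error on this line"
    if found.service_realm == found.client_realm:
        return "the KDC is missing its own krbtgt principal; check the KDC, not the client"
    if found.service_realm != expected_realm:
        return (
            f"client mapped the service host to realm {found.service_realm} but the "
            f"service is in {expected_realm}: fix [domain_realm] (or the _kerberos "
            "TXT record the client resolves) on the client; no trust is needed"
        )
    return (
        f"client legitimately wants a cross-realm TGT from {found.client_realm} to "
        f"{found.service_realm}: create the trust principals on both KDCs"
    )


def trust_principals(realm_a: str, realm_b: str) -> List[str]:
    """Principals a bidirectional trust needs; each must exist in BOTH KDCs with the same key."""
    return [f"krbtgt/{realm_b}@{realm_a}", f"krbtgt/{realm_a}@{realm_b}"]


def kadmin_script(realm_a: str, realm_b: str,
                  password: str = "<shared-secret-placeholder>") -> str:
    """kadmin.local input to run on each KDC (same password on both so the keys match)."""
    lines = [f"addprinc -pw {password} {p}" for p in trust_principals(realm_a, realm_b)]
    return "\n".join(lines) + "\n"


def capaths_stanza(realm_a: str, realm_b: str) -> str:
    """krb5.conf [capaths] entries saying the two realms trust each other directly ('.')."""
    return (
        "[capaths]\n"
        f"  {realm_a} = {{\n    {realm_b} = .\n  }}\n"
        f"  {realm_b} = {{\n    {realm_a} = .\n  }}\n"
    )


# Constructed sample: the line curl printed earlier in this thread.
SAMPLE_ERROR = (
    "* gss_init_sec_context() failed: : Server krbtgt/VUW.AC.NZ@UNIX.VUW.AC.NZ "
    "not found in Kerberos database"
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, "UNIX.VUW.AC.NZ"))
    print(kadmin_script("UNIX.VUW.AC.NZ", "VUW.AC.NZ"))
    print(capaths_stanza("UNIX.VUW.AC.NZ", "VUW.AC.NZ"))
```

For the thread's error the verdict is the first branch: the IPA server lives in UNIX.VUW.AC.NZ, so a client asking for a VUW.AC.NZ cross-realm TGT has mis-mapped the host, and the place to look is the client's krb5.conf (here the test-krb5.conf selected with KRB5_CONFIG) rather than the KDC.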
-- Simo Sorce * Red Hat, Inc * New York From Steven.Jones at vuw.ac.nz Thu May 26 20:19:51 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 26 May 2011 20:19:51 +0000 Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2 In-Reply-To: <1306415444.9511.41.camel@willson.li.ssimo.org> References: <833D8E48405E064EBC54C84EC6B36E400635A2F7@STAWINCOX10MBX1.staff.vuw.ac.nz> <4DDD74C5.2010002@gmail.com>,<20110526032057.GA18603@fluxcoil.net> <833D8E48405E064EBC54C84EC6B36E400635A485@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1306415444.9511.41.camel@willson.li.ssimo.org> Message-ID: <833D8E48405E064EBC54C84EC6B36E400635A804@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, The school has had its own kerberos-ldap for a decade but its a one off they are cumputer science so have "rocket scientists" to run it....its not what we want to use as we need to consider "normal" user and windows admins who need to be able to use a solution... Its good to know the kerberos linking up would work....another plus for IPA....because its probable that this will be a requirement further along, but if I have to look for something with all the bells and whistles its 100s of K and a long time to put it in, and huge opex costs....and TCO wise I dont see it as worthwhile (think oracle Identity).....hence something low cost that does 90% of what we need ie the real core functionality is the only sane / cost effective way IMHO. regards ________________________________________ From: Simo Sorce [simo at redhat.com] Sent: Friday, 27 May 2011 1:10 a.m. To: Steven Jones Cc: Christian Horn; Erinn Looney-Triggs; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2 On Thu, 2011-05-26 at 05:51 +0000, Steven Jones wrote: > Quickly as Im late. > > We are setting up cross realm from AD to a school who runs MIT Kerberos with openldap underneath....A windows client in our domain can then connect to a school resource where its connected to the school's centralised setup.... 
> > So its possible, yes. > > Not with freeipa from what Ive seen posted, yet...next version I am assuming so. Freeipa does not give you UI or tools to do it, although creating a Kerberos trust is a very simple matter using kadmin.local to create the proper principals. Everything else would work like in the Kerberos+openldap setup in the school you meantion. So it is technically possible, we simply do not yet make it easy for you by providing wrappers. Simo. -- Simo Sorce * Red Hat, Inc * New York From Steven.Jones at vuw.ac.nz Thu May 26 20:30:52 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 26 May 2011 20:30:52 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635A456@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E4006358559@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E400635888B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC1A36.2090704@redhat.com> <833D8E48405E064EBC54C84EC6B36E40063588D5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC2627.9020901@redhat.com> <833D8E48405E064EBC54C84EC6B36E400635891B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDC7872.8060105@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359C4B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD025A.3060209@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FCA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDD6746.4040600@redhat.com> <833D8E48405E064EBC54C84EC6B36E4006359FFE@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4DDDA2F6.9090009@redhat.com>, <833D8E48405E064EBC54C84EC6B36E400635A3D3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E400635A3E1@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E400635A456@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E400635B602@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, Do I just assume ipa is broken for now and come back in some weeks? 
regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Thursday, 26 May 2011 3:55 p.m. To: Rob Crittenden Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - httpd logs So what's next? regards ================== * Closing connection #0 [root at rhel61-test64ws01 jonesst1]# [jonesst1 at 8KXL72S ~]$ more klist-out [root at rhel61-test64ws01 jonesst1]# klist -f Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin at UNIX.VUW.AC.NZ Valid starting Expires Service principal 05/26/11 08:33:56 05/27/11 08:33:49 krbtgt/UNIX.VUW.AC.NZ at UNIX.VUW.AC.NZ Flags: FIA [root at rhel61-test64ws01 jonesst1]# ================== [root at rhel61-test64ws01 jonesst1]# curl -kv --negotiate -u : https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/xml * About to connect() to vuwunicoipamt01.unix.vuw.ac.nz port 443 (#0) * Trying 130.195.87.236... 
connected * Connected to vuwunicoipamt01.unix.vuw.ac.nz (130.195.87.236) port 443 (#0) * Initializing NSS with certpath: /etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * skipping SSL peer certificate verification * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=vuwunicoipamt01.unix.vuw.ac.nz,O=UNIX.VUW.AC.NZ * start date: May 23 04:36:22 2011 GMT * expire date: May 23 04:36:22 2021 GMT * common name: vuwunicoipamt01.unix.vuw.ac.nz * issuer: CN=UNIX.VUW.AC.NZ Certificate Authority > GET /ipa/xml HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2 > Host: vuwunicoipamt01.unix.vuw.ac.nz > Accept: */* > < HTTP/1.1 401 Authorization Required < Date: Thu, 26 May 2011 01:22:26 GMT < Server: Apache/2.2.15 (Red Hat) * gss_init_sec_context() failed: : Server krbtgt/VUW.AC.NZ at UNIX.VUW.AC.NZ not found in Kerberos databaseWWW-Authenticate: Negotiate < Last-Modified: Wed, 20 Apr 2011 13:57:02 GMT < ETag: "a51-5de-4a159ffc36780" < Accept-Ranges: bytes < Content-Length: 1502 < Connection: close < Content-Type: text/html; charset=UTF-8 < IPA: Identity Policy Audit

Unable to verify your Kerberos credentials.

Please make sure that you have valid Kerberos tickets (obtainable via kinit), and that you have configured your browser correctly.

If this is your first time
* Closing connection #0

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From Steven.Jones at vuw.ac.nz Thu May 26 21:02:06 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 26 May 2011 21:02:06 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - latest run
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635B611@STAWINCOX10MBX1.staff.vuw.ac.nz>

[root@rhel61-test64ws01 jonesst1]# kdestroy
[root@rhel61-test64ws01 jonesst1]# export KRB5_CONFIG=/home/jonesst1/test-krb5.conf
[root@rhel61-test64ws01 jonesst1]# kinit admin
Password for admin@UNIX.VUW.AC.NZ:
[root@rhel61-test64ws01 jonesst1]# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@UNIX.VUW.AC.NZ

Valid starting     Expires            Service principal
05/27/11 08:49:35  05/28/11 08:49:27  krbtgt/UNIX.VUW.AC.NZ@UNIX.VUW.AC.NZ
        Flags: FIA
[root@rhel61-test64ws01 jonesst1]# curl -kv --negotiate -u : https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/xml
* About to connect() to vuwunicoipamt01.unix.vuw.ac.nz port 443 (#0)
*   Trying 130.195.87.236... connected
* Connected to vuwunicoipamt01.unix.vuw.ac.nz (130.195.87.236) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=vuwunicoipamt01.unix.vuw.ac.nz,O=UNIX.VUW.AC.NZ
*       start date: May 23 04:36:22 2011 GMT
*       expire date: May 23 04:36:22 2021 GMT
*       common name: vuwunicoipamt01.unix.vuw.ac.nz
*       issuer: CN=UNIX.VUW.AC.NZ Certificate Authority
> GET /ipa/xml HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: vuwunicoipamt01.unix.vuw.ac.nz
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Thu, 26 May 2011 20:50:01 GMT
< Server: Apache/2.2.15 (Red Hat)
* gss_init_sec_context() failed: : Server krbtgt/VUW.AC.NZ@UNIX.VUW.AC.NZ not found in Kerberos database
WWW-Authenticate: Negotiate
< Last-Modified: Wed, 20 Apr 2011 13:57:02 GMT
< ETag: "a51-5de-4a159ffc36780"
< Accept-Ranges: bytes
< Content-Length: 1502
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
IPA: Identity Policy Audit

Unable to verify your Kerberos credentials.

Please make sure that you have valid Kerberos tickets (obtainable via kinit), and that you have configured your browser correctly.

If this is your first time
* Closing connection #0
[root@rhel61-test64ws01 jonesst1]# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@UNIX.VUW.AC.NZ

Valid starting     Expires            Service principal
05/27/11 08:49:35  05/28/11 08:49:27  krbtgt/UNIX.VUW.AC.NZ@UNIX.VUW.AC.NZ
        Flags: FIA
[root@rhel61-test64ws01 jonesst1]# unset KRB5_CONFIG
[root@rhel61-test64ws01 jonesst1]#

-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log
Type: application/octet-stream
Size: 113262 bytes
Desc: error_log
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5kdc.log
Type: application/octet-stream
Size: 191709 bytes
Desc: krb5kdc.log
URL:

From Steven.Jones at vuw.ac.nz Fri May 27 03:13:27 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 27 May 2011 03:13:27 +0000
Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - ds and krb full logs.
Message-ID: <833D8E48405E064EBC54C84EC6B36E400635B718@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

DS log and krb5 log

regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: access
Type: application/octet-stream
Size: 304490 bytes
Desc: access
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5kdc.log
Type: application/octet-stream
Size: 204262 bytes
Desc: krb5kdc.log
URL:

From DLWillson at TheGeek.NU Fri May 27 04:02:11 2011
From: DLWillson at TheGeek.NU (David L. Willson)
Date: Thu, 26 May 2011 22:02:11 -0600 (MDT)
Subject: [Freeipa-users] Can FreeIPA v2 be used as Zimbra external LDAP authenticator?
In-Reply-To: <50ad6d28-f958-48aa-9eae-c026e12eaa3e@dlwillson-laptop> Message-ID: <725d3c5b-90ea-434c-b36d-0f2dbeabc0d9@zimbra.thegeek.nu> While trying to setup my new, tested FreeIPA v2 server as an external LDAP authenticator for Zimbra 7.1, I got this error: ssl connect problem most likely untrusted certificate I found this article: http://www.zimbra.com/forums/administrators/16311-ssl-connect-problem-most-likely-untrusted-certificate.html I'm pretty sure I've successfully imported the certificate for the LDAP server, which I downloaded from the web management interface on FreeIPA v2 and imported at the shell prompt on the Zimbra server with this command: sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file humperdinck_ldap_cert And restarted Zimbra services with these commands: zmcontrol stop && zmcontrol start Now the error's different. Great. I feel like I'm so close... Has anyone got this working? Willing to share your settings? Alternately, do you already know that this can't be done? Does IPA even support LDAP auth, or is it strictly Kerberos for auth? This is my first run with IPA. So far, it seems like an awesome product, but a bit hard to use... Next on my wish list, is to configure about 30 Ubuntu 10.04 netbooks, 75'ish desktops, and 3 servers to use it for authentication and user-data. David L. Willson Trainer, Engineer, Enthusiast RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP tel://720.333.LANS Freedom is better when you earn it. Learn Linux. From rcritten at redhat.com Fri May 27 04:05:48 2011 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 27 May 2011 00:05:48 -0400 Subject: [Freeipa-users] Can FreeIPA v2 be used as Zimbra external LDAP authenticator? In-Reply-To: <725d3c5b-90ea-434c-b36d-0f2dbeabc0d9@zimbra.thegeek.nu> References: <725d3c5b-90ea-434c-b36d-0f2dbeabc0d9@zimbra.thegeek.nu> Message-ID: <4DDF231C.4020807@redhat.com> David L. 
Willson wrote: > While trying to setup my new, tested FreeIPA v2 server as an external LDAP authenticator for Zimbra 7.1, I got this error: > > ssl connect problem most likely untrusted certificate > > I found this article: > > http://www.zimbra.com/forums/administrators/16311-ssl-connect-problem-most-likely-untrusted-certificate.html > > I'm pretty sure I've successfully imported the certificate for the LDAP server, which I downloaded from the web management interface on FreeIPA v2 and imported at the shell prompt on the Zimbra server with this command: > > sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file humperdinck_ldap_cert > > And restarted Zimbra services with these commands: > > zmcontrol stop&& zmcontrol start > > Now the error's different. Great. I feel like I'm so close... > > Has anyone got this working? Willing to share your settings? Alternately, do you already know that this can't be done? Does IPA even support LDAP auth, or is it strictly Kerberos for auth? > > This is my first run with IPA. So far, it seems like an awesome product, but a bit hard to use... > > Next on my wish list, is to configure about 30 Ubuntu 10.04 netbooks, 75'ish desktops, and 3 servers to use it for authentication and user-data. You want to import the IPA CA. You can get a copy from /etc/ipa/ca.crt on the server. rob From DLWillson at TheGeek.NU Fri May 27 23:26:52 2011 From: DLWillson at TheGeek.NU (David L. Willson) Date: Fri, 27 May 2011 17:26:52 -0600 (MDT) Subject: [Freeipa-users] Can FreeIPA v2 be used as Zimbra external LDAP authenticator? In-Reply-To: <725d3c5b-90ea-434c-b36d-0f2dbeabc0d9@zimbra.thegeek.nu> Message-ID: Rob Crittenden: Thank you for your help! This is RESOLVED, and I want to make some notes here, because finding the magic combination of syntax has been... trying. 
Products affected:

FreeIPA 2.0.1, Zimbra 7.1 OSE

NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra Collaboration Server. I'm NOT removing my real values, because I think docs work better when you just paste in what you really used.

0. From a shell prompt on the Zimbra server, import the CA certificate, and restart Zimbra services.

    $ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt
    $ mv ca.crt humperdinck_ca.crt
    $ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file humperdinck_ca.crt
    $ sudo su - zimbra
    $ zmcontrol stop && zmcontrol start

1. From the Zimbra admin console, connect a domain to the IPA server for external LDAP authentication.

    On the left, under Configuration, expand Domains, and select (click) the Domain you want to authenticate with IPA.
    In the toolbar, click "Configure Authentication"
    In the drop-down list-box, choose "External LDAP"
    Type your IPA server's FQDN in "LDAP Server name:", do NOT check "Use SSL", check "Enable StartTLS"
    LDAP Filter is exactly this, WITH parentheses, and NO spaces.
        (uid=%u)
    My LDAP Search Base is exactly this, with NO parentheses, and NO spaces. You'll need to change the domain components, of course.
        cn=accounts,dc=rmsel,dc=org
    Click "next" TWICE (ie: do NOT check "Use DN/Password to bind to external server")
    Enter a username or full email and the matching password. (must be valid, NON-EXPIRED credentials)
        dlwillson
        **********
    Click Test. Celebrate.

2. If you're not celebrating, use the same credentials with kinit at the shell prompt on any Kerberos client machine to confirm validity.

    kinit dlwillson
    enter password

3. If the credentials are valid, use ldapsearch from the shell on your Zimbra server to test LDAP binding/searching.

    $ sudo su - zimbra
    $ ldapsearch --help
    $ ldapsearch -D "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w '**********' -b "cn=accounts,dc=rmsel,dc=org" -h humperdinck.rmsel.org -v -ZZ "uid=dlwillson"

4. I hope you're celebrating by now, because if not, you're in for a rough time, perhaps.

HTH, cheers, YMMV, YATLTL

-- David

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simo at redhat.com Fri May 27 23:42:22 2011
From: simo at redhat.com (Simo Sorce)
Date: Fri, 27 May 2011 19:42:22 -0400
Subject: [Freeipa-users] Can FreeIPA v2 be used as Zimbra external LDAP authenticator?
In-Reply-To:
References:
Message-ID: <1306539742.9511.82.camel@willson.li.ssimo.org>

On Fri, 2011-05-27 at 17:26 -0600, David L. Willson wrote: > Rob Crittenden: Thank you for your help! > > This is RESOLVED, and I want to make some notes here, because finding > the magic combination of syntax has been... trying. > > Products affected: > > FreeIPA 2.0.1, Zimbra 7.1 OSE > > NOTES: 'humperdinck' is my IPA server and 'z7' is my Zimbra > Collaboration Server. I'm NOT removing my real values, because think > docs work better when you just paste in what you really used. > > 0. From a shell prompt on the Zimbra server, import the CA > certificate, and restart Zimbra services. > > $ wget http://humperdinck.rmsel.org/ipa/errors/ca.crt > $ mv ca.crt humperdinck_ca.crt > $ sudo /opt/zimbra/java/bin/keytool -import -alias humperdinck_ca > -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass > changeit -file humperdinck_ca.crt > $ sudo su - zimbra > $ zmcontrol stop && zmcontrol start > > 1. From the Zimbra admin console, connect a domain to the IPA server > for external LDAP authentication. > > On the left, under Configuration, expand Domains, and select > (click) the Domain you want to authenticate with IPA.
> In the toolbar, click "Configure Authentication" > In the drop-down list-box, choose "External LDAP" > Type your IPA server's FQDN in "LDAP Server name:", do NOT check > "Use SSL", check "Enable StartTLS" > LDAP Filter is exactly this, WITH parentheses, and NO spaces. > (uid=%u) > My LDAP Search Base is exactly this, with NO parentheses, and NO > spaces. You'll need to change the domain components, of course. > cn=accounts,dc=rmsel,dc=org > Click "next" TWICE (ie: do NOT check "Use DN/Password to bind to > external server") > Enter a username or full email and the matching password. (must be > valid, NON-EXPIRED credentials) > dlwillson > ********** > Click Test. Celebrate. > > 2. If you're not celebrating, use the same credentials with kinit at > the shell prompt on any Kerberos client machine to confirm validity. > kinit dlwillson > enter password > > 3. If the credentials are valid, use ldapsearch from the shell on your > Zimbra server to test LDAP binding/searching. > $ sudo su - zimbra > $ ldapsearch --help > $ ldapsearch -D > "uid=dlwillson,cn=users,cn=accounts,dc=rmsel,dc=org" -w '**********' > -b "cn=accounts,dc=rmsel,dc=org" -h humperdinck.rmsel.org -v -ZZ > "uid=dlwillson" > > 4. I hope you're celebrating by now, because if not, you're in for a > rough time, perhaps. > > HTH, cheers, YMMV, YATLTL Thank you for the very nice write-up. I am curious if you are going to enable GSSAPI authentication in Zimbra too (Zimbra support GSSAPI/Krb5 auth for IMAP and apparently should support it for the web interface too at some point). It would be awesome to get a similar writeup of how to configure it in that case. I am sure many users would be delighted to be able to do SSO against the mail server (ie no need to enter any password at all after login). Simo. 
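David's write-up gives the three values an external-LDAP authenticator needs against IPA (the search base cn=accounts,dc=rmsel,dc=org, the filter (uid=%u), and StartTLS with the imported IPA CA) and his step 3 verifies them with a search-then-bind via ldapsearch. The Python below is an added example, not code from the thread, from Zimbra or from FreeIPA: it builds the same filter and user DN as plain functions, so the one edge case the GUI hides, a username carrying filter or DN metacharacters, can be checked offline, and it reproduces David's ldapsearch invocation and the search-then-bind flow. The user container cn=users is taken from his bind DN; the use of the ldap3 library in authenticate() and all helper names are assumptions of mine.

```python
import shlex
from typing import List

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514 section 2.4: characters that need a backslash inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is substituted into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Fill the %u placeholder of a Zimbra-style filter template with an escaped username.

    Without the escaping, a login name such as '*)(uid=*' would rewrite the filter
    instead of being matched literally.
    """
    return template.replace("%u", escape_filter_value(username))


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def user_dn(username: str, search_base: str) -> str:
    """DN of an IPA user: IPA keeps users under cn=users below the accounts container."""
    return f"uid={escape_dn_value(username)},cn=users,{search_base}"


def ldapsearch_argv(host: str, bind_dn: str, password: str,
                    search_base: str, filt: str) -> List[str]:
    """argv for the ldapsearch David used: simple bind, verbose, StartTLS enforced by -ZZ."""
    return ["ldapsearch", "-D", bind_dn, "-w", password, "-b", search_base,
            "-h", host, "-v", "-ZZ", filt]


def ldapsearch_command(host: str, bind_dn: str, password: str,
                       search_base: str, filt: str) -> str:
    """The same invocation as one shell-safe command line."""
    return " ".join(shlex.quote(a) for a in ldapsearch_argv(host, bind_dn, password,
                                                            search_base, filt))


def authenticate(host: str, ca_file: str, search_base: str,
                 username: str, password: str) -> bool:
    """Search-then-bind over StartTLS, the flow an external-LDAP authenticator runs.

    Needs the network and the ldap3 package (assumed; not mentioned in the thread),
    so the import is local to this function. ca_file is the IPA CA David imported.
    """
    import ssl
    from ldap3 import Connection, Server, Tls

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=389, use_ssl=False, tls=tls)

    # 1. anonymous search (Zimbra was configured without a bind DN) for the user's DN
    probe = Connection(server, auto_bind=False)
    probe.open()
    probe.start_tls()
    probe.bind()
    found = probe.search(search_base, build_filter("(uid=%u)", username), attributes=["uid"])
    if not found or not probe.entries:
        probe.unbind()
        return False
    dn = probe.entries[0].entry_dn
    probe.unbind()

    # 2. bind as that DN with the supplied password; success means the password is right
    conn = Connection(server, user=dn, password=password, auto_bind=False)
    conn.open()
    conn.start_tls()
    ok = conn.bind()
    conn.unbind()
    return ok


if __name__ == "__main__":
    base = "cn=accounts,dc=rmsel,dc=org"
    print(build_filter("(uid=%u)", "dlwillson"))
    print(ldapsearch_command("humperdinck.rmsel.org", user_dn("dlwillson", base),
                             "**********", base, "(uid=dlwillson)"))
```

The two bind steps deliberately keep David's choices: StartTLS on port 389 rather than LDAPS, and certificate validation against the imported IPA CA rather than the "untrusted certificate" workaround the Zimbra forum thread he linked discusses.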
-- Simo Sorce * Red Hat, Inc * New York From Steven.Jones at vuw.ac.nz Mon May 30 01:53:34 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 30 May 2011 01:53:34 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - Message-ID: <833D8E48405E064EBC54C84EC6B36E400635D051@STAWINCOX10MBX1.staff.vuw.ac.nz> While you were out....... I cloned the original server, left it switched off and booted the clone, ran the --uninstall flag and yum remove and removed the ipa-sever packages, I then re-installed, same SASL 9 failure messages... :/ regards From Steven.Jones at vuw.ac.nz Mon May 30 22:01:25 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 30 May 2011 22:01:25 +0000 Subject: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - In-Reply-To: <833D8E48405E064EBC54C84EC6B36E400635D051@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E400635D051@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0BCADE@STAWINCOX10MBX4.staff.vuw.ac.nz> I just re-kickstarted the clone without the cis-security hardening script and it runs fine, so something in the cis-script breaks IPA server. regards ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Monday, 30 May 2011 1:53 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1 - While you were out....... I cloned the original server, left it switched off and booted the clone, ran the --uninstall flag and yum remove and removed the ipa-sever packages, I then re-installed, same SASL 9 failure messages... 
:/ regards _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue May 31 01:19:20 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 31 May 2011 01:19:20 +0000 Subject: [Freeipa-users] bug in ipa user-add Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0BFB4F@STAWINCOX10MBX4.staff.vuw.ac.nz> so if I do a ipa user-add user1 --password qwerty&sdf It barfs on the "&" says "sdf: command not found" regards From danieljamesscott at gmail.com Tue May 31 02:12:37 2011 From: danieljamesscott at gmail.com (Dan Scott) Date: Mon, 30 May 2011 22:12:37 -0400 Subject: [Freeipa-users] bug in ipa user-add In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0BFB4F@STAWINCOX10MBX4.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E401B0BFB4F@STAWINCOX10MBX4.staff.vuw.ac.nz> Message-ID: Hi, On Mon, May 30, 2011 at 21:19, Steven Jones wrote: > so if I do a ipa user-add user1 --password qwerty&sdf > > It barfs on the "&" > > says "sdf: command not found" I haven't tested this, but I imagine that you'd need to quote or escape any special characters: ipa user-add user1 --password qwerty\&sdf or ipa user-add user1 --password "qwerty&sdf" Other characters will cause problems too: 'greater than', less than, single quote, double quote, tilde, pipe etc. Hope this helps, Dan From Steven.Jones at vuw.ac.nz Tue May 31 02:17:44 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 31 May 2011 02:17:44 +0000 Subject: [Freeipa-users] bug in ipa user-add In-Reply-To: References: <833D8E48405E064EBC54C84EC6B36E401B0BFB4F@STAWINCOX10MBX4.staff.vuw.ac.nz>, Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0BFC15@STAWINCOX10MBX4.staff.vuw.ac.nz> Hi, So the docs should cover this at the least.... regards ________________________________________ From: Dan Scott [danieljamesscott at gmail.com] Sent: Tuesday, 31 May 2011 2:12 p.m. 
To: Steven Jones
Cc: freeipa-users
Subject: Re: [Freeipa-users] bug in ipa user-add

Hi,

On Mon, May 30, 2011 at 21:19, Steven Jones wrote:
> so if I do a ipa user-add user1 --password qwerty&sdf
>
> It barfs on the "&"
>
> says "sdf: command not found"

I haven't tested this, but I imagine that you'd need to quote or escape any special characters:

ipa user-add user1 --password qwerty\&sdf

or

ipa user-add user1 --password "qwerty&sdf"

Other characters will cause problems too: 'greater than', less than, single quote, double quote, tilde, pipe etc.

Hope this helps,

Dan

From Steven.Jones at vuw.ac.nz Tue May 31 02:22:14 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 31 May 2011 02:22:14 +0000
Subject: [Freeipa-users] RHEL 5.6 client failing to join IPA server
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0BFC26@STAWINCOX10MBX4.staff.vuw.ac.nz>

Hi,

I have RHEL 6.1 workstation joining RHEL6.1 IPA server fine, but RHEL 5.6 still fails, incl install log

root@vuwunicoadmint2 ~]# ipa-client-install --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz
Discovery was successful!
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for admin@UNIX.VUW.AC.NZ:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=UNIX.VUW.AC.NZ
[root@vuwunicoadmint2 ~]# uanme -a
-bash: uanme: command not found
[root@vuwunicoadmint2 ~]# uname -a
Linux vuwunicoadmint2.unix.vuw.ac.nz 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 12:42:39 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@vuwunicoadmint2 ~]# more /etc/redhat-release
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
[root@vuwunicoadmint2 ~]#

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaclient-install.log Type: application/octet-stream Size: 4876 bytes Desc: ipaclient-install.log URL: From Steven.Jones at vuw.ac.nz Tue May 31 02:24:22 2011 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 31 May 2011 02:24:22 +0000 Subject: [Freeipa-users] RHEL 5.6 client failing to join IPA server In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0BFC26@STAWINCOX10MBX4.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E401B0BFC26@STAWINCOX10MBX4.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0BFC3D@STAWINCOX10MBX4.staff.vuw.ac.nz> krb5kdc log off the server as well. regards Steven ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Tuesday, 31 May 2011 2:22 p.m. To: freeipa-users at redhat.com Subject: [Freeipa-users] RHEL 5.6 client failing to join IPA server Hi, I have RHEL 6.1 workstation joining RHEL6.1 IPA server fine, but RHEL 5.6 still fails, incl install log root at vuwunicoadmint2 ~]# ipa-client-install --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz Discovery was successful! Realm: UNIX.VUW.AC.NZ DNS Domain: unix.vuw.ac.nz IPA Server: vuwunicoipamt01.unix.vuw.ac.nz BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz Continue to configure the system with these values? [no]: yes Principal: admin Password for admin at UNIX.VUW.AC.NZ: Joining realm failed: Operation failed! 
unsupported extended operation
child exited with 9
Certificate subject base is: O=UNIX.VUW.AC.NZ
[root at vuwunicoadmint2 ~]# uanme -a
-bash: uanme: command not found
[root at vuwunicoadmint2 ~]# uname -a
Linux vuwunicoadmint2.unix.vuw.ac.nz 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 12:42:39 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root at vuwunicoadmint2 ~]# more /etc/redhat-release
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
[root at vuwunicoadmint2 ~]#
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5kdc.log
Type: application/octet-stream
Size: 47143 bytes
Desc: krb5kdc.log
URL:

From chorn at fluxcoil.net Tue May 31 05:18:52 2011
From: chorn at fluxcoil.net (Christian Horn)
Date: Tue, 31 May 2011 07:18:52 +0200
Subject: [Freeipa-users] bug in ipa user-add
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0BFC15@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0BFB4F@STAWINCOX10MBX4.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0BFC15@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <20110531051852.GA32744@fluxcoil.net>

On Tue, May 31, 2011 at 02:17:44AM +0000, Steven Jones wrote:
>
> So the docs should cover this at the least....

It's actually not a problem of ipa but a feature of your shell. I bet there is documentation for your shell explaining the usage of &. In case you use a shell which does not use & to create background jobs or perform other actions, the quotes should not be required.
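What Dan and Christian describe above (the shell, not ipa, consuming the "&"), shown as an added example that is not code from the list posts or from FreeIPA. It uses printf as a stand-in for the ipa command so that it runs anywhere /bin/sh and coreutils are present (an assumption), and the password value is a constructed sample:

```python
"""How a POSIX shell treats an unquoted '&' in a password argument, and two
ways to hand such a value to a command intact.

Added example, not from the list thread or from FreeIPA. 'printf' stands in
for 'ipa user-add ... --password' (assumption: /bin/sh and coreutils exist).
"""
import shlex
import subprocess
from typing import Dict, List, Tuple

PASSWORD = "qwerty&sdf"   # constructed sample containing a shell metacharacter


def run_via_shell(cmdline: str) -> Tuple[str, int]:
    """Run a command *string* through /bin/sh, as typing it at a prompt would.
    Returns (captured stdout, exit status of the shell)."""
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return proc.stdout, proc.returncode


def run_without_shell(argv: List[str]) -> str:
    """Run an argument *list* directly: no shell is involved, so no character
    inside any argument is special.  This is the form to use from scripts."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


def safe_cmdline(argv: List[str]) -> str:
    """Build a command string in which every argument is shell-quoted, for the
    cases where a string really has to be pasted into a shell (docs, ssh)."""
    return " ".join(shlex.quote(arg) for arg in argv)


def demo() -> Dict[str, object]:
    argv = ["printf", "%s", PASSWORD]
    naive = "printf %s " + PASSWORD      # shape of the original command line
    return {
        # '&' backgrounds 'printf %s qwerty'; the shell then runs 'sdf' as a
        # command, which is not found -> stdout 'qwerty', exit status 127
        "naive": run_via_shell(naive),
        # quoted: the whole value reaches printf -> ('qwerty&sdf', 0)
        "quoted": run_via_shell(safe_cmdline(argv)),
        # no shell at all -> 'qwerty&sdf'
        "no_shell": run_without_shell(argv),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result!r}")
```

The "naive" case reproduces the "sdf: command not found" message from the original report; the shell splits the line at "&" before the command ever sees its arguments. From scripts, pass an argument list (no shell) rather than a string; where a string is unavoidable, shlex.quote quotes each argument. Either way the value still appears in process listings and shell history, which is a reason to prefer an interactive password prompt wherever the tool offers one.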
Christian

From simo at redhat.com Tue May 31 11:36:23 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 31 May 2011 07:36:23 -0400
Subject: [Freeipa-users] bug in ipa user-add
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0BFC15@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0BFB4F@STAWINCOX10MBX4.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0BFC15@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <1306841783.9511.103.camel@willson.li.ssimo.org>

On Tue, 2011-05-31 at 02:17 +0000, Steven Jones wrote:
> Hi,
>
> So the docs should cover this at the least....

Sorry Steve, that's basic shell behavior, and you'll find info in the bash man pages. Nothing to do with the IPA commands.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Tue May 31 13:40:43 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 31 May 2011 09:40:43 -0400
Subject: [Freeipa-users] RHEL 5.6 client failing to join IPA server
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0BFC26@STAWINCOX10MBX4.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0BFC26@STAWINCOX10MBX4.staff.vuw.ac.nz>
Message-ID: <4DE4EFDB.8050103@redhat.com>

On 05/30/2011 10:22 PM, Steven Jones wrote:
> Hi,
>
> I have RHEL 6.1 workstation joining RHEL6.1 IPA server fine, but RHEL 5.6 still fails,
>

The errata for this should be out any day if not already. Please check the RHN for an update to the ipa-client rpm.

> incl install log
>
> root at vuwunicoadmint2 ~]# ipa-client-install --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz
> Discovery was successful!
> Realm: UNIX.VUW.AC.NZ
> DNS Domain: unix.vuw.ac.nz
> IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
> BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
>
>
> Continue to configure the system with these values? [no]: yes
> Principal: admin
> Password for admin at UNIX.VUW.AC.NZ:
> Joining realm failed: Operation failed!
> unsupported extended operation
> child exited with 9
> Certificate subject base is: O=UNIX.VUW.AC.NZ
> [root at vuwunicoadmint2 ~]# uanme -a
> -bash: uanme: command not found
> [root at vuwunicoadmint2 ~]# uname -a
> Linux vuwunicoadmint2.unix.vuw.ac.nz 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 12:42:39 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
> [root at vuwunicoadmint2 ~]# more /etc/redhat-release
> Red Hat Enterprise Linux Server release 5.6 (Tikanga)
> [root at vuwunicoadmint2 ~]#
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tomasz.napierala at allegro.pl Tue May 31 14:45:23 2011
From: tomasz.napierala at allegro.pl (tomasz.napierala at allegro.pl)
Date: Tue, 31 May 2011 16:45:23 +0200
Subject: [Freeipa-users] v1 to v2 migration problem: unknown object class "radiusprofile" and attribute "memberofindirect" not allowed
Message-ID:

Hi,

I'm trying to migrate data from our current FreeIPA install (v1) and I'm having problems with a nonexistent objectClass in v2, which seems to be present by default in v1:

ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts ldap://ipaserverv1:389
Failed user:
  username: unknown object class "radiusprofile"

Also groups that are members of other groups are having problems too:
  groupname: attribute "memberofindirect" not allowed

Is there any way to avoid these errors during migration?

Regards,

--
Tomasz Z. Napierała
Systems Architecture Engineer, IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, ul. Marcelińska 90, entered in the register of entrepreneurs kept by the District Court Poznań - Nowe Miasto i Wilda, VIII Commercial Division of the National Court Register, under KRS number 0000268796, with share capital of PLN 33 474 500, tax identification number NIP: 5272525995.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4565 bytes
Desc: not available
URL:

From dpal at redhat.com Tue May 31 16:18:16 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 31 May 2011 12:18:16 -0400
Subject: [Freeipa-users] v1 to v2 migration problem: unknown object class "radiusprofile" and attribute "memberofindirect" not allowed
In-Reply-To:
References:
Message-ID: <4DE514C8.4050400@redhat.com>

On 05/31/2011 10:45 AM, tomasz.napierala at allegro.pl wrote:
> Hi,
> I'm trying to migrate data from our current FreeIPA install (v1) and I'm having problems with a nonexistent objectClass in v2, which seems to be present by default in v1:
>
> ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts ldap://ipaserverv1:389
> Failed user:
> username: unknown object class "radiusprofile"
>
> Also groups that are members of other groups are having problems too:
> groupname: attribute "memberofindirect" not allowed
>
> Is there any way to avoid these errors during migration?

I do not think we tried this migration.

Do you have any radius data populated in the v1? It seems that this is in some way getting in the way.
The second issue is more worrying. We will see what can be done.

Please file two tickets and we will try to look at them.

> Regards,
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue May 31 17:41:14 2011
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 31 May 2011 13:41:14 -0400
Subject: [Freeipa-users] v1 to v2 migration problem: unknown object class "radiusprofile" and attribute "memberofindirect" not allowed
In-Reply-To: <4DE514C8.4050400@redhat.com>
References: <4DE514C8.4050400@redhat.com>
Message-ID: <4DE5283A.6080404@redhat.com>

Dmitri Pal wrote:
> On 05/31/2011 10:45 AM, tomasz.napierala at allegro.pl wrote:
>> Hi,
>> I'm trying to migrate data from our current FreeIPA install (v1) and I'm having problems with a nonexistent objectClass in v2, which seems to be present by default in v1:
>>
>> ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts ldap://ipaserverv1:389
>> Failed user:
>> username: unknown object class "radiusprofile"
>>
>> Also groups that are members of other groups are having problems too:
>> groupname: attribute "memberofindirect" not allowed
>>
>> Is there any way to avoid these errors during migration?
>
> I do not think we tried this migration.
>
> Do you have any radius data populated in the v1? It seems that this is in some way getting in the way.
> The second issue is more worrying. We will see what can be done.
>
> Please file two tickets and we will try to look at them.

The second problem is fixed upstream.

The objectclass problem is a bit trickier. We don't currently offer a mechanism for adding/dropping objectclasses on-the-fly. The best fix would be to remove the OC from all users in the v1 server, then do the migration. This is assuming you aren't using radius in v1.

An alternative fix would be to drop the file 60radius.ldif into the v2 schema directory and restart dirsrv. On your v1 server it is in /etc/dirsrv/slapd-INSTANCE/schema. Copy this to the equivalent location on the v2 server.
rob

From Steven.Jones at vuw.ac.nz Tue May 31 18:52:29 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 31 May 2011 18:52:29 +0000
Subject: [Freeipa-users] RHEL 5.6 client failing to join IPA server
In-Reply-To: <4DE4EFDB.8050103@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E401B0BFC26@STAWINCOX10MBX4.staff.vuw.ac.nz>, <4DE4EFDB.8050103@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0D3F6A@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Thanks, it looks like it's come out overnight, will test.

regards

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 1 June 2011 1:40 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL 5.6 client failing to join IPA server

On 05/30/2011 10:22 PM, Steven Jones wrote:

Hi,

I have RHEL 6.1 workstation joining RHEL6.1 IPA server fine, but RHEL 5.6 still fails,

The errata for this should be out any day if not already. Please check the RHN for an update to the ipa-client rpm.

incl install log

root at vuwunicoadmint2 ~]# ipa-client-install --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz
Discovery was successful!
  Realm: UNIX.VUW.AC.NZ
  DNS Domain: unix.vuw.ac.nz
  IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
  BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for admin at UNIX.VUW.AC.NZ:
Joining realm failed: Operation failed!
unsupported extended operation
child exited with 9
Certificate subject base is: O=UNIX.VUW.AC.NZ
[root at vuwunicoadmint2 ~]# uanme -a
-bash: uanme: command not found
[root at vuwunicoadmint2 ~]# uname -a
Linux vuwunicoadmint2.unix.vuw.ac.nz 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 12:42:39 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root at vuwunicoadmint2 ~]# more /etc/redhat-release
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
[root at vuwunicoadmint2 ~]#

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue May 31 19:04:43 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 31 May 2011 19:04:43 +0000
Subject: [Freeipa-users] RHEL 5.6 client failing to join IPA server
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0D3F6A@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0BFC26@STAWINCOX10MBX4.staff.vuw.ac.nz>, <4DE4EFDB.8050103@redhat.com>, <833D8E48405E064EBC54C84EC6B36E401B0D3F6A@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0D4F7C@STAWINCOX10MBX1.staff.vuw.ac.nz>

Looks good! :D

regards

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 1 June 2011 6:52 a.m.
To: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL 5.6 client failing to join IPA server

Hi,

Thanks, it looks like it's come out overnight, will test.

regards

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Wednesday, 1 June 2011 1:40 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RHEL 5.6 client failing to join IPA server

On 05/30/2011 10:22 PM, Steven Jones wrote:

Hi,

I have RHEL 6.1 workstation joining RHEL6.1 IPA server fine, but RHEL 5.6 still fails,

The errata for this should be out any day if not already. Please check the RHN for an update to the ipa-client rpm.

incl install log

root at vuwunicoadmint2 ~]# ipa-client-install --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz
Discovery was successful!
  Realm: UNIX.VUW.AC.NZ
  DNS Domain: unix.vuw.ac.nz
  IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
  BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for admin at UNIX.VUW.AC.NZ:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=UNIX.VUW.AC.NZ
[root at vuwunicoadmint2 ~]# uanme -a
-bash: uanme: command not found
[root at vuwunicoadmint2 ~]# uname -a
Linux vuwunicoadmint2.unix.vuw.ac.nz 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 12:42:39 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root at vuwunicoadmint2 ~]# more /etc/redhat-release
Red Hat Enterprise Linux Server release 5.6 (Tikanga)
[root at vuwunicoadmint2 ~]#

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Tue May 31 19:06:17 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 31 May 2011 19:06:17 +0000
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0D4F87@STAWINCOX10MBX1.staff.vuw.ac.nz>

Anybody got any help/howto documentation for this please?

regards

From dpal at redhat.com Tue May 31 19:50:35 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 31 May 2011 15:50:35 -0400
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0D4F87@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0D4F87@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DE5468B.30702@redhat.com>

On 05/31/2011 03:06 PM, Steven Jones wrote:
> Anybody got any help/howto documentation for this please?
>
> regards
>

Ubuntu has one of the early versions of SSSD, so configuring LDAP+Kerberos should work there.
Centos - depends upon what version of SSSD they have. If not, NSS_LDAP+PAM_KRB5 would be a good starting point.
Same with netbsd.

I would look at this as guidance. There might be differences, but it is a good starting point:
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-_Configuring_HP_UX_as_an_IPA_Client.html

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbingram at gmail.com Tue May 31 20:45:36 2011
From: sbingram at gmail.com (Stephen Ingram)
Date: Tue, 31 May 2011 13:45:36 -0700
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0D4FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0D4F87@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0D4FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

Steven-

Sorry, I meant to reply to the list in hopes someone would know about this. Let me try again:

I could be wrong on this, but wasn't there documentation available at one time (on the Website) as to how to manually join a system to IPA? Obviously that's not the ideal solution, but it's great if you are using an unsupported system.

Steve

On Tue, May 31, 2011 at 1:09 PM, Steven Jones wrote:
> Hi,
>
> Good manual documentation would be fine....worst case I can always re-write to an idiot's level to suit me...like I am with other stuff....
>
> ;]
>
> I've been googling and if it's out there I've not found it yet......but if I put it on my website that's a start.
>
> Ubuntu/Debian is of particular interest....but netbsd isn't far behind.....oh and Macs......Solaris.....
>
> They will all jump down my throat shortly I suspect once I have AD sync going and ppl find out...
>
> regards
>
> ________________________________________
> From: Stephen Ingram [sbingram at gmail.com]
> Sent: Wednesday, 1 June 2011 8:01 a.m.
> To: Steven Jones
> Subject: Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
>
> I could be wrong on this, but wasn't there documentation available at one time (on the Website) as to how to manually join a system to IPA? Obviously that's not the ideal solution, but it's great if you are using an unsupported system.
>
> Steve
>
> On Tue, May 31, 2011 at 12:06 PM, Steven Jones wrote:
>> Anybody got any help/howto documentation for this please?
>>
>> regards
>>

From Steven.Jones at vuw.ac.nz Tue May 31 21:12:02 2011
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 31 May 2011 21:12:02 +0000
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E401B0D4F87@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0D4FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E401B0D502D@STAWINCOX10MBX1.staff.vuw.ac.nz>

I've tried googling and found nothing really.......it doesn't bode well.

regards

________________________________________
From: Stephen Ingram [sbingram at gmail.com]
Sent: Wednesday, 1 June 2011 8:45 a.m.
To: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server

Steven-

Sorry, I meant to reply to the list in hopes someone would know about this. Let me try again:

I could be wrong on this, but wasn't there documentation available at one time (on the Website) as to how to manually join a system to IPA? Obviously that's not the ideal solution, but it's great if you are using an unsupported system.

Steve

On Tue, May 31, 2011 at 1:09 PM, Steven Jones wrote:
> Hi,
>
> Good manual documentation would be fine....worst case I can always re-write to an idiot's level to suit me...like I am with other stuff....
>
> ;]
>
> I've been googling and if it's out there I've not found it yet......but if I put it on my website that's a start.
>
> Ubuntu/Debian is of particular interest....but netbsd isn't far behind.....oh and Macs......Solaris.....
>
> They will all jump down my throat shortly I suspect once I have AD sync going and ppl find out...
>
> regards
>
> ________________________________________
> From: Stephen Ingram [sbingram at gmail.com]
> Sent: Wednesday, 1 June 2011 8:01 a.m.
> To: Steven Jones
> Subject: Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
>
> I could be wrong on this, but wasn't there documentation available at one time (on the Website) as to how to manually join a system to IPA? Obviously that's not the ideal solution, but it's great if you are using an unsupported system.
>
> Steve
>
> On Tue, May 31, 2011 at 12:06 PM, Steven Jones wrote:
>> Anybody got any help/howto documentation for this please?
>>
>> regards
>>

From simo at redhat.com Tue May 31 21:18:12 2011
From: simo at redhat.com (Simo Sorce)
Date: Tue, 31 May 2011 17:18:12 -0400
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0D502D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0D4F87@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0D4FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0D502D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1306876692.9511.138.camel@willson.li.ssimo.org>

On Tue, 2011-05-31 at 21:12 +0000, Steven Jones wrote:
> I've tried googling and found nothing really.......it doesn't bode well.

For OSs that we do not have scripts for, the common denominator is to treat IPA as a normal LDAP + Krb5 combo. Pay attention to the fact that we use RFC2307bis for group membership (i.e. we have member= in group entries instead of the older memberUid=).

We are still working out a guide for clients that have sssd available but no ipa-client-install yet.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Tue May 31 21:18:54 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 31 May 2011 17:18:54 -0400
Subject: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E401B0D502D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E401B0D4F87@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E401B0D4FF7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E401B0D502D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4DE55B3E.9000707@redhat.com>

On 05/31/2011 05:12 PM, Steven Jones wrote:
> I've tried googling and found nothing really.......it doesn't bode well.

The general theme is: use the standard NSS_LDAP + PAM_KRB5 instructions provided on the platforms that do not support SSSD. There is nothing better than that.

> regards
>
> ________________________________________
> From: Stephen Ingram [sbingram at gmail.com]
> Sent: Wednesday, 1 June 2011 8:45 a.m.
> To: Steven Jones; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
>
> Steven-
>
> Sorry, I meant to reply to the list in hopes someone would know about this. Let me try again:
>
> I could be wrong on this, but wasn't there documentation available at one time (on the Website) as to how to manually join a system to IPA? Obviously that's not the ideal solution, but it's great if you are using an unsupported system.
>
> Steve
>
>
>
> On Tue, May 31, 2011 at 1:09 PM, Steven Jones wrote:
>> Hi,
>>
>> Good manual documentation would be fine....worst case I can always re-write to an idiot's level to suit me...like I am with other stuff....
>>
>> ;]
>>
>> I've been googling and if it's out there I've not found it yet......but if I put it on my website that's a start.
>>
>> Ubuntu/Debian is of particular interest....but netbsd isn't far behind.....oh and Macs......Solaris.....
>>
>> They will all jump down my throat shortly I suspect once I have AD sync going and ppl find out...
>>
>> regards
>>
>> ________________________________________
>> From: Stephen Ingram [sbingram at gmail.com]
>> Sent: Wednesday, 1 June 2011 8:01 a.m.
>> To: Steven Jones
>> Subject: Re: [Freeipa-users] Connecting ubuntu, Centos 5.x and netbsd to IPA server
>>
>> I could be wrong on this, but wasn't there documentation available at one time (on the Website) as to how to manually join a system to IPA? Obviously that's not the ideal solution, but it's great if you are using an unsupported system.
>>
>> Steve
>>
>> On Tue, May 31, 2011 at 12:06 PM, Steven Jones wrote:
>>> Anybody got any help/howto documentation for this please?
>>>
>>> regards
>>>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From danieljamesscott at gmail.com Tue May 31 22:02:12 2011
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 31 May 2011 18:02:12 -0400
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To: <4DDD7F0A.402@redhat.com>
References: <4DDD7F0A.402@redhat.com>
Message-ID:

Hi,

Thanks for all the replies.

On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote:
>> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions:
>>
>> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?
>
> Yes but you would have to configure it yourself.
> sssd would work nicely with an ldap/krb5 configuration.

I've set up a Fedora 15 VM and have successfully configured it to authenticate against my FreeIPA 1 servers, so this is good. One small problem was that I couldn't get passwordless ssh logins *to* the F15 system working. I created and installed a host keytab, same as for all the other systems, but no luck. I was able to ssh *from* the F15 system without a password, however. Any ideas?

>> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way).
>
> You cannot do a straight upgrade, too much changed between the two versions. You should be able to migrate the users and groups using the v2 migration system. This will maintain your user passwords at least. You would need to generate new principals and keytabs for your kerberized services.

I've set up a Fedora 15 VM and installed the FreeIPA server. I ran the ipa migrate-ds command provided in the documentation. All of the user groups were migrated successfully, but none of the users were migrated, due to 'unknown object class "radiusprofile"' errors.

I've seen this post here:

https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html

but I wanted to add that I don't use any of the radius functionality and my FreeIPA v1 installation is pretty standard, so other users might run into this. I didn't find a bug report, but can file one if needed?

Thanks,

Dan

From dpal at redhat.com Tue May 31 22:26:02 2011
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 31 May 2011 18:26:02 -0400
Subject: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2
In-Reply-To:
References: <4DDD7F0A.402@redhat.com>
Message-ID: <4DE56AFA.5080602@redhat.com>

On 05/31/2011 06:02 PM, Dan Scott wrote:
> Hi,
>
> Thanks for all the replies.
>
> On Wed, May 25, 2011 at 18:13, Rob Crittenden wrote:
>>> I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running on Fedora 14.
>>> I'd like to migrate to FreeIPA 2, now that Fedora 15 has been released. But I have a few questions:
>>>
>>> 1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?
>> Yes but you would have to configure it yourself. sssd would work nicely with an ldap/krb5 configuration.
> I've set up a Fedora 15 VM and have successfully configured it to authenticate against my FreeIPA 1 servers, so this is good. One small problem was that I couldn't get passwordless ssh logins *to* the F15 system working. I created and installed a host keytab, same as for all the other systems, but no luck. I was able to ssh *from* the F15 system without a password, however. Any ideas?
>
>>> 3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring an upgrade from Fedora 14 to 15 along the way).
>> You cannot do a straight upgrade, too much changed between the two versions. You should be able to migrate the users and groups using the v2 migration system. This will maintain your user passwords at least. You would need to generate new principals and keytabs for your kerberized services.
> I've set up a Fedora 15 VM and installed the FreeIPA server. I ran the ipa migrate-ds command provided in the documentation. All of the user groups were migrated successfully, but none of the users were migrated, due to 'unknown object class "radiusprofile"' errors.
>
> I've seen this post here:
>
> https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html
>
> but I wanted to add that I don't use any of the radius functionality and my FreeIPA v1 installation is pretty standard, so other users might run into this. I didn't find a bug report, but can file one if needed?
>

Yes please: https://fedorahosted.org/freeipa/

> Thanks,
>
> Dan
>

--
Thank you,
Dmitri Pal

Sr.
Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
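Rob's first remedy for the "radiusprofile" failure (remove the objectclass from every v1 user before running ipa migrate-ds), which Dan's report in this last thread also runs into, worked through as an added example. This is not code from the list or from the FreeIPA project. It assumes an LDIF export of the v1 user container as input, and assumes that every attribute of the v1 radius schema (60radius.ldif) has a name beginning with "radius"; the sample export is constructed.

```python
"""Emit an LDIF 'modify' file that strips the v1 'radiusprofile' objectClass
from user entries before running `ipa migrate-ds`.

Added example, not code from the list thread or from FreeIPA.
Assumptions: the input is an LDIF export of the v1 user container, and every
attribute the v1 radius schema defines starts with "radius".  Those attribute
values must be deleted in the *same* modify operation as the objectClass,
otherwise the directory server rejects the change as a schema violation.
"""
import base64
import re
import sys
from typing import List, Tuple

OBJECTCLASS_TO_DROP = "radiusprofile"      # compared case-insensitively
ATTR_PREFIX = "radius"                     # assumption about the radius schema

# attribute name, ':' or '::' (base64), optional space, value
_LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

Entry = Tuple[str, List[Tuple[str, str]]]  # (dn, [(attribute, value), ...])


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: comments, 'version:', folded lines, base64 values."""
    unfolded = re.sub(r"\r?\n ", "", text)             # join continuation lines
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, pairs = None, []
        for line in block.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            m = _LINE_RE.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                pairs.append((name, value))
        if dn is None:
            raise ValueError("LDIF record without a dn")
        entries.append((dn, pairs))
    return entries


def plan_changes(entries: List[Entry]) -> List[Tuple[str, str, List[str]]]:
    """For each entry carrying the class: (dn, objectClass value as stored,
    names of the radius attributes that must be deleted with it)."""
    plan = []
    for dn, pairs in entries:
        oc_values = [v for a, v in pairs
                     if a.lower() == "objectclass" and v.lower() == OBJECTCLASS_TO_DROP]
        if not oc_values:
            continue                                   # user untouched by the class
        radius_attrs = sorted({a for a, _ in pairs if a.lower().startswith(ATTR_PREFIX)},
                              key=str.lower)
        plan.append((dn, oc_values[0], radius_attrs))
    return plan


def _ldif_line(name: str, value: str) -> str:
    """Base64-encode values LDIF cannot carry in the clear (non-ASCII, leading
    space, ':' or '<')."""
    if value.isascii() and value == value.strip() and not value.startswith((":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_modify_ldif(plan: List[Tuple[str, str, List[str]]]) -> str:
    out: List[str] = []
    for dn, oc_value, radius_attrs in plan:
        out += [_ldif_line("dn", dn), "changetype: modify"]
        for attr in radius_attrs:                      # same operation as the class removal
            out += [f"delete: {attr}", "-"]
        out += ["delete: objectClass", _ldif_line("objectClass", oc_value), "-", ""]
    return "\n".join(out)


def convert(ldif_text: str) -> str:
    return to_modify_ldif(plan_changes(parse_ldif(ldif_text)))


# Constructed sample of a v1 export: two users with the class, one without.
SAMPLE_V1_EXPORT = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: radiusprofile
uid: alice
radiusFramedIPAddress: 192.0.2.10

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: radiusprofile
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: carol
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_V1_EXPORT
    sys.stdout.write(convert(src))
```

Export the affected v1 users with ldapsearch (for instance -b cn=users,cn=accounts,<base DN> with the filter (objectClass=radiusprofile)), run the script over the export, review the generated modify file, and apply it to the v1 server with ldapmodify before the migration. The output for the constructed sample deletes radiusFramedIPAddress and the objectClass value from alice in one operation, removes only the objectClass from bob, and leaves carol alone. As Rob notes, this only makes sense when radius is not in use on v1; take a directory backup first either way.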