From rcritten at redhat.com Mon Apr 2 12:50:33 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Apr 2012 08:50:33 -0400
Subject: [Freeipa-users] AIX client headaches
In-Reply-To:
References:
Message-ID: <4F79A099.3000201@redhat.com>

KodaK wrote:
> Hello,
>
> I'm attempting to configure an AIX 5.3 client, I've followed the instructions
> (and then some) that are found here:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_AIX.html
>
> I keep overcoming hurdles (like the documentation asking you in step 3
> to authenticate with a user you create in step 11) but now I'm really stuck.
> I have a user, creatively named "testuser", and the password is of sufficient
> complexity. I can authenticate with this user to a Linux box that's been
> configured with the ipa-client, so I'm pretty sure my server configuration is
> OK.
>
> When I connect to an AIX client, though, it tells me:
>
> Received disconnect from 10.200.2.68: 2: Too many authentication
> failures for testuser
>
> Here's the output of ssh -v testuser@slnldca01.unix.magellanhealth.com:
>
> [jebalicki@mo0031472 ~]$ kinit testuser
> Password for testuser@UNIX.MAGELLANHEALTH.COM:
> [jebalicki@mo0031472 ~]$ ssh -v testuser@slnldca01.unix.magellanhealth.com
> OpenSSH_5.6p1, OpenSSL 1.0.0g-fips 18 Jan 2012
> debug1: Reading configuration data /home/jebalicki/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to slnldca01.unix.magellanhealth.com [10.200.2.68] port 22.
> debug1: Connection established.
> debug1: identity file /home/jebalicki/.ssh/id_rsa type 1
> debug1: identity file /home/jebalicki/.ssh/id_rsa-cert type -1
> debug1: identity file /home/jebalicki/.ssh/id_dsa type -1
> debug1: identity file /home/jebalicki/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
> debug1: match: OpenSSH_4.1 pat OpenSSH_4*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'slnldca01.unix.magellanhealth.com' is known and matches
> the RSA host key.
> debug1: Found key in /home/jebalicki/.ssh/known_hosts:10
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /home/jebalicki/.ssh/id_rsa
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Trying private key: /home/jebalicki/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: password
> testuser@slnldca01.unix.magellanhealth.com's password:
> Received disconnect from 10.200.2.68: 2: Too many authentication
> failures for testuser
>
> Here's the output of sshd -ddd on the AIX client:
>
> bash-3.00# /usr/sbin/sshd -dddd
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 248
> debug2: parse_server_config: config /etc/ssh/sshd_config len 248
> debug1: sshd version OpenSSH_4.1p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-dddd'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug2: fd 4 setting O_NONBLOCK
> debug1: Bind to port 22 on ::.
> Bind to port 22 on :: failed: Address already in use.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: fd 4 clearing O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 7 config len 248
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> debug1: inetd sockets after dupping: 3, 3
> Connection from 10.200.10.117 port 49075
> debug1: Client protocol version 2.0; client software version OpenSSH_5.6
> debug1: match: OpenSSH_5.6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_4.1
> debug1: init_func_ptrs passed
> debug2: fd 3 setting O_NONBLOCK
> debug3: privsep user:group 202:201
> debug1: permanently_set_uid: 202/201
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug2: Network child is on pid 348394
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit:
> ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> debug3: mm_request_send entering: type 1
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug2: dh_gen_key: priv key bits set: 130/256
> debug2: bits set: 481/1024
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 505/1024
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 4
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: monitor_read: checking request 4
> debug3: mm_request_receive_expect entering: type 5
> debug3: mm_answer_sign
> debug3: mm_request_receive entering
> debug3: mm_answer_sign: signature 20042f88(143)
> debug3: mm_request_send entering: type 5
> debug2: monitor_read: 4 used once, disabling now
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug3: mm_request_receive entering
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user testuser service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: monitor_read: checking request 6
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_answer_pwnamallow
> debug3: mm_request_receive entering
> debug3: AIX/loginrestrictions returned 0 msg (none)
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug2: input_userauth_request: setting up authctxt for testuser
> debug3: mm_request_receive entering
> debug3: mm_inform_authserv entering
> debug3: mm_request_send entering: type 3
> debug2: input_userauth_request: try method none
> debug3: monitor_read: checking request 3
> debug3: mm_auth_password entering
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug3: mm_request_send entering: type 10
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive entering
> debug3: mm_request_receive_expect entering: type 11
> debug3: monitor_read: checking request 10
> debug3: mm_request_receive entering
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: user not authenticated
> Failed none for testuser from 10.200.10.117 port 49075 ssh2
> Failed none for testuser from 10.200.10.117 port 49075 ssh2
> debug3: mm_request_receive entering
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method gssapi-with-mic
> debug3: mm_request_send entering: type 37
> debug3: mm_request_receive_expect entering: type 38
> debug3: monitor_read: checking request 37
> debug3: mm_request_receive entering
> debug1: Miscellaneous failure
> No principal in keytab matches desired name
>
> debug3: mm_request_send entering: type 38
> Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
> debug3: mm_request_receive entering
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 2 failures 2
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 3 failures 3
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 4 failures 4
> debug2: input_userauth_request: try method gssapi-with-mic
> Failed gssapi-with-mic for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method publickey
> debug1: attempt 5 failures 5
> debug2: input_userauth_request: try method publickey
> debug1: test whether pkalg/pkblob are acceptable
> debug3: mm_key_allowed entering
> debug3: mm_request_send entering: type 20
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> debug3: mm_request_receive_expect entering: type 21
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 20
> debug3: mm_answer_keyallowed entering
> debug3: mm_answer_keyallowed: key_from_blob: 20042fd8
> debug1: temporarily_use_uid: 1115600008/1115600008 (e=0/0)
> debug1: trying public key file /home/testuser/.ssh/authorized_keys
> debug1: restore_uid: 0/0
> debug1: temporarily_use_uid: 1115600008/1115600008 (e=0/0)
> debug1: trying public key file /home/testuser/.ssh/authorized_keys2
> debug1: restore_uid: 0/0
> debug3: mm_answer_keyallowed: key 20042fd8 is disallowed
> debug3: mm_request_send entering: type 21
> debug3: mm_request_receive entering
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
> Failed publickey for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method keyboard-interactive
> debug1: attempt 6 failures 6
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug1: auth2_challenge: user=testuser devs=
> debug1: kbdint_alloc: devices ''
> debug2: auth2_challenge_start: devices
> Failed keyboard-interactive for testuser from 10.200.10.117 port 49075 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method password
> debug1: attempt 7 failures 7
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: inside auth_password
> debug3: AIX/authenticate result 1, msg
> debug3: AIX SYSTEM attribute KRB5ALXAP or compat
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed password for testuser from 10.200.10.117 port 49075 ssh2
> debug3: mm_auth_password: user not authenticated
> Failed password for testuser from 10.200.10.117 port 49075 ssh2
> Disconnecting: Too many authentication failures for testuser
> debug1: do_cleanup
> debug3: AIX/setauthdb set registry 'LDAP'
> debug3: aix_restoreauthdb: restoring old registry ''
> debug3: mm_request_receive entering
> debug1: do_cleanup
> bash-3.00#
>
> Here's klist -k -e on the AIX box:
>
> bash-3.00# /usr/krb5/bin/klist -k -e
> Keytab name: FILE:/etc/krb5/krb5.keytab
> KVNO Principal
> ---- ---------
> 1 sshd/slnldca01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (DES cbc mode with CRC-32)
> 3 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
> 3 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
> 4 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
> 4 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
> 5 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
> 5 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
> 6 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (DES cbc mode with CRC-32)
> 6 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
> 6 host/slpidml01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
> 2 sshd/slnldca01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (DES cbc mode with CRC-32)
> 2 sshd/slnldca01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
> 2 sshd/slnldca01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
> 1 host/slnldca01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (Triple DES cbc mode with HMAC/sha1)
> 1 host/slnldca01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> (ArcFour with HMAC/md5)
>
> Here's the relevant portion in krb5kdc.log:
>
> Mar 30 18:13:10 slpidml01.unix.magellanhealth.com krb5kdc[13765](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.200.10.117: ISSUE: authtime
> 1333149153, etypes {rep=18 tkt=16 ses=16},
> testuser@UNIX.MAGELLANHEALTH.COM for
> host/slnldca01.unix.magellanhealth.com@UNIX.MAGELLANHEALTH.COM
> Mar 30 18:13:15 slpidml01.unix.magellanhealth.com
> krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
> NEEDED_PREAUTH: testuser@UNIX.MAGELLANHEALTH.COM for
> krbtgt/UNIX.MAGELLANHEALTH.COM@UNIX.MAGELLANHEALTH.COM, Additional
> pre-authentication required
> Mar 30 18:13:16 slpidml01.unix.magellanhealth.com
> krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
> ISSUE: authtime 1333149196, etypes {rep=16 tkt=18 ses=16},
> testuser@UNIX.MAGELLANHEALTH.COM for
> krbtgt/UNIX.MAGELLANHEALTH.COM@UNIX.MAGELLANHEALTH.COM
>
> Any help? If it's not obvious, I have no clue what I'm doing -- but
> I've been banging my head on this for three days straight, I have a
> ticket open with Red Hat and I've been reading everything I can find.
>
> Oh, I get similar entries in the kdc log if I telnet instead of ssh:
>
> Mar 30 18:33:42 slpidml01.unix.magellanhealth.com
> krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
> NEEDED_PREAUTH: testuser@UNIX.MAGELLANHEALTH.COM for
> krbtgt/UNIX.MAGELLANHEALTH.COM@UNIX.MAGELLANHEALTH.COM, Additional
> pre-authentication required
> Mar 30 18:33:43 slpidml01.unix.magellanhealth.com
> krb5kdc[13765](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.200.2.68:
> ISSUE: authtime 1333150423, etypes {rep=16 tkt=18 ses=16},
> testuser@UNIX.MAGELLANHEALTH.COM for
> krbtgt/UNIX.MAGELLANHEALTH.COM@UNIX.MAGELLANHEALTH.COM

The sshd output suggests that it can't find its own service principal:

No principal in keytab matches desired name

The keytab looks ok, you might check permissions to make sure it can be
read by sshd. You shouldn't need sshd services, it uses the host service
principal.

rob

From Steven.Jones at vuw.ac.nz Tue Apr 3 00:58:50 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 3 Apr 2012 00:58:50 +0000
Subject: [Freeipa-users] While trying to connect to IPA I am getting this,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6D875@STAWINCOX10MBX1.staff.vuw.ac.nz>

============

XML Parsing Error: undefined entity
Location: jar:file:///usr/lib64/firefox-3.6/chrome/browser.jar!/content/browser/certerror/aboutCertError.xhtml
Line Number 59, Column 12: &certerror.pagetitle;
-----------^

============

Firefox works to localhost on the IPA server's console but not from my workstation.......

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Tue Apr 3 03:06:09 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 3 Apr 2012 03:06:09 +0000
Subject: [Freeipa-users] firefox on windows how to get a kerberos ticket?
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6D8C1@STAWINCOX10MBX1.staff.vuw.ac.nz>

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From pspacek at redhat.com Tue Apr 3 11:39:02 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 03 Apr 2012 13:39:02 +0200
Subject: [Freeipa-users] firefox on windows how to get a kerberos ticket?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6D8C1@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC6D8C1@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F7AE156.4070108@redhat.com>

Hello,

AFAIK the best way to control the Kerberos environment/behaviour in MS Windows
is to install Kerberos for Windows from MIT:
See http://web.mit.edu/kerberos/www/dist/index.html#kfw-3.2

There is a GUI and also command line utilities to configure the Kerberos
client, obtain tickets etc.

Petr^2 Spacek

On 04/03/2012 05:06 AM, Steven Jones wrote:
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

From pspacek at redhat.com Tue Apr 3 11:43:25 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 03 Apr 2012 13:43:25 +0200
Subject: [Freeipa-users] While trying to connect to IPA I am getting this,
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6D875@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC6D875@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F7AE25D.8050308@redhat.com>

Hello,

On 04/03/2012 02:58 AM, Steven Jones wrote:
> ============
>
> XML Parsing Error: undefined entity
> Location: jar:file:///usr/lib64/firefox-3.6/chrome/browser.jar!/content/browser/certerror/aboutCertError.xhtml
> Line Number 59, Column 12: &certerror.pagetitle;
> -----------^
>
> ============
>
> Firefox works to localhost on the IPA server's console but not from my workstation.......

It is a very strange error. I suspect the Firefox installation on your
workstation. Is it possible to open any other site with an invalid/untrusted
certificate? Is the error message properly shown in that case?

Please try to reinstall your firefox package.

Petr^2 Spacek

From rcritten at redhat.com Tue Apr 3 12:56:58 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Apr 2012 08:56:58 -0400
Subject: [Freeipa-users] While trying to connect to IPA I am getting this,
In-Reply-To: <4F7AE25D.8050308@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC6D875@STAWINCOX10MBX1.staff.vuw.ac.nz> <4F7AE25D.8050308@redhat.com>
Message-ID: <4F7AF39A.3000104@redhat.com>

Petr Spacek wrote:
> Hello,
>
> On 04/03/2012 02:58 AM, Steven Jones wrote:
>> XML Parsing Error: undefined entity
>> Location: jar:file:///usr/lib64/firefox-3.6/chrome/browser.jar!/content/browser/certerror/aboutCertError.xhtml
>> Line Number 59, Column 12: &certerror.pagetitle;
>> -----------^
>>
>> Firefox works to localhost on the IPA server's console but not from my
>> workstation.......
>
> It is a very strange error. I suspect the Firefox installation on your
> workstation. Is it possible to open any other site with an invalid/untrusted
> certificate? Is the error message properly shown in that case?
>
> Please try to reinstall your firefox package.

I agree about reinstalling, this is a very strange response from Firefox.

If I understand this correctly this is Firefox trying to tell you it has
connected to an SSL site (IPA) signed by an untrusted CA. It wants to
display to the user the scary Untrusted Certificate Authority page but it
is blowing up due to this XML parsing error.

Something else to try might be a new profile (firefox -P).
rob From Steven.Jones at vuw.ac.nz Tue Apr 3 21:06:35 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 3 Apr 2012 21:06:35 +0000 Subject: [Freeipa-users] firefox on windows how to get a kerberos ticket? In-Reply-To: <4F7AE156.4070108@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC6D8C1@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7AE156.4070108@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6EB7D@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, That isnt an option, so there are no other practical way? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Petr Spacek [pspacek at redhat.com] Sent: Tuesday, 3 April 2012 11:39 p.m. To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] firefox on windows how to get a kerberos ticket? Hello, AFAIK best way to control Kerberos environment/behaviour in MS Windows is to install Kerberos for Windows from MIT: See http://web.mit.edu/kerberos/www/dist/index.html#kfw-3.2 There is GUI and also command line utilities to configure Kerberos client, obtain tickets etc. Petr^2 Spacek On 04/03/2012 05:06 AM, Steven Jones wrote: > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From jdennis at redhat.com Tue Apr 3 21:52:53 2012 From: jdennis at redhat.com (John Dennis) Date: Tue, 03 Apr 2012 17:52:53 -0400 Subject: [Freeipa-users] firefox on windows how to get a kerberos ticket? 
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6EB7D@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC6D8C1@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7AE156.4070108@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC6EB7D@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4F7B7135.2050802@redhat.com> What are you trying to accomplish? In IPA 2.2 you can log onto the web UI without a kerberos ticket by using password based auth, thus the web UI no longer requires a kerberos ticket. This applies only to the web UI, not other IPA components (at the moment). John -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Tue Apr 3 21:58:41 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 3 Apr 2012 21:58:41 +0000 Subject: [Freeipa-users] firefox on windows how to get a kerberos ticket? In-Reply-To: <4F7B7135.2050802@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC6D8C1@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7AE156.4070108@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC6EB7D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7B7135.2050802@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6ED00@STAWINCOX10MBX1.staff.vuw.ac.nz> So how do I login without a kerberos ticket? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: John Dennis [jdennis at redhat.com] Sent: Wednesday, 4 April 2012 9:52 a.m. To: Steven Jones Cc: Petr Spacek; freeipa-users at redhat.com Subject: Re: [Freeipa-users] firefox on windows how to get a kerberos ticket? What are you trying to accomplish? In IPA 2.2 you can log onto the web UI without a kerberos ticket by using password based auth, thus the web UI no longer requires a kerberos ticket. This applies only to the web UI, not other IPA components (at the moment). John -- John Dennis Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From jdennis at redhat.com Tue Apr 3 22:52:01 2012 From: jdennis at redhat.com (John Dennis) Date: Tue, 03 Apr 2012 18:52:01 -0400 Subject: [Freeipa-users] firefox on windows how to get a kerberos ticket? In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6ED00@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC6D8C1@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7AE156.4070108@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC6EB7D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7B7135.2050802@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC6ED00@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4F7B7F11.5050608@redhat.com> On 04/03/2012 05:58 PM, Steven Jones wrote: > So how do I login without a kerberos ticket? See attached screenshot snippets > ________________________________________ > From: John Dennis [jdennis at redhat.com] > Sent: Wednesday, 4 April 2012 9:52 a.m. > To: Steven Jones > Cc: Petr Spacek; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] firefox on windows how to get a kerberos ticket? > > What are you trying to accomplish? In IPA 2.2 you can log onto the web > UI without a kerberos ticket by using password based auth, thus the web > UI no longer requires a kerberos ticket. This applies only to the web > UI, not other IPA components (at the moment). -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- A non-text attachment was scrubbed... Name: login1.jpg Type: image/jpeg Size: 17746 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: login2.jpg Type: image/jpeg Size: 14103 bytes Desc: not available URL: From Steven.Jones at vuw.ac.nz Tue Apr 3 22:58:40 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 3 Apr 2012 22:58:40 +0000 Subject: [Freeipa-users] firefox on windows how to get a kerberos ticket? 
In-Reply-To: <4F7B7F11.5050608@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC6D8C1@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7AE156.4070108@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC6EB7D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7B7135.2050802@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC6ED00@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7B7F11.5050608@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6ED4B@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, I actually found it on the web thanks....ie setting httpd....and then in section 4.3.5....doh. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: John Dennis [jdennis at redhat.com] Sent: Wednesday, 4 April 2012 10:52 a.m. To: Steven Jones Cc: Petr Spacek; freeipa-users at redhat.com Subject: Re: [Freeipa-users] firefox on windows how to get a kerberos ticket? On 04/03/2012 05:58 PM, Steven Jones wrote: > So how do I login without a kerberos ticket? See attached screenshot snippets > ________________________________________ > From: John Dennis [jdennis at redhat.com] > Sent: Wednesday, 4 April 2012 9:52 a.m. > To: Steven Jones > Cc: Petr Spacek; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] firefox on windows how to get a kerberos ticket? > > What are you trying to accomplish? In IPA 2.2 you can log onto the web > UI without a kerberos ticket by using password based auth, thus the web > UI no longer requires a kerberos ticket. This applies only to the web > UI, not other IPA components (at the moment). -- John Dennis Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Tue Apr 3 23:04:59 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 3 Apr 2012 23:04:59 +0000 Subject: [Freeipa-users] 2 things, Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz> how do I logout, ie make my sessions expire so I can login as someone else? and how do I make more admin level accounts? I made one that looks identical to admin, but I cant get a login with it.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From jdennis at redhat.com Wed Apr 4 01:00:39 2012 From: jdennis at redhat.com (John Dennis) Date: Tue, 03 Apr 2012 21:00:39 -0400 Subject: [Freeipa-users] 2 things, In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <4F7B9D37.6090201@redhat.com> On 04/03/2012 07:04 PM, Steven Jones wrote: > how do I logout, ie make my sessions expire so I can login as someone else? Once you are logged in you will see in the upper right hand corner of every page something that says "logged in as XXXX" and right next to it is a a clickable item "logout". Click on the logout and you will be logged out and then you can log back in as someone else. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Steven.Jones at vuw.ac.nz Wed Apr 4 01:17:08 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 4 Apr 2012 01:17:08 +0000 Subject: [Freeipa-users] 2 things, In-Reply-To: <4F7B9D37.6090201@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7B9D37.6090201@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6EED6@STAWINCOX10MBX1.staff.vuw.ac.nz> My gui doesnt have the "logout" button. 
:(

regards

Steven Jones

Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: John Dennis [jdennis at redhat.com]
Sent: Wednesday, 4 April 2012 1:00 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 2 things,

On 04/03/2012 07:04 PM, Steven Jones wrote:
> how do I logout, ie make my sessions expire so I can login as someone else?

Once you are logged in you will see in the upper right hand corner of every page something that says "logged in as XXXX" and right next to it is a clickable item "logout". Click on the logout and you will be logged out and then you can log back in as someone else.

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Wed Apr 4 01:23:11 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 4 Apr 2012 01:23:11 +0000
Subject: [Freeipa-users] 2 things,
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6EED6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7B9D37.6090201@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CC6EED6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6EF7B@STAWINCOX10MBX1.staff.vuw.ac.nz>

top right corner shot...

regards

Steven Jones

Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, 4 April 2012 1:17 p.m.
To: John Dennis
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 2 things,

My gui doesn't have the "logout" button.
:(

regards

Steven Jones

Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: John Dennis [jdennis at redhat.com]
Sent: Wednesday, 4 April 2012 1:00 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 2 things,

On 04/03/2012 07:04 PM, Steven Jones wrote:
> how do I logout, ie make my sessions expire so I can login as someone else?

Once you are logged in you will see in the upper right hand corner of every page something that says "logged in as XXXX" and right next to it is a clickable item "logout". Click on the logout and you will be logged out and then you can log back in as someone else.

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: logout-01.jpeg
Type: image/jpeg
Size: 10201 bytes
Desc: logout-01.jpeg
URL:

From jdennis at redhat.com Wed Apr 4 01:27:14 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 03 Apr 2012 21:27:14 -0400
Subject: [Freeipa-users] 2 things,
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6EED6@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz>, <4F7B9D37.6090201@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC6EED6@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F7BA372.1020405@redhat.com>

On 04/03/2012 09:17 PM, Steven Jones wrote:
> My gui doesn't have the "logout" button.
>
> :(

It will :-)

It's a new feature, currently in beta.

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Steven.Jones at vuw.ac.nz Wed Apr 4 01:49:15 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 4 Apr 2012 01:49:15 +0000
Subject: [Freeipa-users] 2 things,
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC6EFA5@STAWINCOX10MBX1.staff.vuw.ac.nz>

8><---------

and how do I make more admin level accounts?

I made one that looks identical to admin, but I can't get a login with it....

8><----------

Figured it out, the problem is with forcing a password change on first use.....until you login with kinit and re-set your password you cannot login, so what really needs to happen is a dialogue box pops up asking you to change your password....or at least a pop up telling you to go elsewhere and do it, rather than silently failing.

regards

Steven Jones

Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From rcritten at redhat.com Wed Apr 4 02:43:14 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Apr 2012 22:43:14 -0400
Subject: [Freeipa-users] 2 things,
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC6EFA5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC6ED59@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC6EFA5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4F7BB542.2030107@redhat.com>

Steven Jones wrote:
> 8><---------
>
> and how do I make more admin level accounts?
>
> I made one that looks identical to admin, but I can't get a login with it....
>
> 8><----------
>
> Figured it out, the problem is with forcing a password change on first use.....until you login with kinit and re-set your password you cannot login, so what really needs to happen is a dialogue box pops up asking you to change your password....or at least a pop up telling you to go elsewhere and do it, rather than silently failing.

Did you enable KrbMethodK5Passwd?

The browser does not provide a facility for changing passwords using Basic or any authentication that I'm aware of. As far as IPA is concerned the user provided invalid credentials, that's all. It doesn't get the details of why. That is handled by mod_auth_kerb.

To log out of a browser using 2.1.x you need to kdestroy and kinit again on the local system. If you've authenticated using basic auth the only way to "log out" is to restart the browser.

rob

From lyamanishi at sesda2.com Tue Apr 3 21:53:24 2012
From: lyamanishi at sesda2.com (Lucas Yamanishi)
Date: Tue, 03 Apr 2012 17:53:24 -0400
Subject: [Freeipa-users] Reverse-proxy for the WebUI
Message-ID: <4F7B7154.7040805@sesda2.com>

Hello,

Has anybody successfully configured a reverse proxy for the web ui? I've tried a few different setups to no avail.

My goal is to allow self-service from the Internet.

Lucas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: OpenPGP digital signature
URL:

From simo at redhat.com Wed Apr 4 13:30:01 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 04 Apr 2012 09:30:01 -0400
Subject: [Freeipa-users] Reverse-proxy for the WebUI
In-Reply-To: <4F7B7154.7040805@sesda2.com>
References: <4F7B7154.7040805@sesda2.com>
Message-ID: <1333546201.22628.289.camel@willson.li.ssimo.org>

On Tue, 2012-04-03 at 17:53 -0400, Lucas Yamanishi wrote:
> Hello,
>
> Has anybody successfully configured a reverse proxy for the web ui?
> I've tried a few different setups to no avail.
>
> My goal is to allow self-service from the Internet.

It will probably not work with kerberos authentication as the client will not have the right name to get a ticket against, and, if I understand the scenario, it will not even have access to the KDC to get a ticket from.

Once 2.2 is released and form-based auth will be available you should be able to make it work with that.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sakodak at gmail.com Mon Apr 9 18:07:24 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 9 Apr 2012 13:07:24 -0500
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
Message-ID:

I have two IPA servers. The primary/master is SLPIDML01 and the replica is SLPIDML01. I have followed the instructions for creating a replica and the install on SLPIDML02 completed successfully. However, the instructions tell me to add some entries to the DNS zone file, and I'm stumped.

The FreeIPA documentation has this to say about setting up DNS for replicas:

Updating DNS for IPA Replicas

After you have configured a new IPA replica, you should update your DNS entries so that IPA clients can discover the new server. For example, for an IPA replica with a server name of $HOST, you should add the following entries to your zone file:

_ldap._tcp             IN SRV 0 100 389 $HOST
_kerberos._tcp         IN SRV 0 100 88  $HOST
_kerberos._udp         IN SRV 0 100 88  $HOST
_kerberos-master._tcp  IN SRV 0 100 88  $HOST
_kerberos-master._udp  IN SRV 0 100 88  $HOST
_kpasswd._tcp          IN SRV 0 100 464 $HOST
_kpasswd._udp          IN SRV 0 100 464 $HOST
_ntp._udp              IN SRV 0 100 123 $HOST

I know very little about configuring DNS. Where exactly should this go? It says to add it to your zone file, all I see is a named.rfc1912.zones file, and it appears to be rather structured. Do I just dump these at the end? That doesn't seem to make any sense.
I see a reference to /var/named/example.com.zone.db, but I don't have one for my domain, and I still don't know what the format of the file should be. Do I need to make entries for both hosts (and any others I add in the future?)

Thanks,

--Jason

From sbingram at gmail.com Mon Apr 9 18:25:21 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 9 Apr 2012 11:25:21 -0700
Subject: [Freeipa-users] --subject option for ipa-server-install
Message-ID:

In an attempt to make the CA certificate from IPA a little more noticeable for the users in our realm I've successfully used the --subject option during the ipa-server-install process. It seems however, that you cannot change the CN from the default "Certificate Authority". I've added O=, OU= and C=, but as some certificate managers in browsers/os's (i.e. Mac OS X) organize certificates by CN name, it would be nice to point to something representing the company name instead of the generic Certificate Authority. It even seems that in the older 2.0 release candidates, they used the default "REALM Certificate Authority" for the CN instead of just Certificate Authority. Can this be easily changed so that at least the realm could be slipped in front of Certificate Authority or customize the CN altogether?

Steve

From dpal at redhat.com Mon Apr 9 18:34:34 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Apr 2012 14:34:34 -0400
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To:
References:
Message-ID: <4F832BBA.7000809@redhat.com>

On 04/09/2012 02:07 PM, KodaK wrote:
> I have two IPA servers. The primary/master is SLPIDML01 and the
> replica is SLPIDML01. I have followed the instructions for creating a
> replica and the install on SLPIDML02 completed successfully. However,
> the instructions tell me to add some entries to the DNS zone file, and
> I'm stumped.
>
> The FreeIPA documentation has this to say about setting up DNS for replicas:
>
> Updating DNS for IPA Replicas
>
> After you have configured a new IPA replica, you should update your
> DNS entries so that IPA clients can discover the new server. For
> example, for an IPA replica with a server name of $HOST, you should
> add the following entries to your zone file:
>
> _ldap._tcp             IN SRV 0 100 389 $HOST
> _kerberos._tcp         IN SRV 0 100 88  $HOST
> _kerberos._udp         IN SRV 0 100 88  $HOST
> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
> _kerberos-master._udp  IN SRV 0 100 88  $HOST
> _kpasswd._tcp          IN SRV 0 100 464 $HOST
> _kpasswd._udp          IN SRV 0 100 464 $HOST
> _ntp._udp              IN SRV 0 100 123 $HOST
>
> I know very little about configuring DNS. Where exactly should this
> go? It says to add it to your zone file, all I see is a
> named.rfc1912.zones file, and it appears to be rather structured. Do
> I just dump these at the end? That doesn't seem to make any sense. I
> see a reference to /var/named/example.com.zone.db, but I don't have
> one for my domain, and I still don't know what the format of the file
> should be. Do I need to make entries for both hosts (and any others I
> add in the future?)
>

What DNS server do you use?
Did you consider using DNS server that comes with IPA?

> Thanks,
>
> --Jason
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Apr 9 18:35:01 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Apr 2012 14:35:01 -0400
Subject: [Freeipa-users] --subject option for ipa-server-install
In-Reply-To:
References:
Message-ID: <4F832BD5.1000507@redhat.com>

On 04/09/2012 02:25 PM, Stephen Ingram wrote:
> In an attempt to make the CA certificate from IPA a little more
> noticeable for the users in our realm I've successfully used the
> --subject option during the ipa-server-install process. It seems
> however, that you cannot change the CN from the default "Certificate
> Authority". I've added O=, OU= and C=, but as some certificate
> managers in browsers/os's (i.e. Mac OS X) organize certificates by CN
> name, it would be nice to point to something representing the company
> name instead of the generic Certificate Authority. It even seems that
> in the older 2.0 release candidates, they used the default "REALM
> Certificate Authority" for the CN instead of just Certificate
> Authority. Can this be easily changed so that at least the realm could
> be slipped in front of Certificate Authority or customize the CN
> altogether?
>

Please open an RFE ticket.

> Steve
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Apr 9 18:46:49 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Apr 2012 14:46:49 -0400
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To:
References: <4F832BBA.7000809@redhat.com>
Message-ID: <4F832E99.8000601@redhat.com>

On 04/09/2012 02:41 PM, KodaK wrote:
> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>> On 04/09/2012 02:07 PM, KodaK wrote:
>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>> replica is SLPIDML01. I have followed the instructions for creating a
>>> replica and the install on SLPIDML02 completed successfully. However,
>>> the instructions tell me to add some entries to the DNS zone file, and
>>> I'm stumped.
>>>
>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>
>>> Updating DNS for IPA Replicas
>>>
>>> After you have configured a new IPA replica, you should update your
>>> DNS entries so that IPA clients can discover the new server. For
>>> example, for an IPA replica with a server name of $HOST, you should
>>> add the following entries to your zone file:
>>>
>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>
>>> I know very little about configuring DNS. Where exactly should this
>>> go? It says to add it to your zone file, all I see is a
>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>> I just dump these at the end? That doesn't seem to make any sense. I
>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>> one for my domain, and I still don't know what the format of the file
>>> should be. Do I need to make entries for both hosts (and any others I
>>> add in the future?)
>>>
>> What DNS server do you use?
>> Did you consider using DNS server that comes with IPA?
>>
> I am using the DNS server that comes with IPA.

Then the replicas are added automatically to the DNS servers managed by IPA. I think the documentation refers to the case when you are not using the DNS server provided by IPA. Then you need to add mentioned entries. If this is not clear please open a ticket and provide a pointer to the section that caused the confusion.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Apr 9 18:53:33 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Apr 2012 14:53:33 -0400
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To:
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com>
Message-ID: <4F83302D.1030104@redhat.com>

On 04/09/2012 02:50 PM, KodaK wrote:
> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>> On 04/09/2012 02:41 PM, KodaK wrote:
>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>> I'm stumped.
>>>>>
>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>
>>>>> Updating DNS for IPA Replicas
>>>>>
>>>>> After you have configured a new IPA replica, you should update your
>>>>> DNS entries so that IPA clients can discover the new server.
>>>>> For example, for an IPA replica with a server name of $HOST, you should
>>>>> add the following entries to your zone file:
>>>>>
>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>
>>>>> I know very little about configuring DNS. Where exactly should this
>>>>> go? It says to add it to your zone file, all I see is a
>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>> one for my domain, and I still don't know what the format of the file
>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>> add in the future?)
>>>>>
>>>> What DNS server do you use?
>>>> Did you consider using DNS server that comes with IPA?
>>>>
>>> I am using the DNS server that comes with IPA.
>> Then the replicas are added automatically to the DNS servers managed by
>> IPA. I think the documentation refers to the case when you are not using
>> the DNS server provided by IPA. Then you need to add mentioned entries.
>> If this is not clear please open a ticket and provide a pointer to the
>> section that caused the confusion.
> I've opened a ticket, thanks.
>
> When I manually turn off the network interfaces on the master, the
> replica does not take over.

How you test it?
The client will fail over if it can't access the server that you turned off.

> For the record, the documentation makes no discernible differentiation
> between IPA's DNS and external DNS:
>
> "Once the installation process completes, update the DNS entries so
> that IPA clients can discover the new server. For example, for an IPA
> replica with a hostname of ipareplica.example.com:"

Thanks.

> --Jason

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Apr 9 18:56:29 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Apr 2012 14:56:29 -0400
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To: <4F83302D.1030104@redhat.com>
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com>
Message-ID: <4F8330DD.8040804@redhat.com>

On 04/09/2012 02:53 PM, Dmitri Pal wrote:
> On 04/09/2012 02:50 PM, KodaK wrote:
>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>> I'm stumped.
>>>>>>
>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>
>>>>>> Updating DNS for IPA Replicas
>>>>>>
>>>>>> After you have configured a new IPA replica, you should update your
>>>>>> DNS entries so that IPA clients can discover the new server.
>>>>>> For example, for an IPA replica with a server name of $HOST, you should
>>>>>> add the following entries to your zone file:
>>>>>>
>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>
>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>> add in the future?)
>>>>>>
>>>>> What DNS server do you use?
>>>>> Did you consider using DNS server that comes with IPA?
>>>>>
>>>> I am using the DNS server that comes with IPA.
>>> Then the replicas are added automatically to the DNS servers managed by
>>> IPA. I think the documentation refers to the case when you are not using
>>> the DNS server provided by IPA. Then you need to add mentioned entries.
>>> If this is not clear please open a ticket and provide a pointer to the
>>> section that caused the confusion.
>> I've opened a ticket, thanks.

I do not see it.

>> When I manually turn off the network interfaces on the master, the
>> replica does not take over.
> How you test it?
> The client will fail over if it can't access the server that you turned
> off.
>
>
>> For the record, the documentation makes no discernible differentiation
>> between IPA's DNS and external DNS:
>>
>> "Once the installation process completes, update the DNS entries so
>> that IPA clients can discover the new server. For example, for an IPA
>> replica with a hostname of ipareplica.example.com:"
> Thanks.
>
>> --Jason
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbingram at gmail.com Mon Apr 9 19:00:22 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 9 Apr 2012 12:00:22 -0700
Subject: [Freeipa-users] --subject option for ipa-server-install
In-Reply-To: <4F832BD5.1000507@redhat.com>
References: <4F832BD5.1000507@redhat.com>
Message-ID:

On Mon, Apr 9, 2012 at 11:35 AM, Dmitri Pal wrote:
> On 04/09/2012 02:25 PM, Stephen Ingram wrote:
>> In an attempt to make the CA certificate from IPA a little more
>> noticeable for the users in our realm I've successfully used the
>> --subject option during the ipa-server-install process. It seems
>> however, that you cannot change the CN from the default "Certificate
>> Authority". I've added O=, OU= and C=, but as some certificate
>> managers in browsers/os's (i.e. Mac OS X) organize certificates by CN
>> name, it would be nice to point to something representing the company
>> name instead of the generic Certificate Authority. It even seems that
>> in the older 2.0 release candidates, they used the default "REALM
>> Certificate Authority" for the CN instead of just Certificate
>> Authority. Can this be easily changed so that at least the realm could
>> be slipped in front of Certificate Authority or customize the CN
>> altogether?
>>
>
> Please open an RFE ticket.

Done. Ticket 2614.
Steve

From sakodak at gmail.com Mon Apr 9 19:02:59 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 9 Apr 2012 14:02:59 -0500
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To: <4F83302D.1030104@redhat.com>
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com>
Message-ID:

On Mon, Apr 9, 2012 at 1:53 PM, Dmitri Pal wrote:
> On 04/09/2012 02:50 PM, KodaK wrote:
>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>> I'm stumped.
>>>>>>
>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>
>>>>>> Updating DNS for IPA Replicas
>>>>>>
>>>>>> After you have configured a new IPA replica, you should update your
>>>>>> DNS entries so that IPA clients can discover the new server. For
>>>>>> example, for an IPA replica with a server name of $HOST, you should
>>>>>> add the following entries to your zone file:
>>>>>>
>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>
>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>> add in the future?)
>>>>>>
>>>>> What DNS server do you use?
>>>>> Did you consider using DNS server that comes with IPA?
>>>>>
>>>> I am using the DNS server that comes with IPA.
>>> Then the replicas are added automatically to the DNS servers managed by
>>> IPA. I think the documentation refers to the case when you are not using
>>> the DNS server provided by IPA. Then you need to add mentioned entries.
>>> If this is not clear please open a ticket and provide a pointer to the
>>> section that caused the confusion.
>> I've opened a ticket, thanks.
>>
>> When I manually turn off the network interfaces on the master, the
>> replica does not take over.
>
> How you test it?
> The client will fail over if it can't access the server that you turned
> off.
>
>
>> For the record, the documentation makes no discernible differentiation
>> between IPA's DNS and external DNS:
>>
>> "Once the installation process completes, update the DNS entries so
>> that IPA clients can discover the new server. For example, for an IPA
>> replica with a hostname of ipareplica.example.com:"
>

Sorry, I thought I did reply to the list.

I must be misunderstanding something. When I ipa-replica-install it does not automatically set up a DNS replica, correct? When I run

ipa dnsrecord-add domain.com @ --ns-rec slpidml02.unix.magellanhealth.com.

I'm only telling IPA that this new host is now a nameserver, correct? So at what point do DNS entries replicate? Or do I set that up outside of IPA?
Thanks again,

--Jason

From sakodak at gmail.com Mon Apr 9 19:04:05 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 9 Apr 2012 14:04:05 -0500
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To: <4F8330DD.8040804@redhat.com>
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com> <4F8330DD.8040804@redhat.com>
Message-ID:

On Mon, Apr 9, 2012 at 1:56 PM, Dmitri Pal wrote:
> On 04/09/2012 02:53 PM, Dmitri Pal wrote:
>> On 04/09/2012 02:50 PM, KodaK wrote:
>>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>>> I'm stumped.
>>>>>>>
>>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>>
>>>>>>> Updating DNS for IPA Replicas
>>>>>>>
>>>>>>> After you have configured a new IPA replica, you should update your
>>>>>>> DNS entries so that IPA clients can discover the new server. For
>>>>>>> example, for an IPA replica with a server name of $HOST, you should
>>>>>>> add the following entries to your zone file:
>>>>>>>
>>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>>
>>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>>> add in the future?)
>>>>>>>
>>>>>> What DNS server do you use?
>>>>>> Did you consider using DNS server that comes with IPA?
>>>>>>
>>>>> I am using the DNS server that comes with IPA.
>>>> Then the replicas are added automatically to the DNS servers managed by
>>>> IPA. I think the documentation refers to the case when you are not using
>>>> the DNS server provided by IPA. Then you need to add mentioned entries.
>>>> If this is not clear please open a ticket and provide a pointer to the
>>>> section that caused the confusion.
>>> I've opened a ticket, thanks.
>
> I do not see it.

I opened a ticket at access.redhat.com, if there's another place you'd rather I open it I can do that too, sorry.
--Jason

From dpal at redhat.com Mon Apr 9 19:36:57 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Apr 2012 15:36:57 -0400
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To:
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com> <4F8330DD.8040804@redhat.com>
Message-ID: <4F833A59.3020706@redhat.com>

On 04/09/2012 03:04 PM, KodaK wrote:
> On Mon, Apr 9, 2012 at 1:56 PM, Dmitri Pal wrote:
>> On 04/09/2012 02:53 PM, Dmitri Pal wrote:
>>> On 04/09/2012 02:50 PM, KodaK wrote:
>>>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>>>> I'm stumped.
>>>>>>>>
>>>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>>>
>>>>>>>> Updating DNS for IPA Replicas
>>>>>>>>
>>>>>>>> After you have configured a new IPA replica, you should update your
>>>>>>>> DNS entries so that IPA clients can discover the new server. For
>>>>>>>> example, for an IPA replica with a server name of $HOST, you should
>>>>>>>> add the following entries to your zone file:
>>>>>>>>
>>>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>>>
>>>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>>>> add in the future?)
>>>>>>>>
>>>>>>> What DNS server do you use?
>>>>>>> Did you consider using the DNS server that comes with IPA?
>>>>>>>
>>>>>> I am using the DNS server that comes with IPA.
>>>>> Then the replicas are added automatically to the DNS servers managed by
>>>>> IPA. I think the documentation refers to the case when you are not using
>>>>> the DNS server provided by IPA. Then you need to add the mentioned entries.
>>>>> If this is not clear please open a ticket and provide a pointer to the
>>>>> section that caused the confusion.
>>>> I've opened a ticket, thanks.
>> I do not see it.
> I opened a ticket at access.redhat.com, if there's another place you'd
> rather I open it I can do that too, sorry.
>
> --Jason

You are on the open source project mailing list so the tickets should go into the trac instance:
https://fedorahosted.org/freeipa/

You need to have a Fedora user account to log the ticket.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sakodak at gmail.com Mon Apr 9 19:39:21 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 9 Apr 2012 14:39:21 -0500
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To:
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com> <4F8330DD.8040804@redhat.com>
Message-ID:

On Mon, Apr 9, 2012 at 2:04 PM, KodaK wrote:
> On Mon, Apr 9, 2012 at 1:56 PM, Dmitri Pal wrote:
>> On 04/09/2012 02:53 PM, Dmitri Pal wrote:
>>> On 04/09/2012 02:50 PM, KodaK wrote:
>>>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>>>> I'm stumped.
>>>>>>>>
>>>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>>>
>>>>>>>> Updating DNS for IPA Replicas
>>>>>>>>
>>>>>>>> After you have configured a new IPA replica, you should update your
>>>>>>>> DNS entries so that IPA clients can discover the new server. For
>>>>>>>> example, for an IPA replica with a server name of $HOST, you should
>>>>>>>> add the following entries to your zone file:
>>>>>>>>
>>>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>>>
>>>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>>>> add in the future?)
>>>>>>>>
>>>>>>> What DNS server do you use?
>>>>>>> Did you consider using the DNS server that comes with IPA?
>>>>>>>
>>>>>> I am using the DNS server that comes with IPA.
>>>>> Then the replicas are added automatically to the DNS servers managed by
>>>>> IPA. I think the documentation refers to the case when you are not using
>>>>> the DNS server provided by IPA. Then you need to add the mentioned entries.
>>>>> If this is not clear please open a ticket and provide a pointer to the
>>>>> section that caused the confusion.
>>>> I've opened a ticket, thanks.
>>
>> I do not see it.
>
> I opened a ticket at access.redhat.com, if there's another place you'd
> rather I open it I can do that too, sorry.

I've opened a bugzilla ticket (two, actually.)
--Jason

From dpal at redhat.com Mon Apr 9 19:40:36 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Apr 2012 15:40:36 -0400
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To:
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com>
Message-ID: <4F833B34.3040503@redhat.com>

On 04/09/2012 03:02 PM, KodaK wrote:
> On Mon, Apr 9, 2012 at 1:53 PM, Dmitri Pal wrote:
>> On 04/09/2012 02:50 PM, KodaK wrote:
>>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>>> I'm stumped.
>>>>>>>
>>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>>
>>>>>>> Updating DNS for IPA Replicas
>>>>>>>
>>>>>>> After you have configured a new IPA replica, you should update your
>>>>>>> DNS entries so that IPA clients can discover the new server. For
>>>>>>> example, for an IPA replica with a server name of $HOST, you should
>>>>>>> add the following entries to your zone file:
>>>>>>>
>>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>>
>>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>>> add in the future?)
>>>>>>>
>>>>>> What DNS server do you use?
>>>>>> Did you consider using the DNS server that comes with IPA?
>>>>>>
>>>>> I am using the DNS server that comes with IPA.
>>>> Then the replicas are added automatically to the DNS servers managed by
>>>> IPA. I think the documentation refers to the case when you are not using
>>>> the DNS server provided by IPA. Then you need to add the mentioned entries.
>>>> If this is not clear please open a ticket and provide a pointer to the
>>>> section that caused the confusion.
>>> I've opened a ticket, thanks.
>>>
>>> When I manually turn off the network interfaces on the master, the
>>> replica does not take over.
>> How do you test it?
>> The client will fail over if it can't access the server that you turned
>> off.
>>
>>
>>> For the record, the documentation makes no discernible differentiation
>>> between IPA's DNS and external DNS:
>>>
>>> "Once the installation process completes, update the DNS entries so
>>> that IPA clients can discover the new server. For example, for an IPA
>>> replica with a hostname of ipareplica.example.com:"
> Sorry, I thought I did reply to the list.
>
> I must be misunderstanding something.
>
> When I ipa-replica-install it does not automatically set up a DNS
> replica, correct?
>
> When I run ipa dnsrecord-add domain.com @ --ns-rec
> slpidml02.unix.magellanhealth.com. I'm only telling IPA that this new
> host is now a nameserver, correct?
>
> So at what point do DNS entries replicate? Or do I set that up outside of IPA?
>
> Thanks again,
>
> --Jason

Rob,

When we add replicas, do we create SRV records for them automatically? I thought so but maybe I am wrong? Can you please chime in?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Mon Apr 9 19:41:02 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 09 Apr 2012 15:41:02 -0400
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To:
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com> <4F8330DD.8040804@redhat.com>
Message-ID: <4F833B4E.10604@redhat.com>

On 04/09/2012 03:39 PM, KodaK wrote:
> On Mon, Apr 9, 2012 at 2:04 PM, KodaK wrote:
>> On Mon, Apr 9, 2012 at 1:56 PM, Dmitri Pal wrote:
>>> On 04/09/2012 02:53 PM, Dmitri Pal wrote:
>>>> On 04/09/2012 02:50 PM, KodaK wrote:
>>>>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>>>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>>>>> I'm stumped.
>>>>>>>>>
>>>>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>>>>
>>>>>>>>> Updating DNS for IPA Replicas
>>>>>>>>>
>>>>>>>>> After you have configured a new IPA replica, you should update your
>>>>>>>>> DNS entries so that IPA clients can discover the new server. For
>>>>>>>>> example, for an IPA replica with a server name of $HOST, you should
>>>>>>>>> add the following entries to your zone file:
>>>>>>>>>
>>>>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>>>>
>>>>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>>>>> add in the future?)
>>>>>>>>>
>>>>>>>> What DNS server do you use?
>>>>>>>> Did you consider using the DNS server that comes with IPA?
>>>>>>>>
>>>>>>> I am using the DNS server that comes with IPA.
>>>>>> Then the replicas are added automatically to the DNS servers managed by
>>>>>> IPA. I think the documentation refers to the case when you are not using
>>>>>> the DNS server provided by IPA. Then you need to add the mentioned entries.
>>>>>> If this is not clear please open a ticket and provide a pointer to the
>>>>>> section that caused the confusion.
>>>>> I've opened a ticket, thanks.
>>> I do not see it.
>> I opened a ticket at access.redhat.com, if there's another place you'd
>> rather I open it I can do that too, sorry.
> I've opened a bugzilla ticket (two, actually.)
>
> --Jason

Ok, this is fine.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
From rcritten at redhat.com Mon Apr 9 20:01:26 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 09 Apr 2012 16:01:26 -0400
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To: <4F833B34.3040503@redhat.com>
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com> <4F833B34.3040503@redhat.com>
Message-ID: <4F834016.1090901@redhat.com>

Dmitri Pal wrote:
> On 04/09/2012 03:02 PM, KodaK wrote:
>> On Mon, Apr 9, 2012 at 1:53 PM, Dmitri Pal wrote:
>>> On 04/09/2012 02:50 PM, KodaK wrote:
>>>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>>>> I'm stumped.
>>>>>>>>
>>>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>>>
>>>>>>>> Updating DNS for IPA Replicas
>>>>>>>>
>>>>>>>> After you have configured a new IPA replica, you should update your
>>>>>>>> DNS entries so that IPA clients can discover the new server. For
>>>>>>>> example, for an IPA replica with a server name of $HOST, you should
>>>>>>>> add the following entries to your zone file:
>>>>>>>>
>>>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>>>
>>>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>>>> add in the future?)
>>>>>>>>
>>>>>>> What DNS server do you use?
>>>>>>> Did you consider using the DNS server that comes with IPA?
>>>>>>>
>>>>>> I am using the DNS server that comes with IPA.
>>>>> Then the replicas are added automatically to the DNS servers managed by
>>>>> IPA. I think the documentation refers to the case when you are not using
>>>>> the DNS server provided by IPA. Then you need to add the mentioned entries.
>>>>> If this is not clear please open a ticket and provide a pointer to the
>>>>> section that caused the confusion.
>>>> I've opened a ticket, thanks.
>>>>
>>>> When I manually turn off the network interfaces on the master, the
>>>> replica does not take over.
>>> How do you test it?
>>> The client will fail over if it can't access the server that you turned
>>> off.
>>>
>>>
>>>> For the record, the documentation makes no discernible differentiation
>>>> between IPA's DNS and external DNS:
>>>>
>>>> "Once the installation process completes, update the DNS entries so
>>>> that IPA clients can discover the new server. For example, for an IPA
>>>> replica with a hostname of ipareplica.example.com:"
>> Sorry, I thought I did reply to the list.
>>
>> I must be misunderstanding something.
>>
>> When I ipa-replica-install it does not automatically set up a DNS
>> replica, correct?
>>
>> When I run ipa dnsrecord-add domain.com @ --ns-rec
>> slpidml02.unix.magellanhealth.com. I'm only telling IPA that this new
>> host is now a nameserver, correct?
>>
>> So at what point do DNS entries replicate? Or do I set that up outside of IPA?
>>
>> Thanks again,
>>
>> --Jason
>
> Rob,
>
> When we add replicas, do we create SRV records for them automatically? I
> thought so but maybe I am wrong? Can you please chime in?
>

Yes, we always try to create the SRV records when installing a replica.

rob

From sakodak at gmail.com Mon Apr 9 20:46:27 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 9 Apr 2012 15:46:27 -0500
Subject: [Freeipa-users] Setting up replication, documentation unclear regarding DNS entries
In-Reply-To: <4F834016.1090901@redhat.com>
References: <4F832BBA.7000809@redhat.com> <4F832E99.8000601@redhat.com> <4F83302D.1030104@redhat.com> <4F833B34.3040503@redhat.com> <4F834016.1090901@redhat.com>
Message-ID:

On Mon, Apr 9, 2012 at 3:01 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 04/09/2012 03:02 PM, KodaK wrote:
>>> On Mon, Apr 9, 2012 at 1:53 PM, Dmitri Pal wrote:
>>>> On 04/09/2012 02:50 PM, KodaK wrote:
>>>>> On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal wrote:
>>>>>> On 04/09/2012 02:41 PM, KodaK wrote:
>>>>>>> On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal wrote:
>>>>>>>> On 04/09/2012 02:07 PM, KodaK wrote:
>>>>>>>>> I have two IPA servers. The primary/master is SLPIDML01 and the
>>>>>>>>> replica is SLPIDML01. I have followed the instructions for creating a
>>>>>>>>> replica and the install on SLPIDML02 completed successfully. However,
>>>>>>>>> the instructions tell me to add some entries to the DNS zone file, and
>>>>>>>>> I'm stumped.
>>>>>>>>>
>>>>>>>>> The FreeIPA documentation has this to say about setting up DNS for replicas:
>>>>>>>>>
>>>>>>>>> Updating DNS for IPA Replicas
>>>>>>>>>
>>>>>>>>> After you have configured a new IPA replica, you should update your
>>>>>>>>> DNS entries so that IPA clients can discover the new server. For
>>>>>>>>> example, for an IPA replica with a server name of $HOST, you should
>>>>>>>>> add the following entries to your zone file:
>>>>>>>>>
>>>>>>>>> _ldap._tcp             IN SRV 0 100 389 $HOST
>>>>>>>>> _kerberos._tcp         IN SRV 0 100 88  $HOST
>>>>>>>>> _kerberos._udp         IN SRV 0 100 88  $HOST
>>>>>>>>> _kerberos-master._tcp  IN SRV 0 100 88  $HOST
>>>>>>>>> _kerberos-master._udp  IN SRV 0 100 88  $HOST
>>>>>>>>> _kpasswd._tcp          IN SRV 0 100 464 $HOST
>>>>>>>>> _kpasswd._udp          IN SRV 0 100 464 $HOST
>>>>>>>>> _ntp._udp              IN SRV 0 100 123 $HOST
>>>>>>>>>
>>>>>>>>> I know very little about configuring DNS. Where exactly should this
>>>>>>>>> go? It says to add it to your zone file, all I see is a
>>>>>>>>> named.rfc1912.zones file, and it appears to be rather structured. Do
>>>>>>>>> I just dump these at the end? That doesn't seem to make any sense. I
>>>>>>>>> see a reference to /var/named/example.com.zone.db, but I don't have
>>>>>>>>> one for my domain, and I still don't know what the format of the file
>>>>>>>>> should be. Do I need to make entries for both hosts (and any others I
>>>>>>>>> add in the future?)
>>>>>>>>>
>>>>>>>> What DNS server do you use?
>>>>>>>> Did you consider using the DNS server that comes with IPA?
>>>>>>>>
>>>>>>> I am using the DNS server that comes with IPA.
>>>>>> Then the replicas are added automatically to the DNS servers managed by
>>>>>> IPA. I think the documentation refers to the case when you are not using
>>>>>> the DNS server provided by IPA. Then you need to add the mentioned entries.
>>>>>> If this is not clear please open a ticket and provide a pointer to the
>>>>>> section that caused the confusion.
>>>>> I've opened a ticket, thanks.
>>>>>
>>>>> When I manually turn off the network interfaces on the master, the
>>>>> replica does not take over.
>>>> How do you test it?
>>>> The client will fail over if it can't access the server that you turned
>>>> off.
>>>>
>>>>
>>>>> For the record, the documentation makes no discernible differentiation
>>>>> between IPA's DNS and external DNS:
>>>>>
>>>>> "Once the installation process completes, update the DNS entries so
>>>>> that IPA clients can discover the new server. For example, for an IPA
>>>>> replica with a hostname of ipareplica.example.com:"
>>> Sorry, I thought I did reply to the list.
>>>
>>> I must be misunderstanding something.
>>>
>>> When I ipa-replica-install it does not automatically set up a DNS
>>> replica, correct?
>>>
>>> When I run ipa dnsrecord-add domain.com @ --ns-rec
>>> slpidml02.unix.magellanhealth.com. I'm only telling IPA that this new
>>> host is now a nameserver, correct?
>>>
>>> So at what point do DNS entries replicate? Or do I set that up outside
>>> of IPA?
>>>
>>> Thanks again,
>>>
>>> --Jason
>>
>> Rob,
>>
>> When we add replicas, do we create SRV records for them automatically? I
>> thought so but maybe I am wrong? Can you please chime in?
>>
>
> Yes, we always try to create the SRV records when installing a replica.
>

Ok, thanks, guys. I must have something misconfigured, then. I'll dig a bit and probably post again later. At least I know what it *should* be doing now.
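The SRV records quoted in this thread are what an IPA client uses to find its servers, so after adding a replica (whether IPA's own DNS or an external zone is in play) it is worth checking that every server advertises the complete set. The following checker is an added example, not code from the mail or from FreeIPA: it parses a zone-file snippet and reports, for each host named as an SRV target, which of the documented service records are missing or point at the wrong port. It also applies the rule Petr Spacek states in the CNAME thread further down the page, that a name holding a CNAME may carry no other record. The zone origin example.com and the hosts ipa1, ipa2 and monitor are constructed for the example.

```python
from collections import defaultdict

# Service -> port every IPA server must advertise, taken from the zone-file
# entries quoted in the thread above.
IPA_SRV_PORTS = {
    "_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464, "_ntp._udp": 123,
}


def fqdn(name, origin):
    """Absolute, lower-case, dot-terminated form of a zone-file name."""
    zone = origin.lower().rstrip(".") + "."
    name = name.lower()
    if name == "@":
        return zone
    return name if name.endswith(".") else f"{name}.{zone}"


def parse_zone(zone_text, origin):
    """Parse single-line 'owner [ttl] [IN] type rdata...' records; comments,
    $-directives and the multi-line/blank-owner forms are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        owner = fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if len(tokens) >= 2:
            records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def check_ipa_zone(zone_text, origin):
    """Return {'servers': {fqdn: [problems]}, 'errors': [zone-wide problems]}."""
    zone = fqdn("@", origin)
    by_owner = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in parse_zone(zone_text, origin):
        by_owner[owner][rtype].append(rdata)

    errors = []
    srv = defaultdict(dict)  # service label -> {target fqdn: port}
    for owner, types in by_owner.items():
        # A name holding a CNAME may carry no other record type (the rule
        # Petr Spacek states in the CNAME thread further down the page).
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(t for t in types if t != "CNAME"))
            errors.append(f"{owner} mixes CNAME with {others}")
        if not owner.endswith("." + zone):
            continue
        service = owner[: -len(zone) - 1]
        for rdata in types.get("SRV", []):
            if len(rdata) != 4 or not rdata[2].isdigit():
                errors.append(f"malformed SRV record at {owner}")
                continue
            srv[service][fqdn(rdata[3], origin)] = int(rdata[2])

    # Any target of an IPA service record is treated as an IPA server and
    # must carry the complete set.
    servers = {t for s in IPA_SRV_PORTS for t in srv.get(s, {})}
    report = {}
    for host in sorted(servers):
        problems = []
        for service, port in IPA_SRV_PORTS.items():
            got = srv[service].get(host)
            if got is None:
                problems.append(f"missing {service} SRV record")
            elif got != port:
                problems.append(f"{service} points at port {got}, expected {port}")
        # RFC 2782: an SRV target must own an address record, not an alias.
        if "A" not in by_owner[host] and "AAAA" not in by_owner[host]:
            problems.append("no A/AAAA record for SRV target")
        report[host] = problems
    return {"servers": report, "errors": errors}


# Constructed sample (not from the thread): ipa1 is complete, ipa2 advertises
# only LDAP and on the wrong port, and "monitor" mixes a CNAME with an A.
SAMPLE_ZONE = """\
ipa1                   IN A   192.0.2.10
ipa2                   IN A   192.0.2.11
monitor                IN CNAME ipa1
monitor                IN A   192.0.2.12
_ldap._tcp             IN SRV 0 100 389 ipa1
_kerberos._tcp         IN SRV 0 100 88  ipa1
_kerberos._udp         IN SRV 0 100 88  ipa1
_kerberos-master._tcp  IN SRV 0 100 88  ipa1
_kerberos-master._udp  IN SRV 0 100 88  ipa1
_kpasswd._tcp          IN SRV 0 100 464 ipa1
_kpasswd._udp          IN SRV 0 100 464 ipa1
_ntp._udp              IN SRV 0 100 123 ipa1
_ldap._tcp             IN SRV 0 100 636 ipa2
"""
```

Running `check_ipa_zone(SAMPLE_ZONE, "example.com")` reports ipa1 as clean, flags ipa2's LDAP port and its seven missing services, and lists the CNAME/A conflict on monitor under errors.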
--Jason

From sbingram at gmail.com Tue Apr 10 13:27:45 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Tue, 10 Apr 2012 06:27:45 -0700
Subject: [Freeipa-users] --subject option for ipa-server-install
In-Reply-To:
References: <4F832BD5.1000507@redhat.com>
Message-ID:

On Mon, Apr 9, 2012 at 12:00 PM, Stephen Ingram wrote:
> On Mon, Apr 9, 2012 at 11:35 AM, Dmitri Pal wrote:
>> On 04/09/2012 02:25 PM, Stephen Ingram wrote:
>>> In an attempt to make the CA certificate from IPA a little more
>>> noticeable for the users in our realm I've successfully used the
>>> --subject option during the ipa-server-install process. It seems
>>> however, that you cannot change the CN from the default "Certificate
>>> Authority". I've added O=, OU= and C=, but as some certificate
>>> managers in browsers/os's (i.e. Mac OS X) organize certificates by CN
>>> name, it would be nice to point to something representing the company
>>> name instead of the generic Certificate Authority. It even seems that
>>> in the older 2.0 release candidates, they used the default "REALM
>>> Certificate Authority" for the CN instead of just Certificate
>>> Authority. Can this be easily changed so that at least the realm could
>>> be slipped in front of Certificate Authority or customize the CN
>>> altogether?
>>>
>>
>> Please open an RFE ticket.
>
> Done. Ticket 2614.

In the meantime, I've changed /usr/lib/python2.x/site-packages/ipaserver/install/cainstance.py to force a CN and obtained a successful install. After the install, trying to create a cert failed so I also patched /usr/lib/python2.x/site-packages/ipalib/x509.py to allow for the different CN. Is there anywhere else I could get into trouble later on that might also need to be changed?

Steve

From rcritten at redhat.com Tue Apr 10 14:17:03 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 10 Apr 2012 10:17:03 -0400
Subject: [Freeipa-users] --subject option for ipa-server-install
In-Reply-To:
References: <4F832BD5.1000507@redhat.com>
Message-ID: <4F8440DF.6000805@redhat.com>

Stephen Ingram wrote:
> On Mon, Apr 9, 2012 at 12:00 PM, Stephen Ingram wrote:
>> On Mon, Apr 9, 2012 at 11:35 AM, Dmitri Pal wrote:
>>> On 04/09/2012 02:25 PM, Stephen Ingram wrote:
>>>> In an attempt to make the CA certificate from IPA a little more
>>>> noticeable for the users in our realm I've successfully used the
>>>> --subject option during the ipa-server-install process. It seems
>>>> however, that you cannot change the CN from the default "Certificate
>>>> Authority". I've added O=, OU= and C=, but as some certificate
>>>> managers in browsers/os's (i.e. Mac OS X) organize certificates by CN
>>>> name, it would be nice to point to something representing the company
>>>> name instead of the generic Certificate Authority. It even seems that
>>>> in the older 2.0 release candidates, they used the default "REALM
>>>> Certificate Authority" for the CN instead of just Certificate
>>>> Authority. Can this be easily changed so that at least the realm could
>>>> be slipped in front of Certificate Authority or customize the CN
>>>> altogether?
>>>>
>>>
>>> Please open an RFE ticket.
>>
>> Done. Ticket 2614.
>
> In the meantime, I've changed
> /usr/lib/python2.x/site-packages/ipaserver/install/cainstance.py to
> force a CN and obtained a successful install. After the install,
> trying to create a cert failed so I also patched
> /usr/lib/python2.x/site-packages/ipalib/x509.py to allow for the
> different CN. Is there anywhere else I could get into trouble later on
> that might also need to be changed?

I think you might have issues if you try to install a replica. You'd probably need to change ipaserver/install/certs.py, plus duplicate the other changes as well.
rob

From christoph.kaminski at biotronik.com Wed Apr 11 18:21:35 2012
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Wed, 11 Apr 2012 20:21:35 +0200
Subject: [Freeipa-users] Problem with DNS
Message-ID:

An HTML attachment was scrubbed...
URL:

From simo at redhat.com Wed Apr 11 18:30:11 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 11 Apr 2012 14:30:11 -0400
Subject: [Freeipa-users] Problem with DNS
In-Reply-To:
References:
Message-ID: <1334169011.28422.16.camel@willson.li.ssimo.org>

Is your client pointing at the ipa server as DNS server ?
See /etc/resolv.conf

The symptoms look like you may not be doing that or that you may be pointing at other DNS servers too that do not have the information you are looking for.

Simo.

On Wed, 2012-04-11 at 20:21 +0200, Christoph Kaminski wrote:
> Hi All
>
> I have a problem with cnames in ipa dns settings. If I set a cname, it
> doesn't work. I have configured a cname 'icinga' to A record 'azazel'.
> If I do 'host azazel' then I get:
> azazel.chao5.int has address 192.168.50.20
> Host azazel.chao5.int not found: 3(NXDOMAIN)
> Host azazel.chao5.int not found: 3(NXDOMAIN)
> (yep 2 times the same)
>
> If I do 'host icinga' then I get:
> Host icinga not found: 3(NXDOMAIN)
>
> This doesn't work either: 'ipa dns-resolve icinga'
> ipa: ERROR: Host 'icinga.chao5.int.' not found
>
> In LDAP I can see the attrib: 'cNAMERecord icinga' on
> 'idnsname=azazel,idnsname=chao5.int,cn=dns,dc=chao5,dc=int'
> what can be the problem?
>
> IPA Version is the last stable for centos6.
>
> TiA
>
> Regards
> Christoph Kaminski
>
>
>
> www.biotronik.com
>
> ______________________________________________________________________
>
> BIOTRONIK SE & Co. KG
> Woermannkehre 1, 12359 Berlin, Germany
> Registered office: Berlin, Register court: Berlin HRA 6501
>
> Represented by its general partner:
> BIOTRONIK MT SE
> Registered office: Berlin, Register court: Berlin HRB 118866 B
> Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr.
> Lothar Krings, Dr. Torsten Wolf
>
> ______________________________________________________________________
>
> BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm
> Management systems and Vascular Intervention devices. Quality,
> innovation, and reliability define BIOTRONIK and our growing success.
> We are innovators of technologies like the first wireless remote
> monitoring system - Home Monitoring®, Closed Loop Stimulation and
> coveted lead solutions as well as state-of-the-art stents, balloons
> and guide wires for coronary and peripheral indications. We highly
> invest in the development of drug eluting devices and are leading the
> industry with our drug eluting absorbable metal scaffold program.
>
> ______________________________________________________________________
>
> This e-mail and the information it contains including attachments are
> confidential and meant only for use by the intended recipient(s);
> disclosure or copying is strictly prohibited. If you are not
> addressed, but in the possession of this e-mail, please notify the
> sender immediately and delete the document.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Simo Sorce * Red Hat, Inc * New York

From christoph.kaminski at biotronik.com Wed Apr 11 19:14:46 2012
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Wed, 11 Apr 2012 21:14:46 +0200
Subject: [Freeipa-users] Antwort: Re: Problem with DNS
In-Reply-To: <1334169011.28422.16.camel@willson.li.ssimo.org>
References: <1334169011.28422.16.camel@willson.li.ssimo.org>,
Message-ID:

An HTML attachment was scrubbed...
URL: From pspacek at redhat.com Wed Apr 11 19:37:22 2012 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 11 Apr 2012 21:37:22 +0200 Subject: [Freeipa-users] Problem with DNS In-Reply-To: References: Message-ID: <4F85DD72.5030301@redhat.com> Hello, On 04/11/2012 08:21 PM, Christoph Kaminski wrote: > Hi All > > I have a problem with cnames in ipa dns settings. If I set a cname, it > doesnt work. I have configured a cname 'icinga' to A record 'azazel'. > If I do 'host azazel' then I get: > azazel.chao5.int has address 192.168.50.20 > Host azazel.chao5.int not found: 3(NXDOMAIN) > Host azazel.chao5.int not found: 3(NXDOMAIN) > (yep 2 times the same) > > If I do 'host icinga' then I get: > Host icinga not found: 3(NXDOMAIN) > > This doesnt work to: 'ipa dns-resolve icinga' > ipa: ERROR: Host 'icinga.chao5.int.' not found > > In LDAP I can see the attrib: 'cNAMERecord icinga' on > 'idnsname=azazel,idnsname=chao5.int,cn=dns,dc=chao5,dc=int' > what can be the problem? These names are flipped, I think. Do you want to create cname "alias" icinga => azazel, right? So when somebody resolves icinga, he actually gets record for azazel. It's meant in this way? If I understood correctly, you have to create LDAP object 'idnsname=icinga,idnsname=chao5.int,cn=dns,dc=chao5,dc=int' with cNAMERecord 'azazel'. It says 'if you are looking for name icinga, right place is azazel'. I tested this on RHEL 6.2 with bind-dyndb-ldap.x86_64 0:0.2.0-7.el6. Right IPA command is: ipa dnsrecord-add chao5.int icinga --cname-rec=azazel Please don't forget to remove cname attribute from azazel. It's not allowed to mix cname with other records. In that case behaviour is undefined. > IPA Version is the last stable for centos6. 
Please provide exact version number:
rpm -q bind-dyndb-ldap

Petr^2 Spacek

> TiA
>
> MfG
> Christoph Kaminski


From christoph.kaminski at biotronik.com Wed Apr 11 20:10:18 2012
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Wed, 11 Apr 2012 22:10:18 +0200
Subject: [Freeipa-users] Antwort: Re: Problem with DNS
In-Reply-To: <4F85DD72.5030301@redhat.com>
References: <4F85DD72.5030301@redhat.com>,
Message-ID:

An HTML attachment was scrubbed...


From pspacek at redhat.com Wed Apr 11 20:26:36 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 11 Apr 2012 22:26:36 +0200
Subject: [Freeipa-users] Antwort: Re: Problem with DNS
In-Reply-To:
References: <4F85DD72.5030301@redhat.com>,
Message-ID: <4F85E8FC.2020804@redhat.com>

On 04/11/2012 10:10 PM, Christoph Kaminski wrote:
> [root@cerber ~]# rpm -q bind-dyndb-ldap
> bind-dyndb-ldap-0.2.0-7.el6.x86_64
>
> yep found the solution too (with help from ipa irc channel)...
> The GUI and the ipa tools created the cNAMERecord inside the A Object.
> This doesn't work. It needs to be a separate Object for cname. In
> unstable IPA it is already fixed/changed.

As I wrote below, it works in latest RHEL 6.2. If your CentOS has an
equivalent, you can upgrade to latest stable.

Petr^2 Spacek

>
> MfG
> Christoph Kaminski
>
>
> -----freeipa-users-bounces at redhat.com wrote: -----
>
> Hello,
>
> On 04/11/2012 08:21 PM, Christoph Kaminski wrote:
> > Hi All
> >
> > I have a problem with cnames in ipa dns settings. If I set a
> cname, it
> > doesn't work. I have configured a cname 'icinga' to A record 'azazel'.
> > If I do 'host azazel' then I get:
> > azazel.chao5.int has address 192.168.50.20
> > Host azazel.chao5.int not found: 3(NXDOMAIN)
> > Host azazel.chao5.int not found: 3(NXDOMAIN)
> > (yep 2 times the same)
> >
> > If I do 'host icinga' then I get:
> > Host icinga not found: 3(NXDOMAIN)
> >
> > This doesn't work too: 'ipa dns-resolve icinga'
> > ipa: ERROR: Host 'icinga.chao5.int.'
> > not found
> >
> > In LDAP I can see the attrib: 'cNAMERecord icinga' on
> > 'idnsname=azazel,idnsname=chao5.int,cn=dns,dc=chao5,dc=int'
> > what can be the problem?
> These names are flipped, I think.
> Do you want to create cname "alias" icinga => azazel, right? So when
> somebody resolves icinga, he actually gets record for azazel. It's
> meant
> in this way?
>
> If I understood correctly, you have to create LDAP object
> 'idnsname=icinga,idnsname=chao5.int,cn=dns,dc=chao5,dc=int' with
> cNAMERecord 'azazel'.
>
> It says 'if you are looking for name icinga, right place is azazel'.
>
> I tested this on RHEL 6.2 with bind-dyndb-ldap.x86_64 0:0.2.0-7.el6.
>
> Right IPA command is:
> ipa dnsrecord-add chao5.int icinga --cname-rec=azazel
>
>
> Please don't forget to remove cname attribute from azazel. It's not
> allowed to mix cname with other records. In that case behaviour is
> undefined.
>
> > IPA Version is the last stable for centos6.
> Please provide exact version number:
> rpm -q bind-dyndb-ldap
>
> Petr^2 Spacek
>
> > TiA
> >
> > MfG
> > Christoph Kaminski


From Steven.Jones at vuw.ac.nz Thu Apr 12 04:09:20 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 12 Apr 2012 04:09:20 +0000
Subject: [Freeipa-users] Unable to login where previously OK
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC767E5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have a user, myself, that used to be able to login to a specific IPA client / host but I am no longer able to....

The /var/log/secure log appears to be telling me my password is wrong, so I reset it in IPA, but on initial login I can't put in the temp password and then reset it....I still get denied. I am also having a similar problem for a new user....

So I went to another client/host and I can login and set a new password...so IPA looks to be OK....so it's either a rule or the client/host is broken....

Next I went into the allow_all HBAC policy and turned it back on but I am still denied.....
So where do I look for a specific failure msg to tell me the issue? I assume it's the host/client side....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272


From jhrozek at redhat.com Thu Apr 12 07:47:58 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 12 Apr 2012 09:47:58 +0200
Subject: [Freeipa-users] Unable to login where previously OK
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC767E5@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC767E5@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120412074758.GA15350@hendrix.redhat.com>

On Thu, Apr 12, 2012 at 04:09:20AM +0000, Steven Jones wrote:
> Hi,
>
> I have a user, myself, that used to be able to login to a specific IPA client / host but I am no longer able to....
>
> The /var/log/secure log appears to be telling me my password is wrong, so I reset it in IPA, but on initial login I can't put in the temp password and then reset it....I still get denied. I am also having a similar problem for a new user....
>
> So I went to another client/host and I can login and set a new password...so IPA looks to be OK....so it's either a rule or the client/host is broken....
>
> Next I went into the allow_all HBAC policy and turned it back on but I am still denied.....
>
> So where do I look for a specific failure msg to tell me the issue? I assume it's the host/client side....
>

Can you paste what /var/log/secure or /var/log/messages had to say?

If there is nothing to trace the error with, can you enable debugging(*) in SSSD and paste the relevant contents of the SSSD log?
(*) put debug_level=6 or higher into the [domain/*] section of the SSSD, service sssd restart, retry the login


From Steven.Jones at vuw.ac.nz Thu Apr 12 20:23:00 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 12 Apr 2012 20:23:00 +0000
Subject: [Freeipa-users] Unable to login where previously OK
In-Reply-To: <20120412074758.GA15350@hendrix.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC767E5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120412074758.GA15350@hendrix.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC76A97@STAWINCOX10MBX1.staff.vuw.ac.nz>

screenshot of secure log.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Thursday, 12 April 2012 7:47 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to login where previously OK

On Thu, Apr 12, 2012 at 04:09:20AM +0000, Steven Jones wrote:
> Hi,
>
> I have a user, myself, that used to be able to login to a specific IPA client / host but I am no longer able to....
>
> The /var/log/secure log appears to be telling me my password is wrong, so I reset it in IPA, but on initial login I can't put in the temp password and then reset it....I still get denied. I am also having a similar problem for a new user....
>
> So I went to another client/host and I can login and set a new password...so IPA looks to be OK....so it's either a rule or the client/host is broken....
>
> Next I went into the allow_all HBAC policy and turned it back on but I am still denied.....
>
> So where do I look for a specific failure msg to tell me the issue? I assume it's the host/client side....
>

Can you paste what /var/log/secure or /var/log/messages had to say?
If there is nothing to trace the error with, can you enable debugging(*) in SSSD and paste the relevant contents of the SSSD log?

(*) put debug_level=6 or higher into the [domain/*] section of the SSSD, service sssd restart, retry the login

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh-fault-01.jpeg
Type: image/jpeg
Size: 112773 bytes
Desc: ssh-fault-01.jpeg


From Steven.Jones at vuw.ac.nz Thu Apr 12 21:23:03 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 12 Apr 2012 21:23:03 +0000
Subject: [Freeipa-users] Unable to login where previously OK
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC76A97@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC767E5@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120412074758.GA15350@hendrix.redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CC76A97@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC77622@STAWINCOX10MBX1.staff.vuw.ac.nz>

sssd log at lvl6

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 13 April 2012 8:23 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to login where previously OK

screenshot of secure log.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Thursday, 12 April 2012 7:47 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to login where previously OK

On Thu, Apr 12, 2012 at 04:09:20AM +0000, Steven Jones wrote:
> Hi,
>
> I have a user, myself, that used to be able to login to a specific IPA client / host but I am no longer able to....
>
> The /var/log/secure log appears to be telling me my password is wrong, so I reset it in IPA, but on initial login I can't put in the temp password and then reset it....I still get denied. I am also having a similar problem for a new user....
>
> So I went to another client/host and I can login and set a new password...so IPA looks to be OK....so it's either a rule or the client/host is broken....
>
> Next I went into the allow_all HBAC policy and turned it back on but I am still denied.....
>
> So where do I look for a specific failure msg to tell me the issue? I assume it's the host/client side....
>

Can you paste what /var/log/secure or /var/log/messages had to say?

If there is nothing to trace the error with, can you enable debugging(*) in SSSD and paste the relevant contents of the SSSD log?

(*) put debug_level=6 or higher into the [domain/*] section of the SSSD, service sssd restart, retry the login

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_ods.vuw.ac.nz.log
Type: application/octet-stream
Size: 75102 bytes
Desc: sssd_ods.vuw.ac.nz.log


From christoph.kaminski at biotronik.com Fri Apr 13 07:23:41 2012
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Fri, 13 Apr 2012 09:23:41 +0200
Subject: [Freeipa-users] multiple domains/realms?
Message-ID:

An HTML attachment was scrubbed...
From kelvin at kindsight.net Fri Apr 13 16:54:44 2012
From: kelvin at kindsight.net (Kelvin Edmison)
Date: Fri, 13 Apr 2012 12:54:44 -0400
Subject: [Freeipa-users] ipa-client-install on CentOS 5 creating zero-length /etc/sysconfig/network file
Message-ID:

Hi,

When troubleshooting what I thought was an NFS4 issue, I have found what looks to be a bug in ipa-client-install.

On a CentOS 5.8 machine, I ran
  ipa-client-install --no-ntp --force --hostname=kelvin-c5.
and successfully bound to the domain.

I am now trying to get nfs4 up and running, and found that idmapd was not starting. I traced that back to an empty /etc/sysconfig/network file, and ipa-client-install looks to be the cause.

[root@kelvin-c5 ~]# ls -al /etc/sysconfig/network /etc/sysconfig/network.orig /var/lib/ipa-client/sysrestore/*-network
-rw------- 1 root root  0 Apr 13 11:58 /etc/sysconfig/network
-rw-r--r-- 1 root root 54 Aug 12  2011 /etc/sysconfig/network.orig
-rw-r--r-- 1 root root 54 Aug 12  2011 /var/lib/ipa-client/sysrestore/477d00fd6ff85634-network

I looked back on another CentOS 5 machine we have, and the same problem exists there.

I was surprised to see that most network services were working when the file was empty. It turns out that many network services start properly with an empty /etc/sysconfig/network file, but some do not. It appears to be down to the structure of the test in the init scripts; e.g.
  [ "${NETWORKING}" = "no" ] && exit 0
vs.
  [ "${NETWORKING}" != "yes" ] && exit 6

So, is this a bug in ipa-client-install?
Can I just copy my network.orig back into place in order to get rpcidmapd and friends to run correctly?
Thanks,
  Kelvin


From rcritten at redhat.com Fri Apr 13 17:09:42 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 Apr 2012 13:09:42 -0400
Subject: [Freeipa-users] ipa-client-install on CentOS 5 creating zero-length /etc/sysconfig/network file
In-Reply-To:
References:
Message-ID: <4F885DD6.7070800@redhat.com>

Kelvin Edmison wrote:
> Hi,
>
> When troubleshooting what I thought was an NFS4 issue, I have found what looks to be a bug in ipa-client-install.
>
> On a CentOS 5.8 machine, I ran
> ipa-client-install --no-ntp --force --hostname=kelvin-c5.
> and successfully bound to the domain.
>
> I am now trying to get nfs4 up and running, and found that idmapd was not starting. I traced that back to an empty /etc/sysconfig/network file, and ipa-client-install looks to be the cause.
>
> [root@kelvin-c5 ~]# ls -al /etc/sysconfig/network /etc/sysconfig/network.orig /var/lib/ipa-client/sysrestore/*-network
> -rw------- 1 root root 0 Apr 13 11:58 /etc/sysconfig/network
> -rw-r--r-- 1 root root 54 Aug 12 2011 /etc/sysconfig/network.orig
> -rw-r--r-- 1 root root 54 Aug 12 2011 /var/lib/ipa-client/sysrestore/477d00fd6ff85634-network
>
> I looked back on another CentOS 5 machine we have, and the same problem exists there.
>
> I was surprised to see that most network services were working when the file was empty. It turns out that many network services start properly with an empty /etc/sysconfig/network file, but some do not. It appears to be down to the structure of the test in the init scripts; e.g.
> [ "${NETWORKING}" = "no" ]&& exit 0
> vs.
> [ "${NETWORKING}" != "yes" ]&& exit 6
>
> So, is this a bug in ipa-client-install?
> Can I just copy my network.orig back into place in order to get rpcidmapd and friends to run correctly?

Yes, it should be safe to copy that file back. What we try to do is ensure that the hostname provided to ipa-client-install is reflected in /etc/sysconfig/networking.

What rpm version of ipa-client-install are you using?
rob


From kelvin at kindsight.net Fri Apr 13 17:14:36 2012
From: kelvin at kindsight.net (Kelvin Edmison)
Date: Fri, 13 Apr 2012 13:14:36 -0400
Subject: [Freeipa-users] ipa-client-install on CentOS 5 creating zero-length /etc/sysconfig/network file
In-Reply-To: <4F885DD6.7070800@redhat.com>
References: <4F885DD6.7070800@redhat.com>
Message-ID:

On 2012-04-13, at 1:09 PM, Rob Crittenden wrote:

> Kelvin Edmison wrote:
>> Hi,
>>
>> When troubleshooting what I thought was an NFS4 issue, I have found what looks to be a bug in ipa-client-install.
>>
>> On a CentOS 5.8 machine, I ran
>> ipa-client-install --no-ntp --force --hostname=kelvin-c5.
>> and successfully bound to the domain.
>>
>> I am now trying to get nfs4 up and running, and found that idmapd was not starting. I traced that back to an empty /etc/sysconfig/network file, and ipa-client-install looks to be the cause.
>>
>> [root@kelvin-c5 ~]# ls -al /etc/sysconfig/network /etc/sysconfig/network.orig /var/lib/ipa-client/sysrestore/*-network
>> -rw------- 1 root root 0 Apr 13 11:58 /etc/sysconfig/network
>> -rw-r--r-- 1 root root 54 Aug 12 2011 /etc/sysconfig/network.orig
>> -rw-r--r-- 1 root root 54 Aug 12 2011 /var/lib/ipa-client/sysrestore/477d00fd6ff85634-network
>>
>> I looked back on another CentOS 5 machine we have, and the same problem exists there.
>>
>> I was surprised to see that most network services were working when the file was empty. It turns out that many network services start properly with an empty /etc/sysconfig/network file, but some do not. It appears to be down to the structure of the test in the init scripts; e.g.
>> [ "${NETWORKING}" = "no" ]&& exit 0
>> vs.
>> [ "${NETWORKING}" != "yes" ]&& exit 6
>>
>> So, is this a bug in ipa-client-install?
>> Can I just copy my network.orig back into place in order to get rpcidmapd and friends to run correctly?
>
> Yes, it should be safe to copy that file back.
> What we try to do is ensure that the hostname provided to ipa-client-install is reflected in /etc/sysconfig/networking.
>
> What rpm version of ipa-client-install are you using?

ipa-client-2.1.3-1.el5

Thanks,
  Kelvin


From rcritten at redhat.com Fri Apr 13 17:18:22 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 Apr 2012 13:18:22 -0400
Subject: [Freeipa-users] ipa-client-install on CentOS 5 creating zero-length /etc/sysconfig/network file
In-Reply-To:
References: <4F885DD6.7070800@redhat.com>
Message-ID: <4F885FDE.2080803@redhat.com>

Kelvin Edmison wrote:
>
> On 2012-04-13, at 1:09 PM, Rob Crittenden wrote:
>
>> Kelvin Edmison wrote:
>>> Hi,
>>>
>>> When troubleshooting what I thought was an NFS4 issue, I have found what looks to be a bug in ipa-client-install.
>>>
>>> On a CentOS 5.8 machine, I ran
>>> ipa-client-install --no-ntp --force --hostname=kelvin-c5.
>>> and successfully bound to the domain.
>>>
>>> I am now trying to get nfs4 up and running, and found that idmapd was not starting. I traced that back to an empty /etc/sysconfig/network file, and ipa-client-install looks to be the cause.
>>>
>>> [root@kelvin-c5 ~]# ls -al /etc/sysconfig/network /etc/sysconfig/network.orig /var/lib/ipa-client/sysrestore/*-network
>>> -rw------- 1 root root 0 Apr 13 11:58 /etc/sysconfig/network
>>> -rw-r--r-- 1 root root 54 Aug 12 2011 /etc/sysconfig/network.orig
>>> -rw-r--r-- 1 root root 54 Aug 12 2011 /var/lib/ipa-client/sysrestore/477d00fd6ff85634-network
>>>
>>> I looked back on another CentOS 5 machine we have, and the same problem exists there.
>>>
>>> I was surprised to see that most network services were working when the file was empty. It turns out that many network services start properly with an empty /etc/sysconfig/network file, but some do not. It appears to be down to the structure of the test in the init scripts; e.g.
>>> [ "${NETWORKING}" = "no" ]&& exit 0
>>> vs.
>>> [ "${NETWORKING}" != "yes" ]&& exit 6
>>>
>>> So, is this a bug in ipa-client-install?
>>> Can I just copy my network.orig back into place in order to get rpcidmapd and friends to run correctly?
>>
>> Yes, it should be safe to copy that file back. What we try to do is ensure that the hostname provided to ipa-client-install is reflected in /etc/sysconfig/networking.
>>
>> What rpm version of ipa-client-install are you using?
>
> ipa-client-2.1.3-1.el5

Hmm, strange. I don't think this is specific to el5, you were just the lucky contestant to find this bug. Can you provide the contents of the original network file? It is probable that our replacement function isn't doing the right thing.

thanks

rob


From kelvin at kindsight.net Fri Apr 13 17:25:49 2012
From: kelvin at kindsight.net (Kelvin Edmison)
Date: Fri, 13 Apr 2012 13:25:49 -0400
Subject: [Freeipa-users] ipa-client-install on CentOS 5 creating zero-length /etc/sysconfig/network file
In-Reply-To: <4F885FDE.2080803@redhat.com>
References: <4F885DD6.7070800@redhat.com> <4F885FDE.2080803@redhat.com>
Message-ID:

On 2012-04-13, at 1:18 PM, Rob Crittenden wrote:

> Kelvin Edmison wrote:
>>
>> On 2012-04-13, at 1:09 PM, Rob Crittenden wrote:
>>
>>> Kelvin Edmison wrote:
>>>> Hi,
>>>>
>>>> When troubleshooting what I thought was an NFS4 issue, I have found what looks to be a bug in ipa-client-install.
>>>>
>>>> On a CentOS 5.8 machine, I ran
>>>> ipa-client-install --no-ntp --force --hostname=kelvin-c5.
>>>> and successfully bound to the domain.
>>>>
>>>> I am now trying to get nfs4 up and running, and found that idmapd was not starting. I traced that back to an empty /etc/sysconfig/network file, and ipa-client-install looks to be the cause.
>>>>
>>>> [root@kelvin-c5 ~]# ls -al /etc/sysconfig/network /etc/sysconfig/network.orig /var/lib/ipa-client/sysrestore/*-network
>>>> -rw------- 1 root root 0 Apr 13 11:58 /etc/sysconfig/network
>>>> -rw-r--r-- 1 root root 54 Aug 12 2011 /etc/sysconfig/network.orig
>>>> -rw-r--r-- 1 root root 54 Aug 12 2011 /var/lib/ipa-client/sysrestore/477d00fd6ff85634-network
>>>>
>>>> I looked back on another CentOS 5 machine we have, and the same problem exists there.
>>>>
>>>> I was surprised to see that most network services were working when the file was empty. It turns out that many network services start properly with an empty /etc/sysconfig/network file, but some do not. It appears to be down to the structure of the test in the init scripts; e.g.
>>>> [ "${NETWORKING}" = "no" ]&& exit 0
>>>> vs.
>>>> [ "${NETWORKING}" != "yes" ]&& exit 6
>>>>
>>>> So, is this a bug in ipa-client-install?
>>>> Can I just copy my network.orig back into place in order to get rpcidmapd and friends to run correctly?
>>>
>>> Yes, it should be safe to copy that file back. What we try to do is ensure that the hostname provided to ipa-client-install is reflected in /etc/sysconfig/networking.
>>>
>>> What rpm version of ipa-client-install are you using?
>>
>> ipa-client-2.1.3-1.el5
>
> Hmm, strange. I don't think this is specific to el5, you were just the lucky contestant to find this bug. Can you provide the contents of the original network file? It is probable that our replacement function isn't doing the right thing.
>

Gladly.

[root@kelvin-c5 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=kelvin-c5
[root@kelvin-c5 ~]#

The hostname is not a FQDN because we are growing from an environment where the domainname is assigned via DHCP.
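The failure mode in this thread is a configuration rewrite that emptied /etc/sysconfig/network, which the two init-script tests Kelvin quoted then treat differently. The script below is an added example for this archive, not Kelvin's or Rob's code and not ipa-client-install's own replacement function. It rewrites only the HOSTNAME= line, keeps every other setting, writes through a temporary file so an interrupted write can never leave a zero-length file, and emulates the two shell tests to show which kind of service would fail on a given file. The file content is the one Kelvin posted; the new hostname `kelvin-c5.example.test` is a constructed placeholder.

```python
"""Safely set HOSTNAME= in an /etc/sysconfig/network-style file and predict
which init-script checks would fail on the result.

Added example; not the ipa-client-install implementation. It works on any
path, so it can be exercised offline on a temporary file.
"""
import os
import tempfile

# The file Kelvin posted, reproduced as the sample input.
ORIGINAL = "NETWORKING=yes\nNETWORKING_IPV6=yes\nHOSTNAME=kelvin-c5\n"


def parse_sysconfig(text):
    """Return (key, value) pairs in file order; comments and blanks skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def set_hostname(text, hostname):
    """Replace the HOSTNAME= line (or append one) and keep every other line.

    Duplicate HOSTNAME= lines are collapsed into the single new one.
    """
    out, replaced = [], False
    for line in text.splitlines():
        if line.split("=", 1)[0].strip() == "HOSTNAME":
            if not replaced:
                out.append("HOSTNAME=%s" % hostname)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append("HOSTNAME=%s" % hostname)
    return "\n".join(out) + "\n"


def write_atomically(path, text):
    """Write to a temp file in the same directory, fsync, then rename.

    A crash between open() and write() on the real path is exactly how a
    config file ends up zero-length; rename makes the swap all-or-nothing.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".network.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.rename(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


def init_script_outcomes(text):
    """Emulate the two shell tests quoted in the thread.

    Returns whether a service guarded by each test would start:
      lenient: [ "${NETWORKING}" = "no" ]  && exit 0   (stops only on "no")
      strict:  [ "${NETWORKING}" != "yes" ] && exit 6  (stops unless "yes")
    An empty file leaves NETWORKING unset, i.e. the empty string.
    """
    networking = dict(parse_sysconfig(text)).get("NETWORKING", "")
    return {"lenient": networking != "no", "strict": networking == "yes"}


def roundtrip(text, hostname):
    """Rewrite `text` with the new hostname on disk and read it back."""
    path = os.path.join(tempfile.mkdtemp(), "network")
    write_atomically(path, set_hostname(text, hostname))
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    print("empty file:", init_script_outcomes(""))
    print("rewritten :", roundtrip(ORIGINAL, "kelvin-c5.example.test"), end="")
```

On the empty file the emulation reports the split Kelvin observed (the lenient test lets the service start, the strict one does not); on the rewritten file both pass and NETWORKING=yes / NETWORKING_IPV6=yes are preserved.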
Thanks,
  Kelvin


From danieljamesscott at gmail.com Fri Apr 13 17:39:17 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 13 Apr 2012 13:39:17 -0400
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
Message-ID:

Hi,

I've been using FreeIPA for a couple of years (Upgraded/Migrated from FreeIPA 1). The servers are in various states (Some upgraded from Fedora 10/11 through each release, some fresh installs of Fedora 15/16). I've also had to add/remove replicas many times - and run into problems installing which required some manual intervention.

I'm convinced that my LDAP directories contain lots of cruft which has built up and is causing problems on my system. There may even be some corruption since there's an entry which I'm unable to remove - this entry does not get replicated to the other servers. I also see inconsistent replication states on the servers. i.e. server1 shows that it's replicating with server2 but server2 does not show that it's replicating with server1.

Is there some way that I can refresh/clean my LDAP directories and ensure that everything's running correctly?

Thanks,

Dan


From rmeggins at redhat.com Fri Apr 13 17:43:11 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 Apr 2012 11:43:11 -0600
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To:
References:
Message-ID: <4F8865AF.3000909@redhat.com>

On 04/13/2012 11:39 AM, Dan Scott wrote:
> Hi,
>
> I've been using FreeIPA for a couple of years (Upgraded/Migrated from
> FreeIPA 1). The servers are in various states (Some upgraded from
> Fedora 10/11 through each release, some fresh installs of Fedora
> 15/16). I've also had to add/remove replicas many times - and run into
> problems installing which required some manual intervention.
>
> I'm convinced that my LDAP directories contain lots of cruft which has
> built up and is causing problems on my system.
> There may even be some
> corruption since there's an entry which I'm unable to remove - this
> entry does not get replicated to the other servers.

What version of 389-ds-base is this? Do you get any errors? It just silently fails to delete this particular entry?

> I also see
> inconsistent replication states on the servers. i.e. server1 shows
> that it's replicating with server2 but server2 does not show that it's
> replicating with server1.

Do you have errors in the server2 log showing that it is attempting to replicate with server1 but failing with some error?

>
> Is there some way that I can refresh/clean my LDAP directories and
> ensure that everything's running correctly.

We first need to find out what's going on and why you are seeing these failures before we can recommend a particular course of action. There is currently no "find all of my problems and fix them" command.

>
> Thanks,
>
> Dan


From danieljamesscott at gmail.com Fri Apr 13 18:22:10 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 13 Apr 2012 14:22:10 -0400
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To: <4F8865AF.3000909@redhat.com>
References: <4F8865AF.3000909@redhat.com>
Message-ID:

On Fri, Apr 13, 2012 at 13:43, Rich Megginson wrote:
> On 04/13/2012 11:39 AM, Dan Scott wrote:
>> I'm convinced that my LDAP directories contain lots of cruft which has
>> built up and is causing problems on my system. There may even be some
>> corruption since there's an entry which I'm unable to remove - this
>> entry does not get replicated to the other servers.
>
>
> What version of 389-ds-base is this? Do you get any errors? It just
> silently fails to delete this particular entry?
[root@fileserver1 ~]# rpm -qa|grep 389
389-ds-base-libs-1.2.10.4-2.fc16.x86_64
389-ds-base-1.2.10.4-2.fc16.x86_64
[root@fileserver1 ~]# ldapmodify -f rmfileserver5.ldif -D 'cn=directory manager' -W
Enter LDAP Password:
deleting entry "cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu"
ldap_delete: Operation not allowed on non-leaf (66)

[root@fileserver1 ~]# ldapsearch -D 'cn=directory manager' -W -v -b 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu' '(objectclass=*)'
ldap_initialize( )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
cn: fileserver5.ecg.mit.edu
objectClass: top
objectClass: nsContainer

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@fileserver1 ~]#

If I'm interpreting this correctly, it can't be deleted because it's not a leaf node, but it doesn't have any sub-entries that I can delete first.

>> I also see
>> inconsistent replication states on the servers. i.e. server1 shows
>> that it's replicating with server2 but server2 does not show that it's
>> replicating with server1.
>
>
> Do you have errors in the server2 log showing that it is attempting to
> replicate with server1 but failing with some error?
[root@fileserver1 ~]# ipa-csreplica-manage list -v fileserver1.ecg.mit.edu
Directory Manager password:
fileserver2.ecg.mit.edu
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:39+00:00

[root@fileserver1 ~]# ipa-csreplica-manage list -v fileserver2.ecg.mit.edu
Directory Manager password:
fileserver1.ecg.mit.edu
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:41+00:00
fileserver3.ecg.mit.edu
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:41+00:00

[root@fileserver1 ~]# ipa-csreplica-manage list -v fileserver3.ecg.mit.edu
Directory Manager password:
fileserver2.ecg.mit.edu
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:44+00:00
fileserver1.ecg.mit.edu
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:43+00:00
[root@fileserver1 ~]#

fileserver1's (and fileserver2's) /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of:

[13/Apr/2012:13:57:43 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20

fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of:

[13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[13/Apr/2012:13:57:39 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20

fileserver2's non-PKI replication agreements to both fileserver1 and 3 are in place, but both
say:

Incremental update has failed and requires administrator actionSystem error.

When I try to re-initialize:

[root@fileserver2 ~]# ipa-replica-manage re-initialize --from fileserver3.ecg.mit.edu
Directory Manager password:
[fileserver3.ecg.mit.edu] reports: Replica Busy! Status: [1 Replication error acquiring replica: replica busy]

this command has been running for 1/2hr and produced no more output (fileserver2 is the remaining server running Fedora 15, the others are Fedora 16 with latest updates).

>> Is there some way that I can refresh/clean my LDAP directories and
>> ensure that everything's running correctly.
>
> We first need to find out what's going on and why you are seeing these
> failures before we can recommend a particular course of action. There is
> currently no "find all of my problems and fix them" command.

:) Wish there was. It's just that I've been having lots of problems recently and I was thinking that there is something fundamentally wrong with my installation. I keep having to ask you guys for help.
An additional problem, which Rob Crittenden is helping with, is that I'm trying to install another replica (fileserver4) which fails when setting up the CA:

2012-04-11 11:30:47,289 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-JJIkrk' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'LI1En8UwjZ2BYDcnu8nJ' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name' 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' XXXXXXXX '-sd_hostname' 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name' 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero exit status 255

Sorry to dump a tonne of problems in one go, but you can see why I think there's something (probably several things) badly wrong with my installation. I guess I was looking for a few very basic things to check to ensure that the servers are fundamentally configured properly.
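The asymmetric replication state Dan describes (one server lists a peer that does not list it back) is easy to miss when reading `ipa-csreplica-manage list -v` output by hand for each host, but it is a simple graph check once the output is parsed. The script below is an added example for this archive, not part of Dan's message and not FreeIPA's own tooling. The SAMPLE dictionary is constructed from the three status listings Dan posted; the non-zero status on the fileserver2 -> fileserver3 agreement is a constructed line based on the "Incremental update has failed" wording from his non-PKI agreements, so that both checks have something to report. The parser assumes the layout shown in the thread (peer hostname on an unindented line, indented `key: value` lines under it) and also tolerates a `: replica` suffix after the hostname.

```python
"""Find one-way replication agreements and failed updates from the output
of `ipa-csreplica-manage list -v <host>` collected for every server.

Added example; not FreeIPA's own code. Constructed sample input below.
"""

# Constructed from the listings in the thread; the fileserver2 -> fileserver3
# failure line is constructed to exercise the failed-update check.
SAMPLE = {
    "fileserver1.ecg.mit.edu": """\
fileserver2.ecg.mit.edu
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:39+00:00
""",
    "fileserver2.ecg.mit.edu": """\
fileserver1.ecg.mit.edu
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:41+00:00
fileserver3.ecg.mit.edu
  last init status: None
  last init ended: None
  last update status: 1 Incremental update has failed and requires administrator action: System error
  last update ended: 2012-04-13 17:57:41+00:00
""",
    "fileserver3.ecg.mit.edu": """\
fileserver2.ecg.mit.edu: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:44+00:00
fileserver1.ecg.mit.edu: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2012-04-13 17:57:43+00:00
""",
}


def parse_list_output(text):
    """Return {peer_host: {field: value}} from one server's `list -v` output."""
    peers, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Peer line; strip an optional ": replica" style suffix.
            current = line.split(":", 1)[0].strip()
            peers[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition(":")
            peers[current][key.strip()] = value.strip()
    return peers


def find_one_way_agreements(outputs):
    """Sorted (a, b) pairs where a lists b as a peer but b does not list a.

    Only hosts whose own listing is in `outputs` are judged, so a peer we
    never queried is not reported as missing.
    """
    graph = {host: set(parse_list_output(text)) for host, text in outputs.items()}
    return sorted((a, b) for a, peers in graph.items() for b in peers
                  if b in graph and a not in graph[b])


def find_failed_updates(outputs):
    """(host, peer, status) triples whose last update status code is not 0."""
    failed = []
    for host, text in sorted(outputs.items()):
        for peer, fields in parse_list_output(text).items():
            status = fields.get("last update status", "")
            if not status.startswith("0 "):
                failed.append((host, peer, status))
    return failed


if __name__ == "__main__":
    print("one-way agreements:", find_one_way_agreements(SAMPLE))
    print("failed updates    :", find_failed_updates(SAMPLE))
```

On Dan's listings the graph check reports exactly one one-way agreement: fileserver3 lists fileserver1, but fileserver1's own listing shows only fileserver2. That is the kind of finding worth lining up against the errors log of the server that is missing the reverse agreement before reaching for `re-initialize`.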
Thanks,

Dan Scott

From simo at redhat.com Fri Apr 13 18:38:58 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 13 Apr 2012 14:38:58 -0400
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To:
References:
Message-ID: <1334342338.16658.57.camel@willson.li.ssimo.org>

On Fri, 2012-04-13 at 13:39 -0400, Dan Scott wrote:
> Hi,
>
> I've been using FreeIPA for a couple of years (Upgraded/Migrated from
> FreeIPA 1). The servers are in various states (Some upgraded from
> Fedora 10/11 through each release, some fresh installs of Fedora
> 15/16). I've also had to add/remove replicas many times - and run into
> problems installing which required some manual intervention.
>
> I'm convinced that my LDAP directories contain lots of cruft which has
> built up and is causing problems on my system. There may even be some
> corruption since there's an entry which I'm unable to remove - this
> entry does not get replicated to the other servers. I also see
> inconsistent replication states on the servers. i.e. server1 shows
> that it's replicating with server2 but server2 does not show that it's
> replicating with server1.
>
> Is there some way that I can refresh/clean my LDAP directories and
> ensure that everything's running correctly.

Well it really depends on what you need to achieve.

Of course you have the big hammer of setting up a brand new realm and then migrating over users/groups, but that would require to start from scratch with hbac and related rules and re-enrollment of users and hosts.

In general if you haven't willfully changed stuff manually over ldap you should be in good shape. It should be sufficient to find out and fix why DS is not allowing you to delete that entry you want to delete and then you should be able to clean up stuff through the CLI or the WebUI tools.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Fri Apr 13 18:38:02 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 Apr 2012 12:38:02 -0600
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To:
References: <4F8865AF.3000909@redhat.com>
Message-ID: <4F88728A.6070208@redhat.com>

On 04/13/2012 12:22 PM, Dan Scott wrote:
> On Fri, Apr 13, 2012 at 13:43, Rich Megginson wrote:
>> On 04/13/2012 11:39 AM, Dan Scott wrote:
>>> I'm convinced that my LDAP directories contain lots of cruft which has
>>> built up and is causing problems on my system. There may even be some
>>> corruption since there's an entry which I'm unable to remove - this
>>> entry does not get replicated to the other servers.
>>
>> What version of 389-ds-base is this? Do you get any errors? It just
>> silently fails to delete this particular entry?
> [root at fileserver1 ~]# rpm -qa|grep 389
> 389-ds-base-libs-1.2.10.4-2.fc16.x86_64
> 389-ds-base-1.2.10.4-2.fc16.x86_64
> [root at fileserver1 ~]# ldapmodify -f rmfileserver5.ldif -D 'cn=directory manager' -W
> Enter LDAP Password:
> deleting entry "cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu"
> ldap_delete: Operation not allowed on non-leaf (66)
>
> [root at fileserver1 ~]# ldapsearch -D 'cn=directory manager' -W -v -b 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu' '(objectclass=*)'
> ldap_initialize( )
> Enter LDAP Password:
> filter: (objectclass=*)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
> dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
> cn: fileserver5.ecg.mit.edu
> objectClass: top
> objectClass: nsContainer
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root at fileserver1 ~]#
>
> If I'm interpreting this correctly, it can't be deleted because it's
> not a leaf node, but it doesn't have any sub-entries that I can delete
> first.

You are correct. Try this:

ldapsearch -D 'cn=directory manager' -W -v -b 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu' '(|(objectclass=nstombstone)(objectclass=*))'

>
>>> I also see
>>> inconsistent replication states on the servers. i.e. server1 shows
>>> that it's replicating with server2 but server2 does not show that it's
>>> replicating with server1.
>>
>> Do you have errors in the server2 log showing that it is attempting to
>> replicate with server1 but failing with some error?
> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver1.ecg.mit.edu
> Directory Manager password:
>
> fileserver2.ecg.mit.edu
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2012-04-13 17:57:39+00:00
> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver2.ecg.mit.edu
> Directory Manager password:
>
> fileserver1.ecg.mit.edu
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2012-04-13 17:57:41+00:00
> fileserver3.ecg.mit.edu
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2012-04-13 17:57:41+00:00
> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver3.ecg.mit.edu
> Directory Manager password:
>
> fileserver2.ecg.mit.edu
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2012-04-13 17:57:44+00:00
> fileserver1.ecg.mit.edu
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2012-04-13 17:57:43+00:00
> [root at fileserver1 ~]#
>
> fileserver1's (and fileserver2's) /var/log/dirsrv/slapd-PKI-IPA/errors
> contains lots of:
> [13/Apr/2012:13:57:43 -0400] NSMMReplicationPlugin -
> repl_set_mtn_referrals: could not set referrals for replica o=ipaca:
> 20

This error usually means a replica was deleted and the RUV needs to be cleaned.
See http://port389.org/wiki/Howto:CLEANRUV
and
https://fedorahosted.org/freeipa/ticket/2303
and
https://fedorahosted.org/389/ticket/337

>
> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of:
> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 107
> (Transport endpoint is not connected)

This is a real connection error - could be cert or hostname lookup related.

> [13/Apr/2012:13:57:39 -0400] NSMMReplicationPlugin -
> repl_set_mtn_referrals: could not set referrals for replica o=ipaca:
> 20
>
> fileserver2's non-PKI replication agreements to both fileserver1 and 3
> are in place, but both say: Incremental update has failed and requires
> administrator actionSystem error.
> When I try to re-initialize:
>
> [root at fileserver2 ~]# ipa-replica-manage re-initialize --from
> fileserver3.ecg.mit.edu
> Directory Manager password:
>
> [fileserver3.ecg.mit.edu] reports: Replica Busy! Status: [1
> Replication error acquiring replica: replica busy]

This is a transient condition.

>
> this command has been running for 1/2hr and produced no more output
> (fileserver2 is the remaining server running Fedora 15, the others are
> Fedora 16 with latest updates).

Not sure how ipa-replica-manage handles busy - does it keep trying until it is not busy?

>
>>> Is there some way that I can refresh/clean my LDAP directories and
>>> ensure that everything's running correctly.
>> We first need to find out what's going on and why you are seeing these
>> failures before we can recommend a particular course of action. There is
>> currently no "find all of my problems and fix them" command.
> :) Wish there was. It's just that I've been having lots of problems
> recently and I was thinking that there is something fundamentally
> wrong with my installation. I keep having to ask you guys for help.

I think some of these problems were due to the fact that an alpha version of 389 got pushed to the Stable repo in F-16, and in between that alpha version and the real "Stable" version we were forced to change the database format to fix a serious issue, and that introduced some inconsistencies into the database upon upgrade.

>
> An additional problem, which Rob Crittenden is helping with, is that
> I'm trying to install another replica (fileserver4) which fails when
> setting up the CA:
>
> 2012-04-11 11:30:47,289 CRITICAL failed to configure ca instance
> Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir'
> '/tmp/tmp-JJIkrk' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
> 'LI1En8UwjZ2BYDcnu8nJ' '-domain_name' 'IPA' '-admin_user' 'admin'
> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
> '-agent_key_type' 'rsa' '-agent_cert_subject'
> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu'
> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP
> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name'
> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU'
> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU'
> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU'
> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
> '-clone_p12_password' XXXXXXXX '-sd_hostname'
> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name'
> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero
> exit status 255
>
> Sorry to dump a tonne of problems in one go, but you can see why I
> think there's something (probably several things) badly wrong with my
> installation. I guess I was looking for a few very basic things to
> check to ensure that the servers are fundamentally configured
> properly.

Unfortunately, it appears that some of your problems are unexpected and/or have not been seen before.

>
> Thanks,
>
> Dan Scott

From danieljamesscott at gmail.com Fri Apr 13 19:03:20 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 13 Apr 2012 15:03:20 -0400
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To: <4F88728A.6070208@redhat.com>
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com>
Message-ID:

Thanks for the quick response.

Simo: Thanks - I'd prefer to clean it up properly rather than start from scratch. I haven't changed the LDAP schema at all. All I've done is use the IPA tools for user admin and add/remove replicas.

I just felt like I've been emailing this list once a week or so for the past few months - I was beginning to think that it was beyond repair! :)

On Fri, Apr 13, 2012 at 14:38, Rich Megginson wrote:
> On 04/13/2012 12:22 PM, Dan Scott wrote:
>>
>> On Fri, Apr 13, 2012 at 13:43, Rich Megginson wrote:
>>>
>>> On 04/13/2012 11:39 AM, Dan Scott wrote:
>>>>
>>>> I'm convinced that my LDAP directories contain lots of cruft which has
>>>> built up and is causing problems on my system.
>>>> There may even be some
>>>> corruption since there's an entry which I'm unable to remove - this
>>>> entry does not get replicated to the other servers.
>>>
>>>
>>> What version of 389-ds-base is this? Do you get any errors? It just
>>> silently fails to delete this particular entry?
>>
>> [root at fileserver1 ~]# rpm -qa|grep 389
>> 389-ds-base-libs-1.2.10.4-2.fc16.x86_64
>> 389-ds-base-1.2.10.4-2.fc16.x86_64
>> [root at fileserver1 ~]# ldapmodify -f rmfileserver5.ldif -D 'cn=directory
>> manager' -W
>> Enter LDAP Password:
>> deleting entry
>> "cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu"
>> ldap_delete: Operation not allowed on non-leaf (66)
>>
>> [root at fileserver1 ~]# ldapsearch -D 'cn=directory manager' -W -v -b
>> 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu'
>> '(objectclass=*)'
>> ldap_initialize( )
>> Enter LDAP Password:
>> filter: (objectclass=*)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
>> dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
>> cn: fileserver5.ecg.mit.edu
>> objectClass: top
>> objectClass: nsContainer
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root at fileserver1 ~]#
>>
>> If I'm interpreting this correctly, it can't be deleted because it's
>> not a leaf node, but it doesn't have any sub-entries that I can delete
>> first.
>
>
> You are correct.
> Try this:
>
> ldapsearch -D 'cn=directory manager' -W -v -b
> 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu'
> '(|(objectclass=nstombstone)(objectclass=*))'

Ahh, so there are some 'child' entries:

[root at fileserver1 ~]# ldapsearch -D 'cn=directory manager' -W -b 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu' '(|(objectclass=nstombstone)(objectclass=*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (|(objectclass=nstombstone)(objectclass=*))
# requesting: ALL
#

# aaa2c704-63cf11e1-ac8dadbd-35182efb, fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
dn: nsuniqueid=aaa2c704-63cf11e1-ac8dadbd-35182efb,cn=fileserver5.ecg.mit.edu,
 cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
objectClass: top
objectClass: nsContainer
objectClass: nsTombstone
cn: fileserver5.ecg.mit.edu
nsParentUniqueId: 4fff591e-e48611e0-bf3681aa-d1a3957d

# 17708e04-63dd11e1-9b079095-05c635b0, fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
dn: nsuniqueid=17708e04-63dd11e1-9b079095-05c635b0,cn=fileserver5.ecg.mit.edu,
 cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
objectClass: top
objectClass: nsContainer
objectClass: nsTombstone
cn: fileserver5.ecg.mit.edu
nsParentUniqueId: 4fff591e-e48611e0-bf3681aa-d1a3957d

# 5ceb8604-63f211e1-bc108552-1fbf39e2, fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
dn: nsuniqueid=5ceb8604-63f211e1-bc108552-1fbf39e2,cn=fileserver5.ecg.mit.edu,
 cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
objectClass: top
objectClass: nsContainer
objectClass: nsTombstone
cn: fileserver5.ecg.mit.edu
nsParentUniqueId: 4fff591e-e48611e0-bf3681aa-d1a3957d

# fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
cn: fileserver5.ecg.mit.edu
objectClass: top
objectClass: nsContainer

# c480f184-83f011e1-90d1df13-bba55eff, HTTP, fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
dn: nsuniqueid=c480f184-83f011e1-90d1df13-bba55eff,cn=HTTP,cn=fileserver5.ecg.
 mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
objectClass: nsTombstone
ipaConfigString: enabledService
ipaConfigString: startOrder 40
cn: HTTP
nsParentUniqueId: 1eba8a03-642311e1-9b95afe9-fc1b53ef

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

Is it safe to delete them?

>>>> I also see
>>>> inconsistent replication states on the servers. i.e. server1 shows
>>>> that it's replicating with server2 but server2 does not show that it's
>>>> replicating with server1.
>>>
>>>
>>> Do you have errors in the server2 log showing that it is attempting to
>>> replicate with server1 but failing with some error?
>>
>> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver1.ecg.mit.edu
>> Directory Manager password:
>>
>> fileserver2.ecg.mit.edu
>>   last init status: None
>>   last init ended: None
>>   last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>>   last update ended: 2012-04-13 17:57:39+00:00
>> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver2.ecg.mit.edu
>> Directory Manager password:
>>
>> fileserver1.ecg.mit.edu
>>   last init status: None
>>   last init ended: None
>>   last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>>   last update ended: 2012-04-13 17:57:41+00:00
>> fileserver3.ecg.mit.edu
>>   last init status: None
>>   last init ended: None
>>   last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>>   last update ended: 2012-04-13 17:57:41+00:00
>> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver3.ecg.mit.edu
>> Directory Manager password:
>>
>> fileserver2.ecg.mit.edu
>>   last init status: None
>>   last init ended: None
>>   last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>>   last update ended: 2012-04-13 17:57:44+00:00
>> fileserver1.ecg.mit.edu
>>   last init status: None
>>   last init ended: None
>>   last update status: 0 Replica acquired successfully: Incremental
>> update succeeded
>>   last update ended: 2012-04-13 17:57:43+00:00
>> [root at fileserver1 ~]#
>>
>> fileserver1's (and fileserver2's) /var/log/dirsrv/slapd-PKI-IPA/errors
>> contains lots of:
>> [13/Apr/2012:13:57:43 -0400] NSMMReplicationPlugin -
>> repl_set_mtn_referrals: could not set referrals for replica o=ipaca:
>> 20
>
>
> This error usually means a replica was deleted and the RUV needs to be
> cleaned.
> see http://port389.org/wiki/Howto:CLEANRUV
> and
> https://fedorahosted.org/freeipa/ticket/2303
> and
> https://fedorahosted.org/389/ticket/337

OK, I've seen this before - is it important to remove them? I've had to add and remove replicas so much that I don't really want to do it unless it's necessary. I'm happy to live with them if it's not a problem.

>> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of:
>> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send
>> startTLS request: error -1 (Can't contact LDAP server) errno 107
>> (Transport endpoint is not connected)
>
>
> This is a real connection error - could be cert or hostname lookup related.

How do I find out if it's cert or hostname lookup? Which hostname? Fileserver3 runs DNS, and it seems to be working fine.

>> [13/Apr/2012:13:57:39 -0400] NSMMReplicationPlugin -
>> repl_set_mtn_referrals: could not set referrals for replica o=ipaca:
>> 20
>>
>> fileserver2's non-PKI replication agreements to both fileserver1 and 3
>> are in place, but both say: Incremental update has failed and requires
>> administrator actionSystem error.
>
>
>
>> When I try to re-initialize:
>>
>> [root at fileserver2 ~]# ipa-replica-manage re-initialize --from
>> fileserver3.ecg.mit.edu
>> Directory Manager password:
>>
>> [fileserver3.ecg.mit.edu] reports: Replica Busy!
>> Status: [1
>> Replication error acquiring replica: replica busy]
>
>
> This is a transient condition.

Fileserver2 is busy? The /var/log/dirsrv/slapd-ECG-MIT-EDU/errors is now full of:

[13/Apr/2012:14:59:19 -0400] NSMMReplicationPlugin - conn=1 op=571 csn=4f70a9e5000100060000: Can't created glue entry cn=fileserver4.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu uniqueid=6949d104-775b11e1-abce82a1-a45dd3c3, error 68

Should I delete the LDAP entry which is trying to replicate fileserver2 with fileserver4?

>> this command has been running for 1/2hr and produced no more output
>> (fileserver2 is the remaining server running Fedora 15, the others are
>> Fedora 16 with latest updates).
>
>
> Not sure how ipa-replica-manage handles busy - does it keep trying until it
> is not busy?
>
>
>>
>>>> Is there some way that I can refresh/clean my LDAP directories and
>>>> ensure that everything's running correctly.
>>>
>>> We first need to find out what's going on and why you are seeing these
>>> failures before we can recommend a particular course of action. There is
>>> currently no "find all of my problems and fix them" command.
>>
>> :) Wish there was. It's just that I've been having lots of problems
>> recently and I was thinking that there is something fundamentally
>> wrong with my installation. I keep having to ask you guys for help.
>
>
> I think some of these problems were due to the fact that an alpha version of
> 389 got pushed to the Stable repo in F-16, and in between that alpha version
> and the real "Stable" version we were forced to change the database format
> to fix a serious issue, and that introduced some inconsistencies into the
> database upon upgrade.

Yeah, I think most of my troubles have started since that version. Hope I can get it fixed!
:)

>> An additional problem, which Rob Crittenden is helping with, is that
>> I'm trying to install another replica (fileserver4) which fails when
>> setting up the CA:
>>
>> 2012-04-11 11:30:47,289 CRITICAL failed to configure ca instance
>> Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir'
>> '/tmp/tmp-JJIkrk' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>> 'LI1En8UwjZ2BYDcnu8nJ' '-domain_name' 'IPA' '-admin_user' 'admin'
>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
>> '-agent_key_type' 'rsa' '-agent_cert_subject'
>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu'
>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name'
>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU'
>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU'
>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU'
>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>> '-clone_p12_password' XXXXXXXX '-sd_hostname'
>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name'
>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero
>> exit status 255
>>
>> Sorry to dump a tonne of problems in one go, but you can see why I
>> think there's something (probably several things) badly wrong with my
>> installation.
>> I guess I was looking for a few very basic things to
>> check to ensure that the servers are fundamentally configured
>> properly.
>
>
> Unfortunately, it appears that some of your problems are unexpected and/or
> have not been seen before.

Hopefully I can fix them, as long as you don't mind my endless emails to the list.... :)

Thanks,

Dan

From bcook at redhat.com Fri Apr 13 19:27:05 2012
From: bcook at redhat.com (Brian Cook)
Date: Fri, 13 Apr 2012 12:27:05 -0700
Subject: [Freeipa-users] routing requests to local servers
Message-ID:

Has anyone worked any magic to keep DNS, kerberos and LDAP requests routed to local servers in an IPA setup where topology is separated by WAN links? I have looked at things like doing sorts in the DNS client configuration, BIND views, etc. but I would like to know if anyone else has tried to tackle this issue.

Thanks,
Brian

---
Brian Cook

From rmeggins at redhat.com Fri Apr 13 19:24:36 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 Apr 2012 13:24:36 -0600
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To:
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com>
Message-ID: <4F887D74.6050607@redhat.com>

On 04/13/2012 01:03 PM, Dan Scott wrote:
> Thanks for the quick response.
>
> Simo: Thanks - I'd prefer to clean it up properly rather than start
> from scratch. I haven't changed the LDAP schema at all. All I've done
> is use the IPA tools for user admin and add/remove replicas.
>
> I just felt like I've been emailing this list once a week or so for
> the past few months - I was beginning to think that it was beyond
> repair!
> :)
>
> On Fri, Apr 13, 2012 at 14:38, Rich Megginson wrote:
>> On 04/13/2012 12:22 PM, Dan Scott wrote:
>>> On Fri, Apr 13, 2012 at 13:43, Rich Megginson wrote:
>>>> On 04/13/2012 11:39 AM, Dan Scott wrote:
>>>>> I'm convinced that my LDAP directories contain lots of cruft which has
>>>>> built up and is causing problems on my system. There may even be some
>>>>> corruption since there's an entry which I'm unable to remove - this
>>>>> entry does not get replicated to the other servers.
>>>>
>>>> What version of 389-ds-base is this? Do you get any errors? It just
>>>> silently fails to delete this particular entry?
>>> [root at fileserver1 ~]# rpm -qa|grep 389
>>> 389-ds-base-libs-1.2.10.4-2.fc16.x86_64
>>> 389-ds-base-1.2.10.4-2.fc16.x86_64
>>> [root at fileserver1 ~]# ldapmodify -f rmfileserver5.ldif -D 'cn=directory
>>> manager' -W
>>> Enter LDAP Password:
>>> deleting entry
>>> "cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu"
>>> ldap_delete: Operation not allowed on non-leaf (66)
>>>
>>> [root at fileserver1 ~]# ldapsearch -D 'cn=directory manager' -W -v -b
>>> 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu'
>>> '(objectclass=*)'
>>> ldap_initialize( )
>>> Enter LDAP Password:
>>> filter: (objectclass=*)
>>> requesting: All userApplication attributes
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
>>> dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
>>> cn: fileserver5.ecg.mit.edu
>>> objectClass: top
>>> objectClass: nsContainer
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>> [root at fileserver1 ~]#
>>>
>>> If I'm interpreting this correctly, it can't be deleted because it's
>>> not a leaf node, but it doesn't have any sub-entries that I can delete
>>> first.
>>
>> You are correct. Try this:
>>
>> ldapsearch -D 'cn=directory manager' -W -v -b
>> 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu'
>> '(|(objectclass=nstombstone)(objectclass=*))'
> Ahh, so there are some 'child' entries:
>
> [root at fileserver1 ~]# ldapsearch -D 'cn=directory manager' -W -b
> 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu'
> '(|(objectclass=nstombstone)(objectclass=*))'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (|(objectclass=nstombstone)(objectclass=*))
> # requesting: ALL
> #
>
> # aaa2c704-63cf11e1-ac8dadbd-35182efb, fileserver5.ecg.mit.edu, masters, ipa,
> etc, ecg.mit.edu
> dn: nsuniqueid=aaa2c704-63cf11e1-ac8dadbd-35182efb,cn=fileserver5.ecg.mit.edu,
>  cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
> objectClass: top
> objectClass: nsContainer
> objectClass: nsTombstone
> cn: fileserver5.ecg.mit.edu
> nsParentUniqueId: 4fff591e-e48611e0-bf3681aa-d1a3957d
>
> # 17708e04-63dd11e1-9b079095-05c635b0, fileserver5.ecg.mit.edu, masters, ipa,
> etc, ecg.mit.edu
> dn: nsuniqueid=17708e04-63dd11e1-9b079095-05c635b0,cn=fileserver5.ecg.mit.edu,
>  cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
> objectClass: top
> objectClass: nsContainer
> objectClass: nsTombstone
> cn: fileserver5.ecg.mit.edu
> nsParentUniqueId: 4fff591e-e48611e0-bf3681aa-d1a3957d
>
> # 5ceb8604-63f211e1-bc108552-1fbf39e2, fileserver5.ecg.mit.edu, masters, ipa,
> etc, ecg.mit.edu
> dn: nsuniqueid=5ceb8604-63f211e1-bc108552-1fbf39e2,cn=fileserver5.ecg.mit.edu,
>  cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
> objectClass: top
> objectClass: nsContainer
> objectClass: nsTombstone
> cn: fileserver5.ecg.mit.edu
> nsParentUniqueId: 4fff591e-e48611e0-bf3681aa-d1a3957d
>
> # fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
> dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
> cn: fileserver5.ecg.mit.edu
> objectClass: top
> objectClass: nsContainer
>
> # c480f184-83f011e1-90d1df13-bba55eff, HTTP, fileserver5.ecg.mit.edu, masters
> , ipa, etc, ecg.mit.edu
> dn: nsuniqueid=c480f184-83f011e1-90d1df13-bba55eff,cn=HTTP,cn=fileserver5.ecg.
>  mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
> objectClass: nsContainer
> objectClass: ipaConfigObject
> objectClass: top
> objectClass: nsTombstone
> ipaConfigString: enabledService
> ipaConfigString: startOrder 40
> cn: HTTP
> nsParentUniqueId: 1eba8a03-642311e1-9b95afe9-fc1b53ef
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 6
> # numEntries: 5
>
> Is it safe to delete them?

Yes.

>
>>>>> I also see
>>>>> inconsistent replication states on the servers. i.e. server1 shows
>>>>> that it's replicating with server2 but server2 does not show that it's
>>>>> replicating with server1.
>>>>
>>>> Do you have errors in the server2 log showing that it is attempting to
>>>> replicate with server1 but failing with some error?
>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver1.ecg.mit.edu
>>> Directory Manager password:
>>>
>>> fileserver2.ecg.mit.edu
>>>   last init status: None
>>>   last init ended: None
>>>   last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>   last update ended: 2012-04-13 17:57:39+00:00
>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver2.ecg.mit.edu
>>> Directory Manager password:
>>>
>>> fileserver1.ecg.mit.edu
>>>   last init status: None
>>>   last init ended: None
>>>   last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>   last update ended: 2012-04-13 17:57:41+00:00
>>> fileserver3.ecg.mit.edu
>>>   last init status: None
>>>   last init ended: None
>>>   last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>   last update ended: 2012-04-13 17:57:41+00:00
>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v fileserver3.ecg.mit.edu
>>> Directory Manager password:
>>>
>>> fileserver2.ecg.mit.edu
>>>   last init status: None
>>>   last init ended: None
>>>   last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>   last update ended: 2012-04-13 17:57:44+00:00
>>> fileserver1.ecg.mit.edu
>>>   last init status: None
>>>   last init ended: None
>>>   last update status: 0 Replica acquired successfully: Incremental
>>> update succeeded
>>>   last update ended: 2012-04-13 17:57:43+00:00
>>> [root at fileserver1 ~]#
>>>
>>> fileserver1's (and fileserver2's) /var/log/dirsrv/slapd-PKI-IPA/errors
>>> contains lots of:
>>> [13/Apr/2012:13:57:43 -0400] NSMMReplicationPlugin -
>>> repl_set_mtn_referrals: could not set referrals for replica o=ipaca:
>>> 20
>>
>> This error usually means a replica was deleted and the RUV needs to be
>> cleaned.
>> see http://port389.org/wiki/Howto:CLEANRUV
>> and
>> https://fedorahosted.org/freeipa/ticket/2303
>> and
>> https://fedorahosted.org/389/ticket/337
> OK, I've seen this before - is it important to remove them? I've had
> to add and remove replicas so much that I don't really want to do it
> unless it's necessary. I'm happy to live with them if it's not a
> problem.

It's not a problem until it's a problem :-) I would go ahead and run CLEANRUV.

>
>>> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of:
>>> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send
>>> startTLS request: error -1 (Can't contact LDAP server) errno 107
>>> (Transport endpoint is not connected)
>>
>> This is a real connection error - could be cert or hostname lookup related.
> How do I find out if it's cert or hostname lookup? Which hostname?
> Fileserver3 runs DNS, and it seems to be working fine.
Try ldapsearch - on server3 LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch -x -ZZ -H ldap://server2.fqdn -D "cn=directory manager" -W -s base -b "" If that works, check to make sure the replication agreement has the correct server2.fqdn If that doesn't work, use ldapsearch -d 1 -x ..... to get further debugging information. > >>> [13/Apr/2012:13:57:39 -0400] NSMMReplicationPlugin - >>> repl_set_mtn_referrals: could not set referrals for replica o=ipaca: >>> 20 >>> >>> fileserver2's non-PKI replication agreements to both fileserver1 and 3 >>> are in place, but both say: Incremental update has failed and requires >>> administrator actionSystem error. >> >> >>> When I try to re-initialize: >>> >>> [root at fileserver2 ~]# ipa-replica-manage re-initialize --from >>> fileserver3.ecg.mit.edu >>> Directory Manager password: >>> >>> [fileserver3.ecg.mit.edu] reports: Replica Busy! Status: [1 >>> Replication error acquiring replica: replica busy] >> >> This is a transient condition. > Fileserver2 is busy? Yes. > The /var/log/dirsrv/slapd-ECG-MIT-EDU/errors is > now full of: > > [13/Apr/2012:14:59:19 -0400] NSMMReplicationPlugin - conn=1 op=571 > csn=4f70a9e5000100060000: Can't created glue entry > cn=fileserver4.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu > uniqueid=6949d104-775b11e1-abce82a1-a45dd3c3, error 68 > > Should I delete the LDAP entry which is trying to replicate > fileserver2 with fileserver4? Yes. And it may be due to the fact that the entry it is trying to delete has those tombstone children that have to be deleted too. > >>> this command has been running for 1/2hr and produced no more output >>> (fileserver2 is the remaining server running Fedora 15, the others are >>> Fedora 16 with latest updates). >> >> Not sure how ipa-replica-manage handles busy - does it keep trying until it >> is not busy? >> >> >>>>> Is there some way that I can refresh/clean my LDAP directories and >>>>> ensure that everything's running correctly. 
>>>> We first need to find out what's going on and why you are seeing these >>>> failures before we can recommend a particular course of action. There is >>>> currently no "find all of my problems and fix them" command. >>> :) Wish there was. It's just that I've been having lots of problems >>> recently and I was thinking that there is something fundamentally >>> wrong with my installation. I keep having to ask you guys for help. >> >> I think some of these problems were due to the fact that an alpha version of >> 389 got pushed to the Stable repo in F-16, and in between that alpha version >> and the real "Stable" version we were forced to change the database format >> to fix a serious issue, and that introduced some inconsistencies into the >> database upon upgrade. > Yeah, I think most of my troubles have started since that version. > Hope I can get it fixed! :) > >>> An additional problem, which Rob Crittenden is helping with is that >>> I'm trying to install another replica (fileserver4) which fails when >>> setting up the CA: >>> >>> 2012-04-11 11:30:47,289 CRITICAL failed to configure ca instance >>> Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' >>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir' >>> '/tmp/tmp-JJIkrk' '-client_certdb_pwd' XXXXXXXX '-preop_pin' >>> 'LI1En8UwjZ2BYDcnu8nJ' '-domain_name' 'IPA' '-admin_user' 'admin' >>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX >>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' >>> '-agent_key_type' 'rsa' '-agent_cert_subject' >>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu' >>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' >>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' >>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' >>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' >>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA >>> 
Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP >>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name' >>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU' >>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU' >>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU' >>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' >>> '-clone_p12_password' XXXXXXXX '-sd_hostname' >>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name' >>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' >>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero >>> exit status 255 >>> >>> Sorry to dump a tonne of problems in one go, but you can see why I >>> think there's something (probably several things) badly wrong with my >>> installation. I guess I was looking for a few very basic things to >>> check to ensure that the servers are fundamentally configured >>> properly. >> >> Unfortunately, it appears that some of your problems are unexpected and/or >> have not been seen before. > Hopefully I can fix them, as long as you don't mind my endless emails > to the list.... :) At some point, you may run into diminishing returns trying to fix your current broken installation - that is, the time spent playing whack-a-mole with these problems might be better spent starting over from scratch . . . > > Thanks, > > Dan From rcritten at redhat.com Fri Apr 13 19:30:59 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 13 Apr 2012 15:30:59 -0400 Subject: [Freeipa-users] routing requests to local servers In-Reply-To: References: Message-ID: <4F887EF3.5090905@redhat.com> Brian Cook wrote: > Has anyone worked any magic to keep DNS, kerberos and LDAP request > routed to local servers in an IPA setup where topology is separated by > WAN links? > > I have looked at things like doing sorts in the DNS client > configuration, BIND views, etc. 
but I would like to know if anyone else
> has tried to tackle this issue.

Which clients? For some things (logins, etc) you can reverse the order of the servers in /etc/sssd/sssd.conf so a fixed server comes before the _srv_ entry in ipa_server. This way you can point at a desired server but still be able to fall back to DNS if it is down.

rob

From bcook at redhat.com Fri Apr 13 20:04:55 2012
From: bcook at redhat.com (Brian Cook)
Date: Fri, 13 Apr 2012 13:04:55 -0700
Subject: [Freeipa-users] routing requests to local servers
In-Reply-To: <4F887EF3.5090905@redhat.com>
References: <4F887EF3.5090905@redhat.com>
Message-ID: 

Ideally I would rely on a -group- of servers, and then rely on DNS if it is down. I don't want to hammer one server. We're talking about 500-1000 servers running virtual machines, so potentially a lot of traffic. Got any suggestions for that?

---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079

On Apr 13, 2012, at 12:30 PM, Rob Crittenden wrote:

> Brian Cook wrote:
>> Has anyone worked any magic to keep DNS, kerberos and LDAP request
>> routed to local servers in an IPA setup where topology is separated by
>> WAN links?
>>
>> I have looked at things like doing sorts in the DNS client
>> configuration, BIND views, etc. but I would like to know if anyone else
>> has tried to tackle this issue.
>
> Which clients? For some things (logins, etc) you can reverse the order of the servers in /etc/sssd/sssd.conf so a fixed server comes before the _srv_ entry in ipa_server. This way you can point at a desired server but still be able to fall back to DNS if it is down.
>
> rob
From rcritten at redhat.com Fri Apr 13 20:25:35 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 Apr 2012 16:25:35 -0400
Subject: [Freeipa-users] ipa-client-install on CentOS 5 creating zero-length /etc/sysconfig/network file
In-Reply-To: 
References: <4F885DD6.7070800@redhat.com> <4F885FDE.2080803@redhat.com>
Message-ID: <4F888BBF.2090308@redhat.com>

Kelvin Edmison wrote:
>
> On 2012-04-13, at 1:18 PM, Rob Crittenden wrote:
>
>> Kelvin Edmison wrote:
>>>
>>> On 2012-04-13, at 1:09 PM, Rob Crittenden wrote:
>>>
>>>> Kelvin Edmison wrote:
>>>>> Hi,
>>>>>
>>>>> When troubleshooting what I thought was an NFS4 issue, I have found what looks to be a bug in ipa-client-install.
>>>>>
>>>>> On a CentOS 5.8 machine, I ran
>>>>> ipa-client-install --no-ntp --force --hostname=kelvin-c5.
>>>>> and successfully bound to the domain.
>>>>>
>>>>> I am now trying to get nfs4 up and running, and found that idmapd was not starting. I traced that back to an empty /etc/sysconfig/network file, and ipa-client-install looks to be the cause.
>>>>>
>>>>> [root at kelvin-c5 ~]# ls -al /etc/sysconfig/network /etc/sysconfig/network.orig /var/lib/ipa-client/sysrestore/*-network
>>>>> -rw------- 1 root root 0 Apr 13 11:58 /etc/sysconfig/network
>>>>> -rw-r--r-- 1 root root 54 Aug 12 2011 /etc/sysconfig/network.orig
>>>>> -rw-r--r-- 1 root root 54 Aug 12 2011 /var/lib/ipa-client/sysrestore/477d00fd6ff85634-network
>>>>>
>>>>> I looked back on another CentOS 5 machine we have, and the same problem exists there.
>>>>>
>>>>> I was surprised to see that most network services were working when the file was empty. It turns out that many network services start properly with an empty /etc/sysconfig/network file, but some do not. It appears to be down to the structure of the test in the init scripts; e.g.
>>>>> [ "${NETWORKING}" = "no" ] && exit 0
>>>>> vs.
>>>>> [ "${NETWORKING}" != "yes" ] && exit 6
>>>>>
>>>>> So, is this a bug in ipa-client-install?
>>>>> Can I just copy my network.orig back into place in order to get rpcidmapd and friends to run correctly?
>>>>
>>>> Yes, it should be safe to copy that file back. What we try to do is ensure that the hostname provided to ipa-client-install is reflected in /etc/sysconfig/networking.
>>>>
>>>> What rpm version of ipa-client-install are you using?
>>>
>>> ipa-client-2.1.3-1.el5
>>
>> Hmm, strange. I don't think this is specific to el5, you were just the lucky contestant to find this bug. Can you provide the contents of the original network file? It is probable that our replacement function isn't doing the right thing.
>>
> Gladly.
>
> [root at kelvin-c5 ~]# cat /etc/sysconfig/network
> NETWORKING=yes
> NETWORKING_IPV6=yes
> HOSTNAME=kelvin-c5
> [root at kelvin-c5 ~]#
>
> The hostname is not a FQDN because we are growing from an environment where the domainname is assigned via DHCP.

Ok, I'll open a ticket on this. It may be that we assume that the hostname is always found.

rob

From jhrozek at redhat.com Fri Apr 13 20:28:39 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 13 Apr 2012 22:28:39 +0200
Subject: [Freeipa-users] routing requests to local servers
In-Reply-To: 
References: <4F887EF3.5090905@redhat.com>
Message-ID: <20120413202839.GE26246@hendrix.redhat.com>

On Fri, Apr 13, 2012 at 01:04:55PM -0700, Brian Cook wrote:
> Ideally I would rely on a -group- of servers, and then rely on DNS if it
> is down. I don't want to hammer one server. We're talking about 500-1000
> servers running virtual machines, so potentially a lot of traffic. Got
> any suggestions for that?

Hello Brian,

I'm not sure I understand what you are trying to achieve. Are you trying
to spread the client load among replicas? If so, then I think the SRV
records in DNS are really the best answer. You can organize the servers
in "tiers" by using the priority field and then spread the load in a
tier by using the "weight" field.
From danieljamesscott at gmail.com Fri Apr 13 20:30:23 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 13 Apr 2012 16:30:23 -0400
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To: <4F887D74.6050607@redhat.com>
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com> <4F887D74.6050607@redhat.com>
Message-ID: 

On Fri, Apr 13, 2012 at 15:24, Rich Megginson wrote:
> On 04/13/2012 01:03 PM, Dan Scott wrote:
>>>> If I'm interpreting this correctly, it can't be deleted because it's
>>>> not a leaf node, but it doesn't have any sub-entries that I can delete
>>>> first.
>>>
>>> You are correct. Try this:
>>>
>>> ldapsearch -D 'cn=directory manager' -W -v -b
>>>
>>> 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu'
>>> '(|(objectclass=nstombstone)(objectclass=*))'
>>
>> Ahh, so there are some 'child' entries:
>> [snip]
>> Is it safe to delete them?
>
> Yes.

I deleted them, but it's still complaining about a non-leaf:

[root at fileserver1 ~]# ldapmodify -f rmfileserver5.ldif -D 'cn=directory manager' -W
Enter LDAP Password:
deleting entry "cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu"
ldap_delete: Operation not allowed on non-leaf (66)

[root at fileserver1 ~]# ldapsearch -D 'cn=directory manager' -W -b 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu' '(|(objectclass=nstombstone)(objectclass=*))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (|(objectclass=nstombstone)(objectclass=*))
# requesting: ALL
#

# fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu
dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
cn: fileserver5.ecg.mit.edu
objectClass: top
objectClass: nsContainer

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root at fileserver1 ~]#

>>>>>> I also see
>>>>>> inconsistent replication states on the
servers. i.e. server1 shows
>>>>>> that it's replicating with server2 but server2 does not show that it's
>>>>>> replicating with server1.
>>>>>
>>>>>
>>>>> Do you have errors in the server2 log showing that it is attempting to
>>>>> replicate with server1 but failing with some error?
>>>>
>>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v
>>>> fileserver1.ecg.mit.edu
>>>> Directory Manager password:
>>>>
>>>> fileserver2.ecg.mit.edu
>>>>   last init status: None
>>>>   last init ended: None
>>>>   last update status: 0 Replica acquired successfully: Incremental
>>>> update succeeded
>>>>   last update ended: 2012-04-13 17:57:39+00:00
>>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v
>>>> fileserver2.ecg.mit.edu
>>>> Directory Manager password:
>>>>
>>>> fileserver1.ecg.mit.edu
>>>>   last init status: None
>>>>   last init ended: None
>>>>   last update status: 0 Replica acquired successfully: Incremental
>>>> update succeeded
>>>>   last update ended: 2012-04-13 17:57:41+00:00
>>>> fileserver3.ecg.mit.edu
>>>>   last init status: None
>>>>   last init ended: None
>>>>   last update status: 0 Replica acquired successfully: Incremental
>>>> update succeeded
>>>>   last update ended: 2012-04-13 17:57:41+00:00
>>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v
>>>> fileserver3.ecg.mit.edu
>>>> Directory Manager password:
>>>>
>>>> fileserver2.ecg.mit.edu
>>>>   last init status: None
>>>>   last init ended: None
>>>>   last update status: 0 Replica acquired successfully: Incremental
>>>> update succeeded
>>>>   last update ended: 2012-04-13 17:57:44+00:00
>>>> fileserver1.ecg.mit.edu
>>>>   last init status: None
>>>>   last init ended: None
>>>>   last update status: 0 Replica acquired successfully: Incremental
>>>> update succeeded
>>>>
last update ended: 2012-04-13 17:57:43+00:00 >>>> [root at fileserver1 ~]# >>>> >>>> fileserver1's (and fileserver2s) /var/log/dirsrv/slapd-PKI-IPA/errors >>>> contains lots of: >>>> [13/Apr/2012:13:57:43 -0400] NSMMReplicationPlugin - >>>> repl_set_mtn_referrals: could not set referrals for replica o=ipaca: >>>> 20 >>> >>> >>> This error usually means a replica was deleted and the RUV needs to be >>> cleaned. >>> see http://port389.org/wiki/Howto:CLEANRUV >>> and >>> https://fedorahosted.org/freeipa/ticket/2303 >>> and >>> https://fedorahosted.org/389/ticket/337 >> >> OK, I've seen this before - is it important to remove them? I've had >> to add and remove replicas so much that I don't really want to do it >> unless it's necessary. I'm happy to live with them if it's not a >> problem. > > > It's not a problem until it's a problem :-) ?I would go ahead and run > CLEANRUV. I cleaned up a load of these entries, but now I think I've broken the replication between fileserver1 and 3: fileserver1:/var/log/dirsrv/slapd-ECG-MIT-EDU/errors [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - changelog program - agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): CSN 4f5039960000002b0000 not found, we aren't as up to date, or we purged [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): Data required to update replica has been purged. The replica must be reinitialized. 
[13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): Incremental update failed and requires administrator action fileserver3:/var/log/dirsrv/slapd-ECG-MIT-EDU/errors [13/Apr/2012:16:19:38 -0400] NSMMReplicationPlugin - changelog program - agmt="cn=meTofileserver1.ecg.mit.edu" (fileserver1:389): CSN 4f031e76001d000b0000 not found, we aren't as up to date, or we purged Is it safe to run: [root at fileserver3 ~]# ipa-replica-manage re-initialize --from fileserver1.ecg.mit.edu I want to make sure I get it the correct way round! >>>> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of: >>>> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send >>>> startTLS request: error -1 (Can't contact LDAP server) errno 107 >>>> (Transport endpoint is not connected) >>> >>> >>> This is a real connection error - could be cert or hostname lookup >>> related. >> >> How do I find out if it's cert or hostname lookup? Which hostname? >> Fileserver3 runs DNS, and it seems to be working fine. > > > Try ldapsearch - on server3 > > LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch -x -ZZ -H > ldap://server2.fqdn -D "cn=directory manager" -W -s base -b "" > > If that works, check to make sure the replication agreement has the correct > server2.fqdn > > If that doesn't work, use ldapsearch -d 1 -x ..... to get further debugging > information. The replication agreements (according to ipa-replica-manage) all have the correct host names - I'm not sure what ldapsearch command to run to check the replication agreements. 
>> The /var/log/dirsrv/slapd-ECG-MIT-EDU/errors is
>> now full of:
>>
>> [13/Apr/2012:14:59:19 -0400] NSMMReplicationPlugin - conn=1 op=571
>> csn=4f70a9e5000100060000: Can't created glue entry
>> cn=fileserver4.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
>> uniqueid=6949d104-775b11e1-abce82a1-a45dd3c3, error 68
>>
>> Should I delete the LDAP entry which is trying to replicate
>> fileserver2 with fileserver4?
>
> Yes. And it may be due to the fact that the entry it is trying to delete
> has those tombstone children that have to be deleted too.

OK, I'll see how this goes, once the tombstones are gone.

Thanks,

Dan

From rmeggins at redhat.com Fri Apr 13 20:41:40 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 Apr 2012 14:41:40 -0600
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To: 
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com> <4F887D74.6050607@redhat.com>
Message-ID: <4F888F84.8080303@redhat.com>

On 04/13/2012 02:30 PM, Dan Scott wrote:
> On Fri, Apr 13, 2012 at 15:24, Rich Megginson wrote:
>> On 04/13/2012 01:03 PM, Dan Scott wrote:
>>>>> If I'm interpreting this correctly, it can't be deleted because it's
>>>>> not a leaf node, but it doesn't have any sub-entries that I can delete
>>>>> first.
>>>> You are correct. Try this:
>>>>
>>>> ldapsearch -D 'cn=directory manager' -W -v -b
>>>>
>>>> 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu'
>>>> '(|(objectclass=nstombstone)(objectclass=*))'
>>> Ahh, so there are some 'child' entries:
>>>
> [snip]
>
>>> Is it safe to delete them?
>> Yes.
> I deleted them, but it's still complaining about a non-leaf: > > [root at fileserver1 ~]# ldapmodify -f rmfileserver5.ldif -D > 'cn=directory manager' -W > Enter LDAP Password: > deleting entry "cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu" > ldap_delete: Operation not allowed on non-leaf (66) > > [root at fileserver1 ~]# ldapsearch -D 'cn=directory manager' -W -b > 'cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu' > '(|(objectclass=nstombstone)(objectclass=*))' > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base > with scope subtree > # filter: (|(objectclass=nstombstone)(objectclass=*)) > # requesting: ALL > # > > # fileserver5.ecg.mit.edu, masters, ipa, etc, ecg.mit.edu > dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu > cn: fileserver5.ecg.mit.edu > objectClass: top > objectClass: nsContainer > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > [root at fileserver1 ~]# Wow - never seen this one before > >>>>>>> I also see >>>>>>> inconsistent replication states on the servers. i.e. server1 shows >>>>>>> that it's replicating with server2 but server2 does not show that it's >>>>>>> replicating with server1. >>>>>> >>>>>> Do you have errors in the server2 log showing that it is attempting to >>>>>> replicate with server1 but failing with some error? 
>>>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v >>>>> fileserver1.ecg.mit.edu >>>>> Directory Manager password: >>>>> >>>>> fileserver2.ecg.mit.edu >>>>> last init status: None >>>>> last init ended: None >>>>> last update status: 0 Replica acquired successfully: Incremental >>>>> update succeeded >>>>> last update ended: 2012-04-13 17:57:39+00:00 >>>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v >>>>> fileserver2.ecg.mit.edu >>>>> Directory Manager password: >>>>> >>>>> fileserver1.ecg.mit.edu >>>>> last init status: None >>>>> last init ended: None >>>>> last update status: 0 Replica acquired successfully: Incremental >>>>> update succeeded >>>>> last update ended: 2012-04-13 17:57:41+00:00 >>>>> fileserver3.ecg.mit.edu >>>>> last init status: None >>>>> last init ended: None >>>>> last update status: 0 Replica acquired successfully: Incremental >>>>> update succeeded >>>>> last update ended: 2012-04-13 17:57:41+00:00 >>>>> [root at fileserver1 ~]# ipa-csreplica-manage list -v >>>>> fileserver3.ecg.mit.edu >>>>> Directory Manager password: >>>>> >>>>> fileserver2.ecg.mit.edu >>>>> last init status: None >>>>> last init ended: None >>>>> last update status: 0 Replica acquired successfully: Incremental >>>>> update succeeded >>>>> last update ended: 2012-04-13 17:57:44+00:00 >>>>> fileserver1.ecg.mit.edu >>>>> last init status: None >>>>> last init ended: None >>>>> last update status: 0 Replica acquired successfully: Incremental >>>>> update succeeded >>>>> last update ended: 2012-04-13 17:57:43+00:00 >>>>> [root at fileserver1 ~]# >>>>> >>>>> fileserver1's (and fileserver2s) /var/log/dirsrv/slapd-PKI-IPA/errors >>>>> contains lots of: >>>>> [13/Apr/2012:13:57:43 -0400] NSMMReplicationPlugin - >>>>> repl_set_mtn_referrals: could not set referrals for replica o=ipaca: >>>>> 20 >>>> >>>> This error usually means a replica was deleted and the RUV needs to be >>>> cleaned. 
>>>> see http://port389.org/wiki/Howto:CLEANRUV >>>> and >>>> https://fedorahosted.org/freeipa/ticket/2303 >>>> and >>>> https://fedorahosted.org/389/ticket/337 >>> OK, I've seen this before - is it important to remove them? I've had >>> to add and remove replicas so much that I don't really want to do it >>> unless it's necessary. I'm happy to live with them if it's not a >>> problem. >> >> It's not a problem until it's a problem :-) I would go ahead and run >> CLEANRUV. > I cleaned up a load of these entries, but now I think I've broken the > replication between fileserver1 and 3: > > fileserver1:/var/log/dirsrv/slapd-ECG-MIT-EDU/errors > [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - changelog program > - agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): CSN > 4f5039960000002b0000 not found, we aren't as up to date, or we purged > [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - > agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): Data required > to update replica has been purged. The replica must be reinitialized. > [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - > agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): Incremental > update failed and requires administrator action > > fileserver3:/var/log/dirsrv/slapd-ECG-MIT-EDU/errors > [13/Apr/2012:16:19:38 -0400] NSMMReplicationPlugin - changelog program > - agmt="cn=meTofileserver1.ecg.mit.edu" (fileserver1:389): CSN > 4f031e76001d000b0000 not found, we aren't as up to date, or we purged > > Is it safe to run: > [root at fileserver3 ~]# ipa-replica-manage re-initialize --from > fileserver1.ecg.mit.edu > > I want to make sure I get it the correct way round! Are you sure that fileserver1 has the correct data? 
> >>>>> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of: >>>>> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send >>>>> startTLS request: error -1 (Can't contact LDAP server) errno 107 >>>>> (Transport endpoint is not connected) >>>> >>>> This is a real connection error - could be cert or hostname lookup >>>> related. >>> How do I find out if it's cert or hostname lookup? Which hostname? >>> Fileserver3 runs DNS, and it seems to be working fine. >> >> Try ldapsearch - on server3 >> >> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch -x -ZZ -H >> ldap://server2.fqdn -D "cn=directory manager" -W -s base -b "" >> >> If that works, check to make sure the replication agreement has the correct >> server2.fqdn >> >> If that doesn't work, use ldapsearch -d 1 -x ..... to get further debugging >> information. > The replication agreements (according to ipa-replica-manage) all have > the correct host names - I'm not sure what ldapsearch command to run > to check the replication agreements. ipa-replica-manage --list? or something like that? > >>> The /var/log/dirsrv/slapd-ECG-MIT-EDU/errors is >>> now full of: >>> >>> [13/Apr/2012:14:59:19 -0400] NSMMReplicationPlugin - conn=1 op=571 >>> csn=4f70a9e5000100060000: Can't created glue entry >>> cn=fileserver4.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu >>> uniqueid=6949d104-775b11e1-abce82a1-a45dd3c3, error 68 >>> >>> Should I delete the LDAP entry which is trying to replicate >>> fileserver2 with fileserver4? >> >> Yes. And it may be due to the fact that the entry it is trying to delete >> has those tombstone children that have to be deleted too. > OK, I'll see how this goes, once the tombstones are gone. 
> > Thanks, > > Dan From kelvin at kindsight.net Fri Apr 13 20:45:10 2012 From: kelvin at kindsight.net (Kelvin Edmison) Date: Fri, 13 Apr 2012 16:45:10 -0400 Subject: [Freeipa-users] ipa-client-install on CentOS 5 creating zero-length /etc/sysconfig/network file In-Reply-To: <4F888BBF.2090308@redhat.com> References: <4F885DD6.7070800@redhat.com> <4F885FDE.2080803@redhat.com> <4F888BBF.2090308@redhat.com> Message-ID: On 2012-04-13, at 4:25 PM, Rob Crittenden wrote: > Kelvin Edmison wrote: >> >> On 2012-04-13, at 1:18 PM, Rob Crittenden wrote: >> >>> Kelvin Edmison wrote: >>>> >>>> On 2012-04-13, at 1:09 PM, Rob Crittenden wrote: >>>> >>>>> Kelvin Edmison wrote: >>>>>> Hi, >>>>>> >>>>>> When troubleshooting what I thought was an NFS4 issue, I have found what looks to be a bug in ipa-client-install. >>>>>> >>>>>> On a CentOS 5.8 machine, I ran >>>>>> ipa-client-install --no-ntp --force --hostname=kelvin-c5. >>>>>> and successfully bound to the domain. >>>>>> >>>>>> I am now trying to get nfs4 up and running, and found that idmapd was not starting. I traced that back to an empty /etc/sysconfig/network file, and ipa-client-install looks to be the cause. >>>>>> >>>>>> [root at kelvin-c5 ~]# ls -al /etc/sysconfig/network /etc/sysconfig/network.orig /var/lib/ipa-client/sysrestore/*-network >>>>>> -rw------- 1 root root 0 Apr 13 11:58 /etc/sysconfig/network >>>>>> -rw-r--r-- 1 root root 54 Aug 12 2011 /etc/sysconfig/network.orig >>>>>> -rw-r--r-- 1 root root 54 Aug 12 2011 /var/lib/ipa-client/sysrestore/477d00fd6ff85634-network >>>>>> >>>>>> I looked back on another CentOS 5 machine we have, and the same problem exists there. >>>>>> >>>>>> I was surprised to see that most network services were working when the file was empty. It turns out that many network services start properly with an empty /etc/sysconfig/network file, but some do not. It appears to be down to the structure of the test in the init scripts; e.g. >>>>>> [ "${NETWORKING}" = "no" ]&& exit 0 >>>>>> vs. 
>>>>>> [ "${NETWORKING}" != "yes" ] && exit 6
>>>>>>
>>>>>> So, is this a bug in ipa-client-install?
>>>>>> Can I just copy my network.orig back into place in order to get rpcidmapd and friends to run correctly?
>>>>>
>>>>> Yes, it should be safe to copy that file back. What we try to do is ensure that the hostname provided to ipa-client-install is reflected in /etc/sysconfig/networking.
>>>>>
>>>>> What rpm version of ipa-client-install are you using?
>>>>
>>>> ipa-client-2.1.3-1.el5
>>>
>>> Hmm, strange. I don't think this is specific to el5, you were just the lucky contestant to find this bug. Can you provide the contents of the original network file? It is probable that our replacement function isn't doing the right thing.
>>>
>> Gladly.
>>
>> [root at kelvin-c5 ~]# cat /etc/sysconfig/network
>> NETWORKING=yes
>> NETWORKING_IPV6=yes
>> HOSTNAME=kelvin-c5
>> [root at kelvin-c5 ~]#
>>
>> The hostname is not a FQDN because we are growing from an environment where the domainname is assigned via DHCP.
>
> Ok, I'll open a ticket on this. It may be that we assume that the hostname is always found.

Some info that may help reproducing the issue:

On that host, I found that dnsdomainname was returning nothing, which is unusual in our environment. It turned out that was because the bare hostname (kelvin-c5) was in the /etc/hosts for 127.0.0.1. This was different than other machines we have, and deleting the kelvin-c5 from the 127.0.0.1 entry actually made dnsdomainname work again.

Regards,
Kelvin

From danieljamesscott at gmail.com Fri Apr 13 21:40:49 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 13 Apr 2012 17:40:49 -0400
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To: <4F888F84.8080303@redhat.com>
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com> <4F887D74.6050607@redhat.com> <4F888F84.8080303@redhat.com>
Message-ID: 

On Fri, Apr 13, 2012 at 16:41, Rich Megginson wrote:
> On 04/13/2012 02:30 PM, Dan Scott wrote:
>>
>> On Fri, Apr 13, 2012 at 15:24, Rich Megginson wrote:
>>> It's not a problem until it's a problem :-) I would go ahead and run
>>> CLEANRUV.
>>
>> I cleaned up a load of these entries, but now I think I've broken the
>> replication between fileserver1 and 3:
>>
>> fileserver1:/var/log/dirsrv/slapd-ECG-MIT-EDU/errors
>> [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - changelog program
>> - agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): CSN
>> 4f5039960000002b0000 not found, we aren't as up to date, or we purged
>> [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): Data required
>> to update replica has been purged. The replica must be reinitialized.
>> [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin -
>> agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): Incremental
>> update failed and requires administrator action
>>
>> fileserver3:/var/log/dirsrv/slapd-ECG-MIT-EDU/errors
>> [13/Apr/2012:16:19:38 -0400] NSMMReplicationPlugin - changelog program
>> - agmt="cn=meTofileserver1.ecg.mit.edu" (fileserver1:389): CSN
>> 4f031e76001d000b0000 not found, we aren't as up to date, or we purged
>>
>> Is it safe to run:
>> [root at fileserver3 ~]# ipa-replica-manage re-initialize --from
>> fileserver1.ecg.mit.edu
>>
>> I want to make sure I get it the correct way round!
>
>
> Are you sure that fileserver1 has the correct data?

Maybe? :)

I've snapshotted both VMs and re-initialized from fileserver1 - looking good so far.

I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] does not contain element" errors in the logs for each of fileservers 1, 2 and 3.
The ldapsearch for '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' is still showing entries though. Is that OK?

Also, the PKI-CA error logs are showing RUV errors, should I clean those too? I guess that I need to modify the commands (-b o=ipaca -p 7389 -h localhost).

>>>>>> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of:
>>>>>> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send
>>>>>> startTLS request: error -1 (Can't contact LDAP server) errno 107
>>>>>> (Transport endpoint is not connected)
>>>>>
>>>>> This is a real connection error - could be cert or hostname lookup
>>>>> related.
>>>>
>>>> How do I find out if it's cert or hostname lookup? Which hostname?
>>>> Fileserver3 runs DNS, and it seems to be working fine.
>>>
>>> Try ldapsearch - on server3
>>>
>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch -x -ZZ -H
>>> ldap://server2.fqdn -D "cn=directory manager" -W -s base -b ""
>>>
>>> If that works, check to make sure the replication agreement has the
>>> correct server2.fqdn
>>>
>>> If that doesn't work, use ldapsearch -d 1 -x ..... to get further
>>> debugging information.
>>
>> The replication agreements (according to ipa-replica-manage) all have
>> the correct host names - I'm not sure what ldapsearch command to run
>> to check the replication agreements.
>
> ipa-replica-manage --list? or something like that?

That's what I was using - they are all correct.

>>>> The /var/log/dirsrv/slapd-ECG-MIT-EDU/errors is
>>>> now full of:
>>>>
>>>> [13/Apr/2012:14:59:19 -0400] NSMMReplicationPlugin - conn=1 op=571
>>>> csn=4f70a9e5000100060000: Can't created glue entry
>>>> cn=fileserver4.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu
>>>> uniqueid=6949d104-775b11e1-abce82a1-a45dd3c3, error 68
>>>>
>>>> Should I delete the LDAP entry which is trying to replicate
>>>> fileserver2 with fileserver4?
>>>
>>> Yes.
>>> And it may be due to the fact that the entry it is trying to delete
>>> has those tombstone children that have to be deleted too.
>>
>> OK, I'll see how this goes, once the tombstones are gone.

The tombstones for ECG-MIT-EDU are gone now, still receiving this message in the logs.

I think that's enough for this week - I'll look into it more next week. Thanks for your help, have a good weekend.

Dan

From pspacek at redhat.com Fri Apr 13 21:41:30 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 13 Apr 2012 23:41:30 +0200
Subject: [Freeipa-users] routing requests to local servers - DNS SRV + view?
In-Reply-To: <20120413202839.GE26246@hendrix.redhat.com>
References: <4F887EF3.5090905@redhat.com> <20120413202839.GE26246@hendrix.redhat.com>
Message-ID: <4F889D8A.2060502@redhat.com>

On 04/13/2012 10:28 PM, Jakub Hrozek wrote:
> On Fri, Apr 13, 2012 at 01:04:55PM -0700, Brian Cook wrote:
>> Ideally I would rely on a -group- of servers, and then rely on DNS if it
>> is down. I don't want to hammer one server. We're talking about 500-1000
>> servers running virtual machines, so potentially a lot of traffic. Got
>> any suggestions for that?
>
> Hello Brian,
>
> I'm not sure I understand what you are trying to achieve. Are you trying
> to spread the client load among replicas? If so, then I think the SRV
> records in DNS are really the best answer. You can organize the servers
> in "tiers" by using the priority field and then spread the load in a
> tier by using the "weight" field.

Greetings,

if I understand correctly, you need to set different priorities for SRV records and this new priority has to be dependent on the client's IP address.

AFAIK the only way to accomplish this is the BIND "view" clause. You have to:
- create a copy of the original zone for each location and modify the SRV record priorities
- then set up "views" and create a mapping between IP address <-> new zone

This way requires multiple copies of the original zone, each with small differences.
In the case of classical zone files this is not a big problem: you can keep the SRV records separated in small files and "$INCLUDE" the normal records into them from a single place.

In the case of an LDAP database it's much harder, because there is no simple $INCLUDE clause, I think. We have to consult the 389 guys about this problem ... It could be a task for some kind of directory server plugin.

Some examples and documentation:
http://wiki.sipfoundry.org/display/sipXecs/Location+based+DNS+views+for+sipXecs+using+BIND
(It belongs to some SIP solution, but it's exactly what you want.)

http://www.zytrax.com/books/dns/ch7/view.html

http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.ch06.html#view_statement_grammar

I'm adding the BIND maintainer to this discussion.

Petr^2 Spacek

From rmeggins at redhat.com Fri Apr 13 21:44:24 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 Apr 2012 15:44:24 -0600
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To:
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com> <4F887D74.6050607@redhat.com> <4F888F84.8080303@redhat.com>
Message-ID: <4F889E38.3030800@redhat.com>

On 04/13/2012 03:40 PM, Dan Scott wrote:
> On Fri, Apr 13, 2012 at 16:41, Rich Megginson wrote:
>> On 04/13/2012 02:30 PM, Dan Scott wrote:
>>> On Fri, Apr 13, 2012 at 15:24, Rich Megginson wrote:
>>>> It's not a problem until it's a problem :-) I would go ahead and run
>>>> CLEANRUV.
>>> I cleaned up a load of these entries, but now I think I've broken the >>> replication between fileserver1 and 3: >>> >>> fileserver1:/var/log/dirsrv/slapd-ECG-MIT-EDU/errors >>> [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - changelog program >>> - agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): CSN >>> 4f5039960000002b0000 not found, we aren't as up to date, or we purged >>> [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - >>> agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): Data required >>> to update replica has been purged. The replica must be reinitialized. >>> [13/Apr/2012:15:57:56 -0400] NSMMReplicationPlugin - >>> agmt="cn=meTofileserver3.ecg.mit.edu" (fileserver3:389): Incremental >>> update failed and requires administrator action >>> >>> fileserver3:/var/log/dirsrv/slapd-ECG-MIT-EDU/errors >>> [13/Apr/2012:16:19:38 -0400] NSMMReplicationPlugin - changelog program >>> - agmt="cn=meTofileserver1.ecg.mit.edu" (fileserver1:389): CSN >>> 4f031e76001d000b0000 not found, we aren't as up to date, or we purged >>> >>> Is it safe to run: >>> [root at fileserver3 ~]# ipa-replica-manage re-initialize --from >>> fileserver1.ecg.mit.edu >>> >>> I want to make sure I get it the correct way round! >> >> Are you sure that fileserver1 has the correct data? > Maybe? :) I've snapshotted both VMs and re-initialized from > fileserver1 - looking good so far. > > I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] does > not contain element" errors in the logs for each of fileservers 1, 2 > and 3. The ldapsearch for > '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' > is still showing entries though. Is that OK? The entry should exist, but the deleted servers should not be present in the nsds50ruv attribute. > > Also, the PKI-CA error logs are showing RUV errors, should I clean > those too? I guess that I need to modify the commands (-b o=ipaca -p > 7389 -h localhost). Yes. 
> >>>>>>> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of: >>>>>>> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send >>>>>>> startTLS request: error -1 (Can't contact LDAP server) errno 107 >>>>>>> (Transport endpoint is not connected) >>>>>> >>>>>> This is a real connection error - could be cert or hostname lookup >>>>>> related. >>>>> How do I find out if it's cert or hostname lookup? Which hostname? >>>>> Fileserver3 runs DNS, and it seems to be working fine. >>>> >>>> Try ldapsearch - on server3 >>>> >>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch -x -ZZ -H >>>> ldap://server2.fqdn -D "cn=directory manager" -W -s base -b "" >>>> >>>> If that works, check to make sure the replication agreement has the >>>> correct >>>> server2.fqdn >>>> >>>> If that doesn't work, use ldapsearch -d 1 -x ..... to get further >>>> debugging >>>> information. >>> The replication agreements (according to ipa-replica-manage) all have >>> the correct host names - I'm not sure what ldapsearch command to run >>> to check the replication agreements. >> >> ipa-replica-manage --list? or something like that? > That's what I was using - they are all correct. Ok. And the LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch ... is working? > >>>>> The /var/log/dirsrv/slapd-ECG-MIT-EDU/errors is >>>>> now full of: >>>>> >>>>> [13/Apr/2012:14:59:19 -0400] NSMMReplicationPlugin - conn=1 op=571 >>>>> csn=4f70a9e5000100060000: Can't created glue entry >>>>> cn=fileserver4.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu >>>>> uniqueid=6949d104-775b11e1-abce82a1-a45dd3c3, error 68 >>>>> >>>>> Should I delete the LDAP entry which is trying to replicate >>>>> fileserver2 with fileserver4? >>>> >>>> Yes. And it may be due to the fact that the entry it is trying to delete >>>> has those tombstone children that have to be deleted too. >>> OK, I'll see how this goes, once the tombstones are gone. 
> The tombstones for ECG-MIT-EDU are gone now, still receiving this
> message in the logs.
>
> I think that's enough for this week - I'll look into it more next
> week. Thanks for your help, have a good weekend.
>
> Dan

From bcook at redhat.com Sat Apr 14 03:00:29 2012
From: bcook at redhat.com (Brian Cook)
Date: Fri, 13 Apr 2012 20:00:29 -0700
Subject: [Freeipa-users] routing requests to local servers - DNS SRV + view?
In-Reply-To: <4F889D8A.2060502@redhat.com>
References: <4F887EF3.5090905@redhat.com> <20120413202839.GE26246@hendrix.redhat.com> <4F889D8A.2060502@redhat.com>
Message-ID:

Yes, this is exactly what I am trying to accomplish. I've already been looking into the BIND views clause and would like to hear if anyone has any feedback as to how well this works in the real world.

In this case the implementation of IPA is using an external standard BIND implementation loading from text files. However, views would be very useful for IPA to be able to do internally, so figuring out how to get this option into BIND using the 389ds backend would be a useful step.

Thanks,
Brian

---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079

On Apr 13, 2012, at 2:41 PM, Petr Spacek wrote:

> On 04/13/2012 10:28 PM, Jakub Hrozek wrote:
>> On Fri, Apr 13, 2012 at 01:04:55PM -0700, Brian Cook wrote:
>>> Ideally I would rely on a -group- of servers, and then rely on DNS if it
>>> is down. I don't want to hammer one server. We're talking about 500-1000
>>> servers running virtual machines, so potentially a lot of traffic. Got
>>> any suggestions for that?
>>
>> Hello Brian,
>>
>> I'm not sure I understand what you are trying to achieve. Are you trying
>> to spread the client load among replicas? If so, then I think the SRV
>> records in DNS are really the best answer. You can organize the servers
>> in "tiers" by using the priority field and then spread the load in a
>> tier by using the "weight" field.
>
> Greetings,
>
> if I understand correctly, you need to set different priorities for SRV records and this new priority has to be dependent on the client's IP address.
>
> AFAIK the only way to accomplish this is the BIND "view" clause. You have to:
> - create a copy of the original zone for each location and modify the SRV record priorities
> - then set up "views" and create a mapping between IP address <-> new zone
>
> This way requires multiple copies of the original zone, each with small differences.
> In the case of classical zone files this is not a big problem: you can keep the SRV records separated in small files and "$INCLUDE" the normal records into them from a single place.
>
> In the case of an LDAP database it's much harder, because there is no simple $INCLUDE clause, I think.
> We have to consult the 389 guys about this problem ... It could be a task for some kind of directory server plugin.
>
> Some examples and documentation:
> http://wiki.sipfoundry.org/display/sipXecs/Location+based+DNS+views+for+sipXecs+using+BIND
> (It belongs to some SIP solution, but it's exactly what you want.)
>
> http://www.zytrax.com/books/dns/ch7/view.html
>
> http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.ch06.html#view_statement_grammar
>
> I'm adding the BIND maintainer to this discussion.
>
> Petr^2 Spacek
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From sigbjorn at nixtra.com Sat Apr 14 12:20:17 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 14 Apr 2012 14:20:17 +0200
Subject: [Freeipa-users] Screensaver unlock with expired password
Message-ID: <4F896B81.4030702@nixtra.com>

Hi,

I ran into an issue with unlocking the screensaver when a user's password has expired. These results are from RHEL 5.
When running KDE and unlocking a screensaver with an expired password, an error message is displayed advising that the password subsystem has failed with instructions to kill the PID of the screensaver manually.

When running GNOME and unlocking the screensaver with an expired password, an unlock is allowed, but no message is displayed, and the Kerberos ticket is not renewed.

Neither of these situations is ideal.

A workaround for KDE is to switch to a console login window with CTRL-ALT-F2, and log in where you will be prompted to change your password. Switch back to KDE, and unlock the screensaver with the new password. Not really user friendly.

We did have the krb5-auth-dialog running, but it turned out that after being away over the weekend there were many of these appearing on the screen on Monday morning, and once you typed in your password a new Kerberos ticket was acquired with a start date of when the krb5-auth-dialog appeared!!

So if I left the office on Friday, and the krb5-auth-dialog appeared on Saturday, I would get a ticket expiring on the Sunday that's already passed, even though I typed in the password on Monday, rendering the ticket useless for authenticating anywhere... so we removed this package from our workstations.

Has anyone else run into these sorts of issues? I would like to know how you chose to work around these issues.

Thanks.

Regards,
Siggi

From dpal at redhat.com Mon Apr 16 13:33:01 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Apr 2012 09:33:01 -0400
Subject: [Freeipa-users] Screensaver unlock with expired password
In-Reply-To: <4F896B81.4030702@nixtra.com>
References: <4F896B81.4030702@nixtra.com>
Message-ID: <4F8C1F8D.2020602@redhat.com>

On 04/14/2012 08:20 AM, Sigbjorn Lie wrote:
> Hi,
>
> I ran into an issue with unlocking the screensaver when a user's
> password has expired. These results are from RHEL 5.
>
> When running KDE and unlocking a screensaver with an expired password,
> an error message is displayed advising that the password subsystem has
> failed with instructions to kill the PID of the screensaver manually.
>
> When running GNOME and unlocking the screensaver with an expired
> password, an unlock is allowed, but no message is displayed, and the
> Kerberos ticket is not renewed.
>
> Neither of these situations is ideal.
>
> A workaround for KDE is to switch to a console login window with
> CTRL-ALT-F2, and log in where you will be prompted to change your
> password. Switch back to KDE, and unlock the screensaver with the new
> password. Not really user friendly.
>
> We did have the krb5-auth-dialog running, but it turned out that after
> being away over the weekend there were many of these appearing on the
> screen on Monday morning, and once you typed in your password a new
> Kerberos ticket was acquired with a start date of when the
> krb5-auth-dialog appeared!!
>
> So if I left the office on Friday, and the krb5-auth-dialog appeared
> on Saturday, I would get a ticket expiring on the Sunday that's
> already passed, even though I typed in the password on Monday,
> rendering the ticket useless for authenticating anywhere... so we
> removed this package from our workstations.
>
> Has anyone else run into these sorts of issues? I would like to know
> how you chose to work around these issues.
>
> Thanks.
>

It can also be a client configuration or software problem. What do you use on the client? SSSD? nss_ldap+pam_krb5? I assume you use IPA as a server.

You can check the logs on the server to see whether the new password is requested. The client logs would really show what is going on.

Best would be if you provide clear reproduction steps and file a ticket attaching logs and configuration to it. If it is a bug in SSSD we would need to fix it ASAP, though we have not seen this behavior in SSSD ever.
>
> Regards,
> Siggi
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Mon Apr 16 13:40:16 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Apr 2012 09:40:16 -0400
Subject: [Freeipa-users] routing requests to local servers - DNS SRV + view?
In-Reply-To:
References: <4F887EF3.5090905@redhat.com> <20120413202839.GE26246@hendrix.redhat.com> <4F889D8A.2060502@redhat.com>
Message-ID: <4F8C2140.6050502@redhat.com>

On 04/13/2012 11:00 PM, Brian Cook wrote:
> Yes, this is exactly what I am trying to accomplish. I've already
> been looking into the BIND views clause and would like to hear if
> anyone has any feedback as to how well this works in the real world.
>
> In this case the implementation of IPA is using an external standard
> BIND implementation loading from text files. However, views would be
> very useful for IPA to be able to do internally, so figuring out how
> to get this option into BIND using the 389ds backend would be a useful step.
>

AFAIK there is an SSSD RFE that allows you to define a group of primary servers for a client that the client would use to fail over between, and only when they all are not available will it fail over to DNS. At least I remember a discussion about it. It seems that such a feature would accomplish the same but with less work. Would it be sufficient?

See comment 6 in https://fedorahosted.org/sssd/ticket/1128

> Thanks,
> Brian
>
> ---
> Brian Cook
> Solutions Architect, Red Hat, Inc.
> 407-212-7079 > > > > > On Apr 13, 2012, at 2:41 PM, Petr Spacek wrote: > >> On 04/13/2012 10:28 PM, Jakub Hrozek wrote: >>> On Fri, Apr 13, 2012 at 01:04:55PM -0700, Brian Cook wrote: >>>> Ideally I would rely on a -group- of servers, and then rely on >>>> DNS if it >>>> is down. I don't want to hammer one server. We're talking >>>> about 500-1000 >>>> servers running virtual machines, so potentially a lot of >>>> traffic. Got >>>> any suggestions for that? >>> >>> Hello Brian, >>> >>> I'm not sure I understand what you are trying to achieve. Are you trying >>> to spread the client load among replicas? If so, then I think the SRV >>> records in DNS are really the best answer. You can organize the servers >>> in "tiers" by using the priority field and then spread the load in a >>> tier by using the "weight" field. >> >> Greetings, >> >> if I understand correctly, you need to set different priority for SRV >> records and this new priority has to be dependent on client's IP address. >> >> AFAIK only way how to accomplish this is BIND "view" clause. You have to: >> - create copy of original zone for each location and modify SRV >> record priorities >> - then you have to set "views" and create mapping between IP address >> <-> new zone >> >> >> This way requires multiple copies of original zone, each with little >> differences. >> In case of classical zone files is not a big problem: You can keep >> SRV records separated in small files and "$INCLUDE" normal records to >> them from single place. >> >> In cases with LDAP database it's a much harder, because there is no >> simple $INCLUDE clause, I think. >> We have to consult this problem with 389 guys ... It can be task for >> some kind of directory server plugin. >> >> >> Some examples and documentation: >> http://wiki.sipfoundry.org/display/sipXecs/Location+based+DNS+views+for+sipXecs+using+BIND >> (It belongs to some SIP solution, but it's exactly what you want.) 
>>
>> http://www.zytrax.com/books/dns/ch7/view.html
>>
>> http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.ch06.html#view_statement_grammar
>>
>> I'm adding the BIND maintainer to this discussion.
>>
>> Petr^2 Spacek
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Mon Apr 16 13:46:10 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 16 Apr 2012 15:46:10 +0200
Subject: [Freeipa-users] routing requests to local servers - DNS SRV + view?
In-Reply-To: <4F8C2140.6050502@redhat.com>
References: <4F887EF3.5090905@redhat.com> <20120413202839.GE26246@hendrix.redhat.com> <4F889D8A.2060502@redhat.com> <4F8C2140.6050502@redhat.com>
Message-ID: <20120416134610.GI29804@zeppelin.brq.redhat.com>

On Mon, Apr 16, 2012 at 09:40:16AM -0400, Dmitri Pal wrote:
> On 04/13/2012 11:00 PM, Brian Cook wrote:
>
> Yes, this is exactly what I am trying to accomplish. I've already been
> looking into the BIND views clause and would like to hear if anyone has
> any feedback as to how well this works in the real world.
> In this case the implementation of IPA is using an external standard
> BIND implementation loading from text files. However, views would be
> very useful for IPA to be able to do internally, so figuring out how to
> get this option into BIND using the 389ds backend would be a useful step.
>
> AFAIK there is an SSSD RFE that allows you to define a group of primary
> servers for a client that the client would use to fail over between, and
> only when they all are not available will it fail over to DNS. At least I
> remember a discussion about it. It seems that such a feature would
> accomplish the same but with less work. Would it be sufficient?
>
> See comment 6 in https://fedorahosted.org/sssd/ticket/1128

Yes, except with the feature that Petr Spacek is proposing, the configuration would be performed purely on the server side, as I understood.

The SSSD fix would work, but would require that clients in different "sites" have different primary servers configured. Still, doable with puppet or something, just not as convenient.

From dpal at redhat.com Mon Apr 16 14:03:35 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Apr 2012 10:03:35 -0400
Subject: [Freeipa-users] multiple domains/realms?
In-Reply-To:
References:
Message-ID: <4F8C26B7.8030701@redhat.com>

On 04/13/2012 03:23 AM, Christoph Kaminski wrote:
> Hi
>
> I have multiple domains here but I want to use one user/group etc.
> database. How can I do it? Options:
> 1. Different realm for each domain, but how to share the user/group
> etc infos between different ipa servers?
> 2. One realm for all domains. Possible? (is it possible to change the
> realm after install/config?)
> 3. ?
>
> Does someone have experience with multiple domains and ipa and can
> give some tips?
> TiA
>

IPA currently supports just a single domain. Can you please provide more information about what you are trying to accomplish? If you want to have the same user/group name space across multiple realms then why do you need multiple realms? You can have one realm and many replicas that serve many offices if this is the use case you are trying to solve.

Thanks
Dmitri

> Kind regards
> Christoph Kaminski
>
>
>
> www.biotronik.com
> ------------------------------------------------------------------------
>
> BIOTRONIK SE & Co.
> KG
> Woermannkehre 1, 12359 Berlin, Germany
> Registered office: Berlin, Register court: Berlin HRA 6501
>
> Represented by its general partner:
> BIOTRONIK MT SE
> Registered office: Berlin, Register court: Berlin HRB 118866 B
> Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr.
> Lothar Krings, Dr. Torsten Wolf
> ------------------------------------------------------------------------
>
> *BIOTRONIK* - A global manufacturer of advanced Cardiac Rhythm
> Management systems and Vascular Intervention devices. Quality,
> innovation, and reliability define BIOTRONIK and our growing success.
> We are innovators of technologies like the first wireless remote
> monitoring system - Home Monitoring®, Closed Loop Stimulation and
> coveted lead solutions as well as state-of-the-art stents, balloons
> and guide wires for coronary and peripheral indications. We highly
> invest in the development of drug eluting devices and are leading the
> industry with our drug eluting absorbable metal scaffold program.
> ------------------------------------------------------------------------
>
> This e-mail and the information it contains including attachments are
> confidential and meant only for use by the intended recipient(s);
> disclosure or copying is strictly prohibited. If you are not
> addressed, but in the possession of this e-mail, please notify the
> sender immediately and delete the document.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From dpal at redhat.com Mon Apr 16 14:05:44 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Apr 2012 10:05:44 -0400
Subject: [Freeipa-users] routing requests to local servers - DNS SRV + view?
In-Reply-To: <20120416134610.GI29804@zeppelin.brq.redhat.com>
References: <4F887EF3.5090905@redhat.com> <20120413202839.GE26246@hendrix.redhat.com> <4F889D8A.2060502@redhat.com> <4F8C2140.6050502@redhat.com> <20120416134610.GI29804@zeppelin.brq.redhat.com>
Message-ID: <4F8C2738.1010907@redhat.com>

On 04/16/2012 09:46 AM, Jakub Hrozek wrote:
> On Mon, Apr 16, 2012 at 09:40:16AM -0400, Dmitri Pal wrote:
>> On 04/13/2012 11:00 PM, Brian Cook wrote:
>>
>> Yes, this is exactly what I am trying to accomplish. I've already been
>> looking into the BIND views clause and would like to hear if anyone has
>> any feedback as to how well this works in the real world.
>> In this case the implementation of IPA is using an external standard
>> BIND implementation loading from text files. However, views would be
>> very useful for IPA to be able to do internally, so figuring out how to
>> get this option into BIND using the 389ds backend would be a useful step.
>>
>> AFAIK there is an SSSD RFE that allows you to define a group of primary
>> servers for a client that the client would use to fail over between, and
>> only when they all are not available will it fail over to DNS. At least I
>> remember a discussion about it. It seems that such a feature would
>> accomplish the same but with less work. Would it be sufficient?
>>
>> See comment 6 in https://fedorahosted.org/sssd/ticket/1128
> Yes, except with the feature that Petr Spacek is proposing, the
> configuration would be performed purely on the server side, as I understood.
>
> The SSSD fix would work, but would require that clients in different
> "sites" have different primary servers configured. Still, doable with
> puppet or something, just not as convenient.
Sure, but it is a minor feature for SSSD while it would be a major feature for IPA. On the SSSD side it is already scheduled; on the IPA side we might not have enough time to do it soon.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Mon Apr 16 14:28:25 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 16 Apr 2012 16:28:25 +0200
Subject: [Freeipa-users] Unable to login where previously OK
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC77622@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC767E5@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120412074758.GA15350@hendrix.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CC76A97@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CC77622@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120416142825.GK29804@zeppelin.brq.redhat.com>

On Thu, Apr 12, 2012 at 09:23:03PM +0000, Steven Jones wrote:
> sssd log at lvl6
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>

Which SSSD version is this? Are the clients that work OK the same version?

Can you also attach /var/log/sssd/sssd_pam.log ?

From sakodak at gmail.com Mon Apr 16 19:13:24 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 16 Apr 2012 14:13:24 -0500
Subject: [Freeipa-users] Disaster Recovery Best Practices?
Message-ID:

Hi,

I have googled around a bit, but I still have a couple of questions:

1) is it possible to get "getent shadow" to return shadow entries from the ipa server? This is so we can do a DR test on some server or set of servers without also having to restore the IPA server first.
I can do a "getent passwd" easily enough, and I could rebuild the shadow file for local users, so it's not critical, but it would be a "nice to have" in the case of a DR.

2) What is everyone else doing to prepare IPA for a DR? I've read that the best way to do it is to turn off the IPA services on a replica and then back that replica up. I also read that this will miss some important files that only exist on the master. I don't want to turn off the master server services for a DR due to failover lag. Would it be safe to take a backup of the master while "hot", then restore a replica, and promote it to master using the "hot" backup of the master (just the specific CA files needed)?

Thanks,

--Jason

From dpal at redhat.com Mon Apr 16 19:40:17 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Apr 2012 15:40:17 -0400
Subject: [Freeipa-users] Disaster Recovery Best Practices?
In-Reply-To:
References:
Message-ID: <4F8C75A1.3080403@redhat.com>

On 04/16/2012 03:13 PM, KodaK wrote:
> Hi,
>
> I have googled around a bit, but I still have a couple of questions:
>
> 1) is it possible to get "getent shadow" to return shadow entries from
> the ipa server? This is so we can do a DR test on some server or set
> of servers without also having to restore the IPA server first. I can
> do a "getent passwd" easily enough, and I could rebuild the shadow
> file for local users, so it's not critical, but it would be a "nice to
> have" in the case of a DR.

Please use SSSD on the client. It will do all the caching for you. If the connection to the central server is lost the client will continue to operate and authenticate users that logged in previously at least once. There is no need to create shadow files on the client in this case. Shadow is a mistake of the past that should not be used when there are other much more secure technologies available now.

> 2) What is everyone else doing to prepare IPA for a DR?
> I've read
> that the best way to do it is to turn off the IPA services on a
> replica and then back that replica up. I also read that this will
> miss some important files that only exist on the master.

That is the case when you use a self-signed cert, but the preferred and default configuration is not with the self-signed certs. It was in the past but not any more. Currently when you install IPA and then replicas there is no difference between master and replicas (if you installed CA on the replica), so picking any one and recycling is possible. You won't lose anything.

> I don't want
> to turn off the master server services for a DR due to failover lag.
> Would it be safe to take a backup of the master while "hot", then
> restore a replica, and promote it to master using the "hot" backup of
> the master (just the specific CA files needed)?

So turning off any server of your choice, backing it up (taking a snapshot) and then re-starting it again is the simplest way of dealing with DR. But to do this make sure that the server that you plan to use for taking backup snapshots has a CA.

> Thanks,
>
> --Jason

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From simo at redhat.com Mon Apr 16 20:42:46 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 16 Apr 2012 16:42:46 -0400
Subject: [Freeipa-users] Disaster Recovery Best Practices?
In-Reply-To:
References:
Message-ID: <1334608966.16658.143.camel@willson.li.ssimo.org>

On Mon, 2012-04-16 at 14:13 -0500, KodaK wrote:
> Hi,
>
> I have googled around a bit, but I still have a couple of questions:
>
> 1) is it possible to get "getent shadow" to return shadow entries from
> the ipa server?
No, we do not have any shadow map in ipa; enforcement of password and account expiration is done by the server, not deferred to the clients.

> This is so we can do a DR test on some server or set
> of servers without also having to restore the IPA server first. I can
> do a "getent passwd" easily enough, and I could rebuild the shadow
> file for local users, so it's not critical, but it would be a "nice to
> have" in the case of a DR.

What are you looking for in the shadow map?

> 2) What is everyone else doing to prepare IPA for a DR? I've read
> that the best way to do it is to turn off the IPA services on a
> replica and then back that replica up. I also read that this will
> miss some important files that only exist on the master.

This was true for ipa v1 only, where we used a self-signed CA available only in the first master. Since v2 you are supposed to use the dogtag PKI, so if you clone the PKI as well (you need to explicitly set it up; by default replicas do not replicate the CA) you have full redundancy with regard to network facing data.

> I don't want
> to turn off the master server services for a DR due to failover lag.
> Would it be safe to take a backup of the master while "hot", then
> restore a replica, and promote it to master using the "hot" backup of
> the master (just the specific CA files needed)?

If you are using the dogtag CA it wouldn't, as it uses a DS instance as well. If you are using the self-signed CA, well, I guess you have no other option.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Mon Apr 16 21:17:35 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 16 Apr 2012 23:17:35 +0200
Subject: [Freeipa-users] Screensaver unlock with expired password
In-Reply-To: <4F8C1F8D.2020602@redhat.com>
References: <4F896B81.4030702@nixtra.com> <4F8C1F8D.2020602@redhat.com>
Message-ID: <4F8C8C6F.4050507@nixtra.com>

On 04/16/2012 03:33 PM, Dmitri Pal wrote:
> On 04/14/2012 08:20 AM, Sigbjorn Lie wrote:
>> Hi,
>>
>> I ran into an issue with unlocking the screensaver when a user's
>> password has expired. These results are from RHEL 5.
>>
>> When running KDE and unlocking a screensaver with an expired password,
>> an error message is displayed advising that the password subsystem has
>> failed with instructions to kill the PID of the screensaver manually.
>>
>> When running GNOME and unlocking the screensaver with an expired
>> password, an unlock is allowed, but no message is displayed, and the
>> kerberos ticket is not renewed.
>>
>> Neither of these situations is ideal.
>>
>> A workaround for KDE is to switch to a console login window with
>> CTRL-ALT-F2, and log in where you will be prompted for changing your
>> password. Switch back to KDE, and unlock the screensaver with the new
>> password. Not really user friendly.
>>
>> We did have the krb5-auth-dialog running, but it turned out that after
>> being away over the weekend there were many of these appearing on the
>> screen on Monday morning, and once you typed in your password a new
>> kerberos ticket was acquired with a start date of when the
>> krb5-auth-dialog appeared!!
>>
>> So if I left the office on Friday, and the krb5-auth-dialog appeared
>> on Saturday, I would get a ticket expiring on the Sunday that's
>> already passed, even though I typed in the password on Monday,
>> rendering the ticket useless for authenticating anywhere... so we
>> removed this package from our workstations.
>>
>> Has anyone else run into these sorts of issues? I would like to know
>> how you chose to work around these issues.
>>
>> Thanks.
>>
> It can also be a client configuration or software problem. What do you
> use on the client? SSSD? nss_ldap+pam_krb5?
> I assume you use IPA as a server. You can check the logs on the server
> to see whether the new password is requested.
> The client logs would really show what is going on.
>

The clients use nss_ldap+pam_krb5; SSSD was crashing for us on RHEL 5.

The server is the IPA server provided in RHEL 6.2.

When I check the logs on the client it states that authentication succeeded, and that the password has expired. And that's where the screensaver fails. It shows an info message that the password has expired, and then an error message advising that "The password subsystem has failed..."

> Best would be if you provide clear reproduction steps and file a
> ticket attaching logs and configuration to it.
> If it is a bug in SSSD we would need to fix it ASAP, though we have not
> seen this behavior in SSSD ever.
>

This is not SSSD; I believe it either comes down to lack of support in the KDE screensaver or a requirement for a change in the PAM configuration. The current PAM configuration is set by the system-config-auth script with the "--enable-ldap --enable-krb5" options.

I was hoping for a change in the PAM configuration and that someone had an example that works to advise me about.
Regards,
Siggi

From dpal at redhat.com Mon Apr 16 21:24:21 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Apr 2012 17:24:21 -0400
Subject: [Freeipa-users] Screensaver unlock with expired password
In-Reply-To: <4F8C8C6F.4050507@nixtra.com>
References: <4F896B81.4030702@nixtra.com> <4F8C1F8D.2020602@redhat.com> <4F8C8C6F.4050507@nixtra.com>
Message-ID: <4F8C8E05.1060206@redhat.com>

On 04/16/2012 05:17 PM, Sigbjorn Lie wrote:
> On 04/16/2012 03:33 PM, Dmitri Pal wrote:
>> On 04/14/2012 08:20 AM, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> I ran into an issue with unlocking the screensaver when a user's
>>> password has expired. These results are from RHEL 5.
>>>
>>> When running KDE and unlocking a screensaver with an expired password,
>>> an error message is displayed advising that the password subsystem has
>>> failed with instructions to kill the PID of the screensaver manually.
>>>
>>> When running GNOME and unlocking the screensaver with an expired
>>> password, an unlock is allowed, but no message is displayed, and the
>>> kerberos ticket is not renewed.
>>>
>>> Neither of these situations is ideal.
>>>
>>> A workaround for KDE is to switch to a console login window with
>>> CTRL-ALT-F2, and log in where you will be prompted for changing your
>>> password. Switch back to KDE, and unlock the screensaver with the new
>>> password. Not really user friendly.
>>>
>>> We did have the krb5-auth-dialog running, but it turned out that after
>>> being away over the weekend there were many of these appearing on the
>>> screen on Monday morning, and once you typed in your password a new
>>> kerberos ticket was acquired with a start date of when the
>>> krb5-auth-dialog appeared!!
>>>
>>> So if I left the office on Friday, and the krb5-auth-dialog appeared
>>> on Saturday, I would get a ticket expiring on the Sunday that's
>>> already passed, even though I typed in the password on Monday,
>>> rendering the ticket useless for authenticating anywhere...
>>> so we
>>> removed this package from our workstations.
>>>
>>> Has anyone else run into these sorts of issues? I would like to know
>>> how you chose to work around these issues.
>>>
>>> Thanks.
>>>
>> It can also be a client configuration or software problem. What do you
>> use on the client? SSSD? nss_ldap+pam_krb5?
>> I assume you use IPA as a server. You can check the logs on the server
>> to see whether the new password is requested.
>> The client logs would really show what is going on.
>>
> The clients use nss_ldap+pam_krb5; SSSD was crashing for us on RHEL 5.
>
> The server is the IPA server provided in RHEL 6.2.
>
> When I check the logs on the client it states that authentication
> succeeded, and that the password has expired. And that's where the
> screensaver fails. It shows an info message that the password has
> expired, and then an error message advising that "The password
> subsystem has failed..."
>
>> Best would be if you provide clear reproduction steps and file a
>> ticket attaching logs and configuration to it.
>> If it is a bug in SSSD we would need to fix it ASAP, though we have not
>> seen this behavior in SSSD ever.
>>
>
> This is not SSSD; I believe it either comes down to lack of support in
> the KDE screensaver or a requirement for a change in the PAM
> configuration. The current PAM configuration is set by the
> system-config-auth script with the "--enable-ldap --enable-krb5" options.
>
> I was hoping for a change in the PAM configuration and that someone
> had an example that works to advise me about.
>

I do not think we know enough about KDE to be able to help you here. Sorry.

>
> Regards,
> Siggi

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From nalin at redhat.com Mon Apr 16 21:43:39 2012
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 16 Apr 2012 17:43:39 -0400
Subject: [Freeipa-users] Screensaver unlock with expired password
In-Reply-To: <4F8C8C6F.4050507@nixtra.com>
References: <4F896B81.4030702@nixtra.com> <4F8C1F8D.2020602@redhat.com> <4F8C8C6F.4050507@nixtra.com>
Message-ID: <20120416214339.GF8158@redhat.com>

On Mon, Apr 16, 2012 at 11:17:35PM +0200, Sigbjorn Lie wrote:
> The clients use nss_ldap+pam_krb5, SSSD was crashing for us on RHEL 5.
>
> The server is the IPA server provided in RHEL 6.2.
>
> When I check the logs on the client it states that authentication
> succeeded, and that the password has expired. And that's where the
> screensaver fails. It shows an info message that the password has
> expired, and then an error message advising that "The password
> subsystem has failed..."
>
> >Best would be if you provide clear reproduction steps and file a
> >ticket attaching logs and configuration to it.
> >If it is a bug in SSSD we would need to fix it ASAP, though we have not
> >seen this behavior in SSSD ever.
>
> This is not SSSD, I believe it either comes down to lack of support
> in the KDE screensaver or a requirement for a change in the PAM
> configuration. The current PAM configuration is set by the
> system-config-auth script with the "--enable-ldap --enable-krb5"
> options.
>
> I was hoping for a change in the PAM configuration and that someone
> had an example that works to advise me about.

Short version: try turning on the "chpw_prompt" option for pam_krb5, by setting something like this in /etc/krb5.conf:

  [appdefaults]
    pam = {
      chpw_prompt = kscreensaver gnome-screensaver
    }

Long version: as you've noticed, some applications don't quite do what PAM expects of them when the user's password has expired.
When the user needs to set a new password, PAM is supposed to succeed in the authentication phase, and then return a specific status, indicating that a password change is needed, in the account management phase. Based on that second result, the application can either start a password change through PAM (and then allow access only if that change operation succeeds), or reject the user if it can't handle a password change (think of FTP servers, where the protocol keeps a server from being able to ask for a new password). Some applications don't know to do either, so the password-expired status is treated as a fatal error, and that appears to be what's going on here.

Turning on the "chpw_prompt" option causes pam_krb5 to let libkrb5 attempt to change the password, during authentication, if a password change is needed. Depending on the application, that might be enough to fix things. It depends on the application to not just reply with the same password without relaying the question to the user, and you don't get the chance to add any client-side password quality checking via PAM, but it might work if the application can handle multiple prompts correctly.

If that change allows users to log in (or unlock their screens, in this case), then you've found a bug in the PAM-enabled application, which is unfortunately not unheard of. The need to provide this option was first reported [1] after we fixed pam_krb5 to do the right thing [2].

HTH,

Nalin

[1] https://bugzilla.redhat.com/show_bug.cgi?id=509092
[2] https://bugzilla.redhat.com/show_bug.cgi?id=402721

From jorge.argibay at watea.com.ar Mon Apr 16 21:14:41 2012
From: jorge.argibay at watea.com.ar (Jorge Argibay Molina)
Date: Mon, 16 Apr 2012 18:14:41 -0300
Subject: [Freeipa-users] Problem creating replica file
Message-ID:

Hi,

I'm in the testing phase of the deployment of FreeIPA in my network.

So far I've been able to configure the server, and several clients.
What I've been unable to do, and seems very easy going thru the documentation, is generate the replica.

Whenever I do:

ipa-replica-prepare hades.watea.com.ar --ip-address 192.168.1.180

I get

Directory Manager (existing master) password:

Warning: Hostname (hades.watea.com.ar) not found in DNS
Preparing replica for hades.watea.com.ar from ares.watea.com.ar
Creating SSL certificate for the Directory Server
Certificate issuance failed

I'm attaching the pki-ca debug log, where I get an error.

I'm out of ideas. Can anyone suggest what may be broken, or any documentation that has a suggestion about fixing this issue?

[Attachment scrubbed: temp.txt]

Thanks

Jorge Argibay
jorge.argibay at watea.com.ar

Tel.: (+54) 11 5277 0305 Int.: 4900
Cel: (+549) 11 4028 4900

USA: (+1) 786 866 7837 Int.: 4900
C. Rica: (+506) 4000 1650 Int.: 4900

From dpal at redhat.com Mon Apr 16 22:27:28 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 16 Apr 2012 18:27:28 -0400
Subject: [Freeipa-users] Problem creating replica file
In-Reply-To:
References:
Message-ID: <4F8C9CD0.5090100@redhat.com>

On 04/16/2012 05:14 PM, Jorge Argibay Molina wrote:
> Hi,
>
> I'm in the testing phase of the deployment of FreeIPA in my network.
>
> So far I've been able to configure the server, and several clients.
>
> What I've been unable to do, and seems very easy going thru the documentation, is generate the replica.
>
> Whenever I do:
>
> ipa-replica-prepare hades.watea.com.ar --ip-address 192.168.1.180
>
> I get
>
> Directory Manager (existing master) password:
>
> Warning: Hostname (hades.watea.com.ar) not found in DNS
> Preparing replica for hades.watea.com.ar from ares.watea.com.ar
> Creating SSL certificate for the Directory Server
> Certificate issuance failed
>
> I'm attaching the pki-ca debug log, where I get an error.
>
>
> I'm out of ideas. Can anyone suggest what may be broken, or any documentation that has a suggestion about fixing this issue?

Please provide package versions for the ipa, 389 and dogtag.
Did you use any specific certificate related option when installing the first IPA master?

>
>
>
> Thanks
>
>
>
>
>
>
> Jorge Argibay
> jorge.argibay at watea.com.ar
>
> Tel.: (+54) 11 5277 0305 Int.: 4900
> Cel: (+549) 11 4028 4900
>
> USA: (+1) 786 866 7837 Int.: 4900
> C. Rica: (+506) 4000 1650 Int.: 4900

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From christoph.kaminski at biotronik.com Tue Apr 17 06:09:44 2012
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Tue, 17 Apr 2012 08:09:44 +0200
Subject: [Freeipa-users] client without certmonger/dbus
Message-ID:

hi

Is it possible to use the ipa-client without certmonger/dbus? I have an openvz environment where I can't start dbus...

-
Regards
Christoph Kaminski

www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Court of registration: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK MT SE
Registered office: Berlin, Court of registration: Berlin HRB 118866 B
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. Lothar Krings, Dr. Torsten Wolf

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management systems and Vascular Intervention devices. Quality, innovation, and reliability define BIOTRONIK and our growing success.
We are innovators of technologies like the first wireless remote monitoring system - Home Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as state-of-the-art stents, balloons and guide wires for coronary and peripheral indications. We highly invest in the development of drug eluting devices and are leading the industry with our drug eluting absorbable metal scaffold program.

This e-mail and the information it contains including attachments are confidential and meant only for use by the intended recipient(s); disclosure or copying is strictly prohibited. If you are not addressed, but in the possession of this e-mail, please notify the sender immediately and delete the document.

From danieljamesscott at gmail.com Tue Apr 17 13:26:27 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 17 Apr 2012 09:26:27 -0400
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To: <4F889E38.3030800@redhat.com>
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com> <4F887D74.6050607@redhat.com> <4F888F84.8080303@redhat.com> <4F889E38.3030800@redhat.com>
Message-ID:

On Fri, Apr 13, 2012 at 17:44, Rich Megginson wrote:
> On 04/13/2012 03:40 PM, Dan Scott wrote:
>> I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] does
>> not contain element" errors in the logs for each of fileservers 1, 2
>> and 3. The ldapsearch for
>>
>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>> is still showing entries though. Is that OK?
>
>
> The entry should exist, but the deleted servers should not be present in the
> nsds50ruv attribute.

OK, so it's safe to delete replica entries which have ldap://fileserver4.ecg.mit.edu:389 (fileserver4 is not currently a replica) but not for the other servers?
>>>>>>>> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of:
>>>>>>>> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send
>>>>>>>> startTLS request: error -1 (Can't contact LDAP server) errno 107
>>>>>>>> (Transport endpoint is not connected)
>>>>>>>
>>>>>>>
>>>>>>> This is a real connection error - could be cert or hostname lookup
>>>>>>> related.
>>>>>>
>>>>>> How do I find out if it's cert or hostname lookup? Which hostname?
>>>>>> Fileserver3 runs DNS, and it seems to be working fine.
>>>>>
>>>>>
>>>>> Try ldapsearch - on server3
>>>>>
>>>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch -x -ZZ -H
>>>>> ldap://server2.fqdn -D "cn=directory manager" -W -s base -b ""
>>>>>
>>>>> If that works, check to make sure the replication agreement has the
>>>>> correct
>>>>> server2.fqdn
>>>>>
>>>>> If that doesn't work, use ldapsearch -d 1 -x ..... to get further
>>>>> debugging
>>>>> information.
>>>>
>>>> The replication agreements (according to ipa-replica-manage) all have
>>>> the correct host names - I'm not sure what ldapsearch command to run
>>>> to check the replication agreements.
>>>
>>>
>>> ipa-replica-manage --list? or something like that?
>>
>> That's what I was using - they are all correct.
>
>
> Ok. And the LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch ... is
> working?

It returns a load of supportedExtension: and supportedControl: entries - I guess that means 'working'? :)

Thanks,

Dan

From rmeggins at redhat.com Tue Apr 17 13:26:39 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 17 Apr 2012 07:26:39 -0600
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To:
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com> <4F887D74.6050607@redhat.com> <4F888F84.8080303@redhat.com> <4F889E38.3030800@redhat.com>
Message-ID: <4F8D6F8F.70105@redhat.com>

On 04/17/2012 07:26 AM, Dan Scott wrote:
> On Fri, Apr 13, 2012 at 17:44, Rich Megginson wrote:
>> On 04/13/2012 03:40 PM, Dan Scott wrote:
>>> I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] does
>>> not contain element" errors in the logs for each of fileservers 1, 2
>>> and 3. The ldapsearch for
>>>
>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>> is still showing entries though. Is that OK?
>>
>> The entry should exist, but the deleted servers should not be present in the
>> nsds50ruv attribute.
> OK, so it's safe to delete replica entries which have
> ldap://fileserver4.ecg.mit.edu:389 (fileserver4 is not currently a
> replica) but not for the other servers?

Yes. Following the CLEANRUV procedure:
http://port389.org/wiki/Howto:CLEANRUV

>
>>>>>>>>> fileserver3's /var/log/dirsrv/slapd-PKI-IPA/errors contains lots of:
>>>>>>>>> [13/Apr/2012:13:52:50 -0400] slapi_ldap_bind - Error: could not send
>>>>>>>>> startTLS request: error -1 (Can't contact LDAP server) errno 107
>>>>>>>>> (Transport endpoint is not connected)
>>>>>>>>
>>>>>>>> This is a real connection error - could be cert or hostname lookup
>>>>>>>> related.
>>>>>>> How do I find out if it's cert or hostname lookup? Which hostname?
>>>>>>> Fileserver3 runs DNS, and it seems to be working fine.
>>>>>>
>>>>>> Try ldapsearch - on server3
>>>>>>
>>>>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch -x -ZZ -H
>>>>>> ldap://server2.fqdn -D "cn=directory manager" -W -s base -b ""
>>>>>>
>>>>>> If that works, check to make sure the replication agreement has the
>>>>>> correct
>>>>>> server2.fqdn
>>>>>>
>>>>>> If that doesn't work, use ldapsearch -d 1 -x ..... to get further
>>>>>> debugging
>>>>>> information.
>>>>> The replication agreements (according to ipa-replica-manage) all have
>>>>> the correct host names - I'm not sure what ldapsearch command to run
>>>>> to check the replication agreements.
>>>>
>>>> ipa-replica-manage --list? or something like that?
>>> That's what I was using - they are all correct.
>>
>> Ok. And the LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-PKI-IPA ldapsearch ... is
>> working?
> It returns a load of supportedExtension: and supportedControl: entries
> - I guess that means 'working'? :)

Yes. Then I'm not sure why TLS/SSL connections with replication are not working.

>
> Thanks,
>
> Dan

From danieljamesscott at gmail.com Tue Apr 17 14:09:07 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Tue, 17 Apr 2012 10:09:07 -0400
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To: <4F8D6F8F.70105@redhat.com>
References: <4F8865AF.3000909@redhat.com> <4F88728A.6070208@redhat.com> <4F887D74.6050607@redhat.com> <4F888F84.8080303@redhat.com> <4F889E38.3030800@redhat.com> <4F8D6F8F.70105@redhat.com>
Message-ID:

On Tue, Apr 17, 2012 at 09:26, Rich Megginson wrote:
> On 04/17/2012 07:26 AM, Dan Scott wrote:
>>
>> On Fri, Apr 13, 2012 at 17:44, Rich Megginson wrote:
>>>
>>> On 04/13/2012 03:40 PM, Dan Scott wrote:
>>>>
>>>> I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] does
>>>> not contain element" errors in the logs for each of fileservers 1, 2
>>>> and 3. The ldapsearch for
>>>>
>>>>
>>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>>> is still showing entries though. Is that OK?
>>>
>>>
>>> The entry should exist, but the deleted servers should not be present in
>>> the
>>> nsds50ruv attribute.
>>
>> OK, so it's safe to delete replica entries which have
>> ldap://fileserver4.ecg.mit.edu:389 (fileserver4 is not currently a
>> replica) but not for the other servers?
>
> Yes.
> Following the CLEANRUV procedure:
> http://port389.org/wiki/Howto:CLEANRUV

Thanks. I think I'm getting there - removed the tombstones from the main directory and the PKI-IPA directory (only one server so far though). I still have a few strange entries though:

[root at fileserver1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b dc=ecg,dc=mit,dc=edu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
Enter LDAP Password:
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=ecg,dc=mit,dc=edu
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4e7b746e000000040000
nsds50ruv: {replica 6 ldap://fileserver1.ecg.mit.edu:389} 4f50e685001d00060000 4f8d7874000200060000
nsds50ruv: {replica 43 ldap://fileserver2.ecg.mit.edu:389} 4f88cf450001002b0000 4f8d78140000002b0000
nsds50ruv: {replica 5 ldap://fileserver3.ecg.mit.edu:389} 4f5047ad001d00050000 4f8d77c3000000050000
nsds50ruv: {replica 4 ldap://fileserver3.ecg.mit.edu:389}
nsds50ruv: {replica 9 ldap://fileserver3.ecg.mit.edu:389}
nsds50ruv: {replica 8 ldap://fileserver3.ecg.mit.edu:389} 4f7363d2001d00080000 4f736402000700080000
dc: ecg
nsruvReplicaLastModified: {replica 6 ldap://fileserver1.ecg.mit.edu:389} 4f8d7806
nsruvReplicaLastModified: {replica 43 ldap://fileserver2.ecg.mit.edu:389} 4f8d77a6
nsruvReplicaLastModified: {replica 5 ldap://fileserver3.ecg.mit.edu:389} 4f8d7756
nsruvReplicaLastModified: {replica 4 ldap://fileserver3.ecg.mit.edu:389} 00000000
nsruvReplicaLastModified: {replica 9 ldap://fileserver3.ecg.mit.edu:389} 00000000
nsruvReplicaLastModified: {replica 8 ldap://fileserver3.ecg.mit.edu:389} 00000000

Is it safe to run CLEANRUV on IDs 4 and 9? That still leaves me with 2 entries for fileserver3. How do I know which one to delete?

On my PKI-IPA server, the CLEANRUV task doesn't seem to work. It keeps re-adding entries after I remove them.
I have 3 entries for my non-existent fileserver4 - They disappear when I remove them, but they come back after a few minutes.

Thanks,

Dan

From rmeggins at redhat.com Tue Apr 17 14:29:36 2012
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 17 Apr 2012 10:29:36 -0400 (EDT)
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
In-Reply-To:
Message-ID: <98591d10-182e-4e34-bc0a-ad60684017bc@zmail16.collab.prod.int.phx2.redhat.com>

----- Original Message -----
> On Tue, Apr 17, 2012 at 09:26, Rich Megginson
> wrote:
> > On 04/17/2012 07:26 AM, Dan Scott wrote:
> >>
> >> On Fri, Apr 13, 2012 at 17:44, Rich Megginson
> >> wrote:
> >>>
> >>> On 04/13/2012 03:40 PM, Dan Scott wrote:
> >>>>
> >>>> I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV]
> >>>> does
> >>>> not contain element" errors in the logs for each of fileservers
> >>>> 1, 2
> >>>> and 3. The ldapsearch for
> >>>>
> >>>>
> >>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> >>>> is still showing entries though. Is that OK?
> >>>
> >>>
> >>> The entry should exist, but the deleted servers should not be
> >>> present in
> >>> the
> >>> nsds50ruv attribute.
> >>
> >> OK, so it's safe to delete replica entries which have
> >> ldap://fileserver4.ecg.mit.edu:389 (fileserver4 is not currently a
> >> replica) but not for the other servers?
> >
> > Yes. Following the CLEANRUV procedure:
> > http://port389.org/wiki/Howto:CLEANRUV
>
> Thanks. I think I'm getting there - removed the tombstones from the
> main directory and the PKI-IPA directory (only one server so far
> though).
> I still have a few strange entries though:
>
> [root at fileserver1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b dc=ecg,dc=mit,dc=edu '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> Enter LDAP Password:
> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=ecg,dc=mit,dc=edu
> objectClass: top
> objectClass: nsTombstone
> objectClass: extensibleobject
> nsds50ruv: {replicageneration} 4e7b746e000000040000
> nsds50ruv: {replica 6 ldap://fileserver1.ecg.mit.edu:389} 4f50e685001d00060000 4f8d7874000200060000
> nsds50ruv: {replica 43 ldap://fileserver2.ecg.mit.edu:389} 4f88cf450001002b0000 4f8d78140000002b0000
> nsds50ruv: {replica 5 ldap://fileserver3.ecg.mit.edu:389} 4f5047ad001d00050000 4f8d77c3000000050000
> nsds50ruv: {replica 4 ldap://fileserver3.ecg.mit.edu:389}
> nsds50ruv: {replica 9 ldap://fileserver3.ecg.mit.edu:389}
> nsds50ruv: {replica 8 ldap://fileserver3.ecg.mit.edu:389} 4f7363d2001d00080000 4f736402000700080000
> dc: ecg
> nsruvReplicaLastModified: {replica 6 ldap://fileserver1.ecg.mit.edu:389} 4f8d7806
> nsruvReplicaLastModified: {replica 43 ldap://fileserver2.ecg.mit.edu:389} 4f8d77a6
> nsruvReplicaLastModified: {replica 5 ldap://fileserver3.ecg.mit.edu:389} 4f8d7756
> nsruvReplicaLastModified: {replica 4 ldap://fileserver3.ecg.mit.edu:389} 00000000
> nsruvReplicaLastModified: {replica 9 ldap://fileserver3.ecg.mit.edu:389} 00000000
> nsruvReplicaLastModified: {replica 8 ldap://fileserver3.ecg.mit.edu:389} 00000000
>
> Is it safe to run CLEANRUV on IDs 4 and 9? That still leaves me with
> 2
> entries for fileserver3. How do I know which one to delete?

Whichever one is the one currently in use.

ldapsearch -xLLL -h fileserver3 -D "cn=directory manager" -W -b cn=config cn=replica

What is the replica ID? That is the one that is currently in use. You should be able to safely delete the others.

>
> On my PKI-IPA server, the CLEANRUV task doesn't seem to work.
> It
> keeps
> re-adding entries after I remove them. I have 3 entries for my
> non-existent fileserver4 - They disappear when I remove them, but
> they
> come back after a few minutes.

Right, because they are being replicated from another master. You will need to run the CLEANRUV on all masters at the same time.

>
> Thanks,
>
> Dan
>

From jorge.argibay at watea.com.ar Tue Apr 17 14:30:51 2012
From: jorge.argibay at watea.com.ar (Jorge Argibay Molina)
Date: Tue, 17 Apr 2012 11:30:51 -0300
Subject: [Freeipa-users] Fwd: Problem creating replica file
References: <4F8C9CD0.5090100@redhat.com>
Message-ID:

Dmitri,

I'm attaching the result of rpm -qa | sort

I tried to follow the installation instructions to the letter, as it was my first installation. As I didn't have an existing CA, I asked the installation script to install its own CA.

This is the only problem the installation seems to be having, because there are several fedora desktops authenticating happily against the IPA instance.

Thanks for your prompt response.

[Attachment scrubbed: rpms.txt]

Begin forwarded message:

> From: Dmitri Pal
> Subject: Re: [Freeipa-users] Problem creating replica file
> Date: 16 April 2012 19:27:28 GMT-03:00
> To: freeipa-users at redhat.com
> Reply-To: dpal at redhat.com
>
> On 04/16/2012 05:14 PM, Jorge Argibay Molina wrote:
>> Hi,
>>
>> I'm in the testing phase of the deployment of FreeIPA in my network.
>>
>> So far I've been able to configure the server, and several clients.
>>
>> What I've been unable to do, and seems very easy going thru the documentation, is generate the replica.
>> >> Whenever I do: >> >> ipa-replica-prepare hades.watea.com.ar --ip-address 192.168.1.180 >> >> I get >> >> Directory Manager (existing master) password: >> >> Warning: Hostname (hades.watea.com.ar) not found in DNS >> Preparing replica for hades.watea.com.ar from ares.watea.com.ar >> Creating SSL certificate for the Directory Server >> Certificate issuance failed >> >> I'm attaching the pki-ca debug log, where I get an error. >> >> >> I'm out of ideas. Can anyone suggest what may be broken or any documentation that has a suggestion about fixing this issue? >> > > Please provide package versions for the ipa, 389 and dogtag. > Did you use any specific certificate related option when installed the first IPA master? > >> >> >> >> Thanks >> >> >> >> >> >> >> Jorge Argibay >> >> jorge.argibay at watea.com.ar >> >> >> Tel.: (+54) 11 5277 0305 Int.: 4900 >> Cel: (+549) 11 4028 4900 >> >> USA: (+1) 786 866 7837 Int.: 4900 >> C. Rica: (+506) 4000 1650 Int.: 4900 >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > > www.redhat.com/carveoutcosts/ > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users Jorge Argibay jorge.argibay at watea.com.ar Tel.: (+54) 11 5277 0305 Int.: 4900 Cel: (+549) 11 4028 4900 USA: (+1) 786 866 7837 Int.: 4900 C. 
Rica: (+506) 4000 1650 Int.: 4900 From dpal at redhat.com Tue Apr 17 14:43:26 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 17 Apr 2012 10:43:26 -0400 Subject: [Freeipa-users] client without certmonger/dbus In-Reply-To: References: Message-ID: <4F8D818E.1040807@redhat.com> On 04/17/2012 02:09 AM, Christoph Kaminski wrote: > hi > > Is it possible to use the ipa-client without certmonger/dbus? Have an > openvz environment where I can't start dbus... A quick review of openvz indicates that it supports dbus, so why is this an issue? If you feel this is still necessary please file an RFE with your justification. > > - > Kind regards > Christoph Kaminski > > > _ > __www.biotronik.com_ > ------------------------------------------------------------------------ > > BIOTRONIK SE & Co. KG > Woermannkehre 1, 12359 Berlin, Germany > Registered office: Berlin, Register court: Berlin HRA 6501 > > Represented by its general partner: > BIOTRONIK MT SE > Registered office: Berlin, Register court: Berlin HRB 118866 B > Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. > Lothar Krings, Dr. Torsten Wolf > ------------------------------------------------------------------------ > * > BIOTRONIK* - A global manufacturer of advanced Cardiac Rhythm > Management systems and Vascular Intervention devices. Quality, > innovation, and reliability define BIOTRONIK and our growing success. > We are innovators of technologies like the first wireless remote > monitoring system - Home Monitoring®, Closed Loop Stimulation and > coveted lead solutions as well as state-of-the-art stents, balloons > and guide wires for coronary and peripheral indications. We highly > invest in the development of drug eluting devices and are leading the > industry with our drug eluting absorbable metal scaffold program. 
> ------------------------------------------------------------------------ > > This e-mail and the information it contains including attachments are > confidential and meant only for use by the intended recipient(s); > disclosure or copying is strictly prohibited. If you are not > addressed, but in the possession of this e-mail, please notify the > sender immediately and delete the document. > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From sigbjorn at nixtra.com Tue Apr 17 15:29:36 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 17 Apr 2012 17:29:36 +0200 (CEST) Subject: [Freeipa-users] Screensaver unlock with expired password In-Reply-To: <20120416214339.GF8158@redhat.com> References: <4F896B81.4030702@nixtra.com> <4F8C1F8D.2020602@redhat.com> <4F8C8C6F.4050507@nixtra.com> <20120416214339.GF8158@redhat.com> Message-ID: <24788.213.225.75.97.1334676576.squirrel@www.nixtra.com> On Mon, April 16, 2012 23:43, Nalin Dahyabhai wrote: > On Mon, Apr 16, 2012 at 11:17:35PM +0200, Sigbjorn Lie wrote: > >> The clients use nss_ldap+pam_krb5, SSSD was crashing for us on RHEL 5. >> >> >> The server is the IPA server provided in RHEL 6.2. >> >> >> When I check the logs on the client it states that authentication >> succeeded, and that the password has expired. And that's where the screensaver fails. It shows an >> info message that the password has expired, and then an error message advising that "The >> password subsystem has failed..." >> >>> Best would be if you provide clear reproduction steps and file a >>> ticket attaching logs and configuration to it. 
If it is a bug in SSSD we would need to fix it >>> ASAP though we have not >>> seen this behavior in SSSD ever. >> >> This is not SSSD, I believe it either comes down to lack of support >> in the KDE screensaver or a requirement for change in the PAM configuration. The current PAM >> configuration is set by the system-config-auth script with the "--enable-ldap --enable-krb5" >> options. >> >> I was hoping for a change in the PAM configuration and that someone >> had an example that works to advise me about. > > Short version: try turning on the "chpw_prompt" option for pam_krb5, by > setting something like this in /etc/krb5.conf: > > [appdefaults] > pam = { chpw_prompt = kscreensaver gnome-screensaver } > > > Long version: as you've noticed, some applications don't quite do what > PAM expects of them when the user's password has expired. When the user > needs to set a new password, PAM is supposed to succeed in the authentication phase, and then > return a specific status, indicating that a password change is needed, in the account management > phase. > > Based on that second result, the application can either start a password > change through PAM (and then allow access only if that change operation succeeds), or reject the > user if it can't handle a password change (think of FTP servers, where the protocol keeps a server > from being able to ask for a new password). Some applications don't know to do either, so the > password-expired status is treated as a fatal error, and that appears to be what's going on here. > > Turning on the "chpw_prompt" option causes pam_krb5 to let libkrb5 > attempt to change the password, during authentication, if a password change is needed. Depending > on the application, that might be enough to fix things. 
It depends on the application to not just > reply with the same password without relaying the question to the user, and you don't get the > chance to add any client-side password quality checking via PAM, but it might work if the > application can handle multiple prompts correctly. > > If that change allows users to log in (or unlock their screens, in this > case), then you've found a bug in the PAM-enabled application, which is unfortunately not unheard > of. The need to provide this option was first reported [1] after we fixed pam_krb5 to do the > right thing [2]. > > HTH, > > > Nalin > > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=509092 > [2] https://bugzilla.redhat.com/show_bug.cgi?id=402721 > Hi Nalin, Thank you for your reply. I have tested this and it works with GNOME! It did not work with KDE, I was still advised that the password had expired, but then there were no further messages, and I was returned to the unlock prompt. Unfortunately we are running KDE in our client production environment. Do you have any other suggestions I could try? Thanks. Regards, Siggi From danieljamesscott at gmail.com Tue Apr 17 15:59:23 2012 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 17 Apr 2012 11:59:23 -0400 Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them? 
In-Reply-To: <98591d10-182e-4e34-bc0a-ad60684017bc@zmail16.collab.prod.int.phx2.redhat.com> References: <98591d10-182e-4e34-bc0a-ad60684017bc@zmail16.collab.prod.int.phx2.redhat.com> Message-ID: On Tue, Apr 17, 2012 at 10:29, Richard Megginson wrote: > ----- Original Message ----- >> On Tue, Apr 17, 2012 at 09:26, Rich Megginson >> wrote: >> > On 04/17/2012 07:26 AM, Dan Scott wrote: >> >> >> >> On Fri, Apr 13, 2012 at 17:44, Rich Megginson >> >> wrote: >> >>> >> >>> On 04/13/2012 03:40 PM, Dan Scott wrote: >> >>>> >> >>>> I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] >> >>>> does >> >>>> not contain element" errors in the logs for each of fileservers >> >>>> 1, 2 >> >>>> and 3. The ldapsearch for >> >>>> >> >>>> >> >>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' >> >>>> is still showing entries though. Is that OK? >> >>> >> >>> >> >>> The entry should exist, but the deleted servers should not be >> >>> present in >> >>> the >> >>> nsds50ruv attribute. >> >> >> >> OK, so it's safe to delete replica entries which have >> >> ldap://fileserver4.ecg.mit.edu:389 (fileserver4 is not currently a >> >> replica) but not for the other servers? >> > >> > Yes. Following the CLEANRUV procedure: >> > http://port389.org/wiki/Howto:CLEANRUV >> >> Thanks. I think I'm getting there - removed the tombstones from the >> main directory and the PKI-IPA directory (only one server so far >> though). 
I still have a few strange entries though: >> >> [root at fileserver1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W >> -b >> dc=ecg,dc=mit,dc=edu >> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' >> Enter LDAP Password: >> dn: >> nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=ecg,dc=mit,dc=edu >> objectClass: top >> objectClass: nsTombstone >> objectClass: extensibleobject >> nsds50ruv: {replicageneration} 4e7b746e000000040000 >> nsds50ruv: {replica 6 ldap://fileserver1.ecg.mit.edu:389} >> 4f50e685001d00060000 >> 4f8d7874000200060000 >> nsds50ruv: {replica 43 ldap://fileserver2.ecg.mit.edu:389} >> 4f88cf450001002b000 >> 0 4f8d78140000002b0000 >> nsds50ruv: {replica 5 ldap://fileserver3.ecg.mit.edu:389} >> 4f5047ad001d00050000 >> 4f8d77c3000000050000 >> nsds50ruv: {replica 4 ldap://fileserver3.ecg.mit.edu:389} >> nsds50ruv: {replica 9 ldap://fileserver3.ecg.mit.edu:389} >> nsds50ruv: {replica 8 ldap://fileserver3.ecg.mit.edu:389} >> 4f7363d2001d00080000 >> 4f736402000700080000 >> dc: ecg >> nsruvReplicaLastModified: {replica 6 >> ldap://fileserver1.ecg.mit.edu:389} 4f8d7 >> 806 >> nsruvReplicaLastModified: {replica 43 >> ldap://fileserver2.ecg.mit.edu:389} 4f8d >> 77a6 >> nsruvReplicaLastModified: {replica 5 >> ldap://fileserver3.ecg.mit.edu:389} 4f8d7 >> 756 >> nsruvReplicaLastModified: {replica 4 >> ldap://fileserver3.ecg.mit.edu:389} 00000 >> 000 >> nsruvReplicaLastModified: {replica 9 >> ldap://fileserver3.ecg.mit.edu:389} 00000 >> 000 >> nsruvReplicaLastModified: {replica 8 >> ldap://fileserver3.ecg.mit.edu:389} 00000 >> 000 >> >> Is it safe to run CLEANRUV on IDs 4 and 9? That still leaves me with >> 2 >> entries for fileserver3. How do I know which one to delete? > > Whichever one is the one currently in use. > > ldapsearch -xLLL -h fileserver3 -D "cn=directory manager" -W -b cn=config cn=replica > > What is the replica ID? That is the one that is currently in use. 
You should be able to safely delete the others. Excellent, thanks. Nearly there now. I think my only remaining problems are: 1. The fileserver5.ecg.mit.edu entry (dn: cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu) which I cannot delete due to: [LDAP: error code 66 - Not Allowed On Non-leaf] 2. One inconsistency in my replication agreements: ipa-csreplica-manage -v list fileserver1.ecg.mit.edu shows only fileserver2. ipa-csreplica-manage -v list fileserver3.ecg.mit.edu shows both fileservers 1 and 2. So, fileserver3 thinks that it's replicating fine with fileserver1, but fileserver1 is not replicating with fileserver3. Any ideas? Thanks for all your help. It's looking good now. Dan From pspacek at redhat.com Tue Apr 17 16:01:05 2012 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 17 Apr 2012 18:01:05 +0200 Subject: [Freeipa-users] DNS zone delegation In-Reply-To: <4F2A5604.9040605@redhat.com> References: <1328120480.23084.19.camel@arepa.pzo.lgs.com.ve> <4F2A5604.9040605@redhat.com> Message-ID: <4F8D93C1.10506@redhat.com> On 02/02/2012 10:23 AM, Adam Tkac wrote: > On 02/01/2012 07:21 PM, Loris Santamaria wrote: >> Hi, >> >> I have a dns zone managed by IPA and I'm trying to delegate a zone >> managed by Active Directory. >> >> The IPA managed zone is called "corpfbk", and the AD one is >> "ad.corpfbk". >> >> I started by adding the proper glue records: >> >> ipa dnsrecord-add corpfbk ns1.ad --a-rec=192.168.3.36 >> ipa dnsrecord-add corpfbk ns2.ad --a-rec=192.168.3.241 >> >> Then I add what I consider should be the zone delegation: >> >> ipa dnsrecord-add corpfbk ad --ns-rec=ns1.ad.corpfbk.,ns2.ad.corpfbk. >> >> Problem is, IPA DNS can't resolve any host in the ad.corpfbk zone, >> except ns1 and ns2. Recursion is enabled in named.conf. 
Dig results: >> >> dig @localhost ad.corpfbk NS +norecurse >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21862 >> ;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4 >> >> ;; QUESTION SECTION: >> ;ad.corpfbk. IN NS >> >> ;; ANSWER SECTION: >> ad.corpfbk. 86400 IN NS ns1.ad.corpfbk. >> ad.corpfbk. 86400 IN NS ns2.ad.corpfbk. >> >> ;; AUTHORITY SECTION: >> corpfbk. 86400 IN NS ipa01.central.corpfbk. >> corpfbk. 86400 IN NS ipa02.central.corpfbk. >> >> ;; ADDITIONAL SECTION: >> ns1.ad.corpfbk. 86400 IN A 192.168.3.36 >> ns2.ad.corpfbk. 86400 IN A 192.168.3.241 >> ipa01.central.corpfbk. 86400 IN A 192.168.3.6 >> ipa02.central.corpfbk. 86400 IN A 192.168.3.16 >> >> It seems to me, and after testing with other non-IPA based DNS servers, >> that the response shouldn't have an "Answer section", but it should >> have an "authority section" pointing to ad.corpfbk. >> >> Am I doing something wrong? Should I file a bug? >> > You are right, ad.corpfbk. records should be in the auth section. This seems > like a bug in the bind-dyndb-ldap plugin. Please file it, with a reference > to this thread, at bugzilla.redhat.com. Thank you in advance! > > Regards, Adam These problems are fixed in the latest bind-dyndb-ldap upstream version (commit 9bcd08be60aad4cb55393d494887b97bd31526be). Petr^2 Spacek From rmeggins at redhat.com Tue Apr 17 19:32:13 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 17 Apr 2012 13:32:13 -0600 Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them? 
In-Reply-To: References: <98591d10-182e-4e34-bc0a-ad60684017bc@zmail16.collab.prod.int.phx2.redhat.com> Message-ID: <4F8DC53D.1000805@redhat.com> On 04/17/2012 09:59 AM, Dan Scott wrote: > On Tue, Apr 17, 2012 at 10:29, Richard Megginson wrote: >> ----- Original Message ----- >>> On Tue, Apr 17, 2012 at 09:26, Rich Megginson >>> wrote: >>>> On 04/17/2012 07:26 AM, Dan Scott wrote: >>>>> On Fri, Apr 13, 2012 at 17:44, Rich Megginson >>>>> wrote: >>>>>> On 04/13/2012 03:40 PM, Dan Scott wrote: >>>>>>> I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] >>>>>>> does >>>>>>> not contain element" errors in the logs for each of fileservers >>>>>>> 1, 2 >>>>>>> and 3. The ldapsearch for >>>>>>> >>>>>>> >>>>>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' >>>>>>> is still showing entries though. Is that OK? >>>>>> >>>>>> The entry should exist, but the deleted servers should not be >>>>>> present in >>>>>> the >>>>>> nsds50ruv attribute. >>>>> OK, so it's safe to delete replica entries which have >>>>> ldap://fileserver4.ecg.mit.edu:389 (fileserver4 is not currently a >>>>> replica) but not for the other servers? >>>> Yes. Following the CLEANRUV procedure: >>>> http://port389.org/wiki/Howto:CLEANRUV >>> Thanks. I think I'm getting there - removed the tombstones from the >>> main directory and the PKI-IPA directory (only one server so far >>> though). 
I still have a few strange entries though: >>> >>> [root at fileserver1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W >>> -b >>> dc=ecg,dc=mit,dc=edu >>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' >>> Enter LDAP Password: >>> dn: >>> nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=ecg,dc=mit,dc=edu >>> objectClass: top >>> objectClass: nsTombstone >>> objectClass: extensibleobject >>> nsds50ruv: {replicageneration} 4e7b746e000000040000 >>> nsds50ruv: {replica 6 ldap://fileserver1.ecg.mit.edu:389} >>> 4f50e685001d00060000 >>> 4f8d7874000200060000 >>> nsds50ruv: {replica 43 ldap://fileserver2.ecg.mit.edu:389} >>> 4f88cf450001002b000 >>> 0 4f8d78140000002b0000 >>> nsds50ruv: {replica 5 ldap://fileserver3.ecg.mit.edu:389} >>> 4f5047ad001d00050000 >>> 4f8d77c3000000050000 >>> nsds50ruv: {replica 4 ldap://fileserver3.ecg.mit.edu:389} >>> nsds50ruv: {replica 9 ldap://fileserver3.ecg.mit.edu:389} >>> nsds50ruv: {replica 8 ldap://fileserver3.ecg.mit.edu:389} >>> 4f7363d2001d00080000 >>> 4f736402000700080000 >>> dc: ecg >>> nsruvReplicaLastModified: {replica 6 >>> ldap://fileserver1.ecg.mit.edu:389} 4f8d7 >>> 806 >>> nsruvReplicaLastModified: {replica 43 >>> ldap://fileserver2.ecg.mit.edu:389} 4f8d >>> 77a6 >>> nsruvReplicaLastModified: {replica 5 >>> ldap://fileserver3.ecg.mit.edu:389} 4f8d7 >>> 756 >>> nsruvReplicaLastModified: {replica 4 >>> ldap://fileserver3.ecg.mit.edu:389} 00000 >>> 000 >>> nsruvReplicaLastModified: {replica 9 >>> ldap://fileserver3.ecg.mit.edu:389} 00000 >>> 000 >>> nsruvReplicaLastModified: {replica 8 >>> ldap://fileserver3.ecg.mit.edu:389} 00000 >>> 000 >>> >>> Is it safe to run CLEANRUV on IDs 4 and 9? That still leaves me with >>> 2 >>> entries for fileserver3. How do I know which one to delete? >> Whichever one is the one currently in use. >> >> ldapsearch -xLLL -h fileserver3 -D "cn=directory manager" -W -b cn=config cn=replica >> >> What is the replica ID? That is the one that is currently in use. 
You should be able to safely delete the others. > Excellent, thanks. > > Nearly there now. > > I think my only remaining problems are: > > 1. The fileserver5.ecg.mit.edu entry (dn: > cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu) > which I cannot delete due to: [LDAP: error code 66 - Not Allowed On > Non-leaf] It won't let you delete the tombstones? Or it is not showing any tombstones? If this is due to "orphan" tombstone entries, the only resolution will be to db2ldif, then ldif2db. > 2. One inconsistency in my replication agreements: > ipa-csreplica-manage -v list fileserver1.ecg.mit.edu shows only fileserver2. > ipa-csreplica-manage -v list fileserver3.ecg.mit.edu shows both > fileservers 1 and 2. > > So, fileserver3 thinks that it's replicating fine with fileserver1, > but fileserver1 is not replicating with fileserver3. > > Any ideas? Not sure. You can look at the replication agreements directly using ldapsearch: ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsds5replicationagreement > > Thanks for all your help. It's looking good now. > > Dan From rcritten at redhat.com Tue Apr 17 21:46:58 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 17 Apr 2012 17:46:58 -0400 Subject: [Freeipa-users] client without certmonger/dbus In-Reply-To: References: Message-ID: <4F8DE4D2.9060300@redhat.com> Christoph Kaminski wrote: > hi > > Is it possible to use the ipa-client without certmonger/dbus? Have an > openvz environment where I can't start dbus... > Is it not working for you at all? Lack of certmonger should not cause a fatal installation problem, just a slew of scary error messages. There is no option to not configure certmonger. 
rob From sbingram at gmail.com Tue Apr 17 22:07:05 2012 From: sbingram at gmail.com (Stephen Ingram) Date: Tue, 17 Apr 2012 15:07:05 -0700 Subject: [Freeipa-users] client without certmonger/dbus In-Reply-To: References: Message-ID: On Mon, Apr 16, 2012 at 11:09 PM, Christoph Kaminski wrote: > hi > > Is it possible to use the ipa-client without certmonger/dbus? Have an openvz > environment where I can't start dbus... Christoph- You can install IPA in an OpenVZ container. I was able to install after doing the following: 1. mkdir -m 1777 /dev/shm 2. add this line to fstab: tmp /dev/shm tmpfs defaults 0 0 3. mkdir /var/run/dbus 4. service messagebus start Also, make sure you give yourself lots of memory to install IPA. Once it's installed you can reduce back down depending on the size of your directory. Steve From sbingram at gmail.com Wed Apr 18 05:32:56 2012 From: sbingram at gmail.com (Stephen Ingram) Date: Tue, 17 Apr 2012 22:32:56 -0700 Subject: [Freeipa-users] client without certmonger/dbus In-Reply-To: References: Message-ID: On Tue, Apr 17, 2012 at 10:28 PM, Christoph Kaminski wrote: > done it without success :( > > [root at xaphon ~]# dbus-daemon --system --nofork > Failed to start message bus: Failed to drop capabilities: Operation not > permitted What OS and version are you using? I was using the Fedora 15 template from OpenVZ. Steve From christoph.kaminski at biotronik.com Wed Apr 18 05:28:25 2012 From: christoph.kaminski at biotronik.com (Christoph Kaminski) Date: Wed, 18 Apr 2012 07:28:25 +0200 Subject: [Freeipa-users] Reply: Re: client without certmonger/dbus In-Reply-To: References: , Message-ID: An HTML attachment was scrubbed... URL: From christoph.kaminski at biotronik.com Wed Apr 18 06:07:56 2012 From: christoph.kaminski at biotronik.com (Christoph Kaminski) Date: Wed, 18 Apr 2012 08:07:56 +0200 Subject: [Freeipa-users] Reply: Re: Re: client without certmonger/dbus In-Reply-To: References: , Message-ID: An HTML attachment was scrubbed... 
URL: From sbingram at gmail.com Wed Apr 18 06:33:46 2012 From: sbingram at gmail.com (Stephen Ingram) Date: Tue, 17 Apr 2012 23:33:46 -0700 Subject: [Freeipa-users] client without certmonger/dbus In-Reply-To: References: Message-ID: On Tue, Apr 17, 2012 at 11:07 PM, Christoph Kaminski wrote: > CentOS 6.2 inside vserver, but I don't know what OS is the host system. > (leased at heckrath.com) You can do a cat /proc/version inside your container to see what version of the kernel they are using. I'm guessing it is pretty old since that problem was solved some time ago as it caused problems with the operation of the container. If it is really old, you might want to see if they can migrate your container to a newer host node with an updated kernel. I haven't tried this on Red Hat or CentOS using OpenVZ as I switched to KVM to take advantage of SELinux. Fedora 15 worked great on the 2.6.18-238.9.1.el5.028stab089.1 kernel. I also looked at your provider's website and saw that the largest container they offer is 512MB. I'll be very surprised if you can get FreeIPA to install inside a container with only 512MB. I had to use around 2GB just to get it to install. Once complete, then I was able to lower the memory to around 1GB. For some reason the install requires an enormous amount of RAM. Steve From christoph.kaminski at biotronik.com Wed Apr 18 07:06:02 2012 From: christoph.kaminski at biotronik.com (Christoph Kaminski) Date: Wed, 18 Apr 2012 09:06:02 +0200 Subject: [Freeipa-users] Reply: Re: Re: Re: client without certmonger/dbus In-Reply-To: References: Message-ID: [root at xaphon ~]# cat /proc/version Linux version 2.6.26-2-openvz-amd64 (Debian 2.6.26-26lenny1) (dannf at debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Thu Nov 25 05:14:47 UTC 2010 I have 2GB RAM on my vhost (512MB is only initially, you can buy additional RAM later) But I want to install the client, not the IPA server. 
- Kind regards Christoph Kaminski From: Stephen Ingram To: Christoph Kaminski Cc: freeipa-users at redhat.com Date: 18.04.2012 08:34 Subject: Re: Re: Re: [Freeipa-users] client without certmonger/dbus On Tue, Apr 17, 2012 at 11:07 PM, Christoph Kaminski wrote: > CentOS 6.2 inside vserver, but I don't know what OS is the host system. > (leased at heckrath.com) You can do a cat /proc/version inside your container to see what version of the kernel they are using. I'm guessing it is pretty old since that problem was solved some time ago as it caused problems with the operation of the container. If it is really old, you might want to see if they can migrate your container to a newer host node with an updated kernel. I haven't tried this on Red Hat or CentOS using OpenVZ as I switched to KVM to take advantage of SELinux. Fedora 15 worked great on the 2.6.18-238.9.1.el5.028stab089.1 kernel. I also looked at your provider's website and saw that the largest container they offer is 512MB. I'll be very surprised if you can get FreeIPA to install inside a container with only 512MB. I had to use around 2GB just to get it to install. Once complete, then I was able to lower the memory to around 1GB. For some reason the install requires an enormous amount of RAM. Steve
-------------- next part -------------- An HTML attachment was scrubbed... URL: From danieljamesscott at gmail.com Wed Apr 18 13:22:01 2012 From: danieljamesscott at gmail.com (Dan Scott) Date: Wed, 18 Apr 2012 09:22:01 -0400 Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them? In-Reply-To: <4F8DC53D.1000805@redhat.com> References: <98591d10-182e-4e34-bc0a-ad60684017bc@zmail16.collab.prod.int.phx2.redhat.com> <4F8DC53D.1000805@redhat.com> Message-ID: On Tue, Apr 17, 2012 at 15:32, Rich Megginson wrote: > On 04/17/2012 09:59 AM, Dan Scott wrote: >> >> On Tue, Apr 17, 2012 at 10:29, Richard Megginson >> wrote: >>> >>> ----- Original Message ----- >>>> >>>> On Tue, Apr 17, 2012 at 09:26, Rich Megginson >>>> wrote: >>>>> >>>>> On 04/17/2012 07:26 AM, Dan Scott wrote: >>>>>> >>>>>> On Fri, Apr 13, 2012 at 17:44, Rich Megginson >>>>>> wrote: >>>>>>> >>>>>>> On 04/13/2012 03:40 PM, Dan Scott wrote: >>>>>>>> >>>>>>>> I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] >>>>>>>> does >>>>>>>> not contain element" errors in the logs for each of fileservers >>>>>>>> 1, 2 >>>>>>>> and 3. 
The ldapsearch for >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' >>>>>>>> is still showing entries though. Is that OK? >>>>>>> >>>>>>> >>>>>>> The entry should exist, but the deleted servers should not be >>>>>>> present in >>>>>>> the >>>>>>> nsds50ruv attribute. >>>>>> >>>>>> OK, so it's safe to delete replica entries which have >>>>>> ldap://fileserver4.ecg.mit.edu:389 (fileserver4 is not currently a >>>>>> replica) but not for the other servers? >>>>> >>>>> Yes. Following the CLEANRUV procedure: >>>>> http://port389.org/wiki/Howto:CLEANRUV >>>> >>>> Thanks. I think I'm getting there - removed the tombstones from the >>>> main directory and the PKI-IPA directory (only one server so far >>>> though). I still have a few strange entries though: >>>> >>>> [root at fileserver1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W >>>> -b >>>> dc=ecg,dc=mit,dc=edu >>>> >>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' >>>> Enter LDAP Password: >>>> dn: >>>> nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=ecg,dc=mit,dc=edu >>>> objectClass: top >>>> objectClass: nsTombstone >>>> objectClass: extensibleobject >>>> nsds50ruv: {replicageneration} 4e7b746e000000040000 >>>> nsds50ruv: {replica 6 ldap://fileserver1.ecg.mit.edu:389} >>>> 4f50e685001d00060000 >>>> 4f8d7874000200060000 >>>> nsds50ruv: {replica 43 ldap://fileserver2.ecg.mit.edu:389} >>>> 4f88cf450001002b000 >>>> 0 4f8d78140000002b0000 >>>> nsds50ruv: {replica 5 ldap://fileserver3.ecg.mit.edu:389} >>>> 4f5047ad001d00050000 >>>> 4f8d77c3000000050000 >>>> nsds50ruv: {replica 4 ldap://fileserver3.ecg.mit.edu:389} >>>> nsds50ruv: {replica 9 ldap://fileserver3.ecg.mit.edu:389} >>>> nsds50ruv: {replica 8 ldap://fileserver3.ecg.mit.edu:389} >>>> 4f7363d2001d00080000 >>>> 
4f736402000700080000 >>>> dc: ecg >>>> nsruvReplicaLastModified: {replica 6 >>>> ldap://fileserver1.ecg.mit.edu:389} 4f8d7 >>>> 806 >>>> nsruvReplicaLastModified: {replica 43 >>>> ldap://fileserver2.ecg.mit.edu:389} 4f8d >>>> 77a6 >>>> nsruvReplicaLastModified: {replica 5 >>>> ldap://fileserver3.ecg.mit.edu:389} 4f8d7 >>>> 756 >>>> nsruvReplicaLastModified: {replica 4 >>>> ldap://fileserver3.ecg.mit.edu:389} 00000 >>>> 000 >>>> nsruvReplicaLastModified: {replica 9 >>>> ldap://fileserver3.ecg.mit.edu:389} 00000 >>>> 000 >>>> nsruvReplicaLastModified: {replica 8 >>>> ldap://fileserver3.ecg.mit.edu:389} 00000 >>>> 000 >>>> >>>> Is it safe to run CLEANRUV on IDs 4 and 9? That still leaves me with >>>> 2 >>>> entries for fileserver3. How do I know which one to delete? >>> >>> Whichever one is the one currently in use. >>> >>> ldapsearch -xLLL -h fileserver3 -D "cn=directory manager" -W -b cn=config >>> cn=replica >>> >>> What is the replica ID? That is the one that is currently in use. You >>> should be able to safely delete the others. >> >> Excellent, thanks. >> >> Nearly there now. >> >> I think my only remaining problems are: >> >> 1. The fileserver5.ecg.mit.edu entry (dn: >> cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu) >> which I cannot delete due to: [LDAP: error code 66 - Not Allowed On >> Non-leaf] > > > It won't let you delete the tombstones? Or it is not showing any > tombstones? > If this is due to "orphan" tombstone entries, the only resolution will be to > db2ldif, then ldif2db. It's not showing any tombstones. Is there any documentation for "db2ldif, then ldif2db"? I guess it's the scripts in /var/lib/dirsrv/scripts-ECG-MIT-EDU/. But I'm not sure if there are any options I should be using? >> 2. One inconsistency in my replication agreements: >> ipa-csreplica-manage -v list fileserver1.ecg.mit.edu shows only >> fileserver2. >> ipa-csreplica-manage -v list fileserver3.ecg.mit.edu shows both >> fileservers 1 and 2. 
>> >> So, fileserver3 thinks that it's replicating fine with fileserver1, >> but fileserver1 is not replicating with fileserver3. >> >> Any ideas? > > > Not sure. You can look at the replication agreements directly using > ldapsearch: > > ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config > objectclass=nsds5replicationagreement The agreements agree with the output of ipa-replica-manage list, i.e. there's an entry on fileserver3 pointing to fileserver1: dn: cn=masterAgreement1-fileserver1.ecg.mit.edu-pki-ca,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config but no equivalent entry on fileserver1. Is there an easy way to fix this? I think I have also found yet another problem. On fileserver2, the output of: ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsds5replicationagreement shows lots of entries for missing replicas: nsruvReplicaLastModified: {replica 5 ldap://fileserver3.ecg.mit.edu:389} 00000 000 nsruvReplicaLastModified: {replica 4 ldap://fileserver3.ecg.mit.edu:389} 00000 000 nsruvReplicaLastModified: {replica 9 ldap://fileserver3.ecg.mit.edu:389} 00000 000 But these entries do not show up in the output of: ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replica Do I need to run the cleanruv task for the above replica IDs? Thanks, Dan From lyamanishi at sesda2.com Tue Apr 17 23:23:23 2012 From: lyamanishi at sesda2.com (Lucas Yamanishi) Date: Tue, 17 Apr 2012 19:23:23 -0400 Subject: [Freeipa-users] Replica promotion and CA serial testing Message-ID: <4F8DFB6B.2080906@sesda2.com> Hi, What's the best way to verify _everything will be OK_ after completing the steps in section 16.8 of the Guide? Also, why is it necessary to add the master.ca.* entries when they did not exist in the previous master? The Guide is a little unclear on that. -- ----- *question everything*learn something*answer nothing* ------------ Lucas Yamanishi ------------------ Systems Administrator, ADNET Systems, Inc. 
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A

From simo at redhat.com Wed Apr 18 13:26:19 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 18 Apr 2012 09:26:19 -0400
Subject: [Freeipa-users] client without certmonger/dbus
Message-ID: <1334755579.16658.231.camel@willson.li.ssimo.org>

On Tue, 2012-04-17 at 23:33 -0700, Stephen Ingram wrote:
> On Tue, Apr 17, 2012 at 11:07 PM, Christoph Kaminski
> wrote:
> > centos 6.2 inside vserver, but I don't know what OS is the host system.
> > (leased at heckrath.com)
>
> You can do a cat /proc/version inside your container to see what
> version of the kernel they are using. I'm guessing it is pretty old
> since that problem was solved some time ago as it caused problems with
> the operation of the container. If it is really old, you might want to
> see if they can migrate your container to a newer host node with an
> updated kernel. I haven't tried this on Redhat or CentOS using OpenVZ
> as I switched to KVM to take advantage of SELinux. Fedora 15 worked
> great on the 2.6.18-238.9.1.el5.028stab089.1 kernel.
>
> I also looked at your provider's Website and saw that the largest
> container they offer is 512MB. I'll be very surprised if you can get
> FreeIPA to install inside a container with only 512MB. I had to use
> around 2GB just to get it to install. Once complete, then I was able
> to lower the memory to around 1GB. For some reason the install
> requires an enormous amount of RAM.

FWIW I regularly install FreeIPA in a VM with 768MB of ram allocated (and some swap) and it is just fine for an install. Granted there isn't much RAM left once FreeIPA is up and running (esp with the PKI).
For production I would recommend staying around a few G of RAM, as DS will use all the RAM it can for caches, and you also need to run tomcat/java for the CA, which is another process that demands a bit of RAM.

Also using a few CPUs is not a bad idea at all. While FreeIPA will work fine with one or 2 CPUs, having more will mean the system will be more responsive when many clients hit it using a mix of protocols (LDAP, KRB, DNS).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Wed Apr 18 13:51:40 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Apr 2012 09:51:40 -0400
Subject: [Freeipa-users] Replica promotion and CA serial testing
In-Reply-To: <4F8DFB6B.2080906@sesda2.com>
References: <4F8DFB6B.2080906@sesda2.com>
Message-ID: <4F8EC6EC.1000505@redhat.com>

Lucas Yamanishi wrote:
> Hi,
>
> What's the best way to verify _everything will be OK_ after completing
> the steps in section 16.8 of the Guide?
>
> Also, why is it necessary to add the master.ca.* entries when they did
> not exist in the previous master? The Guide is a little unclear on that.

I'm assuming you're using a dogtag CA? For dogtag only one of the masters generates the CRL. All these modifications do is change the server on which the CRL is generated.

To test this you'd just want to add the entries to one, remove from the previous master and restart both. Then watch the promoted master's debug log to ensure that it is regenerating the CRL on schedule.
rob

From sbingram at gmail.com Wed Apr 18 16:09:05 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 18 Apr 2012 09:09:05 -0700
Subject: [Freeipa-users] client without certmonger/dbus

On Wed, Apr 18, 2012 at 12:06 AM, Christoph Kaminski <christoph.kaminski at biotronik.com> wrote:
> [root at xaphon ~]# cat /proc/version
> Linux version 2.6.26-2-openvz-amd64 (Debian 2.6.26-26lenny1) (dannf at debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Thu Nov 25 05:14:47 UTC 2010
>
> I have 2GB RAM on my vhost (512MB is only initially, you can buy additional
> ram later)
> But I want to install the client, not ipa server.

I'm sorry, I thought we were talking about the server here. That's a recent OpenVZ kernel so there shouldn't be any issues there. 2GB of RAM is more than enough for the client. I'm going to set up a container with CentOS 6.2 and see if I can replicate what you are talking about. I'll report back.

Steve

From sbingram at gmail.com Wed Apr 18 17:28:12 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 18 Apr 2012 10:28:12 -0700
Subject: [Freeipa-users] client without certmonger/dbus

On Wed, Apr 18, 2012 at 9:09 AM, Stephen Ingram wrote:
> On Wed, Apr 18, 2012 at 12:06 AM, Christoph Kaminski
> wrote:
>>
>> [root at xaphon ~]# cat /proc/version
>> Linux version 2.6.26-2-openvz-amd64 (Debian 2.6.26-26lenny1)
>> (dannf at debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian
>> 4.1.2-25)) #1 SMP Thu Nov 25 05:14:47 UTC 2010
>>
>> I have 2GB RAM on my vhost (512MB is only initially, you can buy additional
>> ram later)
>> But I want to install the client, not ipa server.
>
>
> I'm sorry, I thought we were talking about the server here. That's a recent
> OpenVZ kernel so there shouldn't be any issues there. 2GB of RAM is more
> than enough for the client.
> I'm going to set up a container with CentOS 6.2
> and see if I can replicate what you are talking about. I'll report back.

I just installed and successfully started dbus on a CentOS 6.2 container. I would ask your provider why you can't run dbus on the container (that bug was fixed over 2 years ago), and perhaps try another image.

Of course, you can always forgo certmonger and manually integrate your system into an IPA realm. You would lose the certificate auto-renew, but everything else should work great.

Steve

From rmeggins at redhat.com Wed Apr 18 18:24:36 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 18 Apr 2012 12:24:36 -0600
Subject: [Freeipa-users] General status of my FreeIPA servers - is there a method for cleaning them?
References: <98591d10-182e-4e34-bc0a-ad60684017bc@zmail16.collab.prod.int.phx2.redhat.com> <4F8DC53D.1000805@redhat.com>
Message-ID: <4F8F06E4.2020202@redhat.com>

On 04/18/2012 07:22 AM, Dan Scott wrote:
> On Tue, Apr 17, 2012 at 15:32, Rich Megginson wrote:
>> On 04/17/2012 09:59 AM, Dan Scott wrote:
>>> On Tue, Apr 17, 2012 at 10:29, Richard Megginson
>>> wrote:
>>>> ----- Original Message -----
>>>>> On Tue, Apr 17, 2012 at 09:26, Rich Megginson
>>>>> wrote:
>>>>>> On 04/17/2012 07:26 AM, Dan Scott wrote:
>>>>>>> On Fri, Apr 13, 2012 at 17:44, Rich Megginson
>>>>>>> wrote:
>>>>>>>> On 04/13/2012 03:40 PM, Dan Scott wrote:
>>>>>>>>> I cleaned up all the "ruv_compare_ruv: RUV [changelog max RUV] does
>>>>>>>>> not contain element" errors in the logs for each of fileservers 1, 2
>>>>>>>>> and 3. The ldapsearch for
>>>>>>>>>
>>>>>>>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>>>>>>>> is still showing entries though. Is that OK?
>>>>>>>>
>>>>>>>> The entry should exist, but the deleted servers should not be present in the
>>>>>>>> nsds50ruv attribute.
>>>>>>>
>>>>>>> OK, so it's safe to delete replica entries which have
>>>>>>> ldap://fileserver4.ecg.mit.edu:389 (fileserver4 is not currently a
>>>>>>> replica) but not for the other servers?
>>>>>>
>>>>>> Yes. Following the CLEANRUV procedure:
>>>>>> http://port389.org/wiki/Howto:CLEANRUV
>>>>>
>>>>> Thanks. I think I'm getting there - removed the tombstones from the
>>>>> main directory and the PKI-IPA directory (only one server so far
>>>>> though). I still have a few strange entries though:
>>>>>
>>>>> [root at fileserver1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b
>>>>> dc=ecg,dc=mit,dc=edu
>>>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>>>> Enter LDAP Password:
>>>>> dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=ecg,dc=mit,dc=edu
>>>>> objectClass: top
>>>>> objectClass: nsTombstone
>>>>> objectClass: extensibleobject
>>>>> nsds50ruv: {replicageneration} 4e7b746e000000040000
>>>>> nsds50ruv: {replica 6 ldap://fileserver1.ecg.mit.edu:389} 4f50e685001d00060000 4f8d7874000200060000
>>>>> nsds50ruv: {replica 43 ldap://fileserver2.ecg.mit.edu:389} 4f88cf450001002b0000 4f8d78140000002b0000
>>>>> nsds50ruv: {replica 5 ldap://fileserver3.ecg.mit.edu:389} 4f5047ad001d00050000 4f8d77c3000000050000
>>>>> nsds50ruv: {replica 4 ldap://fileserver3.ecg.mit.edu:389}
>>>>> nsds50ruv: {replica 9 ldap://fileserver3.ecg.mit.edu:389}
>>>>> nsds50ruv: {replica 8 ldap://fileserver3.ecg.mit.edu:389} 4f7363d2001d00080000 4f736402000700080000
>>>>> dc: ecg
>>>>> nsruvReplicaLastModified: {replica 6 ldap://fileserver1.ecg.mit.edu:389} 4f8d7806
>>>>> nsruvReplicaLastModified: {replica 43 ldap://fileserver2.ecg.mit.edu:389} 4f8d77a6
>>>>> nsruvReplicaLastModified: {replica 5 ldap://fileserver3.ecg.mit.edu:389} 4f8d7756
>>>>> nsruvReplicaLastModified: {replica 4 ldap://fileserver3.ecg.mit.edu:389} 00000000
>>>>> nsruvReplicaLastModified: {replica 9 ldap://fileserver3.ecg.mit.edu:389} 00000000
>>>>> nsruvReplicaLastModified: {replica 8 ldap://fileserver3.ecg.mit.edu:389} 00000000
>>>>>
>>>>> Is it safe to run CLEANRUV on IDs 4 and 9? That still leaves me with 2
>>>>> entries for fileserver3. How do I know which one to delete?
>>>> Whichever one is the one currently in use.
>>>>
>>>> ldapsearch -xLLL -h fileserver3 -D "cn=directory manager" -W -b cn=config cn=replica
>>>>
>>>> What is the replica ID? That is the one that is currently in use. You
>>>> should be able to safely delete the others.
>>> Excellent, thanks.
>>>
>>> Nearly there now.
>>>
>>> I think my only remaining problems are:
>>>
>>> 1. The fileserver5.ecg.mit.edu entry (dn:
>>> cn=fileserver5.ecg.mit.edu,cn=masters,cn=ipa,cn=etc,dc=ecg,dc=mit,dc=edu)
>>> which I cannot delete due to: [LDAP: error code 66 - Not Allowed On
>>> Non-leaf]
>>
>> It won't let you delete the tombstones? Or it is not showing any
>> tombstones?
>> If this is due to "orphan" tombstone entries, the only resolution will be to
>> db2ldif, then ldif2db.
> It's not showing any tombstones. Is there any documentation for
> "db2ldif, then ldif2db"? I guess it's the scripts in
> /var/lib/dirsrv/scripts-ECG-MIT-EDU/. But I'm not sure if there are
> any options I should be using?
>
>>> 2. One inconsistency in my replication agreements:
>>> ipa-csreplica-manage -v list fileserver1.ecg.mit.edu shows only
>>> fileserver2.
>>> ipa-csreplica-manage -v list fileserver3.ecg.mit.edu shows both
>>> fileservers 1 and 2.
>>>
>>> So, fileserver3 thinks that it's replicating fine with fileserver1,
>>> but fileserver1 is not replicating with fileserver3.
>>>
>>> Any ideas?
>>
>> Not sure.
>> You can look at the replication agreements directly using
>> ldapsearch:
>>
>> ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
>> objectclass=nsds5replicationagreement
> The agreements agree with the output of ipa-replica-manage list, i.e.
> there's an entry on fileserver3 pointing to fileserver1:
> dn: cn=masterAgreement1-fileserver1.ecg.mit.edu-pki-ca,cn=replica,cn=o\3Dipaca,cn=mapping
> tree,cn=config
>
> but no equivalent entry on fileserver1. Is there an easy way to fix this?

Add it using the ipa-csreplica-manage or ipa-replica-manage tool?

>
> I think I have also found yet another problem. On fileserver2, the output of:
> ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> objectclass=nsds5replicationagreement
>
> shows lots of entries for missing replicas:
>
> nsruvReplicaLastModified: {replica 5 ldap://fileserver3.ecg.mit.edu:389} 00000000
> nsruvReplicaLastModified: {replica 4 ldap://fileserver3.ecg.mit.edu:389} 00000000
> nsruvReplicaLastModified: {replica 9 ldap://fileserver3.ecg.mit.edu:389} 00000000

Do you see deleted replicas in the nsds50ruv attribute, or only the nsruvReplicaLastModified attribute?

>
> But these entries do not show up in the output of:
> ldapsearch -xLLL -D "cn=directory manager" -W -s sub -b cn=config
> objectclass=nsds5replica
>
> Do I need to run the cleanruv task for the above replica IDs?

Only if you see them in the nsds50ruv attribute.

>
> Thanks,
>
> Dan

From j.petersson at gmail.com Thu Apr 19 20:58:50 2012
From: j.petersson at gmail.com (johan petersson)
Date: Thu, 19 Apr 2012 22:58:50 +0200
Subject: [Freeipa-users] Solaris 11 client

Hi,

I need to add several Solaris 11 servers as clients to a Freeipa server and wonder if there is anyone who has done so successfully?
The guide in freeipa documentation mentions Solaris 9 and 10 but nothing on Solaris 11.
I have tried with the guide for Solaris 11 but do not get it to work except for the kerberos configuration.
id testuser or su - testuser do not work but kinit testuser does.

Thanks,
Johan.

From lagern at lafayette.edu Fri Apr 20 13:41:39 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Fri, 20 Apr 2012 09:41:39 -0400
Subject: [Freeipa-users] IPA, kerberos ticket issue for web admin.
Message-ID: <4F916793.9090003@lafayette.edu>

I've got an ipa server setup on RHEL6. I have a Fedora 16 client, which I joined to the IPA domain using the ipa-client-install utility.

When I attempt to authenticate to my ipa server's web admin portal, I get a generic error:
Your kerberos ticket is no longer valid.
And it goes on to tell me to configure my browser if this is my first time accessing. I've done so, and the error remains. It also tells me to re-run kinit if I haven't done so already, which I've also done.

Kinit returns no errors. I've tried authing as my user (which is in the admin group) and as the admin user. Both give me the same result.

While googling for the error, I found some helpful information about enabling debug logging both on the ipa server, and my browser (firefox). Doing so, I found the following errors:

On the server:
[Thu Apr 19 16:56:02 2012] [debug] src/mod_auth_kerb.c(1578): [client xx.xx.xx.xx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://(my.ipa.server)/ipa/ui/

And from my browser:
-1713670336[7fd299b24590]: nsHttpNegotiateAuth::ChallengeReceived URI blocked

These have shed little to no light on the situation, other than, it sounds like something is getting blocked.

I was able to join this same client to a different IPA domain (a non production version of this same domain), which worked properly. I used the ipa-client-install --uninstall command to clean up ipa before re-joining this system to the production ipa domain. I also rebooted for good measure.
One major difference between the two domains is that the IPA server for dev lives on a much more open network. Our development network, and the production ipa domain lives on a production auth network, which is much more locked down. I believe I have all of the proper ports open.

nmap scans give me the following for tcp and udp.

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl

123/udp open  ntp

Any direction here would be most useful. Thanks!

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)

From bcook at redhat.com Fri Apr 20 14:46:08 2012
From: bcook at redhat.com (Brian Cook)
Date: Fri, 20 Apr 2012 07:46:08 -0700
Subject: [Freeipa-users] Disaster Recovery Best Practices?
In-Reply-To: <4F8C75A1.3080403@redhat.com>
References: <4F8C75A1.3080403@redhat.com>

On Apr 16, 2012, at 12:40 PM, Dmitri Pal wrote:
>> 2) What is everyone else doing to prepare IPA for a DR? I've read
>> that the best way to do it is to turn off the IPA services on a
>> replica and then back that replica up. I also read that this will
>> miss some important files that only exist on the master.
>
> That is the case when you use selfsigned cert but the preferred and
> default configuration is not with the self-signed certs. It was in the
> past but not any more. Currently when you install IPA and then replicas
> there is no difference between master and replicas (if you installed CA
> on the replica) so picking any one and recycling is possible. You won't
> lose anything.

Can 389DS produce a full 'backup' in an LDIF of schema / objects while running?
-Brian

From rcritten at redhat.com Fri Apr 20 15:41:21 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Apr 2012 11:41:21 -0400
Subject: [Freeipa-users] IPA, kerberos ticket issue for web admin.
In-Reply-To: <4F916793.9090003@lafayette.edu>
References: <4F916793.9090003@lafayette.edu>
Message-ID: <4F9183A1.2090502@redhat.com>

Nathan Lager wrote:
> I've got an ipa server setup on RHEL6. I have a Fedora 16 client,
> which I joined to the IPA domain using the ipa-client-install utility.
>
> When I attempt to authenticate to my ipa server's web admin portal, I
> get a generic error:
> Your kerberos ticket is no longer valid.
> And it goes on to tell me to configure my browser if this is my first
> time accessing. I've done so, and the error remains. It also tells
> me to re-run kinit if I haven't done so already, which I've also done.
>
> Kinit returns no errors. I've tried authing as my user (which is in
> the admin group) and as the admin user. Both give me the same result.
>
> While googling for the error, I found some helpful information about
> enabling debug logging both on the ipa server, and my browser
> (firefox). Doing so, I found the following errors:
>
> On the server:
> [Thu Apr 19 16:56:02 2012] [debug] src/mod_auth_kerb.c(1578): [client
> xx.xx.xx.xx] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos, referer: https://(my.ipa.server)/ipa/ui/
>
> And from my browser:
> -1713670336[7fd299b24590]: nsHttpNegotiateAuth::ChallengeReceived URI
> blocked
>
> These have shed little to no light on the situation, other than, it
> sounds like something is getting blocked.
>
>
> I was able to join this same client to a different IPA domain (a non
> production version of this same domain), which worked properly.
> I used the ipa-client-install --uninstall command to clean up ipa before
> re-joining this system to the production ipa domain. I also rebooted
> for good measure.
>
> One major difference between the two domains is that the IPA server
> for dev lives on a much more open network. Our development network,
> and the production ipa domain lives on a production auth network,
> which is much more locked down. I believe I have all of the proper
> ports open.
>
> nmap scans give me the following for tcp and udp.
>
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 80/tcp  open  http
> 88/tcp  open  kerberos-sec
> 389/tcp open  ldap
> 443/tcp open  https
> 464/tcp open  kpasswd5
> 636/tcp open  ldapssl
>
> 123/udp open  ntp
>
>
> Any direction here would be most useful. Thanks!

Are you going through a proxy? They often times mess up Negotiate headers. I've never seen a URI blocked error in the browser.

The (NULL) user is expected. The first request comes in with no authentication from the browser and this is the server asking "who are you?" The next request should include the authentication header.

rob

From rmeggins at redhat.com Fri Apr 20 15:47:48 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 20 Apr 2012 09:47:48 -0600
Subject: [Freeipa-users] Disaster Recovery Best Practices?
References: <4F8C75A1.3080403@redhat.com>
Message-ID: <4F918524.3050300@redhat.com>

On 04/20/2012 08:46 AM, Brian Cook wrote:
>
> On Apr 16, 2012, at 12:40 PM, Dmitri Pal wrote:
>
>>> 2) What is everyone else doing to prepare IPA for a DR? I've read
>>> that the best way to do it is to turn off the IPA services on a
>>> replica and then back that replica up. I also read that this will
>>> miss some important files that only exist on the master.
>>
>> That is the case when you use selfsigned cert but the preferred and
>> default configuration is not with the self-signed certs. It was in the
>> past but not any more.
>> Currently when you install IPA and then replicas
>> there is no difference between master and replicas (if you installed CA
>> on the replica) so picking any one and recycling is possible. You won't
>> lose anything.
>
> Can 389DS produce a full 'backup' in an LDIF of schema / objects while
> running?

While running - yes

Here is a document that describes 389 database management:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases.html

Schema files can just be copied/tarred from /etc/dirsrv/slapd-*/schema

The real question is - how does this work with IPA?

>
> -Brian
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Fri Apr 20 15:53:25 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Apr 2012 11:53:25 -0400
Subject: [Freeipa-users] Solaris 11 client
Message-ID: <4F918675.6000506@redhat.com>

johan petersson wrote:
> Hi,
>
> I need to add several Solaris 11 servers as clients to a Freeipa server
> and wonder if there is anyone who has done so successfully?
> The guide in freeipa documentation mentions Solaris 9 and 10 but nothing
> on Solaris 11.
> I have tried with the guide for Solaris 11 but do not get it to work
> except for the kerberos configuration.
>
> id testuser or su - testuser do not work but kinit testuser does.

What did you use to configure the Solaris 11 client, ldapinit?

Can you see any connections in the IPA LDAP server from this client? (on server in /var/log/dirsrv/slapd-YOUR-REALM/access, note this is buffered so it may take 30s to be seen).
rob

From danieljamesscott at gmail.com Fri Apr 20 16:15:17 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 20 Apr 2012 12:15:17 -0400
Subject: [Freeipa-users] Problem installing replica CA

Hi,

My FreeIPA servers were in a real mess recently and I think I've finally got them into a reasonable state by cleaning up the tombstone entries and fixing some broken replication agreements.

I'm trying to set up a new replica and receive the following error:

Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/12]: creating certificate server user
  [2/12]: creating pki-ca instance
  [3/12]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin' '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name' 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU' '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' '-clone_p12_password' XXXXXXXX '-sd_hostname' 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443'
'-sd_admin_name' 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

The /var/log/pki-ca/debug file contains:

[20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to import user certificate.org.mozilla.jss.crypto.TokenException: PK11_ImportDERCertForKey Unable to import certificate to its token: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
[20/Apr/2012:12:07:36][http-9445-1]: Updating local request... certTag=sslserver
[20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
[20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
[20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
[20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
[20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
[20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
[20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
[20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12
[20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13
[20/Apr/2012:12:07:36][http-9445-1]: panel no=13
[20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys
[20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19
[20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type org.apache.catalina.connector.ResponseFacade
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type java.lang.Boolean
[20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type org.apache.catalina.connector.RequestFacade

So it looks like there's some
certificate confusion going on.

Can someone help? Is there anything particularly sensitive in the /var/log/ipareplica-install.log or /var/log/pki-ca/debug files, such that I shouldn't send them to the list?

Thanks,

Dan

From lagern at lafayette.edu Fri Apr 20 17:56:49 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Fri, 20 Apr 2012 13:56:49 -0400
Subject: [Freeipa-users] IPA, kerberos ticket issue for web admin.
In-Reply-To: <4F9183A1.2090502@redhat.com>
References: <4F916793.9090003@lafayette.edu> <4F9183A1.2090502@redhat.com>
Message-ID: <4F91A361.6090208@lafayette.edu>

No, no proxy in place. Because this gui will be used primarily by people like me (high privileged admin users), and flat-out blocked to everyone else, a proxy seemed like overkill.

On 04/20/2012 11:41 AM, Rob Crittenden wrote:
>
> Are you going through a proxy? They often times mess up Negotiate
> headers. I've never seen a URI blocked error in the browser.
>
> The (NULL) user is expected. The first request comes in with no
> authentication from the browser and this is the server asking "who
> are you?" The next request should include the authentication
> header.
>
> rob

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)

From rcritten at redhat.com Fri Apr 20 18:26:40 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Apr 2012 14:26:40 -0400
Subject: [Freeipa-users] IPA, kerberos ticket issue for web admin.
In-Reply-To: <4F91A361.6090208@lafayette.edu>
References: <4F916793.9090003@lafayette.edu> <4F9183A1.2090502@redhat.com> <4F91A361.6090208@lafayette.edu>
Message-ID: <4F91AA60.8080007@redhat.com>

Nathan Lager wrote:
> No, no proxy in place. Because this gui will be used primarily by
> people like me (high privileged admin users), and flat-out blocked to
> everyone else, a proxy seemed like overkill.

Have you configured the browser for Kerberos? http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html

That error seems to indicate that the domain isn't defined in network.negotiate-auth.trusted-uris

regards

rob

From dpal at redhat.com Fri Apr 20 19:23:52 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 20 Apr 2012 15:23:52 -0400
Subject: [Freeipa-users] Disaster Recovery Best Practices?
In-Reply-To: <4F918524.3050300@redhat.com>
References: <4F8C75A1.3080403@redhat.com> <4F918524.3050300@redhat.com>
Message-ID: <4F91B7C8.8040309@redhat.com>

On 04/20/2012 11:47 AM, Rich Megginson wrote:
> On 04/20/2012 08:46 AM, Brian Cook wrote:
>>
>> On Apr 16, 2012, at 12:40 PM, Dmitri Pal wrote:
>>
>>>> 2) What is everyone else doing to prepare IPA for a DR? I've read
>>>> that the best way to do it is to turn off the IPA services on a
>>>> replica and then back that replica up. I also read that this will
>>>> miss some important files that only exist on the master.
>>>
>>> That is the case when you use selfsigned cert but the preferred and
>>> default configuration is not with the self-signed certs. It was in the
>>> past but not any more. Currently when you install IPA and then replicas
>>> there is no difference between master and replicas (if you installed CA
>>> on the replica) so picking any one and recycling is possible. You won't
>>> lose anything.
>>
>> Can 389DS produce a full 'backup' in an LDIF of schema / objects
>> while running?
>
> While running - yes
>
> Here is a document that describes 389 database management:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases.html
>
> Schema files can just be copied/tarred from /etc/dirsrv/slapd-*/schema
>
> The real question is - how does this work with IPA?
>

The problem is that there are config files, certificates in the NSS database that also need to be backed up to be able to restore the system. It is easier to just stand up a new replica instead of the lost one than to collect data and then try to restore.

>>
>> -Brian

--
Thank you,
Dmitri Pal

Sr. Engineering Manager
IPA project, Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Fri Apr 20 19:26:37 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 20 Apr 2012 15:26:37 -0400
Subject: [Freeipa-users] Problem installing replica CA
Message-ID: <4F91B86D.3050406@redhat.com>

On 04/20/2012 12:15 PM, Dan Scott wrote:
> Hi,
>
> My FreeIPA servers were in a real mess recently and I think I've
> finally got them into a reasonable state by cleaning up the tombstone
> entries and fixing some broken replication agreements.
>
> I'm trying to set up a new replica and receive the following error:
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>   [1/12]: creating certificate server user
>   [2/12]: creating pki-ca instance
>   [3/12]: configuring certificate server instance
> root        : CRITICAL failed to configure ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir'
> '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
> '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin'
> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
> '-agent_key_type' 'rsa' '-agent_cert_subject'
> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu'
> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP
> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name'
> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU'
> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU'
> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU'
> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
> '-clone_p12_password' XXXXXXXX '-sd_hostname'
> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name'
> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero
> exit status 255
> creation of replica failed: Configuration of CA failed
>
> The /var/log/pki-ca/debug file contains:
>
> [20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to
> import user
certificate.org.mozilla.jss.crypto.TokenException: > PK11_ImportDERCertForKey Unable to import certificate to its token: > (-8054) You are attempting to import a cert with the same > issuer/serial as an existing cert, but that is not the same cert. > [20/Apr/2012:12:07:36][http-9445-1]: Updating local request... certTag=sslserver > [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() > [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true > [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true > [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 > [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 > [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() > [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true > [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true > [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 > [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 > [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12 > [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13 > [20/Apr/2012:12:07:36][http-9445-1]: panel no=13 > [20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys > [20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19 > [20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml > [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type > org.apache.catalina.connector.ResponseFacade > [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type java.lang.Boolean > [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type > org.apache.catalina.connector.RequestFacade > > So it looks like there's some certificate confusion going on. > > Can someone help? Is there anything particularly sensitive in the > /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I > shouldn't send them to the list? > Are you installing it on a new machine? 
What version of the OS and tomcat is there?
There have been some glitches in the tomcat package in the past.

> Thanks,
>
> Dan
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From danieljamesscott at gmail.com  Fri Apr 20 19:35:28 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Fri, 20 Apr 2012 15:35:28 -0400
Subject: [Freeipa-users] Problem installing replica CA
In-Reply-To: <4F91B86D.3050406@redhat.com>
References: <4F91B86D.3050406@redhat.com>
Message-ID:

On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote:
> On 04/20/2012 12:15 PM, Dan Scott wrote:
>> Hi,
>>
>> My FreeIPA servers were in a real mess recently and I think I've
>> finally got them into a reasonable state by cleaning up the tombstone
>> entries and fixing some broken replication agreements.
>>
>> I'm trying to set up a new replica and receive the following error:
>>
>> Configuring certificate server: Estimated time 3 minutes 30 seconds
>>   [1/12]: creating certificate server user
>>   [2/12]: creating pki-ca instance
>>   [3/12]: configuring certificate server instance
>> root        : CRITICAL failed to configure ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir'
>> '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
>> '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin'
>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
>> '-agent_key_type' 'rsa' '-agent_cert_subject'
>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu'
>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
>> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP
>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name'
>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU'
>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU'
>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU'
>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
>> '-clone_p12_password' XXXXXXXX '-sd_hostname'
>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name'
>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero
>> exit status 255
>> creation of replica failed: Configuration of CA failed
>>
>> The /var/log/pki-ca/debug file contains:
>>
>> [20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to
>> import user certificate.org.mozilla.jss.crypto.TokenException:
>> PK11_ImportDERCertForKey Unable to import certificate to its token:
>> (-8054) You are attempting to import a cert with the same
>> issuer/serial as an existing cert, but that is not the same cert.
>> [20/Apr/2012:12:07:36][http-9445-1]: Updating local request... certTag=sslserver
>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12
>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13
>> [20/Apr/2012:12:07:36][http-9445-1]: panel no=13
>> [20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys
>> [20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19
>> [20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml
>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
>> org.apache.catalina.connector.ResponseFacade
>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type java.lang.Boolean
>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
>> org.apache.catalina.connector.RequestFacade
>>
>> So it looks like there's some certificate confusion going on.
>>
>> Can someone help? Is there anything particularly sensitive in the
>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that
>> means I shouldn't send them to the list?
>>
>
> Are you installing it on a new machine?
> What version of the OS and tomcat is there?
> There have been some glitches in the tomcat package in the past.

It's quite new - a VM which I installed 10 days ago. I tried to install a replica on it before I cleaned my other IPA servers.
It's Scientific Linux 6.2.

tomcat6-6.0.24-36.el6_2

Thanks,

Dan

From bcook at redhat.com  Fri Apr 20 23:28:58 2012
From: bcook at redhat.com (Brian Cook)
Date: Fri, 20 Apr 2012 16:28:58 -0700
Subject: [Freeipa-users] Disaster Recovery Best Practices?
In-Reply-To: <4F91B7C8.8040309@redhat.com>
References: <4F8C75A1.3080403@redhat.com> <4F918524.3050300@redhat.com> <4F91B7C8.8040309@redhat.com>
Message-ID: <6086D02E-693C-4509-82B8-49D98854031F@redhat.com>

My question was more along the lines of object level recovery. If you can keep regular backups of the objects (as LDIF) then you can restore a piece of that LDIF if someone accidentally deletes a large group or something along those lines.

-Brian

On Apr 20, 2012, at 12:23 PM, Dmitri Pal wrote:

> On 04/20/2012 11:47 AM, Rich Megginson wrote:
>>
>> On 04/20/2012 08:46 AM, Brian Cook wrote:
>>>
>>>
>>> On Apr 16, 2012, at 12:40 PM, Dmitri Pal wrote:
>>>
>>>>> 2) What is everyone else doing to prepare IPA for a DR? I've read
>>>>> that the best way to do it is to turn off the IPA services on a
>>>>> replica and then back that replica up. I also read that this will
>>>>> miss some important files that only exist on the master.
>>>>
>>>> That is the case when you use selfsigned cert but the preferred and
>>>> default configuration is not with the self-signed certs. It was in the
>>>> past but not any more. Currently when you install IPA and then replicas
>>>> there is no difference between master and replicas (if you installed CA
>>>> on the replica) so picking any one and recycling is possible. You won't
>>>> lose anything.
>>>
>>> Can 389DS produce a full 'backup' in an LDIF of schema / objects while running?
>>
>> While running - yes
>>
>> Here is a document that describes 389 database management:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases.html
>>
>> Schema files can just be copied/tarred from /etc/dirsrv/slapd-*/schema
>>
>> The real question is - how does this work with IPA?
>>
> The problem is that there are config files, certificates in the NSS database that also need to be backed up to be able to restore the system.
> It is easier to just stand up a new replica instead of the lost one than to collect data and then try to restore.
>
>
>>>
>>> -Brian
>>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From rmeggins at redhat.com  Sat Apr 21 01:15:14 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 20 Apr 2012 19:15:14 -0600
Subject: [Freeipa-users] Disaster Recovery Best Practices?
In-Reply-To: <6086D02E-693C-4509-82B8-49D98854031F@redhat.com>
References: <4F8C75A1.3080403@redhat.com> <4F918524.3050300@redhat.com> <4F91B7C8.8040309@redhat.com> <6086D02E-693C-4509-82B8-49D98854031F@redhat.com>
Message-ID: <4F920A22.8090302@redhat.com>

On 04/20/2012 05:28 PM, Brian Cook wrote:
> My question was more along the lines of object level recovery. If you
> can keep regular backups of the objects (as LDIF) then you can restore
> a piece of that LDIF if someone accidentally deletes a large group or
> something along those lines.

The 389 db2ldif.pl can take LDIF snapshots while the server is running.
>
> -Brian
>
>
> On Apr 20, 2012, at 12:23 PM, Dmitri Pal wrote:
>
>> On 04/20/2012 11:47 AM, Rich Megginson wrote:
>>> On 04/20/2012 08:46 AM, Brian Cook wrote:
>>>>
>>>> On Apr 16, 2012, at 12:40 PM, Dmitri Pal wrote:
>>>>
>>>>>> 2) What is everyone else doing to prepare IPA for a DR? I've read
>>>>>> that the best way to do it is to turn off the IPA services on a
>>>>>> replica and then back that replica up. I also read that this will
>>>>>> miss some important files that only exist on the master.
>>>>>
>>>>> That is the case when you use selfsigned cert but the preferred and
>>>>> default configuration is not with the self-signed certs. It was in the
>>>>> past but not any more. Currently when you install IPA and then replicas
>>>>> there is no difference between master and replicas (if you installed CA
>>>>> on the replica) so picking any one and recycling is possible. You won't
>>>>> lose anything.
>>>>
>>>> Can 389DS produce a full 'backup' in an LDIF of schema / objects
>>>> while running?
>>>
>>> While running - yes
>>>
>>> Here is a document that describes 389 database management:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases.html
>>>
>>> Schema files can just be copied/tarred from /etc/dirsrv/slapd-*/schema
>>>
>>> The real question is - how does this work with IPA?
>>>
>> The problem is that there are config files, certificates in the NSS
>> database that also need to be backed up to be able to restore the system.
>> It is easier to just stand up a new replica instead of the lost one
>> than to collect data and then try to restore.
>>
>>
>>>>
>>>> -Brian
>>>>
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>

From sigbjorn at nixtra.com  Sun Apr 22 19:50:49 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 22 Apr 2012 21:50:49 +0200
Subject: [Freeipa-users] 389-ds memory usage
Message-ID: <4F946119.1020603@nixtra.com>

Hi,

I have different ipa domains, installed on Red Hat 6.2 or CentOS 6.2 servers, with all 389-ds updates applied. After some time all the memory in the server is consumed, mostly by the ns-slapd process.

I've looked at the RH Directory Server tuning manual at docs.redhat.com and looked through the various tuning options. I found the "nsslapd-cachememsize" and "nsslapd-dbcachesize" options to be set to around 10MB by default. The id2entry.db4 file for the database in the test IPA domain comes in at 6.7MB.

If I restart the directory server the memory is released. And then slowly consumed again over time.

Running benchmarks with ldclt reveals much better numbers for the directory servers that have recently been rebooted and do not yet consume all the memory in the machine.

Am I missing some configuration?

Is this normal behaviour for 389-ds to consume all physical memory AND all swap memory? It certainly seems to have a performance impact for the ldap server.
top - 21:31:51 up 52 days, 22:03,  2 users,  load average: 0.33, 0.15, 0.07
Tasks: 136 total,   1 running, 135 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.7%sy,  0.0%ni, 92.7%id,  6.3%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2055084k total,  1981892k used,    73192k free,      996k buffers
Swap:  1048568k total,  1048568k used,        0k free,    17172k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1347 dirsrv    20   0 3301m 1.4g 2736 S  0.3 70.0 340:27.17 ns-slapd

Regards,
Siggi

From sigbjorn at nixtra.com  Sun Apr 22 22:17:05 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 23 Apr 2012 00:17:05 +0200
Subject: [Freeipa-users] Solaris 11 client
In-Reply-To: <4F918675.6000506@redhat.com>
References: <4F918675.6000506@redhat.com>
Message-ID: <4F948361.8070303@nixtra.com>

On 04/20/2012 05:53 PM, Rob Crittenden wrote:
> johan petersson wrote:
>> Hi,
>>
>> I need to add several Solaris 11 servers as clients to a Freeipa server
>> and wonder if there is anyone who has done so successfully?
>> The guide in freeipa documentation mentions Solaris 9 and 10 but nothing
>> on Solaris 11.
>> I have tried with the guide for Solaris 11 but do not get it to work
>> except for the kerberos configuration.
>>
>> id testuser or su - testuser do not work but kinit testuser does.
>
> What did you use to configure the Solaris 11 client, ldapinit?
>
> Can you see any connections in the IPA LDAP server from this client?
> (on server in /var/log/dirsrv/slapd-YOUR-REALM/access, note this is
> buffered so it may take 30s to be seen).
>

I've tested with Solaris 11, using the same setup I used for Solaris 10, with almost success.

Before starting, edit /etc/nsswitch.ldap and replace "ldap" with "dns" in the hosts and ipnodes databases. Also remove "ldap" from the networks, protocols, rpc, netmasks, bootparams, publickey, services databases.
Perform steps 1-5 in the docs:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

Please note that there is a default DUAProfile with IPA that allows you to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I don't understand why the documentation says to do a manual configuration of ldapclient. The example provided also does a lot of unnecessary attribute mapping.

I'm also using cn=groups,cn=compat for Solaris, and NOT cn=groups,cn=accounts like the documentation states.

Step 6 in the documentation does not work and apparently is not supported. All keytabs must be retrieved using the ipa-getkeytab command.

Go to an IPA server and retrieve a keytab with the ipa-getkeytab command:
$ ipa-getkeytab -s ipa01 -p host/solaris11.ix.test.com -k /tmp/solaris11.keytab

Copy the solaris11.keytab file from the IPA server to /etc/krb5/krb5.conf on the Solaris machine.

Login now works for me using SSH. The automounter works, looking up aliases for sendmail works, looking up netgroups works. Additional "serviceSearchDescriptor" entries must be added for the automounter, aliases, and sendmail aliases to work. Please see the attached profile.ldif file for details of the DUA config profile I'm using with Solaris clients using SSL.

SSL connection for the client also works, but you need to convert the certificate into PEM format and create a cert database using certutil that's placed in the /var/ldap directory. I'm using SSL connections on both Solaris 10 and 11 with success.

However I cannot log on to the console.
Enabling debugging on pam tells me:

Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed

There was an issue on Solaris 10 with incorrect configuration to allow aes256 support; only aes128 and downwards were enabled by default. This does not seem to be the case for Solaris 11.

Does anyone else get the same decrypt failed issue?

Regards,
Siggi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: profile.ldif
Type: text/x-ldif
Size: 1196 bytes
Desc: not available

From rcritten at redhat.com  Sun Apr 22 23:31:48 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 22 Apr 2012 19:31:48 -0400
Subject: [Freeipa-users] Solaris 11 client
In-Reply-To: <4F948361.8070303@nixtra.com>
References: <4F918675.6000506@redhat.com> <4F948361.8070303@nixtra.com>
Message-ID: <4F9494E4.3050207@redhat.com>

Sigbjorn Lie wrote:
> On 04/20/2012 05:53 PM, Rob Crittenden wrote:
>> johan petersson wrote:
>>> Hi,
>>>
>>> I need to add several Solaris 11 servers as clients to a Freeipa server
>>> and wonder if there is anyone who has done so successfully?
>>> The guide in freeipa documentation mentions Solaris 9 and 10 but nothing
>>> on Solaris 11.
>>> I have tried with the guide for Solaris 11 but do not get it to work
>>> except for the kerberos configuration.
>>>
>>> id testuser or su - testuser do not work but kinit testuser does.
>>
>> What did you use to configure the Solaris 11 client, ldapinit?
>>
>> Can you see any connections in the IPA LDAP server from this client?
>> (on server in /var/log/dirsrv/slapd-YOUR-REALM/access, note this is
>> buffered so it may take 30s to be seen).
>>
>
> I've tested with Solaris 11, using the same setup I used for Solaris 10,
> with almost success.
>
> Before starting, edit /etc/nsswitch.ldap and replace "ldap" with "dns"
> in the hosts and ipnodes databases. Also remove "ldap" from the
> networks, protocols, rpc, netmasks, bootparams, publickey, services
> databases.
>
> Perform steps 1-5 in the docs:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>
> Please note that there is a default DUAProfile with IPA that allows you
> to skip the manual configuration of ldapclient, and just do "ldapclient
> init ipa-server-fqdn". I don't understand why the documentation says to
> do a manual configuration of ldapclient. The example provided also does
> a lot of unnecessary attribute mapping.

The documentation includes a manual configuration so one can do it if desired.

> I'm also using cn=groups,cn=compat for Solaris, and NOT
> cn=groups,cn=accounts like the documentation states.
>
> Step 6 in the documentation does not work and apparently is not
> supported. All keytabs must be retrieved using the ipa-getkeytab command.
>
> Go to an IPA server and retrieve a keytab with the ipa-getkeytab command:
> $ ipa-getkeytab -s ipa01 -p host/solaris11.ix.test.com -k
> /tmp/solaris11.keytab
>
> Copy the solaris11.keytab file from the IPA server to
> /etc/krb5/krb5.conf on the Solaris machine.

Yes, we noticed this as well. This will be fixed when the updated 2.2 documentation gets released.

>
> Login now works for me using SSH. The automounter works, looking up
> aliases for sendmail works, looking up netgroups works. Additional
> "serviceSearchDescriptor" entries must be added for the
> automounter, aliases, and sendmail aliases to work. Please see the
> attached profile.ldif file for details of the DUA config profile I'm
> using with Solaris clients using SSL.
>
> SSL connection for the client also works, but you need to convert the
> certificate into PEM format and create a cert database using certutil
> that's placed in the /var/ldap directory. I'm using SSL connections on
> both Solaris 10 and 11 with success.
>
>
>
> However I cannot log on to the console. Enabling debugging on pam tells me:
>
> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
> integrity check failed
>
> There was an issue on Solaris 10 with incorrect configuration to allow
> aes256 support; only aes128 and downwards were enabled by default. This
> does not seem to be the case for Solaris 11.
>
> Does anyone else get the same decrypt failed issue?

I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.

rob

From sigbjorn at nixtra.com  Mon Apr 23 08:44:36 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 23 Apr 2012 10:44:36 +0200 (CEST)
Subject: [Freeipa-users] Solaris 11 client
In-Reply-To: <4F9494E4.3050207@redhat.com>
References: <4F918675.6000506@redhat.com> <4F948361.8070303@nixtra.com> <4F9494E4.3050207@redhat.com>
Message-ID: <25868.213.225.75.97.1335170676.squirrel@www.nixtra.com>

>> Perform steps 1-5 in the docs:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>
>> Please note that there is a default DUAProfile with IPA that allows you
>> to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I
>> don't understand why the documentation says to do a manual configuration of ldapclient. The
>> example provided also does a lot of unnecessary attribute mapping.
>
> The documentation includes a manual configuration so one can do it if
> desired.
>

The documentation includes only the manual configuration.
Using a DUAProfile is easier both for installing and for maintaining the Solaris clients, as they will re-read configuration from the DUA profile periodically. Manual configuration should be avoided if possible.

Do you want me to open a DOC BUG to have this changed?

AND include a more functional DUAProfile by default, configuring the clients for ethers and automount support as well.

Do you want me to open a ticket for this? The profile I sent in the previous email can be used as a template.

>> However I cannot log on to the console. Enabling debugging on pam tells me:
>>
>>
>> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
>> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
>> integrity check failed
>>
>> There was an issue on Solaris 10 with incorrect configuration to allow
>> aes256 support; only aes128 and downwards were enabled by default. This does not seem to be the
>> case for Solaris 11.
>>
>> Does anyone else get the same decrypt failed issue?
>>
>
> I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
>

Yes, Solaris 10 works just fine for console login, both x86 and sparc. This seems to be an issue in Solaris 11. It could be a configuration error, I just haven't had time to look into it yet. We do not use Solaris 11 in production as of today.

Regards,
Siggi

From eshabahang at yahoo.com  Mon Apr 23 09:46:02 2012
From: eshabahang at yahoo.com (shabahang elmian)
Date: Mon, 23 Apr 2012 02:46:02 -0700 (PDT)
Subject: [Freeipa-users] Error in Installation - unable to create CA
Message-ID: <1335174362.20027.YahooMailNeo@web161605.mail.bf1.yahoo.com>

Hello,

There is a problem on configuring FreeIPA. Would you please help? Please find the following:

2012-04-23 12:38:53,812 DEBUG   duration: 5 seconds
>2012-04-23 12:38:53,812 DEBUG   [3/17]: configuring certificate server instance
>2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR -external false -clone false
>2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
>#######################################################################
>CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
>tokenpwd:XXXXXXXX
>#############################################
>Attempting to connect to: ipa.mtnirancell.ir:9445
>Exception in LoginPanel(): java.lang.NullPointerException
>ERROR: ConfigureCA: LoginPanel() failure
>ERROR: unable to create CA
>#######################################################################
>
>2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
>
>java.net.ConnectException: Connection refused
>at java.net.PlainSocketImpl.socketConnect(Native Method)
>at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>at java.net.Socket.connect(Socket.java:546)
>at java.net.Socket.connect(Socket.java:495)
>at java.net.Socket.(Socket.java:392)
>at java.net.Socket.(Socket.java:235)
>at HTTPClient.sslConnect(HTTPClient.java:326)
>at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>at ConfigureCA.main(ConfigureCA.java:1672)
>
>java.lang.NullPointerException
>at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>at ConfigureCA.main(ConfigureCA.java:1672)
>
>2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR -external false -clone false' returned non-zero exit status 255
>2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
>  File "/usr/sbin/ipa-server-install", line 1173, in
>    rval = main()
>
>  File "/usr/sbin/ipa-server-install", line 974, in main
>    subject_base=options.subject)
>
>  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
>    self.start_creation("Configuring certificate server", 210)
>
>  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
>    method()
>
>  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 677, in __configure_instance
>    raise RuntimeError('Configuration of CA failed')

Please note:

[root at ipa ~]# uname -a
>Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21 12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>[root at ipa ~]# cat /etc/redhat-release
>Fedora release 16 (Verne)
>[root at ipa ~]#

From simo at redhat.com  Mon Apr 23 13:00:28 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 23 Apr 2012 09:00:28 -0400
Subject: [Freeipa-users] Solaris 11 client
In-Reply-To: <25868.213.225.75.97.1335170676.squirrel@www.nixtra.com>
References: <4F918675.6000506@redhat.com> <4F948361.8070303@nixtra.com> <4F9494E4.3050207@redhat.com> <25868.213.225.75.97.1335170676.squirrel@www.nixtra.com>
Message-ID: <1335186028.16658.607.camel@willson.li.ssimo.org>

On Mon, 2012-04-23 at 10:44 +0200, Sigbjorn Lie wrote:
> >> Perform steps 1-5 in the docs:
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> >>
> >> Please note that there is a default DUAProfile with IPA that allows you
> >> to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I
> >> don't understand why the documentation says to do a manual configuration of ldapclient. The
> >> example provided also does a lot of unnecessary attribute mapping.
> >
> > The documentation includes a manual configuration so one can do it if
> > desired.
> >
>
> The documentation includes only the manual configuration. Using a DUAProfile is easier both for
> installing and for maintaining the Solaris clients, as they will re-read configuration from the DUA
> profile periodically. Manual configuration should be avoided if possible.
>
> Do you want me to open a DOC BUG to have this changed?

Please do.

> AND include a more functional DUAProfile by default, configuring the clients for ethers and
> automount support as well.
>
> Do you want me to open a ticket for this? The profile I sent in the previous email can be used as
> a template.

Yes please.

> >> However I cannot log on to the console. Enabling debugging on pam tells me:
> >>
> >>
> >> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
> >> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
> >> integrity check failed
> >>
> >> There was an issue on Solaris 10 with incorrect configuration to allow
> >> aes256 support; only aes128 and downwards were enabled by default. This does not seem to be the
> >> case for Solaris 11.
> >>
> >> Does anyone else get the same decrypt failed issue?
> >>
> >
> > I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
> >
>
> Yes, Solaris 10 works just fine for console login, both x86 and sparc. This seems to be an issue in
> Solaris 11. It could be a configuration error, I just haven't had time to look into it yet. We do
> not use Solaris 11 in production as of today.

Do you see anything special on the KDC side when you get that error in the console?
Do you play with enctypes when you obtain the system keytab?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Mon Apr 23 13:15:59 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 23 Apr 2012 07:15:59 -0600
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4F946119.1020603@nixtra.com>
References: <4F946119.1020603@nixtra.com>
Message-ID: <4F95560F.5000508@redhat.com>

On 04/22/2012 01:50 PM, Sigbjorn Lie wrote:
> Hi,
>
> I have different ipa domains, installed on Red Hat 6.2 or CentOS 6.2 servers, with all 389-ds updates applied. After some time all the memory in the server is consumed, mostly by the ns-slapd process.
>
> I've looked at the RH Directory Server tuning manual at docs.redhat.com and looked through the various tuning options. I found the "nsslapd-cachememsize" and "nsslapd-dbcachesize" options to be set to around 10MB by default. The id2entry.db4 file for the database in the test IPA domain comes in at 6.7MB.
>
> If I restart the directory server the memory is released. And then slowly consumed again over time.
>
> Running benchmarks with ldclt reveals much better numbers for the directory servers that have recently been rebooted and do not yet consume all the memory in the machine.
>
> Am I missing some configuration?

Try increasing your nsslapd-cachememsize and monitoring it closely. Using the size of id2entry.db4 is a good place to start, but that will not be enough.

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Monitoring_Server_and_Database_Activity-Monitoring_Database_Activity.html

See also https://fedorahosted.org/389/ticket/51 and https://bugzilla.redhat.com/show_bug.cgi?id=697701

> Is this normal behaviour for 389-ds to consume all physical memory AND all swap memory?

It is not normal behaviour.

> It certainly seems to have a performance impact for the ldap server.

Indeed.
> top - 21:31:51 up 52 days, 22:03, 2 users, load average: 0.33, 0.15, 0.07
> Tasks: 136 total, 1 running, 135 sleeping, 0 stopped, 0 zombie
> Cpu(s): 0.3%us, 0.7%sy, 0.0%ni, 92.7%id, 6.3%wa, 0.0%hi, 0.0%si, 0.0%st
> Mem: 2055084k total, 1981892k used, 73192k free, 996k buffers
> Swap: 1048568k total, 1048568k used, 0k free, 17172k cached
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 1347 dirsrv 20 0 3301m 1.4g 2736 S 0.3 70.0 340:27.17 ns-slapd
>
> Regards,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From lagern at lafayette.edu Mon Apr 23 14:30:04 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Mon, 23 Apr 2012 10:30:04 -0400
Subject: [Freeipa-users] IPA, kerberos ticket issue for web admin.
In-Reply-To: <4F91AA60.8080007@redhat.com>
References: <4F916793.9090003@lafayette.edu> <4F9183A1.2090502@redhat.com> <4F91A361.6090208@lafayette.edu> <4F91AA60.8080007@redhat.com>
Message-ID: <4F95676C.9000309@lafayette.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/20/2012 02:26 PM, Rob Crittenden wrote:
> Have you configured the browser for Kerberos?
> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>
> That error seems to indicate that the domain isn't defined in network.negotiate-auth.trusted-uris
>
> regards
>
> rob

I've been through the clicky-clicky that ipa's web gui sends you through (accepting the certs, and configuring the browser), a number of times. I just confirmed the trusted URIs and delegation URIs. They are both correct; they look like: .my.ipa.domain.com

I even tried resetting delegation-uris and trusted-uris to the default, and then allowing the ipa web gui to re-configure them; it hasn't helped.

Thanks for the response. Sorry for the delay in mine.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)

From sigbjorn at nixtra.com Mon Apr 23 15:22:24 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 23 Apr 2012 17:22:24 +0200 (CEST)
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4F95560F.5000508@redhat.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com>
Message-ID: <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com>

>
> Try increasing your nsslapd-cachememsize and monitoring it closely. Using the size of id2entry.db4 is a good place to start, but that will not be enough.
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Monitoring_Server_and_Database_Activity-Monitoring_Database_Activity.html
>
> See also https://fedorahosted.org/389/ticket/51 and https://bugzilla.redhat.com/show_bug.cgi?id=697701
>

I'm using the latest available server in RHEL 6, has the fix for those bugs been applied to this version?

389-ds-base-1.2.9.14-1.el6_2.2.x86_64

How much do you recommend increasing this to? My id2entry.db4 file is 7.2 MB.

Regards,
Siggi

From rcritten at redhat.com Mon Apr 23 15:46:37 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 Apr 2012 11:46:37 -0400
Subject: [Freeipa-users] Error in Installation - unable to create CA
In-Reply-To: <1335174362.20027.YahooMailNeo@web161605.mail.bf1.yahoo.com>
References: <1335174362.20027.YahooMailNeo@web161605.mail.bf1.yahoo.com>
Message-ID: <4F95795D.6050507@redhat.com>

shabahang elmian wrote:
> Hello,
> There is a problem on configuring FreeIPA.
> would you please help.
> > please find following : > > 2012-04-23 12:38:53,812 DEBUG duration: 5 seconds > 2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server > instance > 2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent > ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445 > -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX > -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin > -admin_email root at localhost -admin_password XXXXXXXX -agent_name > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa > -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host > ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size > 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true > -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR > -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR > -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR > -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR > -external false -clone false > 2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64 > ####################################################################### > CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR > tokenpwd:XXXXXXXX > ############################################# > Attempting to connect to: ipa.mtnirancell.ir:9445 > Exception in LoginPanel(): java.lang.NullPointerException > ERROR: ConfigureCA: LoginPanel() failure > ERROR: unable to create CA > ####################################################################### > 2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send > Request:java.net.ConnectException: Connection refused > java.net.ConnectException: Connection refused > at java.net.PlainSocketImpl.socketConnect(Native Method) > at > 
> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
> at java.net.Socket.connect(Socket.java:546)
> at java.net.Socket.connect(Socket.java:495)
> at java.net.Socket.<init>(Socket.java:392)
> at java.net.Socket.<init>(Socket.java:235)
> at HTTPClient.sslConnect(HTTPClient.java:326)
> at ConfigureCA.LoginPanel(ConfigureCA.java:244)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> at ConfigureCA.main(ConfigureCA.java:1672)
> java.lang.NullPointerException
> at ConfigureCA.LoginPanel(ConfigureCA.java:245)
> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
> at ConfigureCA.main(ConfigureCA.java:1672)
>
> 2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR -external false
-clone false' returned non-zero exit status 255
> 2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
> File "/usr/sbin/ipa-server-install", line 1173, in <module>
> rval = main()
>
> File "/usr/sbin/ipa-server-install", line 974, in main
> subject_base=options.subject)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 537, in configure_instance
> self.start_creation("Configuring certificate server", 210)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 248, in start_creation
> method()
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 677, in __configure_instance
> raise RuntimeError('Configuration of CA failed')
>
> please note :
>
> [root at ipa ~]# uname -a
> Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21 12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> [root at ipa ~]# cat /etc/redhat-release
> Fedora release 16 (Verne)
> [root at ipa ~]#

It would appear that the CA silent installer (pki-silent) couldn't talk to the CA. There are more logs in /var/log/pki-ca that may hold more information on why. You might also want to look for any new AVCs in /var/log/audit/audit.log.

regards

rob

From rmeggins at redhat.com Mon Apr 23 15:45:05 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 23 Apr 2012 09:45:05 -0600
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com>
Message-ID: <4F957901.5040508@redhat.com>

On 04/23/2012 09:22 AM, Sigbjorn Lie wrote:
>> Try increasing your nsslapd-cachememsize and monitoring it closely. Using the size of id2entry.db4 is a good place to start, but that will not be enough.
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Monitoring_Server_and_Database_Activity-Monitoring_Database_Activity.html
>>
>> See also https://fedorahosted.org/389/ticket/51 and https://bugzilla.redhat.com/show_bug.cgi?id=697701
>>
> I'm using the latest available server in RHEL 6, has the fix for those bugs been applied to this version?

No. The fix will be in RHEL 6.3

>
> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>
> How much do you recommend increasing this to? My id2entry.db4 file is 7.2 MB.

Hard to say. Start out with 14.4 MB and monitor the cache usage over time.

>
> Regards,
> Siggi
>

From rcritten at redhat.com Mon Apr 23 15:58:23 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 Apr 2012 11:58:23 -0400
Subject: [Freeipa-users] IPA, kerberos ticket issue for web admin.
In-Reply-To: <4F95676C.9000309@lafayette.edu>
References: <4F916793.9090003@lafayette.edu> <4F9183A1.2090502@redhat.com> <4F91A361.6090208@lafayette.edu> <4F91AA60.8080007@redhat.com> <4F95676C.9000309@lafayette.edu>
Message-ID: <4F957C1F.8030301@redhat.com>

Nathan Lager wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>> Have you configured the browser for Kerberos?
>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>
>> That error seems to indicate that the domain isn't defined in network.negotiate-auth.trusted-uris
>>
>> regards
>>
>> rob
>
> I've been through the clicky-clicky that ipa's web gui sends you through (accepting the certs, and configuring the browser), a number of times. I just confirmed the trusted URIs and delegation URIs. They are both correct; they look like: .my.ipa.domain.com
>
> I even tried resetting delegation-uris and trusted-uris to the default, and then allowing the ipa web gui to re-configure them; it hasn't helped.
>
> Thanks for the response. Sorry for the delay in mine.
Hmm, that is very strange. The code in question in Firefox looks like:

    bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
    if (!allowed) {
        LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
        return NS_ERROR_ABORT;
    }

which seems to be the error you are seeing. It's a shame there isn't more logging around the URIs.

I see that you had enabled debug logging on the Apache side. Can you provide some more context on the failed request?

thanks

rob

From sigbjorn at nixtra.com Mon Apr 23 18:17:52 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 23 Apr 2012 20:17:52 +0200
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4F957901.5040508@redhat.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com>
Message-ID: <4F959CD0.4050608@nixtra.com>

On 04/23/2012 05:45 PM, Rich Megginson wrote:
> On 04/23/2012 09:22 AM, Sigbjorn Lie wrote:
>>> Try increasing your nsslapd-cachememsize and monitoring it closely. Using the size of id2entry.db4 is a good place to start, but that will not be enough.
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Monitoring_Server_and_Database_Activity-Monitoring_Database_Activity.html
>>>
>>> See also https://fedorahosted.org/389/ticket/51 and https://bugzilla.redhat.com/show_bug.cgi?id=697701
>>>
>> I'm using the latest available server in RHEL 6, has the fix for those bugs been applied to this version?
> No. The fix will be in RHEL 6.3
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>
>> How much do you recommend increasing this to? My id2entry.db4 file is 7.2 MB.
>
> Hard to say. Start out with 14.4 MB and monitor the cache usage over time.
>
>>
>
Ok, will do. A restart of the directory server seems to be overdue. This was waiting for me today at the same server that I took the screendump of "top" yesterday...
It does take a few weeks to build up, so it might take me some time to respond with any findings. named invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0, oom_score_adj=0 named cpuset=/ mems_allowed=0 Pid: 3997, comm: named Not tainted 2.6.32-220.4.2.el6.x86_64 #1 Call Trace: [] ? cpuset_print_task_mems_allowed+0x91/0xb0 [] ? dump_header+0x90/0x1b0 [] ? security_real_capable_noaudit+0x3c/0x70 [] ? oom_kill_process+0x8a/0x2c0 [] ? select_bad_process+0xe1/0x120 [] ? out_of_memory+0x220/0x3c0 [] ? __alloc_pages_nodemask+0x89e/0x940 [] ? alloc_pages_current+0xaa/0x110 [] ? __page_cache_alloc+0x87/0x90 [] ? __do_page_cache_readahead+0xdb/0x210 [] ? ra_submit+0x21/0x30 [] ? filemap_fault+0x4c3/0x500 [] ? __do_fault+0x54/0x510 [] ? handle_pte_fault+0xf7/0xb50 [] ? sock_aio_read+0x181/0x190 [] ? handle_mm_fault+0x1e4/0x2b0 [] ? do_sync_read+0xfa/0x140 [] ? __do_page_fault+0x139/0x480 [] ? selinux_file_permission+0xbf/0x150 [] ? kvm_clock_read+0x1c/0x20 [] ? do_page_fault+0x3e/0xa0 [] ? page_fault+0x25/0x30 Mem-Info: Node 0 DMA per-cpu: CPU 0: hi: 0, btch: 1 usd: 0 Node 0 DMA32 per-cpu: CPU 0: hi: 186, btch: 31 usd: 67 active_anon:347835 inactive_anon:119039 isolated_anon:0 active_file:49 inactive_file:3712 isolated_file:0 unevictable:0 dirty:1 writeback:0 unstable:0 free:13252 slab_reclaimable:2830 slab_unreclaimable:13380 mapped:827 shmem:59 pagetables:4953 bounce:0 Node 0 DMA free:8356kB min:332kB low:412kB high:496kB active_anon:2952kB inactive_anon:3832kB active_file:116kB inactive_file:232kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15348kB mlocked:0kB dirty:0kB writeback:0kB mapped:120kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:4kB kernel_stack:8kB pagetables:44kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:160 all_unreclaimable? 
no lowmem_reserve[]: 0 2004 2004 2004 Node 0 DMA32 free:44652kB min:44720kB low:55900kB high:67080kB active_anon:1388388kB inactive_anon:472324kB active_file:80kB inactive_file:14616kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:2052308kB mlocked:0kB dirty:8kB writeback:0kB mapped:3188kB shmem:236kB slab_reclaimable:11320kB slab_unreclaimable:53516kB kernel_stack:2320kB pagetables:19768kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:277 all_unreclaimable? yes lowmem_reserve[]: 0 0 0 0 Node 0 DMA: 1*4kB 2*8kB 3*16kB 3*32kB 4*64kB 2*128kB 2*256kB 2*512kB 0*1024kB 1*2048kB 1*4096kB = 8356kB Node 0 DMA32: 917*4kB 677*8kB 347*16kB 212*32kB 117*64kB 57*128kB 13*256kB 4*512kB 1*1024kB 1*2048kB 0*4096kB = 44652kB 6230 total pagecache pages 2406 pages in swap cache Swap cache stats: add 288041, delete 285635, find 4565761/4568506 Free swap = 0kB Total swap = 1048568kB 524284 pages RAM 10513 pages reserved 6827 pages shared 494838 pages non-shared [ pid ] uid tgid total_vm rss cpu oom_adj oom_score_adj name [ 493] 0 493 2782 57 0 -17 -1000 udevd [ 1187] 0 1187 1553 2 0 0 0 portreserve [ 1194] 0 1194 62187 93 0 0 0 rsyslogd [ 1236] 32 1236 4756 44 0 0 0 rpcbind [ 1254] 29 1254 5800 20 0 0 0 rpc.statd [ 1286] 0 1286 7376 31 0 0 0 rpc.idmapd [ 1306] 0 1306 9841 44 0 0 0 rpc.gssd [ 1347] 496 1347 845694 366306 0 0 0 ns-slapd [ 1419] 498 1419 297187 11273 0 0 0 ns-slapd [ 1499] 0 1499 30950 7834 0 0 0 krb5kdc [ 1511] 0 1511 14022 20 0 0 0 ipa_kpasswd [ 1640] 497 1640 415291 24719 0 0 0 java [ 1691] 81 1691 24853 66 0 0 0 dbus-daemon [ 1703] 0 1703 47295 2 0 0 0 cupsd [ 1728] 0 1728 1033 1 0 0 0 acpid [ 1737] 68 1737 6776 169 0 0 0 hald [ 1738] 0 1738 4539 2 0 0 0 hald-runner [ 1784] 0 1784 5068 2 0 0 0 hald-addon-inpu [ 1801] 68 1801 4464 2 0 0 0 hald-addon-acpi [ 1858] 0 1858 44108 98 0 0 0 sssd [ 1864] 0 1864 63923 714 0 0 0 sssd_be [ 1876] 0 1876 16024 26 0 0 0 sshd [ 1884] 38 1884 8069 66 0 0 0 ntpd [ 1891] 0 1891 43086 207 0 0 0 sssd_nss [ 1892] 
0 1892 44935 234 0 0 0 sssd_pam [ 1978] 0 1978 19679 26 0 0 0 master [ 1985] 89 1985 20260 60 0 0 0 qmgr [ 2002] 0 2002 29709 51 0 0 0 abrtd [ 2010] 0 2010 2304 19 0 0 0 abrt-dump-oops [ 2024] 0 2024 27120 114 0 0 0 ksmtuned [ 2033] 0 2033 29312 25 0 0 0 crond [ 2044] 0 2044 5373 5 0 0 0 atd [ 2062] 0 2062 14288 27 0 0 0 certmonger [ 2231] 0 2231 7556 19 0 0 0 cfservd [ 2378] 0 2378 24457 131 0 0 0 cfexecd [ 2452] 0 2452 7640 149 0 0 0 cfenvd [ 2553] 0 2553 1029 2 0 0 0 mingetty [ 2555] 0 2555 1029 2 0 0 0 mingetty [ 2557] 0 2557 1029 2 0 0 0 mingetty [ 2559] 0 2559 1029 2 0 0 0 mingetty [ 2561] 0 2561 1029 2 0 0 0 mingetty [ 2563] 0 2563 1029 2 0 0 0 mingetty [ 2569] 0 2569 3111 108 0 -17 -1000 udevd [ 2587] 0 2587 23312 41 0 -17 -1000 auditd [ 2923] 0 2923 187259 776 0 0 0 automount [ 3999] 0 3999 9846 40 0 0 0 nss_pcache [ 4001] 0 4001 221259 1345 0 0 0 httpd [ 3996] 25 3996 56544 12252 0 0 0 named [30951] 0 30951 6053 59 0 0 0 xinetd [31131] 0 31131 2781 54 0 -17 -1000 udevd [30457] 0 30457 25642 407 0 0 0 sshd [30464] 5000 30464 25642 406 0 0 0 sshd [30465] 5000 30465 27640 116 0 0 0 bash [28720] 0 28720 25642 406 0 0 0 sshd [28723] 5000 28723 25642 405 0 0 0 sshd [28724] 5000 28724 27615 109 0 0 0 bash [31792] 48 31792 263393 10920 0 0 0 httpd [31793] 48 31793 263393 10920 0 0 0 httpd [31794] 48 31794 227580 2198 0 0 0 httpd [31795] 48 31795 227580 2198 0 0 0 httpd [31796] 48 31796 227580 2198 0 0 0 httpd [31797] 48 31797 227580 2199 0 0 0 httpd [31798] 48 31798 227580 2200 0 0 0 httpd [31799] 48 31799 227580 2204 0 0 0 httpd [31800] 48 31800 227580 2198 0 0 0 httpd [31801] 48 31801 227580 2198 0 0 0 httpd [23118] 48 23118 227580 2198 0 0 0 httpd [14842] 89 14842 20216 204 0 0 0 pickup [16012] 0 16012 4334 50 0 0 0 anacron [16688] 0 16688 25240 18 0 0 0 sleep Out of memory: Kill process 1347 (ns-slapd) score 788 or sacrifice child Killed process 1347, UID 496, (ns-slapd) total-vm:3382776kB, anon-rss:1463896kB, file-rss:1328kB From rmeggins at redhat.com Mon 
Apr 23 18:38:38 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 23 Apr 2012 12:38:38 -0600
Subject: [Freeipa-users] 389-ds memory usage
In-Reply-To: <4F959CD0.4050608@nixtra.com>
References: <4F946119.1020603@nixtra.com> <4F95560F.5000508@redhat.com> <26130.213.225.75.97.1335194544.squirrel@www.nixtra.com> <4F957901.5040508@redhat.com> <4F959CD0.4050608@nixtra.com>
Message-ID: <4F95A1AE.8090704@redhat.com>

On 04/23/2012 12:17 PM, Sigbjorn Lie wrote:
> On 04/23/2012 05:45 PM, Rich Megginson wrote:
>> On 04/23/2012 09:22 AM, Sigbjorn Lie wrote:
>>>> Try increasing your nsslapd-cachememsize and monitoring it closely. Using the size of id2entry.db4 is a good place to start, but that will not be enough.
>>>>
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Monitoring_Server_and_Database_Activity-Monitoring_Database_Activity.html
>>>>
>>>> See also https://fedorahosted.org/389/ticket/51 and https://bugzilla.redhat.com/show_bug.cgi?id=697701
>>>>
>>> I'm using the latest available server in RHEL 6, has the fix for those bugs been applied to this version?
>> No. The fix will be in RHEL 6.3
>
>>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>>>
>>> How much do you recommend increasing this to? My id2entry.db4 file is 7.2 MB.
>>
>> Hard to say. Start out with 14.4 MB and monitor the cache usage over time.
>>
>>>
>>
>
> Ok, will do. A restart of the directory server seems to be overdue. This was waiting for me today at the same server that I took the screendump of "top" yesterday...
>
> It does take a few weeks to build up, so it might take me some time to respond with any findings.

Ok. The current theory is that the memory growth is caused by the churn of entries being added to and removed from the entry cache. It's not yet known why this growth is seen. It could be just that the memory is getting fragmented, or there is a real yet undetected memory leak.
That's why entry cache sizing and monitoring is very important, to see if you are churning entries in/out of the cache, and if that is correlated with the memory growth.
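The sizing and monitoring advice in this thread, worked through as an added example (not code from the thread, from 389-ds or from FreeIPA): a Python check that parses the userRoot backend's cn=monitor entry as ldapsearch returns it, compares two snapshots to tell whether entries are churning through a full cache, and emits the ldapmodify LDIF for the suggested starting size of twice id2entry.db4. The DNs and attribute names are real 389-ds ones; the snapshot numbers are constructed.

```python
import re

# Added example for this thread, not code from 389-ds or FreeIPA: size and
# monitor the 389-ds entry cache the way the replies above suggest. DNs and
# attribute names are the real ones for the userRoot backend IPA uses; the
# snapshot values below are constructed.

MONITOR_DN = "cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
CONFIG_DN = "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"

# Two constructed snapshots of
#   ldapsearch -D "cn=Directory Manager" -W -s base -b "$MONITOR_DN"
# taken some time apart; the hit/try counters are cumulative since startup.
SNAPSHOT_T0 = """\
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: monitor
entrycachehits: 1200000
entrycachetries: 1250000
entrycachehitratio: 96
currententrycachesize: 10400000
maxentrycachesize: 10485760
currententrycachecount: 5100
"""

SNAPSHOT_T1 = """\
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: monitor
entrycachehits: 1260000
entrycachetries: 1450000
entrycachehitratio: 86
currententrycachesize: 10480000
maxentrycachesize: 10485760
currententrycachecount: 5150
"""


def parse_monitor_ldif(ldif: str) -> dict:
    """Return the integer-valued attributes of a monitor entry.

    LDIF folds long values onto continuation lines that begin with one space,
    so those are joined back before splitting on 'attr: value'.
    """
    counters = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.lower() in ("dn", "cn"):
            continue
        value = value.strip()
        if re.fullmatch(r"-?\d+", value):
            counters[name.strip().lower()] = int(value)
    return counters


def cache_verdict(before: dict, after: dict, full_threshold: float = 0.95,
                  min_hit_ratio: float = 0.90) -> dict:
    """Compare two snapshots and say whether entries are churning.

    Churn here means the cache is (nearly) full AND a large share of lookups
    in the interval missed, i.e. entries are evicted and reloaded, the pattern
    the thread ties to the growth. The lifetime entrycachehitratio hides a
    recent change, so the ratio is recomputed over the interval only.
    """
    tries = after["entrycachetries"] - before["entrycachetries"]
    hits = after["entrycachehits"] - before["entrycachehits"]
    if tries < 0 or hits < 0:
        raise ValueError("counters went backwards; was the server restarted?")
    interval_ratio = hits / tries if tries else 1.0
    fill = after["currententrycachesize"] / after["maxentrycachesize"]
    return {
        "interval_tries": tries,
        "interval_hits": hits,
        "interval_hit_ratio": round(interval_ratio, 3),
        "cache_fill": round(fill, 3),
        "churning": fill >= full_threshold and interval_ratio < min_hit_ratio,
    }


def recommended_cachememsize(id2entry_bytes: int, factor: float = 2.0) -> int:
    """Starting point for nsslapd-cachememsize: twice the id2entry.db4 size, as
    suggested above (7.2 MB file -> 14.4 MB). Tune from there using the verdict."""
    return int(id2entry_bytes * factor)


def cachememsize_modify_ldif(new_size_bytes: int) -> str:
    """LDIF for ldapmodify that sets nsslapd-cachememsize on userRoot."""
    return (
        f"dn: {CONFIG_DN}\n"
        "changetype: modify\n"
        "replace: nsslapd-cachememsize\n"
        f"nsslapd-cachememsize: {new_size_bytes}\n"
    )


if __name__ == "__main__":
    verdict = cache_verdict(parse_monitor_ldif(SNAPSHOT_T0), parse_monitor_ldif(SNAPSHOT_T1))
    print(verdict)
    if verdict["churning"]:  # 7.2 MB id2entry.db4 as in the thread, in bytes
        print(cachememsize_modify_ldif(recommended_cachememsize(7_549_747)))
```

Whether the new nsslapd-cachememsize takes effect without a restart depends on the 389-ds version, so re-check the monitor entry after applying it.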
From sigbjorn at nixtra.com Mon Apr 23 19:25:17 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 23 Apr 2012 21:25:17 +0200
Subject: [Freeipa-users] Solaris 11 client
In-Reply-To: <1335186028.16658.607.camel@willson.li.ssimo.org>
References: <4F918675.6000506@redhat.com> <4F948361.8070303@nixtra.com> <4F9494E4.3050207@redhat.com> <25868.213.225.75.97.1335170676.squirrel@www.nixtra.com> <1335186028.16658.607.camel@willson.li.ssimo.org>
Message-ID: <4F95AC9D.5020600@nixtra.com>

On 04/23/2012 03:00 PM, Simo Sorce wrote:
> On Mon, 2012-04-23 at 10:44 +0200, Sigbjorn Lie wrote:
>>>> Perform step 1-5 in the docs:
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>>>
>>>> Please note that there is a default DUAProfile with IPA that allows you to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I don't understand why the documentation says to do a manual configuration of ldapclient. The example provided also does a lot of unnecessary attribute mapping.
>>> The documentation includes a manual configuration so one can do it if desired.
>>>
>> The documentation includes only the manual configuration. Using a DUAProfile is easier both for installing and maintaining the Solaris clients, as they will re-read configuration from the DUA profile periodically. Manual configuration should be avoided if possible.
>>
>> Do you want me to open a DOC BUG to have this changed?
> Please do.
>
Please see: https://bugzilla.redhat.com/show_bug.cgi?id=815533
>> AND include a more functional DUAProfile by default, configuring the clients for ethers and automount support as well.
>>
>> Do you want me to open a ticket for this? The profile I sent in the previous email can be used as a template.
> Yes please.

Please see: https://bugzilla.redhat.com/show_bug.cgi?id=815515

>
>>>> However I cannot log on to the console. Enabling debugging on pam tells me:
>>>>
>>>> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
>>>>
>>>> There was an issue on Solaris 10 with incorrect configuration to allow aes256 support; only aes128 and downwards were enabled by default. This does not seem to be the case for Solaris 11.
>>>>
>>>> Does anyone else get the same decrypt failed issue?
>>>>
>>> I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
>>>
>> Yes, Solaris 10 works just fine for console login, both x86 and sparc. This seems to be an issue in Solaris 11. It could be a configuration error, I just haven't had time to look into it yet. We do not use Solaris 11 in production as of today.
> Do you see anything special on the KDC side when you get that error in the console?
>
> Do you play with enctypes when you obtain the system keytab?

I did not look at the KDC logs. And yes, I did try to limit the enc types to 3des and below; it still did not work.

I will have to visit this again later.
Rgds, Siggi From simo at redhat.com Mon Apr 23 19:39:18 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 23 Apr 2012 15:39:18 -0400 Subject: [Freeipa-users] Solaris 11 client In-Reply-To: <4F95AC9D.5020600@nixtra.com> References: <4F918675.6000506@redhat.com> <4F948361.8070303@nixtra.com> <4F9494E4.3050207@redhat.com> <25868.213.225.75.97.1335170676.squirrel@www.nixtra.com> <1335186028.16658.607.camel@willson.li.ssimo.org> <4F95AC9D.5020600@nixtra.com> Message-ID: <1335209958.16658.656.camel@willson.li.ssimo.org> On Mon, 2012-04-23 at 21:25 +0200, Sigbjorn Lie wrote: > Please see: https://bugzilla.redhat.com/show_bug.cgi?id=815533 [..] > Please see: https://bugzilla.redhat.com/show_bug.cgi?id=815515 Thanks a lot. > > Do you play with enctypes when you obtain the system keytab ? > > I did not look at the KDC logs. And yes, I did try to limit the enc > types to 3des and below, it still did not work. Depending on how this was done it may be the issue. > I will have to visit this again later. Ok, let me know if we can help somehow. Simo. -- Simo Sorce * Red Hat, Inc * New York From ohamada at redhat.com Tue Apr 24 06:58:13 2012 From: ohamada at redhat.com (Ondrej Hamada) Date: Tue, 24 Apr 2012 08:58:13 +0200 Subject: [Freeipa-users] Problem installing replica CA In-Reply-To: References: <4F91B86D.3050406@redhat.com> Message-ID: <4F964F05.7030304@redhat.com> On 04/20/2012 09:35 PM, Dan Scott wrote: > On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote: >> On 04/20/2012 12:15 PM, Dan Scott wrote: >>> Hi, >>> >>> My FreeIPA servers were in a real mess recently and I think I've >>> finally got them into a reasonable state by cleaning up the tombstone >>> entries and fixing some broken replication agreements. 
>>> >>> I'm trying to setup a new replica and receive the following error: >>> >>> Configuring certificate server: Estimated time 3 minutes 30 seconds >>> [1/12]: creating certificate server user >>> [2/12]: creating pki-ca instance >>> [3/12]: configuring certificate server instance >>> root : CRITICAL failed to configure ca instance Command >>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' >>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir' >>> '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin' >>> '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin' >>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX >>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' >>> '-agent_key_type' 'rsa' '-agent_cert_subject' >>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu' >>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' >>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' >>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' >>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' >>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA >>> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP >>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name' >>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU' >>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU' >>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU' >>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' >>> '-clone_p12_password' XXXXXXXX '-sd_hostname' >>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name' >>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' >>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero >>> exit status 255 >>> creation of replica failed: Configuration of CA failed >>> >>> The /var/log/pki-ca/debug file contains: >>> >>> 
[20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to >>> import user certificate.org.mozilla.jss.crypto.TokenException: >>> PK11_ImportDERCertForKey Unable to import certificate to its token: >>> (-8054) You are attempting to import a cert with the same >>> issuer/serial as an existing cert, but that is not the same cert. >>> [20/Apr/2012:12:07:36][http-9445-1]: Updating local request... certTag=sslserver >>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() >>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true >>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true >>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 >>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 >>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() >>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true >>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true >>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 >>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 >>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12 >>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13 >>> [20/Apr/2012:12:07:36][http-9445-1]: panel no=13 >>> [20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys >>> [20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19 >>> [20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml >>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type >>> org.apache.catalina.connector.ResponseFacade >>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type java.lang.Boolean >>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type >>> org.apache.catalina.connector.RequestFacade >>> >>> So it looks like there's some certificate confusion going on. >>> >>> Can someone help? 
Is there anything particularly sensitive in the >>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I >>> shouldn't send them to the list? >>> >> Are you installing it on a new machine? >> What version of the OS and tomcat is there? >> There have been some glitches in the tomcat package in the past. > It's quite new - a VM which I installed 10 days ago. I tried to > install a replica on it before I cleaned my other IPA servers. Are you sure that the CA was cleaned up on the replica? Run 'ipa-server-install --uninstall' and then check for the existence of /var/lib/pki-ca. If it's still there -> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/Installation_and_Configuration-Uninstalling_Certificate_System_Subsystems.html > It's Scientific Linux 6.2. tomcat6-6.0.24-36.el6_2 > > Thanks, > > Dan > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Regards, Ondrej Hamada FreeIPA team jabber: ohama at jabbim.cz IRC: ohamada

From sigbjorn at nixtra.com Tue Apr 24 08:03:02 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 24 Apr 2012 10:03:02 +0200 (CEST) Subject: [Freeipa-users] named-dyndb-ldap loses connection when the LDAP server is under high load Message-ID: <25595.213.225.75.97.1335254582.squirrel@www.nixtra.com>

Hi, I have an issue that occurred before, but I did not figure out what it was. It happened again today, and the issue is related to high load on the LDAP servers. I ran a batch job that added a lot of users to different groups, using the "ipa group-add-member --users="$members" $group" command. This caused high CPU load across all the LDAP servers as the changes were replicating between the servers. After a few minutes DNS stopped working and errors started to occur in the messages log.
The only way to get around it is to stop the batch job to lower the CPU load on the LDAP servers, and then kill the named daemon with kill -9 and restart named. "service named restart" timed out while stopping named and did not manage to restart the named daemon. This happened across all 3 IPA servers almost at the same time, taking the entire environment down. A rather nasty bug.

Apr 24 09:32:08 ipa03 named[31837]: LDAP error: Invalid DN syntax
Apr 24 09:32:08 ipa03 named[31837]: connection to the LDAP server was lost
Apr 24 09:32:09 ipa03 named[31837]: LDAP error: Invalid DN syntax
Apr 24 09:32:09 ipa03 named[31837]: connection to the LDAP server was lost

Regards, Siggi

From pspacek at redhat.com Tue Apr 24 09:10:39 2012 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 24 Apr 2012 11:10:39 +0200 Subject: [Freeipa-users] named-dyndb-ldap loses connection when the LDAP server is under high load In-Reply-To: <25595.213.225.75.97.1335254582.squirrel@www.nixtra.com> References: <25595.213.225.75.97.1335254582.squirrel@www.nixtra.com> Message-ID: <4F966E0F.2070501@redhat.com>

On 04/24/2012 10:03 AM, Sigbjorn Lie wrote: > Hi > > I have an issue that occurred before, but I did not figure out what it was. It happened again > today, and the issue is related to high load on the LDAP servers. > > I ran a batch job that added a lot of users to different groups, using the "ipa group-add-member > --users="$members" $group" command. This caused high CPU load across all the LDAP servers as the > changes were replicating between the servers. > > After a few minutes DNS stopped working and errors started to occur in the messages log. > > The only way to get around it is to stop the batch job to lower the CPU load on the LDAP servers, > and then kill the named daemon with kill -9 and restart named. "service named restart" timed out > while stopping named and did not manage to restart the named daemon.
> > This happened across all 3 IPA servers almost at the same time, taking the entire environment down. > > A rather nasty bug. > > > Apr 24 09:32:08 ipa03 named[31837]: LDAP error: Invalid DN syntax > Apr 24 09:32:08 ipa03 named[31837]: connection to the LDAP server was lost > Apr 24 09:32:09 ipa03 named[31837]: LDAP error: Invalid DN syntax > Apr 24 09:32:09 ipa03 named[31837]: connection to the LDAP server was lost > > > > Regards, > Siggi

Hello, you are right, it's a very nasty bug. We know about this problem with "Invalid DN syntax". The patch is already done and on the way to upstream, please stay tuned. Petr^2 Spacek

From sigbjorn at nixtra.com Tue Apr 24 09:23:07 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Tue, 24 Apr 2012 11:23:07 +0200 (CEST) Subject: [Freeipa-users] named-dyndb-ldap loses connection when the LDAP server is under high load In-Reply-To: <4F966E0F.2070501@redhat.com> References: <25595.213.225.75.97.1335254582.squirrel@www.nixtra.com> <4F966E0F.2070501@redhat.com> Message-ID: <22679.213.225.75.97.1335259387.squirrel@www.nixtra.com>

On Tue, April 24, 2012 11:10, Petr Spacek wrote: > On 04/24/2012 10:03 AM, Sigbjorn Lie wrote: > >> Hi >> >> >> I have an issue that occurred before, but I did not figure out what it was. It happened again >> today, and the issue is related to high load on the LDAP servers. >> >> I ran a batch job that added a lot of users to different groups, using the "ipa >> group-add-member --users="$members" $group" command. This caused high CPU load across all the >> LDAP servers as the >> changes were replicating between the servers. >> >> After a few minutes DNS stopped working and errors started to occur in the messages log. >> >> >> The only way to get around it is to stop the batch job to lower the CPU load on the LDAP >> servers, and then kill the named daemon with kill -9 and restart named. "service named restart" >> timed out while stopping named and did not manage to restart the named daemon.
>> >> This happened across all 3 IPA servers almost at the same time, taking the entire environment >> down. >> >> A rather nasty bug. >> >> >> >> Apr 24 09:32:08 ipa03 named[31837]: LDAP error: Invalid DN syntax >> Apr 24 09:32:08 ipa03 named[31837]: connection to the LDAP server was lost >> Apr 24 09:32:09 ipa03 named[31837]: LDAP error: Invalid DN syntax >> Apr 24 09:32:09 ipa03 named[31837]: connection to the LDAP server was lost >> >> >> >> >> Regards, >> Siggi >> > > Hello, > > > you are right, it's a very nasty bug. > > We know about this problem with "Invalid DN syntax". The patch is already done and > on the way to upstream, please stay tuned. > Thanks for the reply. Will it be released as an update to RHEL 6.2, or will it not make it until RHEL 6.3? Rgds, Siggi

From danieljamesscott at gmail.com Tue Apr 24 13:58:07 2012 From: danieljamesscott at gmail.com (Dan Scott) Date: Tue, 24 Apr 2012 09:58:07 -0400 Subject: [Freeipa-users] Problem installing replica CA In-Reply-To: <4F964F05.7030304@redhat.com> References: <4F91B86D.3050406@redhat.com> <4F964F05.7030304@redhat.com> Message-ID:

On Tue, Apr 24, 2012 at 02:58, Ondrej Hamada wrote: > On 04/20/2012 09:35 PM, Dan Scott wrote: >> >> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote: >>> >>> On 04/20/2012 12:15 PM, Dan Scott wrote: >>>> >>>> Hi, >>>> >>>> My FreeIPA servers were in a real mess recently and I think I've >>>> finally got them into a reasonable state by cleaning up the tombstone >>>> entries and fixing some broken replication agreements. >>>> >>>> I'm trying to set up a new replica and receive the following error: >>>> >>>> Configuring certificate server: Estimated time 3 minutes 30 seconds >>>> [1/12]: creating certificate server user >>>> [2/12]: creating pki-ca instance >>>> [3/12]: configuring certificate server instance >>>> root : CRITICAL failed to configure ca instance Command >>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' >>>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir' >>>> '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin' >>>> '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin' >>>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX >>>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' >>>> '-agent_key_type' 'rsa' '-agent_cert_subject' >>>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu' >>>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' >>>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' >>>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' >>>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' >>>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA >>>> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP >>>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name' >>>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU' >>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU' >>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU' >>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' >>>> '-clone_p12_password' XXXXXXXX '-sd_hostname' >>>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name' >>>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' >>>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero >>>> exit status 255 >>>> creation of replica failed: Configuration of CA failed >>>> >>>> The /var/log/pki-ca/debug file contains: >>>> >>>> [20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to >>>> import user certificate.org.mozilla.jss.crypto.TokenException: >>>> PK11_ImportDERCertForKey Unable to import certificate to its token: >>>> (-8054) You are attempting to import a cert with the same
>>>> issuer/serial as an existing cert, but that is not the same cert. >>>> [20/Apr/2012:12:07:36][http-9445-1]: Updating local request... >>>> certTag=sslserver >>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() >>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true >>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true >>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 >>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 >>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() >>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true >>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true >>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 >>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 >>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12 >>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13 >>>> [20/Apr/2012:12:07:36][http-9445-1]: panel no=13 >>>> [20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys >>>> [20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19 >>>> [20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml >>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type >>>> org.apache.catalina.connector.ResponseFacade >>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type >>>> java.lang.Boolean >>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type >>>> org.apache.catalina.connector.RequestFacade >>>> >>>> So it looks like there's some certificate confusion going on. >>>> >>>> Can someone help? Is there anything particularly sensitive in the >>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I >>>> shouldn't send them to the list? >>>> >>> Are you installing it on a new machine? >>> What version of the OS and tomcat is there? 
>>> There have been some glitches in the tomcat package in the past. >> >> It's quite new - a VM which I installed 10 days ago. I tried to >> install a replica on it before I cleaned my other IPA servers. > > Are you sure that the CA was cleaned up on the replica? Run > 'ipa-server-install --uninstall' and then check existence of > /var/lib/pki-ca. if it's still there -> > http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/Installation_and_Configuration-Uninstalling_Certificate_System_Subsystems.html Yes, the CA was cleaned on the replica - I've also re-installed this system from scratch and the install still fails. Thanks, Dan From rcritten at redhat.com Tue Apr 24 15:28:30 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 24 Apr 2012 11:28:30 -0400 Subject: [Freeipa-users] Problem installing replica CA In-Reply-To: References: <4F91B86D.3050406@redhat.com> <4F964F05.7030304@redhat.com> Message-ID: <4F96C69E.1080101@redhat.com> Dan Scott wrote: > On Tue, Apr 24, 2012 at 02:58, Ondrej Hamada wrote: >> On 04/20/2012 09:35 PM, Dan Scott wrote: >>> >>> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote: >>>> >>>> On 04/20/2012 12:15 PM, Dan Scott wrote: >>>>> >>>>> Hi, >>>>> >>>>> My FreeIPA servers were in a real mess recently and I think I've >>>>> finally got them into a reasonable state by cleaning up the tombstone >>>>> entries and fixing some broken replication agreements. 
>>>>> >>>>> I'm trying to setup a new replica and receive the following error: >>>>> >>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds >>>>> [1/12]: creating certificate server user >>>>> [2/12]: creating pki-ca instance >>>>> [3/12]: configuring certificate server instance >>>>> root : CRITICAL failed to configure ca instance Command >>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' >>>>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir' >>>>> '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin' >>>>> '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin' >>>>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX >>>>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' >>>>> '-agent_key_type' 'rsa' '-agent_cert_subject' >>>>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu' >>>>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' >>>>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' >>>>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' >>>>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' >>>>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA >>>>> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP >>>>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name' >>>>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU' >>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU' >>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU' >>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' >>>>> '-clone_p12_password' XXXXXXXX '-sd_hostname' >>>>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name' >>>>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' >>>>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero >>>>> exit status 255 >>>>> creation of replica failed: Configuration of CA 
failed >>>>> >>>>> The /var/log/pki-ca/debug file contains: >>>>> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to >>>>> import user certificate.org.mozilla.jss.crypto.TokenException: >>>>> PK11_ImportDERCertForKey Unable to import certificate to its token: >>>>> (-8054) You are attempting to import a cert with the same >>>>> issuer/serial as an existing cert, but that is not the same cert. >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Updating local request... >>>>> certTag=sslserver >>>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() >>>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 >>>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 >>>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() >>>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 >>>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12 >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13 >>>>> [20/Apr/2012:12:07:36][http-9445-1]: panel no=13 >>>>> [20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys >>>>> [20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19 >>>>> [20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type >>>>> org.apache.catalina.connector.ResponseFacade >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type >>>>> java.lang.Boolean >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type >>>>> org.apache.catalina.connector.RequestFacade >>>>> >>>>> So it looks like there's some certificate 
confusion going on. >>>>> >>>>> Can someone help? Is there anything particularly sensitive in the >>>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I >>>>> shouldn't send them to the list? >>>>> >>>> Are you installing it on a new machine? >>>> What version of the OS and tomcat is there? >>>> There have been some glitches in the tomcat package in the past. >>> >>> It's quite new - a VM which I installed 10 days ago. I tried to >>> install a replica on it before I cleaned my other IPA servers. >> >> Are you sure that the CA was cleaned up on the replica? Run >> 'ipa-server-install --uninstall' and then check existence of >> /var/lib/pki-ca. if it's still there -> >> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/Installation_and_Configuration-Uninstalling_Certificate_System_Subsystems.html > > Yes, the CA was cleaned on the replica - I've also re-installed this > system from scratch and the install still fails. > > Thanks, > > Dan It is a very strange error message. What this means is that the same cert exists somewhere (same subject and serial number but has a different set of keys). Where that somewhere is I don't know, and considering you have a fresh VM the mystery only deepens. I'm cc'ing one of the dogtag devs to see if he has any ideas. 
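Rob's reading of the error above (a certificate with the same issuer and serial number already sits in the token, but it is a different certificate) can be checked for directly rather than guessed at. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from Dogtag. It exports every certificate in the NSS database the thread names (/var/lib/pki-ca/alias) with certutil, summarises each one with openssl x509, and reports any issuer/serial pair that maps to more than one distinct certificate, which is exactly what NSS rejects with -8054 (SEC_ERROR_REUSED_ISSUER_AND_SERIAL). The certutil and openssl options are standard ones; the sample tool output and the nicknames in the constructed records at the bottom are assumptions, present so the parsing and collision logic can be exercised offline.

```python
"""Report certificates that reuse an issuer/serial pair but are not the same cert.

Added example for this thread, not code from FreeIPA, Dogtag or any poster.
NSS refuses such an import with -8054 (SEC_ERROR_REUSED_ISSUER_AND_SERIAL),
the error in Dan's pki-ca debug log.  The database path is the one the
thread names; certutil/openssl are invoked with their standard options; the
sample tool output and records at the bottom are constructed so the parsing
and collision logic can run offline.
"""
import re
import subprocess
from collections import defaultdict

NSS_DB = "/var/lib/pki-ca/alias"      # path from the thread; adjust if needed
PEM_END = "-----END CERTIFICATE-----"


def parse_x509_summary(text):
    """Parse `openssl x509 -noout -subject -issuer -serial -fingerprint -sha256`
    output (old 'subject= /CN=x' and new 'subject=CN = x' styles alike) into
    {subject, issuer, serial, fingerprint}; serial and fingerprint are
    normalised so the same cert always compares equal."""
    rec = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key.endswith("fingerprint"):
            rec["fingerprint"] = value.replace(":", "").upper()
        elif key == "serial":
            rec["serial"] = value.upper().lstrip("0") or "0"
        else:
            rec[key] = value
    return rec


def parse_certutil_list(text):
    """Nicknames from `certutil -L -d <db>`: each data line ends in an NSS
    trust-flag triple ('u,u,u', 'CT,C,C', ',,'); the two header lines
    ('Trust Attributes', 'SSL,S/MIME,JAR/XPI') never match."""
    flags = r"[CTcpPuw]*"
    pat = re.compile(r"^(.*\S)\s+(%s,%s,%s)\s*$" % (flags, flags, flags))
    return [m.group(1) for m in map(pat.match, text.splitlines()) if m]


def find_issuer_serial_collisions(records):
    """records: dicts with nickname/issuer/serial/fingerprint.  Returns
    [(issuer, serial, sorted nicknames)] for every issuer+serial that maps to
    more than one distinct fingerprint, i.e. exactly what NSS rejects.  One
    cert stored under two nicknames is not a collision and is not reported."""
    groups = defaultdict(lambda: defaultdict(list))
    for r in records:
        groups[(r["issuer"], r["serial"])][r["fingerprint"]].append(r["nickname"])
    return [(issuer, serial, sorted(n for ns in fps.values() for n in ns))
            for (issuer, serial), fps in sorted(groups.items()) if len(fps) > 1]


def records_from_nss_db(db_dir=NSS_DB):
    """Export every cert in the database and summarise each with openssl;
    if a nickname holds more than one cert, every PEM block is summarised."""
    def run(cmd, stdin=None):
        return subprocess.run(cmd, input=stdin, check=True,
                              capture_output=True, text=True).stdout

    records = []
    for nick in parse_certutil_list(run(["certutil", "-L", "-d", db_dir])):
        pem = run(["certutil", "-L", "-d", db_dir, "-n", nick, "-a"])
        for block in pem.split(PEM_END)[:-1]:
            summary = run(["openssl", "x509", "-noout", "-subject", "-issuer",
                           "-serial", "-fingerprint", "-sha256"],
                          block + PEM_END + "\n")
            records.append(dict(parse_x509_summary(summary), nickname=nick))
    return records


# Constructed samples (not real output from the thread): the two Server-Cert
# records share serial 0C from the same issuer but are different certs.
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
"""
SAMPLE_X509 = """\
subject=CN = fileserver4.ecg.mit.edu, O = ECG.MIT.EDU
issuer=CN = Certificate Authority, O = ECG.MIT.EDU
serial=0C
SHA256 Fingerprint=B2:00:11
"""
ISSUER = "CN=Certificate Authority,O=ECG.MIT.EDU"
SAMPLE_RECORDS = [
    dict(nickname="caSigningCert cert-pki-ca", issuer=ISSUER, serial="1", fingerprint="A1"),
    dict(nickname="Server-Cert cert-pki-ca", issuer=ISSUER, serial="C", fingerprint="B2"),
    dict(nickname="Server-Cert cert-pki-ca", issuer=ISSUER, serial="C", fingerprint="C3"),
]

if __name__ == "__main__":
    import sys
    db = sys.argv[1] if len(sys.argv) > 1 else NSS_DB
    for issuer, serial, nicks in find_issuer_serial_collisions(records_from_nss_db(db)):
        print("issuer/serial reused: %s serial %s -> %s" % (issuer, serial, ", ".join(nicks)))
```

Run it as root on the failing replica, pointing it at the NSS database (listing and exporting certificates needs no database password, so nothing from /etc/pki-ca/password.conf is touched). The same summaries can be produced for the certificates inside the ca.p12 that Ade mentions by piping `openssl pkcs12 -in ca.p12 -nokeys` through the same `openssl x509` command, so the check covers both places a duplicate sslserver certificate could have come from.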
rob From alee at redhat.com Tue Apr 24 19:00:12 2012 From: alee at redhat.com (Ade Lee) Date: Tue, 24 Apr 2012 15:00:12 -0400 Subject: [Freeipa-users] Problem installing replica CA In-Reply-To: <4F96C69E.1080101@redhat.com> References: <4F91B86D.3050406@redhat.com> <4F964F05.7030304@redhat.com> <4F96C69E.1080101@redhat.com> Message-ID: <1335294013.1178.29.camel@aleeredhat.laptop> On Tue, 2012-04-24 at 11:28 -0400, Rob Crittenden wrote: > Dan Scott wrote: > > On Tue, Apr 24, 2012 at 02:58, Ondrej Hamada wrote: > >> On 04/20/2012 09:35 PM, Dan Scott wrote: > >>> > >>> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal wrote: > >>>> > >>>> On 04/20/2012 12:15 PM, Dan Scott wrote: > >>>>> > >>>>> Hi, > >>>>> > >>>>> My FreeIPA servers were in a real mess recently and I think I've > >>>>> finally got them into a reasonable state by cleaning up the tombstone > >>>>> entries and fixing some broken replication agreements. > >>>>> > >>>>> I'm trying to setup a new replica and receive the following error: > >>>>> > >>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds > >>>>> [1/12]: creating certificate server user > >>>>> [2/12]: creating pki-ca instance > >>>>> [3/12]: configuring certificate server instance > >>>>> root : CRITICAL failed to configure ca instance Command > >>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' > >>>>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir' > >>>>> '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin' > >>>>> '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin' > >>>>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX > >>>>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' > >>>>> '-agent_key_type' 'rsa' '-agent_cert_subject' > >>>>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu' > >>>>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password' > >>>>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' 
'2048' > >>>>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' > >>>>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' > >>>>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA > >>>>> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP > >>>>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name' > >>>>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU' > >>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU' > >>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU' > >>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12' > >>>>> '-clone_p12_password' XXXXXXXX '-sd_hostname' > >>>>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name' > >>>>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true' > >>>>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero > >>>>> exit status 255 > >>>>> creation of replica failed: Configuration of CA failed > >>>>> > >>>>> The /var/log/pki-ca/debug file contains: > >>>>> > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to > >>>>> import user certificate.org.mozilla.jss.crypto.TokenException: > >>>>> PK11_ImportDERCertForKey Unable to import certificate to its token: > >>>>> (-8054) You are attempting to import a cert with the same > >>>>> issuer/serial as an existing cert, but that is not the same cert. > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Updating local request... 
> >>>>> certTag=sslserver > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn() > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2 > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3 > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12 > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13 > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: panel no=13 > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19 > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type > >>>>> org.apache.catalina.connector.ResponseFacade > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type > >>>>> java.lang.Boolean > >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type > >>>>> org.apache.catalina.connector.RequestFacade > >>>>> > >>>>> So it looks like there's some certificate confusion going on. > >>>>> > >>>>> Can someone help? Is there anything particularly sensitive in the > >>>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I > >>>>> shouldn't send them to the list? > >>>>> > >>>> Are you installing it on a new machine? > >>>> What version of the OS and tomcat is there? > >>>> There have been some glitches in the tomcat package in the past. 
> >>> > >>> It's quite new - a VM which I installed 10 days ago. I tried to > >>> install a replica on it before I cleaned my other IPA servers. > >> > >> Are you sure that the CA was cleaned up on the replica? Run > >> 'ipa-server-install --uninstall' and then check existence of > >> /var/lib/pki-ca. if it's still there -> > >> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/Installation_and_Configuration-Uninstalling_Certificate_System_Subsystems.html > > > > Yes, the CA was cleaned on the replica - I've also re-installed this > > system from scratch and the install still fails. > > > > Thanks, > > > > Dan > > It is a very strange error message. What this means is that the same > cert exists somewhere (same subject and serial number but has a > different set of keys). Where that somewhere is I don't know, and > considering you have a fresh VM the mystery only deepens. > > I'm cc'ing one of the dogtag devs to see if he has any ideas. > > rob In the CertRequestPanel for a replica, we are trying to import the newly generated sslserver cert into the dogtag security database in /var/lib/pki-ca/alias. Here is roughly how this all works: 1. pkicreate runs and creates a new dogtag CA instance. It creates the security databases under /var/lib/pki-ca/alias and creates a self signed server cert for bootstrap SSL connection. 2. In the RestoreKeyCertPanel, the dogtag installer reads the pk12 file provided by IPA for the master. It imports various master certs into the security database. It should NOT import an sslserver cert. 3. In the CertRequestPanel, the bootstrap server cert is deleted, and a newly generated sslserver cert is imported into the security database. 1. Please do a cleanup and confirm that the directory /var/lib/pki-ca/alias does not exist. If it does, you need to do additional cleanup. 2. Check the PK12 file for the certs and keys being imported from the master. An ssl server cert should not be included in this file. 
(Rob, where is this file and how can it be extracted?) 3. If there is a server cert in the PK12 file, check the debug log to confirm that it is not imported in the RestoreKeyCertPanel. 4. Check in the debug log to see if the bootstrap server is in fact deleted. If none of the above pinpoints the problem, send the logs for the replica and the output of the following commands to me and Rob.

certutil -L -d /var/lib/pki-ca/alias
certutil -K -d /var/lib/pki-ca/alias

The security database password is in /etc/pki-ca/password.conf and is prefixed as internal=foo

Ade

From prmarino1 at gmail.com Thu Apr 26 16:57:10 2012 From: prmarino1 at gmail.com (Paul Robert Marino) Date: Thu, 26 Apr 2012 12:57:10 -0400 Subject: [Freeipa-users] A couple of quick questions about FreeIPA Message-ID:

Hello, I'm trying to figure out if FreeIPA is a good solution for my environment or if I should just construct a custom infrastructure with 389 Server, and I just have a couple of quick questions. I have a long history working with LDAPv3 and I'm currently planning a new infrastructure for my current employer. I've worked with OpenLDAP, 389 Server and even 389 Server's original incarnation when Netscape was still around.

1) Can the Kerberos server be on another box? I'm not a Python programmer so I haven't been able to test it myself, but many of the Kerberos calls look like wrappers to the C libraries. If so, then it might be possible.

2) Can I configure it not to store the Kerberos data in the LDAP server? I don't like the chicken-and-egg authentication conundrum this can cause, and I have no intention of allowing users to use LDAPv2, so I actually don't want the password field in the database, or at least blocked by an ACL so it can't be used. I personally find the fact that applications still use this field for authentication appalling because it essentially turned back the clock to before shadow password files.
3) This is the most important question, there has been a lot of talk about fixing the issues with MIT Kerberos. Is there someplace I can look To see what the status of these fixes are other than pouring through the change logs for MIT Kerberos. I don't want to get in to a Kerberos holy war but most of these are really old bugs in MIT Kerberos that made me abandon the Idea of ever using the MIT server in production over a decade ago. I know exactly the issues that lead to the Samba group choose to code only to Heimdal all too well because I first remember hitting them and reporting them back 2001 to the Samba group via usenet. The big thing for me is the thread safety because this often caused the MIT Kerberos server to crash then Samba was running in domain mode on the same box, Honestly I still don't trust MIT's implementation in a mission critical environment, From dpal at redhat.com Thu Apr 26 17:19:01 2012 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 26 Apr 2012 13:19:01 -0400 Subject: [Freeipa-users] A couple of quick questions about FreeIPA In-Reply-To: References: Message-ID: <4F998385.9070001@redhat.com> On 04/26/2012 12:57 PM, Paul Robert Marino wrote: > Hello > I'm trying to figure out if free IPA is a good solution for my > environment or if i should just construct a custom infrastructure with > 389 server and i just have a couple of quick questions. I have a long > history working with LDAPv3 and I'm currently planing a new > infrastructure for my current employer. I've worked with OpenLDAP 389 > server and even 389 servers original incarnation when Netscape was > still around > > 1) Can the Kerberos server be on an other box. > I'm not a python programer so I haven't been able to test it my self > but many of the Kerberos calls look like wrappers to the C libraries. > if so than it might be possible > Currently no, since KDC uses local LDAP calls over ldapi. Can you please explain why KDC on a separate box is a requirement in your case? 
> 2) Can I configure it not to store the Kerberos data in the LDAP > server. This defeats the purpose of the solution. The whole point is to make them integrated. If you do not want this you can get any LDAP server and Kerberos and do it yourself. > I don't like the chicken and the egg authentication conundrum > this can cause, and I have no intention of allowing users to use > LDAPv2 so I actually don't want the password field in the database or > at least blocked by an ACL so it cant be used. This is all taken care for you in IPA. It is unclear what problem you are trying to solve. LDAP will store userPassword with different strong hashes that can be used for Kerberos auth and for LDAP auth. You can close anonymous bind that we recommend. You can require TLS for simple bind. > I personally find the > fact that applications still use this field for authentication > appalling because it essentially turned back the clock to before > shadow password files. There are all sorts of ways to control what kind of authentication is allowed and not expose weaker authentication methods if you do not want to. > > 3) This is the most important question, there has been a lot of talk > about fixing the issues with MIT Kerberos. Is there someplace I can > look To see what the status of these fixes are other than pouring > through the change logs for MIT Kerberos. Which bugs in particular? > I don't want to get in to a Kerberos holy war but most of these are > really old bugs in MIT Kerberos that made me abandon the Idea of ever > using the MIT server in production over a decade ago. I know exactly > the issues that lead to the Samba group choose to code only to Heimdal > all too well because I first remember hitting them and reporting them > back 2001 to the Samba group via usenet. 
> The big thing for me is the thread safety because this often caused > the MIT Kerberos server to crash then Samba was running in domain mode > on the same box, Honestly I still don't trust MIT's implementation in > a mission critical environment, Are you talking libkrb5? I do not think it is used inside IPA server. KDC is not threaded but LDAP driver (KDC glue to LDAP) is capable of working with multithreaded DS. So far we have not seen any issues there in the whole lifetime of the IPA which is more than 4 years. Generally we have been actively working with MIT and if there are any specific issues that you think are still there and worth solving we would like to hear about them. > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From JR.Aquino at citrix.com Thu Apr 26 17:19:33 2012 From: JR.Aquino at citrix.com (JR Aquino) Date: Thu, 26 Apr 2012 17:19:33 +0000 Subject: [Freeipa-users] A couple of quick questions about FreeIPA In-Reply-To: References: Message-ID: <58CBD1F7-E777-42B7-A771-DE2CFC2E7644@citrixonline.com> On Apr 26, 2012, at 9:57 AM, Paul Robert Marino wrote: > Hello > I'm trying to figure out if free IPA is a good solution for my > environment or if i should just construct a custom infrastructure with > 389 server and i just have a couple of quick questions. I have a long > history working with LDAPv3 and I'm currently planing a new > infrastructure for my current employer. I've worked with OpenLDAP 389 > server and even 389 servers original incarnation when Netscape was > still around > > 1) Can the Kerberos server be on an other box. 
> I'm not a python programer so I haven't been able to test it my self > but many of the Kerberos calls look like wrappers to the C libraries. > if so than it might be possible Currently FreeIPA integrates Kerberos directly and its not something that can be removed or setup on a seperate box AFAIK > 2) Can I configure it not to store the Kerberos data in the LDAP > server. I don't like the chicken and the egg authentication conundrum > this can cause, and I have no intention of allowing users to use > LDAPv2 so I actually don't want the password field in the database or > at least blocked by an ACL so it cant be used. I personally find the > fact that applications still use this field for authentication > appalling because it essentially turned back the clock to before > shadow password files. ^ Same answer > > > 3) This is the most important question, there has been a lot of talk > about fixing the issues with MIT Kerberos. Is there someplace I can > look To see what the status of these fixes are other than pouring > through the change logs for MIT Kerberos. > I don't want to get in to a Kerberos holy war but most of these are > really old bugs in MIT Kerberos that made me abandon the Idea of ever > using the MIT server in production over a decade ago. I know exactly > the issues that lead to the Samba group choose to code only to Heimdal > all too well because I first remember hitting them and reporting them > back 2001 to the Samba group via usenet. > The big thing for me is the thread safety because this often caused > the MIT Kerberos server to crash then Samba was running in domain mode > on the same box, Honestly I still don't trust MIT's implementation in > a mission critical environment, A great deal of things have changed since 2001, but I guess the real thing to do here is to answer a question with a question. What specific 'bugs' are you concerned with regarding MIT Kerberos? 
I maintain a very large global FreeIPA deployment with heavy Kerberos SSO, Sudo, and LDAP Usage. Things are quite stable. "Keeping your head in the cloud" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino | Sr. Information Security Specialist GIAC Certified Incident Handler | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 T: +1 805.690.3478 jr.aquino at citrix.com http://www.citrixonline.com From simo at redhat.com Thu Apr 26 17:20:57 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 26 Apr 2012 13:20:57 -0400 Subject: [Freeipa-users] A couple of quick questions about FreeIPA In-Reply-To: References: Message-ID: <1335460857.5722.10.camel@willson.li.ssimo.org> On Thu, 2012-04-26 at 12:57 -0400, Paul Robert Marino wrote: > Hello > I'm trying to figure out if free IPA is a good solution for my > environment or if i should just construct a custom infrastructure with > 389 server and i just have a couple of quick questions. I have a long > history working with LDAPv3 and I'm currently planing a new > infrastructure for my current employer. I've worked with OpenLDAP 389 > server and even 389 servers original incarnation when Netscape was > still around > > 1) Can the Kerberos server be on an other box. > I'm not a python programer so I haven't been able to test it my self > but many of the Kerberos calls look like wrappers to the C libraries. > if so than it might be possible No. Our install scripts support setting up the KDC only locally on the same box for various reasons of simplicity and performance. > 2) Can I configure it not to store the Kerberos data in the LDAP > server. I don't like the chicken and the egg authentication conundrum > this can cause, and I have no intention of allowing users to use > LDAPv2 so I actually don't want the password field in the database or > at least blocked by an ACL so it cant be used. 
I personally find the > fact that applications still use this field for authentication > appalling because it essentially turned back the clock to before > shadow password files. No, KDC data is in LDAP, but there is no chicken/egg issue, plus we do not expose userPassword nor any of the krb5 keys to users (keys are exposed to the KDC process of course). You have to use LDAP simple binds or SASL/GSSAPI binds to authenticate when you use IPA. > 3) This is the most important question, there has been a lot of talk > about fixing the issues with MIT Kerberos. Is there someplace I can > look To see what the status of these fixes are other than pouring > through the change logs for MIT Kerberos. Plans for what goes in various MIT Kerberos releases are generally available on http://k5wiki.kerberos.org/, but the changelog is the authoritative source of info for what is fixed in current releases. > I don't want to get in to a Kerberos holy war but most of these are > really old bugs in MIT Kerberos that made me abandon the Idea of ever > using the MIT server in production over a decade ago. I know exactly > the issues that lead to the Samba group choose to code only to Heimdal > all too well because I first remember hitting them and reporting them > back 2001 to the Samba group via usenet. > The big thing for me is the thread safety because this often caused > the MIT Kerberos server to crash then Samba was running in domain mode > on the same box, Honestly I still don't trust MIT's implementation in > a mission critical environment, MIT Kerberos libraries are thread safe, this has been the case for a long while now. If you have specific questions or doubts feel free to ask. Simo. 
--
Simo Sorce * Red Hat, Inc * New York

From cao2dan at yahoo.com Thu Apr 26 20:51:01 2012
From: cao2dan at yahoo.com (hshhs caca)
Date: Thu, 26 Apr 2012 13:51:01 -0700 (PDT)
Subject: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
In-Reply-To: <4F998385.9070001@redhat.com>
References: <4F998385.9070001@redhat.com>
Message-ID: <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com>

Hi folks,

When evaluating migration from an existing separate LDAP/Kerberos solution to integrated IPA, I got confused on the purposes of the Dogtag Certificate system inside IPA. What are the main purposes of it? Or what value does it bring to IPA?

I can see the points of the KDC and 389 Directory Server parts, even NTP and DNS, but not of Dogtag. Frankly, I am not sure where I should put it. Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on the client and then the krb5 tools/libs will do their work happily. Then why should I authenticate a machine with a certificate, or certificate+keytab -- either way the certificate part is a MUST -- see document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).

A close question is: what are the main points/benefits of machine authentication? Because with a traditional keytab based kerberos setup, the users, machines and services can authenticate no problem, then why do we need an extra authentication with a machine certificate as a must?

Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install script? What is its purpose?

Last problem is: after I followed the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still can not run the 'ipa user-find' command on the client, while another Linux client of the same type installed with 'ipa-client-install' has no problem running it. Is there any difference between manual and automatic installations?

Sorry I got too many questions and probably more, as I read through the Redhat IPA document several times, and every time more questions pop up. :)

Thanks a lot.

--Robinson

From prmarino1 at gmail.com Thu Apr 26 20:52:51 2012
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Thu, 26 Apr 2012 16:52:51 -0400
Subject: [Freeipa-users] A couple of quick questions about FreeIPA
In-Reply-To: <1335460857.5722.10.camel@willson.li.ssimo.org>
References: <1335460857.5722.10.camel@willson.li.ssimo.org>
Message-ID:

Thank you everyone for answering so quickly.

On Thu, Apr 26, 2012 at 1:20 PM, Simo Sorce wrote:
> On Thu, 2012-04-26 at 12:57 -0400, Paul Robert Marino wrote:
>> Hello
>> I'm trying to figure out if free IPA is a good solution for my
>> environment or if I should just construct a custom infrastructure with
>> 389 server, and I just have a couple of quick questions. I have a long
>> history working with LDAPv3 and I'm currently planning a new
>> infrastructure for my current employer. I've worked with OpenLDAP, 389
>> server and even 389 server's original incarnation when Netscape was
>> still around.
>>
>> 1) Can the Kerberos server be on another box?
>> I'm not a python programmer so I haven't been able to test it myself,
>> but many of the Kerberos calls look like wrappers to the C libraries.
>> If so then it might be possible.
>
> No.
> Our install scripts support setting up the KDC only locally on the same
> box for various reasons of simplicity and performance.
I understand the reasoning I just don't like sub components to be too dependent on each other, especially when talking about distributed authentication infrastructures. Ive had instances where a bug in a piece of software (or just a poorly written piece of software) has opened a ridiculous number of connections and caused cascading failures of LDAP servers due to exceeding the max file handle limit on the boxes usually its web apps that do it. In those instances the only thing that bought me enough time to deal with the issues before it caused a serious outage was the fact that my Kerberos servers were not effected and the fact that I had properly tuned nscd on the boxes. I know ssd and pam_nss are planed to completely replace it but I still find nscd very useful, and every place I've seen it cause problems it was because it was never properly tuned e.g. if you have a web server that accepts 1000 or more connections the maximum number of threads being limited to default of 32 is obviously far too low and results in the Apache processes DOSing it. that's how it winds up in states where it eats an entire cpu core and never seems to answer any queries essentially its still working through its backlog of expired queries, and eventually crashes if the problem persists. I also tend to double the deceptively named " suggested size" for passwd, group, and hosts as i find it significantly improves the hit rate and max number of cached values. > >> 2) Can I configure it not to store the Kerberos data in the LDAP >> server. I don't like the chicken ?and the egg authentication conundrum >> this can cause, and I have no intention of allowing users to use >> LDAPv2 so I actually don't want the password field in the database or >> at least blocked by an ACL so it cant be used. I personally find the >> fact that applications still use this field for authentication >> appalling because it essentially turned back the clock to before >> shadow password files. 
> > No, KDC data is in LDAP, but there is no chicken/egg issue, plus we do > not expose userPassword nor any of the krb5 keys to users (keys are > exposed to the KDC process of course). > You have to use LDAP simple binds or SASL/GSSAPI binds to authenticate > when you use IPA. glad to hear the userPassword is not exposed however many poorly written applications expect to login as a user that can see the field and than do the authentication themselves rather than doing a bind for each user who logs in. even Apaches LDAP auth modules do this, personally I think the idea behind "Auth MemCache Cookie" sounds close to the ideal way web apps should handle authentication for this kind of thing even for non LDAP auth because it avoids doing a full login for every file downloaded although admittedly I haven't tried that module yet. > >> 3) This is the most important question, there has been a lot of talk >> about fixing the issues with MIT Kerberos. Is there someplace I can >> look To see what the status of these fixes are other than pouring >> through the change logs for MIT Kerberos. > > Plans for what goes in various MIT Kerberos releases are generally > available on http://k5wiki.kerberos.org/, but the changelog is the > authoritative source of info for what is fixed in current releases. > >> I don't want to get in to a Kerberos holy war but most of these are >> really old bugs in MIT Kerberos that made me abandon the Idea of ever >> using the MIT server in production over a decade ago. I know exactly >> the issues that lead to the Samba group choose to code only to Heimdal >> all too well because I first remember hitting them and reporting them >> back 2001 to the Samba group via usenet. 
>> The big thing for me is the thread safety because this often caused >> the MIT Kerberos server to crash then Samba was running in domain mode >> on the same box, Honestly I still don't trust MIT's implementation in >> a mission critical environment, > > MIT Kerberos libraries are thread safe, this has been the case for a > long while now. If you have specific questions or doubts feel free to > ask. Glad to hear that the thread safety was fixed it has been a few years since i looked to that.it use to be quite a serious problem and not just for Samba, for those of you who were familiar with it. it was a libkrb5 issue that was caused usually when a multi-threaded app would try to simultaneously via local socket instead of the network. These condition usually resulted the Kerberos server crashing. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > I still have to think about it because there are still a few separation things I would like to do that I would still be prohibited from doing on one set of servers like have a second realm and OU just for my network gear. but ill definitely do some experiments before i make my final decision. From Steven.Jones at vuw.ac.nz Thu Apr 26 21:18:56 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 26 Apr 2012 21:18:56 +0000 Subject: [Freeipa-users] IPv6 Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC8477D@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, FYI, I shutdown IPv6 as we dont do IPv6 and found that IPA wouldnt work....slight oops there... 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From simo at redhat.com Thu Apr 26 21:40:48 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 26 Apr 2012 17:40:48 -0400 Subject: [Freeipa-users] A couple of quick questions about FreeIPA In-Reply-To: References: <1335460857.5722.10.camel@willson.li.ssimo.org> Message-ID: <1335476448.5722.22.camel@willson.li.ssimo.org> On Thu, 2012-04-26 at 16:52 -0400, Paul Robert Marino wrote: > Thank You every one for answering so quickly > I understand the reasoning I just don't like sub components to be too > dependent on each other, especially when talking about distributed > authentication infrastructures. > Ive had instances where a bug in a piece of software (or just a poorly > written piece of software) has opened a ridiculous number of > connections and caused cascading failures of LDAP servers due to > exceeding the max file handle limit on the boxes usually its web apps > that do it. > In those instances the only thing that bought me enough time to deal > with the issues before it caused a serious outage was the fact that my > Kerberos servers were not effected and the fact that I had properly > tuned nscd on the boxes. Use replicas with forntend servers, that way you will at most bring down a replica but not the core infrastructure. > I know ssd and pam_nss are planed to completely replace it but I still > find nscd very useful, and every place I've seen it cause problems it > was because it was never properly tuned e.g. if you have a web server > that accepts 1000 or more connections the maximum number of threads > being limited to default of 32 is obviously far too low and results in > the Apache processes DOSing it. that's how it winds up in states where > it eats an entire cpu core and never seems to answer any queries > essentially its still working through its backlog of expired queries, > and eventually crashes if the problem persists. 
I also tend to double > the deceptively named " suggested size" for passwd, group, and hosts > as i find it significantly improves the hit rate and max number of > cached values. Yes, tuning is always important when dealing with network facing services, you will be required to tune your installations in all cases. With sssd we replace nscd simply because it knows better when it make sense to make a query, how to pool queries, and when servers are not reachable and it can immediately answer back. Also we added a shmem bases cache to pam_sss in master that brings performance on par with nscd for the cases where it matters most. > glad to hear the userPassword is not exposed > however many poorly written applications expect to login as a user > that can see the field and than do the authentication themselves > rather than doing a bind for each user who logs in. Well we have no magic wand here do we :-) If you have those applications you will have to decide if it is a good idea to relax permissions on userPassword or if it is possible to modify the application or use alternatives. > even Apaches LDAP auth modules do this, personally I think the idea > behind "Auth MemCache Cookie" sounds close to the ideal way web apps > should handle authentication for this kind of thing even for non LDAP > auth because it avoids doing a full login for every file downloaded > although admittedly I haven't tried that module yet. Yes, we are planning to eventually extend this method to a usable method for third party apps on other servers through standard APIs, but we are not there yet. 
> Glad to hear that the thread safety was fixed it has been a few years > since i looked to that.it use to be quite a serious problem and not > just for Samba, FWIW all of samba except libsmbclient is not multi-threaded and is largely non multi-thread safe, so I am not really sure why that would have been an issue there, but it is fixed, and we are all happy now :) > for those of you who were familiar with it. it was a libkrb5 issue > that was caused usually when a multi-threaded app would try to > simultaneously via local socket instead of the network. These > condition usually resulted the Kerberos server crashing. A few other samba libraries cough*nss_winbindd*cough were also not thread safe until relatively recently ... this things happen, and they get fixed. > I still have to think about it because there are still a few > separation things I would like to do that I would still be prohibited > from doing on one set of servers like have a second realm and OU just > for my network gear. > but ill definitely do some experiments before i make my final decision. We are working on cross realm trust as the next big feature, that will allow you to have a separate infrastructure for network gear if you like and still be able to authenticate from one realm to the other. IPA-IPA cross realm is not fully tabled yet, it will come after our first stab at AD-IPA cross realm trust support. Simo. 
--
Simo Sorce * Red Hat, Inc * New York

From simo at redhat.com Thu Apr 26 21:42:07 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 26 Apr 2012 17:42:07 -0400
Subject: [Freeipa-users] IPv6
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC8477D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CC8477D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1335476527.5722.23.camel@willson.li.ssimo.org>

On Thu, 2012-04-26 at 21:18 +0000, Steven Jones wrote:
> Hi,
>
> FYI,
>
> I shut down IPv6 as we don't do IPv6 and found that IPA wouldn't work....slight oops there...

Hi Steve,
can you be more explicit on how you 'shutdown' IPv6 ?
And can you please tell exactly how IPA breaks in that case ?
Is this after IPA is fully installed ? Or does the installer fail ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From cao2dan at yahoo.com Thu Apr 26 22:51:56 2012
From: cao2dan at yahoo.com (hshhs caca)
Date: Thu, 26 Apr 2012 15:51:56 -0700 (PDT)
Subject: [Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.
In-Reply-To: <4F998385.9070001@redhat.com>
References: <4F998385.9070001@redhat.com>
Message-ID: <1335480716.53812.YahooMailNeo@web125706.mail.ne1.yahoo.com>

Hi folks,

I'm pretty new to freeIPA. And here is a freeIPA installation problem encountered in my work. For company policy reasons we can not use ipa-client-install on Linux clients; instead the manual installation method is in use and most of the freeIPA client config files are pushed out with cfengine. The problem details/steps are listed below:

1, following the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html, we registered all clients in the IPA master, created and downloaded into subversion the keytab files for all clients, then used 'ipa-client-install' on one client and saved the config files into subversion too.

2, when a new Linux node is newly deployed, we deploy the files below onto the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf, /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac, smartcard-auth-ac}, with permissions and ownership set up correctly.

3, then we tested the kerberos commands kinit/kdestroy/klist and they were all working; we tested 'getent passwd ', 'getent group ipausers' and they were working too; at last we tried ssh/login and they were working as expected as well.

4, at this step I could claim that IPA authentication and authorization worked successfully. Then I continued to try the IPA admin command, but unexpectedly it failed.

[root at ipaclient04 ~]# ipa
ipa: ERROR: Client is not configured. Run ipa-client-install.
[root at ipaclient04 ~]# ipa user-find
ipa: ERROR: Client is not configured. Run ipa-client-install.
[root at ipaclient04 ~]#

5, so I copied the files /etc/ca.crt and /etc/default.conf from a client installed with 'ipa-client-install' to this manual client, and tried the above command again; they stopped whining and showed the help screen as expected, but real IPA administration commands failed with the following error prompts:

[root at ipaclient04 ~]# ipa user-find
ipa: ERROR: cert validation failed for "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.

6, So it looks like there are some kinds of new authentication steps I have missed somewhere -- I could not find any clue in the Redhat IPA document for further steps -- I tried several times but the results are not fruitful. Could anyone please shed a light here? Thanks a lot.

-- David
From cao2dan at yahoo.com Thu Apr 26 23:10:53 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 26 Apr 2012 16:10:53 -0700 (PDT)
Subject: [Freeipa-users] IPA Bug??: IPA replica installation problem on IPV4-only nodes
In-Reply-To: <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com>
References: <4F998385.9070001@redhat.com> <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com>
Message-ID: <1335481853.64709.YahooMailNeo@web125701.mail.ne1.yahoo.com>

IPA Replica installation fails on an IPV4 Linux box. The exception/messages on screen are:

...
error: [Errno 97] Address family not supported by protocol
...

After looking into the python code, it was found that the IPA program tried to test both IPV4 and IPv6 address families, and it failed there when IPV6 is turned off.

So I turned on IPV6 again, tried ipa-conncheck again and it works this time.

--David

________________________________
From: hshhs caca
To: "freeipa-users at redhat.com"
Sent: Thursday, April 26, 2012 1:51 PM
Subject: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA

Hi folks,

When evaluating migration from an existing separate LDAP/Kerberos solution to integrated IPA, I got confused on the purposes of the Dogtag Certificate system inside IPA. What are the main purposes of it? Or what value does it bring to IPA?

I can see the points of the KDC and 389 Directory Server parts, even NTP and DNS, but not of Dogtag. Frankly, I am not sure where I should put it. Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on the client and then the krb5 tools/libs will do their work happily. Then why should I authenticate a machine with a certificate, or certificate+keytab -- either way the certificate part is a MUST -- see document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).

A close question is: what are the main points/benefits of machine authentication? Because with a traditional keytab based kerberos setup, the users, machines and services can authenticate no problem, then why do we need an extra authentication with a machine certificate as a must?

Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install script? What is its purpose?

Last problem is: after I followed the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still can not run the 'ipa user-find' command on the client, while another Linux client of the same type installed with 'ipa-client-install' has no problem running it. Is there any difference between manual and automatic installations?

Sorry I got too many questions and probably more, as I read through the Redhat IPA document several times, and every time more questions pop up. :)

Thanks a lot.

--Robinson

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From sbingram at gmail.com Fri Apr 27 01:01:18 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 26 Apr 2012 18:01:18 -0700
Subject: [Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.
In-Reply-To: <1335480716.53812.YahooMailNeo@web125706.mail.ne1.yahoo.com>
References: <4F998385.9070001@redhat.com> <1335480716.53812.YahooMailNeo@web125706.mail.ne1.yahoo.com>
Message-ID:

On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca wrote:
> Hi folks,
>
> I'm pretty new to freeIPA. And here is a freeIPA installation problem
> encountered in my work. For company policy reasons we can not use
> ipa-client-install on Linux clients; instead the manual installation method is
> in use and most of the freeIPA client config files are pushed out with
> cfengine. The problem details/steps are listed below:
>
> 1, following the steps at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html,
> we registered all clients in the IPA master, created and downloaded into
> subversion the keytab files for all clients, then used 'ipa-client-install'
> on one client and saved the config files into subversion too.
>
> 2, when a new Linux node is newly deployed, we deploy the files below onto
> the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf,
> /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac,
> smartcard-auth-ac}, with permissions and ownership set up correctly.
>
> 3, then we tested the kerberos commands kinit/kdestroy/klist and they were all
> working; we tested 'getent passwd ', 'getent group ipausers' and
> they were working too; at last we tried ssh/login and they were working as
> expected as well.
>
> 4, at this step I could claim that IPA authentication and authorization
> worked successfully. Then I continued to try the IPA admin command, but
> unexpectedly it failed.
>
> [root at ipaclient04 ~]# ipa
> ipa: ERROR: Client is not configured. Run ipa-client-install.
> [root at ipaclient04 ~]# ipa user-find
> ipa: ERROR: Client is not configured. Run ipa-client-install.
> [root at ipaclient04 ~]#
>
> 5, so I copied the files /etc/ca.crt and /etc/default.conf from a client
> installed with 'ipa-client-install' to this manual client, and tried the
> above command again; they stopped whining and showed the help screen as
> expected, but real IPA administration commands failed with the following
> error prompts:
>
> [root at ipaclient04 ~]# ipa user-find
> ipa: ERROR: cert validation failed for
> "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
> Peer's certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml':
> [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has
> been marked as not trusted by the user.
>
> 6, So it looks like there are some kinds of new authentication steps I have
> missed somewhere -- I could not find any clue in the Redhat IPA document for
> further steps -- I tried several times but the results are not fruitful. Could
> anyone please shed a light here? Thanks a lot.

David-

It looks like you didn't import the CA into the host certificate store in
/etc/pki/nssdb. I believe those commands require that you trust your IPA CA.
You can import the CA with:

certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt

Also, make sure and generate a host cert for the machine (also in
/etc/pki/nssdb) and have IPA sign it.

Steve

From cao2dan at yahoo.com Fri Apr 27 02:08:17 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 26 Apr 2012 19:08:17 -0700 (PDT)
Subject: [Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.
Message-ID: <1335492497.89975.YahooMailNeo@web125703.mail.ne1.yahoo.com>

Hi, Stephen,

Thanks for your reply, and it works great, though I still have one question around the host cert -- what are the typical usage scenarios of the host cert for IPA clients?
>
>>
>> On 4/26/12 6:01 PM, "Stephen Ingram" wrote:
>>
>> On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca wrote:
>>> Hi folks,
>>>
>>> I'm pretty new to freeIPA. And here is a freeIPA installation problem encountered in my work. For company policy reasons we cannot use ipa-client-install on Linux clients; instead the manual installation method is in use and most of the freeIPA client config files are pushed out with cfengine. The problem details/steps are listed below:
>>>
>>> 1, following the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html, we registered all clients in the IPA master, created and downloaded into subversion the keytab files for all clients, then used 'ipa-client-install' on one client and saved the config files into subversion too.
>>>
>>> 2, when a new Linux node is newly deployed, we deploy the files below onto the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf, /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac, smartcard-auth-ac}, with permissions and ownership set up correctly.
>>>
>>> 3, then we tested the kerberos commands kinit/kdestroy/klist and they were all working; we tested 'getent passwd ', 'getent group ipausers' and they were working too; at last we tried ssh/login and they were working as expected as well.
>>>
>>> 4, at this step I could claim that IPA authentication and authorization worked successfully. Then I continued to try the IPA admin commands but unexpectedly they failed.
>>>
>>> [root at ipaclient04 ~]# ipa
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root at ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root at ipaclient04 ~]#
>>>
>>> [root at ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: cert validation failed for "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
>>>
>>> 6, So it looks like there are some kinds of new authentication steps I have missed somewhere -- could not find any clue in the Red Hat IPA document for further steps -- I tried several times but the results are not fruitful. Could anyone please shed some light here? Thanks a lot.
>>
>> David-
>>
>> It looks like you didn't import the CA into the host certificate store in /etc/pki/nssdb. I believe those commands require that you trust your IPA CA. You can import the CA with:
>>
>> certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>>
>
> That is the magic finger!! And the IPA commands 'ipa user-find', 'ipa host-add', etc. work without a glitch.
>>
>> Also, make sure and generate a host cert for the machine (also in /etc/pki/nssdb) and have IPA sign it.
>>
>
> I have to fire up the services messagebus and certmonger, and then run the 'ipa-getcert request' command to generate a CSR, send it to the IPA master to sign it, save the certificate at the IPA master, and save the host private key / certificate locally under /etc/pki/nssdb.
>
> So what are the benefits of host certificates? Basically, what are the usage scenarios to allure users to go through these efforts to register and renew a host certificate? I am new to host certificates (not httpd SSL certificates) and really not sure where they can be helpful.
>
> Thanks.
>
> --David
>
>>> 5, so I copied the files /etc/ca.crt and /etc/default.conf from a client installed with 'ipa-client-install' to this manual client, and tried the above commands again and they stopped whining and showed the help screen as expected; but real IPA administration commands failed with the following error prompts:
>

From cao2dan at yahoo.com Fri Apr 27 02:58:28 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Thu, 26 Apr 2012 19:58:28 -0700 (PDT)
Subject: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
In-Reply-To: <1335476448.5722.22.camel@willson.li.ssimo.org>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org>
Message-ID: <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>

Hi,

Just have a silly case where I have to download the existing version of the keytab for a service principal. It is download only -- not recreate a new version and download the new version, which is what ipa-getkeytab does. -- The ipa-getkeytab command name seems a little bit misleading because it does both 'set' and 'get' operations.

I've overheard that there is a way to get it from the underlying 389 directory server but I'm not sure how to do it. Can anyone please shed some light on this? Similarly, how to download a host certificate from Dogtag, because 'ipa-getcert request' also resets it -- I may be wrong and so please feel free to correct me :); or how about a user principal's keytab from 389 too? Thanks a lot.

--David

From sbingram at gmail.com Fri Apr 27 06:15:49 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 26 Apr 2012 23:15:49 -0700
Subject: [Freeipa-users] Manually installed IPA clients failes to run 'ipa user-find', 'ipa host-find', etc.
In-Reply-To: <1335492497.89975.YahooMailNeo@web125703.mail.ne1.yahoo.com>
References: <1335492497.89975.YahooMailNeo@web125703.mail.ne1.yahoo.com>
Message-ID:

On Thu, Apr 26, 2012 at 7:08 PM, David Copperfield wrote:
> Hi, Stephen,
>
> Thanks for your reply, and it works great, though I still have one question around the host cert -- what are the typical usage scenarios of the host cert for IPA clients?
>
>>
>>
>> On 4/26/12 6:01 PM, "Stephen Ingram" wrote:
>>
>> On Thu, Apr 26, 2012 at 3:51 PM, hshhs caca wrote:
>>> Hi folks,
>>>
>>> I'm pretty new to freeIPA. And here is a freeIPA installation problem encountered in my work. For company policy reasons we cannot use ipa-client-install on Linux clients; instead the manual installation method is in use and most of the freeIPA client config files are pushed out with cfengine. The problem details/steps are listed below:
>>>
>>> 1, following the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html, we registered all clients in the IPA master, created and downloaded into subversion the keytab files for all clients, then used 'ipa-client-install' on one client and saved the config files into subversion too.
>>>
>>> 2, when a new Linux node is newly deployed, we deploy the files below onto the nodes: /etc/{krb5.conf, krb5.keytab,nsswitch.conf}, /etc/sssd/sssd.conf, /etc/pam.d/{fingerprint-auth-ac, password-auth-ac, system-auth-ac, smartcard-auth-ac}, with permissions and ownership set up correctly.
>>>
>>> 3, then we tested the kerberos commands kinit/kdestroy/klist and they were all working; we tested 'getent passwd ', 'getent group ipausers' and they were working too; at last we tried ssh/login and they were working as expected as well.
>>>
>>> 4, at this step I could claim that IPA authentication and authorization worked successfully. Then I continued to try the IPA admin commands but unexpectedly they failed.
>>>
>>> [root at ipaclient04 ~]# ipa
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root at ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: Client is not configured. Run ipa-client-install.
>>> [root at ipaclient04 ~]#
>>>
>>> [root at ipaclient04 ~]# ipa user-find
>>> ipa: ERROR: cert validation failed for "CN=ipamaster.pegaclouds.com,O=PEGACLOUDS.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
>>> ipa: ERROR: cannot connect to u'https://ipamaster.pegaclouds.com/ipa/xml': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
>>>
>>> 6, So it looks like there are some kinds of new authentication steps I have missed somewhere -- could not find any clue in the Red Hat IPA document for further steps -- I tried several times but the results are not fruitful. Could anyone please shed some light here? Thanks a lot.
>>
>> David-
>>
>> It looks like you didn't import the CA into the host certificate store in /etc/pki/nssdb. I believe those commands require that you trust your IPA CA. You can import the CA with:
>>
>> certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
>>
>
> That is the magic finger!! And the IPA commands 'ipa user-find', 'ipa host-add', etc. work without a glitch.

Excellent! I really enjoy the fact that all of this can be done manually as well as automatically by ipa-client-install. I think it speaks well of the design of IPA, instead of working with some closed-up box where, if it breaks, you really have no idea of how to fix it.

>> Also, make sure and generate a host cert for the machine (also in /etc/pki/nssdb) and have IPA sign it.
>>
>
> I have to fire up the services messagebus and certmonger, and then run the 'ipa-getcert request' command to generate a CSR, send it to the IPA master to sign it, save the certificate at the IPA master, and save the host private key / certificate locally under /etc/pki/nssdb.
>
> So what are the benefits of host certificates? Basically, what are the usage scenarios to allure users to go through these efforts to register and renew a host certificate? I am new to host certificates (not httpd SSL certificates) and really not sure where they can be helpful.
>
> Thanks.
>
> --David

The host and CA certificates are used in IPA to provide some sort of assurance that you are talking to whom you think you are talking to, such that you won't be sending IPA commands to just anyone. Also, it's nice for IPA to have some assurance of who the machine making the requests is.

Steve

From pspacek at redhat.com Fri Apr 27 08:45:10 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 27 Apr 2012 10:45:10 +0200
Subject: [Freeipa-users] IPv6
In-Reply-To: <1335476527.5722.23.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E404CC8477D@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335476527.5722.23.camel@willson.li.ssimo.org>
Message-ID: <4F9A5C96.8060106@redhat.com>

On 04/26/2012 11:42 PM, Simo Sorce wrote:
> On Thu, 2012-04-26 at 21:18 +0000, Steven Jones wrote:
>> Hi,
>>
>> FYI,
>>
>> I shut down IPv6 as we don't do IPv6 and found that IPA wouldn't work....slight oops there...
>
> Hi Steve,
> can you be more explicit on how you 'shutdown' IPv6 ?
> And can you please tell exactly how IPA breaks in that case ?
>
> Is this after IPA is fully installed ? Or does the installer fail ?
>
> Simo.
>

Is it the same issue as described in https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ?
Petr^2 Spacek

From jdennis at redhat.com Fri Apr 27 12:43:45 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 27 Apr 2012 08:43:45 -0400
Subject: [Freeipa-users] IPv6
In-Reply-To: <4F9A5C96.8060106@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC8477D@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335476527.5722.23.camel@willson.li.ssimo.org> <4F9A5C96.8060106@redhat.com>
Message-ID: <4F9A9481.5000705@redhat.com>

On 04/27/2012 04:45 AM, Petr Spacek wrote:
> On 04/26/2012 11:42 PM, Simo Sorce wrote:
>> On Thu, 2012-04-26 at 21:18 +0000, Steven Jones wrote:
>>> Hi,
>>>
>>> FYI,
>>>
>>> I shut down IPv6 as we don't do IPv6 and found that IPA wouldn't work....slight oops there...
>>
>> Hi Steve,
>> can you be more explicit on how you 'shutdown' IPv6 ?
>> And can you please tell exactly how IPA breaks in that case ?
>>
>> Is this after IPA is fully installed ? Or does the installer fail ?
>>
>> Simo.
>>
> Is it the same issue as described in https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ?

We do IPv6 in several places, but a while ago I noticed that the way we iterate over address families in nsslib in conjunction with getaddrinfo (the io.AddrInfo class) looks dubious; it seems overly complex, as if it's trying to force a family selection (not sure, I would have to go back and really look at the code again).

In any event, getaddrinfo is designed to return a list of possible addresses sorted in priority order by the system. You're supposed to start at the first address in the list and see if you can connect; if not, try the next address. You're not supposed to take addresses from the list based on some other criteria (which is what we seem to be doing with the family).

FWIW, the raw C lib getaddrinfo allows one to specify constraints (such as family); unfortunately NSPR (the wrapper around getaddrinfo in nsslib) does not permit this, not sure why (probably because NSPR has to fall back to other mechanisms if getaddrinfo is not available).

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From lagern at lafayette.edu Fri Apr 27 15:52:43 2012
From: lagern at lafayette.edu (Nathan Lager)
Date: Fri, 27 Apr 2012 11:52:43 -0400
Subject: [Freeipa-users] IPA, kerberos ticket issue for web admin.
In-Reply-To: <4F957C1F.8030301@redhat.com>
References: <4F916793.9090003@lafayette.edu> <4F9183A1.2090502@redhat.com> <4F91A361.6090208@lafayette.edu> <4F91AA60.8080007@redhat.com> <4F95676C.9000309@lafayette.edu> <4F957C1F.8030301@redhat.com>
Message-ID: <4F9AC0CB.6080902@lafayette.edu>

On 04/23/2012 11:58 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>>
>> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>>> Have you configured the browser for Kerberos?
>>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>>
>>> That error seems to indicate that the domain isn't defined in
>>> network.negotiate-auth.trusted-uris
>>>
>>> regards
>>>
>>> rob
>>
>> I've been through the clicky-clicky that ipa's web gui sends you through (accepting the certs, and configuring the browser) a number of times. I just confirmed the trusted URIs and delegation URIs. They are both correct; they look like: .my.ipa.domain.com
>>
>> I even tried resetting delegation-uris and trusted-uris to the default, and then allowing the ipa web gui to re-configure them; it hasn't helped.
>>
>> Thanks for the response. Sorry for the delay in mine.
>
> Hmm, that is very strange.
> The code in question in Firefox looks like:
>
>     bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
>     if (!allowed) {
>         LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
>         return NS_ERROR_ABORT;
>     }
>
> which seems to be the error you are seeing. It's a shame there isn't more logging around the URIs.
>
> I see that you had enabled debug logging on the Apache side. Can you provide some more context on the failed request?
>
> thanks
>
> rob

Again, sorry for the delay. This is just one in my long list of current projects. Here's the requested log data. It's a tail -f of the access and error logs. Server name and client IP stripped.

==> error_log <==
[Fri Apr 27 11:47:04 2012] [info] Connection to child 0 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:04 -0400] "POST /ca/ocsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 0 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [error] [client xxx.xxx.xxx.xxx] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "GET /ipa/ui/develop.js HTTP/1.1" 404 306

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 0 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 6 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json HTTP/1.1" 401 1771

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

--
Nathan Lager, RHCSA, RHCE (#110-011-426)

From dpal at redhat.com Fri Apr 27 18:37:01 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 27 Apr 2012 14:37:01 -0400
Subject: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
In-Reply-To: <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com>
References: <4F998385.9070001@redhat.com> <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com>
Message-ID: <4F9AE74D.80401@redhat.com>

On 04/26/2012 04:51 PM, hshhs caca wrote:
>
> Hi folks,
>
> When evaluating migration from an existing separate LDAP/Kerberos solution to integrated IPA, I got confused about the purposes of the Dogtag Certificate system inside IPA. What are the main purposes of it? Or what value does it bring to IPA?
>
> I can see the points of the KDC and 389 Directory Server parts, even NTP and DNS, but not for Dogtag. Frankly, I am not sure where I should put it. Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on the client and then the krb5 tools/libs will do their work happily. Then why should I authenticate a machine with a certificate, or certificate+keytab -- either way the certificate part is a MUST -- see document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).
>
> A close question is: what are the main points/benefits of machine authentication?
> Because with a traditional keytab-based Kerberos setup, the users, machines and services can authenticate no problem, so why do we need an extra authentication with a machine certificate as a must?
>
> Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install script. What is its purpose?
>
> Last problem is: after I followed the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still cannot run the 'ipa user-find' command on the client, while another Linux client of the same type installed with 'ipa-client-install' has no problem running it. Is there any difference between manual and automatic installations?
>
> Sorry I got too many questions and probably more, as I read through the Red Hat IPA document several times, and every time more questions pop up. :)
>
> Thanks a lot.
>

Let us take one at a time.

Dogtag is the certificate system. Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication. The certificates need to be issued, so IPA can issue certs for those services in your environment.

There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert.

There will be more certificate-related features over time. They would include support of pkinit, issuance and management of user certificates, and many others. Some of the work has started but is not complete; this is why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.

Hope it clarifies things.

What is the reason for manually configuring the client?

> --Robinson
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

From dpal at redhat.com Fri Apr 27 18:37:55 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 27 Apr 2012 14:37:55 -0400
Subject: [Freeipa-users] IPA Bug??: IPA replica installation problem on IPV4-only nodes
In-Reply-To: <1335481853.64709.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <4F998385.9070001@redhat.com> <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com> <1335481853.64709.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <4F9AE783.1080306@redhat.com>

On 04/26/2012 07:10 PM, David Copperfield wrote:
> IPA replica installation fails on an IPv4 Linux box. The exception/messages on screen are:
>
> ...
> error: [Errno 97] Address family not supported by protocol
> ...
>
> After looking into the Python code, it turns out that the IPA program tried to test both the IPv4 and IPv6 address families, and it failed there when IPv6 is turned off.
>
> So I turned IPv6 on again, tried ipa-conncheck again, and it works this time.
>

This rings a bell; I think we already have a ticket for that.

> --David
>
>
> ------------------------------------------------------------------------
> *From:* hshhs caca
> *To:* "freeipa-users at redhat.com"
> *Sent:* Thursday, April 26, 2012 1:51 PM
> *Subject:* [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
>
>
> Hi folks,
>
> When evaluating migration from an existing separate LDAP/Kerberos solution to integrated IPA, I got confused about the purposes of the Dogtag Certificate system inside IPA. What are the main purposes of it?
> Or what value does it bring to IPA?
>
> I can see the points of the KDC and 389 Directory Server parts, even NTP and DNS, but not for Dogtag. Frankly, I am not sure where I should put it. Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on the client and then the krb5 tools/libs will do their work happily. Then why should I authenticate a machine with a certificate, or certificate+keytab -- either way the certificate part is a MUST -- see document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).
>
> A close question is: what are the main points/benefits of machine authentication? Because with a traditional keytab-based Kerberos setup, the users, machines and services can authenticate no problem, so why do we need an extra authentication with a machine certificate as a must?
>
> Please help me clarify the question of why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install script. What is its purpose?
>
> Last problem is: after I followed the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still cannot run the 'ipa user-find' command on the client, while another Linux client of the same type installed with 'ipa-client-install' has no problem running it. Is there any difference between manual and automatic installations?
>
> Sorry I got too many questions and probably more, as I read through the Red Hat IPA document several times, and every time more questions pop up. :)
>
> Thanks a lot.
>
> --Robinson
>

--
Thank you,
Dmitri Pal

From dpal at redhat.com Fri Apr 27 18:52:20 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 27 Apr 2012 14:52:20 -0400
Subject: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
In-Reply-To: <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <4F9AEAE4.8000003@redhat.com>

On 04/26/2012 10:58 PM, David Copperfield wrote:
> Hi,
>
> Just have a silly case where I have to download the existing version of the keytab for a service principal. It is download only -- not recreate a new version and download the new version, which is what ipa-getkeytab does. -- The ipa-getkeytab command name seems a little bit misleading because it does both 'set' and 'get' operations.
>
> I've overheard that there is a way to get it from the underlying 389 directory server but I'm not sure how to do it. Can anyone please shed some light on this? Similarly, how to download a host certificate from Dogtag, because 'ipa-getcert request' also resets it -- I may be wrong and so please feel free to correct me :); or how about a user principal's keytab from 389 too? Thanks a lot.
>
> --David
>

Is it a one-time operation? If so you can use the ldapsearch utility. The object will have the ipaHost object class in IPA. You can use the Directory Manager credential to authenticate. I suggest you do it on the server and then deliver the key and the cert manually.

I thought that there was a flag for ipa-getkeytab to fetch the existing key, but my knowledge in this area is rusty. Same with the cert. Maybe someone else will chime in.

--
Thank you,
Dmitri Pal

From cao2dan at yahoo.com Fri Apr 27 19:05:34 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 27 Apr 2012 12:05:34 -0700 (PDT)
Subject: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA
In-Reply-To: <4F9AE74D.80401@redhat.com>
References: <4F998385.9070001@redhat.com> <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9AE74D.80401@redhat.com>
Message-ID: <1335553534.95430.YahooMailNeo@web125705.mail.ne1.yahoo.com>

>From: Dmitri Pal
>>
>
>Let us take one at a time.
>Dogtag is the certificate system.
>Web services and many other servers use certificates for SSL/TLS peer-to-peer confidentiality and authentication.
>The certificates need to be issued, so IPA can issue certs for those services in your environment.
>There is a client component called certmonger. Certmonger can track the expiration of the certs and connects to IPA automatically to acquire a new cert.
>There will be more certificate-related features over time. They would include support of pkinit, issuance and management of user certificates, and many others.
>Some of the work started but not complete, this why you might notice pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file. >>>Hope it clarifies things. > Thanks. That's pretty clear. certmonger and Dogtag could be a very useful combination. For my case, where internal/outside company web servers already have external certified 3-year wildcard certificates, and IPA/LDAP servers have the dogtag/certmonger installed for them, maybe I can put off installing host certificates and certmonger services on other IPA clients to save a few CPU cycles now? Sure I can turn certmonger on and create host certificates anytime as long as needs pop up later.> >What is the reason for manually configuring the client? The main purposes here is company policy. we use central config management systems to push out config files and etc. Basically we did it for seperate Kerberos and LDAP solutions, and not it is required to do that for IPA solution as well. Another benefit is, as long as I know how to do it manually, hen in case the compo script ipa-client-install is a overkill, I can do subcomponent only. Thanks. --David -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Fri Apr 27 19:15:08 2012 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 27 Apr 2012 15:15:08 -0400 Subject: [Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA In-Reply-To: <1335553534.95430.YahooMailNeo@web125705.mail.ne1.yahoo.com> References: <4F998385.9070001@redhat.com> <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9AE74D.80401@redhat.com> <1335553534.95430.YahooMailNeo@web125705.mail.ne1.yahoo.com> Message-ID: <4F9AF03C.5010405@redhat.com> On 04/27/2012 03:05 PM, David Copperfield wrote: > >From: Dmitri Pal > >> > > > >Let us teake one a time. > >Dogtag is the certificate system. > >Web services and many other servers use certificates for SSL/TLS > peer-to-peer confidentiality and authentication. 
> >The certificates needs to be issued so IPA can issue certs for those > services in your environment. > >There is a client component called certmonger. Certmonger can track > the expiration of the certs and connects to IPA automatically to > acquire a new cert.>There will be more certificate related features > over time. They would include support of pkinit, issuance and > management of the user certificates and many others. > >Some of the work started but not complete, this why you might notice > pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file. > >>>Hope it clarifies things. > > > Thanks. That's pretty clear. certmonger and Dogtag could be a very > useful combination. > For my case, where internal/outside company web servers already have > external certified 3-year wildcard certificates, and IPA/LDAP servers > have the dogtag/certmonger installed for them, maybe I can put off > installing host certificates and certmonger services on other IPA > clients to save a few CPU cycles now? > Up to you. > Sure I can turn certmonger on and create host certificates anytime as > long as needs pop up later.> > >What is the reason for manually configuring the client? > > The main purposes here is company policy. we use central config > management systems to push out config files and etc. Basically we did > it for seperate Kerberos and LDAP solutions, and not it is required to > do that for IPA solution as well. Another benefit is, as long as I > know how to do it manually, hen in case the compo script > ipa-client-install is a overkill, I can do subcomponent only. May be it would be helpful to share your experience on a IPA wiki page for others for follow with the similar use cases? Do you have something that I can post there? If you found anything missing in the documentation please file a BZ or ticket in upstream trac. > > Thanks. > > --David -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. 
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sgallagh at redhat.com Fri Apr 27 20:25:59 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 27 Apr 2012 16:25:59 -0400
Subject: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
In-Reply-To: <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <1335558359.877.33.camel@sgallagh520.sgallagh.bos.redhat.com>

On Thu, 2012-04-26 at 19:58 -0700, David Copperfield wrote:
> Hi,
>
>
> Just have a silly case where I've to download the existing version
> keytab for a service principal. It is download only -- not recreate a
> new version and download the new version which ipa-getkeytab does. --
> ipa-getkeytab command name seems a little bit misleading because it
> does both 'set' and 'get' operations.

Well, this is actually intentional. I'm curious what your reasoning is for wanting to access the original key. There really isn't any downside to just pulling a brand-new one for a host, and the upside is that you just rolled your keys, so if they happened to be compromised, you're safe now.

From nalin at redhat.com Fri Apr 27 20:34:18 2012
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 27 Apr 2012 16:34:18 -0400
Subject: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
In-Reply-To: <4F9AEAE4.8000003@redhat.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4F9AEAE4.8000003@redhat.com>
Message-ID: <20120427203418.GA14742@redhat.com>

On Fri, Apr 27, 2012 at 02:52:20PM -0400, Dmitri Pal wrote:
> I thought that there was a flag for ipa-getkeytab to fetch the existing key
> but my knowledge in this area is rusty. Same with the cert.
> Maybe someone else would chime in.

There's a way for certificates, at least.

If you still have the matching private key on the host (unless I'm mistaken, we don't have optional escrow yet, so if you don't have the private key, you're out of luck, and there's no point in bothering with any of this), you should be able to dig up the corresponding certificate.

Since the regular IPA machinery already knows how to pull up a certificate if you know its serial number, we just need to figure out the serial number. On the server, we search Dogtag's directory server instance by running:

    DOMAIN=EXAMPLE.COM
    FQDN=clientbox1.example.com
    ldapsearch -h localhost:7389 -x -D "cn=Directory Manager" -W \
        -b ou=certificateRepository,ou=ca,o=ipaca \
        subjectname="cn=$FQDN",o=$DOMAIN cn serialno

We'll need to supply the directory server administrator password. We'll get back the "cn" and "serialno" values for any matching entries. The "cn" values appear to be the serial numbers. If multiple certificates were issued to the host, we'll get more than one serial number back.

We can pass any of them to "ipa cert-show" to retrieve the certificate that was issued with that serial number. The "Certificate:" value is base64 without a header or footer, but we can pipe the whole value through OpenSSL's utility to both make sure we have the whole thing, and clean it up in the process. Run this command, and copy/paste the value into it:

    openssl base64 -d | openssl x509 -inform der

The result can be stored in the relevant file for use with OpenSSL, or imported into the relevant database for use with NSS.

Like Stephen noted about keytabs, though, there should be no harm in just issuing a new certificate for the host in question. Certificates are always issued with limited validity periods, so anything that breaks if/when a certificate is replaced needs to be fixed anyway.

HTH,

Nalin

From cao2dan at yahoo.com Sat Apr 28 03:20:08 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Fri, 27 Apr 2012 20:20:08 -0700 (PDT)
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>

Hi folks,

I'm completely lost at reading the IPA document on how to promote an IPA replica into a master IPA. When I try to follow the steps listed in the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System CA' at the link http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki, the last step 'g' said:

    g. Disable the redirect settings for CRL generation requests:
        master.ca.agent.host=hostname
        master.ca.agent.port=port number

The above instructions don't give any hints about 'hostname' or 'port number'. Users don't have any clues about them: should they be this replica's name, or the original master's name? And what is the port number? Is it a TCP port, or a UDP port?

As a serious evaluator of IPA, I have to think more than just for fun.
So it is a natural thought to think about disaster recovery and smooth/continuous operations (simulation and real case): how to back up data, how to promote a replica into a master, etc. But this document just poses way too many challenges for me. :)

Anyone who has successfully passed this test, please shed a light here. Thanks a lot.

--Guolin

From eshabahang at yahoo.com Sun Apr 29 07:51:14 2012
From: eshabahang at yahoo.com (shabahang elmian)
Date: Sun, 29 Apr 2012 00:51:14 -0700 (PDT)
Subject: [Freeipa-users] Error in Installation - unable to create CA
References: <1335174362.20027.YahooMailNeo@web161605.mail.bf1.yahoo.com> <4F95795D.6050507@redhat.com>
Message-ID: <1335685874.17289.YahooMailNeo@web161602.mail.bf1.yahoo.com>

[2012-04-23 17:07:32] [debug] set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] Processing PKI security modules for '/var/lib/pki-ca' ...
[2012-04-23 17:07:32] [debug]     Attempting to add hardware security modules to system if applicable ...
[2012-04-23 17:07:32] [debug]         module name: lunasa  lib: /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug]         module name: nfast  lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug] configuring SELinux ...
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9701.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9443.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9444.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9446.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445.  Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9447.  Port already defined otherwise.
[2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to run semanage.
[2012-04-23 17:07:34] [debug] Running restorecon commands
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/java/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/lib/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/run/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/log/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /etc/pki-ca)
[2012-04-23 17:07:34] [debug] Installation manifest: /var/lib/pki-ca/install_info
[2012-04-23 17:07:34] [debug] The following was performed:
Installed Files:
    /etc/pki-ca/CS.cfg
    ...
    /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
Removed Items:
    /etc/pki-ca/noise
    /etc/pki-ca/pfile
[2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart pki-cad at pki-ca.service)
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart pki-cad at pki-ca.service"), exit status=1 output="Job failed. See system logs and 'systemctl status' for details."
[2012-04-23 17:07:34] [log] Configuration Wizard listening on https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
[2012-04-23 17:07:34] [log] After configuration, the server can be operated by the command: /bin/systemctl restart pki-cad at pki-ca.service
[root at ipa ~]#
[root at ipa system]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!

Are you sure you want to continue with the uninstall procedure? [no]: y
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
[root at ipa system]#
[root at ipa system]#
[root at ipa system]# > /var/log/audit/audit.log
[root at ipa system]#
[root at ipa system]#
[root at ipa system]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: master.example.com.


Server host name [ipa.mtnirancell.ir]:

Warning: skipping DNS resolution of host ipa.mtnirancell.ir
The domain name has been calculated based on the host name.

Please confirm the domain name [mtnirancell.ir]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [MTNIRANCELL.IR]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder:
No DNS forwarders configured
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [58.131.10.in-addr.arpa.]:
Using reverse zone 58.131.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa.mtnirancell.ir
IP address:    10.131.58.43
Domain name:   mtnirancell.ir
Realm name:    MTNIRANCELL.IR

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  58.131.10.in-addr.arpa.

Continue to configure the system with these values? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 33 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance
Command '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname' 'ipa.mtnirancell.ir' '-cs_port' '9445' '-client_certdb_dir' '/tmp/tmp-gEoCj_' '-client_certdb_pwd' XXXXXXXX '-preop_pin' 'OiqLyU0CQxx8MRRZpuGs' '-domain_name' 'IPA' '-admin_user' 'admin' '-admin_email' 'root at localhost' '-admin_XXXXXXXX' XXXXXXXX '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048' '-agent_key_type' 'rsa' '-agent_cert_subject' 'CN=ipa-ca-agent,O=MTNIRANCELL.IR' '-ldap_host' 'ipa.mtnirancell.ir' '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_XXXXXXXX' XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048' '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true' '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name' 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA Subsystem,O=MTNIRANCELL.IR' '-ca_ocsp_cert_subject_name' 'CN=OCSP Subsystem,O=MTNIRANCELL.IR' '-ca_server_cert_subject_name' 'CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR' '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=MTNIRANCELL.IR' '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=MTNIRANCELL.IR' '-external' 'false' '-clone' 'false'' returned non-zero exit status 255
Unexpected error - see ipaserver-install.log for details:
 Configuration of CA failed
[root at ipa system]# cat /var/log/audit/audit.log
type=SERVICE_START msg=audit(1335685711.759:154): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ntpd" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685715.634:155): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685716.195:156): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1335685716.195:157): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1335685716.270:158): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv at PKI-IPA" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
[root at ipa system]#

shabahang

________________________________
From: Rob Crittenden
To: shabahang elmian
Cc: "freeipa-users at redhat.com"
Sent: Monday, April 23, 2012 8:16 PM
Subject: Re: [Freeipa-users] Error in Installation - unable to create CA

shabahang elmian wrote:
> Hello,
> There is a problem on configuring FreeIPA.
> would you please help.
>
> please find following :
>
>     2012-04-23 12:38:53,812 DEBUG duration: 5 seconds
>     2012-04-23 12:38:53,812 DEBUG [3/17]: configuring certificate server
>     instance
>     2012-04-23 12:38:56,227 DEBUG args=/usr/bin/perl /usr/bin/pkisilent
>     ConfigureCA -cs_hostname ipa.mtnirancell.ir -cs_port 9445
>     -client_certdb_dir /tmp/tmp-d9LkHR -client_certdb_pwd XXXXXXXX
>     -preop_pin IFJ2Tgb4EzHm3OVCSAAA -domain_name IPA -admin_user admin
>     -admin_email root at localhost -admin_password XXXXXXXX -agent_name
>     ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>     -agent_cert_subject CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host
>     ipa.mtnirancell.ir -ldap_port 7389 -bind_dn cn=Directory Manager
>     -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size
>     2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
>     -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
>     -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>     -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>     -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>     -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>     -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>     -external false -clone false
>     2012-04-23 12:38:56,228 DEBUG stdout=libpath=/usr/lib64
>     #######################################################################
>     CRYPTO INIT WITH CERTDB:/tmp/tmp-d9LkHR
>     tokenpwd:XXXXXXXX
>     #############################################
>     Attempting to connect to: ipa.mtnirancell.ir:9445
>     Exception in LoginPanel(): java.lang.NullPointerException
>     ERROR: ConfigureCA: LoginPanel() failure
>     ERROR: unable to create CA
>     #######################################################################
>     2012-04-23 12:38:56,228 DEBUG stderr=Exception: Unable to Send
>     Request:java.net.ConnectException: Connection refused
>     java.net.ConnectException: Connection refused
>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>     at
>     java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
>     at
>     java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
>     at
>     java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
>     at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
>     at java.net.Socket.connect(Socket.java:546)
>     at java.net.Socket.connect(Socket.java:495)
>     at java.net.Socket.(Socket.java:392)
>     at java.net.Socket.(Socket.java:235)
>     at HTTPClient.sslConnect(HTTPClient.java:326)
>     at ConfigureCA.LoginPanel(ConfigureCA.java:244)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>     at ConfigureCA.main(ConfigureCA.java:1672)
>     java.lang.NullPointerException
>     at ConfigureCA.LoginPanel(ConfigureCA.java:245)
>     at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
>     at ConfigureCA.main(ConfigureCA.java:1672)
>
>     2012-04-23 12:38:56,229 CRITICAL failed to configure ca instance
>     Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>     ipa.mtnirancell.ir -cs_port 9445 -client_certdb_dir /tmp/tmp-d9LkHR
>     -client_certdb_pwd XXXXXXXX -preop_pin IFJ2Tgb4EzHm3OVCSAAA
>     -domain_name IPA -admin_user admin -admin_email root at localhost
>     -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size
>     2048 -agent_key_type rsa -agent_cert_subject
>     CN=ipa-ca-agent,O=MTNIRANCELL.IR -ldap_host ipa.mtnirancell.ir
>     -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
>     XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type
>     rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
>     -subsystem_name pki-cad -token_name internal
>     -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MTNIRANCELL.IR
>     -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MTNIRANCELL.IR
>     -ca_server_cert_subject_name CN=ipa.mtnirancell.ir,O=MTNIRANCELL.IR
>     -ca_audit_signing_cert_subject_name CN=CA Audit,O=MTNIRANCELL.IR
>     -ca_sign_cert_subject_name CN=Certificate Authority,O=MTNIRANCELL.IR
>     -external false -clone false' returned non-zero exit status 255
>     2012-04-23 12:38:56,266 DEBUG Configuration of CA failed
>     File "/usr/sbin/ipa-server-install", line 1173, in
>     rval = main()
>
>     File "/usr/sbin/ipa-server-install", line 974, in main
>     subject_base=options.subject)
>
>     File
>     "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>     line 537, in configure_instance
>     self.start_creation("Configuring certificate server", 210)
>
>     File
>     "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>     line 248, in start_creation
>     method()
>
>     File
>     "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>     line 677, in __configure_instance
>     raise RuntimeError('Configuration of CA failed')
>
> please note :
>
>     [root at ipa ~]# uname -a
>     Linux ipa.mtnirancell.ir 3.3.2-6.fc16.x86_64 #1 SMP Sat Apr 21
>     12:43:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>     [root at ipa ~]# cat /etc/redhat-release
>     Fedora release 16 (Verne)
>     [root at ipa ~]#

It would appear that the CA silent installer (pki-silent) couldn't talk to the CA. There are more logs in /var/log/pki-ca that may hold more information on why. You might also want to look for any new AVCs in /var/log/audit/audit.log.

regards

rob

From dlackey at redhat.com Sun Apr 29 23:34:25 2012
From: dlackey at redhat.com (E Deon Lackey)
Date: Sun, 29 Apr 2012 18:34:25 -0500
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com>
Message-ID: <4F9DD001.2080204@redhat.com>

On 4/27/2012 10:20 PM, David Copperfield wrote:
> Hi folks,
>
> I'm completely lost at reading the IPA document on how to promote an
> IPA replica into a master IPA. When I try to follow the steps listed
> in the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate
> System CA' at the link
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> the last step 'g' said:
>
> g. Disable the redirect settings for CRL generation requests:
> master.ca.agent.host=hostname
> master.ca.agent.port=port number
>
> The above instructions don't give any hints about 'hostname' or 'port
> number'. Users don't have any clues about them: should they be this
> replica's name, or the original master's name? And what is the port
> number? Is it a TCP port, or a UDP port?

Hi, Guolin,

The replica is configured to check for information from the master CA -- in this case, asking the master CA to generate a CRL. Those parameters tell the replica where to look. Part of promoting the replica is telling it *not* to look for a master CA. So, those parameters should be blanked or removed.

I can definitely make that more clear.

>
> As a serious evaluator of IPA, I have to think more than just for
> fun. So it is a natural thought to think about disaster recovery and
> smooth/continuous operations (simulation and real case): how to back up
> data,

Currently, there is no disaster recovery or backup information. There are a couple of RFEs open to develop this information. My understanding (and this is something that Dmitri or one of the engineers can explain better) is that the best thing to do is to back up the DS instances using db2ldif and then spin up a new server/replica instance and import the backed up data using ldif2db.

> how to promote a replica into a master, etc. But this document just poses
> way too many challenges for me. :)

What challenges? Can you elaborate? Or, even better, file a bug so that I can make the docs better! (I'm the doc writer.) One thing that would be helpful to me is to know what kinds of scenarios you need covered; then I can work with engineering to get something into the documentation.

Thank you very much for your feedback!

Deon

From Steven.Jones at vuw.ac.nz Sun Apr 29 23:37:23 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 29 Apr 2012 23:37:23 +0000
Subject: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Maybe I am missing something here but I thought/assumed that if one of the IPA servers was off line the client would use the other IPA server?

This doesn't seem to be the case, so am I wrong on how IPA works, or do I have a setup error?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From pspacek at redhat.com Mon Apr 30 07:54:47 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 30 Apr 2012 09:54:47 +0200
Subject: [Freeipa-users] IPv6
In-Reply-To: <4F9A9481.5000705@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC8477D@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335476527.5722.23.camel@willson.li.ssimo.org> <4F9A5C96.8060106@redhat.com> <4F9A9481.5000705@redhat.com>
Message-ID: <4F9E4547.7060504@redhat.com>

On 04/27/2012 02:43 PM, John Dennis wrote:
> On 04/27/2012 04:45 AM, Petr Spacek wrote:
>> On 04/26/2012 11:42 PM, Simo Sorce wrote:
>>> On Thu, 2012-04-26 at 21:18 +0000, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> FYI,
>>>>
>>>> I shutdown IPv6 as we don't do IPv6 and found that IPA wouldn't
>>>> work....slight oops there...
>>>
>>> Hi Steve,
>>> can you be more explicit on how you 'shutdown' IPv6 ?
>>> And can you please tell exactly how IPA breaks in that case ?
>>>
>>> Is this after IPA is fully installed ? Or does the installer fail ?
>>>
>>> Simo.
>>>
>> Is it same issue as described in
>> https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ?
> > We do IPv6 in several places, but a while ago I noticed the way we iterate > over address families in nsslib in conjunction with getaddrinfo (the > io.AddrInfo class) looks dubious, it seems overly complex as if it's trying to > force a family selection (not sure, I would have to go back and really look at > the code again). Family selection should not be enforced from our code, I think. This way can create hidden dependency based on our (probably wrong) assumptions. > In any event getaddrinfo is designed to return a list of possible addresses > sorted in priority order by the system. You're supposed to start at the first > address in the list and see if you can connect, if not try the next address. > You're not supposed to take addresses in the list based on some other criteria > (which is what we seem to be doing with the family). > > FWIW, the raw c lib getaddrinfo allows one to specify constraints (such as > family), unfortunately NSPR (the wrapper around getaddrinfo in nsslib) does > not permit this, not sure why (probably because NSPR has to fallback to other > mechanisms if getaddrinfo is not available) AFAIK "right place" to specify this kind of constraints is to use "/etc/gai.conf" configuration file. NSPR ignores it? Petr^2 Spacek From sgallagh at redhat.com Mon Apr 30 11:28:39 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Mon, 30 Apr 2012 07:28:39 -0400 Subject: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down. In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1335785319.4578.1.camel@sgallagh520.sgallagh.bos.redhat.com> On Sun, 2012-04-29 at 23:37 +0000, Steven Jones wrote: > Hi, > > Maybe I am missing something here but I thought/assumed that if one of > teh IPA servers was off line the client would use the other IPA > server? 
> > This doesnt seem to be the case, so am I wrong on how IPA works, or do > I have a setup error? We're looking into it. Someone else reported a similar issue on Friday. We may have introduced a regression in the failover logic of SSSD. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From jdennis at redhat.com Mon Apr 30 12:27:53 2012 From: jdennis at redhat.com (John Dennis) Date: Mon, 30 Apr 2012 08:27:53 -0400 Subject: [Freeipa-users] IPv6 In-Reply-To: <4F9E4547.7060504@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CC8477D@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335476527.5722.23.camel@willson.li.ssimo.org> <4F9A5C96.8060106@redhat.com> <4F9A9481.5000705@redhat.com> <4F9E4547.7060504@redhat.com> Message-ID: <4F9E8549.60303@redhat.com> On 04/30/2012 03:54 AM, Petr Spacek wrote: > On 04/27/2012 02:43 PM, John Dennis wrote: >> On 04/27/2012 04:45 AM, Petr Spacek wrote: >>> On 04/26/2012 11:42 PM, Simo Sorce wrote: >>>> On Thu, 2012-04-26 at 21:18 +0000, Steven Jones wrote: >>>>> Hi, >>>>> >>>>> FYI, >>>>> >>>>> I shutdown IPv6 as we dont do IPv6 and found that IPA wouldnt >>>>> work....slight oops there... >>>> >>>> Hi Steve, >>>> can you be more explicit on how you 'shutdown' IPv6 ? >>>> And can you please tell exactly how IPA breaks in that case ? >>>> >>>> Is this after IPA is fully installed ? Or does the installer fail ? >>>> >>>> Simo. >>>> >>> Is it same issue as described in >>> https://www.redhat.com/archives/freeipa-users/2012-April/msg00160.html ? >> >> We do IPv6 in several places, but a while ago I noticed the way we iterate >> over address families in nsslib in conjunction with getaddrinfo (the >> io.AddrInfo class) looks dubious, it seems overly complex as if it's trying to >> force a family selection (not sure, I would have to go back and really look at >> the code again). 
> Family selection should not be enforced from our code, I think. This way can
> create a hidden dependency based on our (probably wrong) assumptions.

Agreed. We should not try to influence family selection.

I will open an IPA trac ticket.

>> In any event getaddrinfo is designed to return a list of possible addresses
>> sorted in priority order by the system. You're supposed to start at the first
>> address in the list and see if you can connect, if not try the next address.
>> You're not supposed to take addresses in the list based on some other criteria
>> (which is what we seem to be doing with the family).
>>
>> FWIW, the raw C lib getaddrinfo allows one to specify constraints (such as
>> family), unfortunately NSPR (the wrapper around getaddrinfo in nsslib) does
>> not permit this, not sure why (probably because NSPR has to fall back to other
>> mechanisms if getaddrinfo is not available)
>
> AFAIK the "right place" to specify this kind of constraint is the
> "/etc/gai.conf" configuration file. NSPR ignores it?

No. I believe /etc/gai.conf will be respected on modern systems with
getaddrinfo support by NSPR because NSPR calls into getaddrinfo, which is
influenced by /etc/gai.conf. What I was referring to is that getaddrinfo
exposes network address selection filtration based on gai.conf (or so I
believe).

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jdennis at redhat.com Mon Apr 30 12:36:15 2012
From: jdennis at redhat.com (John Dennis)
Date: Mon, 30 Apr 2012 08:36:15 -0400
Subject: [Freeipa-users] IPv6
In-Reply-To: <4F9E8549.60303@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC8477D@STAWINCOX10MBX1.staff.vuw.ac.nz> <1335476527.5722.23.camel@willson.li.ssimo.org> <4F9A5C96.8060106@redhat.com> <4F9A9481.5000705@redhat.com> <4F9E4547.7060504@redhat.com> <4F9E8549.60303@redhat.com>
Message-ID: <4F9E873F.5060006@redhat.com>

On 04/30/2012 08:27 AM, John Dennis wrote:
> Agreed.
> We should not try to influence family selection.
>
> I will open an IPA trac ticket.

https://fedorahosted.org/freeipa/ticket/2695

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From cao2dan at yahoo.com Mon Apr 30 19:02:36 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 12:02:36 -0700 (PDT)
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <4F9DD001.2080204@redhat.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9DD001.2080204@redhat.com>
Message-ID: <1335812556.58378.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Hi Deon and all,

>> Hi folks,
>>
>> I'm completely lost at reading the IPA document on how to promote an IPA replica into a master IPA. When I try to follow the steps listed in the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System CA' at the link http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki, the last step 'g' said:
>>
>>     g. Disable the redirect settings for CRL generation requests:
>>          master.ca.agent.host=hostname
>>          master.ca.agent.port=port number
>>
>> The above instructions don't give any hints of 'hostname', or 'port number'. Users don't have any clues about them: should they be this replica's name, or the original master's name? And what is the port number? Is it a TCP port, or a UDP port?
>
> The replica is configured to check for information from the master CA -- in this case, asking the master CA to generate a CRL. Those parameters tell the replica where to look. Part of promoting the replica is telling it *not* to look for a master CA. So, those parameters should be blanked or removed.
>
> I can definitely make that more clear.
Sure, please elaborate -- I'll still only half understand :) This part is pretty confusing by itself.

First, when an IPA replica is first installed, the dogtag certification system is not installed at all, so the directory /var/lib/pki-ca/conf doesn't exist on the IPA slave at all. The directory shows up only after the 'ipa-ca-install' command is run on the replica.

After running the command 'ipa-ca-install', in the configuration file '/var/lib/pki-ca/conf/CS.conf', there are no 'ca.crl.*' statements on the IPA replica at all; there is no master.ca.agent.{host/port} statement either.

What we really need to clarify here, from the users' perspective, is elaborated below (may not be complete):

1, how to promote an IPA replica into an IPA master?

2, What's the effect on other sibling IPA replicas? -- do we need to break the original replication agreement with the old IPA master and create a new agreement with the new server? If so, how to do it?

3, How to check/verify that the new IPA replica is really promoted into the new IPA master?

4, how to check/verify that the old IPA master has stopped its original master function? disowning the master CA in the PKI hierarchy as claimed?

4, what are the operations on the original IPA master?
  4.1 case #1, what are the 'official' steps to remove/decommission the original IPA master? -- what are the steps besides the final 'ipa-master-install --uninstall'?
  4.2 case #2, if the original IPA server is broken completely and all IPA replicas could not reach it? -- Then what are the steps to promote an IPA replica? Do we need the original /root/cacert.p12?
  4.3 case #2, if the original IPA server is only temporarily unreachable? -- then after an IPA replica is promoted into the new IPA master, how to demote the original IPA master to a replica after it is up?

>>
>> As a serious evaluator of IPA, I have to think beyond just for fun.
>> So it is a natural thought to think about disaster recovery and smooth/continuous operations (simulation and real case): how to back up data,
>
> Currently, there is no disaster recovery or backup information. There are a couple of RFEs open to develop this information. My understanding (and this is something that Dmitri or one of the engineers can explain better) is that the best thing to do is to back up the DS instances using db2ldif and then spin up a new server/replica instance and import the backed up data using ldif2db.
>

From cao2dan at yahoo.com Mon Apr 30 19:41:58 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 12:41:58 -0700 (PDT)
Subject: [Freeipa-users] Password migrating into IPA with SSSD failed
Message-ID: <1335814918.50174.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Hi folks,

Tried several times to do the password migration following the documented steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html#migr-kerb, and every time it failed. A solid example will be very helpful here; documented steps will be greatly appreciated.

The existing document states all the steps as listed below.

1. A user tries to log into a machine with SSSD.
2. SSSD attempts to perform Kerberos authentication against the IPA server.
3. Even though the user exists in the system, the authentication will fail with the error "key type is not supported" because the Kerberos hashes do not yet exist.
4. SSSD then performs a plaintext LDAP bind over a secure connection.
5. IPA intercepts this bind request. If the user has a Kerberos principal but no Kerberos hashes, then the IPA identity provider generates the hashes and stores them in the user entry.
6. If authentication is successful, SSSD disconnects from IPA and tries Kerberos authentication again.
   This time, the request succeeds because the hash exists in the entry.

The steps 4-6 are a little difficult to understand: Are these steps SSSD/IPA's internal information exchange mechanism? Or do I have to set up something at the IPA client/server side to fulfill them? Like setting up pam_ldap or nslcd/nss_ldap?

I've migrated all my users and groups from openLDAP into IPA without user passwords/hashes (another bug here: needs the --group-objectclass='posixGroup' option, and optionally --schema='RFC2307'), the passwords were not migrated, and so I tried the above method to set up new passwords seamlessly for users; unfortunately all tries failed. What I have done is listed below; any help is greatly appreciated.

1, prepare the IPA server for password migration:

    ipa config-mod --enable-migration=TRUE

2, On two IPA clients, ssh from one to another under an account with the password already manually set up, and it proves working without a password prompt (kinit/ssh works).

3, on the same two IPA clients, ssh from the same source node to the destination node, but this time with a migrated user account without a password; assumed it should ask for the password and save the password hash into the IPA master --- but it failed. The detailed errors are attached below (users with a password hash succeeded at step gssapi-keyex).

    [root at ipaclient01 tmp]# ssh -x ipaclient02 -l guest -v
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    ...
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug1: Next authentication method: gssapi-with-mic
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /root/.ssh/identity
    debug1: Trying private key: /root/.ssh/id_rsa
    debug1: Trying private key: /root/.ssh/id_dsa
    debug1: Next authentication method: password
    guest at ipaclient02's password:
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    Permission denied, please try again.
    guest at ipaclient02's password:
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    Permission denied, please try again.
    guest at ipaclient02's password:
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

4, Please have a check and let me know if there are any steps missed at the client side; and please let me know if any configs need to be verified.

Thanks.

--David
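The seamless migration path laid out in the six steps above only works when the migrated entry still carries the old LDAP password hash for the bind in step 4; for accounts migrated without one, what remains is resetting each password with `ipa passwd`, which forces the user to change it at first login. The script below is an added example, not code from this thread or from FreeIPA itself. It parses `ipa user-find` output in the blank-line-separated record format that the perl one-liner later in this thread matches against, selects the logins whose record reports "Keytab: False", and emits one shell-quoted `ipa passwd` command per login so the list can be reviewed before anything is run. The sample output is constructed, and the attribute labels ("User login", "Keytab") are assumptions about this IPA release; later releases print a different label for Kerberos key presence, which is why the label is a parameter.

```python
"""Bulk-reset helper for migrated IPA accounts that have no Kerberos keys.

Added example, not code from the thread or from FreeIPA.  Usage:

    ipa user-find | python3 bulk_reset.py        # real data from stdin
    python3 bulk_reset.py                         # constructed sample below

Assumptions (not stated on the page): `ipa user-find` prints one record per
blank-line-separated paragraph with "User login:" and "Keytab:" lines, as the
thread's perl -00 one-liner relies on.  Both labels are parameters so a
release that prints a different label for key presence can be handled.
"""
import re
import shlex
import sys

LOGIN_LABEL = "User login"   # assumption: login label in this IPA release
KEY_LABEL = "Keytab"         # assumption: "Keytab: False" == no Kerberos keys

# Constructed sample of `ipa user-find` output (not captured from a server).
SAMPLE_OUTPUT = """\
--------------
3 users matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Keytab: True

  User login: guest
  First name: Guest
  Last name: Account
  Home directory: /home/guest
  Keytab: False

  User login: jdoe
  First name: John
  Last name: Doe
  Home directory: /home/jdoe
  Keytab: False
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_records(text, login_label=LOGIN_LABEL):
    """Split `ipa user-find` output into a list of {label: value} dicts.

    Records are separated by blank lines.  The summary rulers and counters
    contain no "label: value" pairs, so any paragraph that yields no login
    is dropped rather than reported as a user.
    """
    records = []
    for block in re.split(r"\n\s*\n", text):
        record = {}
        for line in block.splitlines():
            m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)
            if m:
                record[m.group(1)] = m.group(2)
        if login_label in record:
            records.append(record)
    return records


def users_without_keys(text, key_label=KEY_LABEL):
    """Return the sorted logins whose record says the key attribute is False."""
    return sorted(
        r[LOGIN_LABEL] for r in parse_records(text)
        if r.get(key_label, "").strip().lower() == "false"
    )


def reset_commands(logins):
    """Build the `ipa passwd <login>` command lines.

    Logins are shell-quoted so an odd value cannot alter the command.  The
    interactive prompt of `ipa passwd` is kept on purpose: the new password
    never appears on a command line, in shell history, or in this script.
    """
    return [f"ipa passwd {shlex.quote(login)}" for login in logins]


def main():
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for cmd in reset_commands(users_without_keys(text)):
        print(cmd)


if __name__ == "__main__":
    main()
```

Review the printed list, then run the commands (or feed them to a loop that reads each new password from a secure source); `users_without_keys(text, key_label="...")` takes the key label of whichever `ipa user-find` format the server actually prints.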
From sgallagh at redhat.com Mon Apr 30 19:50:23 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Mon, 30 Apr 2012 15:50:23 -0400
Subject: [Freeipa-users] Password migrating into IPA with SSSD failed
In-Reply-To: <1335814918.50174.YahooMailNeo@web125704.mail.ne1.yahoo.com>
References: <1335814918.50174.YahooMailNeo@web125704.mail.ne1.yahoo.com>
Message-ID: <1335815423.4578.65.camel@sgallagh520.sgallagh.bos.redhat.com>

>
> The existing document states all the steps as listed below.
>
> A user tries to log into a machine with SSSD.
> SSSD attempts to perform Kerberos authentication against the IPA server.
> Even though the user exists in the system, the authentication will fail
> with the error key type is not supported because the Kerberos hashes do
> not yet exist.
> SSSD then performs a plaintext LDAP bind over a secure connection.
> IPA intercepts this bind request. If the user has a Kerberos principal
> but no Kerberos hashes, then the IPA identity provider generates the
> hashes and stores them in the user entry.
> If authentication is successful, SSSD disconnects from IPA and tries
> Kerberos authentication again. This time, the request succeeds because
> the hash exists in the entry.
>
> The steps 4-6 are a little difficult to understand: Are these steps
> SSSD/IPA's internal information exchange mechanism? Or do I have to
> set up something at the IPA client/server side to fulfill them? Like
> setting up pam_ldap or nslcd/nss_ldap?
>

Steps 4-6 are handled automatically by SSSD as long as it is configured
with 'id_provider = ipa' and 'auth_provider = ipa' (which is how
ipa-client-install configures it) and migration mode is enabled on the
server.
>
> I've migrated all my users and groups from openLDAP into IPA without
> user passwords/hashes (another bug here: needs the
> --group-objectclass='posixGroup' option, and optionally
> --schema='RFC2307'), the passwords were not migrated, and so I tried
> the above method to set up new passwords seamlessly for users;
> unfortunately all tries failed.
>

This is the problem. In order for seamless password migration to work,
you need to migrate the hashes. If we cannot bind with the old password,
we can't set that up for Kerberos.

What it sounds like you probably want to do (since you aren't keeping
the hashes) is just reset the passwords for all of your users, which
will require them to change it on first login. There's an admin command
'ipa passwd' that can reset a user password. There may also be tools to
do this in bulk, but someone else will need to chime in here.

From dpal at redhat.com Mon Apr 30 19:57:11 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 30 Apr 2012 15:57:11 -0400
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335812556.58378.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9DD001.2080204@redhat.com> <1335812556.58378.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <4F9EEE97.2000206@redhat.com>

On 04/30/2012 03:02 PM, David Copperfield wrote:
> Hi Deon and all,
>
> >> Hi folks,
> >>
> >> I'm completely lost at reading the IPA document on how to promote
> an IPA replica into a master IPA.
> When I try to follow the steps listed
> in the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate
> System CA' at the link
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> the last step 'g' said:
> >>
> >> g. Disable the redirect settings for CRL generation requests:
> >> master.ca.agent.host=hostname
> >> master.ca.agent.port=port number
> >>
> >> The above instructions don't give any hints of 'hostname', or 'port
> number'. Users don't have any clues about them: should they be this
> replica's name, or the original master's name? And what is the port
> number? Is it a TCP port, or a UDP port?
> >
> >The replica is configured to check for information from the master CA
> -- in this case, asking the master CA to generate a CRL. Those
> parameters tell the replica where to look. Part of promoting the
> replica is telling it *not* to look for a master CA. So, those
> parameters should be blanked or removed.
> >
> >I can definitely make that more clear.

Have you used a --selfsign option when you installed the first server?
If you did, you installed the server without a CA. This is an advanced
option for those who know why they do not want the CA at all.
The standard, default way is to not provide the --selfsign flag.
This will install a CA on the first replica. On the other replicas you
can have a CA at your discretion, or add it later if you did not install
it at the beginning.
HTH.

> Sure, please elaborate -- I'll still only half understand :) This
> part is pretty confusing by itself.
>
> First, when an IPA replica is first installed, the dogtag certification
> system is not installed at all, so the directory /var/lib/pki-ca/conf
> doesn't exist on the IPA slave at all. The directory shows up
> only after the 'ipa-ca-install' command is run on the replica.
>
> After running the command 'ipa-ca-install', in the configuration file
> '/var/lib/pki-ca/conf/CS.conf', there are no 'ca.crl.*' statements on
> the IPA replica at all; there is no master.ca.agent.{host/port}
> statement either.
>
> What we really need to clarify here, from the users' perspective, is
> elaborated below (may not be complete):
>
> 1, how to promote an IPA replica into an IPA master?
>
> 2, What's the effect on other sibling IPA replicas? -- do we need to
> break the original replication agreement with the old IPA master and
> create a new agreement with the new server? If so, how to do it?
>
> 3, How to check/verify that the new IPA replica is really promoted into
> the new IPA master?
>
> 4, how to check/verify that the old IPA master has stopped its original
> master function? disowning the master CA in the PKI hierarchy as claimed?
>
> 4, what are the operations on the original IPA master?
> 4.1 case #1, what are the 'official' steps to remove/decommission the
> original IPA master? -- what are the steps besides the final
> 'ipa-master-install --uninstall'?
> 4.2 case #2, if the original IPA server is broken completely and all
> IPA replicas could not reach it? -- Then what are the steps to
> promote an IPA replica? Do we need the original /root/cacert.p12?
> 4.3 case #2, if the original IPA server is only temporarily
> unreachable? -- then after an IPA replica is promoted into the new IPA
> master, how to demote the original IPA master to a replica after it is up?
>
> >>
> >> As a serious evaluator of IPA, I have to think beyond just for
> fun. So it is a natural thought to think about disaster recovery and
> smooth/continuous operations (simulation and real case): how to back up
> data,
> >
> >Currently, there is no disaster recovery or backup information. There
> are a couple of RFEs open to develop this information.
> My
> understanding (and this is something that Dmitri or one of the
> engineers can explain better) is that the best thing to do is to back
> up the DS instances using db2ldif and then spin up a new
> server/replica instance and import the backed up data using ldif2db.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Mon Apr 30 20:11:03 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 30 Apr 2012 16:11:03 -0400
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335812556.58378.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9DD001.2080204@redhat.com> <1335812556.58378.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <4F9EF1D7.2090909@redhat.com>

David Copperfield wrote:
> Hi Deon and all,
>
> >> Hi folks,
> >>
> >> I'm completely lost at reading the IPA document on how to promote an
> IPA replica into a master IPA. When I try to follow the steps listed in
> the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System
> CA' at the link
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki,
> the last step 'g' said:
> >>
> >> g.
> >> Disable the redirect settings for CRL generation requests:
> >> master.ca.agent.host=hostname
> >> master.ca.agent.port=port number
> >>
> >> The above instructions don't give any hints of 'hostname', or 'port
> number'. Users don't have any clues about them: should they be this
> replica's name, or the original master's name? And what is the port
> number? Is it a TCP port, or a UDP port?
> >
> >The replica is configured to check for information from the master CA
> -- in this case, asking the master CA to generate a CRL. Those
> parameters tell the replica where to look. Part of promoting the replica
> is telling it *not* to look for a master CA. So, those parameters should
> be blanked or removed.
> >
> >I can definitely make that more clear.
>
> Sure, please elaborate -- I'll still only half understand :) This part
> is pretty confusing by itself.
>
> First, when an IPA replica is first installed, the dogtag certification
> system is not installed at all, so the directory /var/lib/pki-ca/conf
> doesn't exist on the IPA slave at all. The directory shows up
> only after the 'ipa-ca-install' command is run on the replica.
>
> After running the command 'ipa-ca-install', in the configuration file
> '/var/lib/pki-ca/conf/CS.conf', there are no 'ca.crl.*' statements on
> the IPA replica at all; there is no master.ca.agent.{host/port}
> statement either.
>
> What we really need to clarify here, from the users' perspective, is
> elaborated below (may not be complete):
>
> 1, how to promote an IPA replica into an IPA master?

All replicas are equal with the exception that:

* some may have a CA and others may not
* some may have a DNS server and others may not

The only distinction that the initial CA installation has is that it is
the one that generates the CRL.

> 2, What's the effect on other sibling IPA replicas? -- do we need to
> break the original replication agreement with the old IPA master and
> create a new agreement with the new server? If so, how to do it?
No, nothing changes, this is all MMR.

> 3, How to check/verify that the new IPA replica is really promoted into
> the new IPA master?

You would verify that the CRL is being generated on the master you
choose (/var/log/pki-ca/debug).

> 4, how to check/verify that the old IPA master has stopped its original
> master function? disowning the master CA in the PKI hierarchy as claimed?

Verify that it is no longer generating a CRL (/var/log/pki-ca/debug)

>
> 4, what are the operations on the original IPA master?
> 4.1 case #1, what are the 'official' steps to remove/decommission the
> original IPA master? -- what are the steps besides the final
> 'ipa-master-install --uninstall'?

If you are decommissioning an instance then you'll want to break all
replication agreements it has.

> 4.2 case #2, if the original IPA server is broken completely and all IPA
> replicas could not reach it? -- Then what are the steps to promote an
> IPA replica? Do we need the original /root/cacert.p12?

No, use the documented steps. The only thing to do is to generate the
CRL on a different host.

> 4.3 case #2, if the original IPA server is only temporarily unreachable?
> -- then after an IPA replica is promoted into the new IPA master, how to
> demote the original IPA master to a replica after it is up?

You would just reverse the CRL generation. Note that if the server is
down for longer than the changelog then you'll want to re-initialize both
the CA and IPA LDAP databases from one of the other masters.

rob

From cao2dan at yahoo.com Mon Apr 30 20:29:19 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 13:29:19 -0700 (PDT)
Subject: [Freeipa-users] any methods to import Kerberos password hashes into IPA?
Message-ID: <1335817759.30637.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Hi all,

Just wonder if anyone has migrated password hashes from standalone Kerberos V servers into IPA servers before, assuming that they share the same Kerberos realm name.
Both the original standalone Kerberos server and the IPA servers use the same version of the Kerberos V daemons. So is there a way to dump the Kerberos password hashes with 'kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans' or a similar command, then load it into the IPA server with kprop or other IPA tool(s)?

Thanks.

--David

From cao2dan at yahoo.com Mon Apr 30 20:49:32 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 13:49:32 -0700 (PDT)
Subject: [Freeipa-users] Password migrating into IPA with SSSD failed
In-Reply-To: <1335815423.4578.65.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <1335814918.50174.YahooMailNeo@web125704.mail.ne1.yahoo.com> <1335815423.4578.65.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <1335818972.36971.YahooMailNeo@web125703.mail.ne1.yahoo.com>

>
>>
>> The existing document states all the steps as listed below.
>>
>> A user tries to log into a machine with SSSD.
>> SSSD attempts to perform Kerberos authentication against the
>> IPA server.
>> Even though the user exists in the system, the authentication
>> will fail with the error key type is not supported because the
>> Kerberos hashes do not yet exist.
>> SSSD then performs a plaintext LDAP bind over a secure
>> connection.
>> IPA intercepts this bind request. If the user has a Kerberos
>> principal but no Kerberos hashes, then the IPA identity
>> provider generates the hashes and stores them in the user
>> entry.
>> If authentication is successful, SSSD disconnects from IPA and
>> tries Kerberos authentication again. This time, the request
>> succeeds because the hash exists in the entry.
>> The steps 4-6 are a little difficult to understand: Are these steps
>> SSSD/IPA's internal information exchange mechanism?
>> Or do I have to
>> set up something at the IPA client/server side to fulfill them? Like
>> setting up pam_ldap or nslcd/nss_ldap?
>>
>
> Steps 4-6 are handled automatically by SSSD as long as it is configured
> with 'id_provider = ipa' and 'auth_provider = ipa' (which is how
> ipa-client-install configures it) and migration mode is enabled on the
> server.
>

The IPA server's migration mode was already set up, and sssd has the providers set up to IPA already for both id and auth.

>>
>> I've migrated all my users and groups from openLDAP into IPA without
>> user passwords/hashes (another bug here: needs the
>> --group-objectclass='posixGroup' option, and optionally
>> --schema='RFC2307'), the passwords were not migrated, and so I tried
>> the above method to set up new passwords seamlessly for users;
>> unfortunately all tries failed.
>>
>>
>
> This is the problem. In order for seamless password migration to work,
> you need to migrate the hashes. If we cannot bind with the old password,
> we can't set that up for Kerberos.
>

This is the point. If I understand correctly -- please feel free to correct me --, the document claims a way to initialize the password hash for IPA users, when the accounts are migrated without a password hash, and they use the user's password input to initialize the password hash. The ssh session failure may be related to the 'REQUIRE-PREAUTH' attribute for IPA accounts but I am not sure.

> What it sounds like you probably want to do (since you aren't keeping
> the hashes) is just reset the passwords for all of your users, which
> will require them to change it on first login. There's an admin command
> 'ipa passwd' that can reset a user password. There may also
> be tools to do this in bulk, but someone else will need to chime in
> here.
>

I know this way of password-resetting (to 'abcd1234' :) ) should work, but it is not what the document claims.
For bulk setup, I've used the following IPA command to find all users without a password hash:

    ipa user-find | perl -00 -ne '/Keytab: False/ && print $_;' | grep -i 'User login:' | cut -d: -f2

and then run a loop to apply the command 'ipa passwd'.

There may be a better and simpler ldapsearch command to find a list of users against the 389 directory server directly, but I am still in the learning curve.

--David

From dpal at redhat.com Mon Apr 30 20:55:14 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 30 Apr 2012 16:55:14 -0400
Subject: [Freeipa-users] Password migrating into IPA with SSSD failed
In-Reply-To: <1335818972.36971.YahooMailNeo@web125703.mail.ne1.yahoo.com>
References: <1335814918.50174.YahooMailNeo@web125704.mail.ne1.yahoo.com> <1335815423.4578.65.camel@sgallagh520.sgallagh.bos.redhat.com> <1335818972.36971.YahooMailNeo@web125703.mail.ne1.yahoo.com>
Message-ID: <4F9EFC32.5040203@redhat.com>

On 04/30/2012 04:49 PM, David Copperfield wrote:
>
>
> >>
> >> The existing document states all the steps as listed below.
> >>
> >> A user tries to log into a machine with SSSD.
> >> SSSD attempts to perform Kerberos authentication against the
> >> IPA server.
> >> Even though the user exists in the system, the authentication
> >> will fail with the error key type is not supported because the
> >> Kerberos hashes do not yet exist.
> >> SSSD then performs a plaintext LDAP bind over a secure
> >> connection.
> >> IPA intercepts this bind request. If the user has a Kerberos
> >> principal but no Kerberos hashes, then the IPA identity
> >> provider generates the hashes and stores them in the user
> >> entry.
> >> If authentication is successful, SSSD disconnects from IPA and
> >> tries Kerberos authentication again. This time, the request
> >> succeeds because the hash exists in the entry.
> >> The steps 4-6 are a little difficult to understand: Are these steps
> >> SSSD/IPA's internal information exchange mechanism? Or do I have to
> >> set up something at the IPA client/server side to fulfill them? Like
> >> setting up pam_ldap or nslcd/nss_ldap?
> >>
> >
> > Steps 4-6 are handled automatically by SSSD as long as it is configured
> > with 'id_provider = ipa' and 'auth_provider = ipa' (which is how
> > ipa-client-install configures it) and migration mode is enabled on the
> > server.
> >
>
> The IPA server's migration mode was already set up, and sssd has the
> providers set up to IPA already for both id and auth.
>
> >>
> >> I've migrated all my users and groups from openLDAP into IPA without
> >> user passwords/hashes (another bug here: needs the
> >> --group-objectclass='posixGroup' option, and optionally
> >> --schema='RFC2307'), the passwords were not migrated, and so I tried
> >> the above method to set up new passwords seamlessly for users;
> >> unfortunately all tries failed.
> >>
> >>
> >
> > This is the problem. In order for seamless password migration to work,
> > you need to migrate the hashes. If we cannot bind with the old password,
> > we can't set that up for Kerberos.
> >
>
> This is the point. If I understand correctly -- please feel free to
> correct me --, the document claims a way to initialize the password hash
> for IPA users, when the accounts are migrated without a password hash,
> and they use the user's password input to initialize the password hash.
>

I think the confusion is not "without any hash" but "without a Kerberos
hash". You need the old password hashes copied over for the LDAP
authentication to be successful, to make sure that the password is the
same as the old one.

Deon, we should make it more clear.

> The ssh session failure may be related to the 'REQUIRE-PREAUTH'
> attribute for IPA accounts but I am not sure.
>
> > What it sounds like you probably want to do (since you aren't keeping
> > the hashes) is just reset the passwords for all of your users, which
> > will require them to change it on first login. There's an admin command
> > 'ipa passwd' that can reset a user password. There may also
> > be tools to do this in bulk, but someone else will need to chime in
> > here.
> >
>
> I know this way of password-resetting (to 'abcd1234' :) ) should work,
> but it is not what the document claims. For bulk setup, I've used the
> following IPA command to find all users without a password hash:
>
> ipa user-find | perl -00 -ne '/Keytab: False/ && print $_;' | grep
> -i 'User login:' | cut -d: -f2
>
> and then run a loop to apply the command 'ipa passwd'.
>
> There may be a better and simpler ldapsearch command to find a list of
> users against the 389 directory server directly, but I am still in the
> learning curve.
>
> --David

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From cao2dan at yahoo.com Mon Apr 30 21:06:47 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 14:06:47 -0700 (PDT)
Subject: [Freeipa-users] migration of netgroups into IPA ??
In-Reply-To: <1335554991.39114.YahooMailNeo@web125706.mail.ne1.yahoo.com>
References: <4F998385.9070001@redhat.com> <1335473461.20871.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9AE74D.80401@redhat.com> <1335553534.95430.YahooMailNeo@web125705.mail.ne1.yahoo.com> <4F9AF03C.5010405@redhat.com> <1335554991.39114.YahooMailNeo@web125706.mail.ne1.yahoo.com>
Message-ID: <1335820007.33988.YahooMailNeo@web125702.mail.ne1.yahoo.com>

Hi folks,

We have quite a bunch of netgroups which are hosted on an openldap server presently, and now it is time to migrate them into freeIPA.
The NIS triples are in the format:

    (-, username, -)

or

    (hostname001, -, -)

And these openldap netgroups are used for various purposes: host listing for ssh/gssh, access control, sudoers, etc. So after user accounts and groups are migrated, netgroups need to be migrated too for the openldap/IPA migration/cutover. There are no Red Hat documents on this part though.

Has anyone tried netgroup migration before? Or do we have to input them by hand into IPA (host, hostgroup, user-group) and replace netgroups with hostgroups (which will create the respective netgroups in the background), and replace NIS user groups with real posix user groups?

Please advise. Thanks a lot.

--David

From cao2dan at yahoo.com Mon Apr 30 21:28:32 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 14:28:32 -0700 (PDT)
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335812556.58378.YahooMailNeo@web125701.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9DD001.2080204@redhat.com> <1335812556.58378.YahooMailNeo@web125701.mail.ne1.yahoo.com>
Message-ID: <1335821312.90703.YahooMailNeo@web125701.mail.ne1.yahoo.com>

Hi Deon, Dmitri, and all,

>>> Hi folks,
>>>
>>> I'm completely lost at reading the IPA document on how to promote an IPA replica into a master IPA. When I try to follow the steps listed in the chapter '16.8.1 Promoting a Replica with a Dogtag Certificate System CA' at the link http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/promoting-replica.html#promoting-pki, the last step 'g' says:
>>>
>>>     g. Disable the redirect settings for CRL generation requests:
>>>         master.ca.agent.host=hostname
>>>         master.ca.agent.port=port number
>>>
>>> The above instructions don't give any hints about 'hostname' or 'port number'. Users don't have any clues about them: should they be this replica's name, or the original master's name? And what is the port number? Is it a TCP port, or a UDP port?
>>
>> The replica is configured to check for information from the master CA -- in this case, asking the master CA to generate a CRL. Those parameters tell the replica where to look. Part of promoting the replica is telling it *not* to look for a master CA. So, those parameters should be blanked or removed.
>>
>> I can definitely make that more clear.
>
> Have you used a --selfsign option when you installed the first server?
> If you did, you installed the server without a CA. This is an advanced option for those who know why they do not want the CA at all.
> The standard, default way is to not provide the --selfsign flag.
> This will install a CA on the first replica. On the other replicas you can have a CA at your discretion. Or add it later if you did not install it at the beginning.
> HTH.

It's my pleasure to clarify here: no '--selfsign' option was used to create the IPA master, or the first replica, or the other replica siblings. But the Dogtag installation results are:

IPA master: has the Dogtag system installed, and the '/var/lib/pki-ca/conf/CS.conf' file created. Inside there was no 'master.ca.agent.{host,port}' statement.

IPA replica (first replica and its siblings): NO Dogtag certificate system was automatically installed. Not even a /var/lib/pki-ca/ directory.

By the way, on the document page, the commands 'service pki-ca stop' and 'service pki-ca start' were wrong too -- as there was only a 'pki-cad' service, not 'pki-ca'. :)

So, please have the migration page updated and submit it here so that users can follow the updated version and give you more feedback immediately. It looks like a win-win solution.
--David

From cao2dan at yahoo.com Mon Apr 30 21:51:03 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 14:51:03 -0700 (PDT)
Subject: [Freeipa-users] freeIPA bug: Kerberos clients fail talking to IPA server after ipa-client-install
Message-ID: <1335822663.65917.YahooMailNeo@web125704.mail.ne1.yahoo.com>

Hi folks,

During migration of existing Kerberos/LDAP setup clients to IPA, after the 'ipa-client-install' command is run and reports successful migration, we found that the client fails to talk with the IPA server.

The symptom is: in the /var/log/messages file at the IPA client side, we can see the following entries:

    Apr 30 11:07:04 ldapclient02 sssd: Starting up
    Apr 30 11:07:05 ldapclient02 sssd[be[pegaclouds.com]]: Starting up
    Apr 30 11:07:06 ldapclient02 sssd[pam]: Starting up
    Apr 30 11:07:06 ldapclient02 sssd[nss]: Starting up
    Apr 30 11:07:06 ldapclient02 [sssd[ldap_child[2133]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.

It was figured out that, instead of backing up and overwriting /etc/krb5.keytab, ipa-client-install only appends the newly generated host keytab entries to the same file /etc/krb5.keytab. Then, when the original entries have a higher KVNO version than the newly generated siblings, the latter are shadowed and ignored.

After manually removing the old entries from /etc/krb5.keytab with the tool ktutil (rkt, delent, wkt), the client immediately connects to the IPA server and the problem goes away.

It will be greatly appreciated if the native ipa-rmkeytab can be extended to do the same job.

Thanks.

--David
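A check for the keytab condition described in this message, written as an added example for this archive rather than code from FreeIPA, SSSD or MIT krb5. It parses `klist -kt` / `klist -kte` output (the embedded sample is constructed, not a capture from the reporter's host), shows which KVNO the library will actually pick for each principal, flags the case where a stale higher-KVNO entry hides the key the IPA KDC now has, and prints a ktutil script that removes only the stale entries. The KVNO the KDC holds is an input; on a real client it can be read with `kvno host/FQDN` after a `kinit`. Assumed, and marked in the code: MIT krb5 selects the highest KVNO for a principal when none is requested, and ktutil `list` numbers slots in file order and renumbers after each `delent`, so deletions are emitted highest slot first.

```python
"""Find stale /etc/krb5.keytab entries that shadow a freshly enrolled key.

Added example, not FreeIPA/SSSD/MIT krb5 code.  Parses klist -kt[e] output,
reports the KVNO the library will use per principal, and builds a ktutil
script that removes entries whose KVNO differs from the KDC's current one.
"""
import sys
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "slot kvno principal enctype")
HOST = "host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM"

# Constructed sample (not a capture): KVNO 3 is the old realm's key that
# stayed in the file, KVNO 1 is what ipa-client-install appended.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/12/12 09:41:02 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)
   3 04/12/12 09:41:02 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (des-cbc-crc)
   1 04/30/12 11:06:58 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)
   1 04/30/12 11:06:58 host/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes128-cts-hmac-sha1-96)
   2 04/30/12 11:06:59 nfs/ldapclient02.pegaclouds.com@PEGACLOUDS.COM (aes256-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Return KeytabEntry objects in file order; slots are 1-based like ktutil's list."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # banner, column header and separator lines
        principal = next((p for p in parts[1:] if "@" in p), None)
        if principal is None:
            continue
        enctype = None
        if parts[-1].startswith("(") and parts[-1].endswith(")"):
            enctype = parts[-1][1:-1]  # only printed with -e
        entries.append(KeytabEntry(len(entries) + 1, int(parts[0]), principal, enctype))
    return entries


def active_kvnos(entries):
    """principal -> KVNO the library will use (ASSUMPTION: highest KVNO wins)."""
    best = {}
    for e in entries:
        best[e.principal] = max(best.get(e.principal, 0), e.kvno)
    return best


def shadowed_entries(entries, principal, kdc_kvno):
    """(is_shadowed, stale): stale = entries whose KVNO differs from the KDC's.

    is_shadowed is True when the wanted key is present but hidden behind a
    higher stale KVNO, the situation behind 'Decrypt integrity check failed'.
    """
    mine = [e for e in entries if e.principal == principal]
    stale = [e for e in mine if e.kvno != kdc_kvno]
    wanted_present = any(e.kvno == kdc_kvno for e in mine)
    is_shadowed = wanted_present and any(e.kvno > kdc_kvno for e in mine)
    return is_shadowed, stale


def ktutil_script(stale, keytab="/etc/krb5.keytab", out="/etc/krb5.keytab.new"):
    """ktutil commands removing `stale`; highest slot first because ktutil
    renumbers the in-memory list after every delent (ASSUMPTION, see lead-in)."""
    lines = ["rkt " + keytab]
    lines += ["delent %d" % e.slot for e in sorted(stale, key=lambda e: e.slot, reverse=True)]
    lines += ["wkt " + out, "quit"]
    return lines


if __name__ == "__main__":
    # usage: klist -kte | python keytab_check.py host/FQDN@REALM <kvno from the KDC>
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    principal = sys.argv[1] if len(sys.argv) > 1 else HOST
    kdc_kvno = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    ents = parse_klist(text)
    print("library will use:", active_kvnos(ents))
    shadowed, stale = shadowed_entries(ents, principal, kdc_kvno)
    print("wanted key shadowed:", shadowed)
    print("\n".join(ktutil_script(stale)))
```

The script writes the cleaned keytab to a new file on purpose: verify it with `klist -kte /etc/krb5.keytab.new`, keep a copy of the original, and only then move it into place and restart sssd.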
From Steven.Jones at vuw.ac.nz Mon Apr 30 22:14:07 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 30 Apr 2012 22:14:07 +0000
Subject: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.
In-Reply-To: <1335785319.4578.1.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CC858B6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1335785319.4578.1.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CC876C0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Do you want me to open a RH case?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Stephen Gallagher [sgallagh at redhat.com]
Sent: Monday, 30 April 2012 11:28 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.

On Sun, 2012-04-29 at 23:37 +0000, Steven Jones wrote:
> Hi,
>
> Maybe I am missing something here but I thought/assumed that if one of
> the IPA servers was off line the client would use the other IPA
> server?
>
> This doesn't seem to be the case, so am I wrong on how IPA works, or do
> I have a setup error?

We're looking into it. Someone else reported a similar issue on Friday.
We may have introduced a regression in the failover logic of SSSD.
From cao2dan at yahoo.com Mon Apr 30 22:58:34 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 15:58:34 -0700 (PDT)
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <4F9DD001.2080204@redhat.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9DD001.2080204@redhat.com>
Message-ID: <1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>

Hi,

> Currently, there is no disaster recovery or backup information. There are a couple of RFEs open to develop this information. My understanding (and this is something that
> Dmitri or one of the engineers can explain better) is that the best thing to do is to back up the DS instances using db2ldif and then spin up a new server/replica instance and
> import the backed up data using ldif2db.

Thanks for pointing out a way to do partial backup/restore.

But the command db2ldif, or its sibling command ldif2db, cannot be located on the IPA master/replica. The IPA servers only install the 389-ds-base and 389-ds-base-libs RPMs, and the two commands don't show up anywhere.

Could anyone elaborate on how to use the two template commands, or point me to the document or http link(s)? That is enough. Thanks a lot.

    [root at ipamaster script-templates]# rpm -qa | grep 389
    389-ds-base-1.2.9.14-1.el6_2.2.x86_64
    389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64

    [root at ipamaster script-templates]# rpm -ql 389-ds-base 389-ds-base-libs | grep -P 'db2ldif|ldif2db'
    /usr/share/dirsrv/script-templates/template-db2ldif
    /usr/share/dirsrv/script-templates/template-db2ldif.pl
    /usr/share/dirsrv/script-templates/template-ldif2db
    /usr/share/dirsrv/script-templates/template-ldif2db.pl
    [root at ipamaster script-templates]#

--David
From rmeggins at redhat.com Mon Apr 30 23:23:54 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 30 Apr 2012 17:23:54 -0600
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9DD001.2080204@redhat.com> <1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com>
Message-ID: <4F9F1F0A.1020903@redhat.com>

On 04/30/2012 04:58 PM, David Copperfield wrote:
> Hi,
>
>> Currently, there is no disaster recovery or backup information.
>> There are a couple of RFEs open to develop this information. My
>> understanding (and this is something that
>> Dmitri or one of the engineers can explain better) is that the best
>> thing to do is to back up the DS instances using db2ldif and then spin
>> up a new server/replica instance and
>> import the backed up data using ldif2db.
>
> Thanks for pointing out a way to do partial backup/restore.
>
> But the command db2ldif, or its sibling command ldif2db, cannot be
> located on the IPA master/replica.

look in /var/lib/dirsrv/scripts-YOURDOMAIN-YOURTLD

> The IPA servers only install the 389-ds-base and 389-ds-base-libs RPMs,
> and the two commands don't show up anywhere.
>
> Could anyone elaborate on how to use the two template commands, or
> point me to the document or http link(s)? That is enough. Thanks a lot.
>
>     [root at ipamaster script-templates]# rpm -qa | grep 389
>     389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>     389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
>
>     [root at ipamaster script-templates]# rpm -ql 389-ds-base 389-ds-base-libs | grep -P 'db2ldif|ldif2db'
>     /usr/share/dirsrv/script-templates/template-db2ldif
>     /usr/share/dirsrv/script-templates/template-db2ldif.pl
>     /usr/share/dirsrv/script-templates/template-ldif2db
>     /usr/share/dirsrv/script-templates/template-ldif2db.pl
>     [root at ipamaster script-templates]#
>
> --David
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From cao2dan at yahoo.com Mon Apr 30 23:52:30 2012
From: cao2dan at yahoo.com (David Copperfield)
Date: Mon, 30 Apr 2012 16:52:30 -0700 (PDT)
Subject: [Freeipa-users] Confused/lost at promoting a replica into a master
In-Reply-To: <4F9F1F0A.1020903@redhat.com>
References: <1335460857.5722.10.camel@willson.li.ssimo.org> <1335476448.5722.22.camel@willson.li.ssimo.org> <1335495508.8685.YahooMailNeo@web125702.mail.ne1.yahoo.com> <1335583208.17796.YahooMailNeo@web125703.mail.ne1.yahoo.com> <4F9DD001.2080204@redhat.com> <1335826714.53461.YahooMailNeo@web125702.mail.ne1.yahoo.com> <4F9F1F0A.1020903@redhat.com>
Message-ID: <1335829950.17347.YahooMailNeo@web125706.mail.ne1.yahoo.com>

Hi Rich and all,

Thank you a lot for pointing out the place of the scripts. The scripts are found at the place specified and tried; they are working great in general, but there are still some places that need help:

1. There is no manual or help regarding the command options. Not sure where the normal usage could be looked up.
    [root at ipamaster scripts-PEGACLOUDS-COM]# man db2ldif
    No manual entry for db2ldif
    [root at ipamaster scripts-PEGACLOUDS-COM]# ./db2ldif --help
    Usage: db2ldif {-n backend_instance}* | {-s includesuffix}*
                   [{-x excludesuffix}*] [-a outputfile]
                   [-N] [-r] [-C] [-u] [-U] [-m] [-M] [-1]
    Note: either "-n backend_instance" or "-s includesuffix" is required.
    [root at ipamaster scripts-PEGACLOUDS-COM]#

2. What is the 'official' way to increase file descriptors for IPA & 389 Directory Server?

    [root at ipamaster scripts-PEGACLOUDS-COM]# ./db2ldif -s 'dc=pegaclouds,dc=com'
    Exported ldif file: /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_164542.ldif
    [30/Apr/2012:16:45:42 -0700] - /etc/dirsrv/slapd-PEGACLOUDS-COM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
    [30/Apr/2012:16:45:42 -0700] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 1024 (the current process limit).  Server will use a setting of 1024.
    ...

3. The ldif2db command will abort when IPA (Directory Server) is running. I have to stop IPA first, then run ldif2db, and fire up IPA at the end. It may not be a bad thing, to avoid potential database corruption. But please confirm whether this is a feature or a bug.

    [root at ipamaster scripts-PEGACLOUDS-COM]# ./ldif2db -s 'dc=pegaclouds,dc=com' -i /var/lib/dirsrv/slapd-PEGACLOUDS-COM/ldif/PEGACLOUDS-COM-pegaclouds-2012_04_30_163506.ldif
    importing data ...
    ...
    [30/Apr/2012:16:50:00 -0700] - Backend Instance: userRoot
    [30/Apr/2012:16:50:00 -0700] - Unable to import the database because it is being used by another slapd process.
    [30/Apr/2012:16:50:00 -0700] - Shutting down due to possible conflicts with other slapd processes

Thanks.
--David
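A preflight for the per-instance db2ldif / ldif2db scripts, added here as an example for the two problems reported in this message; it is not 389 Directory Server or FreeIPA code. It reproduces, before the script is started, the two conditions the server printed above: the nsslapd-maxdescriptors value in dse.ldif being clamped to the process's soft RLIMIT_NOFILE (the warning says "the current process limit", so raising the soft limit with `ulimit -n` in the shell that launches the script is enough for that run), and ldif2db refusing to import while ns-slapd still holds the database. Assumptions, marked in the code as well: the pid file is /var/run/dirsrv/slapd-INSTANCE.pid, and the clamp rule is exactly the one in the warning (valid range 1..process limit, otherwise the process limit is used). The dse.ldif text is a constructed fragment, not the reporter's file.

```python
"""Preflight checks for the 389-ds instance scripts db2ldif / ldif2db.

Added example, not 389 Directory Server or FreeIPA code.  Reads the
instance's dse.ldif, predicts the nsslapd-maxdescriptors clamp, and refuses
an import while ns-slapd is still running.
"""
import base64
import errno
import os
import resource

# Constructed dse.ldif fragment; the 8192 comes from the warning quoted above.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
nsslapd-maxdescriptors: 8192
nsslapd-rootdn: cn=Directory
  Manager
nsslapd-port: 389

dn: cn=ldbm database,cn=plugins,cn=config
cn: ldbm database
nsslapd-maxconnections: 1024
"""


def parse_ldif(text):
    """Minimal LDIF reader: folded lines (leading space) and '::' base64 values.

    Returns [(dn, {attr_lowercase: [values]})] in file order.
    """
    entries, logical = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # LDIF continuation line
        elif raw == "":
            if logical:
                entries.append(_entry(logical))
                logical = []
        elif not raw.startswith("#"):
            logical.append(raw)
    return entries


def _entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def configured_maxdescriptors(dse_text):
    """nsslapd-maxdescriptors from the cn=config entry, or None if absent."""
    for dn, attrs in parse_ldif(dse_text):
        if dn and dn.lower() == "cn=config":
            values = attrs.get("nsslapd-maxdescriptors")
            return int(values[0]) if values else None
    return None


def effective_maxdescriptors(configured, process_limit):
    """Value the server runs with (ASSUMPTION: the rule printed in its warning)."""
    if configured is None or not 1 <= configured <= process_limit:
        return process_limit
    return configured


def instance_running(instance, pidfile_dir="/var/run/dirsrv"):
    """True if the instance's pid file names a live process.

    ASSUMPTION: pid file path /var/run/dirsrv/slapd-<INSTANCE>.pid.
    """
    pidfile = os.path.join(pidfile_dir, "slapd-%s.pid" % instance)
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
        os.kill(pid, 0)                       # signal 0: existence check only
        return True
    except (IOError, OSError, ValueError) as exc:
        return getattr(exc, "errno", None) == errno.EPERM   # alive, not ours


def preflight(dse_text, instance, operation, nofile_limit=None, running=None):
    """Findings for an 'export' (db2ldif) or 'import' (ldif2db) run; [] = go.

    nofile_limit and running can be injected (tests); by default they come
    from this process's soft RLIMIT_NOFILE and the instance pid file.
    """
    findings = []
    if nofile_limit is None:
        nofile_limit = resource.getrlimit(resource.RLIMIT_NOFILE)[0]
    if running is None:
        running = instance_running(instance)
    want = configured_maxdescriptors(dse_text)
    got = effective_maxdescriptors(want, nofile_limit)
    if want is not None and want != got:
        findings.append("nsslapd-maxdescriptors=%d is outside 1..%d (soft RLIMIT_NOFILE); "
                        "the server will use %d. Raise the soft limit with 'ulimit -n' in "
                        "the shell that starts the script." % (want, nofile_limit, got))
    if operation == "import" and running:
        findings.append("ns-slapd for slapd-%s is running; ldif2db will refuse to import. "
                        "Stop the instance first (ipactl stop)." % instance)
    return findings


if __name__ == "__main__":
    import sys
    inst = sys.argv[1] if len(sys.argv) > 1 else "PEGACLOUDS-COM"
    op = sys.argv[2] if len(sys.argv) > 2 else "import"
    path = "/etc/dirsrv/slapd-%s/dse.ldif" % inst
    text = open(path).read() if os.path.exists(path) else SAMPLE_DSE
    for finding in preflight(text, inst, op):
        print("WARNING:", finding)
```

Run it as `python preflight.py PEGACLOUDS-COM import` before `./ldif2db`, and with `export` before `./db2ldif`; an export is allowed with the server up (the run quoted above produced its LDIF while ns-slapd was running), so only the descriptor clamp is reported for it.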